Privileged Access

To perform their job duties, employees in Information Technology (IT) roles are frequently provided privileged access to information systems and to the data and records managed by those systems.  IT employees with privileged access have a responsibility to use it in an ethical, professional, and legal manner that is strictly within their authorized job functions.

The University has existing policies that describe how confidential data should be treated, and users have certain expectations of privacy.

  • The University’s Acceptable Use Policy is a privacy-centric document.
  • University Policy 601, “Treatment of Confidential Information,” defines confidential information, roles and responsibilities, and other important aspects.

IT Services is providing several services as a platform for unit IT, using a shared responsibility model. In some cases, those services provide IT staff with privileged access to confidential data. IT Services has adopted the following three approaches to address privileged access.

Training

IT employees with privileged access must complete annual privacy and confidentiality training provided by Information Security and sign IT Services’ confidentiality agreement.

Access Control

Privileged access must be permitted to the fewest IT employees possible and limited to the smallest scope needed, with appropriate faculty review.

Reporting and Response

The actions of IT employees with privileged access on such systems must be logged such that it is possible to determine who did what and when.  These logs must be regularly reviewed for unauthorized activity.

Questions?  Contact security@uchicago.edu.