PROCEDURE

SUBJECT / PROCEDURE: INFORMATION SYSTEMS—AUTHORIZATION FOR UNIX SERVER SECURITY PASSWORDS / P1.8108-XXX
LEGAL AUTHORITY / P6Hx23-1.8108 / 6/22/04
Revision #04-6

P6Hx23-1.8108 PROCEDURE: INFORMATION SYSTEMS—AUTHORIZATION FOR UNIX SERVER SECURITY PASSWORDS

PURPOSE AND INTENT

To provide a procedure for authorizing and administering the assignment of user accounts and passwords to access the College’s Hewlett Packard UNIX Enterprise Server Systems.

PROCEDURE—GENERAL

Because of the importance placed upon user accounts and passwords, and their role in controlling access to the College’s Hewlett Packard UNIX Enterprise Server Systems, the authorization for assigning or changing user accounts will be given by the Cabinet member to whom the holder ultimately reports. There will be no access to the Hewlett Packard UNIX Enterprise Server Systems without the Cabinet member's approval. In the absence of that Cabinet member, the vice president of Information Systems can give the approval.

User accounts and passwords for the College’s Hewlett Packard (HP) enterprise server hardware and HP-UNIX (HP-UX) operating system are used to administer and support the College’s PeopleSoft Financials, Student Administration and HR/Payroll applications. User access security mechanisms within the HP-UX operating system are provided through the HP-UX System Administration Module (SAM). Among the security mechanisms offered are the /etc/passwd and /etc/group files, and a “trusted system” option that enables password authentication, auditing, and other security features.

The HP-UX “Root” user code is the most powerful and far-reaching security privilege. The Root user code is, by vendor design, limited to one assignable password at any given time.

Day-to-day administration of the HP-UX security mechanisms is the responsibility of the AIS system administrators located at the Seminole Campus, or a designee of the associate vice president of Information Systems.

PROCEDURES—HP-UX OPERATING SYSTEM

User codes and access to the HP-UX operating system shall be restricted to system administrators, computer operators, and other such AIS persons who have specified responsibilities to perform administrative and privileged technical tasks on the HP central servers, and related applications.

Requests for assignment of HP-UX user codes shall be submitted for approval to the associate vice president of Information Systems. If approved, the associate vice president of Information Systems, or his/her designated systems administrator, shall assign user codes for access to the HP-UX operating system.

The associate vice president of Information Systems shall restrict the users of the “Root” user code and password to no more than four systems administrators for purposes of work shifts, sickness, and vacation coverage.

User code passwords shall expire and must be changed every 60 days. Authorized users shall be given expiration-warning notifications at least 14 days in advance.

An audit record and report of the following events invoked via the Root user code shall be produced by the system: all log-ins and log-outs, all creations and deletions of objects, all access modifications and discretionary modifications, and all administrative and privileged events.

The associate vice president of Information Systems shall be responsible for reviewing and signing off on the Root Audit Report every 15 days. Appropriate corrective and disciplinary actions shall be taken in the event of a security breach.

The associate vice president of Information Systems shall retain copies of the reviewed, signed-off Root Audit Reports for a period of 2 fiscal years.

Persons who log on, or otherwise gain access to the College’s HP-UX operating system, without authorization and an authorized user account and password are in violation of this Procedure and commit a serious breach of security.

Specific Authority: 1001.64(2) & (4), F.S.

Law Implemented: 1001.64(5), F.S.; Senate Bill 1162, 2001 Legislature; Rule 6A-14.0261, F.A.C.

History: Adopted – 10/17/01. Filed – 10/17/01. Effective – 10/17/01; 6/22/04. Filed – 6/22/04. Effective – July 1, 2004.
