User privilege policy
This policy provides guidelines for the delegation of user privileges on organization-owned systems. It also provides guidance for usage of high-privilege or administrator accounts.
From the policy:
Limiting the use of superuser accounts
Users must not use administrator or root accounts — or similarly high-leveled account types — for tasks that do not require privileged access:
- For tasks that require privileged access, individualized accounts must be used for logging purposes. Use of device-default administrator or root accounts is only acceptable for circumstances in which privileges cannot be delegated to non-root accounts.
- Providing full system access for privileged accounts is highly discouraged. Delegate only privileges required for the user to perform their duties, where possible.
- Where possible, use sudo or “Run As…” to temporarily escalate privileges rather than create an account to perform a task.
- Sharing of accounts is prohibited.
- Creation of duplicate personal privileged accounts is prohibited.
- Ensure you have logged out when finishing a task. Do not walk away from a device logged in using a superuser account, leaving it unsecured.
- Passwords for privileged accounts must be consistent with the password policy in your organization.
- Maintain an inventory of privileged accounts. Deactivate accounts for users separating from the company in a timely manner.
Subscribe to the TechRepublic Premium Exclusives Newsletter
Save time with the latest TechRepublic Premium downloads, including original research, customizable IT policy templates, ready-made lunch-and-learn presentations, IT hiring tools, ROI calculators, and more. Exclusively for you! Delivered Tuesdays and Thursdays