Administrative Authority Request Procedure

Note: "Administrative Rights" is not simply the ability to update software on a computer.  It is taking on the full responsibility of the maintenance, security, and reporting for the requested computers.  When you request this authority, you are saying that you will provide your own IT support and will not request support from Technology Services other than hardware warranty issues or to re-image your computer.  (You also cannot request help from a 3rd party unless you first obtain a vendor contract with A&M where they agree to abide by A&M security rules.)

See https://itsecuritycenter.tamu.edu/requirements/ for the A&M IT security requirements.

Effective December 19, 2016

Texas A&M University has implemented a set of Information Security procedures for the protection of computing devices and the data stored within them.  The College of Education and Human Development (CEHD) is responsible for devices owned by any unit within the college and is required to submit an annual security risk assessment on these resources.  In addition, the CEHD Dean is required to approve security plans as well as the annual risk assessments for all devices. (TAMU SAP 29.01.03.M0.01 2.5, 3.1, 3.2)  The operational responsibility for these devices, as well as the creation of risk assessments, has been delegated to Technology Services within the CEHD Dean’s Office.

In order to maintain all college devices, administrative control of all CEHD information resources must remain with Technology Services whenever feasible.  (Some devices, such as tablets, do not have the concept of administrative accounts and so are excluded, but security plans and risk assessments must still be submitted for them.)  This control allows Technology Services to enforce security policies and system settings, verify that only legally licensed software is installed, and carry out other automated tasks.

However, some job responsibilities may require that you be able to make administrative changes to your system(s) without waiting for Technology Services.  In these cases, you may request approval from the CEHD Dean to take over operational responsibility (i.e. administrative authority, admin rights) for specified devices.

As part of this responsibility, you must

  1. Agree to read, understand, and implement all relevant rules regarding the protection of information resources. (See https://itsecuritycenter.tamu.edu/requirements/)
  2. Prepare a Security Plan in accordance with TAMU Control Catalog item PL-2.  A template is provided.
  3. Agree to complete an annual risk assessment following requirements from the TAMU Office of Information Technology Risk Management and submit the risk assessment to the CEHD ISO by March 1 each year.  A reminder with specific instructions will be sent by the ISO at the beginning of each year.  A template is provided.

Request Procedure

  1. Submit your security plan and the signed request form to Arlen Strader for review.
  2. Once the security plan is confirmed to be complete, the plan and request form will be forwarded to the CEHD Dean for approval.
  3. If approved, you will need to coordinate with Technology Services to set up administrative rights on your computer(s).

(Note: anyone who was granted Admin Rights prior to December 31, 2016 will be grandfathered in, so a new request for admin rights is not needed.  However, you will still need to complete a Security Plan and answer the NIST questions each year to be included in the college's annual IT security report to A&M.)

  • Administrative Authority Request Procedure and Form
  • IT Security Plan (Blank)
  • NIST Questions
    • These 43 questions need to be answered and submitted each year as part of the annual IT security report.
    • NIST Questions with sample answers and notes for a Windows computer joined to the college Active Directory Domain.  These examples are intended to assist you as you answer the questions, but be sure any answers you provide are applicable to your situation.
    • If a question is marked as "Not Applicable," include a note explaining why the question does not apply to your situation.  For example, question #40 asks "Have you implemented the DNS service in a manner that supports cryptographically signed responses ..."  This question can be marked as "Not Applicable" with a note along the lines of "DNS is managed by the university."
    • Any other question not marked as "Implemented" must include a note explaining the plan to implement the control by the next reporting period (February of each year) OR explaining why the control cannot be reasonably implemented and requesting that the Dean accept the risk of not implementing it.

The IT Security Plan and NIST Question answers are compiled each year as part of the college's IT report to the university and will be provided to auditors upon request.