Technical System Administration Policy
View Full PolicyExceptions
Exceptions to Password Standards
Any system that will support the requirements in sections 1.1 and 1.2 must be configured to do so. The technical administrator is responsible for educating users of the system on required password standards even if they cannot be mandated by the system.
If a system does not support the above requirements, the technical administrator must configure passwords of the maximum length and complexity that the system will support.
Any deviations from the requirements listed in sections 1.1 and 1.2 will require a written exception detailing the compensating security controls in place on the system. All exceptions will be audited periodically to ensure compliance with policy.
To request an exception, please complete the IT Exception Form.
Exceptions to Security Standards
Currently, there are no predefined exceptions to the Technical System Administration Policy. Exceptions will be made on a case-by-case basis.
To request an exception, please complete the IT Exception Form.
A written explanation as to why the system or service requires an exception must be submitted (e.g., security patch cannot be applied in an automated fashion due to the applications on the server). Technical documents should be included where available.
To protect sensitive data and preserve the integrity of UNLV systems, OIT staff will work with the requester to:
- Establish compensating controls for system operation to mitigate risk.
- Develop an audit schedule to verify the compensating controls remain in place and are mitigating current risks.
Deliberation on exception requests will begin within 10 business days of receipt of the request. Exceptions will be reviewed annually. Periodic audits will be conducted to determine that the conditions for granting the exception are still being met.
Frequently Asked Questions
Yes, servers administered by a third party on behalf of UNLV or any unit of UNLV (infrastructure as a service) must meet these standards. For each system administered by a third party, a full-time UNLV employee must be named as the system owner. The company providing technical administration must sign appropriate agreements to:
- Protect UNLV data
- Abide by all federal, state, and local laws and regulations that apply to UNLV (e.g., FERPA, HIPAA, PCI-DSS, GLB Act)
- Comply with UNLV internal policies.
The UNLV system owner is responsible for ensuring the third party providing technical administration is compliant with the requirements above.
In the case of software as a service (SaaS), such as Google Apps, Office365, or Workday, contractual arrangements negotiated on behalf of UNLV or NSHE will supersede this document. However, a system owner must be named to monitor compliance with and changes to contractual agreements and serve as the contact for any security issues that may arise.
Services operated on UNLV’s behalf by System Computing Services require a UNLV system owner (generally an OIT staff member). The system owner must monitor compliance with service agreements and governance structures.
The systems should be brought into compliance as soon as possible. If you cannot bring all the systems for which you are responsible into compliance by December 31, 2015, please contact OIT for assistance.
Contact OIT to discuss possible exceptions and compensating controls. The OIT Policy Exception Form can be found at https://help.unlv.edu/TDClient/33/IT-Support-Portal/Requests/ServiceDet?ID=145.
Generally, if the account is being used by a system it is a service account. Accounts being used by a person are administrative accounts. If the account type is not readily apparent, please contact OIT for assistance.
If the test/development system processes, stores, or transmits actual university data (non-fictitious), the policy applies.
Yes, servers administered by a third party on behalf of UNLV or any unit of UNLV (infrastructure as a service) must meet these standards. For each system administered by a third party, a full-time UNLV employee must be named as the system owner. The company providing technical administration must sign appropriate agreements to:
- Protect UNLV data
- Abide by all federal, state, and local laws and regulations that apply to UNLV (e.g., FERPA, HIPAA, PCI-DSS, GLB Act)
- Comply with UNLV internal policies.
The UNLV system owner is responsible for ensuring the third party providing technical administration is compliant with the requirements above.
In the case of software as a service (SaaS), such as Google Apps, Office365, or Workday, contractual arrangements negotiated on behalf of UNLV or NSHE will supersede this document. However, a system owner must be named to monitor compliance with and changes to contractual agreements and serve as the contact for any security issues that may arise.
Services operated on UNLV’s behalf by System Computing Services require a UNLV system owner (generally an OIT staff member). The system owner must monitor compliance with service agreements and governance structures.
The systems should be brought into compliance as soon as possible. If you cannot bring all the systems for which you are responsible into compliance by December 31, 2015, please contact OIT for assistance.
Contact OIT to discuss possible exceptions and compensating controls. The OIT Policy Exception Form can be found at https://help.unlv.edu/TDClient/33/IT-Support-Portal/Requests/ServiceDet?ID=145.
Generally, if the account is being used by a system it is a service account. Accounts being used by a person are administrative accounts. If the account type is not readily apparent, please contact OIT for assistance.
If the test/development system processes, stores, or transmits actual university data (non-fictitious), the policy applies.