
New university security standard for administrative privileges will mitigate cyber risk

Elevated access privileges on university-owned computers to be reviewed and approved

From: Division of Information Technology

To improve the security of our IT systems and services and increase compliance with university IT policies and standards, Virginia Tech has developed the University Computer Administrator Access Standard. This new standard, developed by the Division of IT in collaboration with the IT Council, will facilitate tracking of requests and approvals for administrative access rights and create a new process for requesting these rights.

The new standard applies to all university-owned computers or servers, as well as any system that is being used to handle high- or moderate-risk university data. The need for better control of these access rights has been identified as a key security issue by the university. Compliance with the new standard will be included in the Office of Audit, Risk, and Compliance (OARC) FY22 Audit Plan for Virginia Tech.

Implementing this new standard and process will give Virginia Tech visibility into who is able to modify their computers at a higher privilege level than a standard user, capture the reasons the access is needed, and verify that the responsibilities that come with these privileges are understood and that the user has the necessary training and experience. It will also help the university respond more nimbly in the event of cyber attacks, theft, or other compromise of these computers. These are risks that can have severe implications for Virginia Tech, and the university is committed to addressing them in a conscientious manner. Over the past few months, this new standard was piloted within the Division of IT and the College of Liberal Arts and Human Sciences, and will now begin wider implementation across the university.

Elevated or administrator rights give certain users the ability to make fundamental changes on a computer or server, including, for example, adding or removing software, connecting to a new printer or other external device, or making changes to firewall settings. Because of the risks inherent in making these changes, it is important for those with elevated access to justify their need for it, as well as to demonstrate applicable experience and to receive approval for continued elevated access from their department head. Those who do not wish to complete these steps to retain their access rights will need to relinquish their elevated privileges and rely on desktop support personnel to assist them when changes are needed.

The University Computer Administrator Access Standard will officially go into effect on January 1, 2022. To prepare for that date, all university employees with elevated access permissions should review the Administrative Rights Overview located within 4Help's knowledge base and consider whether they need to request a continuation of those privileges. If the answer is 'yes,' employees should take a few minutes to complete the Administrative Access for Endpoints and Servers form, which includes a justification of the need for continued access and specifies the training required.

If you have questions related to how your unit provides administrative privileges, please reach out to your department or group’s IT representative. If you have questions regarding the request form or the new administrative rights standard, contact 4Help IT Support at 4help.vt.edu, or by calling (540) 231-4357.
