Cloud System Administrator Responsibilities
Posted March 16, 2017, ITCS Operational Security
These responsibilities give a broad overview of the routine security requirements for administrators of systems hosted EXTERNAL to ECU. These are also referred to as hosted in the CLOUD. The administration of accounts and relationship management with the vendor is a critical component of the administration of a hosted system. If you are using instructional tools that are free, more information about usage and requirements can be found on the Online Tools website.
- Service Level Agreement (SLA). Every administrator of a hosted system should be very knowledgeable of the SLA for their hosted system. The SLA states the expectations of the hosted environment and the expectations of the client. The SLA should be a part of the hosted contract executed by Materials Management.
- Availability. The administrator should check to make sure that the hosted system is available to the user as defined in the SLA.
- Performance. The administrator should check to make sure that the hosted system’s performance is meeting the parameters as defined in the SLA.
- Account Management
- On-boarding / Off-boarding processes – have a documented process for adding and removing users. The process should be reviewed annually.
- It is recommended that all users who have accounts in your system be reviewed quarterly to ensure they should still have access. Reasons for account removal could include termination, job transfer, graduation, no longer enrolled at the university, and/or no longer have a legitimate need for access.
- User access which includes the types of access in a system a user may have should be reviewed semi-annually to ensure access continues to be appropriate. Users should only have required access.
- All accounts should adhere to the ITCS Password Standard If the cloud service cannot meet this standard, then the ECU system administrator is required to develop and communicate a process where users adhere to the policy as much as possible based on the limitations of the cloud provider.
- Data Management.
- Data access should be reviewed semi-annually.
- Assign users the minimum permissions they need to perform their assigned function. If a user does not need access, then do no provide access to them.
- Log Management.
- If you have access to logs in the hosted system, the logs should be reviewed routinely. The frequency of these reviews may depend on the type of data (e.g., PCI, HIPAA, etc.) you are managing. ITCS recommends reviewing logs at least monthly. If you do not have access, then ensure your vendor is performing these reviews and providing you with documentation of these reviews.
- Administrator should be verifying:
- Correct users are logging into environment
- Investigating multiple failed login attempts.
- Investigating abnormal access times.
- System Security.All hosted systems are required to have an ITCS annual review and a hosted contract executed by Materials Management. It is your responsibility as the administrator of a hosted system to stay up to date on security changes within your system. ITCS is available to consult with you on the meaning and consequences of security notifications you may receive. As administrator, you are responsible for communicating with your user and ITCS on any security changes in the system. Ensure you are receiving all vendor communications and stay up to date. Periodically, requesting information from the vendor on system security is good practice.