Acceptable Practices for Privileged Account Management

This document states how privileged accounts are to be managed, controlled and tracked.

  • Privileged access is restricted to people who have a true need-to-know requirement for system access, control and modification.
  • Privileged access may only be used to perform assigned job duties. Minimize administrative privileges and use privileged accounts only when they are required. Wherever possible, the acquisition and use of administrative privileges should be logged.
  • Maintain an ongoing inventory of all privileged accounts, together with regular validation that each person holding administrative privileges is authorized.
  • Administrative passwords should be complex and meet the following Password Construction Guidelines:
    • Contain at least 14 alphanumeric characters.
    • Contain both upper and lower case letters.
    • Contain at least one number.
    • Contain at least one special character (for example, !$%^&*()_+|~-=\`{}[]:";'<>?,/).
    • Should not be found in a dictionary.
    • Should not contain personal information such as phone numbers.
  • System administrators should comply with the following Password Protection Policy:
    • Password Creation
      • Users must use different passwords for University accounts than for other non-University access.
      • Where possible, users must use different passwords for various access needs.
    • Password Change
      • All privileged account passwords must be changed at least every 90 days.
      • Before deploying any new devices in a networked environment, change all default passwords.
    • Password Protection
      • Passwords must not be shared with anyone.
      • Passwords must not be inserted into email messages or other forms of electronic communication.
      • Do not write passwords down and store them anywhere in your office.
      • Passwords should be hashed or encrypted in storage.
      • Do not use the “Remember Password” feature of applications (for example, web browsers).
      • Enforce password history.
  • Configure systems to log unsuccessful login attempts to administrative accounts.


Exception Handling Procedures for Privileged Account Management

It is important to follow the acceptable practices for managing privileged accounts in critical systems. However, when the recommended practices cannot be implemented in a system due to technical difficulties or other unforeseeable circumstances, the following exception handling procedures will be followed.

  1. Request for Exception: Users who need to request an exception to the password policy for a privileged account must submit a request and send it to cchelp@ust.hk. The request should include the privileged account name, the name of the system, the name and email of the system owner, the department owning the system, a brief description of the function of the system, the reasons for the exception and the duration of the exception.
  2. Approval Process: ITSC Cybersecurity Operations team ("the team") will review the request and determine if an exception is necessary. If an exception is approved, the team will notify the user and provide instructions on how to proceed.
  3. Risk Assessment: The team will assess the risks associated with the exception and determine if any additional controls or monitoring are necessary to mitigate the risks.
  4. Documentation: The team will document the exception, including the reason for the exception, the duration of the exception, and any additional controls or monitoring that were implemented.
  5. Review: The team will periodically review the exception to ensure that it is still necessary and that the risks associated with the exception are being effectively managed.