Responsible Sysadmin Policy

Revised: February 28, 2007

---

The previous form of this policy was superceded by the UCAR Designated Sysadmin Policy. Wording was revised February 28, 2007 in order to remove conflicting language.

Goals

Occasionally it is necessary to enlist technically skilled staff within ACD in order to share in the management of systems for which those staff are responsible. This role must be justified on the basis of technical requirement and merit, and must not conflict with ACD or UCAR security policies, procedures, and standards.

Primary Sysadmins

A Primary Sysadmin is one whose UCAR position description is "Systems Administrator". ACD's primary sysadmins are currently:

• Tim Fredrick (head of the ACD Computing Systems group)
• Garth D'Attilo
• Daniel Packman

Primary Sysadmins provide the management of servers and services on the UCAR network, as well as consulting to the staff. A Primary Sysadmin must have administrative access and responsibility over every computer attached to the UCAR network. Primary Sysadmins are solely responsible for the security of all systems attached to the UCAR network.

Responsible Sysadmins

In ACD, the term "Responsible Sysadmin" refers to those individuals who have delegated shared administrative control over, and shared responsibility for particular machines on the UCAR network. This delegation enlists the responsible sysadmin for certain functions involved in the management of a system, but the overall responsibility for the security of the system remains assigned to the primary sysadmins.

• The determination of who is a Responsible Sysadmin must be made jointly by the head of the ACD Computer Systems group, and the responsible sysadmin's supervisor.
• The term "responsible sysadmin" does not imply the position of a Systems Administrator with respect to UCAR policy; particularly the security policies outlined at https://www.ucar.edu/csac/internal/policy/.
• A Responsible Sysadmin may assist in the administration of hosts which have been approved by the head of the ACD Computer Systems Group and the Responsible Sysadmin's supervisor as exceptions to the Desktop Computing Standards outlined in the following ACD policies:
  • Acquisitions Policy
  • Operating Systems Policy
  • Legacy Systems Policy
• Responsible Sysadmins must have demonstrated skill in the following (in order to participate in the management and verification of the security of hosts which they help to manage):
• A complete and ongoing knowledge of all UCAR computer security policies
• A complete and ongoing knowledge of all ACD Computing Policies
• Formal Training or demonstrated skill in network security
• A complete and ongoing knowledge of security issues associated with specific technologies and software under their management.
• Immediate notification to ACD's Primary Sysadmins of any security related issue with the host or software under their management.
• Communication and coordination with all UCAR primary Sysadmins and the CSAC membership including the ability to send/receive PGP encrypted email.
• Close coordination and communication with the ACD Primary Sysadmins.
• Complete knowledge of all ACD and UCAR computer security policies, and their changes over time.

For unrestricted privileged access to Unix systems, one-time-passwords are required to be used by Responsible Sysadmins. Usually this is Cryptocard, but other one-time passwords technologies may be accepted upon the approval of a Primary Sysadmin. For hosts not connected to the UCAR network, console-only access via a locally stored password is allowed.

© 2008 UCAR | Privacy Policy | Terms of Use | Sponsored by NSF | Managed by UCAR
Postal Address: P.O. Box 3000, Boulder, CO 80307-3000 • Shipping Address: 1850 Table Mesa Drive, Boulder, CO 80305 • Contact