User privilege policy

PURPOSE

This policy provides guidelines for the delegation of user privileges on organization-owned systems. It also provides guidance for usage of high-privilege or administrator accounts.

From the policy:

Limiting the use of superuser accounts

Users must not use administrator or root accounts — or similarly high-level account types — for tasks that do not require privileged access:

  • For tasks that require privileged access, individualized accounts must be used for logging purposes. Use of device-default administrator or root accounts is only acceptable for circumstances in which privileges cannot be delegated to non-root accounts.
  • Providing full system access for privileged accounts is highly discouraged. Delegate only privileges required for the user to perform their duties, where possible.
  • Where possible, use sudo or “Run As…” to temporarily escalate privileges rather than create an account to perform a task.
  • Sharing of accounts is prohibited.
  • Creation of duplicate personal privileged accounts is prohibited.
  • Ensure you have logged out when finishing a task. Do not walk away from a device logged in using a superuser account, leaving it unsecured.
  • Passwords for privileged accounts must be consistent with the password policy in your organization.
  • Maintain an inventory of privileged accounts. Deactivate accounts for users separating from the company in a timely manner.

Resource Details


Provided by: TechRepublic Premium
Published: March 9, 2023
Topic: TechRepublic Premium
Format: PDF