Privileged administrative access to computer systems and services may be required for individuals to perform certain tasks delegated to them as members of the Organization for Transformative Works (OTW) or one of its committees. This document describes the policy under which privileged administrative access to OTW systems and resources is granted to individuals.
This policy covers all OTW members and volunteers who are given privileged administrative access to computer systems and services maintained for OTW or any of its committees for the purposes of OTW organizational work.
Where possible, privileged administrative access will be given to individual accounts rather than shared accounts so that actions may be traceable to individual account holders. Where this is not possible or feasible, shared administrative accounts may be created. If a shared account is used, the account’s authentication credentials (e.g. password) must be communicated in a secure fashion.
Limitation of Actions
Privileged administrative access, whether on an individual account or via a shared account, must only be used to perform necessary duties.
Authorization and Notification of Actions
Any action that is performed with the use of privileged administrative access must be authorized by the affected party or parties. After an action is performed with the use of privileged administrative access, the affected party or parties must be notified of the outcome of that action.
In some cases, the authorization to perform an action is implicit in the request from the originating party (e.g., creating a normal account for a new committee member) or in the specification of work to be performed (e.g., installing a software package and performing accompanying administrative tasks). In these cases explicit authorization is not required.
Any private data belonging to the OTW, its members, or volunteers that is encountered during the routine use of privileged administrative access must not be divulged to any other party without the consent of the owner of that data. Privileged administrative access must not be used with the intent to obtain access to private data that is not needed in order to complete necessary duties.
OTW members or volunteers will only be given privileged administrative access when approved by the OTW Board of Directors or the chair of the committee in which the privileges apply. The individual, relevant committee, and OTW Board of Directors will be notified of the change of account status or the granting of access to a shared account.
Modifying or Changing Access
An OTW member or volunteer with privileged administrative access may have this access modified on the approval of the OTW Board of Directors or the chair of the committee in which the privileges apply. The individual, the relevant committee, and the OTW Board of Directors will be notified of the change in access.
When an individual leaves the OTW or a committee in which they have privileged administrative access, any relevant privileged administrative access granted to that individual will be revoked. In the case of a shared account, the account’s authentication credentials must be changed and communicated securely to any other individuals requiring them.
Privileged administrative access will also be revoked at the request of the individual account holder, the chair of the committee in which the privileges apply, or the OTW Board of Directors.
When privileged administrative access is revoked, the individual in question, the relevant committee, and the OTW Board of Directors will be notified.
Any OTW member or volunteer who is found to have intentionally used privileged administrative access in a manner not specified by this policy will have that access revoked and/or may be removed from committee or volunteer membership at the discretion of the Board. Disputes originating out of the enforcement of this policy will be resolved by the OTW Board of Directors or their designates.
Privileged administrative access: access given to an individual that would allow that person to view or modify data or services that a normal account holder would not be able to.
- LOPSA/SAGE/USENIX System Administrator’s Code of Ethics (in particular, the Privacy section)
- Association for Computing Machinery (ACM) Code of Ethics (in particular, section 2.8 would apply here, as well as 1.3, 1.7 and 1.8)
- UC Berkeley Model Privileged Access Agreement