System and Application Administration

Policy 14.12

Related Policies

I. Reason for Policy

The purpose of this policy is to establish a consistent and secure framework for the administration of Dakota State University’s (DSU) information systems, applications, and related infrastructure. Proper system and application administration ensures the confidentiality, integrity, and availability of digital data and resources.

This policy reduces risks from unauthorized access, configuration errors, or malicious activity while ensuring accountability, compliance with federal and state regulations, and alignment with the South Dakota Board of Regents (SDBOR) security requirements.

Scope:

This policy applies to all individuals granted administrator-level or privileged access to Dakota State University–owned or DSU-operated information systems, including servers, infrastructure components, centrally managed endpoints, and enterprise or departmental applications where administrative control is required.

This policy applies only when individuals are acting in an administrative or privileged role and does not apply to routine end-user use of workstations, laptops, mobile devices, or software applications where no elevated administrative access is granted.

The scope of this policy is limited to technical system and application administration activities necessary to support the security, availability, integrity, and proper operation of institutional information technology resources.

Authority granted under this policy is administrative and technical in nature and does not extend to academic decision-making, instructional content, research activities, or matters of shared governance, except as required to meet system security, compliance, or legal obligations.

II. Definitions

1. Application Administrator. Oversees deployment, maintenance, configuration, and access controls for university software applications. Ensures availability, performance, and security.
2. CIO (Chief Information Officer). Campus Chief Information Officer/Vice President of Technology is the department head for the DSU (Dakota State University) technology department.
3. Data Steward. Data Stewards are responsible to help define, implement, and enforce data management policies and procedures within their specific data domain. Institutional data stewards have responsibility for how data is acquired, stored, used, and protected throughout its lifecycle.
4. Data Trustee. Data Trustees are the university officials with authority over institutional data or the university’s use thereof. Data Trustees are accountable for protecting, managing, and ensuring the integrity of institutional data in accordance with policies, state law, and federal law.
5. End User. Any person or entity that utilizes computing resources including, but not limited to, employees, faculty, staff, agents, vendors, consultants, contractors or subcontractors of the institution.
6. Institutional Data. Data for which institutional resources or institutionally owned, leased, licensed, or provided technology systems are used to create, manage, transmit, process, or store it, including administrative, instructional, operational, and research data. When institutional systems, devices, funding, or networks are used to create or process research data, the resulting data is considered institutional data regardless of where the researcher is physically located or which device is used at the moment of creation.
7. ITS (Information Technology Services). Information Technology Services. The official technology department for Dakota State University and subsumed departments.
8. Network Administrator. Manages and secures DSU’s computer networks and communication systems.
9. Privileged Account. An account with elevated permissions used for system or application administration (e.g., “root” or “administrator”).
10. System Administrator. Manages operating systems, servers, and hardware supporting DSU’s IT infrastructure.

III. Statement of Policy

1. Administrative Authority and Responsibilities
   1. Administrative authority is limited to actions necessary to ensure system functionality, security, and compliance and does not extend to academic judgment or institutional decision-making outside technical operations.
   2. Administrators are responsible for managing the setup, configuration, operation, and maintenance of DSU systems and applications.
   3. Access rights must follow the principle of least privilege and be based on business need.
   4. Privileged access may only be granted or revoked with approval from the CIO or designee.
   5. All administrative actions are subject to monitoring and audit by ITS.
2. Security and Access Controls
   
   1. All privileged access must use unique, traceable credentials. Shared administrator accounts are prohibited unless explicitly approved by the CIO.
   2. Remote administrative access must be conducted through secured, encrypted connections (e.g., VPN with MFA).
   3. Default or vendor-supplied passwords must be changed before deployment.
   4. Administrators must lock or log out of privileged sessions when unattended.
3. System Maintenance and Patch Management
   
   1. Systems must be maintained with current operating system updates, application patches, and anti-malware protection in accordance with ITS standards.
   2. Patch deployment must be tested and documented to reduce operational risk.
   3. System backups must follow university backup and disaster recovery procedures.
4. Monitoring and Logging
   
   1. Administrator activities and system logs must be routinely monitored for suspicious activity.
   2. Any indication of misuse, unauthorized access, or potential breach must be reported to ITS within 24 hours of discovery.
   3. Logs must be retained in accordance with DSU and BOR retention requirements.
   4. Monitoring is conducted for the purposes of system security, compliance, and operational integrity and is not intended for routine review of instructional content, research activity, or faculty communications unless required by law or approved investigative processes.
5. Ethical and Legal Responsibilities
   
   1. Administrators must respect the privacy of user data and only access content necessary to perform authorized duties.
   2. Unauthorized interception, monitoring, or modification of communications is prohibited unless explicitly authorized for investigative or security purposes.
   3. All use of DSU systems must comply with SDBOR Policy 7:1 on Acceptable Use.
6. Enforcement
   
   1. Violations of this policy may result in disciplinary action up to and including termination of employment, revocation of access, or legal action under applicable laws.

Exclusions

None

Exceptions

Any exception to this policy must be approved in writing by the Chief Information Officer. Approved exceptions must include compensating controls and a defined expiration or review period.

IV. Procedures (Major)

1. Access Request and Approval
   
   1. Supervisors must submit administrator access requests via the designated TDX Service Request Form.
   2. ITS reviews and approves access based on role requirements and security review.
2. Access Review and Revocation
   
   1. Privileged accounts must be reviewed semi-annually for continued business need.
   2. Access must be revoked immediately upon employee separation or change in role.
3. Incident Reporting
   1. Administrators must immediately report any suspected security incidents, breaches, or misuse to ITS following the DSU Incident Handling Policy (06-04-00).
   2. System Configuration Management
4. ITS maintains baseline configurations and approved images for DSU systems.
   1. Changes to production systems must follow documented change management procedures.

V. Related Documents, Forms, and Tools

NIST 800-53 Rev 5 - Security and Privacy Controls for Information Systems and Organizations
TDX Service Request Form - Access Request

VI. Policy History

Adopted: 02/09/2026