Technical System Administration Policy

Originally Issued: April 2015

Contacts: Don Diener, Lori Temple



Every system must have a designated system owner who is a full-time UNLV employee and is accountable for the system. The system owner must ensure that the security and access requirements associated with the data on the system are in compliance with federal, state, and NSHE statutes, regulations and/or policies established by these groups. 

Technical administrators must know who the system owner is and must ensure that the security and access requirements associated with the data and/or applications on the system are met.

Systems must meet security standards set by the Office of Information Technology (OIT).

Systems will be audited periodically by OIT to ensure compliance with federal, state and NSHE statutes, regulations and/or policies.

Related Documents

Statement of Purpose

The purpose of this policy is to:

  • Keep university systems and the data they contain secure in order to ensure high availability and to prevent the systems from being used for unauthorized purposes.
  • Comply with federal, state, and NSHE statutes, regulations and/or policies.

Entities Affected by Policy

Entities affected by this policy include system owners and technical administrators.

Who Should Read This Policy

System owners and technical administrators should read this policy.


Exceptions to Password Standards

Any system that will support the requirements in sections 1.1 and 1.2 must be configured to do so. The technical administrator is responsible for educating users of the system on required password standards even if they cannot be mandated by the system.

If a system does not support the above requirements, the technical administrator must configure passwords of the maximum length and complexity that the system will support.

Any deviations from the requirements listed in sections 1.1 and 1.2 will require a written exception detailing the compensating security controls in place on the system. All exceptions will be audited periodically to ensure compliance with policy.

To request an exception, please complete the IT Exception Form.

Exceptions to Security Standards

Currently, there are no predefined exceptions to the Technical System Administration Policy. Exceptions will be made on a case-by-case basis.

To request an exception, please complete the IT Exception Form.

A written explanation as to why the system or service requires an exception must be submitted (e.g., security patch cannot be applied in an automated fashion due to the applications on the server). Technical documents should be included where available.

To protect sensitive data and preserve the integrity of UNLV systems, OIT staff will work with the requester to:

  • Establish compensating controls for system operation to mitigate risk.
  • Develop an audit schedule to verify the compensating controls remain in place and are mitigating current risks.

Deliberation on exception requests will begin within 10 business days of receipt of the request. Exceptions will be reviewed annually. Periodic audits will be conducted to determine that the conditions for granting the exception are still being met.

Frequently Asked Questions

Do the policy and associated standards and procedures apply to servers administered by a third party?

Yes, servers administered by a third party on behalf of UNLV or any unit of UNLV (infrastructure as a service) must meet these standards. For each system administered by a third party, a full-time UNLV employee must be named as the system owner. The company providing technical administration must sign appropriate agreements to:

  • Protect UNLV data
  • Abide by all federal, state, and local laws and regulations that apply to UNLV (e.g., FERPA, HIPAA, PCI-DSS, GLB Act)
  • Comply with UNLV internal policies

The UNLV system owner is responsible for ensuring the third party providing technical administration is compliant with the requirements above.

In the case of software as a service (SaaS), such as Google Apps, Office365, or Workday, contractual arrangements negotiated on behalf of UNLV or NSHE will supersede this document. However, a system owner must be named to monitor compliance with and changes to contractual agreements and serve as the contact for any security issues that may arise.

Services operated on UNLV’s behalf by System Computing Services require a UNLV system owner (generally an OIT staff member). The system owner must monitor compliance with service agreements and governance structures.

What is the timeline for bringing the systems I manage into compliance?

The systems should be brought into compliance as soon as possible. If you cannot bring all the systems for which you are responsible into compliance by December 31, 2015, please contact OIT for assistance.

Due to limits of the system, I do not believe I can meet some of the requirements (e.g., rotating passwords every six months). What should I do?

Contact OIT to discuss possible exceptions and compensating controls. The OIT Policy Exception Form can be found at

I am not certain if a given account should be considered a service account or an administrative account. How do I make this determination?

Generally, if the account is being used by a system it is a service account. Accounts being used by a person are administrative accounts. If the account type is not readily apparent, please contact OIT for assistance.

I have a test/development system. Does it fall under this policy?

If the test/development system processes, stores, or transmits actual university data (non-fictitious), the policy applies.