Guidelines for Non-Employees with System Administration Duties

Purpose

The purpose of these guidelines is to assign and delineate responsibilities for custody and security of university data by non-employees (e.g., contractors, consultants, retirees) who function as system administrators on university resources.  

Guidelines

The following items should be completed for the non-employees with system administration duties for university resources:

  • No-pay action in the Human Resources System.
  • Information Security Acknowledgement Form
  • Background Check – proof of successful background check
  • Annual Data Security Training.
    All non-employees (aka no-pay employees) are required (per REG 08.0.02 – Computer Use Regulation and Jan. 22, 2019 3D Memo) to complete mandatory Data Security training. These employees will receive email notifications once they are registered. Registration for new employees, including nopays, is done monthly, and employees can find a link to the training module via the New Hire Checklist
  • Two-Factor Authentication (2FA) enrollment.
    All NC State employees, including no-pays, are required to enroll in the university’s two-factor authentication solutions – Duo Security and Google 2-Step Verification –  to protect campus systems and accounts. 
  • Change in annual/contract length or change in job duties
    • The responsible unit must review and verify access is removed for everyone not requiring access (including separated employees).
    • The access certification needs to be documented and kept on file in the department. Periodic reviews of the access certification will be conducted.
  • Contractual clauses that should be included in the agreement with any third-party staffing agency
    • Reporting requirements for employment discharge
    • Separation notifications
      The Notice clause in the general provisions section of an agreement defines:

      • How a separation notice is to be made.
      • Where separation notice may be made.
      • When the separation notice is deemed to have been received.

The clause works in conjunction with other provisions of the agreement to state the circumstances when a separation notice is required.

  • Subcontracts will also include appendices that establish the scope of work, serve to limit local authorities (requiring prior approval), and establish reporting requirements and/or incorporation of additional terms and conditions. The prime award is incorporated into the subcontract as an appendix.

System Administration

System administrator duties can include the following: 

  • Administration of servers and applications, including backup, recovery and restoration.
  • Installation and configuration of technology tools. 
  • Installation and configuration of servers, software and updates in line with institutional processes and procedures.
  • Monitoring performance and maintaining systems according to requirements using institutional processes, services or procedures as appropriate.
  • Troubleshooting system, application issues and outages and notify customers and staff using institutional processes, services or procedures as appropriate.
  • Physical access to secure areas (e.g., server rooms, data center).
  • Security:
    • Ensure all managed critical systems and applications receive security patches and vulnerability remediation in a timely manner and in accordance with documented standards and procedures.
    • In consultation with management, ensure all critical systems have security monitoring, logging, alerting, and scanning enabled and maintained using the campus approved solutions (e.g., TripWire File Integrity Monitoring (FIM) solution, Splunk Enterprise Security Module, and Rapid7 Nexpose Vulnerability Management system), when available.
    • Ensure security configuration documentation (e.g., baseline, backup) exists for all critical systems and that the documentation accurately reflects the current state.
    • Deliver efficiently and effectively on all compliance activities such as PCI, FERPA, HIPAA, NIST, ISO 27002, GLBA, DMCA, Public Records requests, and Litigation Hold requests.
  • Development of expertise and thorough documentation of tasks to train staff on new and existing technologies and associated-support procedures.
  • Documentation of relevant processes, procedures and workflows.