ISP-11 System management policy
This is a sub-policy of the ISP-01 Information security policy.
Summary
This policy outlines the responsibilities of those who manage the University’s computer systems, ensuring their security, integrity, and availability. It requires system administrators and technical service managers to apply security patches, monitor systems, and manage access controls. The policy impacts how systems are managed, ensuring that sensitive information is protected and that systems are secure and regularly tested for vulnerabilities.
| Control information | Control detail |
|---|---|
| Owner | Chief Information Security Officer, IT Services |
| Author | Information Security Manager, IT Services |
| Sponsor | Chief Information Security Officer, IT Services |
| Consulted | Digital Platforms and Network Manager, Digital Spaces Manager, Information Governance and Security Advisory Board (IGSAB) |
| Approved by | Information Governance and Security Advisory Board (IGSAB) |
| Responsible area | IT Services |
| Version | 4 |
| Approval date | 27 June 2025 |
| Effective date | 27 June 2025 |
| Interim review effective date | 30 July 2025 |
| Full review period | 1 year |
| Date of next full review | 31 May 2026 |
| EIA completion date | Not applicable |
| DPIA completion date | Not applicable |
| SIA completion date | Not applicable |
| Reporting requirements | System administrators and Technical Service Managers must immediately report any information security incidents to the Information Security Team by emailing cert@bristol.ac.uk |
| Applicable statutory, legal or best practice requirements |
The policy is aligned with applicable statutory, legal, and best practice requirements such as the UK Data Protection legislation, the University’s Information Security Policy, and the IT Services Patching Policy. It also follows best practices in system management, including requirements for secure authentication, system hardening, vulnerability scanning, and penetration testing. |
| Keywords |
access control, administrative privileges, audit logs, availability, confidentiality, data protection, information security, integrity, Multi-Factor Authentication, penetration testing, security hardening, system administrators, system clocks, system management, vulnerability scanning |
On this page
1. Updates to this policy
1.1. Following an interim review in July 2025, the following updates were made:
- Access Control (section 7.1): Exception added to local administered accounts.
- Minor context clarifications.
1.2. This policy has been updated to align to the new University of Bristol policy management framework.
2. Introduction
2.1. This system management policy is a sub-policy of the ISP-01 Information security policy and sets out the responsibilities and required behaviour of those who manage computer systems on behalf of the University.
3. Scope
3.1. The University’s computer systems will be managed by System Administrators to oversee their day-to-day running and to ensure their on-going security (confidentiality, integrity and availability). These System Administrators will undertake their duties in collaboration with technical service managers and subject matter experts whose services are running on these computer systems.
3.2. This policy applies to all staff, associate and honorary members who use administrator (or elevated) privileges on any University multi-user computer system (server) to administer the system or the services running on the system.
3.3. The management of end user devices and autonomous networks is not in scope. For further information on the use and operation of Autonomous Networks see the guidance on Autonomous Networks (staff access only).
4. Definitions
4.1. A member of the University: This is defined in University Constitution: Ordinance 9, section 7.
4.2. Audit logs: Records that document the actions performed on a system.
4.3. Computer system: In the context of this policy are defined as multi-user servers that are managed by System Administrators and Technical Service Managers. These systems include servers, networks, databases and applications, and underpin University services.
4.4. Endpoint detection: A method of monitoring devices to detect any malicious activity or threats.
4.5. Hypervisor: Also known as a virtual machine monitor (VMM), is software that enables multiple virtual machines (VMs) to run on a single physical machine by managing and allocating hardware resources like CPU, memory, and storage.
4.6. Least privilege: A security principle that restricts access rights for accounts to the minimum necessary for performing their duties.
4.7. Multi-Factor Authentication (MFA): A security process that requires users to provide two or more verification factors - something they know (password) and something they have (code, token, or biometric) - to access systems.
4.8. Penetration testing: A simulated cyberattack designed to identify and address vulnerabilities in a system.
4.9. Security hardening: A cybersecurity strategy that strengthens system security by reducing vulnerabilities and the attack surface, making it more difficult for attackers to exploit the system.
4.10. Single Sign-On (SSO): A secure authentication process that allows a user to access multiple applications with one set of login credentials.
4.11. System Administrators: Individuals given administrative access to computer systems who, along with technical service managers, are responsible for ensuring the on-going security of those systems. System administrators may be members (including associate and honorary) of IT Services or other University departments.
4.12. Technical Service Manager: A member of IT Services staff who is responsible for overseeing the maintenance and security of specific University services.
4.13. University IT Architecture Board (ITAB): A body responsible for approving ongoing and future designs of network and IT system configurations, ensuring they align with the University's security standards.
4.14. Vulnerability scanning: A process for identifying security flaws and weaknesses in IT systems, networks, and software.
5. Responsibilities
5.1. System Administrators: Must ensure they understand and comply with information security policies, especially relating to system management. They must manage and secure the University’s computer systems, apply security patches, maintain system hardening baselines, and ensure security event logging is operational. They must also report incidents promptly and ensure compliance with security protocols.
5.2. Technical Service Managers: Must ensure they understand and comply with information security policies, especially relating to system management. They must ensure the ongoing security and proper operation of University services, collaborating with system administrators where required. They are also responsible for overseeing security measures, applying security patches, ensuring system hardening, and managing security events and incidents.
5.3. IT Services: Must maintain secure baselines and provide guidance for best practice with regard to system management. They must maintain administrative access to all University computer systems to support compliance with policies and ensure the systems are secure. IT Services will also respond to incidents and ensure the overall security posture of the University’s systems.
5.4. University Staff with elevated privileges: Individuals who have been provided with administrator accounts or elevated privileges to manage systems or services must use these accounts in accordance with the ISP-08 User management information security policy.
5.5. University Members: Are responsible for understanding and complying with University policies regarding information security. They must use systems securely and report any security concerns or incidents that might compromise the integrity, confidentiality, or availability of University systems and data.
6. Duties and responsibilities
6.1. System Administrators and Technical Service Managers are in uniquely privileged positions and play a key role in ensuring the security of the University’s systems and services. They are expected to be aware of the University’s Information security policy in its entirety and must always abide by the policy.
6.2. System Administrators and Technical Service Managers are responsible for ensuring the on-going security of their systems and must apply security patches in a timely manner or with other compensatory control measures taken to mitigate risk, in line with the IT Services Patching policy. They are also responsible for ensuring system hardening (see Security Hardening) baselines are maintained and that security event logging and monitoring services are operational at all times.
6.3. System Administrators and Technical Service Managers are authorised to act promptly (within guidelines specified by change management) to protect the security of their systems but must be proportionate in the actions that they take, particularly when undertaking actions that have a direct impact on the users of their systems. Any actions that may be potentially invasive of users’ reasonable expectations of privacy must be undertaken in accordance with the University’s ISP-18 Investigation of computer use policy and the associated Guidelines for system and network administrators (PDF, 44kB).
6.4. System Administrators and Technical Service Managers are responsible for the raising of cyber operational risk where systems are unable to comply with this policy.
6.5. System Administrators and Technical Service Managers must immediately report any information security incidents to the IT Service Desk via an IT Ticket or the Information Security Team by emailing cert@bristol.ac.uk.
6.6. For the purpose of compliance to standards and policies, IT Services must maintain administrative access to all University computer systems, including those where System Administrators and Technical Service Managers are not members of IT Services.
7. Access control
7.1. Access to all computer systems must be via a secure authentication process, with the exception of read-only access to publicly available information. Wherever possible, authentication must be either via the University’s single sign on service or against the University’s central authentication database. Locally administered accounts should be avoided, except where dictated by best practice and approved by IT Services.
7.2. Access and level of account privilege must be granted and managed in accordance with the ISP-08 User management policy.
7.3. Administrator accounts must only be used when necessary, in order to undertake specific tasks which require the use of these accounts. At all other times, the principle of “least privilege” should be followed.
7.4. Use of administrator accounts (whether direct or indirect) should be conducted from University owned and managed devices via a trusted network only, unless a specific exception for risk is granted by Information Security Manager.
7.5. Multi-factor authentication should be used wherever available.
8. Security hardening
8.1. Systems should be built and deployed to agreed secure baselines (i.e., systems will be hardened - this may include hardware, network, application and OS hardening methods).
8.2. Baselines will be agreed with the University IT Architecture Board (ITAB) and will be defined for hypervisors (where relevant), containers, operating systems, applications and any required “middleware”. Baselines must be reviewed by ITAB annually.
9. Security event logging and monitoring
9.1. To support the visibility of systems to the teams responsible for the security of the University, all computer systems must have endpoint detection and secure operational logging enabled to standards agreed by ITAB.
9.2. Where operational constraints conflict with this requirement, any exception to this policy must have the risk and alternative mitigations documented and approved by the IT Services Senior Leadership Team.
9.3. The use and attempted use of all computer systems should be logged. The data logged should be sufficient to support the security, compliance and capacity planning requirements of the system but should not be unnecessarily intrusive. Users of systems should be given clear information of what information is recorded, the purposes of the recordings and the retention schedule of the data collected.
9.4. The UK data protection legislation requires that any personal data collected is collected for specific purposes and that it should be deleted when it is no longer needed.
9.5. It is recommended that log files are recorded on a different system from the system being monitored.
9.6. Audit logs should be configured to record any actions undertaken using administrator or elevated privileges. Audit logs should be secured to protect them from unauthorised modification.
10. Vulnerability scanning and penetration testing
10.1. All systems should be subject to regular vulnerability scans and after any significant change has been made to a system – based on standards agreed by the IT Architecture Review Board. These scans may be undertaken by authorised University staff, or by approved and authorised external assessors. Business critical systems and other systems used to process or store data classified as confidential or above should be subject to regular penetration testing by an approved external assessor.
11. System clocks
11.1. All system clocks must be synchronised to reliable time sources. These sources will be the University’s official internal time servers, with the exception of these official internal servers themselves which will be configured as per internal IT Services service designs.
12. Further guidance
- Guidelines for system and network administrators (PDF, 44kB)
- ISP-08 User management policy
- ISP-18 Investigation of computer use policy
- IT Architecture Board (ITAB) Terms of Reference (staff access only)
Request this policy in an alternative format
If you need this policy in a different format, email uob-policymanager@bristol.ac.uk. In your message, include the format you need, for example: plain text, braille, BSL, large print or audio.