Skip to site content

Chapter 19 - Least Privilege

Part 8 - Information Resources Management

Title Section
Introduction 8-19.1
    Purpose 8-19.1A
    Background 8-19.1B
    Authorities 8-19.1C
    Policy 8-19.1D
    Scope 8-19.1E
    Definitions 8-19.1F
Responsibilities 8-19.2
    Indian Health Service Employees and Contractors 8-19.2A
    System Owners 8-19.2B
    Information System Coordinators 8-19.2C
    Information System Security Officers 8-19.2D
    System Administrator 8-19.2E
    Supervisors 8-19.2F
Procedures 8-19.3
    Elevated System Privilege Accounts 8-19.3A
    Specific Access Privileges 8-19.3B
    Authorized Access 8-19.3C
    Unauthorized Access 8-19.3D
    Periodic Review 8-19.3E
    Site Emergencies 8-19.3F


  1. Purpose.  The purpose of this chapter is to establish the policy and procedure for ensuring that assigned information resources are limited to employees who need those resources to perform their job duties.  The information security principle of least privilege will be applied to the allocation of access rights.
  2. Background.  Excessive or uncontrolled access to Information Technology (IT) resources can lead to the unauthorized or unintentional disclosure, modification, or destruction of those resources, as well as individual liability for negligence in protecting those resources.
  3. Authorities.
    1. 44 United States Code (U.S.C.) § 3541, et seq., the Federal Information Security Management Act of 2002, December 17, 2002.Exit Disclaimer: You Are Leaving 
    2. 5 U.S.C. § 552a, The Privacy Act of 1974, as amended, Public Law (P.L.) 93-579, December 31, 1974Exit Disclaimer: You Are Leaving .
    3. National Institute of Standards and Technology (NIST) Special Publication 800-53 Recommended Security Controls for Federal Information Systems, (Revision 3) August 2009Exit Disclaimer: You Are Leaving .
    4. Office of Management and Budget Circular A-130, Appendix III, "Security of Federal Automated Information Resources," November 28, 2000Exit Disclaimer: You Are Leaving .
    5. Department of Health and Human Services (HHS), Office of the Chief Information Officer, Policy for Information Systems Security and Privacy, June 25, 2009Exit Disclaimer: You Are Leaving .
    6. Part 8, Chapter 9, "Establishing an Incident Response Capability," Indian Health Manual
  4. Policy.  It is the policy of the IHS that each IT user will be authorized the most restrictive set of privileges or access needed for performing authorized tasks.  All elevated system privilege accounts must be controlled and limited to Office of Information Technology (OIT) support personnel, Area Information Systems Coordinators (ISC), or their designated alternates.
  5. Scope.  This policy applies to all IHS information system users, owners, custodians, and business associates, as well as access to any IHS information system.  Authorized personnel who have a legitimate need to use those resources shall be granted access to specific IT resources in the performance of job duties or responsibilities.  Any access privilege granted will be limited only to the information resources required to do the job.
  6. Definitions.
    1. Access.  Access is the right to enter, view, instruct, communicate with, store data in, retrieve data from, or otherwise make use of specific information resources.
    2. Access Privilege.  A specific activity that a user has been granted access in order to view or modify an information resource.
    3. AKMOEVE.  AKMOEVE is a menu name and is not an acronym.  AKMOEVE is the IHS Resource and Patient Management System (RPMS) standard menu for system management that includes the following submenus:  Device Management, Department of Veterans Affairs (VA) FileMan, Manage Mailman, Menu Management, Programmer Options, Operations Management, Spool Management, Information Security Officer Menu, Taskman Management, and User Management.
    4. Elevated System Privilege Account.  An account assigned to those with sufficient access to bypass the internal controls of the target platform.  In RPMS this is illustrated where a user has the @ sign as a FileMan access code, the ability to create menus and assign keys with Menuman, and access to system management tasks such as the AKMOEVE menu or ability to reach programmer (command line) mode. In windows, this is illustrated where a user account has either administrator or power-user privileges.
    5. FileMan Access Code.  A character string describing the user's security clearance with regard to files, to templates, and to data fields within a file.
    6. Information System Coordinator.  An Information System Coordinator (ISC) is appointed within his/her respective organization (including Area and Regional Offices) to facilitate, coordinate, and support the ongoing operation of the RPMS, office automation, and telecommunications management infrastructure.
    7. Information System Security Officer.  Each Information System Security Officer (ISSO) is appointed within his/her respective organization, including Area and Regional Offices to ensure that the appropriate operational security posture is maintained for an information system or program.
    8. Least Privilege.  Granting users only the minimum privileges required to provide the level of access needed to perform their official duties.
    9. MenuMan.  An RPMS menu management function contained within the VA Kernel that allows for the creation of menus, the assignment of specific menus to specific authenticated users, and the management of menu security keys.
    10. Resource and Patient Management System.  The RPMS is an easy and integrated way to effectively manage resource and patient information.  The RPMS is an integrated solution for managing clinical, business, and administrative information in the Indian health care delivery system.  It has flexible hardware configurations, over 50 software applications, and appropriate network communication components that combine to provide comprehensive clinical, financial, and administrative solutions.
    11. System Owner.  A system owner is an IHS official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.
    12. System Permissions.  The technical configuration that enables an individual to perform certain actions on information resources.
    13. VA Kernel.  The VA Kernel is a set of programs contained in a simple software layer, developed by the VA, United States Government, which provides an operating system and implementation independent abstraction to the RPMS Hospital Information System.  Because of this simple software layer, the RPMS software architecture has been able to adapt to changing hardware environments over the decades with only the minimum amount of software changes.  The VA Kernel provides the following in the RPMS environment:
      1. Menu Management (MenuMan)
      2. Electronic mail, group conferencing, transaction processing (MailMan)
      3. Login and Access Security
      4. Task scheduling and Batch processing
      5. Input/Output devices
      6. Protocol and Event processing
      7. Data processing and manipulation
      8. Mathematical and common library functions


  1. Indian Health Service Employees and Contractors.  All IHS employees, contractors, and business associates are responsible for understanding the IHS information resource access policies and procedures.  All IHS employees and contractors are responsible for:
    1. Accessing only those resources for which they are authorized and using information resources in accordance with their job function and IHS policy.
    2. Notifying their supervisor or the IT department?s manager or supervisor if they find that their access to resources is beyond what is actually needed to perform the job assigned, so the access can be adjusted.
    3. Accurately completing the Information Technology Access Control (ITAC) form.
    4. Immediately reporting suspected violations of this policy to their supervisor or local or Area ISSO.
  2. System Owners.  All system owners are responsible for:
    1. Determining and documenting who will be granted access to the system based on job responsibilities.
    2. Determining what rights and privileges each user will be granted.
    3. Granting users the fewest possible privileges necessary for job performance to ensure privileges are based on a legitimate need.
    4. Ensuring that the resources and systems are protected against unauthorized access.
    5. Periodically reviewing access permissions, but no less than annually.
  3. Information System Coordinator.  An ISC functions (in general) as a member of the IHS Area Office or Regional Office senior management team.  The ISC fully participates in the total planning, programming, and operation of Area Office or Regional IT resources management and support services programs.  Information System Coordinators are responsible for maintaining a current list of each IT user with elevated system privilege accounts and the name and location of the associated system.
  4. Information Systems Security Officers.  Information System Security Officers form a critical first-line defense against viruses and other computer security threats.  The ISSOs collaborate across IHS on the confidentiality, availability, and integrity of IHS electronic information resources.  The ISSOs are the points of contact for those reporting suspected and confirmed computer security incidents.  Information System Security Officers are responsible for:
    1. Screening privileged users (i.e., individuals who are authorized to bypass significant technical and operational controls) before they access systems and every two years thereafter.
    2. Completing an annual review of all the ITAC forms to ensure supervisors have reviewed employee access within the past year.
    3. Conducting semi-annual inventory audits of all users who have elevated system privilege accounts.
  5. System Administrators.  System Administrators are responsible for:
    1. Assisting system owners with controlling access to their resources.
    2. Promptly removing access from a system when requested.
    3. Reporting any unauthorized accesses that they discover to their supervisor or local ISSO.
  6. Supervisors.  Supervisors are responsible for:
    1. Ensuring users do not have unnecessary permissions, access, capabilities, or rights that are not required for them to do their jobs.
    2. Ensuring each user is authorized the most restrictive set of privileges or access needed for performing authorized tasks.
    3. Reviewing and approving the ITAC form annually for appropriate access.
    4. Ensuring all access and privileges to IHS systems, networks, and facilities are immediately revoked when employees or contractors temporarily or permanently separate from the IHS (e.g., terminate, resign, take a leave of absence) or are reassigned within the organization.


  1. Elevated System Privilege Accounts.  All IT users with elevated system privilege accounts will be controlled and limited to those individuals with a true business need for access.
  2. Specific Access Privileges.  Users must be granted specific access privileges on each system, limited to those privileges required to perform their job functions and responsibilities.  Supervisors must analyze the duties performed by their employees to verify that users only have the system privileges that are needed to perform their assigned duties.
  3. Authorized Access. Users will only access resources to which they have been authorized, regardless of actual system permissions.
  4. Unauthorized Access.  Users will not circumvent the permissions granted to their accounts in order to gain access to unauthorized information resources.
  5. Periodic Review.  System Administrators, System Owners, and the ISSO will periodically review user privileges and modify, revoke, or deactivate access as appropriate.
  6. Site Emergencies.  In the event of a site emergency, it is possible that staff will need to be provided with elevated system privilege user access to perform trouble shooting activities.  In this situation, the ISC is responsible for ensuring that all compromised passwords are changed and access is removed immediately following the resolution of the emergency.