Information Security Office
Information Security Risk Management
Data Authorization
Number: 8020.0 Revised: August 15, 2010

Sacramento State retains ownership or stewardship of all campus data and reserves the right to limit access to this information and to use appropriate means to safeguard this information. In particular, all Level 1 and Level 2 data (see Data Classification Standard) must be released and handled in a manner authorized by valid data owners/managers.

The following steps describe the process that must be followed when requesting authorization to use Level 1 and/or Level 2 data outside the campus data owner/manager's control.

Key Consideration

When requesting access to Level 1 and 2 data, procedures for ensuring the data is securely handled and destroyed must be defined prior to release of the data. In all cases, the request should first consider use of existing secure campus data repositories and reports as an alternative to release of the data. In addition, if it is determined that existing repositories do not meet the need, a restricted “view only” form of data should then be considered before a raw data feed is requested. All access must be limited to strict need-to-know for approved business purposes.

Campus Data Managers:

Data Type: Primary Data Manager and Designees

  • Employee: Vice President, Human Resources

  • Student: Vice President, Student Affairs & Registrar

  • Financial: Vice President & Chief Financial Officer & Controller

  • Auxiliary: Senior Manager of applicable auxiliary

  • Legal: University Counsel

  • Other: Vice President & Chief Information Officer

Procedure For Data Release

  1. Identify approved business use of Level 1 and Level 2 data.

  2. Contact the Data Owner to discuss data needs.

  3. Review available alternatives to release of the data (see above).

  4. Request authorization for data release if alternatives are not available.

  5. Data owner will submit a written approval form for data release that must certify that: a) alternatives to release are not feasible; b) the release is required for an approved business need; c) the time period during which the data is available; d) prohibition of further release of the data; and e) procedures for destruction of the data when required work is completed.

  6. Submit approval form to the Information Security Office.

System Requirements to House Level 1 and 2 Data

Systems that house level 1 and level 2 data must be compliant with the following security control requirements or have acceptable and authorized compensating controls approved by the ISO. Non-compliant systems must have Level 1 and 2 data removed until compliance is achieved. New systems intended to store Level 1 and 2 data must be certified compliant by the ISO before being acquired or deployed.

Hardened

This category encompasses activities and information that indicate the system has been appropriately built and configured.

  • An authorized baseline image has been used to build the system.

  • The system must be configured to run only those services required to provide the authorized services.

  • Access to system resources must be restricted to those users who require access.

  • Network access must be restricted by protocol, port and properly scoped source IP addresses at the host.

  • The system must be configured with a campus authorized anti-virus program.

  • The system may not use unencrypted protocols to communicate with other systems or users.

  • All servers supporting the system must be located in the central IRT data center.

Managed

This category encompasses activities and processes that ensure that the system is properly managed and maintained while in operation.

  • The system administrator follows the campus change management procedures ensuring that all changes are tested, documented, communicated, approved and implemented appropriately.

  • The system administrator follows the campus patch management procedures ensuring that all patches are tested and entered into the change management system.

  • The system administrator tracks all access requests, approvals, auditing, provisioning and deprovisioning of users accessing resources on the system.

  • The system administrator follows the campus log management procedures ensuring that all log options are appropriately configured, reviewed, reported, archived and pruned in accordance with the data retention standard.

  • The system administrator removes all level 1 and level 2 data once their authorized time use has passed.

Monitored

This category encompasses the activities and processes that ensure that the system is properly monitored for problems and unauthorized activities. Irregularities and security breaches must be reported to the Information Security Office immediately upon discovery or notification. Critical security events must trigger an alert to the appropriate administrator, or logs must be reviewed on a daily basis.

  • The system administrator checks the user access logs.

  • The application administrator, or system administrator, checks the application logs.

  • The database administrator, or system administrator, checks the database access logs.

  • The system administrator monitors the system for unapproved and/or undocumented changes.

  • The system administrator monitors the data access logs.

Training/Agreement

This category encompasses the training and agreements required to allow the system to house the confidential information that has been requested.

  • The system administrator has been trained on the proper handling procedures for level 1 and level 2 data.

  • The system administrator has been trained on the appropriate use of level 1 and level 2 data by end users.

  • The system administrator has been trained on the proper disposal and deprovisioning procedures for level 1 and level 2 data.

User Control Categories

Users accessing level 1 and level 2 data have the duty to protect that information while in their possession or use. This section outlines the requirements users must meet in order for the system to be considered in compliance with requirements. Users (or user groups) will be marked either as Compliant or Non-Compliant with each control category. A Compliant denotation indicates that the user(s) meets or exceeds the controls identified in the following security categories. Additional controls or deviation must be documented in the Compensation/Additional Controls field.

Access Control

The principle of least privilege states that users should have access only to that information which they are required to have in order to perform their duties for a prescribed time. Access must be authorized by the appropriate data owner prior to the provisioning of users for data access.

  • Users must be authorized by the data owner

  • Users must be regularly reviewed for expiration of authorization and access removal

  • Access activities must be logged by the system administrator

Monitored

This category encompasses the activities that must be monitored by the system administrator for all users accessing level 1 and level 2 data. Irregularities and security breaches must be reported to the Information Security Office immediately upon discovery or notification.

  • Logins and logoffs (success and failures)

  • Read/Write/Delete access to level 1 and level 2 data

This also includes activities to monitor use of the data by supervisors and managers. Data must not be left on monitors or printed copies left in the open. Data must not be archived or printed unless authorized and securely stored and destroyed at the defined retention period. Inappropriate use or non-compliance with appropriate use must be reported to the Information Security Office.

Training/Agreement

This category encompasses the training and agreements required to allow end-users access to level 1 or level 2 data residing on the system.

  • The end user has been trained on the proper handling procedures for level 1 and level 2 data.

  • The end user has signed a confidentiality agreement with the University and the agreement is on file with Human Resources.

  • The end user has received current Information Security Training.