Information Security Office

Managing Third Parties
CSU Policy
Number: 8040.0 Revised: April 19, 2010

Policy Objective

The CSU Information Security policy provides direction and support for managing third party relationships and guidance for granting access to third parties.

Policy Statement

100 Managing Third Parties

Third parties who access CSU information assets must be required to adhere to appropriate CSU and campus information security policies and standards. As appropriate, a risk assessment must be conducted to determine the specific implications and control requirements for the service provided.

200 Granting Access to Third Parties

Third party service providers may be granted access to campus information assets containing protected data as defined in the CSU Data Classification Standard only when they have a need for specific access in order to accomplish an authorized task. This access must be authorized by a designated campus official and based on the principles of need-to-know and least privilege.

Third party service providers must not be granted access to campus level 1 or level 2 information assets as defined in the CSU Data Classification Standard until the access has been authorized, appropriate security controls have been implemented, and a contract/agreement has been signed defining the terms for access.
