 |
| Managing Third Parties CSU Policy |
Number: 8040.0 Revised: April 19, 2010 |
Policy Objective
The CSU Information Security policy provides direction and support for managing third party relationships and guidance for granting access to third parties.
Policy Statement
100 Managing Third Parties
Third parties who access CSU information assets must be required to adhere to appropriate CSU and campus information security policies and standards. As appropriate, a risk assessment must be conducted to determine the specific implications and control requirements for the service provided.
200 Granting Access to Third Parties
Third party service providers may be granted access to campus information assets containing protected data as defined in the CSU Data Classification Standard only when they have a need for specific access in order to accomplish an authorized task. This access must be authorized by a designated campus official and based on the principles of need-to-know and least privilege
Third party service providers must not be granted access to campus level 1 or level 2 information assets as defined in the CSU Data Classification Standard until the access has been authorized, appropriate security controls have been implemented, and a contract/agreement has been signed defining the terms for access.
Continue to the Sacramento State Supplemental Policy
Back to to Sacramento State Information Security Policy Website