Access Control Supplemental Policy
Number: 8060.0 Revised: August 15, 2010
All campus employees implementing and supporting authentication and access control processes must comply with the campus Access Control Standards, as defined by the Information Security Officer. All account provisioning and de-provisioning campus-wide must take place only under standards set by the Information Security Officer and must use the defined campus-wide identity management system. All accounts will be housed only in the unified University Active Directory Domain, unless written exceptions are approved through the Information Security Officer.
All campus users of information and network systems will be provided a unique campus-wide account that must be used for computer and network access. Sacramento State prohibits any sharing of accounts used for access to information and network systems, unless such shared accounts are approved in writing by the Information Security Officer as meeting a business or instructional need that cannot be provided by more secure means. Any such approved shared accounts must be assigned a designated owner responsible for all shared account activity and must be reviewed and approved annually by the Information Security Officer.
Administrative accounts for all computers, information and network system access and control must be established only using standards and procedures required by the Information Security Officer. Such administrative accounts must only be used when elevated permissions are required for authorized business needs and must not be used on unsecured systems. Local administrative access may be removed when it does not conform to this policy.
On at least an annual basis, all users must update their campus password using the official campus-wide password management program. Password strength and configuration requirements will be established only by the Information Security Officer.
All exceptions to the above access control policies must be approved in writing using the procedures identified in Section 8000.200.
8060.200 Granting Access
Secure authentication controls must be used for all access to campus information assets that access, store or distribute Level 1 or Level 2 data. Access to Level 3 data may also be subject to secure authentication controls, as defined by the Information Security Officer.
8060.300 Separation of Duties
Review, implementation and enforcement of required separation of duties principles and processes for the handling of Level 1 and Level 2 data is delegated to the Information Security Officer, with all related actions certified in writing to the Vice President and Chief Information Officer and reported to the President. All processes used for account handling and authentication must maintain an appropriate level of separation of duties when issuing credentials to individuals who have access to information assets containing Level 1 and Level 2 data. The campus must avoid issuing credentials that allow a user greater access to or authority over information assets than is required by the employee’s properly assigned job duties.
On at least an annual basis, Sacramento State will complete a formal campus-wide process to review, monitor, and ensure compliance with separation of duties and access controls for critical systems.
8060.400 Access Review
The Information Security Officer will develop procedures to detect unauthorized access and privileges assigned to users that exceed the required access rights needed to perform their job functions.
All access rights for Level 1 and Level 2 data and other elevated access must be reviewed annually and the results of such reviews documented by the Information Security Officer and reported to the Vice President and Chief Information Officer.
Users who access Level 1 or Level 2 data as defined in the CSU Data Classification Standard must sign an approved system-wide confidentiality (non-disclosure) agreement, with special attention to staff members who are granted elevated access.
8060.500 Modifying Access
All transfers and other changes in employment status affecting data access rights must be reported to the Information Security Officer in a timely manner. All required changes in account access and account privileges must be made promptly in the central campus identity management system.