Access Control Standard
Number: 8060.0 | Revised: August 15, 2010
Access control is a critical information security process that forms the basis of the authority used to determine that access to confidential information is limited only to authorized users and those who need such access to complete their work as a faculty member, staff member, or student. The basis for implementation of campus access controls is coordinated implementation of a campus-wide identity management system, wherein the identities, roles, and authorities of all users are maintained using consistent standards and policies. The campus identity management system is managed by the Information Resources and Technology division.
Identity management has the following four essential access control components that are managed as described below:
User Account Management
Access Control Management
Physical Access Control
User Account Management
Unless otherwise authorized by the Information Security Office, all users of campus information assets must use a unique SacLink account credential assigned only by the campus identity management system. This user credential must always be used with at least one factor of authentication (typically a standard SacLink password). Alternate methods for creating unique user accounts are not permitted, with the exception of approved use for official auxiliary organization accounts that have approved account processes. All such auxiliary account systems must otherwise conform to all campus access control policies, practices and guidelines.
Such unique campus accounts may be provisioned up to three (3) months before the start of employment by providing hiring manager approval for the new account, along with required identity information, to the Service Desk (87337). Such pre-authorized accounts must be deprovisioned in the event the new employee is not entered into the HR database as a valid employee by the intended hiring date.
IRT identity management staff will establish automated SacLink account provisioning systems that will allow new employees to self-initiate establishment of new accounts online, including establishment of the user’s unique SacLink ID and password.
IRT identity management staff will provide all incoming students with a unique SacLink account at the time of application and will establish automated SacLink account provisioning systems that will allow all students to self-initiate establishment of new accounts. Alternate methods for establishment of unique student accounts are not permitted.
Human Resources is responsible for informing the Information Security Officer about employees who separate from the university or experience a change in their job duties. The ISO is responsible for timely deprovisioning or changing of accounts and account access controls for such employees. Human Resources has established the following procedures, effective August 20, 2010:
Employees (staff, management or faculty) on leaves of absence: SacLink accounts for employees on a leave of absence will be retained; however, access to other critical job-related campus information resources will be restricted or removed when employees are on a leave of absence. Please note this does not apply to faculty on sabbatical or difference-in-pay leaves or faculty in FERP. This is a new procedure that will allow employees to maintain contact with the campus and provide access to their online information but will enhance information security by removing access to information that is not needed while the employee is on leave.
Employees (staff, management or faculty) ending appointments with the University: SacLink accounts for separated employees will be revoked by the close of business on the effective date of separation. This includes e-mail access and any other access permissions to campus information resources assigned to an employee, such as file share and CMS. This action will be taken automatically based on submitted PTFs. Please note that current emeritus faculty will not have their existing SacLink accounts changed; however, faculty retiring after August 30, 2010, who have emeritus status conferred on them upon their retirement may opt to maintain a special emeritus branded e-mail account through the University. FERP faculty will have continued access to SacLink during the entire period of their FERP participation. Also, special arrangements will be made to maintain campus SacLink accounts for temporary faculty for a reasonable period of time after the last day of employment, to allow for continued communication with the department and former students.
To effectively manage these important changes, departments and program center managers will need to be promptly informed of changes in employment status for those employees they supervise. In addition, timely communication of changes to the Office of Human Resources via already established mechanisms will assist the University in safeguarding confidential and critical campus information.
The following limited exceptions apply:
Temporary Staff may retain account access for up to three (3) weeks if their contract is being renewed.
Faculty may retain account access for up to four (4) months if needed to complete outstanding duties.
Access to systems containing Level 1 data and/or critical systems must be disabled while employees are on extended leave prior to separation.
Guest and Shared Accounts:
All “guest”, generic, or shared accounts on campus information systems or network resources must be disabled or removed by December 15, 2010 unless specifically authorized in writing by the Information Security Officer. The passwords for any remaining guest, generic or shared accounts must be regularly changed according to a schedule assigned by the Information Security Officer.
The Identity Management group must establish processes for re-enabling or resetting user accounts once they have been disabled. User identity must be appropriately verified prior to re-enabling, reassigning or resetting user accounts.
System Administration Accounts:
System administrators of campus information systems and network resources must use unique and individual SacLink System user accounts on the information systems and network resources they administer or use approved utilities such as “sudo” or “Run As” to perform system administration tasks. SacLink System user accounts must not be used for non-administrative uses (e.g., browsing the Web while logged in as administrator).
The Information Security Office has established criteria for requesting sponsored and application-level access accounts. Such accounts apply only in limited circumstances when regular SacLink accounts are not available or advisable. Request forms and instructions are available on the web at http://www.csus.edu/security/accounts. These accounts must be assigned appropriate stewards, have an end-date, be approved by the Information Security Officer and reviewed annually.
Workstation Administrator Accounts:
Use of workstation administrator accounts or assignment of workstation administrator rights to unique SacLink accounts must be limited only to situations where the employee requires administrator rights to perform assigned essential work. Only the Information Security Officer is permitted to define acceptable use of workstation administrator rights. Unless specifically authorized through the risk mitigation process, workstation administrator accounts should not be assigned and must not be used for non-administrative purposes.
Access Control Management
Access control management is the activity of designing, implementing, updating and auditing user access to information resources. All campus access control management is under the authority of the Information Security Officer (ISO). Implementation of program center access control is typically conducted as close to the user as possible and is often assisted by local Access Control Administrators (ACA). However, authority over access controls is always specifically delegated by the ISO to program center ACAs, and all activity of such ACAs must take place at all times under policies, practices, and guidelines established by the ISO.
Access Control Administrators (ACA)
Access control is carried out by three categories of administrators:
Authentication Control – Administrators who provide and manage user accounts used for authentication of identity.
Critical Access Control – Administrators who manage critical systems that typically handle Level 1 and Level 2 data (e.g., public health and safety, network infrastructure, telecommunication, SacCT, uPortal, etc.).
System Access Control – Administrators who manage business systems’ operating systems, applications and/or databases not classified as critical.
As an authorized campus Access Control Administrator (ACA) you must:
Proactively identify your role as an ACA to the Information Security Officer.
Review and take action on access control communications from the ISO or Human Resources. The established campus procedure for Human Resources to communicate employee termination and other employee status changes that impact access control administration. ACAs who perform duties in the Authentication Control and/or Critical Access Control categories will receive daily notification of changes. ACAs in the Access Control category will likely receive only weekly notifications.
Document access control procedures for systems under your administration. For additional information, please see the User Provisioning and Deprovisioning training.
All access control procedures must address the following requirements:
Access to confidential or Level 1 data cannot be granted until the end user has completed a signed confidentiality agreement with Human Resources and has completed all required Information Security Training.
Clearly identify staff authorized for administrating access control.
Identify staff responsible for responding to risk assessment questionnaires and other inquiries from the Information Security Office.
Identify program center managers responsible for authorizing access to campus data you manage and/or control.
Define the steps to take when change in employment status (e.g., termination or position change) requires that an ACA review the user’s logical access rights, and if necessary, modify or revoke them.
Document all changes to user accounts (i.e., account termination, creation, and changes to account privileges) on campus information systems or network resources (except for password resets). The documented changes must be approved by appropriate campus personnel and formally documented. Notifications from the access control listserv are considered formal approval to make a change to user accounts.
Define the steps for separated employees to request and obtain personal information prior to their separation.
Verify that items granting physical access such as keys and access cards are collected from the separating employee.
Include an annual review and formal certification of access control authority. Evidence will be provided to the Information Security Office as part of the campus risk management program.
Maintain an up-to-date access list of employees granted physical access to a limited‐access area.
Maintain all cryptographic keys used by users so that access to all data is maintained after separation of employees.
Notify the Information Security Office immediately of any suspected incidents.
Document an authorized exception process if access is not immediately removed from accounts upon separation. Any exception process must be approved by the Information Security Officer. Exceptions must identify the date when the exception will be closed and the account removed.
Maintain a change log to reflect updates and changes to access control.
If an employee is changing jobs, it is the responsibility of the employee’s new manager (if the job change involves a management change) or existing manager to identify and define the access privileges needed by the employee to perform the new job. All other access must be removed.
Adequate password management is a critical aspect of access control. All campus password management is carried out under the authority of the Information Security Officer. All passwords must have a minimum length of any twelve (12) U.S. keyboard characters, with the passphrase being the preferred method for achieving this length. Those having elevated access to confidential information (e.g., access control administrators, systems administrators, etc.) are encouraged to use longer passphrases.
All SacLink passwords must also:
Be changed at least annually
Passwords with elevated access and privileges to the campus fiscal system must be changed every 120 days.
Be managed using the official campus password management system found at password.csus.edu
Program centers identifying a need for passwords in addition to SacLink should first check with the Information Security Office to ascertain the availability of SacLink passwords and IDs as an authentication method. All passwords must have a password change schedule approved by the Information Security Officer based upon a risk assessment.
Campus passwords may never be displayed, transmitted, or stored in clear text.
All servers and network devices must be kept in a secure location. The location entry must be locked and access must be restricted to a limited set of authorized administrators. Locations with servers must be protected by an alarm system that notifies Public Safety and administrative staff of unauthorized access. An access log must be in place to track all entry to and exit from the secured area. This access log must track time in, time out, name of individual accessing the location, supervising administrator and initials of supervising administrator. All server and network device locations must be registered with the Information Security Office for risk review, compliance and authorization.
Backup tapes must be stored in a locked, dry, fireproof area and controlled by an access log to ensure proper audit of tapes. Encryption keys or passwords for backed up data must not be stored with backup tapes and must be accessible to more than one employee.
Physical access to Level 1 data must be restricted at all times to a ‘need to know’ basis. Documents with Level 1 data must never be left unattended or openly accessible. Documents containing Level 1 or critical information should be kept in a locked secure cabinet or room with limited access.
Physical access to non-public campus resources must be removed immediately upon separation. Exceptions must be documented and approved as described in the User Management Section above.
Access to physical locations containing Level 1 data and/or critical systems must be disabled while employees are on leaves of absence or extended leave before retirement.