Skip to Content

Information Security Office

Access Control Standard

Access control is a specific security topic that governs the authority and responsibility to control access to physical and electronic campus resources.  It’s principles are to provide access only to those users that require access (need-to-know) as well as limit those that require access to only be able to read, modify and delete based on need (least privileged access).  To implement and support access control a formal a process must be created and adopted.

Access Control Administrator (ACA)

This applies to three categories of administrators:

  • Authentication Control – Administrators who provide and manage user accounts.
  • Critical Access Control – Administrators who manage critical systems, e.g. public health and safely, network infrastructure, telecommunication, systems with level 1 data, SacCT, uPortal, etc.
  • Access Control – Administrators who manage business system’s operating systems, applications and/or databases not classified as critical.  This does not included academic or class oriented systems.

As a campus Access Control Administrator (ACA) you must:

  1. Identify your role and categories as an ACA to the Information Security Office through the online form.
  2. Review and take action on access control listserv communications.  This is the established campus procedure for Human Resources to communicate employee termination and other status changes that impacts access control administration. ACA who are in the Authentication Control and/or Critical Access Control categorized will receive daily notification. ACA in the Access Control category only will receive weekly notifications.
  3. Document access control procedures for systems under your administration. For additional resources please see the User Provisioning and Deprovisioning training.

The procedure must:

  • Identify staff responsible for maintaining procedures and administrating access control.
  • Identify staff responsible for responding to risk assessment questionnaires and provide evidence to the Information Security Office.
  • Include steps to take when change in employment status (e.g., termination or position change) that require ACA review user’s logical access rights to be reviewed, and if necessary, modified or revoked. 
  • Allow for separated employees to obtain such incidental personal electronic information as appropriate. 
  • Document all changes to user accounts (i.e., account termination, creation, and changes to account privileges) on campus information systems or network resources (except for password resets) must be approved by appropriate campus personnel.  Such approval must be formally documented.   Notifications from the access control listserv are considered formal approval to make a change to user accounts.
  • Verify that items granting physical access such as keys and access cards are collected from the exiting employee.
  • Include an annual review and formal certification by the system Owner and/or Data Owner.  Evidence will be provided to the Information Security Office as part of the risk management program.
  • Maintain an access list that grants employee physical access to a limited‐access area on the campus and must be updated appropriately to reflect the change in employment status.
  • Address if an employee has used cryptography on data belonging to Sacramento State, he or she must provide the cryptographic keys to the manager by the last day of employment.
  • Notify the Information Security Office of a suspected incident. Report a IT Incident
  • Document an exception process if access is not immediately removed from accounts upon termination.  Exception process must be approved by the Dean/Vice President. Exceptions must identify the date when the exception will be closed and the account removed.
  • Maintain a change log to reflect updates and versioning of the procedures.

If an employee is changing jobs, it is the responsibility of the employee’s new manager (if the job change involves a management change) or existing manager to identify and define the access privileges needed by the employee to perform the new job.  This means that unless a formal request, access must be removed to systems that are not required for the new position.

Register now if you are an Access Control Administrator