Information Security Office

Data Authorization

Overview

Sacramento State has a duty to protect all level 1 and level 2 data (see Data Classification Standard) entrusted to its care.  Sacramento State retains ownership or stewardship of this data and reserves the right to limit access to this information and to use appropriate means to safeguard this information.

The following steps describe the process that must be followed when requesting authorization to use level 1 and/or level 2 data in program centers and colleges outside the campus data owner's control.

Campus Data Owners:

Data Type | Primary Data Owner and designees
Employee | Vice President, Human Resources
Student | Vice President, Student Affairs; Registrar
Financial | Vice President & Chief Financial Officer; Controller
Auxiliary | Executive Director
Legal | University Counsel

Procedure

  1. Identify business use of level 1 and level 2 data.

  2. Complete Data Authorization Form.

    1. Download the data authorization form here

  3. Submit to Information Security Office for processing.

  4. Obtain Authorization from appropriate campus data owner.

  5. File in Risk Management system managed by the Information Security Office.

  6. Review annually, with ongoing monitoring, and report issues.

Completing the Data Authorization Form

In the Title field enter a brief description of your request.

  1. In the Business Justification field document the need for this data in order to meet Sacramento State’s core mission and campus academic and administrative goals.  

  2. The next section is broken up into 2 groups: System and User.

    1. Document the hardware/server/application that the data will reside on.

      1. Identify the hardware/server name.

      2. In the Data Element/Source field identify the level 1 and level 2 data that is required and the source system name of that data.

      3. In the Data Use field identify the service the system will provide with the requested data.

      4. In the Security Control Categories field indicate if the system is Compliant or Non-compliant within the categories.  If non-compliant, indicate compensating controls below.  See the System Control categories below for a complete description.

      5. If the systems require different data, use or security controls, copy and insert another row into the table.
    2. The User group is used for documenting what employees/user base will use the data.

      1. Identify the job title of the user that will be working with this data or describe the user base if there may be a group of users working with this data.

      2. In the Data Element/Source field identify the level 1 and level 2 data that is required and the source system of that data.

      3. In the Data Use field identify the service the user will provide with the data.

      4. In the Security Control Categories field indicate if the system is Compliant or Non-compliant within the categories.  If non-compliant, indicate compensating controls below.  See User Control Categories below for a complete description.

      5. If the users require different data, use or security controls, copy and insert another row into the table.

  3. In the Identified risks/control issues/concerns field enter brief details about known or projected risks, issues or concerns.

  4. In the Compensating/Additional Controls field enter any existing controls that you are aware of that would lessen the campus risk from the risks, issues or concerns indicated above.

  5. Read and complete the Requester section of the form.

Security Control Categories Descriptions

System Control Categories

Systems that house level 1 and level 2 data must be compliant with the following security control requirements or have acceptable and authorized compensating controls before access will be granted to the requested information.  Systems will be marked either as Compliant or Non-Compliant with each control category.  A Compliant denotation indicates that the system meets or exceeds the controls identified in the following security categories.  Additional controls or deviations must be documented in the Compensating/Additional Controls field.

Hardened

This category encompasses activities and information that indicate the system has been appropriately built and configured.

  • An authorized baseline image has been used to build the system.

  • The system must be configured to run only those services required to provide the authorized services.

  • Access to system resources must be restricted to those users who require access.

  • Network access must be restricted by protocol, port and properly scoped source IP addresses at the host.

  • The system must be configured with a campus authorized anti-virus program.

  • The system may not use unencrypted protocols to communicate with other systems or users.

  • All servers supporting the system must be located in the central IRT data center.

Managed

This category encompasses activities and processes that ensure that the system is properly managed and maintained while in operation.

  • The system administrator follows the campus change management procedures ensuring that all changes are tested, documented, communicated, approved and implemented appropriately.

  • The system administrator follows the campus patch management procedures ensuring that all patches are tested and entered into the change management system.

  • The system administrator tracks all access requests, approvals, auditing, provisioning and deprovisioning of users accessing resources on the system.

  • The system administrator follows the campus log management procedures ensuring that all log options are appropriately configured, reviewed, reported, archived and pruned in accordance with the data retention standard.

  • The system administrator removes all level 1 and level 2 data once their authorized time use has passed.

Monitored

This category encompasses the activities and processes that ensure that the system is properly monitored for problems and unauthorized activities.  Irregularities and security breaches must be reported to the Information Security Office immediately upon discovery or notification.  Critical security events must trigger notification of the appropriate administrator, or logs must be reviewed on a daily basis.

  • The system administrator checks the user access logs.

  • The application administrator, or system administrator, checks the application logs.

  • The database administrator, or system administrator, checks the database access logs.

  • The system administrator monitors the system for unapproved and/or undocumented changes.

  • The system administrator monitors the data access logs.

Training/Agreement

This category encompasses the training and agreements required to allow the system to house the confidential information that has been requested.

  • The system administrator has been trained on the proper handling procedures for level 1 and level 2 data.

  • The system administrator has been trained on the appropriate use of level 1 and level 2 data by end users.

  • The system administrator has been trained on the proper disposal and deprovisioning procedures for level 1 and level 2 data.

User Control Categories

Users accessing level 1 and level 2 data have the duty to protect that information while in their possession or use.  This section outlines the requirements users must meet in order for the system to be considered in compliance with requirements.  Users (or user groups) will be marked either as Compliant or Non-Compliant with each control category.  A Compliant denotation indicates that the user(s) meets or exceeds the controls identified in the following security categories.  Additional controls or deviations must be documented in the Compensating/Additional Controls field.

Access Control

The principle of least privilege states that users should have access only to that information which they are required to have in order to perform their duties for a prescribed time.  Access must be authorized by the appropriate data owner prior to the provisioning of users for data access.

  • Users must be authorized by the data owner

  • Users must be regularly reviewed for expiration of authorization and access removal

  • Access activities must be logged by the system administrator

Monitored

This category encompasses the activities that must be monitored by the system administrator for all users accessing level 1 and level 2 data.  Irregularities and security breaches must be reported to the Information Security Office immediately upon discovery or notification.

  • Logins and logoffs (success and failures)

  • Read/Write/Delete access to level 1 and level 2 data

This also includes activities to monitor use of the data by supervisors and managers.  Data must not be left on monitors, and printed copies must not be left in the open.  Data must not be archived or printed unless authorized, and it must be securely stored and destroyed at the defined retention period.  Inappropriate use or non-compliance with appropriate use must be reported to the Information Security Office.

Training/Agreement

This category encompasses the training and agreements required to allow end-users access to level 1 or level 2 data residing on the system.

  • The end user has been trained on the proper handling procedures for level 1 and level 2 data.

  • The end user has signed a confidentiality agreement with the University and the agreement is on file with Human Resources.

  • The end user has received current Information Security Training.

Download the data authorization form here