Administrative Account Access Control

Division: 

Administration & Finance

Department: 

Information Technology Services

Contact Information: 

Nish Malik / Senior Associate Vice President (AVP) and Chief Information Officer (CIO) / (415) 405-4105 / nish@sfsu.edu

Effective Date: 

Tuesday, August 1, 2006

Revised Date: 

March 13, 2024

Authority: 

ICSUAM Policy Section 8000 Information Security

Objective: 

This Policy provides direction for managing, and guidance for granting access to, SF State information assets.

Statement: 

Purpose and Scope

This Policy provides direction for managing access to SF State information assets and well as guidance for:

  • Granting access to SF State information assets
  • Separating the duties of individuals who have access to SF State information assets
  • Conducting reviews of access rights to SF State information assets
  • Modifying users' access rights to SF State information assets.

Policy

All campus departments will follow this documented process or an equivalent that meets or exceeds this standard for provisioning initial access, additions, changes, and terminations of access rights for privileged access.

Authorized users and their access privileges will be specified by the data owner, unless otherwise defined by SF State Policies.

Access Control

On-campus or remote access to SF State information assets will be based on operational and security requirements. Appropriate controls will be in place to prevent unauthorized access to protected information assets. 

Access to SF State information assets containing protected data will be provided only to those having a need for specific access in order to accomplish an authorized task. Access will be based on the principles of need-to-know and least privilege. Authentication controls will be implemented for access to SF State information assets that access or store protected data or that provides critical infrastructure services, and will be unique to each individual and will not be shared unless authorized by appropriate department management.

Separation of Duties

Separation of duties principles will be followed when assigning job responsibilities relating to restricted or essential resources. Departments will maintain an appropriate level of separation of duties when issuing credentials to individuals who have access to information assets containing protected data. Departments will avoid issuing credentials that allow a user greater access or more authority over information assets than is required by the employee's job duties.

Access Review

Appropriate department managers and data owners will periodically review user access rights to information assets containing protected data.

Modifying Access

Users experiencing a change in employment status (e.g., termination or position change) will have their logical access rights reviewed, and if necessary, modified or revoked.

Reference

Administrative account access control implementation guidelines
CSU Information Security Policy and Standards
ISO Domain 9: Access Control Policy