Division:
Administration & Finance
Department:
Information Technology Services
Contact Information:
Nish Malik /Head of IT/Chief Information Officer, San Francisco Bay Region Network (CIO) / (415) 405-4105 / nish@sfsu.edu
Effective Date:
Tuesday, August 1, 2006
Revised Date:
January 22, 2026
Authority:
Objective:
This Policy defines requirements for managing and granting access to SF State information assets.
Statement:
Purpose and Scope
This Policy defines requirements for managing and granting access to SF State information assets:
- Granting access to SF State information assets
- Separating the duties of individuals who have access to SF State information assets
- Conducting reviews of access rights to SF State information assets
- Modifying users' access rights to SF State information assets.
Policy:
All campus departments will follow this documented process or an equivalent that meets or exceeds this standard for provisioning initial access, additions, changes, and terminations of access rights for privileged access.
Authorized users and their access privileges will be specified by the data owner, unless otherwise defined by SF State Policies.
Access Control
On-campus or remote access to SF State information assets will be based on operational and security requirements. Appropriate controls (such as multi-factor authentication) will be in place to prevent unauthorized access to protected information assets.
Access to SF State information assets containing Level 1 or Level 2 Data will be provided only to those having a need for specific access in order to accomplish an authorized task. Access will be based on the principles of need-to-know and least privilege. Authentication controls will be implemented for access to SF State information assets that access or store Level 1 or Level 2 Data or that provides critical infrastructure services, and will be unique to each individual and will not be shared unless authorized by appropriate department management.
Separation of Duties
Separation of duties principles will be followed when assigning job responsibilities relating to restricted or essential resources. Departments will maintain an appropriate level of separation of duties when issuing credentials or granting permissions to individuals who have access to information assets containing Level 1 or Level 2 Data. Departments will avoid issuing credentials or granting permissions that allow a user greater access or more authority over information assets than is required by the employee's job duties.
Access Review
Appropriate department managers and data owners will periodically review user access rights to information assets containing Level 1 or Level 2 Data.
Modifying Access
Users experiencing a change in employment status (e.g., separation or position change) will have their logical access rights reviewed, and if necessary, modified or revoked.
Non-Compliance
Noncompliance with applicable policies and/or practices may result in suspension of access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.