Administrative Account Access Control
This practice directive provides guidance for managing and granting access to SF State information assets.
Purpose and Scope
This Practice Directive provides direction and support for managing access to SF State information assets, and guidance for granting access to SF State information assets, separating the duties of individuals who have access to SF State information assets, conducting reviews of access rights to SF State information assets, and modifying users' access rights to SF State information assets.
All campus departments will follow this documented process or an equivalent that meets or exceeds this standard for provisioning initial access, additions, changes, and terminations of access rights for privileged access.
The SF State Administrative Account Authorization & Review Form will be used to review access of existing account holders. Authorized users and their access privileges will be specified by the data owner, unless otherwise defined by SF State Practice Directives.
On-campus or remote access to SF State information assets will be based on operational and security requirements. Appropriate controls will be in place to prevent unauthorized access to protected information assets.
Access to SF State information assets containing protected data will be provided only to those having a need for specific access in order to accomplish an authorized task. Access will be based on the principles of need-to-know and least privilege. Authentication controls will be implemented for access to SF State information assets that access or store protected data; these controls will be unique to each individual and will not be shared unless authorized by appropriate department management.
Separation of Duties
Separation of duties principles will be followed when assigning job responsibilities relating to restricted or essential resources. Departments will maintain an appropriate level of separation of duties when issuing credentials to individuals who have access to information assets containing protected data. Departments will avoid issuing credentials that allow a user greater access or more authority over information assets than is required by the employee's job duties.
Appropriate department managers and data owners will periodically review user access rights to information assets containing protected data.
Users experiencing a change in employment status (e.g., termination or position change) will have their logical access rights reviewed, and if necessary, modified or revoked.