Division:
Administration & Finance
Department:
Information Technology Services
Contact Information:
Nish Malik / Associate Vice President and Chief Information Officer, Information Technology Services / (415) 405-4105 / nish@sfsu.edu
Effective Date:
Tuesday, August 1, 2006
Revised Date:
March 13, 2024
Authority:
Objective:
This Policy provides direction for managing, and guidance for granting access to, SF State information assets.
Statement:
Purpose and Scope
This Policy provides direction for managing access to SF State information assets and well as guidance for:
- Granting access to SF State information assets
- Separating the duties of individuals who have access to SF State information assets
- Conducting reviews of access rights to SF State information assets
- Modifying users' access rights to SF State information assets.
Policy
All campus departments will follow this documented process or an equivalent that meets or exceeds this standard for provisioning initial access, additions, changes, and terminations of access rights for privileged access.
Authorized users and their access privileges will be specified by the data owner, unless otherwise defined by SF State Policies.
Access Control
On-campus or remote access to SF State information assets will be based on operational and security requirements. Appropriate controls will be in place to prevent unauthorized access to protected information assets.
Access to SF State information assets containing protected data will be provided only to those having a need for specific access in order to accomplish an authorized task. Access will be based on the principles of need-to-know and least privilege. Authentication controls will be implemented for access to SF State information assets that access or store protected data or that provides critical infrastructure services, and will be unique to each individual and will not be shared unless authorized by appropriate department management.
Separation of Duties
Separation of duties principles will be followed when assigning job responsibilities relating to restricted or essential resources. Departments will maintain an appropriate level of separation of duties when issuing credentials to individuals who have access to information assets containing protected data. Departments will avoid issuing credentials that allow a user greater access or more authority over information assets than is required by the employee's job duties.
Access Review
Appropriate department managers and data owners will periodically review user access rights to information assets containing protected data.
Modifying Access
Users experiencing a change in employment status (e.g., termination or position change) will have their logical access rights reviewed, and if necessary, modified or revoked.
Reference
Administrative account access control implementation guidelines
CSU Information Security Policy and Standards
ISO Domain 9: Access Control Policy