
Third Party Systems Account Access Control

Definition:

Cloud systems can refer to any information system provided by a third party that handles campus data, where the data, system and infrastructure are not housed on campus premises, whether the service is paid for or free.

Examples of cloud-based system architectures include Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS).

Authority:

CSUSM Chief Information Security Officer

Scope:

Third-party applications that handle Protected Level 1 data and that do not use a campus-maintained directory authentication method.

I. Background

Cloud-based information systems present numerous advantages over traditional on-premises systems. However, this method of implementing information systems presents new risks to the confidentiality, integrity and availability of the data these systems store, in particular because user accounts are created and managed outside the campus directory. As such, it is necessary that the campus develop a method for managing and monitoring the accounts that grant access to the data these systems store.

II. Policy

  1. Where possible, cloud systems will use a campus-maintained directory and an approved authentication method
  2. Access to cloud systems must follow CSU and campus standards for requesting, authorizing and granting access to protected information
  3. Access to cloud systems that do not use a campus-directory authentication method must follow the procedure below in order to ensure that access conforms to CSU and campus standards
  4. The creation, modification and deletion of user accounts that grant access to the system must be documented with the Information Security Office
  5. Administrative access, i.e. the authority to create, delete or modify user accounts, must be limited to a minimal number of users
  6. Individuals with administrative access must be identified to the Information Security team
  7. Those with administrative access must be trained on the proper procedures for modifying user accounts under this policy

III. Procedures

  1. A user who requires access must complete the Third Party Access Control form, which notifies the Information Security Office of the request
  2. The Information Security Office logs the request and forwards it to the application administrator
  3. The administrator grants the requested access
  4. For modification or removal of user accounts, the application administrator may complete the form on behalf of the user

IV. Controls

  1. Annually, the Information Security Office will reconcile the active user accounts in a given system against the system's user account log
  2. System user account logs are retained by the Information Security Office for 12 months after the access review
  3. Access review results are retained by the Information Security Office for 12 months after the access review