Annual User Access Review Procedure for Level-1 Systems

Summary

This article describes the procedure for the annual review of user access to Level-1 systems, as required by the CSU Access Control Policy. It covers the scope, roles, review process, documentation requirements, and certification for systems containing Level 1 and Level 2 data at Chico State. Completing the review is essential for ensuring that each user holds only the minimum access necessary and that the campus remains in compliance with the policy.

Body

1.0 Purpose

CSU Information Security Policy (ISO Domain 9: Access Control) requires that an access review be conducted, at least annually, for information assets (systems and applications) containing protected Level 1 or Level 2 data. The results of each completed annual user access review must be documented with Chico State's Information Security (ISEC) office. The review is essential to ensure that every user authorized to use a Level-1 Application is granted only the minimum set of access privileges necessary to perform their job functions.

This procedure is intended to satisfy that CSU Access Control Policy requirement.

2.0 Scope

All systems belonging to Chico State that contain protected university information assets (also known as Level 1 (PII) confidential data) are classified as Level-1 Applications. This includes all stateside and auxiliary systems, such as cloud services, applications, servers, and databases.

Administrative access to a Level-1 Application is any access assigned to a campus employee beyond self-service access; specifically, it grants permission to view PII records belonging to other people. The following are examples of roles and responsibilities that might be assigned to users with administrative access within your department's purview:

Roles and Responsibilities
  • Account Holder: The individual or group to which the account is assigned. This may be a privileged or a general account.
  • Privileged Account: An account that may have administrative access to configure system setup, security administration, interface configurations, development (coding), daily batch jobs, data extracts, etc. An example is SUPEROP (Supervisor Operator), which has full application system and security administration functionality and supersedes all other levels of permission.
  • Security Administrator: Supports authorizing, modifying, or removing access to accounts within a system or application.
  • System Administrator: A member of an organizational unit that supports enterprise, division, or department level IT services. System/service administrators facilitate end-user privilege management within their area of responsibility and implement operating procedures that conform to campus information security standards and guidelines.
  • System Owner: The person ultimately responsible for providing the system's service/functionality to the campus. Often the system owner is a manager, director, department chair, or college dean.
  • Data Steward: The person responsible for establishing procedures for granting and revoking access to campus systems that contain Level 1 or Level 2 data.

3.0 Procedure


3.1  On an annual basis, each campus stateside and auxiliary business unit that is responsible for authorizing user access to a Level-1 Application containing Level 1 or Level 2 data is required to complete a review of the users authorized to that application.

3.1.1       Annual user re-certifications for most Level-1 campus systems will be completed using Chico State's Account Center. Examples of Level-1 campus systems currently in scope of this procedure include PeopleSoft (Campus Solutions, Human Resources, and Finance), OnBase, Perceptive Content, Insight, and CR&A.

3.1.1.1       A snapshot of each of these decentralized Level-1 campus systems will be provided to ISEC in a standardized framework that includes the authorized usernames, assigned application roles, and role descriptions for the application. The Information Security Office (ISEC) will import this information into Account Center and assign a re-certification task to each user's "ReportsTo" MPP administrator to review and complete.

3.1.2       For Level-1 systems that cannot be certified through Account Center, the responsible business unit will document a manual user access review instead. A User Access Review template is provided within this procedure and includes examples of the information normally provided when documenting an annual user access review of a Level-1 application. Evidence of the completed annual user access review will be included in the department's certification to ISEC, and should include (at a minimum) the following for each user:

  • Chico State ID# (EMPLID), campus email, or username unique to the authorized user
  • First and last name
  • Application Role Assigned (if available)
  • Application Role Description, with examples of the Level 1 or Level 2 data the role exposes (if present)

3.1.3       The security, system, or service administrator conducting the access review will, at a minimum, review the list of users and roles and determine for each user:

  1. Is this an active employee?
  2. Has their job or responsibilities changed?
  3. Do they have appropriate access (least privilege)?
  4. Is the employee current with Data Security & Privacy Training?
  5. Is this a shared account (i.e. does more than one person know the password)?
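The five determinations above can be pre-computed from the snapshot described in 3.1.1.1 (username, role, role description) joined against an HR roster and the previous year's certification, so that the reviewer's time goes to the accounts that actually need a decision. The following is an added worked example written for this article; it is not code from Account Center, PeopleSoft, or ISEC. The snapshot rows, HR roster, prior-certification record, column names, the set of privileged roles, the 365-day training validity window, and the shared-account heuristic (an account not tied to a single EMPLID) are all constructed assumptions for illustration. Note that question 3 (least privilege) cannot be answered mechanically; the script only routes privileged roles to explicit manager attestation rather than certifying them automatically.

```python
"""Build an annual user access review worksheet for a Level-1 application.

Joins an application snapshot (username, EMPLID, role, role description)
against an HR roster and last year's certification, then answers the five
review questions from section 3.1.3 for each account.  All data below is
constructed sample input; the column names and thresholds are assumptions.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import date

# Constructed snapshot in the standardized framework: username, EMPLID
# (blank when the account is not tied to one person), assigned role, and
# role description.  Column names are assumptions, not Account Center's.
SNAPSHOT_CSV = """username,emplid,role,role_description
jdoe,000123456,HR_VIEW,View employee PII (SSN, DOB)
asmith,000234567,SUPEROP,Full application and security administration
rlee,000345678,FIN_AP,Process vendor payments (bank account numbers)
payroll_shared,,HR_VIEW,View employee PII (SSN, DOB)
bgone,000456789,FIN_AP,Process vendor payments (bank account numbers)
"""

# Constructed HR roster keyed by EMPLID: active flag, current job code, and
# the date Data Security & Privacy Training was last completed.
HR_ROSTER = {
    "000123456": dict(name="Jane Doe", active=True, job_code="HR-ANALYST", training=date(2025, 3, 1)),
    "000234567": dict(name="Al Smith", active=True, job_code="SYS-ADMIN", training=date(2025, 6, 15)),
    "000345678": dict(name="Rae Lee", active=True, job_code="ADMISSIONS-COUNSELOR", training=date(2023, 1, 10)),
    "000456789": dict(name="Bob Gone", active=False, job_code="AP-TECH", training=date(2025, 2, 2)),
}

# Constructed record of each user's job code at the previous certification.
PRIOR_CERTIFICATION = {
    "000123456": "HR-ANALYST",
    "000234567": "SYS-ADMIN",
    "000345678": "AP-TECH",  # transferred out of Accounts Payable since last year
    "000456789": "AP-TECH",
}

PRIVILEGED_ROLES = {"SUPEROP"}  # assumption: roles that always need explicit least-privilege attestation
TRAINING_VALID_DAYS = 365        # assumption: training must be renewed annually


@dataclass
class Finding:
    username: str
    emplid: str
    name: str
    role: str
    flags: list[str] = field(default_factory=list)

    @property
    def action(self) -> str:
        """Default disposition: remove, hold for manager attestation, or certify."""
        if "separated" in self.flags or "shared" in self.flags:
            return "remove"
        return "attest" if self.flags else "certify"


def review(snapshot_csv: str, roster: dict, prior: dict, review_date: str) -> list[Finding]:
    """Answer the five 3.1.3 questions for every account in the snapshot."""
    as_of = date.fromisoformat(review_date)
    findings = []
    for row in csv.DictReader(io.StringIO(snapshot_csv)):
        emplid = row["emplid"].strip()
        person = roster.get(emplid)
        f = Finding(row["username"], emplid, person["name"] if person else "", row["role"])
        # Q5: shared account?  Heuristic: no single EMPLID owns the account.
        if not emplid or person is None:
            f.flags.append("shared")
            findings.append(f)
            continue
        # Q1: active employee?
        if not person["active"]:
            f.flags.append("separated")
        # Q2: job or responsibilities changed since the last certification?
        if prior.get(emplid) != person["job_code"]:
            f.flags.append("job_changed")
        # Q3: least privilege; privileged roles need explicit justification.
        if row["role"] in PRIVILEGED_ROLES:
            f.flags.append("privileged_role")
        # Q4: current with Data Security & Privacy Training?
        if (as_of - person["training"]).days > TRAINING_VALID_DAYS:
            f.flags.append("training_expired")
        findings.append(f)
    return findings


def certification_summary(findings: list[Finding]) -> dict[str, list[str]]:
    """Group usernames by disposition for the department's certification to ISEC."""
    summary: dict[str, list[str]] = {"remove": [], "attest": [], "certify": []}
    for f in findings:
        summary[f.action].append(f.username)
    return summary


if __name__ == "__main__":
    results = review(SNAPSHOT_CSV, HR_ROSTER, PRIOR_CERTIFICATION, "2025-11-01")
    for f in results:
        print(f"{f.username:15} {f.role:9} {f.action:8} {', '.join(f.flags)}")
    print(certification_summary(results))
```

In this constructed run, the separated employee and the account with no EMPLID are queued for removal, the SUPEROP holder and the transferred employee with lapsed training are held for manager attestation, and only the unchanged HR analyst is certified outright. Any "attest" row still requires a human decision; the script's output is the worksheet, not the certification.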

3.1.4       Between annual reviews, each campus department is expected to monitor for personnel changes through Chico State's Notice of Separation (NOS) process and to promptly remove access on the employee's last day worked.

3.2  On an annual basis, campus managers and data stewards are required to review, verify, and certify authorized user access to Level-1 Applications. Documented evidence of each annual user access review is required; it will be electronically signed, documented with the Information Security Office (ISEC), and forwarded to ISEC@csuchico.edu.


Feedback and Contact

For questions or feedback regarding this procedure, contact the Information Security Office at isec-help@csuchico.edu.

Details

Article ID: 113708
Created
Wed 1/24/24 6:49 PM
Modified
Tue 11/25/25 4:11 PM
