BP.05.003 - Business Practice for Access Controls

Printable Version in PDF Format (Get Adobe Acrobat)

Table of Contents

History [top]

  • Business Practice Number: BP.05.003
  • Version: 1
  • Drafted By: Neal Fisch
  • Approved By: Michael Berman
  • Approval Date: 05/08/2017
  • Latest Revision Date:

Purpose [top]

Provide support of ICSUAM Policy 8060.200 for Access Control.

Background [top]

To support ICSUAM policy 8060.200, access to campus information assets containing protected data as defined in the CSU Data Classification Standard may be provided only to those having a need for specific access in order to accomplish an authorized task. Access must be based on the principles of need-to-know and least privilege.

Authentication controls must be implemented for access to campus information assets or information systems and services that access or store protected data, and must be unique to each individual and may not be shared unless authorized by appropriate campus management. Where approval is granted for shared authentication, the requesting organization must be informed of the risks of such access and the shared account must be assigned a designated owner. Shared authentication privileges must be regularly reviewed and re-approved at least annually.

Business Practice [top]

Accountability [top]

Vice President for Technology and Innovation

Information Security Officer

Applicability [top]

All systems and services containing protected level 1 confidential data.

Definition(s) [top]

Multi-Factor Authentication – a method of computer access control in which a user is granted access only after successfully presenting several pieces of evidence to an authentication mechanism, typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).

Two-Factor Authentication (or 2FA) – is a method of confirming a user’s claimed identity by utilizing a combination of two different components.  Two-factor authentication is a type of multi-factor authentication.

Text [top]


To promote stronger access controls to protect CI systems and services containing protected level 1 confidential data, CI shall implement multi-factor authentication in addition to its current access control security practices for users accessing protected level 1 confidential data.  Multi-factor authentication will add the additional authentication layer of something you have to the existing “something you know” (e.g. password and user id).  This combined authorization control will help to better protect CI’s information assets and prevent credential fraud.

Exhibit(s) [top]

Assessment History [top]

DescriptionFrequencyRole AssignedDate Completed
Assessment of business practiceAnnualISO