BP.05.004 - Business Practice for Access Review

Printable Version in PDF Format (Get Adobe Acrobat)

Table of Contents

History [top]

  • Business Practice Number: BP.05.004
  • Version: 1
  • Drafted By: Neal Fisch
  • Approved By: Michael Berman
  • Approval Date: 05/08/2017
  • Latest Revision Date:

Purpose [top]

Provide support of ICSUAM Policy 8060.400 for Access Review.

Background [top]

To support ICSUAM policy 8060.400, CI must develop procedures to detect unauthorized access and privileges assigned to authorized users that exceed the required access rights needed to perform their job functions.  Appropriate campus managers and data stewards must assess, at least annually, user access rights to information assets containing protected level 1 data.  The results of the assessment must be documented and stored.

Business Practice [top]

Accountability [top]

Vice President for Technology and Innovation

Information Security Officer

Appropriate campus managers and data stewards

Applicability [top]

Anyone with access to CSUCI computer systems

Definition(s) [top]

Protected Data – Data classified as Level 1 Confidential as prescribed in the recognized campus data classification standard.

Security Lead – Designated resource responsible for security role creation and changes or security administration.

ISO – Information Security Officer

Text [top]

General

Having the correct level of access is paramount to the security of CI’s information assets.  To validate that appropriate levels of access are in place, and in support of the CSU’s ICSUAM policy 8060.400  for access review, CI will perform annual access assessments for systems that contain protected level 1 data.  These assessments will be coordinated by the campus Information Security Officer with participation by the appropriate data steward(s), system/module security lead(s)/administrator(s), and appropriate campus management if needed.

Exhibit(s) [top]

User Access Controls Attestation Form

Assessment History [top]

DescriptionFrequencyRole Assigned
Annual assessment of business practiceAnnual - JulyISO
Annual assessment of user accessAnnual - JulySystem's Security Admin
Annual attestation of access reviewAnnual - JulySystem's Security Admin