Access Control

General

This section implements Integrated CSU Administrative Manual (ICSUAM) Policy 8060.0.

Account Provisioning

Each person who requires access to campus T&I resources is automatically provisioned with a Dolphin Account, based on information in CI Records that describes the person’s affiliation with the University.

Whenever practical, each software and hardware system that performs authentication will interface with the campus’s Active Directory system and use Dolphin Names and Dolphin Passwords as authentication factors. Higher security systems may require additional authentication factors.

Systems that do not interface with the campus Active Directory or other authentication systems must demonstrate an equivalent and appropriate level of security.

Password Policy

All Dolphin Passwords must meet or exceed the following complexity rules:

  • The password must contain eight characters or more.
  • The password must contain an uppercase character, a lowercase character, and a numeric or special (i.e. !, $, #, %) character.

Dolphin Passwords may not contain a derivative of the Dolphin Name, Dolphin ID, birth date or last four digits of the user’s social security number, or a common word, phrase or number sequence.

Dolphin Passwords must be changed every 200 days using the Self Service Password Reset page on myCI. The Self Service Password Reset page is designed to prevent the reuse of the previous twelve Dolphin Passwords.

Each person issued a Dolphin Name and Dolphin Password is responsible for those credentials, and sharing them with another person constitutes a violation of the University’s Statement on Responsible Use of Information Assets.

Certain systems cannot integrate with the campus Active Directory system for authentication. For these systems, the minimum password complexity requirements and change intervals will vary. T&I will prescribe the strongest possible minimum password complexity requirements and change intervals for each of these systems in consultation with the Information Security Officer.

Administrative Access to T&I Systems

Administrative access to campus information systems is governed by two T&I Business Practices.

Administrative access to workstations is regulated by T&I business practice BP-03-002. Administrative access to workstations is restricted to employees of the University, and, in the case of staff, is further restricted to employees with a legitimate business need for such access.

Administrative access to systems, services and servers is regulated by T&I business practice BP-02-002. The Chief Information Officer; the Information Security Officer; and the Manager, T&I Infrastructure review administrative access roles for T&I systems at least annually. Administrative access to systems, services, and servers is restricted to employees of T&I who have a legitimate, documented business need for the access.

Common Management and Common Financial Systems (CMS/CFS) Segregation of Duties

The University will annually review Separation of Duties for CMS and CFS, and certify that the separation of duties meets or exceeds applicable University and CSU policy as well as applicable State or Federal laws.

The Director of Enterprise Services and Security performs a review of CMS and CFS roles once a month in conjunction with the appropriate module and security leads.