91³Ō¹Ļ

Printable Version in PDF Format ()

Table of Contents

• History
• Purpose
• Background
• Business Practice
  • Accountability
  • Applicability
  • Definition(s)
  • Text
• Exhibit(s)
  • Assessment History

History [top]

• Business Practice Number: BP.05.003
• Version: 2
• Drafted By: Carlos Miranda
• Approved By: James August
• Approval Date: 05/08/2017
• Latest Revision Date: 02/21/2025

Purpose [top]

Provide support of for Access Control.

Background [top]

To support , access to campus information assets containing protected data as defined in the CSU Data Classification Standard may be provided only to those having a need for specific access in order to accomplish an authorized task. Access must be based on the principles of need-to-know and least privilege.

Authentication controls must be implemented for access to campus information assets or information systems and services that access or store protected data, and must be unique to each individual and may not be shared unless authorized by the appropriate campus management. Where approval is granted for shared authentication, the requesting organization must be informed of the risks of such access and the shared account must be assigned a designated owner. Shared authentication privileges must be regularly reviewed and re-approved at least annually.

Business Practice [top]

Accountability [top]

Associate Vice President for Information Technology Services
Chief Information Security Officer

Applicability [top]

All systems and services containing protected level 1 confidential data.

Definition(s) [top]

Multi-Factor Authentication ā€“ a method of computer access control in which a user is granted access only after successfully presenting several pieces of evidence to an authentication mechanism, typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).

Two-Factor Authentication (or 2FA) ā€“ is a method of confirming a userā€™s claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi-factor authentication.

Text [top]

General

To promote stronger access controls to protect CI systems and services containing protected level 1 confidential data, CI shall implement multi-factor authentication in addition to its current access control security practices for users accessing protected level 1 confidential data. Multi-factor authentication will add the additional authentication layer of something you have to the existing ā€œsomething you knowā€ (e.g. password and user id). This combined authorization control will help to better protect CIā€™s information assets and prevent credential fraud.

Exhibit(s) [top]

Assessment History [top]