it.ucsf.edu

3rd Party Non-Enterprise Remote Access Standards

Esther Silver's picture

Policy Type

Standard

Purpose:
This standard establishes the requirements to adopt a University of California, San Francisco enterprise standard for 3rd party remote access to UCSF networks when one or more UCSF standards cannot be used. Requires approved security exception.

Definitions:
See UCOP BFB IS-2 for up to date definitions. http://policy.ucop.edu/doc/7020447/BFB-IS-2

Restricted Information
Restricted information describes any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. The term “restricted” should not be confused with that used by the UC managed national laboratories where federal programs may employ a different classification scheme

Standards:
Standards listed in 3rd Party Remote Access Standards must still be followed for 3rd party Non-Enterprise Remote Access. For standards that cannot be followed with a proper business justification, an approved UCSF IT Security Exception Request is required, in addition to meeting the requirements of the following standards.

  • Logging (for non-enterprise standard VPN only)
    • Following logging standards listed in UCOP IS3 Appendix D. Log Management. http://policy.ucop.edu/doc/7000543/BFB-IS-3
    • If restricted information is present, additional logging standards must meet the requirements of applicable laws, policies and regulations. To include, but not limited to; system activity review, auditing of activities, sanction policy, review of malicious activity.
    • Full logging of all connection\session activity (connection begin to connection end)
    • Logging should include Who, What, Where When. These logs should indicate the unique user on the 3rd party side who initiated the connection, from where, to what, and date/time.
    • Log retention of these logs should be of an adequate time in the event UCSF requires logs for an audit or investigation
    • UCSF should have access to, or request logs, and they are to be supplied in a reasonable timeframe
    • UCSF department sponsor of 3rd party must regularly review and audit 3rd party access
  • Architectural and technical details (for non-enterprise standard VPN only)
    • A system diagram of the 3rd party remote access method needs to be provided to UCSF for review
    • A data flow diagram of the 3rd party remote access method needs to be provided to UCSF for review, this should include all ports and protocols the remote access system employs
    • Both UCSF and the 3rd party must perform periodic technical and nontechnical evaluation per the requirements of any restricted information laws, policies or regulations.
    • Any changes made to approved remote access systems or methodologies must be documented and sent to the UCSF sponsor immediately.
    • Any changes made to the approved remote access systems or methodologies will require a resubmittal of a security exception request.
  • Notice of employee separation
    • The 3rd party is required to immediately notify the UCSF sponsor in the event of an employee separation, in which employee has/had remote access.