UCSF 650-16 Addendum G - 3rd Party Remote Access Standards
To establish and set the requirements for a University of California, San Francisco enterprise standard for 3rd party remote access to UCSF networks.
See UCOP BFB IS-2 for most up to date definitions. http://policy.ucop.edu/doc/7020447/BFB-IS-2
Restricted information describes any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. The term “restricted” should not be confused with that used by the UC managed national laboratories where federal programs may employ a different classification scheme
UCSF named role that will manage the vendor’s 3rd party access. This Sponsor role is to be managed by the requesting department.
3rd Party Enterprise VPN Account
Account assigned to a 3rd party that is used strictly for VPN access to UCSF using the current standard Enterprise VPN solution.
3rd Party Elevated Account
Account assigned to a 3rd party used to perform administrative, elevated, or privileged functions on UCSF resources.
A UCSF sponsor role must be created, assigned and managed by requesting department
Any deviation from these standards will require a UCSF IT Security Exception Request to be filed and approved. In order for the non-standard 3rd party remote access security exception to be considered, the 3rd party access must meet the Non Standard 3rd Party Remote Access Standards.
Account and Access Standards
- Use of the standard UCSF Enterprise VPN for 3rd party remote access is a requirement.
- 3rd party Enterprise VPN accounts must be unique per individual. Shared\Group Enterprise VPN accounts are not permitted.
- 3rd party Enterprise VPN accounts must employ the use of UCSF enterprise 2 factor authentication.
- 3rd party Enterprise VPN accounts must not be enabled for elevated or admin accounts.
- 3rd party Enterprise VPN accounts must be, and will remain in, a default disabled state until usage is required.
- 3rd party elevated accounts with administrative access used for remote administration must be unique per individual. Shared/Group elevated accounts with administrative access used for remote administration are not permitted.
- 3rd party elevated accounts with administrative access used for remote administration must follow current UCSF standards and requirements for Elevated accounts with Administrative Access.
- 3rd party accounts used for remote access and remote administration of UCSF resources will remain in a default disabled state until usage is required.
3rd Party and UCSF Sponsor Role Standards
- UCSF Sponsor for the requesting department must be a manager or director level.
- The UCSF Sponsor can have named delegates that must be approved by the requesting department’s director.
- 3rd parties must contact UCSF sponsor in order to enable accounts used for remote access and remote administration of UCSF resources prior to use, and will only be enabled for a specified required amount of time to complete remote work, or default to 24-hour access.
- The assigned UCSF sponsors of 3rd party accounts used for 3rd party remote access and remote administration of UCSF resources are required to regularly review 3rd party activities to ensure proper usage of the accounts and resources in correlation with required or request work performed.
- The assigned UCSF sponsors of 3rd party accounts used for 3rd party remote access and remote administration of UCSF resources are required to regularly review 3rd party accounts to verify accounts are still required.
- In the event of employee separation of the 3rd party, in which employee had remote access and/or remote administration to UCSF resources, the 3rd party must notify the assigned UCSF sponsor of this separation immediately.
- Upon 3rd party notification of employee separation, the UCSF sponsor is required to immediately submit a request for separated employee’s account to be de-provisioned.