This content is viewable by Everyone

Standard

UCSF 650-16 Addendum G - Third-Party Remote Access Standards

Purpose

To establish and set the requirements for a University of California San Francisco enterprise standard for third-party remote access to UCSF networks.

Definitions

See the University of California - Systemwide IT Policy Glossary for the most up-to-date definitions. Terms that are not in the Systemwide Glossary are defined below.

UCSF Sponsor

UCSF named role that will manage the vendor’s third-party access. This Sponsor role is to be managed by the requesting department.

Third-party Enterprise VPN Account

Account assigned to a third party that is used strictly for VPN access to UCSF using the current standard UCSF enterprise VPN solution.

Third-party Elevated Account

Account assigned to a third party used to perform administrative, elevated, or privileged functions on UCSF resources.

Third-party Remote Access Standards

A UCSF sponsor role must be created, assigned, and managed by the requesting department.

Any deviation from these standards will require a UCSF IT Security Exception Request to be submitted and approved.

If a security exception for non-standard third-party remote access is to be considered, the third-party access must apply the Third-Party Remote Access Standards Risk Treatment.

Account and Access Standards

  • Use of the standard UCSF enterprise VPN for third-party remote access is a requirement.
  • Third-party enterprise VPN accounts must be unique per individual. Shared or group enterprise VPN accounts are not permitted.
  • Third-party enterprise VPN accounts must employ the use of UCSF enterprise two-factor authentication.
  • Third-party enterprise VPN accounts must not be enabled for elevated or admin accounts.
  • Third-party enterprise VPN accounts must remain in a default disabled state until usage is required.
  • Third-party elevated accounts with administrative access used for remote administration must be unique per individual. Shared or group elevated accounts with administrative access used for remote administration are not permitted.
  • Third-party elevated accounts with administrative access used for remote administration must follow current UCSF standards and requirements for elevated accounts with administrative access.
  • Third-party elevated accounts used for remote access and remote administration of UCSF resources will remain in a default disabled state until usage is required.

Third-party and UCSF Sponsor Role Standards

  • UCSF Sponsor for the requesting department must be at least a manager or director level.
  • The UCSF Sponsor can have named delegates that must be approved by the requesting department’s director.
  • Third parties must contact the UCSF sponsor in order to enable accounts used for remote access and remote administration of UCSF resources prior to use and will only be enabled for a specified required amount of time to complete remote work, or default to twenty-four hours of access only.
  • The assigned UCSF sponsors of third-party accounts used for third-party remote access and remote administration of UCSF resources are required to regularly review third-party activities to ensure proper usage of the accounts and resources in correlation with required or request work performed.
  • The assigned UCSF sponsors of third-party accounts used for third-party remote access and remote administration of UCSF resources are required to regularly review third-party accounts to verify accounts are still required.
  • In the event of employee separation of the third party, in which employee had remote access and/or remote administration to UCSF resources, the third party must notify the assigned UCSF sponsor of this separation immediately.
  • Upon third-party notification of employee separation, the UCSF sponsor is required to immediately submit a request for separated employee’s account to be de-provisioned.

Third-party Remote Access Standards Risk Treatment

Standards listed in Third-Party Remote Access Standards that can be followed must be followed. For standards that cannot be followed, an approved UCSF IT Security Exception Request is required and must include a business justification.

Instructions for filling out Security Exception Request Form In addition, if there is an exception, the following standards must be met:

Additional standards if an exception is granted:

  • Logging (for non-enterprise standard VPN only)
    • Following logging standards listed in UCOP BFB IS-3  Appendix D. Log Management.
    • If restricted information is present, additional logging standards must meet the requirements of applicable laws, policies, and regulations. To include, but not limited to system activity review, auditing of activities, sanction policy, review of malicious activity.
    • Full logging of all connection/session activity (connection begin to connection end).
    • Logging should include Who, What, Where, When. These logs should indicate the unique user on the third-party side who initiated the connection, from where, to what, and date/time.
    • Retention of these logs should be of an adequate time in the event UCSF requires logs for an audit or investigation.
    • UCSF should have access to or the ability to request logs, and they are to be supplied in a reasonable timeframe.
    • UCSF department sponsor of third party must regularly review and audit third-party access.
  • Architectural and technical details (for non-enterprise standard VPN only)
    • A system diagram of the third-party remote access method needs to be provided to UCSF for review.
    • A data flow diagram of the third-party remote access method needs to be provided to UCSF for review; this should include all ports and protocols the remote access system employs.
    • Both UCSF and the third party must perform periodic technical and nontechnical evaluation per the requirements of any restricted information laws, policies, or regulations.
    • Any changes made to approved remote access systems or methodologies must be documented and sent to the UCSF sponsor immediately.
    • Any changes made to the approved remote access systems or methodologies will require a resubmittal of a security exception request.
  • Notice of employee separation
    • The third party is required to immediately notify the UCSF sponsor in the event of an employee separation, in which employee has/had remote access.