Vendor VPN Groups and LDAP Accounts
Vendor or Third Party Remote Access
The CSU Information Security policy requires that 3rd party contractors and consultants comply with CSU and Campus Information Security requirements, and that campus sponsors manage 3rd party access.
Access to campus information assets containing protected data as defined in the CSU Data Classification Standard may be provided only to those having a need for specific access in order to accomplish an authorized task. Access must be based on the principles of need-to-know and least privilege. Authentication controls must be implemented for access to campus information assets that access or store protected data, must be unique to each individual and may not be shared unless authorized by appropriate campus management. The CSU Responsible Use Policy defines users (faculty, staff, students and third parties) and CSU responsibilities with respect to the use of CSU information assets in conjunction with the CSU information Security Policy.
All remote access (wired or wireless) to non-public campus information assets must:
- Be authorized and authenticated by use of a unique user identifier
- Pass through a campus-approved access control device (e.g., a firewall or access server)
- Be made using an approved method (e.g. campus-authorized remote desktop service)
- Use a secure encrypted protocol for the entire session
- Be log and tracked consistent with campus logging procedures.
- CSU Remote Access Resources standard is published here
- CSU Third Party Security Standards are published here
- Campus and CSU Information Security Policies and Requirements are published here
Requirements for Remote Access to University Systems and Networks:
- Vendor Access Account Request Form (link to ITSS)
- CSU Confidentiality Agreement Form
- Technical Requirements (link to VPN & NAC pages in ITSS)
- Campus sponsor must request vendor and system access through ITSS via the Vendor Access Request Form (link to ITSS form) and accounts must be limited through the use of a special VPN role
- Access is limited to the duration of the contract or one year, whichever is less
- It is the responsibility of the Sponsor and the Vendor to notify the campus when an account should be terminated
For more information on using the CSU Chico VPN, please click here.