Information Security

Annual CMS Security Reauthorization

CSU Policy and CSU, Chico Account Management Standards (PDF) require that all user accounts be reviewed at least annually to ensure that access and account privileges are commensurate with job function, need-to-know, and employment status. To meet these policies and standards, an on-line PeopleSoft Annual Reauthorization of Roles process will be conducted in March each year. This on-line reauthorization is for Student Administration, Human Resources and Financials PeopleSoft access.

Deadlines

While there are deadlines for each step in the process, each group can complete their part immediately following the preceding step.

  • Lead/Supervisor reviews by – March 12th, 2021
  • Employee confirms by – March 26th, 2021
  • MPP (management/admin) approves by – April 2nd, 2021

Step 1 – Lead/Supervisor Review (March 3rd - 12th)

Leads/Supervisors who authorize employee access to PeopleSoft data will receive an e-mail from cmssecurityreauth@csuchico.edu with a link to a user-friendly dashboard.  This report will list all individuals in their area who currently have access to PeopleSoft data based on a prior request indicating a business need for the data.  If the current access includes confidential data, supervisors will also need to certify that there is a continued business need for that access.

Each direct report will need to be reviewed and preauthorized in order to complete this step.   Lead/Supervisor electronic approval will be tracked and stored for audit purposes, and notifications will be sent to the appropriate security area. If access is preauthorized, the employee will be required to complete Step 2.

Step 2 – Employee Confirmation (prior to March 26th)

An employee whose access to PeopleSoft data has been preauthorized will receive an e-mail from cmssecurityreauth@csuchico.edu with a link to a user-friendly dashboard.  This report will list all of the employee’s current access to PeopleSoft data that has been reviewed by his or her lead/supervisor.

The employee will need to certify that he or she has a continued business need to see the data and has read and agrees to comply with the current information security policies and procedures. The employee’s electronic acceptance will be tracked and stored for audit purposes.

Step 3 – MPP (management/admin) Approval (prior to April 2nd)

MPPs with indirect reports will receive an e-mail from cmssecurityreauth@csuchico.edu with a link to a user-friendly dashboard.  This report will list individuals who indirectly report to their area and who currently have access to PeopleSoft data based on a prior request indicating a business need for the data. “Indirect reports” are employees that report to someone who then reports to you.

Each indirect report will need to be reviewed and preauthorized in order to complete this step.   MPP electronic approval will be tracked and stored for audit purposes, and notifications will be sent to the appropriate security area.  If the current access includes confidential data, you will also need to certify that there is a continued business need for that access.

CMS Security Reauthorization Process Flow


Background and Requirements

It is the responsibility of the Employee as well as the Lead/Supervisor to understand the security roles and permissions assigned to each employee. Access and account privileges must be commensurate with job function, need-to-know, and employment status. It is the responsibility of the Employee, Lead/Supervisor, and Appropriate Administrator to verify that access to information technology has been revoked in cases where an employee has experienced a change of employment (e.g., termination or position change), or when job duties no longer provide a legitimate business reason for access (CSU Information Security Policy ICSUAM 8030 300, ICSUAM 8060 500).

Except where specifically permitted by campus policy and by the appropriate data owner, Leads/Supervisors and Appropriate Administrators may not re-authorize employee roles or permissions for positions or responsibilities for which the Lead/Supervisor or Appropriate Administrator is not responsible (i.e., employees with multiple positions).

Frequently Asked Questions (FAQs)

Why are we doing this reauthorization?

CSU Policy and CSU, Chico Account Management Standards (PDF) require that all user accounts be reviewed at least annually to ensure that access and account privileges are commensurate with job function, need-to-know, and employment status. 

Who do I contact if I have questions regarding the process?

E-mail cmssecurityreauth@csuchico.edu with any questions regarding this process.

Who do I contact if I do not understand someone’s access?

E-mail the appropriate CMS security team with specific CMS access questions: