Information Security

Annual CMS Security Reauthorization

CSU Policy and CSU, Chico Account Management Standards (PDF) require that all user accounts be reviewed at least annually to ensure that access and account privileges are commensurate with job function, need-to-know, and employment status. To meet these policies and standards, an on-line PeopleSoft Annual Reauthorization of Roles process will be conducted in March 2019. This on-line reauthorization is for Student Administration, Human Resources and Financials PeopleSoft access.

Deadlines

While there are deadlines for each step in the process, each group can complete their part immediately following the preceding step.

  • Lead/Supervisor reviews by – March 8th, 2019
  • Employee confirms by – March 15th, 2019
  • MPP (management/admin) approves by – March 29th, 2019

Step 1 – Lead/Supervisor Review (March 4th - 8th)

Leads/Supervisors who authorize employee access to PeopleSoft data will receive an e-mail from cmssecurityreauth@csuchico.edu with a link to a user-friendly dashboard.  This report will list all individuals in their area who currently have access to PeopleSoft data based on a prior request indicating a business need for the data.  If the current access includes confidential data, supervisors will also need to certify that there is a continued business need for that access.

Each direct report will need to be reviewed and preauthorized in order to complete this step.   Lead/Supervisor electronic approval will be tracked and stored for audit purposes, and notifications will be sent to the appropriate security area. If access is preauthorized, the employee will be required to complete Step 2. 

Step 2 – Employee Confirmation (prior to March 15th)

An employee whose access to PeopleSoft data has been preauthorized will receive an e-mail from cmssecurityreauth@csuchico.edu with a link to a user-friendly dashboard.  This report will list all of the employee’s current access to PeopleSoft data that has been reviewed by his or her lead/supervisor.

The employee will need to certify that he or she has a continued business need to see the data and has read and agrees to comply with the current information security policies and procedures. The employee’s electronic acceptance will be tracked and stored for audit purposes.

Step 3 – MPP (management/admin) Approval (prior to March 29th)

MPPs with indirect reports will receive an e-mail from cmssecurityreauth@csuchico.edu with a link to a user-friendly dashboard. This report will list individuals who indirectly report to their area and who currently have access to PeopleSoft data based on a prior request indicating a business need for the data. “Indirect reports” are employees who report to someone who then reports to you.

Each indirect report will need to be reviewed and preauthorized in order to complete this step.   MPP electronic approval will be tracked and stored for audit purposes, and notifications will be sent to the appropriate security area.  If the current access includes confidential data, you will also need to certify that there is a continued business need for that access.

CMS Security Reauthorization Process Flow

Background and Requirements:

It is the responsibility of the Employee as well as the Lead/Supervisor to understand the security roles and permissions assigned to each employee. Access and account privileges must be commensurate with job function, need-to-know, and employment status. It is the responsibility of the Employee, Lead/Supervisor, and Appropriate Administrator to verify that access to information resources has been revoked in cases where an employee has experienced a change of employment (e.g., termination or position change), or when job duties no longer provide a legitimate business reason for access (CSU Information Security Policy ICSUAM 8030 300, ICSUAM 8060 500 (PDF)).

Except where specifically permitted by campus policy and by the appropriate data owner, Leads/Supervisors and Appropriate Administrators may not re-authorize employee roles or permissions for positions or responsibilities for which the Lead/Supervisor or Appropriate Administrator is not responsible (i.e., employees with multiple positions).

References

Frequently Asked Questions (FAQs)

Why are we doing this reauthorization?

CSU Policy and CSU, Chico Account Management Standards (PDF) require that all user accounts be reviewed at least annually to ensure that access and account privileges are commensurate with job function, need-to-know, and employment status. 

Who do I contact if I have questions regarding the process?

E-mail cmssecurityreauth@csuchico.edu with any questions regarding this process.

Who do I contact if I do not understand someone’s access?

E-mail the appropriate CMS security team with specific CMS access questions: