Information Security

Vendor or Third Party Remote Access and Accounts

The CSU Information Security policy requires that 3rd party contractors and consultants comply with CSU and Campus Information Security requirements, and that campus sponsors manage 3rd party access.

Access to campus information assets containing protected data as defined in the CSU Data Classification Standard may be provided only to those having a need for specific access in order to accomplish an authorized task.  Access must be based on the principles of need-to-know and least privilege.  Authentication controls must be implemented for access to campus information assets that access or store protected data, must be unique to each individual and may not be shared unless authorized by appropriate campus management.  The CSU Responsible Use Policy(opens in new window) defines users (faculty, staff, students and third parties) and CSU responsibilities with respect to the use of CSU information assets in conjunction with the CSU Information Security Policy.

All remote access (wired or wireless) to non-public campus information assets must:

Requirements for Remote Access to University Systems and Networks:

Requesting Accounts

Campus sponsor must request vendor and system access through ITSS via the Vendor Access Request Form (PDF) and accounts must be limited through the use of a special VPN role.

  • Access is limited to the duration of the contract or one year, whichever is less
  • It is the responsibility of the Sponsor and the Vendor to notify the campus when an account should be terminated

For more information check out the Using the CSU Chico VPN(opens in new window) page