IT/PPS 04.08 - Third-Party Applications Access Review
Third-Party Applications Access Review
IT/PPS No. 04.08
Issue No. 5
Effective Date: 2/01/2022
Next Review Date: 3/01/2023 (EY)
Sr. Reviewer: Associate Vice President, Technology Resources
Texas State University is committed to protecting the institution’s information resources.
This policy outlines the responsibilities of departments owning third-party enterprise computer applications, or modules thereof, to review and certify that access to those applications is appropriately granted and revoked.
It is important, in order to ensure confidentiality and integrity of Texas State University-owned data and processes, that only those people with a valid reason have access to the university’s enterprise computer systems.
Responsibility to ensure appropriate access rests with the department owning or utilizing the computer systems or modules in question. Technology Resources will maintain a document containing third-party enterprise computer application or module names and identified owners.
Each application owner will receive an annual notification to review authorized access to the computer system or module they are responsible for and confirm the necessary access for the job duties performed. In addition, where user access occurs through an automated process, a full review of application administrator roles and evaluation of a random sample of general users meets the requirement.
PROCEDURES FOR THIRD-PARTY APPLICATION ACCESS REVIEW
This policy provides details to ensure compliance with the security of the university’s information resources (see UPPS No. 04.01.01, Security of Texas State Information Resources).
Each department owning or utilizing a third-party enterprise computer system or module must certify to the Division of Information Technology annually, by July 1, that they have conducted a full review of user access, described in Section 01.04, and have corrected any outdated access permissions.
Technology Resources will initiate the annual review process by notifying the appropriate customers directly with instructions and requirements. A formal sign off that the review has been completed must be received by July 1 annually.
The application or module owner, or designee, responsible for the computer system named must sign the review certification.
Failure to provide the required certification will result in notification to the Information Security Office for follow up, as appropriate.
REVIEWERS OF THIS PPS
Reviewers of this PPS include the following:
Position Date Associate Vice President, Technology Resources March 1 EY Chief Information Security Officer March 1 EY Vice President for Information Technology March 1 EY
This PPS has been reviewed by the following individuals in their official capacities and represents Texas State Information Technology policy and procedure from the date of this document until superseded.
Associate Vice President, Technology Resources; senior reviewer of this PPS
Vice President for Information Technology