Third-Party Application Access Process with Departmental Review and Tracking

Purpose

To ensure that access to third-party applications is properly controlled, regularly reviewed, and aligned with user roles and responsibilities. This process ensures accountability at both IT Security and departmental levels, maintaining compliance with the UNCSA Access Control Standard.

Process Overview

| Step | Description | Responsible Party | Tracking/Documentation |
|------|-------------|-------------------|------------------------|
| 1 | Inventory of Third-Party Applications | Departments, with IT Security Support | Central Access Inventory maintained by IT Security |
| 2 | Initial Access Assignment | Departments | Initial application access assigned based on roles and responsibilities |
| 3 | Annual/Quarterly Access Review Notification | IT Security | Notification sent to each department, tracked in Central Tracker |
| 4 | Departmental Access Review | Departments | Review completion recorded in Central Tracker; access change requests submitted to IT Security |
| 5 | Verification and Remediation | IT Security | Confirm changes are applied; maintain audit log |
| 6 | Reporting | IT Security | Quarterly report to Executive Leadership on completion rates, exceptions, and remediation status |


Detailed Steps

Step 1: Inventory of Third-Party Applications

  • Departments provide IT Security with a list of all third-party applications in use.
  • Information includes:
    • Application name
    • Owner/Responsible Department
    • Data sensitivity classification
    • Current users and their roles
  • IT Security maintains a centralized, regularly updated inventory.

Step 2: Initial Access Assignment

  • Departments manage initial access based on roles and responsibilities.
  • Access levels must align with the Access Control (Role-based, Attribute-based) Standard.
  • Documentation of each user's access is required and stored centrally.

Step 3: Annual/Quarterly Access Review Notification

  • Timeline: Annual/Quarterly, initiated by IT Security.
  • Action: IT Security sends formal notification to each department, outlining:
    • The systems requiring review
    • Current user access lists
    • Review deadline
  • Tracking: IT Security uses a centralized Access Review Tracker to monitor:
    • Notification sent date
    • Department acknowledgment
    • Review completion status

Step 4: Departmental Access Review

  • Departments review user access for each third-party system.
  • Verification includes:
    • Confirming active users still require access
    • Ensuring access levels align with current roles and responsibilities
    • Identifying access that should be revoked or adjusted
  • Departments submit signed verification and access change requests to IT Security.

Step 5: Verification and Remediation

  • IT Security:
    • Conducts spot checks for accuracy
    • Logs all changes and maintains an audit trail

Step 6: Reporting

  • IT Security compiles an annual summary report showing:
    • Completion rates by department
    • Outstanding issues or overdue reviews
    • Summary of access adjustments and potential risks
  • Report delivered to Executive Leadership for review.

Tracking Tools

  • Access Review Tracker: Secure centralized system tracking:
    • Application inventory
    • Review schedules
    • Department responses
    • Access change requests
    • Completion status
  • Audit Logs: Maintained by IT Security for:
    • All access changes
    • Review documentation
    • Communication records

August 07, 2025