CSU Information Security Policy

OVERVIEW

The Board of Trustees (BOT) of the California State University (CSU) is responsible for protecting the confidentiality of information in the custody of the CSU; the security of the equipment where this information is processed and maintained; and the related privacy rights of CSU students, faculty and staff concerning this information. It is also the collective responsibility of the CSU, its executives and managers to ensure:

This policy applies to all students, faculty and staff, consultants employed by the CSU, or any other person having access to CSU information technology resources. The unauthorized modification, deletion, or disclosure of information included in CSU data files and databases can compromise the integrity of CSU programs, violate individual privacy rights and possibly constitute a criminal act, and is expressly forbidden.

This responsibility is delegated to the campus Presidents in accordance with CSU policies. It is anticipated that the President will assign most or all of the responsibility for policy enforcement to the CIO/ITAC Designee. Therefore, the ITAC Designee should keep the President informed of any changes to security and confidentiality procedures affecting the campus information technology environment. However, this policy is not limited to those systems and equipment operated and maintained by the central Information Technology organization. It applies to all data systems and equipment on campus that contain data deemed private or confidential and/or that contain mission-critical data, including departmental, divisional and other ancillary systems and equipment.

SECURITY PROCEDURES

Each campus and the Chancellor’s Office must develop and maintain a written set of security policies and procedures that, at a minimum, implement information security and confidentiality practices consistent with these policies, and define end-user responsibilities for the physical security of the equipment and the appropriate use of hardware, software and network facilities.

SECURITY POLICIES

  1. It is the policy of the CSU that all computer equipment, hardware and software be physically secure. Campuses must have plans and procedures for data centers and shared computing environments that ensure, where appropriate:
    1. Protection against natural/accidental disasters. For example:
      1. Fire prevention, detection, suppression and warning.
      2. Smoke detection and warning.
      3. Water detection and warning.
      4. High temperature detection and warning.
      5. HVAC malfunction warning.
      6. Electrical power monitoring and warning.
      7. Environmental contamination (food, drink, etc.).
      8. Emergency power usage warning.
    2. Protection against intentional disasters. For example:
      1. Employee and student facility access control.
      2. Operating system software access control.
      3. Management controls and procedures.
      4. Security procedures.
      5. Emergency procedures.
      6. Reporting computer equipment thefts and breaches of security.
      7. Disaster recovery planning (computers, networks, and data).
    3. User controls and procedures:
      1. Computer access control.
      2. Computer logon/logoff control.
      3. Password security.
  2. It is the policy of the CSU that Data (Information) be secure. Campus plans must include, where appropriate:
    1. Definitions and Descriptions of:
      1. Critical applications (as defined in the State Administrative Manual).
      2. Critical information.
      3. Other critical resources.
    2. Procedures for:
      1. The implementation of cost/effective data security systems (RACF, firewalls, routers, etc.).
      2. Ensuring the confidentiality and security of all information deemed confidential and private.
      3. Backup and off-site storage of mission-critical data.
    3. Required security measures, which include:
      1. Protection against known vulnerabilities.
      2. Testing of security procedures in data centers and shared computing environments.
      3. Organization and administration.
      4. Control of operating system software.
      5. Control of application software and data.
      6. Control of Transaction systems.
      7. Control of Database systems.
      8. Control of magnetic media storage in data centers and shared computing environments.
    4. Guidelines for System Design:
      1. Completeness of data.
      2. Integrity of data.
      3. Accuracy of data.
      4. Audit trails of critical data changes (grade changes, residency determination, etc.).
  3. It is the policy of the CSU that all campuses have appropriate personnel policies and procedures relative to employees who have physical or virtual access to information technology equipment or the data residing therein. These policies and procedures should provide for:
    1. Use of resources for authorized, sanctioned and approved activities only and sanctions for policy violations.
    2. Individual unique user ID/passwords (no shared IDs).
    3. Access privileges controlled on a need-to-know basis (files, records, data elements, databases, applications, screens, terminals, etc.).
    4. Password security requirements.
    5. Appropriate protections for systems and applications accessible by remote access and/or dial-up modem.
    6. Assignment of responsibilities (access privileges granted).
    7. Reassignment of responsibilities (access privileges reviewed).
    8. Termination of employment (access privileges removed).
  4. It is the policy of the CSU that all campuses and the Office of the Chancellor comply with applicable State and Federal laws regarding data security and privacy.