CSU Information Security Policies and Standards

Section   CSU Policy   Standard   Summary
8000.0 Introduction and Scope   The CSU Information Security Policy provides direction for managing and protecting the confidentiality, integrity and availability of CSU information assets. In addition, the policy defines the organizational scope of the CSU Information Security Policy.
8005.0 Policy Management   The CSU Information Security Management Department shall be responsible for overseeing a documented annual review of this policy and communicating any changes or additions to appropriate CSU stakeholders. The CSU Information Security Policy shall be updated as necessary to reflect changes in the CSU's academic, administrative, or technical environments, or in applicable laws and regulations.
8010.0 Establishing an Information Security Program   Each campus President and the Assistant Vice Chancellor for Information Technology Services are responsible for the establishment and implementation of an information security program that contains administrative, technical and physical safeguards designed to protect campus information assets. Each campus information security program must implement a risk-based, layered approach that uses preventative, detective, and corrective controls sufficient to provide an acceptable level of information security and must be reviewed at least annually. The campus information security program reviews must be documented. 
8015.0 Organizing Information Security  CSU 8015.S000 Each campus must develop, implement, and document the organizational structure that supports the campus’ information security program. The organizational structure must define the functions, relationships, responsibilities, and authorities of individuals or committees that support the campus information security program. The governance structure must be reviewed at least annually. 
8020.0 Information Security Risk Management   Risk management involves the identification and evaluation of risks to information security assets (risk assessment) and the ongoing collection of information about the risk (risk monitoring). Once a risk has been identified, campuses must develop and implement strategies to reduce the risk to acceptable levels (risk mitigation), share or shift the risk to another party (risk transference), or assume the identified risk (risk acceptance).
8025.0 Privacy of Personal Information   All users of campus information systems or network resources are advised to consider the open nature of information disseminated electronically and must not assume any degree of privacy or restricted access to information they create or store on campus systems. The CSU is a public university, and information stored on campus information systems may be subject to disclosure under state law. No campus information system or network resource can absolutely ensure that unauthorized persons will not gain access to information or activities. However, the CSU acknowledges its obligation to respect and protect private information about individuals stored on campus information systems and network resources.
8030.0 Personnel Information Security CSU 8030.S000 All users are expected to employ security practices appropriate to their responsibilities and roles. Users who access level 1 or level 2 data as defined in the CSU Data Classification Standard must sign an approved system-wide confidentiality (non-disclosure) agreement.
8035.0 Information Security Awareness and Training   CSU 8035.S000   Each campus must implement a program for providing information security awareness and training to employees, appropriate to their access to campus information assets. The campus information security awareness program must promote campus strategies for protecting information assets containing protected data. All employees with access to protected data and information assets must participate in appropriate information security awareness training. When appropriate, information security training must be provided to individuals whose job functions require specialized skill or knowledge in information security.
8040.0 Managing Third Parties   CSU 8040.S001   Third parties who access CSU information assets must be required to adhere to appropriate CSU and campus information security policies and standards. As appropriate, a risk assessment must be conducted to determine the specific implications and control requirements for the service provided.
8045.0 Information Technology Security   CSU 8045.S200, CSU 8045.S301, CSU 8045.S302, CSU 8045.S400, CSU 8045.S600   Campuses must develop and implement appropriate technical controls to minimize risks to their information technology infrastructure. Each campus must take reasonable steps to protect the confidentiality, integrity, and availability of its critical assets and protected data from threats.
8050.0 Configuration Management   Campuses must develop, implement, and document configuration standards to ensure that information technology systems, network resources, and applications are appropriately secured to protect confidentiality, integrity, and availability.
8055.0 Change Control CSU 8055.S01 Changes to information technology systems, network resources, and applications need to be appropriately managed to minimize the risk of introducing unexpected vulnerabilities and ensure that existing security protections are not adversely impacted. Campuses must establish and document a process to manage changes to campus information assets containing level 1 or level 2 data, as defined in the CSU Data Classification Standard.
8060.0 Access Control   CSU 8060.S000, CSU 8060.S000 Appendix A   The CSU Information Security Policy provides direction and support for managing access to CSU information assets and guidance for: granting access to CSU information assets; separating duties of individuals who have access to CSU information assets; conducting reviews of access rights to CSU information assets; and modifying user access rights to CSU information assets.
8065.0 Information Asset Management   CSU 8065.S001, CSU 8065.S02   Each campus must develop and maintain a data classification standard that meets or exceeds the requirements of the CSU Data Classification Standard. Campuses must maintain an inventory of information assets containing level 1 or level 2 data as defined in the CSU Data Classification Standard. These assets must be categorized and protected throughout their entire life cycle, from origination to destruction.
8070.0 Information Systems Acquisition, Development and Maintenance   CSU 8070.S000   Campuses must integrate information security requirements into the software life cycle of information systems that contain protected data. The security requirements must identify controls that are needed to ensure confidentiality, integrity, and availability. These controls must be appropriate, cost-effective, and mitigate risks that may result from unauthorized access, use, disclosure, disruption, modification, or destruction of the protected data.
8075.0 Information Security Incident Management   CSU 8075.S000   Campuses must develop and maintain an information security incident response program that includes processes for investigating, responding to, reporting, and recovering from incidents involving loss, damage, or misuse of information assets containing protected data, or improper dissemination of critical or protected data, regardless of the medium in which the breached information is held or transmitted (e.g., physical or electronic).
8080.0 Physical Security   CSU 8080.S01   Each campus must identify physical areas that must be protected from unauthorized physical access. Such areas include data centers and other locations on the campus where information assets containing protected data are stored. Campuses must protect these limited-access areas from unauthorized physical access while ensuring that authorized users have appropriate access. Campus information assets that access protected data and are located in public and non-public access areas must be physically secured to prevent theft, tampering, or damage. The level of protection provided must be commensurate with the identified risks. Campuses must review and document physical access rights to campus limited-access areas annually.
8085.0 Business Continuity and Disaster Recovery   An information security program needs to support the maintenance and potential restoration of operations through and after both minor and catastrophic disruptions. Campuses must ensure that their information assets can, in the case of a catastrophic event, continue to operate and be appropriately accessible to users. Each campus must maintain an ongoing program that ensures the continuity of essential functions and operations following a catastrophic event. The campus program must be in compliance with the CSU Business Continuity Program.
8090.0 Compliance   The CSU Information Security Management Office shall, in consultation with the CSU Office of General Counsel and other subject matter experts, regularly identify and define laws and regulations that apply to CSU information assets. The CSU Information Security Management Office shall provide this information to campuses as it is developed. Campuses must develop and maintain information security policies and standards that comply with applicable laws and regulations and with the CSU policies that apply to campus information assets. The campus policies and standards must include monitoring controls that ensure ongoing compliance with applicable laws, regulations, and CSU policies.
8100.0 Electronic and Digital Signatures   CSU 8100.S01   It is the policy of the CSU to permit the use of electronic or digital signatures in lieu of handwritten signatures. Use of electronic or digital signatures is at the option of an individual campus or the Chancellor's Office, provided they conform to the terms set forth in this policy. This policy does not pertain to facsimile signatures printed on checks issued by the CSU.
8105.0 Responsible Use Policy   The California State University (CSU) provides access to information assets for purposes related to its mission and to the responsibilities and necessary activities of its faculty, students and staff. These resources are vital for the fulfillment of the academic, research and business needs of the CSU community. This policy defines user (e.g., faculty, staff, students, third parties, etc.) and CSU responsibilities with respect to the use of CSU information assets in conjunction with the CSU Information Security Policy.