||Introduction and Scope
||The CSU Information Security policy provides direction for managing and protecting
the confidentiality, integrity and availability of CSU information assets. In addition,
the policy defines the organizational scope of the CSU Information Security Policy.
||The CSU Information Security Management Department shall be responsible for overseeing
a documented annual review of this policy and communicating any changes or additions
to appropriate CSU stakeholders. The CSU Information Security policy shall be updated
as necessary to reflect changes in the CSU's academic, administrative, or technical
environments, or applicable laws and regulations.
||Establishing an Information Security Program
||Each campus President and the Assistant Vice Chancellor for Information Technology
Services are responsible for the establishment and implementation of an information
security program that contains administrative, technical and physical safeguards designed
to protect campus information assets. Each campus information security program must
implement a risk-based, layered approach that uses preventative, detective, and corrective
controls sufficient to provide an acceptable level of information security and must
be reviewed at least annually. The campus information security program reviews must
||Organizing Information Security
||Each campus must develop, implement, and document the organizational structure that
supports the campus’ information security program. The organizational structure must
define the functions, relationships, responsibilities, and authorities of individuals
or committees that support the campus information security program. The governance
structure must be reviewed at least annually.
||Information Security Risk Management
||Risk management involves the identification and evaluation of risks to information
security assets (risk assessment) and the ongoing collection of information about
the risk (risk monitoring). Once a risk has been identified, campuses must develop
and implement strategies to reduce the risk to acceptable levels (risk mitigation),
share or shift the risk to another party (risk transference) or assume the identified
risk (risk acceptance).
||Privacy of Personal Information
||All users of campus information systems or network resources are advised to consider
the open nature of information disseminated electronically and must not assume any
degree of privacy or restricted access to information they create or store on campus
systems. The CSU is a public university and information stored on campus information
systems may be subject to disclosure under state law. No campus information system
or network resource can absolutely ensure that unauthorized persons will not gain
access to information or activities. However, the CSU acknowledges its obligation
to respect and protect private information about individuals stored on campus information
systems and network resources.
||Personnel Information Security
||All users are expected to employ security practices appropriate to their responsibilities
and roles. Users who access level 1 or level 2 data as defined in the CSU Data Classification
Standard must sign an approved system-wide confidentiality (non-disclosure) agreement.
||Information Security Awareness and Training
||Each campus must implement a program for providing appropriate information security
awareness and training to employees appropriate to their access to campus information
assets. The campus information security awareness program must promote campus strategies
for protecting information assets containing protected data. All employees with access
to protected data and information assets must participate in appropriate information
security awareness training. When appropriate, information security training must
be provided to individuals whose job functions require specialized skill or knowledge
in information security.
||Managing Third Parties
||Third parties who access CSU information assets must be required to adhere to appropriate
CSU and campus information security policies and standards. As appropriate, a risk
assessment must be conducted to determine the specific implications and control requirements
for the service provided.
||Information Technology Security
|Campuses must develop and implement appropriate technical controls to minimize risks
to their information technology infrastructure. Each campus must take reasonable steps
to protect the confidentiality, integrity, and availability of its critical assets
and protected data from threats.
||Campuses must develop, implement, and document configuration standards to ensure that
information technology systems, network resources, and applications are appropriately
secured to protect confidentiality, integrity, and availability.
||Changes to information technology systems, network resources, and applications need
to be appropriately managed to minimize the risk of introducing unexpected vulnerabilities
and ensure that existing security protections are not adversely impacted. Campuses
must establish and document a process to manage changes to campus information assets
containing level 1 or level 2 data, as defined in the CSU Data Classification Standard.
CSU 8060.S000 Appendix A
|The CSU Information Security policy provides direction and support for managing access
to CSU information assets and guidance for: granting access to CSU information assets;
separating duties of individuals who have access to CSU information assets; conducting
reviews of access rights to CSU information assets; and modifying user access rights
to CSU information assets.
||Information Asset Management
|Each campus must develop and maintain a data classification standard that meets or
exceeds the requirements of the CSU Data Classification Standard. Campuses must maintain
an inventory of information assets containing level 1 or level 2 data as defined in
the CSU Data Classification Standard. These assets must be categorized and protected
throughout their entire life cycle, from origination to destruction.
||Information Systems Acquisition, Development and Maintenance
||Campuses must integrate information security requirements into the software life cycle
of information systems that contain protected data. The security requirements must
identify controls that are needed to ensure confidentiality, integrity, and availability.
These controls must be appropriate, cost-effective, and mitigate risks that may result
from unauthorized access, use, disclosure, disruption, modification, or destruction
of the protected data.
||Information Security Incident Management
||Campuses must develop and maintain an information security incident response program
that includes processes for investigating, responding to, reporting, and recovering
from incidents involving loss, damage, or misuse of information assets containing protected
data, or improper dissemination of critical or protected data, regardless of the medium
in which the breached information is held or transmitted (e.g., physical or electronic).
||Each campus must identify physical areas that must be protected from unauthorized
physical access. Such areas would include data centers and other locations on the
campus where information assets containing protected data are stored. Campuses must
protect these limited-access areas from unauthorized physical access while ensuring
that authorized users have appropriate access. Campus information assets that access
protected data and are located in public or non-public access areas must be physically
secured to prevent theft, tampering, or damage. The level of protection provided must
be commensurate with the identified risks. Campuses must review and document
physical access rights to campus limited-access areas annually.
||Business Continuity and Disaster Recovery
||An information security program needs to support the maintenance and potential restoration
of operations through and after both minor and catastrophic disruptions. Campuses
must ensure that their information assets can, in the case of a catastrophic event,
continue to operate and be appropriately accessible to users. Each campus must maintain
an ongoing program that ensures the continuity of essential functions and operations
following a catastrophic event. The campus program must be in compliance with the
CSU Business Continuity Program.
||The CSU Information Security Management Office shall, in consultation with the CSU
Office of General Counsel and other subject matter experts, regularly identify and
define laws and regulations that apply to CSU information assets. The CSU Information
Security Management Office shall provide this information to campuses as it develops.
Campuses must develop and maintain information security policies and standards that
comply with applicable laws and regulations and the CSU policies that apply to campus
information assets. The campus policies and standards must include monitoring controls
that ensure ongoing compliance with applicable laws, regulations, and CSU policies.
||It is the policy of the CSU to permit the use of electronic or digital signatures
in lieu of handwritten signatures. Usage of electronic or digital signatures is at
the option of an individual campus or the Chancellor’s Office provided they conform
to the terms set forth in this policy. This policy does not pertain to facsimile signatures
printed on checks issued by the CSU.
||Responsible Use Policy
||The California State University (CSU) provides access to information assets for purposes
related to its mission and to the responsibilities and necessary activities of its
faculty, students and staff. These resources are vital for the fulfillment of the
academic, research and business needs of the CSU community. This policy defines user
(e.g., faculty, staff, students, third parties, etc.) and CSU responsibilities with
respect to the use of CSU information assets in conjunction with the CSU Information