Information Security Policies, Goals, and Standards


Policies and Standards

The CSU Information Security Policy provides direction for managing and protecting the confidentiality, integrity and availability of CSU information assets. In addition, the policy defines the organizational scope of the CSU Information Security Policy.

The CSU Information Security Policy and Standards are not intended to prevent, prohibit, or inhibit the sanctioned use of information assets as required to meet the CSU's core mission and campus academic and administrative goals.

CSU Information Security Policies & Standards 

 

Goals

The goals of the Cal Maritime Information Security Program are to:

  • Identify and manage information security risks and liabilities
  • Ensure compliance with all applicable laws, regulations, contracts, and California and CSU policies
  • Communicate responsibilities and minimum requirements

Consistent with CSU Information Security Policies, Cal Maritime's Information Security Program establishes policy and sets expectations for protecting university information assets. 

These are supported by related policies, standards, guidelines and practices to facilitate campus compliance:

  • Policies are high-level statements of principle, equivalent to organizational law, that provide technology agnostic scope and direction to the campus community.
  • Standards establish specific criteria and minimum baseline requirements or levels that must be met to comply with policy. They are typically technology agnostic and they provide a basis for verifying compliance through audits and assessments.
  • Guidelines are recommended or suggested actions that can supplement an existing standard or provide guidance where no standard exists. They may or may not be technology agnostic.
  • Practices consist of one or more series of interrelated steps to be taken to achieve a specific goal designed to implement a policy, standard or guideline. They are detailed descriptions that may use specific technologies, instructions and forms to facilitate completing the process.

Policies should be written so as to require infrequent changes, while standards, guidelines and practices are typically updated as needed to address specific changes in policy, technology or university practices.


The Information Security Officer (ISO) and Chief Information Officer (CIO) are responsible for coordinating the development and dissemination of information security and technology policies, standards, guidelines and procedures, respectively. Policy development is driven by CSU policies and directives, new legislation and regulations, audit findings, risk assessment, and university strategic planning and initiatives. Key campus stakeholders are consulted early on, and research is conducted to find potential models from other universities. Using a standard format, a draft policy is developed and shared broadly with campus constituents for review and comment. The final draft recommendation is forwarded to the President for formal campus adoption. Standards, guidelines and practices do not require Presidential approval; campus constituents, including the Campus Leadership Committee, may be asked to review and comment, but final approval rests with the ISO and CIO.

The Integrated CSU Administrative Manual (ICSUAM) Section 8000, Information Security, contains the following policy sections, which include links to standards, procedures and guidelines:

8000.0 - Introduction and Scope
8005.0 - Policy Management
8010.0 - Establishing an Information Security Program
8015.0 - Organizing Information Security
8020.0 - Information Security Risk Management
8025.0 - Privacy of Personal Information
8030.0 - Personnel Information Security
8035.0 - Information Security Awareness and Training
8040.0 - Managing Third Parties
8045.0 - Information Technology Security
8050.0 - Configuration Management
8055.0 - Change Control
8060.0 - Access Control
8065.0 - Information Asset Management
8070.0 - Information Systems Acquisition, Development and Maintenance
8075.0 - Information Security Incident Management
8080.0 - Physical Security
8085.0 - Business Continuity and Disaster Recovery
8090.0 - Compliance
8095.0 - Policy Enforcement
8100.0 - Electronic and Digital Signatures
8105.0 - Responsible Use Policy

 

Data Classification and Protection Standards

Introduction

This document provides an operational standard for the management of protected data and data elements. Data classification is the process of assigning value to data in order to organize it according to its risk of loss or harm from disclosure.

The California State University data classification and protection standards establish a baseline derived from federal laws, state laws, regulations, CSU Executive Orders, CSU ICSUAM 8065 and campus policies that govern the privacy and confidentiality of data.

Cal Maritime's data classification and protection standards apply to all data collected, generated, maintained, and entrusted to the CSU (e.g. student, research, financial, employee data, etc.) except where superseded by grant, contract, or federal copyright law. These standards apply to information in electronic or hard copy form.

Level 1 - Confidential

Access, storage, and transmission of Level 1 - Confidential information are subject to restrictions as described in the CSU Asset Management Standards. Information may be classified as confidential based on criteria including but not limited to:
  • Disclosure exemptions - Information maintained by the University that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws.
  • Severe risk - Information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the CSU, its students, employees, or customers. Financial loss, damage to the CSU's reputation, and legal action could occur.
  • Limited use - Information intended solely for use within the CSU and limited to those with a "business need-to-know."
  • Legal obligations - Information for which disclosure to persons outside of the University is governed by specific standards and controls designed to protect the information.

Examples of Level 1 - Confidential information include, but are not limited to:

  • Passwords or credentials that grant access to level 1 and level 2 data
  • Psychological Counseling records related to an individual
  • PINs (Personal Identification Numbers)
  • Law enforcement personnel records
  • Birth date combined with last four digits of SSN and name
  • Biometric information
  • Credit card numbers with cardholder name
  • Electronic or digitized signatures
  • Tax ID with name
  • Private key (digital certificate)
  • Driver's license number, state identification card, and other forms of national or international identification (such as passports, visas, etc.) in combination with name
  • Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual's financial account
  • Social Security number and name
  • Criminal background check results
  • Health insurance information
  • EMEDC records
  • Medical records related to an individual
  • Prospective donor profiles
  • Retention, Tenure and Promotion (RTP) documents

 

Level 2 - Internal Use

Access, storage, and transmission of Level 2 - Internal Use information are subject to restrictions as described in the CSU Asset Management Standards. Information may be classified as 'internal use' based on criteria including but not limited to:
  • Sensitivity - Information which must be protected due to proprietary, ethical, contractual or privacy considerations.
  • Moderate risk - Information which may not be specifically protected by statute, regulations, or other legal obligations or mandates, but for which unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could cause financial loss, damage to the CSU's reputation, violate an individual's privacy rights, or make legal action necessary.

Examples of Level 2 - Internal Use information include, but are not limited to:

  • Identity validation keys (name in combination with):
    • Birth date (full: mm-dd-yy)
    • Birth date (partial: mm-dd only)
  • Vulnerability/security information related to a campus or system
  • Photo (taken for identification purposes)
  • Campus attorney-client communications
  • Student Information-Educational Records not defined as "directory" information, typically:
    • Grades
    • Courses taken
    • Schedule
    • Test Scores
    • Advising records
    • Educational services received
    • Disciplinary actions
    • Student photo
  • Employee Information
    • Employee net salary
    • Home address
    • Personal telephone numbers
    • Personal email address
    • Payment History
    • Employee evaluations
    • Pre-employment background investigations
    • Mother's maiden name
    • Race and ethnicity
    • Parents and other family members names
    • Birthplace (City, State, Country)
    • Gender
    • Marital Status
    • Physical description
    • Other
  • Library circulation information.
  • Trade secrets or intellectual property such as research activities
  • Location of critical or protected assets
  • Licensed software