The CSU is enhancing its information security program by developing a set of system-wide information security policies and supporting standards. The CSU contracted with a consulting firm to assist in the development of a system-wide responsible use policy, an information security policy and supporting standards.
The policies and standards are intended to provide direction and support to campuses in their efforts to protect CSU information assets and provide privacy protection to individuals in accordance with applicable laws and regulations and university requirements. The policies and standards help promote and encourage appropriate use of information assets. Campuses may supplement, but not supersede, the system-wide policies and standards by developing additional campus policies and standards.
Information Security Resource Links
United States Computer Emergency Readiness Team (US-CERT) "The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) leads efforts to improve the Nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the Nation while protecting the constitutional rights of Americans. US-CERT strives to be a trusted global leader in cybersecurity—collaborative, agile, and responsive in a dynamic and complex environment." -US-CERT.GOV
Internet Storm Center (ISC) "The ISC was created in 2001 following the successful detection, analysis, and widespread warning of the Li0n worm. Today, the ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers." -ISC.SANS.EDU
California Office of Information Security "The California Information Security Office is the primary state government authority in ensuring the confidentiality, integrity, and availability of state systems and applications, and ensuring the protection of state information." -CIO.CA.GOV/OIS
The California Maritime Academy Information Security Program provides direction for managing and protecting the confidentiality, integrity and availability of California Maritime Academy information assets. In accordance with the California State University's Information Security Policy 8035, this Information Security Program contains administrative, technical and physical safeguards to protect campus information assets. Unauthorized modification, deletion or disclosure of information assets can compromise the mission of California Maritime Academy, violate individual privacy rights and possibly constitute a criminal act.
The intent of the Information Security Program is to:
Document roles and responsibilities.
Provide for the confidentiality, integrity and availability of information, regardless of the medium in which the information asset is held or transmitted (e.g., paper or electronic).
Document risk management strategies to identify and mitigate threats and vulnerabilities to Level 1 and Level 2 information assets as defined in the California Maritime Academy Data Classification and Handling Standard.
Document incident response strategies.
Document strategies for ongoing security awareness and training.
Comply with applicable laws, regulations, and California Maritime Academy and CSU policies.
It is the collective responsibility of all users to ensure:
Confidentiality of information which California Maritime Academy must protect from unauthorized access.
Integrity and availability of information stored on or processed by California Maritime Academy information systems.
Compliance with applicable laws, regulations, CSU policies and California Maritime Academy policies governing information security and privacy protection.
The California Maritime Academy Information Security Program and security standards are not intended to prevent, prohibit or inhibit the sanctioned use of information assets as required to meet California Maritime Academy's core mission and campus academic and administrative goals.
Information Security Awareness Training will be assigned annually to all CSUM staff, faculty, administrators, consultants, auxiliary employees, and student assistants, on the assumption that any of them may come into contact with sensitive data in the course of their work.
Employees must complete the assigned training within two months of its assignment. The training will automatically be reassigned one year after completion.
The goals of the California Maritime Academy Information Security Program are to:
Identify and manage information security risks and liabilities
Ensure compliance with all applicable laws, regulations, contracts, and California and CSU policies
Communicate responsibilities and minimum requirements
Consistent with CSU Information Security Policies, CSUM's Information Security Program, combined with the Information Technology Resource Responsible Use Policy, establishes policy and sets expectations for protecting university information assets.
These are supported by related policies, standards, guidelines and practices to facilitate campus compliance:
Policies are high-level statements of principle, equivalent to organizational law, that provide technology agnostic scope and direction to the campus community.
Standards establish specific criteria and minimum baseline requirements or levels that must be met to comply with policy. They are typically technology agnostic and they provide a basis for verifying compliance through audits and assessments.
Guidelines are recommended or suggested actions that can supplement an existing standard or provide guidance where no standard exists. They may or may not be technology agnostic.
Practices consist of one or more series of interrelated steps to be taken to achieve a specific goal designed to implement a policy, standard or guideline. They are detailed descriptions that may use specific technologies, instructions and forms to facilitate completing the process.
Policies should be written so as to require infrequent changes, while standards, guidelines and practices are typically updated as needed to address specific changes in policy, technology or university practices. The Information Security Officer (ISO) and the Chief Information Officer (AVP/CIO) are responsible for coordinating the development and dissemination of information security and technology policies, standards, guidelines and practices, respectively.
Policy development is driven by CSU policies and directives, new legislation and regulations, audit findings, risk assessments, and university strategic planning and initiatives. Key campus stakeholders are consulted early, and research is conducted to find potential models from other universities. Using a standard format, a draft policy is developed and shared broadly with campus constituents for review and comment. All input is considered, but not necessarily incorporated.
The IT Governance Committee is advisory and reports to the AVP on policies and plans related to the management and use of information resources. The IT Governance Committee reviews final draft policies and forwards its recommendations to the President for formal campus adoption. Standards, guidelines and practices do not require Presidential approval; campus constituents, including the IT Governance Committee, may be asked to review and comment, but final approval rests with the ISO and the AVP/CIO.
8000.0 - Introduction and Scope
8005.0 - Policy Management
8010.0 - Establishing an Information Security Program
8015.0 - Organizing Information Security
8020.0 - Information Security Risk Management
8025.0 - Privacy of Personal Information
8030.0 - Personnel Information Security
8035.0 - Information Security Awareness and Training
8040.0 - Managing Third Parties
8045.0 - Information Technology Security
8050.0 - Configuration Management
8055.0 - Change Control
8060.0 - Access Control
8065.0 - Information Asset Management
8070.0 - Information Systems Acquisition, Development and Maintenance
8075.0 - Information Security Incident Management
8080.0 - Physical Security
8085.0 - Business Continuity and Disaster Recovery
8090.0 - Compliance
8095.0 - Policy Enforcement
8100.0 - Electronic and Digital Signatures
8105.0 - Responsible Use Policy
This document provides an operational standard for the management of protected data/data elements. Data classification is the process of assigning value to data in order to organize it according to its risk to loss or harm from disclosure.
The California State University, Cal Maritime data classification and protection standards establish a baseline derived from federal laws, state laws, regulations, CSU Executive Orders, CSU ICSUAM and campus policies that govern the privacy and confidentiality of data.
The CSU, Cal Maritime data classification and protection standards apply to all data collected, generated, maintained, and entrusted to the CSU (e.g. student, research, financial, employee data, etc.) except where superseded by grant, contract, or federal copyright law. These standards apply to information in electronic or hard copy form.
Access, storage, and transmissions of Level 1 Confidential information are subject to restrictions as described in CSU Asset Management Standards. Information may be classified as confidential based on criteria including but not limited to:
Disclosure exemptions - Information maintained by the University that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws.
Severe risk - Information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the CSU, its students, employees, or customers. Financial loss, damage to the CSU's reputation, and legal action could occur.
Limited use - Information intended solely for use within the CSU and limited to those with a "business need-to know."
Legal obligations - Information for which disclosure to persons outside of the University is governed by specific standards and controls designed to protect the information.
Examples of Level 1 - Confidential information include, but are not limited to:
Passwords or credentials that grant access to level 1 and level 2 data
Psychological Counseling records related to an individual
PINs (Personal Identification Numbers)
Law enforcement personnel records
Birth date combined with last four digits of SSN and name
Credit card numbers with cardholder name
Electronic or digitized signatures
Tax ID with name
Private key (digital certificate)
Driver's license number, state identification card, and other forms of national or international identification (such as passports, visas, etc.) in combination with name
Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual's financial account
Social Security number and name
Criminal background check results
Health insurance information
Medical records related to an individual
Prospective donor profiles
Retention, Tenure and Promotion (RTP) documents
3.0 CLASSIFICATION DESCRIPTION: LEVEL 2 - INTERNAL USE
Access, storage, and transmissions of Level 2 - Internal Use information are subject to restrictions as described in CSU Asset Management Standard. Information may be classified as 'internal use' based on criteria including but not limited to:
Sensitivity - Information which must be protected due to proprietary, ethical, contractual or privacy considerations.
Moderate risk - Information which may not be specifically protected by statute, regulations, or other legal obligations or mandates, but for which unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could cause financial loss, damage to the CSU's reputation, violate an individual's privacy rights, or make legal action necessary.
Identity validation keys (name in combination with):
Birth date (full: mm-dd-yy)
Birth date (partial: mm-dd only)
Vulnerability/security information related to a campus or system
Photo (taken for identification purposes)
Campus attorney-client communications
Student Information-Educational Records not defined as "directory" information, typically:
Educational services received
Employee net salary
Personal telephone numbers
Personal email address
Pre-employment background investigations
Mother's maiden name
Race and ethnicity
Parents and other family members names
Birthplace (City, State, Country)
Library circulation information
Trade secrets or intellectual property such as research activities
This document outlines the policies and procedures for handling the disposal and transfer of State and Foundation electronic devices, particularly those with the capacity to store data. All electronic devices that contain data must be processed through ITSupport for disposals and transfers.
To meet California law for electronic waste disposal and to reduce the risk of accidental disclosure of confidential information, new procedures and guidelines have been developed to ensure the secure disposal and transfer of electronic devices and media. These procedures were developed by IT Support Services and the Information Security Office, in partnership with Environmental Health & Safety and Property.
Electronic devices require special processing if they store and retain information when the power is turned off. For purposes of these procedures and guidelines, electronic devices which meet this definition include but are not limited to:
Tablets (iPads, iPods, Android tablets, etc.)
Disk drives and USB flash drives
Cell phones and PDAs (Personal Digital Assistants)
Media include CD-ROMs, backup tapes, and other removable media
Electronic devices which do not retain information such as TVs, VCRs, microwaves, desktop calculators, etc. should be disposed of according to the Universal Waste Handling and Disposal Procedures at
Transfer of Devices
All electronic devices that retain data (Computers, tablets, cell phones, etc.) which are being transferred within a department must be completely re-imaged or factory reset by ITSupport prior to transfer. There will be no charge for this service.
All such devices which are being transferred between departments must be securely wiped by ITSupport prior to transfer. There will be no charge for this service.
Disposal of Devices
All electronic devices that retain data (Computers, tablets, cell phones, etc.) need to be delivered to ITSupport to have data securely removed. Please contact ITSupport at x1048 to arrange for pickup. There will be no charge for this service.
ITSupport Process of data destruction
If media is functional:
A multipass random-character overwrite of the media is performed before the device or hard drive goes into storage for redeployment and/or physical destruction.
Devices awaiting redeployment and/or destruction will be labeled and stored in the ITSupport desk storage, which is protected by two entry points, both controlled by electronic card-access door readers.
Physical destruction of the media will happen on-site, with ITSupport staff present at all times until the media is successfully shredded.
If media is not functional:
Devices awaiting destruction will be labeled and stored in the ITSupport desk storage, which is protected by two entry points, both controlled by electronic card-access door readers.
Physical destruction of the media will happen on-site, with ITSupport staff present at all times until the media is successfully shredded.
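The "multipass random character write" step above, shown as an added example that is not ITSupport's own tooling: the function overwrites a file in place with several passes of random bytes, adds a final zero pass (an addition of this example, not a step the procedure lists), and then verifies that the original plaintext can no longer be found. It operates on a regular file so that it runs anywhere; against a whole drive the same pattern is applied to the block device (for example with shred or dd). The sample file and its "Level 1" contents are constructed for the example. One caveat a practitioner should keep in mind: on SSDs and flash media, overwriting does not reliably reach remapped or wear-levelled blocks, so a whole-device secure-erase command or the physical destruction step described above is the real guarantee, and the overwrite is defence in depth.

```python
import os
import tempfile


def _overwrite(f, size, fill, block):
    """One full pass over the file: write fill(n) bytes until `size` is covered."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(block, remaining)
        f.write(fill(n))
        remaining -= n
    f.flush()
    os.fsync(f.fileno())  # make sure the pass actually reached the storage


def wipe_file(path, passes=3, block=64 * 1024):
    """Overwrite a regular file in place: `passes` passes of random bytes,
    then one pass of zeros (the zero pass is this example's addition).
    Returns the number of bytes overwritten."""
    size = os.path.getsize(path)
    if size == 0:
        raise ValueError("empty file: nothing to overwrite")
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            _overwrite(f, size, os.urandom, block)
        _overwrite(f, size, lambda n: b"\x00" * n, block)
    return size


def contains(path, marker: bytes) -> bool:
    """Verification step: does the marker still appear anywhere in the file?"""
    with open(path, "rb") as f:
        return marker in f.read()


def demo():
    """Constructed sample: a file standing in for a drive holding Level 1 data.
    Returns what a verifier would want to record before and after the wipe."""
    marker = b"SSN 123-45-6789 Jane Doe"  # constructed, not real data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"payroll export\n" + marker + b"\n" * 100)
    try:
        before = contains(path, marker)
        written = wipe_file(path, passes=3)
        after = contains(path, marker)
        with open(path, "rb") as f:
            all_zero = f.read() == b"\x00" * written
        return {"before": before, "after": after, "bytes": written, "all_zero": all_zero}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The verification read-back is the part most often skipped in practice; keeping it in the same routine as the overwrite means the ticket that records the wipe also records that the marker was gone afterwards.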
Property Management Transactions
Both transfer and disposal of electronic assets require the submission of a property transfer form, available at the IT Support desk.
Unique credentials will be used for accessing all campus information systems.
Exceptions allowing the use of shared credentials must be approved by the requesting department's manager and by all affected data owners. The manager and all affected data owners must be informed of the associated risks. The department administering the system being accessed with shared credentials must track all shared credentials in use, must require shared credentials to be reauthorized at least annually, and must deactivate any shared credentials that are not reauthorized.
When passwords are issued, they must be one-time passwords or keys. One-time passwords (e.g., passwords assigned during account creation, password resets, or as a second factor for authentication) must be set to a unique value per user and changed immediately at first use.
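The one-time-password rule above, shown as an added example that is not CSUM's code: a minimal account store in which every issued credential is generated rather than chosen (so no two users receive the same initial value), is stored only as a salted hash, and authenticates exactly once, returning "change_required" instead of a session until the user replaces it. The PBKDF2 work factor and the return-value names are this example's assumptions, not part of the standard.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor: an assumption of this example


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class CredentialStore:
    """Username -> {"salt", "digest", "must_change"}; no plaintext is kept."""

    def __init__(self):
        self._accounts = {}

    def issue_one_time(self, username: str) -> str:
        """Create or reset an account with a fresh, per-user one-time value.

        The value is drawn from the CSPRNG, so two users cannot be handed the
        same initial password.  It is returned once for out-of-band delivery;
        only its salted hash is stored, flagged as requiring a change.
        """
        one_time = secrets.token_urlsafe(18)
        salt = secrets.token_bytes(16)
        self._accounts[username] = {
            "salt": salt,
            "digest": _digest(one_time, salt),
            "must_change": True,
        }
        return one_time

    def _verify(self, username: str, password: str):
        acct = self._accounts.get(username)
        if acct is None:
            return None
        if hmac.compare_digest(_digest(password, acct["salt"]), acct["digest"]):
            return acct
        return None

    def authenticate(self, username: str, password: str) -> str:
        """'denied', 'change_required' (one-time value presented, no session
        granted until it is replaced) or 'ok'."""
        acct = self._verify(username, password)
        if acct is None:
            return "denied"
        if acct["must_change"]:
            return "change_required"
        return "ok"

    def change_password(self, username: str, current: str, new: str) -> bool:
        """Replace the current secret.  Re-using the one-time value is refused,
        which is what makes it one-time."""
        acct = self._verify(username, current)
        if acct is None or new == current:
            return False
        salt = secrets.token_bytes(16)
        acct["salt"] = salt
        acct["digest"] = _digest(new, salt)
        acct["must_change"] = False  # the issued value is dead from here on
        return True


if __name__ == "__main__":
    store = CredentialStore()
    issued = store.issue_one_time("jdoe")
    print(store.authenticate("jdoe", issued))            # change_required
    print(store.change_password("jdoe", issued, "a long replacement phrase"))
    print(store.authenticate("jdoe", issued))            # denied
```

Password resets reuse issue_one_time, so a reset credential goes through the same forced-change path as an initial one. A second-factor one-time code would be handled the same way except that the "change" is the code's expiry after a single successful check.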