Security
Information Security Policies and Standards
The CSU Information Security Policy provides direction for managing and protecting the confidentiality, integrity and availability of CSU information assets. In addition, the policy defines the organizational scope of the CSU Information Security Policy.
The CSU Information Security Policy and Standards are not intended to prevent, prohibit, or inhibit the sanctioned use of information assets as required to meet the CSU's core mission and campus academic and administrative goals.
Goals and Policies
The goals of the Cal Maritime Information Security Program are to:
- Identify and manage information security risks and liabilities
- Ensure compliance with all applicable laws, regulations, contracts, and California and CSU policies
- Communicate responsibilities and minimum requirements
Consistent with CSU Information Security Policies, Cal Maritime's Information Security Program establishes policy and sets expectations for protecting university information assets.
These are supported by related policies, standards, guidelines and practices to facilitate campus compliance:
- Policies are high-level statements of principle, equivalent to organizational law, that provide technology agnostic scope and direction to the campus community.
- Standards establish specific criteria and minimum baseline requirements or levels that must be met to comply with policy. They are typically technology agnostic and they provide a basis for verifying compliance through audits and assessments.
- Guidelines are recommended or suggested actions that can supplement an existing standard or provide guidance where no standard exists. They may or may not be technology agnostic.
- Practices consist of one or more series of interrelated steps to be taken to achieve a specific goal designed to implement a policy, standard or guideline. They are detailed descriptions that may use specific technologies, instructions and forms to facilitate completing the process.
Policies should be written so as to require infrequent changes while standards, guidelines and practices are typically updated as needed to address specific changes in policy, technology or university practices.
The Information Security Officer (ISO) and Chief Information Officer (CIO) are responsible for coordinating the development and dissemination of information security and technology policies, standards, guidelines and procedures, respectively. Policy development is driven by CSU policies and directives, new legislation and regulations, audit findings, risk assessment and university strategic planning and initiatives. Key campus stakeholders are consulted early on and research is conducted to find potential models from other universities. Using a standard format, a draft policy is developed and shared broadly with campus constituents for review and comment. The final draft recommendation is forwarded to the President for formal campus adoption. Standards, guidelines and practices do not require Presidential approval; campus constituents, including the Campus Leadership Committee, may be asked to review and comment, but final approval rests with the ISO and CIO.
The Integrated CSU Administrative Manual (ICSUAM) Section 8000 Information Security contains the following policy sections, which include links to standards, procedures and guidelines:
8000.0 - Introduction and Scope
8005.0 - Policy Management
8010.0 - Establishing an Information Security Program
8015.0 - Organizing Information Security
8020.0 - Information Security Risk Management
8025.0 - Privacy of Personal Information
8030.0 - Personnel Information Security
8035.0 - Information Security Awareness and Training
8040.0 - Managing Third Parties
8045.0 - Information Technology Security
8050.0 - Configuration Management
8055.0 - Change Control
8060.0 - Access Control
8065.0 - Information Asset Management
8070.0 - Information Systems Acquisition, Development and Maintenance
8075.0 - Information Security Incident Management
8080.0 - Physical Security
8085.0 - Business Continuity and Disaster Recovery
8090.0 - Compliance
8095.0 - Policy Enforcement
8100.0 - Electronic and Digital Signatures
8105.0 - Responsible Use Policy
Incident Management
This section describes the process used to report events which have the potential to negatively impact the confidentiality, integrity, or availability of Cal Maritime's information assets.
The incident response cycle begins when a suspicious event is observed. Individuals in functional campus areas must either contact the IT Help Desk at helpdesk@csum.edu or contact the Information Security Officer directly. Depending on the nature of an incident (e.g. burglary, robbery) the end user may also need to contact Campus Police and file a report.
Information security incidents are considered high priority and take precedence over normal Cal Maritime business operations. Managers who supervise functional campus areas must be prepared to manage work priorities, applying their judgment to the scope and impact of an incident in accordance with direction provided by the Information Security Officer.
The Incident Response Roles and Responsibilities document (Word) outlines the duties of the Cal Maritime community regarding the handling of information security incidents.
In cases where protected data (Level 1 confidential or Level 2 internal use) may be involved, the initial IT point of contact in the corresponding functional campus area must complete an Incident Response Form (Word) and escalate the issue to the IT Security Team in accordance with the instructions on the Incident Response Form. Isolated, low-impact events that do not put protected data at risk generally can be handled without using this form.
Security Awareness Training
Cal Maritime's Information Security Program provides direction for managing and protecting the confidentiality, integrity and availability of Cal Maritime information assets. In accordance with the California State University's Information Security Policy 8035, this Information Security Program contains administrative, technical and physical safeguards to protect campus information assets. Unauthorized modification, deletion or disclosure of information assets can compromise the mission of Cal Maritime, violate individual privacy rights and possibly constitute a criminal act.
The intent of the Information Security Program is to:
- Document roles and responsibilities.
- Provide for the confidentiality, integrity and availability of information, regardless of the medium in which the information asset is held or transmitted (e.g., paper or electronic)
- Document risk management strategies to identify and mitigate threats and vulnerabilities to level 1 and level 2 information assets as defined in the Cal Maritime Data Classification and Handling Standard
- Document incident response strategies
- Document strategies for ongoing security awareness and training
- Comply with applicable laws, regulations, Cal Maritime and CSU policies
It is the collective responsibility of all users to ensure:
- Confidentiality of information which Cal Maritime must protect from unauthorized access
- Integrity and availability of information stored on or processed by Cal Maritime information systems
- Compliance with applicable laws, regulations, CSU policies and Cal Maritime policies governing information security and privacy protection
The Cal Maritime Information Security Program and security standards are not intended to prevent, prohibit or inhibit the sanctioned use of information assets as required to meet Cal Maritime's core mission and campus academic and administrative goals.
Information Security Awareness Training will be assigned annually to all Cal Maritime staff, faculty, administrators, consultants, auxiliary employees, and student assistants, on the assumption that any of them may come into contact with sensitive data in the course of their work.
Employees must complete the assigned training within two months of its assignment. The training will automatically be reassigned one year after completion.
Data Classification and Protection Standards
Introduction
Level 1 - confidential
- Disclosure exemptions - Information maintained by the University that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws.
- Severe risk - Information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the CSU, its students, employees, or customers. Financial loss, damage to the CSU's reputation, and legal action could occur.
- Limited use - Information intended solely for use within the CSU and limited to those with a "business need-to-know."
- Legal Obligations - Information for which disclosure to persons outside of the University is governed by specific standards and controls designed to protect the information
Examples of Level 1 - Confidential information include, but are not limited to:
Level 2 - Internal Use
- Sensitivity - Information which must be protected due to proprietary, ethical, contractual or privacy considerations.
- Moderate risk - Information which may not be specifically protected by statute, regulations, or other legal obligations or mandates, but for which unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could cause financial loss, damage to the CSU's reputation, violate an individual's privacy rights, or make legal action necessary.
Examples of Level 2 - Internal use information include, but are not limited to:
Electronic Device Disposal and Transfer Procedures
This document outlines the policies and procedures for handling the disposal and transfer of State and Foundation electronic devices, particularly those with the capacity to store data. All electronic devices that contain data must be processed through IT Support for disposals and transfers.
Overview
To meet California law for electronic waste disposal and to reduce the risk of accidental disclosure of confidential information, new procedures and guidelines have been developed to ensure the secure disposal and transfer of electronic devices and media. These procedures were developed by IT Support Services and the Information Security Office, in partnership with Environmental Health & Safety and Property.
Electronic devices require special processing if they store and retain information when the power is turned off. For purposes of these procedures and guidelines, electronic devices which meet this definition include but are not limited to:
- Desktop computers
- Servers
- Tablets (iPads, iPods, Android tablets, etc.)
- Printers/Copiers
- Disk drives and USB flash drives
- Cell phones and PDAs (Personal Digital Assistants)
- Removable media, including CD-ROMs, backup tapes, and other removable media
Electronic devices which do not retain information, such as TVs, VCRs, microwaves, desktop calculators, etc., should be disposed of according to the Universal Waste Handling and Disposal Procedures.
Transfer of Devices
- All electronic devices that retain data (computers, tablets, cell phones, etc.) which are being transferred within a department must be completely re-imaged or factory reset by IT Support prior to transfer.
- All devices which are being transferred between departments must be securely wiped by IT Support prior to transfer.
Disposal of Devices
All electronic devices that retain data (computers, tablets, cell phones, etc.) need to be delivered to IT Support to have data securely removed. Please contact IT Support at x1048 to arrange for pickup.
IT Support data destruction process
If the media is functional and device storage was not encrypted at rest:
- Multipass random-character write to the media before the device or hard drive goes into storage for redeployment and/or physical destruction, OR
- If the device is going to e-waste, the storage is removed and inventoried by device type and serial number. The storage inventory is used by the e-waste vendor to certify destruction.
If the media is functional and device storage was encrypted at rest:
- The device will be sent to an approved e-waste vendor for disposal.
If the media is not functional:
- Storage devices awaiting destruction will be labeled and kept in the Classroom data center, which is protected by two entry points, both controlled by electronic card-access door readers.
- The storage device is removed and inventoried by device type and serial number. The storage inventory is used by the e-waste vendor to certify destruction.
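The multipass random write in the first branch above, reduced to a single file so it can be run anywhere, as an added Python example (this is not IT Support's tooling, which wipes whole drives): each pass writes fresh `os.urandom` data over every byte and is flushed and fsynced before the next pass starts, so no pass is left sitting only in the page cache. The `overwrite_random`, `still_contains` and `demo_wipe` names, the scratch file and the marker string are the example's own constructions. Two caveats a practitioner should keep in mind: overwriting a file does not reach copies the filesystem may hold elsewhere (journal, snapshots, previously freed blocks), which is why the procedure wipes the device rather than individual files; and on flash media (SSDs, USB sticks) wear levelling can leave old data in cells the overwrite never touches, so overwriting alone is not a substitute for encryption at rest or vendor-certified destruction.

```python
import os
import tempfile

CHUNK = 1 << 20  # write in 1 MiB pieces so large files never need to fit in memory


def overwrite_random(path: str, passes: int = 3) -> int:
    """Overwrite every byte of the file at `path` with random data `passes` times.

    Each pass is flushed and fsynced so it actually reaches the storage device
    before the next pass begins. Returns the number of bytes written per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # do not trust the page cache; force it to disk
    return size


def still_contains(path: str, marker: bytes) -> bool:
    """Scan the file for a known byte pattern (a cheap check that the wipe did something)."""
    with open(path, "rb") as f:
        return marker in f.read()


def demo_wipe(passes: int = 3) -> dict:
    """Build a scratch file holding a constructed marker, wipe it, and report what happened."""
    marker = b"LEVEL1-CONFIDENTIAL-RECORD;"  # constructed sample, not real data
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(marker * 4096)
    try:
        found_before = still_contains(path, marker)
        bytes_per_pass = overwrite_random(path, passes)
        found_after = still_contains(path, marker)
        size_after = os.path.getsize(path)
    finally:
        os.remove(path)  # the demo cleans up; a real wipe overwrites before it ever unlinks
    return {
        "found_before": found_before,
        "found_after": found_after,
        "bytes_per_pass": bytes_per_pass,
        "size_after": size_after,
    }


if __name__ == "__main__":
    print(demo_wipe())
```

Run it as-is and `found_before` is True while `found_after` is False; the file keeps its size, since the point is to replace the contents in place rather than truncate them (truncation frees the old blocks for reuse but does not erase them).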
Property Management Transactions
Both transfer and disposal of electronic assets will require the submission of a property transfer form.
Sensitive paper disposal
Paper documents containing Level 1 confidential or Level 2 internal use information should be disposed of using confidential shredding bins.
Authentication
Unique credentials will be used for accessing all campus information systems. Exceptions allowing the use of shared credentials must be approved by the requesting department's manager and by all affected data owners. The manager and all affected data owners must be informed of the associated risks. The department administering the system being accessed with shared credentials must track all shared credentials in use, must require shared credentials to be reauthorized at least annually, and must deactivate any shared credentials that are not reauthorized.
When passwords are issued they must be one-time passwords/keys. One-time passwords (e.g., passwords assigned during account creation, password resets, or as a second factor for authentication) must be set to a unique value per user and changed immediately at first use.
Password Standards
Passwords must meet the following requirements:
- Minimum length of 12 characters
- Not include the user name
- A combination of letters, numbers and special characters, containing at least three of the following character types:
  - Lowercase alphabetic character (a-z)
  - Uppercase alphabetic character (A-Z)
  - Special character (punctuation, spaces, *, %, $, etc.)
  - Number (0-9)
- Accounts will be locked after 5 unsuccessful login attempts
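To show how the standard above behaves as code, here is an added Python example (not from the Cal Maritime site or any CSU identity system) that checks a candidate password against the four requirements and tracks the five-attempt lockout. The `check_password` and `AccountLockout` names, the decision to compare the user name case-insensitively, and the administrative `unlock` method are the example's own assumptions; the standard does not say how or when a lock is cleared, so `unlock` stands in for whatever the real system does.

```python
import re

# Policy values taken from the Password Standards above.
MIN_LENGTH = 12
REQUIRED_CLASSES = 3       # at least three of the four character types
MAX_FAILED_ATTEMPTS = 5    # lock the account after five unsuccessful logins

# The four character types the standard lists; "special" is anything that is not
# a letter or a digit, which covers punctuation, spaces, *, %, $ and so on.
CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "number": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password: str, username: str) -> list[str]:
    """Return the list of rules the password violates; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Assumption: the "not include the user name" rule is applied case-insensitively,
    # so "JSmith!2024Pass" still counts as containing the user name "jsmith".
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(present) < REQUIRED_CLASSES:
        problems.append(
            f"uses only {len(present)} of 4 character types ({', '.join(present) or 'none'})"
        )
    return problems


class AccountLockout:
    """Count consecutive failed logins per account and lock at MAX_FAILED_ATTEMPTS."""

    def __init__(self, max_attempts: int = MAX_FAILED_ATTEMPTS):
        self.max_attempts = max_attempts
        self._failures: dict[str, int] = {}
        self._locked: set[str] = set()

    def is_locked(self, user: str) -> bool:
        return user in self._locked

    def record_attempt(self, user: str, success: bool) -> bool:
        """Record one login attempt and return True if the account is (now) locked.

        A locked account stays locked even when the correct password is supplied
        later; that is what stops an online guessing attack from simply continuing."""
        if user in self._locked:
            return True
        if success:
            self._failures.pop(user, None)  # a good login resets the failure counter
            return False
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_attempts:
            self._locked.add(user)
            return True
        return False

    def unlock(self, user: str) -> None:
        """Administrative reset (hypothetical; the standard does not say who clears a lock)."""
        self._locked.discard(user)
        self._failures.pop(user, None)


if __name__ == "__main__":
    for pw in ["correct horse battery", "JSmith!2024Pass", "Tr0ub4dor&3!xyz"]:
        print(repr(pw), check_password(pw, "jsmith") or "OK")
    lock = AccountLockout()
    for attempt in range(1, 7):
        print(f"attempt {attempt}: locked={lock.record_attempt('jsmith', success=False)}")
```

Note that a long passphrase of lowercase words fails the three-of-four rule even though it is far stronger than a short mixed-case string; the check implements the standard as written, so a campus system that wants to accept passphrases would need an explicit length-based exception to the rule, not a looser regex.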
Information Security Resource Links
- United States Computer Emergency Readiness Team (US-CERT)
  "The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) leads efforts to improve the Nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the Nation while protecting the constitutional rights of Americans. US-CERT strives to be a trusted global leader in cybersecurity—collaborative, agile, and responsive in a dynamic and complex environment." -US-CERT.GOV
- Internet Storm Center (ISC)
  "The ISC was created in 2001 following the successful detection, analysis, and widespread warning of the Li0n worm. Today, the ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers." -ISC.SANS.EDU
- California Office of Information Security
  "The California Information Security Office is the primary state government authority in ensuring the confidentiality, integrity, and availability of state systems and applications, and ensuring the protection of state information." -CIO.CA.GOV/OIS