| Section | Title | Requirement |
| --- | --- | --- |
| 8020.100 | Information Security Risk Management | Campuses must develop risk management processes that identify, assess, and monitor risks to information assets containing Level 1 and Level 2 data as defined in the CSU Data Classification Standard. Identified risks to these information assets must be actively managed by data owners and/or appropriate administrators in order to prioritize resources and remediation efforts. |
| 8020.700 | Reporting Information Security Risks | The Senior Director of Systemwide Information Security Management must complete a risk assessment of information assets containing Level 1 data as defined in the CSU Data Classification Standard at least every two years. The report must include a description of the methodology, the results of the risk assessment, and recommended systemwide mitigation strategies for addressing each identified risk. The report must be certified by the systemwide Information Security Steering Committee and presented to the Chancellor (or Chancellor-designee). |
| 8030.100 | Personnel Information Security | All users are expected to employ security practices appropriate to their responsibilities and roles. Users who access Level 1 or Level 2 data as defined in the CSU Data Classification Standard must sign an approved systemwide confidentiality (non-disclosure) agreement. |
| 8030.200 | Employment Requirements | Campuses must develop procedures to conduct background checks on positions involving access to Level 1 information assets as defined in the CSU Data Classification Standard. |
| 8045.300 | Network Security | Campuses must appropriately design their networks, based on risk, data classification, and access, in order to ensure the confidentiality, integrity, and availability of their information assets. Each campus must implement and regularly review a documented process for transmitting data over the campus network. This process must include the identification of critical information systems and protected data that is transmitted through the campus network or is stored on campus computers. Campus processes for transmitting or storing critical assets and protected data must ensure confidentiality, integrity, and availability. |
| 8045.400 | Mobile Devices | Campuses must develop and implement controls for securing protected data stored on mobile devices. Protected data must not be stored on mobile devices unless effective security controls have been implemented to protect the data. Campuses must use encryption, or equally effective measures, on all mobile devices that store Level 1 data as defined in the CSU Data Classification Standard. Alternatives to encryption must be reviewed on a case-by-case basis and approved in writing by a designated campus official. Other effective measures include physical protection that ensures only authorized access to protected data. |
| 8045.500 | Information Asset Monitoring | At a minimum, server administrators must regularly scan critical systems and systems that store protected information, remediate the vulnerabilities found, and report any unremediated vulnerabilities within a prescribed timeframe. The risk level of a system determines how frequently its logs must be reviewed. Risk factors to consider are: |
- Criticality of business process.
- Information classification associated with the system.
- Past experience or understanding of system vulnerabilities.
- System exposure (e.g., services offered to the Internet).
| Section | Title | Requirement |
| --- | --- | --- |
| 8055.100 | Change Control | Changes to information technology systems, network resources, and applications need to be appropriately managed to minimize the risk of introducing unexpected vulnerabilities and to ensure that existing security protections are not adversely impacted. Campuses must establish and document a process to manage changes to campus information assets containing Level 1 or Level 2 data, as defined in the CSU Data Classification Standard. Campuses must define and communicate the scope of significant changes to Level 1 and Level 2 information assets in order to be sure that all affected parties have adequate information to determine if a proposed change is subject to the change management approval process. |
| 8055.200 | Emergency Changes | Only authorized persons may make an emergency change to campus information assets containing Level 1 or Level 2 data as defined in the CSU Data Classification Standard. Emergency changes are defined as changes which, due to urgency or criticality, need to occur outside of the campus' formal change management process. |
| 8060.100 | Access Control | On-campus or remote access to information assets containing Level 1 or Level 2 data as defined in the CSU Data Classification Standard must be based on operational and security requirements. Appropriate controls must be in place to prevent unauthorized access to protected information assets. This includes not only the primary operational copy of the protected information assets, but also data extracts and backup copies. Campuses must have a documented process for provisioning approved additions, changes, and terminations of access rights and for reviewing the access of existing account holders. Access to campus protected information assets must be denied until specifically authorized. |
| 8060.300 | Separation of Duties | Separation of duties principles must be followed when assigning job responsibilities relating to restricted or essential resources. Campuses must maintain an appropriate level of separation of duties when issuing credentials to individuals who have access to information assets containing protected data. Campuses must avoid issuing credentials that allow a user greater access or more authority over information assets than is required by the employee's job duties. |
| 8060.S01.1.1 | Access Control | Access to campus information assets containing protected data must include a process for documenting appropriate approvals before access or privileges are granted. All changes to user accounts (i.e., account termination, creation, and changes to account privileges) on campus information systems or network resources (except for password resets) must be approved by appropriate campus personnel. Such approval must be adequately documented in order to facilitate auditing of access control practices. |
| 8060.S01.1.2.3 | Password Management | Campuses must identify and communicate a password change schedule. The schedule may vary by system or application at the campus' discretion as determined by risk. Passwords with administrative access to Level 1 or Level 2 data must be changed every 90 days. |
| 8065 | Policy Statement | Campuses must maintain an inventory of information assets containing Level 1 or Level 2 data as defined in the CSU Data Classification Standard. These assets must be categorized and protected throughout their entire life cycle, from origination to destruction. Critical or protected data must not be transferred to another individual or system without the approval of the data owner. Before critical or protected data is transferred to a destination system, the data owner should establish agreements to ensure that authorized users implement appropriate security measures. |
| 8065.S01.12.1 (Draft) | Data Ownership | Campuses must complete an inventory identifying Level 1 protected data. Campuses must assign ownership of each information asset containing Level 1 protected data. Normally, responsibility for Level 1 protected data resides with the manager of the campus program that employs the information. When the information is used by more than one program, considerations for determining ownership responsibilities include the following: |
- Which program collected the information.
- Which program is responsible for the accuracy and integrity of the information.
- Which program budgets the costs incurred in gathering, processing, storing, and distributing the information.
- Which program has the most knowledge of the useful value of the information.
- Which program would be most affected, and to what degree, if the information were lost, inaccurate, compromised, delayed, or disclosed to unauthorized parties.
| Section | Title | Requirement |
| --- | --- | --- |
| 8065.S01.12.2 (Draft) | Data Classification | The designated owner of an information asset is responsible for determining how the asset must be classified (e.g., Level 1, Level 2, or Level 3). Data stored on campus hardware or media (both paper and electronic) must be classified per the campus Data Classification Standard, which must meet or exceed the CSU Data Classification Standard listed in Appendix A of this document. |
| 8065.S01.12.2.1 (Draft) | Use of the CSU Classification Standard | Campuses may elect to move or add data elements from one classification level to another classification level with higher protection requirements, but never to a classification level with lower protection requirements than the CSU Data Classification Standard. For example, a data element classified as Level 2 can be moved to a Level 1 classification, but it cannot be moved to a Level 3 classification. Aggregates of data must be classified based upon the most secure classification level. That is, when data of mixed classification exist in the same file, document, report, or memorandum, the classification of that file, document, report, or memorandum must be the highest applicable level of classification. If additional guidance is needed, the campus ISO must be consulted. |
| 8065.S01.12.2.2 (Draft) | Maintaining the CSU Data Classification Standard | The CSU's Senior Director for Information Security Management (CISO) must determine what data will be designated Level 1 data and must identify appropriate minimum controls. The ISO must establish a process for the review and maintenance of the data classification standard. The ISO must review the classification standard on an annual basis. |
| 8065.S01.12.3 (Draft) | Data Handling | When Protected Level 1 data is transmitted electronically, it must be sent via a method that uses strong encryption. When Protected Level 2 data is transmitted electronically, it must be protected using approved campus processes. |
| 8065.S01.12.4 (Draft) | Data Storage | Where the combination of assessed risk, technical feasibility, and operational practicality allows, protected Level 1 data stored electronically must be encrypted using strong encryption methods. |
| 8065.S01.12.6 | Data Backup | Backup media containing protected Level 1 data must be encrypted using strong encryption methods. |
| 8080 | Policy Statement | Each campus must identify physical areas that must be protected from unauthorized physical access. Such areas include data centers and other locations on the campus where information assets containing protected data are stored. Campuses must protect these limited-access areas from unauthorized physical access while ensuring that authorized users have appropriate access. Campus information assets that access protected data and are located in public or non-public areas must be physically secured to prevent theft, tampering, or damage. The level of protection provided must be commensurate with the identified risks. Campuses must review and document physical access rights to campus limited-access areas annually. |