Guidelines, Standards and Laws
Confidential information, educational records and user accounts are governed by federal and state laws and regulations, the CSU Information Security Policy and Chancellor’s executive orders, and University guidelines, standards and Administrative Procedures.
IT Security and Compliance is responsible for coordinating the development and dissemination of information security guidelines, standards and procedures for the University. See the links below to access CSU policy and University guidelines, standards and procedures.
The CSU Information Security Policy provides high-level direction for managing and protecting the confidentiality, integrity and availability of CSU information assets. In addition, the policy defines the organizational scope of the CSU Information Security Policy.
- ICSUAM 8000.0 - 8100.0 CSU Information Security Policy
- ICSUAM 8005.0 Policy Management
- ICSUAM 8010.0 Establishing an Information Security Program
- ICSUAM 8015.0 Organizing Information Security
- ICSUAM 8020.0 Information Security Risk Management
- ICSUAM 8025.0 Privacy of Personal Information
- ICSUAM 8030.0 Personnel Information Security
- ICSUAM 8035.0 Information Security Awareness and Training
- ICSUAM 8040.0 Managing Third Parties
- ICSUAM 8045.0 Information Technology Security
- ICSUAM 8050.0 Configuration Management
- ICSUAM 8055.0 Change Control
- ICSUAM 8060.0 Access Control
- ICSUAM 8065.0 Information Asset Management
- ICSUAM 8070.0 Information Systems Acquisition, Development and Maintenance
- ICSUAM 8075.0 Information Security Incident Management
- ICSUAM 8080.0 Physical Security
- ICSUAM 8085.0 Business Continuity and Disaster Recovery
- ICSUAM 8090.0 Compliance
- ICSUAM 8095.0 Policy Enforcement
- ICSUAM 8100.0 Electronic and Digital Signatures
Executive Orders (EO) are formal orders issued by the California State University Chancellor to direct the establishment of campus programs and procedures, and provide guidance in the development and implementation of such programs.
Standards define the minimum requirements necessary to address information security risks and the specific requirements that ensure compliance with legal regulations, CSU policy and information security best practices. Standards represent the minimum basis upon which Board of Trustees' audits are based. Standards undergo a formal review and approval process prior to publication.
User Guidelines provide general recommendations and instructions for campus users to comply with information security standards and the CSU Information Security Policy. They are often more technical in nature than policies and standards, and are created and updated as needed to account for changes in technology, regulations or University practices. User guidelines undergo a formal review and approval process prior to publication.
Procedures are step-by-step instructions for accomplishing specific tasks and often include recommended tools for performing those tasks. Procedures are informal documents with no impact on users and therefore undergo only an internal technical review and approval process prior to publication.
Cal State L.A. Information Security Framework
- Information Security Management
- Asset Management
- Employee Security Management
- Physical Security Management
- Communications Management
- Network Management
- Access Control
- Business Continuity Management
- Computer Security Incident Response Management
- IT Project and Procurement Management
- Information Security Risk Management
- Applicable Federal Laws and Regulations
- Applicable California State Laws and Regulations
- Other Resources
Information Security Management
| Document | Title | Type | Status | Last Revised |
|---|---|---|---|---|
| ITS-2524 | Campus Information Security Program | Policy | Final | 11/29/2012 |
| ITS-2005-S | Information Security Roles and Responsibilities | Standard | Final | 7/22/2011 |
| ITS-2511 | Campus Security Incident Response Team (CSIRT) | Standard | Final | 6/14/2012 |
Asset Management
Employee Security Management
| Document | Title | Type | Status | Last Revised |
|---|---|---|---|---|
| AP 311 | Criminal Records Check | Procedure | Final | 2/21/2012 |
| AP 312 | Fingerprint Procedure | Procedure | Final | 4/26/2010 |
| ITS-1009-G | Separated Employees' Network/E-mail Access | Guideline | Final | 8/26/2006 |
Physical Security Management
| Document | Title | Type | Status | Last Revised |
|---|---|---|---|---|
| ICSUAM 8080.S01 | CSU Physical and Environmental Security | Standard | Final | 9/28/2011 |
| ITS-1013-G | Data Center/Communication Room Access | Guideline | Final | 5/30/2008 |
| ITS-1006-G | Securing Offices, Workspaces, and Documents | Guideline | Final | 5/21/2008 |
Communications Management
| Document | Title | Type | Status | Last Revised |
|---|---|---|---|---|
| ITS-1000-G | Electronic Communications | Guideline | Final | 08/15/2012 |
Network Management
| Document | Title | Type | Status | Last Revised |
|---|---|---|---|---|
| ITS-1001-G | Network Traffic Management | Guideline | Final | 5/28/2008 |
| ITS-1015-G | Wireless Access | Guideline | Final | 2/18/2009 |
Access Control
| Document | Title | Type | Status | Last Revised |
|---|---|---|---|---|
| ICSUAM 8060.S01 | CSU Access Control | Standard | Final | 6/5/2012 |
| ICSUAM 8100.S01 | CSU Electronic and Digital Signature Standards and Procedures | Standard | Final | 5/21/2012 |
| ITS-1012-G | Oracle Access | Guideline | Interim | 5/30/2008 |
| ITS-1002-G | Outlook Public Folders | Guideline | Final | 6/21/2006 |
| ITS-2008-S | Password Standards | Standard | Final | 6/24/2010 |
| ITS-2007-P | Administrative Systems Access Controls and Segregation of Duties Review | Procedure | Final | 12/20/2012 |
| ITS-5002-S | PeopleSoft User IDs and Passwords | Standard | Final | 6/24/2010 |
| ITS-1014-G | Access to Administrative Information Systems | Guideline | Interim | 12/12/2012 |
| ITS-2011-S | User Access Control for Decentralized Systems | Standard | Final | 3/10/2011 |
Business Continuity Management
| Document | Title | Type | Status | Last Revised |
|---|---|---|---|---|
| EO 1014 | CSU Executive Order - Business Continuity Program | EO | Final | 10/8/2007 |
| ITS-9506-Web | ITS Business Continuity Plan | Document | Final | 12/5/2012 |
| ITS-7502-Web | ITS Disaster Recovery Plan | Document | Final | 11/30/2012 |
Computer Security Incident Response Management
| Document | Title | Type | Status | Last Revised |
|---|---|---|---|---|
| ITS-1008-G | Reporting a Lost or Stolen Computer or Electronic Storage Device | Guideline | Final | 5/2/2005 |
IT Project and Procurement Management
| Document | Title | Type | Status | Last Revised |
|---|---|---|---|---|
| ICSUAM 8055.S01 | CSU Change Control Standard | Standard | Final | 3/11/2011 |
| ITS-1022-G | Information Security Contract Language | Guideline | Final | 8/4/2011 |
| ITS-1004-G | IT Project and Procurement | Guideline | Final | 6/23/2004 |
Information Security Risk Management
| Document | Title | Type | Status | Last Revised |
|---|---|---|---|---|
| ITS-1025-G | Collecting and Processing Credit Card Information | Guideline | Final | 9/19/2012 |
| ITS-1018-G | ID Theft Prevention Guidelines | Guideline | Final | 8/26/2009 |
| ITS-1028-G | User Guidelines for HIPAA Compliance | Guideline | Final | 2/28/2013 |
Applicable Federal Laws and Regulations
- Americans with Disabilities Act of 1990 (ADA)
- Copyright Law of the United States
- Family Educational Rights and Privacy Act (FERPA)
- Federal Privacy Act of 1974
- Gramm-Leach-Bliley Act (the Financial Modernization Act of 1999)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Patriot Act (Public Law 107-56) (PDF Format)
- Sarbanes-Oxley Act of 2002 (Public Law 107-204) (PDF Format)
Applicable California State Laws and Regulations
- Code of Regulations
- Confidentiality of Medical Information Act (AB 1298) (PDF Format)
- Financial Information Privacy Act (Financial Code Sections 4050-4060)
- Government Code Section 8314: Use of State Resources
- Government Code Sections 11135-11139.8: Accessibility
- Information Practices Act of 1977 (Civil Code Section 1798)
- Penal Code Section 502: Illegal Use of Telecommunications Equipment
- Penal Code Section 653m: Illegal Use of an Electronic Communication Device
- Personal Information Privacy Act (SB 1386)
- Personal Information Security Act (SB 25)
- Amendment to Personal Information Privacy Act (SB 24)
- Public Records Act (Government Code Sections 6250-6270)
- State Records Management Act (Government Code Sections 14740-14774)
- State Records Program
- Search California Code Sections
- Search California Statutes