Cal State L.A.

Information Security Programs

Over the past decade several data security standards have emerged. Some data security standards cover specific topics such as financial institutions, health information, or credit card transactions, while others are more general in nature and apply to securing any confidential data. For each new data security standard, the University must evaluate whether it conducts any business processes that apply to the new data security standard. If so, the campus is required to comply with the new standard. When compliance is required, CSULA creates an Information Security Program.

The purposes of the CSULA Information Security Programs are to:

Following are the campus Information Security Programs currently in place.

Identity Theft Prevention Program
On October 31, 2007, the Federal Trade Commission and the federal financial institution regulatory agencies passed the final legislation to incorporate new sections 114 and 315 into the Fair and Accurate Credit Transactions Act of 2003 (FACTA). These new sections are referred to as the Red Flag Rules. Under the Red Flag Rules, every financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, is required to establish a documented Identity Theft Prevention Program that provides for the identification, detection, and response to patterns, practices, or specific activities - known as "red flags" - that could indicate identity theft. Examples of red flag activities include unusual account activity, address discrepancies, fraud alerts on a constituent's consumer report provided by a Credit Reporting Agency, or the attempted use of suspicious account applications.

Since the University provides student loans and collects payment for some services, it is considered a creditor and the FACTA Red Flag Rules apply. All University departments and employees responsible for providing student loans and/or collecting payment for services must participate in the Identity Theft Prevention Program.

Identifying Covered Accounts
All University departments must first determine whether there are covered accounts within the business processes of their respective areas. Generally covered accounts distribute reimbursable University funds; extend, renew, or continue credit; and allow the account owner to make multiple payments or transactions.

Covered accounts include:
  • Student loans of University funds that are not funded by federal resources and are repaid by a payment schedule.
  • Installment payments and short-term loans.
  • Accounts that are created for ongoing services and allow students to reimburse when billed or over a period of time.
  • Any type of collection account.
Covered accounts do not include:
  • Student loans that are funded by federal resources and only disbursed by the University.
  • Fee-for-service applications such as food services, parking passes, commuter services, one-time health services, and the like.
  • Collection of fees such as Library fines or parking citations.
  • Golden Eagle Card accounts.
Identifying Red Flags
In order to identify relevant red flags, University departments that offer or manage covered accounts must review and evaluate the methods utilized to open covered accounts, to allow access to covered accounts, and any previous known occurrences of identity theft.

The following are examples of potential red flags for the listed categories:
    Notifications and Warnings from Credit Reporting Agencies
  • Report of fraud accompanying a credit report from a credit agency.
  • Notice or report from a credit agency of a credit freeze on a customer or applicant.
  • Notice or report from a credit agency of an active duty alert for the applicant.
  • Indication from a credit report of activity that is inconsistent with a campus constituent's usual pattern or activity.
    Suspicious Documents
  • Identification document or card that appears to be forged, altered, or inauthentic.
  • Identification document or card on which a person's photograph or physical description is not consistent with the person presenting the document.
  • Other document with information that is not consistent with the existing campus constituent's information, such as a signature on a check that appears forged.
  • Application for service that appears to have been altered or forged.
    Suspicious Personal Identifying Information
  • Identifying information presented that is inconsistent with other information the campus constituent provided, such as inconsistent birth dates.
  • Identifying information presented that is inconsistent with other sources of information, such as an address that does not match the address on a driver's license.
  • Identifying information presented that is the same as information shown on other applications that were found to be fraudulent.
  • Identifying information presented that is consistent with fraudulent activity, such as an invalid phone number or fictitious billing address.
  • Social security number presented that is the same as one given by another campus constituent.
  • An address or phone number presented that is the same as that of another person who is not a family member, spouse, or roommate.
  • Failing to provide complete personal identifying information on an application when reminded to do so. Note, however, that by law Social Security numbers must not be required.
  • Identifying information that is not consistent with the information on the official record for the campus constituent.
    Suspicious Account Activity or Unusual Use of Account
  • Change of address for an account followed by a request to change the account holder's name.
  • Payments stop on an otherwise consistently up-to-date account.
  • Account used in a way that is not consistent with prior use, such as very high activity.
  • Mail sent to the account holder is repeatedly returned as undeliverable.
  • Notification to the University that a campus constituent is not receiving mail sent by the University.
  • Breach in any University or department computer system security.
  • Unauthorized access to or use of campus constituent’s account information.
    Alerts from Others
  • Notification to the University from a campus constituent, identity theft victim, or law enforcement authority that identity theft has occurred.
  • Information from any person that they have opened or are maintaining a fraudulent account for a person engaged in identity theft or know of someone who has done so.
Preventing Identity Theft Incidents
To prevent the likelihood of future identity theft occurring in any manner, all University employees should take the following steps to protect campus constituent identifying information:
  • Keep offices and unlocked file cabinets clear of documents containing campus constituent identifying information. Be sure file cabinets, cupboards, and closets containing confidential or personal information remain locked when unattended.
  • Never leave documents containing confidential or personal information on printers or facsimile machines. Before faxing confidential or personal information, contact the recipient to be sure they are standing by their fax to immediately retrieve the document.
  • Undertake complete and secure destruction of paper documents and computer files containing campus constituent information by using a confetti or pulp paper shredder.
  • Ensure all computers are password protected and that computers are locked [control/alt/delete, then enter] every time a computer is left unattended.
  • Maintain up-to-date computer anti-virus protection at all times.
  • Promptly report the loss or theft of any device that stores or transmits University data (e.g., computer, laptop, server, CD, DVD, electronic storage media, or smart phone) to University Police. Users must also promptly submit a Lost/Stolen Computer/Electronic Storage Device Report to IT Security and Compliance.
  • Do not dispose of, transfer, reassign, or donate any computers, laptops, electronic storage devices, or media, or return any smart phones to a service provider, without first cleansing the equipment of any confidential, personal, or proprietary information.
  • Departments and business units are responsible for ensuring that confidential information is encrypted on all electronic media.
  • Do not send unencrypted protected University data over a public network.
  • Do not remove constituent-identifying information from the campus without prior administrator authorization. If approved to do so, ensure that electronic files are encrypted, laptops are password protected, and documents and devices are secured and supervised at all times.
  • If social security numbers (SSN) are required for financial reasons or verification of a campus constituent’s identity, request only the last 4 digits. Whenever possible, use the campus identification number (CIN) instead of the SSN.
  • Require and keep only campus constituent information that is necessary for University business purposes. University data must be retained, secured, and destroyed in compliance with all legal and regulatory requirements while implementing appropriate best practices.
  • Ensure that all Web site requests for confidential information use encrypted transport methods by forcing users to a secured site (i.e., https) and if not available, provide clear notice that the Web site is not secured.
For more information regarding University department responsibilities and program administration related to the CSULA Identity Theft Prevention Program, read the User Guidelines for Identity Theft Prevention at http://www.calstatela.edu/its/policies/ITS-1018-G_IDTheftPreventionGuidelines.pdf.


Payment Card Industry Data Security Standard (PCI DSS) Program
The PCI DSS, a set of comprehensive requirements for enhancing payment card data security, was developed in 2004 by the founding payment brands of the PCI Security Standards Council, which included American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International. The purpose was to facilitate the broad adoption of consistent data security measures on a global basis.

On October 1, 2008, version 1.2 was released; it did not change the requirements but enhanced clarity, improved flexibility, and addressed evolving risks and threats. At that time it was recognized that, since universities collect credit card information and process credit card payments, they have a contractual obligation to adhere to the PCI DSS as well as to credit card association rules and regulations.

All officials or administrators with responsibilities for managing University credit card transactions and those employees who are entrusted with processing, transmitting, or handling cardholder information in a physical or electronic format must participate in the PCI DSS Program. In addition, all computers and electronic devices involved in processing payment card data are governed by PCI DSS. By adhering to these standards the University’s liability is limited and the processing of credit cards may continue.

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.

CSULA has created a set of campus-specific standards for meeting each of the requirements noted above. In addition to meeting the standards, the campus PCI DSS Program requires:
  • Review and approval from the Controller's Office prior to contracting for any credit card processing equipment, software, or services.
  • Annual onsite security assessment of all equipment, systems, and networks (and their components) where card member information is processed, stored, or transmitted.
  • Quarterly network security scan that remotely tests Internet-connected computer networks and Web servers for potential weaknesses and vulnerabilities.
  • An Attestation of Compliance that certifies that the University has accurately completed the annual self-assessment and falls within the applicable processing limits for self-assessment.


Gramm Leach Bliley Information Security Program
The Gramm-Leach-Bliley Act (GLB Act), also known as the Financial Modernization Act of 1999, is a federal law that includes provisions to protect consumers’ personal financial information held by financial institutions. A portion of these regulations is applicable to colleges and universities and requires that the University establish and periodically revise an information security program. All offices and individuals campus wide who are engaged in the following activities or practices are required to participate in the Gramm Leach Bliley Information Security Program:
CSULA set forth a comprehensive GLB Information Security Program that would serve as a guide for how all information security, in both paper and electronic format, would be maintained on this campus. Information covered under the plan is defined by three categories:
  • Personally Identifiable Information (PII) – Also known as protected data, PII includes first and last name, social security number, date of birth, home address, home telephone number, academic performance record, physical description, medical history, disciplinary history, gender, and ethnicity.
  • Financial Information – Information that the University has obtained from employees, alumni, auxiliary agencies, patrons, external program participants, or the like in the process of offering a financial product or service, or conducting a program. Examples include bank and credit card account numbers, and income and credit histories.
  • Student Financial Information – Information that the University has obtained from a student in the process of offering a financial product or service, or such information provided to the University by another financial institution. Examples include student loans, income tax information received from a student’s parent when offering a financial aid package, bank and credit card account numbers, and income and credit histories.
All departments that handle or maintain protected data must perform a risk assessment of their areas and put safeguards in place to secure personally identifiable, financial, and student financial information. Administrators are responsible for educating all department personnel about information security best practices in their respective areas. In addition, oversight must be provided to service providers who are given access to protected data or may come in contact with protected data while carrying out contracted service responsibilities.

The complete Gramm Leach Bliley Information Security Program, including a responsibilities matrix, is available on the ITS Web site at www.calstatela.edu/its/policies.

5151 State University Drive . Los Angeles . CA 90032 . (323) 343-3000
© 2008 Trustees of the California State University

Last Update: 8/11/2009