
California State University, Los Angeles
IT Security -- Everybody's Responsibility
Securing information is the responsibility of every department and individual on campus. Information security is often confused with information technology security. We assume that with anti-virus software, firewalls, data encryption, and disaster recovery there is nothing more to do. Although these safeguards work, they cannot totally protect all data that resides on personal workstations, in file cabinets, or on desks, printers, and copiers. We all need to think about information security in a new light.
What Is Confidential Personal Data?
Any record that contains personal data of students, faculty, or staff needs to be protected, such as:
- For students: Any personally identifiable information, such as name, parent’s name, address, Social Security number (SSN), Campus ID number (CIN), credit card numbers, and personal characteristics or other information that would make the student’s identity easily traceable.
- For faculty/staff: first and last name in conjunction with any other identifiable information including SSN, driver’s license number, California ID Card number, account or credit/debit card information in combination with any required security codes.
What Is a Record?
A record is information that is maintained. Records can be stored on paper (handwritten or printed), computer media, e-mail, hand-held peripherals, CDs, DVDs, wireless devices, video or audio tapes, films, microfilm, and microfiche.
Can Departments Use My SSN?
The use of SSNs in departmental databases, reports, and other documents is not acceptable and must cease immediately. Departments using SSNs, from whatever source, to track emergency contacts, attendance, or students in a specific major must convert all SSNs to Campus ID numbers (CINs) without delay.
Can Student Assistants Access Confidential Information?
Student assistants should not have direct access to student, faculty, or staff data, nor should they have a password to access confidential data systems. If pre-approved, some students may assist with data input if a designated supervisor signs them onto the necessary system. Students may not remove any printed information from any department office without authorization from their immediate supervisor. Only authorized individuals may view confidential data, so everyone must try to safeguard confidential information on desks, copiers, and printers from the sight of others.
Who Sees Confidential Data on Workstations?
Only those authorized may view confidential data on a workstation. Your monitor screen should be situated so that others will not be able to see it as they pass by. Concealing the screen is especially important if students regularly visit your area. When accessing confidential data in a busy area, make sure you don’t leave your workstation unattended while personal data is displayed on the screen. Data on cash and similar terminals should be cleared from the screen after each transaction. If someone approaches you while you’re working, switch to a different screen or ask the person to move to a spot where the monitor cannot be seen.
When Are Faculty and Staff Data Access Rights Reviewed?
Every department should routinely change user IDs and profiles when an individual’s job responsibilities change. Departments should ask ITS to revoke accounts when employees leave or move to other departments. When user IDs and profiles are not current, data is vulnerable to unauthorized users.
Always be aware of how you use and secure information. Information security is everybody’s responsibility!
