Confidential information, educational records and user accounts are governed by federal and state laws and regulations, the CSU Information Security Policy and Chancellor’s executive orders, and University guidelines, standards and Administrative Policies and Procedures.
IT Security and Compliance is responsible for coordinating the development and dissemination of information security guidelines, standards and procedures for the University. See the links below to access CSU policy and University guidelines, standards and procedures.
Confidential Information
Descriptions and Examples
Level 1 (Confidential): Description
Level 1 Confidential Data is information maintained by the University that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws. Its unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the CSU, its students, employees or customers. Financial loss, damage to the CSU’s reputation and legal action could occur if data is lost, stolen, unlawfully shared or otherwise compromised.
Level 1 data is intended solely for use within the CSU and limited to those with a “business need-to-know.” Statutes, regulations, other legal obligations or mandates protect much of this information. Disclosure of Level 1 data to persons outside of the University is governed by specific standards and controls designed to protect the information.
Confidential information must be interpreted in combination with all information contained on the computer or electronic storage device to determine whether a violation has occurred.
Level 1 access will be granted on a strict “need-to-know” basis only and will be restricted to authorized staff and other participants who have executed an approved Non-Disclosure Agreement (NDA). This information includes organization contact lists, internal processing procedures, employee schedules and other information required to function within the organization but too sensitive to release to the public.
Examples (note: list provides examples and is not all-inclusive)
- Passwords or credentials
- PINs (Personal Identification Numbers)
- Birth date combined with the last four digits of SSN and name
- Credit card numbers with cardholder name or expiration date and/or card verification code
- Tax ID with name
- Driver’s license number, state identification card and other forms of national or international identification (such as passports, visas, etc.) in combination with name
- Social Security number and name
- Health insurance information with name
- Medical records related to an individual
- Psychological counseling records related to an individual
- Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual’s financial account
- Electronic or digitized signatures
- Private key (digital certificate)
- Vulnerability/security information related to a campus or system
- Attorney/client communications
- Legal investigations conducted by the University
- Third-party proprietary information per contractual agreement
- Sealed bids
- Employee name with personally identifiable employee information
- Biometric information
- Personal characteristics
Level 2 (Internal Use): Description
Internal use data is information that must be protected due to proprietary, ethical or privacy considerations. Although not specifically protected by statute, regulations or other legal obligations or mandates, unauthorized use, access, disclosure, acquisition, modification, loss or deletion of information at this level could cause financial loss, damage the CSU’s reputation, violate an individual’s privacy rights or make legal action necessary.
Non-directory educational information may not be released except under certain prescribed conditions.
Level 2 access will be granted on a strict “need-to-know” basis only and will be restricted to authorized staff and other participants who have executed an approved Non-Disclosure Agreement (NDA). This information includes organization contact lists, internal processing procedures, employee schedules and other information required to function within the organization but too sensitive to release to the public.
Examples (note: list provides examples and is not all-inclusive)
- Identity Validation Keys (name with):
  - Birth date (full: mm-dd-yy)
  - Birth date (partial: mm-dd only)
- Student name with personally identifiable education records:
  - Grades
  - Courses taken
  - Schedule
  - Test scores
  - Advising records
  - Educational services received
  - Disciplinary actions
- Employee Information:
  - Employee net salary
  - Employment history
  - Home address
  - Personal telephone numbers (including emergency contacts)
  - Personal e-mail address
  - Payment history
  - Employee evaluations
  - Disciplinary actions
  - Background investigations
  - Mother’s maiden name
  - Race and ethnicity
  - Parents’ and other family members’ names
  - Birthplace (city, state, country)
  - Gender
  - Marital status
  - Physical description
  - Photograph (voluntary for public display)
- Other:
  - Donor name, address, phone, email and giving amount
  - Library circulation information
  - Trade secrets or intellectual property such as research activities
  - Location of critical or protected assets
  - Licensed software
Level 3 (Publicly Available): Description
This is information that is generally regarded as publicly available. Information at this level is either explicitly defined as public information or intended to be available to individuals both on and off campus or not specifically classified elsewhere as Level 1 or Level 2.
Knowledge of this information does not expose the CSU to financial loss or jeopardize the security of the CSU’s information assets.
Publicly available data may still be subject to appropriate campus review or disclosure procedures to mitigate potential risks of inappropriate disclosure.
Examples (note: list provides examples and is not all-inclusive)
- Campus Identification Keys:
  - Campus identification number
  - User ID (do not list in a public or a large aggregate list where it is not the same as the student email address)
- Student Information [1]:
  - Educational directory information (FERPA) includes:
    - Name
    - Address
    - Telephone number
    - Email address
    - Photograph
    - Major field of study
    - Participation in officially recognized activities and sports
    - Height and weight of members of athletic teams
    - Dates of attendance
    - Grade level
    - Enrollment status
    - Degrees, honors and awards received
    - Most recent previous educational agency or institution attended by the student
  - Bargaining unit student employee directory information:
    - Name of the department employing the student
    - The student employee’s telephone number within the department
    - The student employee’s email address within the department
    - The student employee’s job classification
- Employee Information (including student employees):
  - Employee title
  - Status as student employee (such as TA, GA, ISA)
  - Employee campus email address
  - Employee work location and telephone number
  - Employing department
  - Employee classification
  - Employee gross salary
  - Name (first, middle, last) (except when associated with protected data)
  - Signature (non-electronic)
- Donor Information:
  - Constituent code
  - Class, degree, academic organization, major
  - Employment information defined above
  - Job title

[1] Cal State LA may disclose “Directory Information” without prior written consent of the student. However, at any time the student may exercise the option to consider this information confidential by completing the Releasing Student “Directory Information” to Outside Agencies form and submitting it to the Admissions and Records Center, SSB 1st Floor. All requests to obtain student directory information must be directed to the Admissions and Records Center.
CSU Information Security Policy
The CSU Information Security Policy provides high-level direction for managing and protecting the confidentiality, integrity and availability of CSU information assets.
- Identity Access Management
- Information Security
- Introduction and Scope
- Policy Management
- Establishing an Information Security Program
- Organizing Information Security
- Information Security Risk Management
- Privacy of Personal Information
- Personnel Information Security
- Information Security Awareness and Training
- Managing Third Parties
- Information Technology Security
- Configuration Management
- Change Control
- Access Control
- Information Asset Management
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Physical Security
- Business Continuity and Disaster Recovery
- Compliance
- Policy Enforcement
- Electronic and Digital Signatures
- Responsible Use Policy
- Information Security Policy Definitions
Policy, Standards, and Guidelines

ISO Domain 5: Information Security Policy

CSU ISO Domain

| Type | Title |
|---|---|
| Policy | ISO Domain 5: Information Security Policy |

Cal State LA

| Type | Title |
|---|---|
| Policy | Cal State LA Information Security Program |
| Standard | Information Security Roles and Responsibilities |
| Guideline | ID Theft Prevention Guidelines |

ISO Domain 6: Organization of Information Security

CSU ISO Domain

| Type | Title |
|---|---|
| Policy | ISO Domain 6: Organization of Information Security Policy |
| Standard | ISO Domain 6: Organization of Information Security Standard |

ISO Domain 7: Human Resource Security

CSU ISO Domain

| Type | Title |
|---|---|
| Policy | ISO Domain 7: Human Resource Security Policy |
| Standard | ISO Domain 7: Human Resource Security Standard |

Cal State LA

| Type | Title |
|---|---|
| Guideline | Separated Employees' Network/E-mail Access |
| Procedure | Criminal Records Check |
| Procedure | Fingerprint Procedure |

ISO Domain 8: Asset Management

Cal State LA

| Type | Title |
|---|---|
| Standard | Securing Workstation Documents |
| Standard | Utilization of Multi-function Devices |
| Standard | Information Classification, Handling and Disposal |
| Guideline | Collecting and Processing Credit Card Information |
| Guideline | Data Sanitization |
| Guideline | Encryption Security |
| Guideline | Mobile Computing |
| Guideline | Portable Electronic Storage Media |
| Guideline | Safe Disposal of Electronic Storage Media |
| Guideline | Protecting Electronic Copyrighted Material |
| Procedure | Vulnerability Management for Servers |
| Procedure | Securing Critical and High-Risk Workstations |
| Procedure | Records Retention, Management and Disposition Program |
| Procedure | Student Records Administration |

ISO Domain 9: Access Control

CSU ISO Domain

| Type | Title |
|---|---|
| Policy | ISO Domain 9: Access Control Policy |
| Standard | ISO Domain 9: Access Control Standard |

Cal State LA

| Type | Title |
|---|---|
| Standard | Identity and Access Management Standard |
| Standard | Password Standards |
| Standard | PeopleSoft User IDs and Passwords |
| Standard | User Access Controls and Risk Management for Decentralized Systems |
| Guideline | Access to Administrative Information Systems |
| Guideline | Oracle Access |
| Guideline | Securing Shared Computing Resources |
| Procedure | Administrative Systems Access Controls and Segregation of Duties Review |

ISO Domain 10: Cryptography

CSU ISO Domain

| Type | Title |
|---|---|
| Policy | ISO Domain 10: Cryptography Policy |
| Standard | ISO Domain 10: Cryptography Standard |

ISO Domain 11: Physical and Environmental Security

CSU ISO Domain

| Type | Title |
|---|---|
| Policy | ISO Domain 11: Physical and Environmental Security |
| Standard | ISO Domain 11: Physical and Environmental Security |

Cal State LA

| Type | Title |
|---|---|
| Guideline | Data Center/Communication Room Access |
| Guideline | Securing Offices, Workspaces, and Documents |

ISO Domain 12: Operations Security

CSU ISO Domain

| Type | Title |
|---|---|
| Policy | ISO Domain 12: Operations Security Policy |
| Standard | ISO Domain 12: Operations Security Standard |

ISO Domain 13: Communications Security

CSU ISO Domain

| Type | Title |
|---|---|
| Policy | ISO Domain 13: Communications Security Policy |
| Standard | ISO Domain 13: Communications Security Standard |

Cal State LA

| Type | Title |
|---|---|
| Guideline | Electronic Communications |
| Guideline | Network Traffic Management |
| Guideline | Wireless Access |

ISO Domain 14: Systems Acquisition, Development and Maintenance

CSU ISO Domain

| Type | Title |
|---|---|
| Policy | ISO Domain 14: Systems Acquisition, Development and Maintenance Policy |
| Standard | ISO Domain 14: Systems Acquisition Standard |

ISO Domain 15: Supplier Relationships

CSU ISO Domain

| Type | Title |
|---|---|
| Policy | ISO Domain 15: Supplier Relationships Policy |
| Standard | ISO Domain 15: Supplier Relationships Standard |

Cal State LA

| Type | Title |
|---|---|
| Guideline | Information Security Contract Language |
| Guideline | IT Project and Procurement |

ISO Domain 16: Information Security Incident Management

CSU ISO Domain

| Type | Title |
|---|---|
| Policy | ISO Domain 16: Information Security Incident Management Policy |
| Standard | ISO Domain 16: Incident Management Standard |

Cal State LA

| Type | Title |
|---|---|
| Standard | Computer Security Incident Response Team (CSIRT) |
| Guideline | Reporting a Lost or Stolen Computer or Electronic Storage Device |
| Procedure | Electronic Security Incident Reporting |

ISO Domain 17: Business Continuity Management

Cal State LA

| Type | Title |
|---|---|
| Document | ITS Business Continuity Plan |
| Document | ITS Disaster Recovery Plan |

ISO Domain 18: Compliance

CSU ISO Domain

| Type | Title |
|---|---|
| Policy | ISO Domain 18: Compliance Policy |
| Standard | ISO Domain 18: Compliance Standard |
| EO | CSU Executive Order - Health Insurance Portability and Accountability Act of 1996 |

Cal State LA

| Type | Title |
|---|---|
| Guideline | Collecting and Processing Credit Card Information |
| Guideline | User Guidelines for HIPAA Compliance |
Standards define the minimum requirements necessary to address information security risks and the specific requirements that ensure compliance with legal regulations, CSU policy and information security best practices. Standards represent the minimum basis upon which Board of Trustees’ audits are based. Standards undergo a formal review and approval process prior to publication.
User Guidelines provide general recommendations and instructions for campus users to comply with information security standards and the CSU Information Security Policy. They are often more technical in nature than policies and standards, and are created and updated as needed to account for changes in technology, regulations or University practices. User guidelines undergo a formal review and approval process prior to publication.
Procedures are step-by-step instructions for accomplishing specific tasks and often include recommended tools for performing those tasks. Procedures are informal documents with no impact on users and therefore undergo only an internal technical review and approval process prior to publication.