This Information Security Program describes how CSU San Marcos will fulfill its obligations to protect those information assets for which the campus or its auxiliaries or other affiliated organizations hold ownership or responsibility.
Section 8000 of the Integrated CSU Administrative Manual states that:
It is the collective responsibility of all users to ensure:
The goals of CSU San Marcos Information Security Program are to:
The CSU San Marcos Information Security Program applies to all people, organizations, systems, networks, processes, media, and data to whom are given access to or custody of Information Assets for which CSU San Marcos or its auxiliaries or other affiliated organizations hold ownership or responsibility, or for which CSU San Marcos or its auxiliaries or other affiliated organizations hold ownership or responsibility.
The Information Security Officer, in collaboration with the Information Security Steering Committee, will annually review this program and will recommend needed revisions.
Throughout this document, the words “must” and “should” have been carefully used to describe requirements. While both terms denote a requirement that needs to be followed, the process for maki ng exceptions differs.
Exceptions to a "should" requirement must be approved by an appropriate administrator and by all affected data owners. The Information Security Office must also be notified of the exception.
Exceptions to a "must" requirement must be approved by an appropriate administrator, by all affected data owners, and by the Information Security Office.
A Data Owner or Data Authority is responsible for decisions related to data access, use, storage, and protection of a particular type or collection of data. The data owner is an individual, not a group, department, or committee. This individual may delegate tasks. For assistance in identifying data owners in ambiguous situations, see the CSU Information Security Asset Management Standard.
The Data Owner or Data Authority:
The Information Security Office maintains a list of Data Owners along with the scope and nature of the data over which they have responsibility. The Information Security Office includes this information in the annual report to the ISSC.
Data Stewards are appointed and authorized by the Data Owner to store and protect the data. Examples include: Computer System Administrators, Database Administrators, and Managers of physical storage locations or facilities.
A Data Steward:
Data Users are individuals who need and use University data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of that data.
A Data User:
The Information Security Officer will:
The Information Security Steering Committee (ISSC) will:
The Information Security Office will conduct a campus wide information security risk assessment every other year and will conduct other information security risk assessments as needed.
Once a risk has been identified, the Risk Management Office and the Information Security Office must establish a time frame, not to exceed six months, for responding to the risk.
During this time, the affected Data Owners, in collaboration with the Risk Management Office and the Information Security Office, must develop and implement strategies for responding to the risk.
The response must reduce the risk to acceptable levels (risk mitigation), share or shift the risk to another party (risk transference), or assume the identified risk (risk acceptance). An information security risk can only be accepted by the President of the University, or the Vice President of the affected division.
In support of ICSUAM 8020.700, the Information Security Office must share all campus wide information security risk assessments and all risk assessments involving Level 1 Protected data with the CSU Chief Information Security Officer.
Implements ICSUAM 8030 Personnel Information Security.
When an employee no longer needs access to protected data due to a change of duties within a department, the employee’s Appropriate Administrator must notify the Data Owners of the protected data. The Data Owners must review the employee’s access and revoke any access not otherwise authorized.
When an employee no longer needs access to protected data due to an inter-department change of position, the employee’s former Appropriate Administrator, Human Resources, or Faculty Affairs, as appropriate, must notify the Data Owners of the protected data. Human Resources or Faculty Affairs, as appropriate, must send an email to the employee’s former Appropriate Administrator as a reminder of this requirement. The Data Owners must review the employee’s access and revoke any access not otherwise authorized.
When an employee ends their employment at CSU San Marcos, the employee must clear campus as per the campus exit policy. Unless otherwise authorized, access to all campus protected data must be revoked. Human Resources or Faculty Affairs, as appropriate, must send an email to the employee’s former Appropriate Administrator as a reminder of this requirement.
Criminal Background Checks must be performed at the time of hire on any employee, staff, faculty, student assistant, consultant, volunteer, or other person performing work for the university, who will handle Level 1 Protected Data. These employees must be identified by their Appropriate Administrator when filling out the personnel requisition form.
All employees, staff, faculty, student assistants, consultants, volunteers, and other persons performing work for the university must, at time of hire, sign a confidentiality agreement.
When an employee ends their employment at CSU San Marcos, electronic and paper files must be promptly reviewed by an appropriate manager to determine who will become the data steward of such files and identify appropriate methods to be used for handling the files. If the separating employee is holding resources subject to a litigation hold, the relevant information must be preserved until the litigation hold has been revoked, at which point the resource is subject to the normal record retention schedule.
Upon ending employment, if a former employee wishes it to obtain a copy of any personal electronic information stored on campus information assets, the former manager and Human Resources or Faculty Affairs, as appropriate, must either provide the personal electronic information to the former employee or allow the former employee to obtain the personal electronic information in a manner that preserves the integrity of all campus information assets.
Information Security Awareness Training will be assigned annually to all staff, faculty, administrators, consultants, auxiliary employees, and student assistants, on the assumption that any of them may come into contact with sensitive data in the course of their work.
Employees must complete the assigned training within two months of its assignment. The training will automatically be reassigned one year after completion.
Implements ICSUAM 8045 Information Technology Security.
Vulnerabilities may be discovered in multiple ways, including but not limited to the following:
Remotely exploitable vulnerabilities that allow systems to be compromised and are being actively deployed against the University must be remediated as soon as a fix is available.
Other remotely exploitable vulnerabilities that allow systems to be compromised must be remediated no more than one week after a fix becomes available.
Other vulnerabilities must be remediated within 90 days.
Implements ICSUAM 8045 Information Technology Security
Campus information systems and assets must implement logging and monitoring, and protect, retain, and dispose of all logs and monitoring data, as described in Section 500 of the CSU Information Technology Security Policy, the CSU Logging Elements Standard, and CSU Executive Order 1031 - Systemwide Records/Information Retention and Disposition Schedules Implementation.
All workstations, including laptops, are deployed with a standard configuration which includes anti-malware applications, full disk encryption and the default productivity suite. IITS will automatically update this configuration with security patches as necessary.
Mobile devices (with the exception of laptop computers) must not contain Level 1 Protected Data. These devices must only access services that are accessible from the public Internet.
Operating system and software updates may be postponed if an update will cause issues such as incompatibility with other software. Exceptions must be documented and renewed at least annually.
The campus provides space for user-generated documents. Campus employees may not use “personal” cloud storage services (i.e. Dropbox, iCloud) to store the documents they create as part of their campus work.
Implements ICSUAM 8055 Change Control.
All configuration changes to information assets or systems that process, store, receive, transmit, or use CSU protected Level 1 data must be tracked and documented. The documentation must include the nature of the change, the identity of the person making the change, and the time that the change was made.
Departments responsible for information assets or systems that process, store, receive, transmit, or use CSU protected Level 1 data must:
Implements ICSUAM 8060 Access Control
Access to Protected Data must be denied until specifically authorized. Authorization to access Level 1 Protected Data must be granted on a per user basis by the Data Owner of the data to be used using the “CSUSM Request for Access to Protected Data” form. These authorizations must follow the principles of need to know, operational need, least privilege, and separation of duties. Data Owners must track any access modifications.
Third parties wishing to access Level 1 Protected data must also receive authorization from affected Data Owners, and must follow all applicable CSU and CSUSM policies, standards, laws, and contracts.
Data Owners must review and renew all access authorizations on a specified date annually. This must be logged on the request form used for the original authorization.
Unique credentials should be used for accessing all campus information systems.
Exceptions allowing the use of shared credentials must be approved by the requesting departments’ manager and by all affected data owners, and the manager and all affected data owners must be informed of the associated risks. The department administering the system being accessed with shared credentials must track all shared credentials in use, must require shared credentials to be reauthorized at least annually, and must deactivate any shared credentials that are not reauthorized.
When passwords are issued they must be one-time Passwords/Keys.
One-time passwords (e.g., passwords assigned during account creation, password resets, or as a second factor for authentication) must be set to a unique value per user and changed immediately after first use.
CSUSM Passwords must meet the following requirements:
Passwords stored in any form, including on paper, must be protected with appropriate controls, including but not limited to being locked up, carried on one’s person at all times, and the use of strong encryption.
Any passwords stored electronically (except for service accounts) must be stored using approved encrypted password management software.
Level 1 or 2 Protected assets must never be made public. Campus personnel are encouraged to use discretion and good judgment when deciding what other information to make public, and must comply with all applicable CSUSM and CSU policies and standards, all applicable laws, and all applicable contractual requirements, when doing so.
Implements ICSUAM 8065 Information Asset Management.
Annually, CSUSM will conduct an inventory of Level 1 data (as defined by the CSU Data Classification Standard). This inventory will be completed by distributing a Level 1 Data Inventory Survey to all Admin II managers or higher.
This survey is to be completed and returned to the Information Security Office.
The Information Security Office will be available to help users complete the Data Inventory survey by appointment.
The Information Security Office will investigate and respond to Information Security incidents involving malware, fraud, harassment, inappropriate use, unauthorized data access, unauthorized physical access, unauthorized system access, unauthorized system use, lost or stolen equipment, other violations of applicable Information Security laws, policies, standards, procedures and contracts, and other violations of the confidentiality, integrity, or availability of information systems or assets for which CSU San Marcos holds responsibility.
The Information Security Incident Management program provides responsibilities and directs activities for responding to information security incidents.
Persons who suspect a security incident should contact the information one of the following ways:
Please provide the nature of data stored and accessed on any system suspected of being compromised, to the extent that this can be done without using or accessing the system itself.
Callers should state, in particular, if CSU protected level 1 or 2 data violations are suspected such as Social Security Numbers, medical information, grades, or other CSU protected level 1 or 2 data as defined in The CSU Data Classification Standard.
If an Information Security incident is the process causing serious harm to the University or to individuals in the University community, then telephone the University Police at 760-750-4567.
If a reasonable suspicion exists that Level 1 data has been breached, the Information Security Officer must immediately notify the CSU Chief Information Security Officer of the potential incident.
If a system is suspected of having been compromised, to avoid inadvertently destroying valuable evidence needed to protect other systems and to prove that protected information was not accessed, users and IT support staff must not:
The Information Security Office has forensic software to preserve as much of the evidence as possible from a compromised computer.
If a compromised system is believed to be exfiltrating data or attacking other systems, the system must be immediately disconnected from the network.
If the presence of malicious software has been detected then the machine in question must immediately cease to be used and must be disconnected from the network. The Information Technology Help Desk must be notified. The machine must be examined for sensitive data and fully cleaned before use can continue.
The Information Security Office will work with the affected parties to create and implement a plan to recover from the incident and remediate damage caused by the incident.
Where appropriate, violations of laws, policies, standards, procedures, contracts, or codes of conduct will be referred to other departments such as Judicial Affairs, Employee Relations and Compliance, Residential Life, or Faculty Affairs for further investigation or action.
The Information Security Office will lead a follow-up conversation to identify and apply lessons learned, and to develop and implement corrective actions directed at preventing or mitigating the risk of similar occurrences.
When all outstanding action items have been completed, the Information Security Office will close the incident and notify the President and the Information Security Incident Response Team (ISIRT).
Implements ICSUAM 8080 Physical Security
Shared Access Areas and Campus Limited Access Areas will be identified based on responses to the annual Data Inventory Survey and criteria set by the CSU Physical and Environmental Security standard.
The display screens for all campus information systems that have access to protected data must be positioned such that data cannot be readily viewed by unauthorized persons (e.g., through a window, by persons walking in a hallway, or by persons waiting in reception or public areas). If it is not possible to move a display screen to meet the above requirement, a screen filter must be used.
Implements ICSUAM 8090 Compliance
In accordance with ICSUAM 3102.5 Debit/Credit Card Payment Policy, all people, processes, and systems within the scope of the Payment Card Industry Data Security Standard (PCI DSS) must comply with the PCI DSS.
All University business must be conducted in compliance with all applicable laws, including but not limited to FERPA (Family Educational Rights and Privacy Act) and HIPAA (Health Insurance Portability and Accountability Act).
A red flag is an event or observation that indicates a heightened probability of identity theft.
Identity theft is strongly related to credit fraud, and CSU San Marcos extends credit to students in the form of Student Loans and Payment Plans.
This standard describes examples of red flags to notice, should they appear in the course of daily business, and direction in responding to red flags.
Red flag events include notification of the University by law enforcement, a credit reporting agency, a victim of identity theft, or another party, that an identity theft has occurred or is suspected of having occurred.
Red flag observations can include anything suspicious about a customer, documents provided, or information provided.
Customer red flags include inconsistencies between the customer's appearance or voice and the photograph or physical description in University records or on the presented identification.
Document red flags include any evidence that a piece of identification, a form, or any other document, has been forged, altered, or destroyed and reassembled.
Information red flags include:
Some red flags are detected automatically, such as certain kinds of invalid information, some red flags are detected through manual observation, and some are only detected when suspicious circumstances have prompted investigation. Most red flags are most likely to be discovered during the process of authenticating a student.
The detection of a Red Flag by an employee shall be reported to their appropriate administrator and to the IT Helpdesk as per the CSU San Marcos Information Security Incident Response Standard.
Based on the circumstances and the type of red flag, the Appropriate Administrator and the Information Security Incident Response Team, together with the employee will determine the appropriate response.
Appropriate responses may include:
The University remains responsible for compliance with the Red Flags Rule even if it outsources operations to a third party service provider. The written agreement between the University and the third party service provider shall require the third party to have reasonable policies and procedures designed to detect relevant Red Flags that may arise in the performance of the service provider’s activities. The written agreement must also indicate whether the service provider is responsible for notifying only the University of the detection of a Red Flag or if the service provider is responsible for implementing appropriate steps to prevent or mitigate identify theft.
All employees who process any information related to a covered account shall receive training to understand their responsibilities associated with the Identity Theft Protection Standard.
Implements ICSUAM 8095 Policy Enforcement
Investigations involving employees and students suspected of violating the CSU or CSUSM Information Security policy must be conducted in compliance with all applicable laws, regulations, collective bargaining agreements, and CSU and CSUSM policies.
CSUSM reserves the right to temporarily or permanently suspend, block, or restrict access to information assets, independent of such procedures, when it reasonably appears necessary to do so in order to protect the confidentiality, integrity, availability, or functionality of CSUSM resources or to protect CSUSM from liability.
Portions derived, with permission, from the Sonoma State University Information Security Program.
Portions derived, with the permission, from the Sacramento State Information Security Policies.
Portions derived, with permission, from the Cal Poly Policies, Standards, Guidelines, Procedures, and Forms.