Policies & Practices
CSU and CSUF Information Security Policies, Standards, and Procedures

The Board of Trustees of the California State University (CSU) and CSUF is responsible for protecting the confidentiality, integrity and availability of CSU information assets. Unauthorized modification, deletion, or disclosure of information assets can compromise the mission of the CSU, violate individual privacy rights, and possibly constitute a criminal act.

The CSU Information Security Program activities are guided by ISO 27002:2013 (Information technology — Security techniques — Code of Practice for Information Security Controls), which represents industry best practice for the management of information security controls. The CSU Information Security Program policies are provided below:


Policies vs. Standards vs. Guidelines

CSUF's IT security framework adopts both the CSU Information Security Policy and Standards and the CSUF Supplemental Information Security policies, standards, and guidelines.

  • Policies are formal statements created by the university that reflect our mission, which in this case is the protection of SDSU's information and assets.
  • Standards are rules or actions that must be done to ensure our policies are being followed. They indicate expected behavior and must be enforced.
  • Guidelines are recommended practices that are based on industry-standard practices.

CSU Information Security Policies and Standards

ISO Domain 5: Information Security Policy

The policy describes the responsibility for overseeing a documented annual review and communicating any changes or additions to appropriate CSU stakeholders.

ISO Domain 5: Information Security Policy Link

ISO Domain 6: Organization of Information Security Policy

This policy states that each campus must develop, implement, and document the organizational structure that supports the campus' Information Security Program.

ISO Domain 6: Organization of Information Security Policy Link

ISO Domain 6: Organization of Information Security Standard

This standard defines the functions, relationships, responsibilities, and authorities of individuals or committees that support the campus Information Security Program.

ISO Domain 6: Organization of Information Security Standard Link

ISO Domain 7: Human Resource Security Policy

This policy provides direction and support for managing personnel information security and information security training and awareness programs.

ISO Domain 7: Human Resource Security Policy Link

ISO Domain 7: Human Resource Security Standard

This standard defines the measures required to ensure that employees, contractors, and third-party users are aware of, and comply with, the security policies and procedures required by the organization.

ISO Domain 7: Human Resource Security Standard Link

ISO Domain 8: Asset Management Policy

This policy defines how CSU campuses should identify, classify, and protect information and physical assets to prevent unauthorized access, use, modification, or disclosure.

ISO Domain 8: Asset Management Policy Link

ISO Domain 8: Asset Management Standard

This standard provides detailed instructions for the identification, classification, and management of information assets and supports a consistent approach across the CSU system.

ISO Domain 8: Asset Management Standard Link

ISO Domain 9: Access Control Policy

This policy defines the guidelines for controlling access to information systems and data, ensuring that access is granted only to authorized individuals.

ISO Domain 9: Access Control Policy Link

ISO Domain 9: Access Control Standard

This standard establishes procedures for the management of access control across systems and applications within the CSU environment, including authentication, authorization, and monitoring access.

ISO Domain 9: Access Control Standard Link

ISO Domain 10: Cryptography Policy

This policy outlines the requirements for using cryptographic techniques to protect the confidentiality, integrity, and authenticity of data across the CSU system.

ISO Domain 10: Cryptography Policy Link

ISO Domain 10: Cryptography Standard

This standard details the cryptographic techniques, methods, and tools that must be used to ensure the security of CSU data, both in transit and at rest.

ISO Domain 10: Cryptography Standard Link

ISO Domain 11: Physical and Environmental Security Policy

This policy provides the framework for protecting physical locations and the environment where information systems are hosted from natural, physical, and environmental threats.

ISO Domain 11: Physical and Environmental Security Policy Link

ISO Domain 11: Physical and Environmental Security Standard

This standard sets forth the specific requirements for safeguarding physical spaces, hardware, and systems, such as data centers, server rooms, and office spaces, from unauthorized access and environmental hazards.

ISO Domain 11: Physical and Environmental Security Standard Link

ISO Domain 12: Operations Security Policy

This policy establishes the responsibilities and activities required to ensure that operational processes within CSU campuses are protected against security threats.

ISO Domain 12: Operations Security Policy Link

ISO Domain 12: Operations Security Standard

This standard provides guidance on the implementation of operational security measures, including incident response procedures, monitoring, and event logging, to detect and mitigate security risks.

ISO Domain 12: Operations Security Standard Link

ISO Domain 13: Communications Security Policy

The policy outlines the controls necessary to protect CSU’s communication systems, ensuring the confidentiality, integrity, and availability of communications within and between campuses.

ISO Domain 13: Communications Security Policy Link

ISO Domain 13: Communications Security Standard

This standard defines the practices for securing communication channels and protocols, such as email, voice, and network communications, to prevent unauthorized interception or tampering.

ISO Domain 13: Communications Security Standard Link

ISO Domain 14: System Acquisition, Development, and Maintenance Policy

This policy governs the requirements for ensuring that information security is incorporated into the acquisition, development, and maintenance of IT systems and software.

ISO Domain 14: System Acquisition, Development, and Maintenance Policy Link

ISO Domain 14: System Acquisition, Development, and Maintenance Standard

This standard outlines the procedures for ensuring secure system development and maintenance practices, including the use of secure coding techniques and regular security testing throughout the software lifecycle.

ISO Domain 14: System Acquisition, Development, and Maintenance Standard Link

ISO Domain 15: Supplier Relationships Policy

This policy addresses the need for CSU campuses to establish clear and effective security requirements when working with third-party suppliers and contractors.

ISO Domain 15: Supplier Relationships Policy Link

ISO Domain 15: Supplier Relationships Standard

This standard provides guidelines for managing security risks that may arise from third-party suppliers, including security clauses in contracts and monitoring third-party performance.

ISO Domain 15: Supplier Relationships Standard Link

ISO Domain 16: Information Security Incident Management Policy

The policy outlines the approach to detecting, reporting, and responding to information security incidents within the CSU system, ensuring rapid containment and remediation.

ISO Domain 16: Information Security Incident Management Policy Link

ISO Domain 16: Information Security Incident Management Standard

This standard specifies the processes for handling security incidents, including incident detection, reporting, response, recovery, and post-incident analysis to improve the security posture of the CSU system.

ISO Domain 16: Information Security Incident Management Standard Link

ISO Domain 17: Information Security Aspects of Business Continuity Management Policy

This policy ensures that information security requirements are included in business continuity and disaster recovery planning at CSU campuses.

ISO Domain 17: Information Security Aspects of Business Continuity Management Policy Link

ISO Domain 17: Information Security Aspects of Business Continuity Management Standard

This standard outlines the procedures for integrating information security into business continuity plans, disaster recovery plans, and incident response strategies to maintain operational resilience.

ISO Domain 17: Information Security Aspects of Business Continuity Management Standard Link

ISO Domain 18: Compliance Policy

This policy establishes the guidelines for ensuring that CSU campuses comply with applicable legal, regulatory, and contractual requirements related to information security.

ISO Domain 18: Compliance Policy Link

ISO Domain 18: Compliance Standard

This standard provides guidance for CSU campuses to comply with relevant laws, regulations, and contractual obligations, ensuring that information security practices align with external compliance requirements.

ISO Domain 18: Compliance Standard Link

CSU Responsible Use Policy

This policy is intended to define, promote, and encourage responsible use of CSU information assets among members of the CSU community. This policy is not intended to prevent, prohibit, or inhibit the sanctioned use of CSU information assets as required to meet the CSU’s core mission and campus academic and administrative purposes.

Responsible Use Policy

Assessment results of this policy will be kept on record by the Information Security Office.

CSUF Information Security Policies

CSUF Online Privacy Policy

California State University, Fullerton (CSUF) safeguards the privacy of all visitors to our websites and applications. CSUF does not redistribute or sell personal information collected through our websites and applications.

CSUF complies with all applicable state and federal privacy statutes, including, but not limited to, the Higher Education Opportunity Act (HEOA), Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the California Public Records Act, the Integrated CSU Administrative Policy for Responsible Use and associated Data Security Policies.

The University will also comply with lawful subpoenas or court orders; the scope of these may include data gathered through websites and applications.

CSUF Online Privacy Policy

CSUF Vulnerability Policy

This document provides a comprehensive scan and remediation procedure designed to help protect the systems managed at the CSU Fullerton.

Information Security Office (ISO) staff will periodically identify potential threats and vulnerabilities through internal and external scans. Thereafter, application teams (Responsible parties?) will be provided the scan results for remediation. The work to maintain a secure infrastructure environment is a collaborative effort between ISO, IT application teams, and Infrastructure Services staff under the supervision of management.

Web application assessments are performed to identify potential or realized weaknesses resulting from inadvertent misconfiguration, weak authentication, insufficient error handling, sensitive information leakage, etc. Discovery and subsequent mitigation of these issues will limit the attack surface of CSU Fullerton services available both internally and externally, as well as satisfy compliance with any relevant policies in place.

CSUF Vulnerability Policy Document

CSUF Web Policy

California State University, Fullerton recognizes the importance of the Internet as a means to provide information about its programs and services, support its Mission & Goals, and provide access to informational resources for study and research. This Policy is intended to promote the use of the Internet as a publishing medium by clarifying the responsibilities of authors and providing guidelines for the production of accurate, useful and attractive web sites that enhance the university’s standing in the global academic community.

CSUF Web Policy

Assessment results of this policy will be kept on record by the Information Security Office.

COMPLIANCE

The University reserves the right to temporarily or permanently suspend, block, or restrict access to information assets when it reasonably appears necessary to do so to protect the confidentiality, integrity, availability, or functionality of those assets.

CSUF Mobile Device Passcode Policy

Having adequate levels of controls in place to protect data stored on mobile devices is paramount to the security of CSUF information assets. To validate that appropriate levels of access are in place, and in support of the CSU’s ICSUAM policy 8045.400 for mobile devices, Cal State Fullerton maintains standards for requesting the use of mobile storage devices.

Mobile storage devices include but are not limited to unattached storage drives of any size or format, thumb drives, SD cards, CDs, DVDs, or any other storage device/media that is not a part of the design and manufacture of a University-assigned computer.

CSUF Mobile Device Passcode Policy

Assessment results of mobile devices will be kept on record by the Information Security Office.

COMPLIANCE

The University reserves the right to temporarily or permanently suspend, block, or restrict access to information assets when it reasonably appears necessary to do so to protect the confidentiality, integrity, availability, or functionality of those assets.

CSUF Faculty & Staff Password Policy

In accordance with CSU policy requirements and information security best practices, the campus password expiration guideline requires that all faculty, staff, emeriti and student employees change their campus password during the month of October.

Note: Administrative/Department account passwords are required to be changed annually.

All Tier 1 & 2 and service account passwords are required to be changed every six months. Email notifications will be sent out 30 days prior to password expiration to the owner and Department IT Coordinator for these accounts.

Learn more about passwords on Campus

CSUF Computing Resources Use Policy

The purposes of University computing and communications resources are to provide a setting and opportunity for members of the academic community to express and explore ideas openly and freely subject to conditions and terms of this policy, to acquire and develop the skills of intellectual inquiry, and to examine critically the values of culture and society.

This policy assumes as a condition of use the exercise of common sense, common courtesy, and a respect of the rights and property of the University and others. In keeping with its mission, the University provides computing and communications resources to members of its community. The computers, networks, and computing facilities made available by the University for student, faculty, and staff use are the property of California State University, Fullerton, and are provided for the completion of academic requirements, scholarship, and administration of the University. This policy sets forth users' rights and responsibilities, and is designed to address related access, use, and privacy issues in a way that meets intellectual and creative needs of campus users.

The University's legal responsibilities include maintaining the campus network systems and treating the campus community with respect.

Computing Resources Use Policy

Assessment results will be kept on record by the Information Security Office.

COMPLIANCE

The University reserves the right to temporarily or permanently suspend, block, or restrict access to information assets when it reasonably appears necessary in order to protect the confidentiality, integrity, availability, or functionality of those assets.

CSUF Mobile Device Policy

The purpose of this policy is to secure university mobile computing devices that access or store CSUF sensitive data. The measures specified herein must be followed by all CSUF Employees and Faculty to protect university data and ensure compliance with Federal and State laws and regulations, and CSU and CSUF policies and procedures governing security of information. Only CSUF-issued, university-owned devices are approved for use with sensitive data.

Read the Mobile Device Policy

CSUF Policy for Sending Unsolicited Electronic Announcements

Cal State Fullerton maintains an electronic message network exclusively for its students, faculty and staff, as well as staff of its auxiliaries and affiliate organizations (Emeriti, for example), to facilitate the achievement of its Mission and Goals. This Policy outlines acceptable content and methods of distributing unsolicited electronic announcements through that system.

CSUF Policy for Sending Unsolicited Electronic Announcements

CSUF Information Security Standards

CSUF Cloud Computing Standards

This standard endorses the use of cloud services for file storing and sharing with vendors who can provide appropriate levels of protection and recovery for University information, and with explicit restrictions on storage of University Level 1 Protected and Level 2 Private Information.

While cloud storage of files can expedite collaboration and sharing of information anytime, anywhere, and with anyone, there are some guidelines that should be in place for the kind and type of university information that is appropriate for storing and sharing using these services. Even with personal use, one should be aware of the level of protection available for your data using such a cloud service.

Use of cloud services for storage, communication and productivity involving University Level 1 data is prohibited. Examples include but are not limited to Dropbox, Google Apps for Education, Office 365, and Exchange Online.

Use of cloud services for storage of University Level 2 data must be limited to services contracted by and supported by the University. Cloud services which are not supported by and provisioned by the University are prohibited.

A list of acceptable and unacceptable cloud services is in the appendix at the end of this policy.

Learn about cloud computing standards

CSUF Computer Classroom Security Standard

The Campus operates a heterogeneous network environment composed of centrally supported workstations, servers, and the network infrastructure. Along with administrative systems, the University also operates computer lab facilities which fall into 6 traditional types.

Learn about computer classroom security standards

CSUF Information Security Guidelines

Working from Home Best Practices

Working from home requires special considerations to maintain productivity and security. This guide provides essential tips on securing your home network, safeguarding your devices, and ensuring the safety of your data while working remotely.

Working from Home Best Practices Link

Keep Home Network Secure

Securing your home network is crucial in preventing unauthorized access and protecting your personal and work-related data. This page provides guidelines for ensuring your Wi-Fi, routers, and devices are properly configured to mitigate security risks.

Keep Home Network Secure Link

Best Practices for International Travel

When traveling internationally, extra precautions are necessary to protect your data and devices. This guide outlines critical steps for safeguarding your devices and ensuring secure communication while abroad, reducing risks to your personal and institutional information.

Best Practices for International Travel Link

Secure Data Transfers

Transferring sensitive data securely is paramount to protecting your information. This page outlines the best practices for safely transferring data to prevent unauthorized access and ensure compliance with privacy and security regulations.

Secure Data Transfers Link

Digital Millennium Copyright Act

Compliance with the Digital Millennium Copyright Act (DMCA) is essential for respecting intellectual property rights. This section outlines the importance of adhering to copyright laws when using and sharing digital content within the University environment.

Digital Millennium Copyright Act Link

Online Risks, Passwords, and Laws

Understanding the risks associated with online activities, password management, and legal compliance is crucial for safeguarding sensitive information. This guide highlights best practices for managing passwords, recognizing online threats, and adhering to relevant data protection laws.

Online Risks, Passwords, and Laws Link
