Staff and Faculty Resources by Information Security Office
Reporting Security Breaches
It's important to promptly report all suspicious events, security breaches, and potential security breaches.
WHAT should you report?
- unauthorized use, access, or disclosure of information
- lost or stolen documents, files, disks, or hardware
- erratic computer activity that may signal hacking or other intrusion into the organization's network
To WHOM should you report?
Your supervisor, IT Department, or Information Security Office
WHEN should you report?
Records Retention and Disposition
- CSU Executive Order 1031
- Education Code section 89043
- The implementation of the California State University (CSU) system-wide records/information retention schedules
- Practices that meet the campus's commitment to an effective records management program and to CSU audit, legal, and regulatory requirements
- FERPA Training for Faculty & Staff at CSUF
- All university faculty and staff, as well as any other agents of the university who request access to student information in the student information system, must complete Information Security Training. This training typically takes place when a faculty or staff member is initially hired. Access to the student information system will be denied until the training has been completed and the form submitted. The training program is intended to ensure that anyone accessing student education records understands the obligations under FERPA for proper use and protection of those records. If you have questions or concerns, please contact your supervisor or department chair.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- The Information Security Office keeps student data confidential and maintains the integrity and availability of university information and information systems. CSUF staff and faculty are required to learn about the health information privacy requirements of a federal law called HIPAA (Health Insurance Portability and Accountability Act). These requirements are known as the HIPAA Privacy Rule and went into effect on April 14, 2003. While at CSUF, you must follow university policies and procedures, including those concerning health information privacy.
PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI DSS)
CSUF maintains high standards for the protection and security of its data, and this extends to its payment processing practices. To protect those practices, CSUF adheres to the standards established by the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC developed the Payment Card Industry Data Security Standard (PCI DSS) to safeguard the handling of payment card transactions; it defines the baseline technical and operational requirements for protecting cardholder data, and compliance is assessed against those requirements.
PCI Compliance Scope at CSUF
Compliance with the PCI DSS applies to any university department, on-campus vendor, project, program, fund-raising activity, or auxiliary that accepts payment cards for products and services on behalf of the University. For this purpose, "payment cards" include, but are not limited to, credit cards, bank debit cards, check authorization cards, cards used for cash-less transactions, and other similar forms of payment; any acceptance of such cards must comply with the PCI DSS.
Responsibilities and Involvement
In complying with the PCI DSS, you will need to adhere to specific procedures. These procedures require you to:
- Identify your entity as a merchant
- Know your roles and responsibilities as they relate to PCI requirements
- Determine the scope of your cardholder data environment annually
- Identify and document the existence of cardholder data environment
- Identify and document business processes in relation to the cardholder data environment
- Document your device inventory and user inventory
- Complete annual PCI security awareness training through the bank/acquirer
- Conduct annual risk assessment of your cardholder data environment (See pcisecuritystandards.org for information)
- Re-evaluate the scope of your cardholder data environment annually, looking for ways to reduce it
- Work with your bank representative for merchant requirements
- Complete appropriate annual PCI Self-Assessment Questionnaire as determined by the bank/acquirer
- Contribute department/entity/program payment card information toward campus-wide PCI requirements
- Provide the campus Information Security Officer with annual access to your documentation for review
Due to the dynamic nature of technology and information security, the requirements for specific procedures and documents are subject to change without notice. Please review the PCI DSS Resources, or contact the Information Security Officer for additional recommendations, assistance, or questions toward compliance.