California State University, Long Beach

March 2008

Information Security Policies, Standards and Procedures

Since the inception of the campus Information Security Management and Compliance program (Program), several policies, procedures and standards have been issued. As the Program evolves, additional related policies, procedures and standards will be issued. While a “Glossary” does appear on the Information Security Management and Compliance website, we thought that it might be helpful to provide the meaning of these terms in this newsletter.

Policies:

These are overall plans embracing the general goals and acceptable procedures of the University. Draft Policies are reviewed by many campus individuals, committees, and advisory groups and revised based on comments received. The revised draft is then reviewed by Division Executives before review and approval by the President.

The CSULB Information Security Policy delegates responsibility to the campus Information Security Officer for the development of information security standards and procedures.

Standards:

These are mandatory or required actions to comply with Federal or State law, CSU or CSULB policies. Draft Standards are also reviewed by many campus individuals, committees, and advisory groups and revised based on comments prior to release.

Procedures:

These are practices for complying with policies or standards and are reviewed in the same fashion as Standards.

Security Breach Notification Requirements Expanded

Existing California Law requires all businesses and state agencies to provide notification to California residents when their personal information is acquired or reasonably believed to have been acquired by an unauthorized person. Personal information has been defined as “an individual's first name or first initial and last name in combination with any of the following data elements, when either the name or the data elements are not encrypted:

  1. Social Security Number
  2. Driver's license number or California identification card number
  3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account”

In October 2007, the Governor approved Assembly Bill (AB) 1298 which amended California law to reflect additional data elements of personal information for which notification is required. California law now defines personal information as all of the above plus the following:

  1. Medical information – any information regarding an individual's medical history, mental or physical conditions, or medical treatment or diagnosis by a health care professional
  2. Health insurance information – an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claim history, including any appeal records.

The campus Security Incident Reporting and Breach Notification Procedures have been updated to reflect these changes.

Spotlight on the CSULB Information Classification and Protection Standard

California State University, Long Beach's databases and files, regardless of format, are essential public resources that must be protected from unauthorized use, access, disclosure, modification, loss, or deletion. However, the appropriate level of physical, technical and administrative safeguards necessary to provide protection is relative to the value, legal requirements, sensitivity and criticality of the information.

The CSULB Information Classification and Protection Standard, consistent with CSU standards, establishes three (3) information classification levels based on these factors:

Level 1 – Confidential

This is the highest level of information and requires the most protection. Confidential information maintained by the University is exempt from disclosure under the provisions of the California Public Records Act or other federal or state laws. Confidential information is information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to CSULB, its students, employees, or customers. Financial loss, damage to CSULB's reputation, and legal action could occur. Level 1 information is intended solely for use within CSULB and limited to those with a “business need-to-know.”

Level 2 – Internal Use

Level 2 includes information which must be protected due to proprietary, ethical or privacy considerations. Although not specifically protected by statute, regulations, or other legal obligations or mandates, unauthorized use, access, disclosure, acquisition, modification, loss or deletion of information at this level could cause financial loss or damage to CSULB's reputation, violate an individual's privacy rights, or result in legal action.

Level 3 – Public

This is information that is generally regarded as publicly available. Information at this level is either explicitly defined as public information or intended to be available to individuals both on and off campus. Knowledge of this information does not expose CSULB to financial loss or jeopardize the security of CSULB's information assets.

Additionally, the CSULB Information Classification and Protection Standard establishes the required handling, transmitting, storage, retention and destruction requirements for each classification level to adequately protect CSULB information assets.

Please take the opportunity to familiarize yourself with the requirements of this Standard. We welcome any questions or requests for additional information. Please do not hesitate to contact the office of Information Security Management and Compliance at ext. 54862.

Information Security Insider is a bi-monthly publication of the Office of Information Security Management and Compliance for the purpose of communicating information about governing statutes, policies and best practices to assist all of us in meeting our responsibility to protect University information assets, including the personal information of CSU Long Beach faculty, staff, students and customers.

http://daf.csulb.edu/offices/vp/information_security

Maryann Rozanski
Director / Information Security Officer
(562) 985-8260
Gene Wohlgezogen
Assistant Information Security Officer
(562) 985-4862