Information Security Management and Compliance
Records Management Standard
- References: CSU Records Access Manual
- CSU Subpoena Handbook
- CSU Executive Order 1031, Systemwide Records/Information Retention Schedules
- Government Code Section 6250-6270
- Fair and Accurate Credit Transactions Act of 2003 (FACTA); FCRA, 15 U.S.C. 1681 et seq.
- California Civil Code §1798.81
- Issue Date: September 2008
- Revision Date: April 2009
- Expiration Date: N/A
Attachment B
Information Protection Requirements
| Confidential Level 1 |
Internal Use Level 2 |
Public Level 3 |
|
|---|---|---|---|
| Handling | Please refer to the Clean Desk and Clear Screen Standard. | Same as Level 1 | No restrictions |
| Transmitting | Distribution: Electronic Mail (email or attachments to email: All email transmissions of confidential information must contain the follow statement: “The information contained in this email message or its attachment is confidential. Dissemination or copying of this email is strictly prohibited. If you think that you have received this email in error, please email the sender.” Mail (hard copy): |
Distribution: Electronic Mail (email or attachments to email): Mail (hard copy): FAX: Telephone: |
No restrictions |
| Storage | Must be stored on secured databases or file servers. When access to a secure server is not available and when approved by the employee’s Appropriate Administrator, Level 1-Confidential Information may be stored on laptops, desktops or portable electronic storage media, including but not limited to, CD-ROMs, DVD-ROMs, external hard drives, zip disks, floppy disks, reel and cassette format magnetic tapes, flash-memory cards, magnetic cards and USB flash drives (a.k.a. Memory Sticks, Thumb or Jump Drives.
Laptops, desktops and portable electronic storage media must be encrypted or otherwise rendered unreadable and unusable by unauthorized persons and must be located in a secure location at the University or another site approved by ITS management (including off-site backup services). Level 1 information may not be stored on personal equipment such as personal laptops, personal desktops, personal digital assistants (PDAs) iPods® or cell phones (such as BlackBerry®, Treo®, and iPhones®. See Note 1 for prohibitions regarding the storage of specific Payment Related Data. Printed information must be stored in a locked enclosure. |
Same as Level 1. | No restrictions |
| Retention | Records of any type of medium, such as paper, microfiche, magnetic, or optical, shall not be retained beyond the minimum retention period identified in the CSU Record Retention Schedule. |
Same as Level 1 | Same as level 1 |
| Disposition | Dispose in accordance with the Attachment C – Media Sanitization Methods. | Same as Level 1 | Normal waste disposal |
Note 1: Payment Related Data
The Primary Account Number (PAN) may not be stored unless encrypted.
The following types of payment related data may not be stored even if encrypted:
- Sensitive authentication data, which includes, but is not limited to, all of the following:
- The full contents of any data track from a payment card or other payment device
- The card verification code or any value used to verify transaction when the payment device is not present
- The personal identification number (PIN) or the encrypted PIN block
- Any payment related data that is not needed for business purposes.
- Any of the following data elements:
- Payment verification code
- Payment verification value
- PIN verification value