California State University, Long Beach

Information Security

Records Management Standard

Attachment B
Information Protection Requirements

This table describes the protection measures required for each information classification level.
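Classification levels: Confidential (Level 1), Internal Use (Level 2), Public (Level 3).

Handling

Level 1 (Confidential): Please refer to the Clean Desk and Clear Screen Standard.

Level 2 (Internal Use): Same as Level 1.

Level 3 (Public): No restrictions.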

Transmitting

Level 1 (Confidential):

Distribution: Limited to those with an established business need-to-know who are either CSULB employees or persons who have signed a confidentiality agreement.

Electronic Mail (email or attachments to email): May be sent within the CSULB email system (@csulb.edu) but not over a public network unless password protected or encrypted.

All email transmissions of confidential information must contain the following statement: “The information contained in this email message or its attachment is confidential. Dissemination or copying of this email is strictly prohibited. If you think that you have received this email in error, please email the sender.”

Mail (hard copy): Printed information may be sent through intercampus or U.S. mail but must be sealed in a plain envelope clearly marked, “To be Opened by Addressee Only”.

FAX: Authorized only from and to CSULB FAX machines. Information may not be sent to public FAX machines.

Telephone: Authorized, but only to CSU employees and others with a business need-to-know.

Level 2 (Internal Use):

Distribution: Transmission only to CSULB employees and those individuals with a business need-to-know.

Electronic Mail (email or attachments to email): May be sent within the CSULB email system (@csulb.edu) or over a public network to persons with a business need-to-know.

Mail (hard copy): Printed information may be sent through intercampus or U.S. mail with no special markings or handling.

FAX: Same as Level 1.

Telephone: Same as Level 1.

Level 3 (Public): No restrictions.

Storage

Level 1 (Confidential):

Must be stored on secured databases or file servers.

When access to a secure server is not available and when approved by the employee’s Appropriate Administrator, Level 1-Confidential Information may be stored on University owned laptops, desktops or portable electronic storage media, including but not limited to, CD-ROMs, DVD-ROMs, external hard drives, zip disks, flash-memory cards, magnetic cards and USB flash drives (a.k.a. Memory Sticks, Thumb or Jump Drives). In such cases, laptops, desktops and portable electronic storage media storing Level 1 data must be encrypted.

If desktops used to process (not store) Level 1 data are in a secured campus office that only allows authorized access, the Appropriate Administrator may choose not to encrypt the desktop. This decision must be documented and approved in writing by the employee’s Appropriate Administrator and the University Information Security Officer. See Note 2.

Level 1 information may not be stored on personal equipment such as personal laptops, personal desktops, personal digital assistants (PDAs), iPods® or cell phones (such as BlackBerry®, Treo®, and iPhones®).

See Note 1 for prohibitions regarding the storage of specific Payment Related Data.

Printed Level 1 information must be secured in a locked enclosure.

Level 2 (Internal Use): Same as Level 1.

Level 3 (Public): No restrictions.

Retention

Level 1 (Confidential): Records of any type of medium, such as paper, microfiche, magnetic, or optical, shall not be retained beyond the minimum retention period identified in the CSU Record Retention Schedule.

Level 2 (Internal Use): Same as Level 1.

Level 3 (Public): Same as Level 1.

Disposition

Level 1 (Confidential): Dispose of in accordance with Attachment C – Media Sanitization Methods.

Level 2 (Internal Use): Same as Level 1.

Level 3 (Public): Normal waste disposal.

Note 1: Payment Related Data

The Primary Account Number (PAN) may not be stored unless encrypted.
The following types of payment related data may not be stored even if encrypted:

  1. Sensitive authentication data, which includes, but is not limited to, all of the following:
    1. The full contents of any data track from a payment card or other payment device
    2. The card verification code or any value used to verify transaction when the payment device is not present
    3. The personal identification number (PIN) or the encrypted PIN block
  2. Any payment related data that is not needed for business purposes.
  3. Any of the following data elements:
    1. Payment verification code
    2. Payment verification value
    3. PIN verification value

Note 2:

If an unencrypted computer or hard drive with level 1 data is missing (stolen or lost), the University is required by law to activate security breach protocol/procedure. The department will have to bear the costs related to the breach notification requirements.

FURTHER INFORMATION

Information Security
(562) 985-4862