Information Security Management and Compliance
California State University, Long Beach recognizes its affirmative and continuing obligation to protect the confidentiality, maintain the integrity, and ensure the availability of information about and used by CSULB faculty, staff, students and customers and to provide administrative, technical and physical safeguards to protect university information assets.
The California State University, Long Beach Information Security and Privacy Program provides the framework for assisting the University with meeting its responsibilities to:
The CSULB Information Security and Privacy Program applies to:
| Division/Area | Division/Area Information Security Officer |
|---|---|
| Academic Affairs | Associate Vice President, Academic Technology |
| Administration and Finance | University Information Security Officer |
| Associated Students, Inc | Executive Director, Associated Students, Inc. |
| Athletics | Senior Associate Athletics Director/SWA |
| Forty-Niner Shops, Inc. | Manager, ID Card Services |
| Foundation | Chief Financial Officer |
| President’s Office | Executive Assistant to the President |
| Student Services | Associate Vice President, Student Services/Dean of Students |
| University Relations & Development | Director of Advancement Services |
Custodians of Records are appropriate administrators designated by the President and division Vice Presidents to maintain the official/original copy of the record/information. Custodians of Records are responsible for: a) assuring that the campus is operating in compliance with the portion of the CSU Records Retention and Disposition Schedules for which they have been delegated authority; b) identifying records/information that may have historic or vital value for the campus; and c) reporting to the University Information Security Officer any university-specific records that have not been cited within the CSU Records Retention and Disposition Schedule.
The following positions have delegated authority to serve as Custodian of Records:
| Record Schedule | Custodian of Record |
|---|---|
| 1.0 Personnel/Payroll Records | Associate Vice President, Human Resources Management |
| 3.0 Environmental Health & Safety | Director, Environmental Health & Safety |
| 4.0 Student Records (with the exception of Student Records listed below) | Associate Vice President, Enrollment Services |
| Sections 4.1.42 Teacher credential certification records; 4.1.43 Teacher credential program records | Dean, College of Education |
| Section 4.1.44 Thesis/Dissertation/Graduate Comprehensive Exam Records (i.e. committee assignment, extensions, clearance, etc.) | Vice Provost, Graduate Studies |
| Section 4.2.14 Federal Work-study payroll records | Associate Vice President, Human Resources Management |
| Sections 4.1.49 Tuition and fee charges; 4.2.3 Bank statements for accounts containing Student Financial Aid Funds; 4.2.19 Ledgers identifying Student Financial Aid transactions; 4.2.22 Perkins promissory notes and repayment schedules; 4.2.23 Perkins repayment records; 4.2.25 Records of student accounts | Bursar |
| Section 4.3 International Student Education | Assistant Vice President, International Education |
| Section 4.4, Student Athlete Records | Director of Athletics |
| Sections 4.5.1 – 4.5.6, Student Conduct Records | Director, Judicial Affairs, Division of Student Services |
| Sections 4.6.1 – 4.6.2, Student Health Records | Director, Counseling and Psychological Services, Division of Student Services |
| Sections 4.6.1 – 4.6.2, Student Health Records | Director, Disabled Student Services, Division of Student Services |
| Sections 4.6.1 – 4.6.2, Student Health Records | Director, Student Health Services, Division of Student Services |
| Section 4.7, Veteran Records | Director, Veterans Affairs Services, Division of Student Services |
| 5.0 Facilities Records | Associate Vice President, Physical Planning and Facilities Mgmt |
| 6.0 University Police Records | Chief of Police |
| 7.0 University Advancement Records | Director, Advancement Services, Division of University Relations & Development |
| 8.0 Academic Personnel | Associate Vice President, Faculty Affairs |
| 9.0 Curriculum & Accreditation | University Archives |
| 10.0 Research & Sponsored Programs | Associate Vice President, Research and External Support |
| 11.0 Institutional Records | University Archives |
In addition, the following positions have been delegated authority to accept and respond to subpoenas:
| Type of Records Subpoenaed | Custodian of Record |
|---|---|
| Student Records/Information | Director, Office of Judicial Affairs |
| Staff Personnel Records/Information (including payroll records for all employees) | Director, Staff Human Resources |
| Faculty Personnel Records/Information (including Librarians and Coaches) | Senior Director, Academic Employee Relations |
| Non-Personnel Records or where it is not possible to determine the specific subject of the request | University Information Security Officer |
University Administrators are managers and supervisors included in the Management Personnel Plan (MPP) or equivalent in CSULB auxiliary organizations. University Administrators are responsible for ensuring compliance with established information security policies, procedures and standards within their respective college, department, administrative area, or organization.
There are several reasonable and foreseeable internal and external risks to the security and integrity of personal information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the security and confidentiality of personal and confidential information. These risks may include, but are not limited to:
The management and control of risks shall be accomplished by 1) the development of policies, procedures, and standards which address identified risks; 2) the development of training opportunities and informational materials to assist in the implementation of these policies, procedures and standards; and 3) monitoring, auditing and otherwise evaluating campus divisions/areas/auxiliary organizations for compliance with information policies, procedures, and standards.
The University Information Security Officer will work closely with each Division/Area Information Security Officer to ensure that each division complies with the University's information security policies, procedures, and standards. The Division Information Security Officers will ensure that all new policies, procedures and standards are distributed within their own divisions/areas through the appropriate reporting and communication channels. Compliance with policies, procedures and standards will be monitored on an ongoing basis.
Individuals have the right to inquire and to be notified about the personal information that CSULB maintains concerning them. An opportunity to inspect any such confidential information must be afforded within 30 days of any request. If the record containing the personal information also contains personal information about another individual, that information must be deleted from the record before it is disclosed. Individuals may request copies of records containing personal information about them, and those copies must be provided within 15 days of the request. The University/Auxiliary may charge a reasonable per page cost for making any copies. Individuals may request that their personal information be amended, and if that request is denied, the individual may request a review of that decision by the Vice President, Administration and Finance or designee.
The University Information Security Officer shall conduct an annual review of the Information Security and Privacy Program to ensure that it remains appropriate and relevant.
The California Information Practices Act was enacted in 1977 to protect individuals’ privacy rights in “personal information” contained in state agency records. The Act reflects the Legislature’s determination that the right to privacy is in jeopardy and that the maintenance and dissemination of private information should be subject to strict limits. The Act prohibits disclosure of personal information except in certain limited circumstances. Some of these disclosures may impose requirements not included in this document. Consultation with the University Information Security Officer is required before releasing personal information covered by the Information Practices Act.
The following disclosures are permitted under the Information Practices Act: