Policies & Practices

CSU and SDSU IT Security Policies, Standards, and Procedures

The Board of Trustees of the California State University (CSU) and SDSU is responsible for protecting the confidentiality, integrity and availability of CSU information assets. Unauthorized modification, deletion, or disclosure of information assets can compromise the mission of the CSU, violate individual privacy rights, and possibly constitute a criminal act.

The CSU Information Security Program activities are guided by ISO 27002:2013 (Information technology — Security techniques — Code of Practice for Information Security Controls), which are the best industry practices for the management of information security controls. The CSU Information Security Program policies are provided below:

These policies shall apply to the following:

  • All campuses.
  • Central and departmentally-managed campus information assets.
  • All users employed by campuses or any other person with access to campus information assets.
  • All categories of information, regardless of the medium in which the information Asset is held or transmitted (e.g. physical or electronic).
  • Information technology facilities, applications, hardware systems, and network resources owned or managed by the CSU.
  • Auxiliaries, external businesses, and organizations that use campus Information Assets must operate those assets in conformity with this policy.

Policies vs. Standards vs. Guidelines

SDSU's IT security framework adopts both the CSU Information Security Security Policy and the SDSU Supplemental Information Security policies, standards, and guidelines.

  • Policies are formal statements created by the university that reflect our mission, which in this case is the protection of SDSU's information and assets.
  • Standards are rules or actions that must be done to ensure our policies are being followed. They indicate expected behavior and must be enforced.
  • Guidelines are recommended practices that are based on industry-standard practices.

Links to sections

CSU Information Security Policies and Standards

The policy describes the responsibility for overseeing a documented annual review and communicating any changes or additions to appropriate CSU stakeholders.

ISO Domain 5: Information Security Policy Link

This policy states that each campus must develop, implement, and document the organizational structure that supports the campus' Information Security Program.

ISO Domain 6: Organization of Information Security Policy Link

This standard define the functions, relationships, responsibilities, and authorities of individuals or committees that support the campus Information Security Program.

ISO Domain 6: Organization of Information Security Standard Link

This policy provides direction and support for managing personnel information security and information security training and awareness programs.

ISO Domain 7: Human Resource Security Policy Link

This standard provides direction and support for managing personnel information security and information security training and awareness programs.

ISO Domain 7: Human Resource Security Standard Link

This policy states that each campus must develop and maintain a data classification standard that meets or exceeds the requirements of the CSU Data Classification Standard.

ISO Domain 8: Asset Management Policy Link

This standard directs that each campus maintain an inventory of Information Assets containing Level 1 or Level 2 Data as defined in the CSU Data Classification Standard. These assets must be categorized and protected throughout their entire life cycle, from origination to destruction.

ISO Domain 8: Asset Management Standard Link

This policy provides direction and support for managing access to CSU Information Assets.

ISO Domain 9: Access Control Policy Link

This standard directs that each campus must document access to campus Information Assets containing Level 1 or Level 2 Data, which must include a process for documenting appropriate approvals before access or privileges are granted.

ISO Domain 9: Access Control Standard Link

This policy regulates the permission of the use of electronic or digital signatures in lieu of handwritten signatures.

ISO Domain 10: Cryptography Policy Link

This standard provides direction on the use of electronic or digital signatures within the CSU.

ISO Domain 10: Cryptography Standard Link

This policy requires that each campus identify physical areas that must be protected from unauthorized physical access.

ISO Domain 11: Physical and Environmental Security Policy Link

This standards directs each campus to implement physical and environmental security controls to prevent unauthorized physical access, damage, and interruption to campus' Information Assets.

ISO Domain 11: Physical and Environmental Security Standard Link

This policy directs each campus to develop and implement appropriate technical controls to minimize risks their information technology infrastructure.

ISO Domain 12: Operations Security Policy Link

This standard provides standards and guidance for appropriate technical controls to minimize risks to CSU information technology infrastructure.

ISO Domain 12: Operations Security Standard Link

This policy directs each campus to implement and regularly review a documented process for transmitting data over the campus network.

ISO Domain 13: Communications Security Policy Link

This standard directs each campus to establish a method for documenting the campus network topology, equipment configuration and network address assignments.

ISO Domain 13: Communications Security Standard Link

This policy directs each campus to integrate information security requirements into the software life cycle of information systems that contain Level 1 or Level 2 Data.

ISO Domain 14: Systems Acquisition, Development and Maintenance Policy Link

This standard directs each campus to develop and maintain information security criteria for application development.

ISO Domain 14: Systems Acquisition Standard Link

This policy describes regulation of third party service that require access to campus Information Assets containing Level 1 or Level 2 Data as defined in the CSU Data Classification Standard.

ISO Domain 15: Supplier Relationships Policy Link

This standard requires that campuses ensure that it is either specifically permitted or required by law when permitting third parties to access Critical, Level 1, or Level 2 Data.

ISO Domain 15: Supplier Relationships Standard Link

This policy requires that each campus develop and maintain an information security incident response program.

ISO Domain 16: Information Security Incident Management Policy Link

This standard provides direction on how to implement an information security incident response program.

ISO Domain 16: Incident Management Standard Link

This policy requires that each campus ensure that their Information Assets can, in the case of a catastrophic event, continue to operate and be appropriately accessible to users.

ISO Domain 17: Information Security Aspects of Business Continuity Management Policy Link

This standard provides direction on how to implement a Business Continuity Management Policy that ensures that CSU Information Security Policies and Standards are still fully in force and must be followed during any disasters or other service interruptions, and during recovery and continuity activities.

ISO Domain 17: Business Continuity Management Standard Link

This policy states that the CSU Systemwide CISO shall, in consultation with the CSU Office of General Counsel and other subject matter experts, regularly identify and define laws and regulations that apply to CSU Information Assets.

ISO Domain 18: Compliance Policy Link

This standard requires each campus to develop and maintain information security policies and standards that comply with applicable laws and regulations and the CSU policies that apply to campus Information Assets.

ISO Domain 18: Compliance Standard Link

SDSU Information Security Policies

This policy applies to all SDSU activities, without regard to physical location, that access or engage with Controlled Unclassified Information (CUI).

CUI Policy Link

This policy establishes the server configuration management framework for SDSU servers to ensure security, reliability, and the coordination of technical operations.

Server Security Policy Link

The purpose of this policy is to define how to secure mobile devices that are used to transact University business, which includes accessing, storing, and processing (SDSU data.

Mobile Device Security Policy

SDSU Information Security Standards

This Vulnerability management standard documents and outlines the
processes required to reduce risk, threats, and exposure of SDSU systems.

Vulnerability Management Standard Link

This standard provides the required baseline configurations for all information systems and network devices at SDSU.

Security and Configuration of Information Systems Standard Link

The Information Technology Security Office provides this as the most current baseline configurations for SDSU endpoint devices. An endpoint is defined as any laptop, desktop, or mobile device.

Minimal Endpoint Security Baseline Standard Link

SDSU Information Security Guidelines

Part of being a proper data owner is storing sensitive data in secured locations. SDSU has prepared a Sensitive Data Storage Best Practices Guide to identify appropriate managed solutions for storing various data types.

Sensitive Data Storage Best Practices Link

This describes how CSU protected level data (Level 1 - Confidential), will be maintained when utilizing cloud storage (e.g. Google Drive). This adheres to ISO Domain 8: CSU Asset Management Policy.

Google Workspace (Shared Drive, Forms, and Sheets) Secure Configurations Guidance (PDF)

This provides guidance on how to securely access campus resources remotely.

IT Security Guidance for Remote Access Link

This provides guidance on how to comply with the Health Insurance Portability and Accountability Act (HIPAA) while using Zoom.

Zoom Meetings for HIPAA Guidance Link

Get Help

To request a service, create a ServiceNow Ticket and assign the ticket to “IT-ITSO-Help Desk”.

IT Security Office
Administration Building
https://it.sdsu.edu/get-help

Report an Incident

Please contact the Information Security team immediately if you experience or are aware of any of the following: