Policies & Practices
CSU and SDSU IT Security Policies, Standards, and Procedures
The Board of Trustees of the California State University (CSU) and SDSU is responsible for protecting the confidentiality, integrity and availability of CSU information assets. Unauthorized modification, deletion, or disclosure of information assets can compromise the mission of the CSU, violate individual privacy rights, and possibly constitute a criminal act.
The CSU Information Security Program activities are guided by ISO 27002:2013 (Information technology — Security techniques — Code of Practice for Information Security Controls), which are the best industry practices for the management of information security controls. The CSU Information Security Program policies are provided below:
- Information Security Responsible Use Policy
- Information Security Privacy of Personal Information Policy
- Privacy Program
- Information Security Policy and Standards
These policies shall apply to the following:
- All campuses.
- Central and departmentally-managed campus information assets.
- All users employed by campuses or any other person with access to campus information assets.
- All categories of information, regardless of the medium in which the information Asset is held or transmitted (e.g. physical or electronic).
- Information technology facilities, applications, hardware systems, and network resources owned or managed by the CSU.
- Auxiliaries, external businesses, and organizations that use campus Information Assets must operate those assets in conformity with this policy.
Policies vs. Standards vs. Guidelines
SDSU's IT security framework adopts both the CSU Information Security Policy and Standards and the SDSU Supplemental Information Security policies, standards, and guidelines.
- Policies are formal statements created by the university that reflect our mission, which in this case is the protection of SDSU's information and assets.
- Standards are rules or actions that must be done to ensure our policies are being followed. They indicate expected behavior and must be enforced.
- Guidelines are recommended practices that are based on industry-standard practices.
Links to sections
CSU Information Security Policies and Standards
The policy describes the responsibility for overseeing a documented annual review and communicating any changes or additions to appropriate CSU stakeholders.
This policy states that each campus must develop, implement, and document the organizational structure that supports the campus' Information Security Program.
ISO Domain 6: Organization of Information Security Policy Link
This standard define the functions, relationships, responsibilities, and authorities of individuals or committees that support the campus Information Security Program.
ISO Domain 6: Organization of Information Security Standard Link
This policy provides direction and support for managing personnel information security and information security training and awareness programs.
This standard provides direction and support for managing personnel information security and information security training and awareness programs.
This policy states that each campus must develop and maintain a data classification standard that meets or exceeds the requirements of the CSU Data Classification Standard.
This standard directs that each campus maintain an inventory of Information Assets containing Level 1 or Level 2 Data as defined in the CSU Data Classification Standard. These assets must be categorized and protected throughout their entire life cycle, from origination to destruction.
This policy provides direction and support for managing access to CSU Information Assets.
This standard directs that each campus must document access to campus Information Assets containing Level 1 or Level 2 Data, which must include a process for documenting appropriate approvals before access or privileges are granted.
This policy regulates the permission of the use of electronic or digital signatures in lieu of handwritten signatures.
This standard provides direction on the use of electronic or digital signatures within the CSU.
This policy requires that each campus identify physical areas that must be protected from unauthorized physical access.
ISO Domain 11: Physical and Environmental Security Policy Link
This standards directs each campus to implement physical and environmental security controls to prevent unauthorized physical access, damage, and interruption to campus' Information Assets.
ISO Domain 11: Physical and Environmental Security Standard Link
This policy directs each campus to develop and implement appropriate technical controls to minimize risks their information technology infrastructure.
This standard provides standards and guidance for appropriate technical controls to minimize risks to CSU information technology infrastructure.
This policy directs each campus to implement and regularly review a documented process for transmitting data over the campus network.
This standard directs each campus to establish a method for documenting the campus network topology, equipment configuration and network address assignments.
This policy directs each campus to integrate information security requirements into the software life cycle of information systems that contain Level 1 or Level 2 Data.
ISO Domain 14: Systems Acquisition, Development and Maintenance Policy Link
This standard directs each campus to develop and maintain information security criteria for application development.
This policy describes regulation of third party service that require access to campus Information Assets containing Level 1 or Level 2 Data as defined in the CSU Data Classification Standard.
This standard requires that campuses ensure that it is either specifically permitted or required by law when permitting third parties to access Critical, Level 1, or Level 2 Data.
This policy requires that each campus develop and maintain an information security incident response program.
ISO Domain 16: Information Security Incident Management Policy Link
This standard provides direction on how to implement an information security incident response program.
This policy requires that each campus ensure that their Information Assets can, in the case of a catastrophic event, continue to operate and be appropriately accessible to users.
ISO Domain 17: Information Security Aspects of Business Continuity Management Policy Link
This standard provides direction on how to implement a Business Continuity Management Policy that ensures that CSU Information Security Policies and Standards are still fully in force and must be followed during any disasters or other service interruptions, and during recovery and continuity activities.
This policy states that the CSU Systemwide CISO shall, in consultation with the CSU Office of General Counsel and other subject matter experts, regularly identify and define laws and regulations that apply to CSU Information Assets.
This standard requires each campus to develop and maintain information security policies and standards that comply with applicable laws and regulations and the CSU policies that apply to campus Information Assets.
SDSU Information Security Policies
This policy applies to all SDSU activities, without regard to physical location, that access or engage with Controlled Unclassified Information (CUI).
This policy establishes the server configuration management framework for SDSU servers to ensure security, reliability, and the coordination of technical operations.
The purpose of this policy is to define how to secure mobile devices that are used to transact University business, which includes accessing, storing, and processing (SDSU data.
SDSU Information Security Standards
This Vulnerability management standard documents and outlines the
processes required to reduce risk, threats, and exposure of SDSU systems.
This standard provides the required baseline configurations for all information systems and network devices at SDSU.
Security and Configuration of Information Systems Standard Link
The Information Technology Security Office provides this as the most current baseline configurations for SDSU endpoint devices. An endpoint is defined as any laptop, desktop, or mobile device.
SDSU Information Security Guidelines
Part of being a proper data owner is storing sensitive data in secured locations. SDSU has prepared a Sensitive Data Storage Best Practices Guide to identify appropriate managed solutions for storing various data types.
This describes how CSU protected level data (Level 1 - Confidential), will be maintained when utilizing cloud storage (e.g. Google Drive). This adheres to ISO Domain 8: CSU Asset Management Policy.
Google Workspace (Shared Drive, Forms, and Sheets) Secure Configurations Guidance (PDF)
This provides guidance on how to securely access campus resources remotely.
This provides guidance on how to comply with the Health Insurance Portability and Accountability Act (HIPAA) while using Zoom.
Get Help
To request a service, please submit a ticket via ServiceNow.
Report an Incident
Please contact the Information Security team immediately if you experience or are aware of any of the following: