Policies & Practices

CSU and SDSU IT Security Policies, Standards, and Procedures

The Board of Trustees of the California State University (CSU) and SDSU is responsible for protecting the confidentiality, integrity and availability of CSU information assets. Unauthorized modification, deletion, or disclosure of information assets can compromise the mission of the CSU, violate individual privacy rights, and possibly constitute a criminal act.

The CSU Information Security Program activities are guided by ISO 27002:2013 (Information technology — Security techniques — Code of Practice for Information Security Controls), which are the best industry practices for the management of information security controls.

The CSU and SDSU IT security policies, standards, and/or guidelines are formal statements that specify a set of rules that all users must follow when gaining access to SDSU’s information and information systems.

Information Security

CSU	Policy	ISO Domain 5: Information Security Policy
SDSU	Plan	SDSU Information Security Plan (To Be Updated)

Organization of Information Security

CSU	Policy	ISO Domain 6: Organization of Information Security Policy
CSU	Standard	ISO Domain 6: Organization of Information Security Standard

Human Resource Security

CSU	Policy	ISO Domain 7: Human Resource Security Policy
CSU	Standard	ISO Domain 7: Human Resource Security Standard

Asset Management

CSU	Policy	ISO Domain 8: Asset Management Policy
CSU	Standard	ISO Domain 8: Asset Management Standard
SDSU	Policy	Controlled Unclassified Information (CUI) Policy
	Guideline	Sensitive Data Storage Best Practices
	Guideline	Security Guidance for Storing and Sharing Protected Data
	Guideline	Google Workspace (Shared Drive, Forms, and Sheets) Secure Configurations Recommendations

Access Control

CSU	Policy	ISO Domain 9: Access Control Policy
CSU	Standard	ISO Domain 9: Access Control Standard

Cryptography

CSU	Policy	ISO Domain 10: Cryptography Policy
CSU	Standard	ISO Domain 10: Cryptography Standard

Physical and Environmental Security

CSU	Policy	ISO Domain 11: Physical and Environmental Security Policy
CSU	Standard	ISO Domain 11: Physical and Environmental Security Standard

Operations Security

CSU	Policy	ISO Domain 12: Operations Security Policy
CSU	Standard	ISO Domain 12: Operations Security Standard
SDSU	Policy	Server Security Policy
	Policy	Mobile Device Security Policy
	Standard	Vulnerability Management Standard
	Standard	Security and Configuration of Information Systems Standard
	Standard	Minimal Endpoint Security Baseline Standard
	Guideline	IT Security Guidance for Remote Access

Communications Security

CSU	Policy	ISO Domain 13: Communications Security Policy
CSU	Standard	ISO Domain 13: Communications Security Standard
SDSU	Guideline	Zoom Meetings for HIPAA Guidance

Systems Acquisition, Development and Maintenance

CSU	Policy	ISO Domain 14: Systems Acquisition, Development and Maintenance Policy
CSU	Standard	ISO Domain 14: Systems Acquisition Standard

Supplier Relationships

CSU	Policy	ISO Domain 15: Supplier Relationships Policy
CSU	Standard	ISO Domain 15: Supplier Relationships Standard

Information Security Incident Management

CSU	Policy	ISO Domain 16: Information Security Incident Management Policy
CSU	Standard	ISO Domain 16: Incident Management Standard

Information Security Aspects of Business Continuity Management

CSU	Policy	ISO Domain 17: Information Security Aspects of Business Continuity Management Policy
CSU	Standard	ISO Domain 17: Business Continuity Management Standard

Compliance

CSU	Policy	ISO Domain 18: Compliance Policy
CSU	Standard	ISO Domain 18: Compliance Standard

Information Security Links

Colleges

Other Locations