Program Administration

Information Security Management Program

1 Introduction

This Information Security Program describes how CSU San Marcos will fulfill its obligations to protect those information assets for which the campus or its auxiliaries or other affiliated organizations hold ownership or responsibility.

2 Background

Section 8000 of the Integrated CSU Administrative Manual states that:

It is the collective responsibility of all users to ensure:

Confidentiality of information which the CSU must protect from unauthorized access.

Integrity and availability of information stored on or processed by CSU information systems.

Compliance with applicable laws, regulations, and CSU/campus policies governing information security and privacy protection.

3 Program Goals

The goals of CSU San Marcos Information Security Program are to:

Identify and manage information security risks
Ensure compliance with all applicable laws, regulations, contracts, and California and CSU policies
Communicate responsibilities and minimum requirements

4 Scope

The CSU San Marcos Information Security Program applies to all people, organizations, systems, networks, processes, media, and data to whom are given access to or custody of Information Assets for which CSU San Marcos or its auxiliaries or other affiliated organizations hold ownership or responsibility, or for which CSU San Marcos or its auxiliaries or other affiliated organizations hold ownership or responsibility.

5 Annual Review

The Information Security Officer, in collaboration with the Information Security Steering Committee, will annually review this program and will recommend needed revisions.

6 Should & Must Definition

Throughout this document, the words “must” and “should” have been carefully used to describe requirements. While both terms denote a requirement that needs to be followed, the process for making exceptions differs.

Exceptions to a "should" requirement must be approved by an appropriate administrator and by all affected data owners. The Information Security Office must also be notified of the exception.

Exceptions to a "must" requirement must be approved by an appropriate administrator, by all affected data owners, and by the Information Security Office.

7 Roles and Responsibilities Standard

7.1 Data Owner or Data Authority

A Data Owner or Data Authority is responsible for decisions related to data access, use, storage, and protection of a particular type or collection of data. The data owner is an individual, not a group, department, or committee. This individual may delegate tasks. For assistance in identifying data owners in ambiguous situations, see the CSU Information Security Asset Management Standard.

The Data Owner or Data Authority:

Must inventory and classify data according to the CSU Information Asset Management Policy and CSU Information Security Data Classification Standard.
Must comply with the CSU Access Control Standard and the �� Access Control Standard in authorizing, tracking, and documenting:
- users of data
- uses of data
- stewards of data (those who store and protect the data)
- Must work with the Information Security Office to identify an acceptable level of risk for the data.
- Must work with the Information Security Office to specify and document data controls and convey them to Data Users and Data Stewards. These controls must comply with the CSU Information Security Asset Management Standard, the �� Physical Security standard, and �� Access Control standard. These controls may include, but are not limited to, passwords, access control, encryption, physical locks, and backups.
- Must annually:
  - confirm with Data Stewards that controls are in place
  - review access lists
- Must work with the Information Security Office to approve, justify, and document exceptions to security controls.
- Must perform other duties and fulfill other requirements described in the CSU Information Security Roles and Responsibilities Standard and any other CSU and �� policies and standards when and as necessary.

The Information Security Office maintains a list of Data Owners along with the scope and nature of the data over which they have responsibility. The Information Security Office includes this information in the annual report to the ISSC.

7.2 Data Steward

Data Stewards are appointed and authorized by the Data Owner to store and protect the data. Examples include: Computer System Administrators, Database Administrators, and Managers of physical storage locations or facilities.

A Data Steward:

Must ensure and/or confirm that the data is backed up.
Must restore data from backup media or site.
Must implement and follow all controls specified by the Data Owner and the Information Security Office.
Must notify the Data Owner and the Information Security Office of any vulnerabilities impacting the security of the data, and of any actual or attempted violations of security policies, standards, practices, and procedures.

Must perform other duties and fulfill other requirements described in the CSU Information Security Roles and Responsibilities Standard and any other CSU and �� policies and standards when and as necessary.

7.3 Data User

Data Users are individuals who need and use University data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of that data.

A Data User:

Must follow all CSU and campus security policies and standards.
Must use data only in authorized manners.
Must follow all controls specified by the Data Owner and the Information Security Office.
Must not subject any university information asset to a level of risk beyond that approved by the Data Owner.

Must perform other duties and fulfill other requirements described in the CSU Information Security Roles and Responsibilities Standard and any other CSU and �� policies and standards when and as necessary.

7.4 Information Security Officer and Information Security Steering Committee

The Information Security Officer will:

Coordinate the campus information security program on behalf of the President.
Advise the President and his/her cabinet on all information security matters.
Work closely with campus administrators and executive officers on information security matters.
Oversee campus information security risk assessment activities.
Approve technology and operational controls and methods.
Inform the President (or President designee) of significant information security risks as they are identified.
Develop and maintain information security policies.
Review and approve purchase and/or development of applications or technologies which may exposed protected data to unauthorized access.
Manage the campus information security awareness and training program.
Oversee the campus information security awareness and training program.
Provide input to the campus budget process regarding prioritization and required resources for information security risk mitigation activities and inputs regarding information security risks of proposed projects.
Respond to information security related requests during an audit.
Serve as the campus representative on the CSU Information Security Advisory Committee.
Manage the information security incident response process.
Provide input to campus Business Continuity and Disaster Recovery policies and procedures.

The Information Security Steering Committee (ISSC) will:

review and approve information security procedures, plans and guidelines that affect campus organizations.
members of the ISSC include the campus Chief Information Officer, Information Security Officer and at least two members of campus management

8 Risk Management Standard

Implements ICSUAM 8020 Information Security Risk Management

8.1 Risk Assessments

The Information Security Office will conduct a campus wide information security risk assessment every other year and will conduct other information security risk assessments as needed.

8.2 Response to Identified Risk

Once a risk has been identified, the Risk Management Office and the Information Security Office must establish a time frame, not to exceed six months, for responding to the risk.

During this time, the affected Data Owners, in collaboration with the Risk Management Office and the Information Security Office, must develop and implement strategies for responding to the risk.

The response must reduce the risk to acceptable levels (risk mitigation), share or shift the risk to another party (risk transference), or assume the identified risk (risk acceptance). An information security risk can only be accepted by the President of the University, or the Vice President of the affected division.

8.3 Reporting

In support of ICSUAM 8020.700, the Information Security Office must share all campus wide information security risk assessments and all risk assessments involving Level 1 Protected data with the CSU Chief Information Security Officer.

9 Personnel Security Standard

Implements ICSUAM 8030 Personnel Information Security.

9.1 Revoking Access to Protected Data

When an employee no longer needs access to protected data due to a change of duties within a department, the employee’s Appropriate Administrator must notify the Data Owners of the protected data. The Data Owners must review the employee’s access and revoke any access not otherwise authorized.

When an employee no longer needs access to protected data due to an inter-department change of position, the employee’s former Appropriate Administrator, Human Resources, or Faculty Affairs, as appropriate, must notify the Data Owners of the protected data. Human Resources or Faculty Affairs, as appropriate, must send an email to the employee’s former Appropriate Administrator as a reminder of this requirement. The Data Owners must review the employee’s access and revoke any access not otherwise authorized.

When an employee ends their employment at CSU San Marcos, the employee must clear campus as per the campus exit policy. Unless otherwise authorized, access to all campus protected data must be revoked. Human Resources or Faculty Affairs, as appropriate, must send an email to the employee’s former Appropriate Administrator as a reminder of this requirement.

9.2 Background Checks

Criminal Background Checks must be performed at the time of hire on any employee, staff, faculty, student assistant, consultant, volunteer, or other person performing work for the university, who will handle Level 1 Protected Data. These employees must be identified by their Appropriate Administrator when filling out the personnel requisition form.

9.3 Confidentiality Agreements

All employees, staff, faculty, student assistants, consultants, volunteers, and other persons performing work for the university must, at time of hire, sign a confidentiality agreement.

9.4 Disposition of Information Assets Upon Ending Employment

When an employee ends their employment at CSU San Marcos, electronic and paper files must be promptly reviewed by an appropriate manager to determine who will become the data steward of such files and identify appropriate methods to be used for handling the files. If the separating employee is holding resources subject to a litigation hold, the relevant information must be preserved until the litigation hold has been revoked, at which point the resource is subject to the normal record retention schedule.

Upon ending employment, if a former employee wishes it to obtain a copy of any personal electronic information stored on campus information assets, the former manager and Human Resources or Faculty Affairs, as appropriate, must either provide the personal electronic information to the former employee or allow the former employee to obtain the personal electronic information in a manner that preserves the integrity of all campus information assets.

10 Information Security Awareness Training Standard

Implements ICSUAM 8035 Information Security Awareness and Training.

Information Security Awareness Training will be assigned annually to all staff, faculty, administrators, consultants, auxiliary employees, and student assistants, on the assumption that any of them may come into contact with sensitive data in the course of their work.

Employees must complete the assigned training within two months of its assignment. The training will automatically be reassigned one year after completion.

11 Vulnerability Management Standard

Implements ICSUAM 8045 Information Technology Security.

11.1 Discovering Vulnerabilities

Vulnerabilities may be discovered in multiple ways, including but not limited to the following:

Network-based vulnerability scans
Penetration testing
Vendor announcements
Published vulnerability information
Local discoveries

11.2 Remediating Vulnerabilities

Remotely exploitable vulnerabilities that allow systems to be compromised and are being actively deployed against the University must be remediated as soon as a fix is available.

Other remotely exploitable vulnerabilities that allow systems to be compromised must be remediated no more than one week after a fix becomes available.

Other vulnerabilities must be remediated within 90 days.

12 Monitoring Standard

Implements ICSUAM 8045 Information Technology Security

Campus information systems and assets must implement logging and monitoring, and protect, retain, and dispose of all logs and monitoring data, as described in Section 500 of the CSU Information Technology Security Policy, the CSU Logging Elements Standard, and CSU Executive Order 1031 - Systemwide Records/Information Retention and Disposition Schedules Implementation.

13 Configuration Management Standard

Implements ICSUAM 8045 Information Technology Security and ISCUAM 8050 Configuration Management.

13.1 Default Configuration

All workstations, including laptops, are deployed with a standard configuration which includes anti-malware applications, full disk encryption and the default productivity suite. IITS will automatically update this configuration with security patches as necessary.

13.2 Mobile Device Management

Mobile devices (with the exception of laptop computers) must not contain Level 1 Protected Data. These devices must only access services that are accessible from the public Internet.

13.3 Operating Systems and Software Update

Operating system and software updates may be postponed if an update will cause issues such as incompatibility with other software. Exceptions must be documented and renewed at least annually.

13.4 Storage of User-Generated Documents

The campus provides space for user-generated documents. Campus employees may not use “personal” cloud storage services (i.e. Dropbox, iCloud) to store the documents they create as part of their campus work.

14 Change Control Standard

Implements ICSUAM 8055 Change Control.

All configuration changes to information assets or systems that process, store, receive, transmit, or use CSU protected Level 1 data must be tracked and documented. The documentation must include the nature of the change, the identity of the person making the change, and the time that the change was made.

Departments responsible for information assets or systems that process, store, receive, transmit, or use CSU protected Level 1 data must:

establish criteria, based on risk, that specify when stakeholders must be notified of intended changes and given an opportunity to offer input or raise concerns.

establish criteria, based on risk, that specify when changes must be formally approved by an appropriate administrator.

formally identify individuals who are authorized to make emergency changes that, due to urgency or criticality, need to occur outside of the department’s formal change management process. Such emergency changes must be appropriately documented and promptly submitted, after the change, to the department’s normal change management process.

15 Access Control Standard

Implements ICSUAM 8060 Access Control

15.1 Authorization

Access to Protected Data must be denied until specifically authorized. Authorization to access Level 1 Protected Data must be granted on a per user basis by the Data Owner of the data to be used using the “�� Request for Access to Protected Data” form. These authorizations must follow the principles of need to know, operational need, least privilege, and separation of duties. Data Owners must track any access modifications.

15.1.1 Third Parties

Third parties wishing to access Level 1 Protected data must also receive authorization from affected Data Owners, and must follow all applicable CSU and �� policies, standards, laws, and contracts.

15.1.2 Review

Data Owners must review and renew all access authorizations on a specified date annually. This must be logged on the request form used for the original authorization.

15.2 Authentication

Unique credentials should be used for accessing all campus information systems.

Exceptions allowing the use of shared credentials must be approved by the requesting departments’ manager and by all affected data owners, and the manager and all affected data owners must be informed of the associated risks. The department administering the system being accessed with shared credentials must track all shared credentials in use, must require shared credentials to be reauthorized at least annually, and must deactivate any shared credentials that are not reauthorized.

When passwords are issued they must be one-time Passwords/Keys.

One-time passwords (e.g., passwords assigned during account creation, password resets, or as a second factor for authentication) must be set to a unique value per user and changed immediately after first use.

15.3 Passwords

15.3.1 Requirements

�� Passwords must meet the following requirements:

Minimum length of 10 characters
A combination of letters, numbers and special characters, containing at least three of the following character types:
- Lowercase alphabetic character (a-z)
- Uppercase alphabetic character (A-Z)
- Special character (punctuation, spaces, *, %, $, etc.)
- Number (0-9)
- 180 day lifetime
- 10 authentication attempts before the account is locked.
- 30-minute lockout time.

15.3.2 Storage

Passwords stored in any form, including on paper, must be protected with appropriate controls, including but not limited to being locked up, carried on one’s person at all times, and the use of strong encryption.

Any passwords stored electronically (except for service accounts) must be stored using approved encrypted password management software.

15.4 Public and Shared Resources

Level 1 or 2 Protected assets must never be made public. Campus personnel are encouraged to use discretion and good judgment when deciding what other information to make public, and must comply with all applicable �� and CSU policies and standards, all applicable laws, and all applicable contractual requirements, when doing so.

16 Data Inventory Procedure

Implements ICSUAM 8065 Information Asset Management.

Annually, �� will conduct an inventory of Level 1 data (as defined by the CSU Data Classification Standard). This inventory will be completed by distributing a Level 1 Data Inventory Survey to all Admin II managers or higher.

This survey is to be completed and returned to the Information Security Office.

The Information Security Office will be available to help users complete the Data Inventory survey by appointment.

17 Information Security Incident Response Standard

Implements ICSUAM 8075 Information Security Incident Management.

17.1 Incidents

The Information Security Office will investigate and respond to Information Security incidents involving malware, fraud, harassment, inappropriate use, unauthorized data access, unauthorized physical access, unauthorized system access, unauthorized system use, lost or stolen equipment, other violations of applicable Information Security laws, policies, standards, procedures and contracts, and other violations of the confidentiality, integrity, or availability of information systems or assets for which CSU San Marcos holds responsibility.

17.2 Incident Response Procedure

The Information Security Incident Management program provides responsibilities and directs activities for responding to information security incidents.

17.2.1 Reporting

Persons who suspect a security incident should contact the information one of the following ways:

Send email to infosec@csusm.edu, or
Contact the campus helpdesk at 760-750-4790 or
Visit the campus Help Desk at Kellogg Library, Second Floor.

Please provide the nature of data stored and accessed on any system suspected of being compromised, to the extent that this can be done without using or accessing the system itself.

Callers should state, in particular, if CSU protected level 1 or 2 data violations are suspected such as Social Security Numbers, medical information, grades, or other CSU protected level 1 or 2 data as defined in The CSU Data Classification Standard.

If an Information Security incident is the process causing serious harm to the University or to individuals in the University community, then telephone the University Police at 760-750-4567.

17.2.2 Notification of CSU Chief Information Security Officer

If a reasonable suspicion exists that Level 1 data has been breached, the Information Security Officer must immediately notify the CSU Chief Information Security Officer of the potential incident.

17.2.3 Preservation of Evidence

If a system is suspected of having been compromised, to avoid inadvertently destroying valuable evidence needed to protect other systems and to prove that protected information was not accessed, users and IT support staff must not:

Install or run any additional services, patches, upgrades, or other fixes.
Run anti-malware scans or backup software.

The Information Security Office has forensic software to preserve as much of the evidence as possible from a compromised computer.

17.2.4 Containment of Damage

If a compromised system is believed to be exfiltrating data or attacking other systems, the system must be immediately disconnected from the network.

If the presence of malicious software has been detected then the machine in question must immediately cease to be used and must be disconnected from the network. The Information Technology Help Desk must be notified. The machine must be examined for sensitive data and fully cleaned before use can continue.

17.2.5 Recovery and Remediation

The Information Security Office will work with the affected parties to create and implement a plan to recover from the incident and remediate damage caused by the incident.

Where appropriate, violations of laws, policies, standards, procedures, contracts, or codes of conduct will be referred to other departments such as Judicial Affairs, Employee Relations and Compliance, Residential Life, or Faculty Affairs for further investigation or action.

17.2.6 Follow-up

The Information Security Office will lead a follow-up conversation to identify and apply lessons learned, and to develop and implement corrective actions directed at preventing or mitigating the risk of similar occurrences.

17.2.7 Closing the Incident

When all outstanding action items have been completed, the Information Security Office will close the incident and notify the President and the Information Security Incident Response Team (ISIRT).

18 Physical Security Standard

Implements ICSUAM 8080 Physical Security

18.1 Purpose

All areas containing Level 1 Protected data must be physically protected as per the CSU Information Security Physical Security policy and the CSU Physical and Environmental Security standard.

18.2 Identifying Security Zones

Shared Access Areas and Campus Limited Access Areas will be identified based on responses to the annual Data Inventory Survey and criteria set by the CSU Physical and Environmental Security standard.

18.3 Appropriate Controls

18.3.1 Viewing Controls

The display screens for all campus information systems that have access to protected data must be positioned such that data cannot be readily viewed by unauthorized persons (e.g., through a window, by persons walking in a hallway, or by persons waiting in reception or public areas). If it is not possible to move a display screen to meet the above requirement, a screen filter must be used.

18.3.2 Shared Access Areas

Doors controlling access to the area should be locked when the area is unattended.
Entrance to the area should be monitored and controlled by a trusted individual when the doors are unlocked.
Guests should always be monitored by persons who can prevent unauthorized access to the protected information assets or critical systems in the area.
Assets that contain Level 1 Protected data and can be removed by a single individual, including but not limited to computers or small lock boxes, must be physically locked down or directly supervised at all times.
Cabinets containing Level 1 Protected data must be kept locked, may only be unlocked while the contents are being accessed, and must be relocked immediately afterward.
Workstations that store, process, transmit, or access Level 1 Protected data must be locked with a password when unattended. This password must comply with Section 3.1 of the �� Access Control standard.
Doors controlling access to the area must always be locked.
Guests must always be logged and monitored by persons who can prevent unauthorized access to the protected information assets or critical systems in the area.
Cabinets containing Level 1 Protected data must be locked when unattended.
Workstations that store, process, transmit, or access Level 1 Protected data must be locked with a password when unattended. This password must comply with Section 3.1 of the �� Access Control standard.
Authorization to access the area must be explicitly granted and documented.
Where supported by access controls (for example, card locks), access to the area must log access times and the identity of individuals accessing the area.

18.3.3 Campus Limited Access Areas

19 Compliance Standard

Implements ICSUAM 8090 Compliance

19.1 PCI DSS (Payment Card Industry Data Security Standard)

In accordance with ICSUAM 3102.5 Debit/Credit Card Payment Policy, all people, processes, and systems within the scope of the Payment Card Industry Data Security Standard (PCI DSS) must comply with the PCI DSS.

19.2 Legal Compliance

All University business must be conducted in compliance with all applicable laws, including but not limited to FERPA (Family Educational Rights and Privacy Act) and HIPAA (Health Insurance Portability and Accountability Act).

19.3 Identity Theft Prevention and Red Flags (FTC Red Flags Rule)

19.3.1 Definition and Purpose

A red flag is an event or observation that indicates a heightened probability of identity theft.

Identity theft is strongly related to credit fraud, and CSU San Marcos extends credit to students in the form of Student Loans and Payment Plans.

This standard describes examples of red flags to notice, should they appear in the course of daily business, and direction in responding to red flags.

19.3.2 Possible Red Flags

Red flag events include notification of the University by law enforcement, a credit reporting agency, a victim of identity theft, or another party, that an identity theft has occurred or is suspected of having occurred.

Red flag observations can include anything suspicious about a customer, documents provided, or information provided.

Customer red flags include inconsistencies between the customer's appearance or voice and the photograph or physical description in University records or on the presented identification.

Document red flags include any evidence that a piece of identification, a form, or any other document, has been forged, altered, or destroyed and reassembled.

Information red flags include:

Information, including signatures, conflicting with other information provided by the customer, on file with the University, or available from external sources
Information expected to be unique to an individual, such as a Social Security number, being shared by multiple customers
Social Security Numbers that have not been issued or that appear in the Social Security Administration’s Death Master File
Contact information known by the University to have been previously used for fraudulent purposes

19.3.3 Detection of Red Flags

Some red flags are detected automatically, such as certain kinds of invalid information, some red flags are detected through manual observation, and some are only detected when suspicious circumstances have prompted investigation. Most red flags are most likely to be discovered during the process of authenticating a student.

19.3.4 Response to Red Flags

The detection of a Red Flag by an employee shall be reported to their appropriate administrator and to the IT Helpdesk as per the CSU San Marcos Information Security Incident Response Standard.

Based on the circumstances and the type of red flag, the Appropriate Administrator and the Information Security Incident Response Team, together with the employee will determine the appropriate response.

Appropriate responses may include:

Enhanced authentication measures;
Contacting the individual;
Not lending money;
Not attempting to collect on a debt or not selling a debt to a debt collector;
Notifying law enforcement; or
Determining that no response is warranted under the particular circumstances.

19.3.5 Service Providers

The University remains responsible for compliance with the Red Flags Rule even if it outsources operations to a third party service provider. The written agreement between the University and the third party service provider shall require the third party to have reasonable policies and procedures designed to detect relevant Red Flags that may arise in the performance of the service provider’s activities. The written agreement must also indicate whether the service provider is responsible for notifying only the University of the detection of a Red Flag or if the service provider is responsible for implementing appropriate steps to prevent or mitigate identify theft.

19.3.6 Training

All employees who process any information related to a covered account shall receive training to understand their responsibilities associated with the Identity Theft Protection Standard.

20 Enforcement and Investigation Standard

Implements ICSUAM 8095 Policy Enforcement

Investigations involving employees and students suspected of violating the CSU or �� Information Security policy must be conducted in compliance with all applicable laws, regulations, collective bargaining agreements, and CSU and �� policies.

�� reserves the right to temporarily or permanently suspend, block, or restrict access to information assets, independent of such procedures, when it reasonably appears necessary to do so in order to protect the confidentiality, integrity, availability, or functionality of �� resources or to protect �� from liability.

21 Credits and Acknowledgments

Portions derived, with permission, from the Sonoma State University Information Security Program.
.
Portions derived, with the permission, from the Sacramento State Information Security Policies.
Portions derived, with permission, from the .