SSU Information Security Policy

1.0 Introduction

Sonoma State University is committed to protecting the confidentiality, integrity, and availability of information assets owned, leased, or entrusted to the University. This policy and its associated standards provide direction and support to campus IT and departments for information security in accordance with University requirements and relevant laws and regulations. SSU information security practices are designed to promote and encourage appropriate use of information assets and are not intended to prevent, prohibit, or inhibit the sanctioned use of information assets as required to meet the University’s core mission and campus academic and administrative purposes.

2.0 Scope

The Sonoma State University President is responsible for protecting the confidentiality, integrity, and availability of CSU information assets. Unauthorized modification, deletion, or disclosure of information assets can compromise the integrity of the mission of SSU, violate individual privacy rights, and possibly constitute a criminal act. It is the collective responsibility of all users to ensure:

  1.  Confidentiality of personally identifiable information.
  2.  Integrity of data stored on or processed by CSU/SSU information systems.
  3.  Availability of information stored on or processed by CSU/SSU information systems.
  4.  Maintenance and currency of applications installed on CSU/SSU information systems.
  5.  Compliance with applicable laws, regulations, and CSU/SSU policies governing information security and privacy protection. 

SSU retains ownership (or stewardship) of information assets owned (or leased) by SSU or entrusted to SSU. SSU reserves the right to limit access to its information assets and to use appropriate means to safeguard its data, preserve network and information system integrity, and ensure continued delivery of services to users. This can include, but is not limited to: monitoring communications across CSU/SSU network services, monitoring actions on the CSU/SSU information systems, checking information systems attached to the CSU/SSU network for security vulnerabilities, disconnecting information systems that have become a security hazard, or restricting data to/from CSU/SSU information systems and across network resources.
This policy shall apply to the following:

  1.  All campus departments, including auxiliary units, and external businesses or organizations that provide goods or services to the SSU.
  2.  Central and departmentally-managed information assets.
  3.  All students, faculty, staff, and consultants employed by SSU or any other person having access to SSU information assets.
  4.  All categories of information, regardless of the medium in which the information asset is held (e.g. paper, electronic, oral, etc.).
  5.  Information technology facilities, software, and equipment (including personal computer systems) owned or leased by SSU.

This policy may be supplemented, but not superseded, by additional policies and standards adopted by each campus department. Policies, standards, and implementation procedures referenced in this policy must be developed through consultation with campus officials and key stakeholders. 

3.0 Policy Management

SSU policies shall be updated to reflect changes in SSU’s academic, administrative, or technical environments, or applicable federal/state laws and regulations. SSU’s Information Security Office shall be responsible for overseeing an annual review of this policy.

4.0 Establishing an Information Security Program

Related Links: Information Security Program
SSU has established an information security program that contains administrative, technical, and physical safeguards designed to protect campus information assets. SSU’s information security program implements a risk-based, layered approach that uses preventative, detective, and corrective controls to provide a reasonable level of information security. The campus program:

  1.  Assigns development and management responsibilities for the information security program, including the appointment of an Information Security Officer (ISO).
  2.  Provides for the confidentiality, integrity and availability of information, regardless of the medium in which the information asset is held (e.g. paper, electronic, oral, etc.).
  3.  Develops risk management strategies to identify and mitigate threats and vulnerabilities to information assets.
  4.  Establishes and maintains an incident response plan.
  5.  Maintains ongoing security awareness and training programs. 
  6.  Complies with applicable laws, regulations, and CSU policies.

The campus President is delegated responsibility for implementing an effective information security program. The Senior Director for Information Technology shall exercise these responsibilities on behalf of Sonoma State University through the Information Security Office security program. The information security program must be reviewed at least annually.

5.0 Organizing Information Security

Information security roles and responsibilities need to be identified and defined to achieve security objectives and mitigate risk on campus. SSU is responsible for developing, implementing, and documenting the campus organizational structure that supports the University’s information security program. The organizational structure must define the functions, relationships, responsibilities, and authorities of individuals or committees that support the campus information security program. The campus information security organization structure must be reviewed at least annually.
The campus President (or President-designee) must appoint a campus ISO.

6.0 Information Security Risk Management  

Related Links: Information Security Office Security Program
Risks to information assets must be actively managed in order to prioritize resources and remediation efforts. Risk management involves the identification and evaluation of risks to information security assets (risk assessment) and the development of strategies to reduce the risk to acceptable levels (risk mitigation). SSU develops risk management processes that identify and assess risks to its information assets and reduce such risks to acceptable levels. The campus risk management processes must be used continuously to ensure that risks to information assets are addressed in a timely manner. 

6.1 Risk Assessment

Risk assessments are part of an ongoing risk management process. Risk assessments provide the basis for prioritization and selection of remediation activities and can be used to monitor the effectiveness of campus controls. 
Individuals designated as owners of critical or protected information assets must develop a schedule for conducting continuous risk assessments of campus information assets. The asset owner must document the frequency of the assessment, the risk assessment methodology, the results of the risk assessment, and the mitigation strategies designed to address identified risks.

6.2 Risk Mitigation

Risk mitigation involves prioritizing, evaluating, and implementing appropriate risk-reducing activities recommended as a result of the risk assessment process. Since the elimination of all risk is impossible, campus leadership must balance the cost and effectiveness of the proposed risk-reducing activities against the risk being addressed. Appropriate mechanisms to safeguard information should be selected relative to the security objectives determined by the risk assessment. Controls selected to mitigate risks should include administrative, operational, technical, physical, and environmental measures as appropriate. Mitigation strategies must ensure the confidentiality, integrity, and availability of information assets and be commensurate with risks identified by risk assessments.
For those risks where the risk mitigation strategy involves the use of controls, these controls must ensure that risks are reduced to an acceptable level, taking into account:

  1.  Legal and regulatory requirements and compliance.
  2.  University operation and policy requirements and constraints.
  3.  Cost of implementation, maintenance, and operation.

Each campus must develop and maintain a method for documenting and tracking decisions related to risk mitigation activities.

6.3 Reporting Information Security Risks

The ISO must complete a comprehensive risk assessment of all critical and protected assets at least every two years. The comprehensive report should include a description of the methodology used to conduct the comprehensive risk assessment, the results of the risk assessment, and the campus mitigation strategies for addressing each identified risk. The comprehensive report must be certified by the campus President (or his/her designee).

7.0 Privacy

Related Links: Personal Confidential Information Policy
All users of SSU information technology resources are advised to consider the open nature of information disseminated electronically, especially since SSU is a public entity, and should not assume any degree of privacy or restricted access to information they create or store on SSU systems. No SSU information system or network resource can absolutely ensure that unauthorized persons will not gain access to community member information or activities. However, SSU acknowledges its obligation to respect and protect private information about individuals stored on SSU information systems and network resources.

7.1 Collection of Personal Information

In order to comply with state and federal laws and regulations (e.g., Title V, FERPA, California Public Records Act), SSU may not collect personal information unless the need for it has been clearly established in advance.
Where such information is collected:

  1.  The campus will use reasonable efforts to ensure that personal information is adequately protected from unauthorized disclosure.
  2.  The campus shall store personal information when it is appropriate and relevant to the purpose for which it has been collected.

7.2 Access to Personal Information

Except as noted elsewhere in SSU policy, information about individuals stored on SSU information systems may only be accessed by:

  1.  The individual to whom the stored information applies or their designated representatives.
  2.  Authorized SSU employees with a valid SSU-related business need to access, modify, or disclose that information.
  3.  Appropriate legal authorities.

However, appropriate authorized SSU personnel who have followed established campus procedures may access, modify, and/or disclose information about individuals stored on SSU information systems or a user’s activities on SSU information systems or network resources without consent from the individual. For example, SSU may take such actions for any of the following reasons:

  1.  To comply with applicable state, federal or international laws or regulations.
  2.  To comply with or enforce applicable SSU policy.
  3.  To ensure the confidentiality, integrity or availability of SSU information systems, data, or network resources.
  4.  To respond to valid legal requests or demands for access to SSU information systems, data, or network resources.

If SSU accesses, modifies, and/or discloses information about an individual and/or their activities on SSU information systems or network resources, it will make every reasonable effort to respect information and communications that are privileged or otherwise protected from disclosure by SSU policy or applicable laws. 
SSU is advised to consult the CSU Records Access Manual to determine which records must be made available for public inspection under the California Public Records Act.

7.3 Access to Electronic Data

Individuals who store personally identifiable information (e.g., social security numbers) must use due diligence to prevent unauthorized access to, and disclosure of, confidential, private, or sensitive information.
Browsing, altering, or accessing electronic messages (e.g., email or text) or stored files in another user’s account, computer, or storage device (e.g., disks, USB drives) is prohibited, even when such accounts or files are not password protected, unless specifically authorized by the user for SSU business reasons. This prohibition does not affect:

  1.  Authorized access by a network administrator, computer support technician, or departmental manager where such access is within the scope of that individual’s job duties.
  2.  Campus response to subpoenas or other court orders.
  3.  Campus response to a request pursuant to public record disclosure laws.

8.0 Personnel Security

All users are expected to employ security practices as appropriate to their responsibilities and roles. Users who access protected data must sign a confidentiality (non-disclosure) agreement. This agreement must be regularly renewed.

8.1 Employment Requirements

As part of an effective security program, potential employees must be informed of their information protection obligations, and their trustworthiness to handle protected information must be considered. Background check requirements must be considered for positions involving access to protected information and for positions of trust. Campus personnel procedures must address these elements.

8.2 Separation or Change of Employment

Related Links: Data Disposal Standard; Purging Data from Hard Drives Procedure
The campus must implement procedures to revoke access upon termination, or when job duties no longer require a legitimate business reason for access, except where specifically permitted by University policy and by the data owner. 
Unless otherwise authorized, when an employee voluntarily or involuntarily separates from the University, information system privileges, including all internal, physical, and remote access, must be promptly disabled or removed. 
Procedures must be implemented to ensure proper disposition of electronic information resources upon termination. See: Data Disposal Standard; Purging Data from Hard Drives Procedure.
Electronic and paper files must be promptly reviewed by an appropriate manager to determine who will become the data steward of such files and identify appropriate methods to be used for handling the files. 
If any electronic information resources are subject to a litigation hold, the department must ensure preservation of relevant information before final disposition of electronic information resources. 
SSU must verify that items granting physical access such as keys and access cards are collected from the exiting employee. Any access list that grants the exiting employee physical access to a secured campus limited-access area must be updated appropriately to reflect the change in employment status. 
Information system privileges retained after separation from the University must be documented and authorized by an appropriate campus official.

9.0 Security Awareness and Training  

Related Links: Information Security Training Standard
SSU must implement a program for providing appropriate information security awareness and training to its employees. The campus information security awareness program must promote campus strategies for protecting information assets. All employees must participate in security awareness training. When appropriate, information security training must be provided to individuals whose job functions require specialized skill or knowledge in information security. 

9.1 Security Awareness 

The security awareness program must provide an overview of campus information security policies, and help individuals recognize and appropriately respond to threats to campus information assets. The program must promote awareness of:

  1.  CSU and campus information security policies, standards, procedures, and guidelines.
  2.  Potential threats against campus information assets.
  3.  Appropriate controls and procedures to protect the confidentiality, integrity, and availability of information assets.

After receiving initial security awareness training, employees must receive follow-up awareness training annually to reflect changes in information security policy and standards. 

9.2 Security Training

When necessary, the campus information security program must also provide or coordinate training for individuals whose job functions require special knowledge of security threats, vulnerabilities, and safeguards. This training must focus on expanding knowledge, skills, and abilities for individuals who are assigned information security responsibilities.

10.0 Managing Third Party Service Providers

Related Links: Information Security Outsource/Vendor Policy
Third party service providers must be required to adhere to campus information security policies and standards. A risk assessment must be conducted to determine the specific implications and control requirements for the service provided. 

11.0 Information Technology Security  

Campuses must develop and implement appropriate technical controls to minimize risks to their information technology infrastructure. Each campus must take reasonable steps to protect the confidentiality, integrity, and availability of its critical information systems and protected data from threats.

11.1 Malicious Software Protection

Related Links: Malicious Software Protection Standard
Each campus must have procedures in place to effectively detect, prevent, and report malicious software. Electronic data received from untrusted sources must be checked for malicious software prior to being placed on an SSU network or information system.

11.2 Network Security 

The campus must appropriately design and segment its networks—based on risk, data classification, and access—in order to secure its information assets. The campus must implement and regularly review a documented process for transmitting data over the campus network. This process must include the identification of critical information systems and protected data that traverse or reside on the campus network. Campus processes for transmitting or storing critical and protected data must ensure confidentiality, integrity, and availability.

11.3 Mobile Devices  

The campus must develop and implement controls for securing protected data stored on mobile devices. Critical or protected data must not be stored on mobile devices unless effective security controls have been implemented to protect the data. Encryption, or equally effective measures, must be used on all mobile devices that store critical or protected data. Alternatives to encryption must be reviewed on a case-by-case basis and approved in writing by the Information Security Officer. Other effective measures include physical protection that ensures only authorized access to the information asset.

11.4 Information System Logs

Related Links: Log Anomaly Detection and Management Procedure
Campuses must implement logging and monitoring controls on appropriate information systems and network resources. Activity records created by logging and monitoring controls must be reviewed regularly. Server administrators are required to regularly scan, remediate, and report unremediated vulnerabilities to the system owner or application administrator within a prescribed timeframe. The risk level of a system determines the frequency at which its logs must be reviewed. Campus systems must complete a periodic, but not less than annual, risk assessment to ensure they follow the appropriate monitoring requirements. Risk factors to consider are:

  1.  Criticality of business process.
  2.  Information classification associated with the system.
  3.  Past experience or understanding of system vulnerabilities.
  4.  System exposure (e.g., services offered to the Internet).

Logging and monitoring data must be protected from unauthorized access. The campus must ensure that individuals are granted access to data generated from log and monitoring files based on a need to know.
Data generated by logging and monitoring must be retained for a period of time that is consistent with effective use, the CSU records retention schedule, and regulatory and legal requirements such as compliance with litigation holds.

12.0 Configuration Management

Related Links: ISO Security Standards, Computer Application Control Procedure
The campus must develop and implement configuration standards to ensure that information technology systems, network resources, and applications are appropriately secured to protect confidentiality, integrity, and availability.

13.0 Change Control

Related Links: Web Application Security Review, Web Application Development Security
Changes to information technology systems, network resources, and applications need to be appropriately managed to ensure they do not introduce unexpected vulnerabilities or adversely impact existing security protections. The campus must establish and document a method to manage changes to campus information assets. The process must evaluate the information security impact of changes by taking a risk-based approach to change control. 
Changes to critical assets or assets containing protected data will likely require a more rigorous review than changes to non-critical assets. Changes to critical information assets or assets containing protected data must be made in accordance with a formal, documented change control process. Changes which may impact the security of critical information assets must be identified along with the level of control necessary to manage the change. The campus should define and publish the scope of “significant” changes to campus information assets in order to be sure that all affected parties have adequate information to determine if a proposed change is subject to the change management approval process.

13.1 Emergency Changes

Only properly authorized persons may make an emergency change to campus information systems, data, or network resources. Emergency changes are defined as changes which, due to urgency or criticality, need to occur outside of the campus’ formal change management process. Such emergency changes should be appropriately documented and promptly submitted, after the change, to the campus’ normal change management process.

14.0 Access Control

Related Links: Password Management Standard, Privileged Account Management Standard, Creating and Managing Privileged Accounts Procedure, Computing Accounts Available at the Helpdesk
On-campus or remote access to critical or protected information assets must be based on operational and security requirements. Appropriate controls must be in place to safeguard against unauthorized access to critical and protected information assets. This includes not only the primary operational copy of the information asset, but also data extracts and backup copies.
The campus must have a documented process for provisioning approved additions, changes, and terminations of access rights and reviewing access of existing account holders. Authorized users and their access privileges should be specified by the data owner, unless otherwise defined by CSU/campus policy.
Access to campus critical information assets and protected data must be denied until specifically authorized.

14.1 Granting Access 

Access to campus critical information assets and protected data may be provided only to those having a need for specific access in order to accomplish an authorized task and must be based on the principles of need-to-know and least privilege. Authentication controls must be implemented for access to campus critical information assets and protected data. 
Authentication credentials used for access to campus critical information assets and protected data must be unique to each individual and may not be shared unless authorized by appropriate campus management. Where approval is granted for shared authentication, the requesting organization must be informed of the risks of such access and the shared account must be assigned a designated owner. Shared authentication privileges must be regularly reviewed and re-approved at least annually.

14.2 Granting Access to Third Party Service Providers

Third party service providers may be granted access to campus information assets only when they have a need for specific access in order to accomplish an authorized task. This access must be authorized by an appropriate campus official and based on the principles of need-to-know and least privilege. 
Access to campus information assets by third party service providers must not be allowed until it has been authorized, appropriate security controls have been implemented, and a contract/agreement has been signed defining the terms for access.

14.3 Segregation of Duties

The principles of separation of duties should be followed when assigning job responsibilities relating to restricted or essential resources. The campus must maintain an appropriate level of segregation of duties when issuing credentials to individuals who have access to critical information assets and protected data. The campus must avoid issuing credentials that allow a user to have excessive authority over critical assets or protected data. 

14.4 Access Review

The campus must develop procedures to detect unauthorized access and privileges assigned to authorized users that exceed the required access rights needed to perform their job functions. Appropriate campus managers and data owners must review, at least annually, user access rights to critical information assets. The results of the review must be documented. 

14.4.1 Access Review – PeopleSoft Applications

The campus must perform an annual review of access granted to general and technical users of the PeopleSoft application and production databases to determine whether continuing access is necessary and appropriate. The results from the review must be documented using the guidelines provided in the CSU PeopleSoft Access Review Standard.

14.4.2 Access Review – Privileged Account Holders

Supervisors or other employees must periodically review the system administration work of personnel with access to privileged accounts on shared servers. Such action is intended to provide a periodic audit or review for those system administration functions that are not otherwise audited or reviewed in the course of being completed.

14.5 Modifying Access

Modifications to user access privileges must be tracked and logged. Users experiencing a change in employment status (e.g., termination or position change) must have their logical access rights reviewed, and if necessary, modified or revoked.

15.0 Information Asset Management

Related Links: Discovering Networked Assets and Vulnerabilities Procedure, Data Classification Standard, Data Disposal Standard
The campus must maintain an inventory of its information assets containing critical or protected data. These assets must be categorized and protected throughout their entire life cycle, from origination to destruction. The campus must develop and maintain a data classification standard that meets or exceeds the requirements of the CSU Data Classification Standard.
The designated owner of the information asset is responsible for: 

  1.  Classifying the information asset according to the campus Data Classification Standard.
  2.  Defining security requirements that are proportionate to the value of the information asset.
  3.  Managing the information asset according to the requirements described in the campus Information Asset Management Standard. 

Data should not be transferred to another individual or system without approval of the data owner. Before critical or protected data is transferred to a destination system, the data owner should establish agreements to ensure that authorized users implement appropriate security measures.

16.0 Information Systems Acquisition, Development, and Maintenance

Related Links: Web Application Security Review Standard and Procedure, Web Application Development Security, PCI DSS Standard, Wireless Technology and Payment Card Transaction Standard, PCI DSS Merchant Procedures, PCI Incident-Breach Procedure
The campus must integrate information security requirements into the software development life cycle of information systems that are critical to the University or information systems that contain protected data. The security requirements must identify controls that are needed to ensure confidentiality, integrity, and availability. These controls must be appropriate, cost-effective, and mitigate risks that may result from unauthorized access, use, disclosure, disruption, modification, or destruction of the information asset. 

17.0 Information Security Incident Management

Related Links: Information Security Incident Policy, PCI Incident-Breach Procedure
The campus must develop and maintain an incident response program that includes processes for investigating, responding, reporting, and recovering from incidents involving loss, damage, misuse of information assets, or improper dissemination of critical or protected information, regardless of the medium in which the breached information is held (e.g. paper, electronic, oral). The campus program must:

  1.  Designate specific personnel to respond to information security incidents in a timely manner. 
  2.  Include procedures for documenting the incident, determining notification requirements, implementing remediation strategies, and reporting to management. 
  3.  Include processes to facilitate the application of lessons learned from incidents.
  4.  Support the development and implementation of appropriate corrective actions directed to preventing or mitigating the risk of similar occurrences.

The campus incident response plans must be tested annually and comply with the CSU Information Security Incident Management Standards. 
When the campus determines an incident must be reported to individuals or the media, the campus must immediately notify the Chancellor and the Senior Director of Systemwide Information Security Management.

18.0 Physical Security

The campus must identify physical areas that must be protected from unauthorized physical access. Such areas would include data centers and other locations on the campus where critical or protected assets are stored. The campus must protect these areas from unauthorized physical access while ensuring that authorized users have appropriate access. Campus information assets stored in public and non-public access areas must be physically secured to prevent theft, tampering, or damage. The level of protection provided must be commensurate with the identifiable risks. Campuses must document physical access to limited-access areas and review these access rights annually.

19.0 Business Continuity and Disaster Recovery

An information security program needs to support the maintenance and potential restoration of operations through both minor and catastrophic disruptions. Campuses must ensure that their critical information assets can, in the case of a catastrophic event, continue to operate and be appropriately accessible to users. Each campus must maintain an ongoing program that ensures the continuity of essential functions and operations following a catastrophic event. The program must be in compliance with CSU Executive Order 1014.

20.0 Compliance

The CSU shall, in consultation with the CSU legal staff and other subject matter experts, regularly identify and define laws and regulations that apply to CSU information assets. The CSU shall provide this information to campuses as it develops. Campuses must develop and maintain information security policies and standards that comply with applicable laws and regulations and the CSU policies that apply to campus information assets. 

21.0 Policy Enforcement

SSU respects the rights of its employees and students. In support of this policy, the campus must establish procedures which assure that investigations involving employees and students suspected of violating this policy are conducted in a fair and equitable manner. These procedures must comply with appropriate regulations (e.g., California Education Code and Title V), collective bargaining agreements, and CSU/campus policies. Additionally, campuses must develop procedures for reporting violations of this policy.
The University reserves the right to temporarily or permanently suspend, block, or restrict access to information assets, independent of such procedures, when it reasonably appears necessary to do so in order to protect the confidentiality, integrity, availability, or functionality of University resources or to protect the University from liability. 

Student infractions of this policy may be referred to the Office of Student Judicial Affairs. Third party service providers who do not comply with this policy may be subject to appropriate actions as defined in contractual agreements.

Policy Purpose: This document establishes the baseline policy for Sonoma State University. All subsequent policies, standards, and procedures are to implement this policy.
Policy Number: 04-106
Version: 1.0.0 - Draft
Effective Date: January 1, 2009
Prepared by: Barry Blackburn
Date Prepared: November 9, 2009
Approved By: Sam Scalise
Date Approved: December 16, 2008
Last Updated By: Barry Blackburn
Date Last Updated: November 9, 2009
Associated Standards and/or Procedures: See the body of this policy and the Policy, Standards, and Procedures web pages.
Contact(s): Barry Blackburn (ISO)