UNIVERSITY POLICIES AND PROCEDURES
SUBJECT: SECURITY BREACH OF PERSONAL INFORMATION POLICY
POLICY NO.: 500-13      REVISION: NEW       ISSUED: 7/5/2006       EFFECTIVE: 7/5/2006

POLICY:

Personal information in paper or electronic format will be protected from unauthorized acquisition. Should a breach result in unauthorized acquisition of personal information, information owners will be notified of the incident in a timely manner, in accordance with the Campus Incident Response Procedure for Security Breaches of Personal Information.

PURPOSE:

The purpose of this policy is to outline procedures and protocols for responding to a security breach involving personal information in paper or unencrypted electronic format processed and/or maintained by the university and its auxiliary organizations.

DEFINITIONS:

Acquisition: Personal information will be considered to be acquired, or reasonably believed to be acquired by an unauthorized person in any of the following situations:

1. Loss of documents – Lost or stolen documents containing personal information.
2. Loss of computing system – Loss of any server, desktop, laptop, or personal digital assistant (PDA) containing unencrypted personal information.
3. Hacking incident – A successful intrusion of a computer system via the network.
4. Unauthorized data access – The access or attempt to access data maintained by California State University, Northridge by individuals who are not authorized to access that data. This includes situations where individuals have received data that they are not authorized to access: emails sent to the wrong recipient, paper documents sent to the wrong recipient, and incorrect computer access settings. This also covers situations where unencrypted personal information has been downloaded, copied or used by an unauthorized person.

Unencrypted: Unencrypted data is called plain or clear text. Encrypted data has been altered to be unintelligible to unauthorized parties.

Personal Information: Personal Information means an individual's first name or initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

1. Social Security Number (SSN), or last 4 digits of SSN with date of birth (DOB).
2. Driver's license number or California Identification Card number.
3. Account number (which could include a student identification number), credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Breach of Security: The unauthorized acquisition of paper or computerized data that compromises the security, confidentiality, or integrity of personal information maintained by California State University, Northridge. This does not include good faith acquisition of personal information by an employee or agent of California State University, Northridge, if the personal information is not used or subject to further unauthorized disclosure.

RESPONSIBILITIES:

The following individuals and organizational units have policy responsibilities:

A. Information Security Officer:
The Information Security Officer is responsible for ensuring that the campus incident response process for computing systems and data resources is followed. For more information on the responsibilities of the ISO, please see the Campus Incident Response Procedure for Security Breaches of Personal Information.
B. Campus Units (divisions, units, departments, colleges, centers):
The Campus Units must:
1. Inform users granted access to personal information of their responsibilities to secure such data from unauthorized release.
2. Develop and maintain control records in a secure environment.
3. Establish monitoring procedures to identify unauthorized access to or anomalous activity.
4. Report suspected unauthorized acquisition of personal information to the Information Security Officer.
C. Data Users:
Data Users must:
1. Abide by established procedures on access to and use of personal information.
2. Protect the resources under their control, such as access passwords, computers, and data they download.
3. Report to the Information Security Officer any unauthorized acquisition of, or anomalous activity involving, personal information which may have resulted in the release of personal information to unauthorized individuals.
D. Campus Incident Response Team:
The campus incident response team is responsible for coordinating a review of any security breach that potentially involves the unauthorized access of personal information. For more information on the responsibilities of the CIRT team, please see the Campus Incident Response Procedure for Security Breaches of Personal Information.

REFERENCES:

CSUN Information Security

Protection of Confidential Electronic Information

California Civil Code Sections 1798.29 and 1798.82 to 1798.84

FURTHER INFORMATION:

Chief Information Officer (hilary.baker@csun.edu)


Approved by the President


California State University, Northridge at 18111 Nordhoff Street, Northridge, CA 91330 / Phone: 818-677-1200 / © 2006 CSU Northridge

Last Updated: 4/20/2007