PURPOSE:
This document establishes uniform, campus-wide policies and procedures for protecting all confidential information in CSUN's custody, including but not limited to private, personal, or sensitive information, and assures compliance with existing CSUN and CSU Information Security Policies. It addresses information that includes, but is not limited to, passwords, confidential stored data, and confidential data that passes over campus networks and the Internet.
POLICY/PROCEDURES:
1. All University personnel are required to be aware of the appropriate Family Educational Rights and Privacy Act (FERPA) regulations and all University policies and procedures regarding sensitive and confidential information. These include, but are not limited to, all CSU Information Security Policies, CSUN Information Security Policy, the University Policy for Use of Computing Resources, and CSUN Policies and Procedures on Student Records Administration.
2. All University Colleges and other Administrative Units must observe uniform password policies and controls with regard to length, composition, lifetime, retry policy, etc.
3. Confidential information in CSUN's custody, including but not limited to private, personal, or sensitive information, may be copied and temporarily saved only when necessary for the business of the University, and must be saved only on a secure computer that requires authentication and/or password protection. All temporary copies must be deleted as soon as they are no longer being used. Computers that contain confidential information must be wiped clean (deleted and erased) when they are no longer in use for that purpose.
4. All confidential data, and private, personal, or sensitive information including passwords, that passes over the campus wireless networks or the campus Internet boundary must be encrypted by employing appropriate encryption software or protocols, such as Virtual Private Network (VPN), Secure Shell (SSH), or HTTPS, that ensure the confidentiality of data transfers. This includes data that is automatically transferred over the network to off-campus vendors.
RESPONSIBILITIES:
1. All University Colleges and other Administrative Units must take steps to educate their employees and consultants on the appropriate FERPA regulations and University Policies and Practices that apply to confidential information, including but not limited to private, personal, or sensitive information. This includes data that is stored off campus and maintained by CSUN employees, consultants, or vendors.
2. Individual University personnel are responsible for understanding the regulations, policies, and procedures regarding confidential information, including but not limited to private, personal, or sensitive information, and are responsible for using a secure computer and appropriate security software when accessing such information.
3. IT is responsible for the maintenance and protection of user accounts and passwords, via the campus directory, and is responsible for providing the appropriate infrastructure for secure network connections, both on campus and across the campus/Internet boundary.
4. Local IT units are responsible for ensuring that all computers, both on and off campus, that are used to access confidential information in CSUN's custody, including but not limited to private, personal, or sensitive information, are configured to support proper password maintenance and the appropriate security software, such as Virtual Private Network (VPN) or Secure Shell (SSH). They are also responsible for ensuring that all computers that contain confidential information are wiped clean of this information when they are no longer in use for that purpose.
REFERENCES:
Family Educational Rights and Privacy Act (FERPA)
CSU Information Security Policy
University Policy for Use of Computing Resources
Student Records Administration Policy
FURTHER INFORMATION:
Chief Information Officer (hilary.baker@csun.edu)
Approved by the President