Consultation on CSU Systemwide Information Security Drafts on Standards, Policy and Acceptable Use
RESOLVED: In response to the request for review and comment of the following draft documents developed by the Consulting firm of CH2M Hill under the auspices of the Assistant Vice Chancellor of Information Technology Services:
The California State University System-wide Information Security Policy, April 18, 2008
The California State University System-wide Information Standards Document, April 11, 2008
The California State University Acceptable Use Policy, April 11, 2008
That the Academic Senate California State University (CSU) recommend that the Office of the Chancellor request that campuses allow sufficient and adequate consultative review and comment, including those from Academic Senates using the appropriate consultative process, regarding the issues being proposed in the three draft documents listed above; and be it further
RESOLVED: That the Academic Senate CSU recommend that the Academic Technology Advisory Committee (ATAC) be requested to review any and all comments forwarded by each campus and that ATAC recommend appropriate revisions to the three draft documents listed above; and be it further
RESOLVED: That the Academic Senate CSU recommend that the Chancellor delay final approval of systemwide information security policy, standards, as well as acceptable use policy to allow for sufficient time to complete the recommended review process; and be it further
RESOLVED: That the Academic Senate CSU recommend that campus Presidents, Provosts and Senate chairs be provided with copies of this resolution and that campuses proceed expeditiously but also thoroughly in their review and comment of the three draft documents listed above.
RATIONALE: The following is excerpted from the introduction to the “Information Security Policy” draft document.
The California State University (CSU) is a public institution committed to the ideals of academic freedom and freedom of expression. To promote these ideals, the CSU uses and offers access to a variety of information systems, data, and network resources… This policy establishes how information assets are used and provided to users. The unauthorized collection, modification, deletion, disclosure, or misuse of CSU information assets can compromise the mission of the University, violate individuals’ rights to privacy, or constitute a criminal act.
The “Information Security Roles and Responsibilities” specified in the Standards Document identify only the campus President, the campus Information Technology Administrator, and the Information Security Officer. In practice, the authority for interpretation and implementation of the proposed policies would be vested in the campus Information Security Officer on each campus. The three draft documents contain no provisions for maintaining oversight of the appropriateness of proposed policies and practices as they are implemented, nor is there provision for the establishment of a process for providing checks and balances on the decisions affecting “acceptable use” of information resources and consequently how the “principle of academic freedom” will be a key factor in assuring the effective application of the proposed policy and related standards.
The intent of this resolution is to ensure that the development and implementation of information security policies and standards as well as acceptable use policies include sufficient and technically informed oversight. The Academic Senate of the California State University believes that such ongoing oversight is essential to ensure both responsible use of campus information systems, data, and network resources and the ability for all members of the campus community to effectively perform their academic and administrative responsibilities.
Unanimously – May 8-9, 2008