Integrated CSU Administrative Manual

CSU POLICY

Section:   INFORMATION SECURITY POLICY

Section 8000 Policies

Policy Number:   8030.0

Policy Title: Personnel Information Security

Policy Effective Date: April 19, 2010

Last Revision Date:  
(see revision history)

POLICY OBJECTIVE

The CSU Information Security policy provides direction and support for managing personnel information security, defines pre-employment requirements, and provides guidance for managing separations or changes in employment status.

POLICY STATEMENT


100 Personnel Information Security

All users are expected to employ security practices appropriate to their responsibilities and roles.  Users who access level 1 or level 2 data as defined in the CSU Data Classification Standard must sign an approved system-wide confidentiality (non-disclosure) agreement.

200 Employment Requirements

Campuses must develop procedures to conduct background checks on positions involving access to level 1 information assets as defined in the CSU Data Classification Standard.

 

300 Separation or Change of Employment

Campuses must implement procedures to revoke access to information resources upon termination of employment, or when job duties no longer provide a legitimate business reason for access, except where specifically permitted by campus policy and by the data owner.  Unless otherwise authorized, when an employee voluntarily or involuntarily separates from the campus, information system privileges, including all internal, physical, and remote access, must be promptly revoked.

Procedures must be implemented to ensure proper disposition of information assets upon termination.  Electronic and paper files must be promptly reviewed by an appropriate manager to determine who will become the data steward of such files and identify appropriate methods to be used for handling the files.  If the separating employee is holding resources subject to a litigation hold, the campus must ensure preservation of relevant information until the litigation hold has been revoked, at which point the resource is subject to the normal record retention schedule.

Campuses must verify that items granting physical access such as keys and access cards are collected from the exiting employee.  Any access list that grants the exiting employee physical access to a limited-access area on the campus must be updated appropriately to reflect the change in employment status.

Each campus must establish procedures to allow for separated employees to obtain such incidental personal electronic information as appropriate.

Information system privileges retained after separation from the campus must be documented and authorized by an appropriate campus official.

Benjamin F. Quillian
Executive Vice-Chancellor/Chief Financial Officer

Approved: April 19, 2010

APPLICABILITY AND AREAS OF RESPONSIBILITY

 

REVISION HISTORY

 

RESOURCES AND REFERENCE MATERIALS

Useful Guidelines:

 

Related Principles:

 

Sound Business Practices:

 

Laws, State Codes, Regulations and Mandates:

8030.S000 Personnel Security Standard

COGNIZANT OFFICE(S)

CO Manager:

Mr. William Perry
Chief Information Security Officer
CSU Office of the Chancellor
wperry@calstate.edu

Subject Expert:

Mr. William Perry
Chief Information Security Officer
CSU Office of the Chancellor
wperry@calstate.edu

Affinity Group:

 

Feedback/Questions/Comments