CSU POLICY
Section: INFORMATION SECURITY POLICY
Policy Number: 8035.0
Policy Title: Information Security Awareness and Training
Policy Effective Date: April 19, 2010
Last Revision Date: (see revision history)
POLICY OBJECTIVE
The CSU Information Security policy provides direction and support for developing and managing information security awareness and training programs.
POLICY STATEMENT
100 Information Security Awareness and Training
Each campus must implement a program that provides employees with information security awareness and training appropriate to their access to campus information assets. The campus information security awareness program must promote campus strategies for protecting information assets containing protected data.
All employees with access to protected data and information assets must participate in appropriate information security awareness training. When appropriate, information security training must be provided to individuals whose job functions require specialized skill or knowledge in information security.
200 Information Security Awareness
The security awareness program must provide an overview of campus information security policies, and help individuals recognize and appropriately respond to threats to campus information assets containing level 1 or level 2 data as defined in the CSU Data Classification Standard.
The program must promote awareness of:
- CSU and campus information security policies, standards, procedures, and guidelines.
- Potential threats against campus protected data and information assets.
- Appropriate controls and procedures to protect the confidentiality, integrity, and availability of protected data and information assets.
- CSU and campus notification procedures in the event protected data is compromised.
After receiving initial security awareness training, employees must receive regular updates on policies, standards, procedures, and guidelines. The updates should be relevant to the employee’s job function, duties, and responsibilities.
300 Information Security Training
When necessary, the campus information security program must provide or coordinate training for individuals whose job functions require special knowledge of security threats, vulnerabilities, and safeguards. This training must focus on expanding knowledge, skills, and abilities for individuals who are assigned information security responsibilities.
Benjamin F. Quillian
Executive Vice-Chancellor/Chief Financial Officer
Approved: April 19, 2010
APPLICABILITY AND AREAS OF RESPONSIBILITY
REVISION HISTORY
RESOURCES AND REFERENCE MATERIALS
Useful Guidelines:
Related Principles:
Sound Business Practices:
Laws, State Codes, Regulations and Mandates:
COGNIZANT OFFICE(S)
CO Manager: Mr. William Perry
Chief Information Security Officer
CSU Office of the Chancellor
wperry@calstate.edu
