POLICY OBJECTIVE

The CSU Information Security policy provides direction and support for managing CSU information assets.

POLICY STATEMENT

Each campus must develop and maintain a data classification standard that meets or exceeds the requirements of the CSU Data Classification Standard.

Campuses must maintain an inventory of information assets containing level 1 or level 2 data as defined in the CSU Data Classification Standard. These assets must be categorized and protected throughout their entire life cycle, from origination to destruction.

The designated owner of information assets that store protected data is responsible for:

Classifying the information asset according to the campus Data Classification Standard.
Defining security requirements that are proportionate to the value of the information asset.
Managing the information asset according to the requirements described in the campus Information Asset Management Standard.

Critical or protected data must not be transferred to another individual or system without approval of the data owner. Before critical or protected data is transferred to a destination system, the data owner should establish agreements to ensure that authorized users implement appropriate security measures.

Benjamin F. Quillian
Executive Vice-Chancellor/Chief Financial Officer

Approved: April 19, 2010

APPLICABILITY AND AREAS OF RESPONSIBILITY

REVISION HISTORY

RESOURCES AND REFERENCE MATERIALS

Useful Guidelines:

Related Principles:

Sound Business Practices:

Laws, State Codes, Regulations and Mandates:

8065.S02 Information Security Data Classification Standard

COGNIZANT OFFICE(S)

CO Manager:

Mr. William Perry
Chief Information Security Officer
CSU Office of the Chancellor
wperry@calstate.edu

Subject Expert: