California State University, Monterey Bay recognizes its affirmative and continuing obligation to protect the confidentiality, maintain the integrity, and ensure the availability of information about and used by CSUMB faculty, staff, students and customers and to provide appropriate administrative, technical and physical safeguards to protect university information assets.
The California State University, Monterey Bay Information Security Program provides the framework for assisting the University with meeting it’s responsibilities to:
- Safeguard personal and confidential information of CSUMB faculty, staff, administrators, students and customers and other CSUMB sensitive data;
- Protect against anticipated threats or hazards to the physical security or integrity of CSUMB information assets;
- Protect the privacy of CSUMB faculty, staff, administrators, students, and customers by preventing non-permitted disclosure of personal and confidential information; and
- Ensure campus compliance with federal and state law, regulations, and CSU and CSUMB policies, procedures, and standards regarding information security and privacy.
The CSUMB Information Security Program applies to:
- Information that is acquired, transmitted, processed, transferred and/or maintained by CSU Monterey Bay and CSU Monterey Bay auxiliary organizations;
- All data systems and equipment including departmental, divisional and other ancillary systems and equipment as well as data residing on theses systems and equipment;
- Devices used by CSUMB faculty, staff, and administrators which access CSUMB information assets; and
- Faculty, staff administrators, students, and consultants employed by CSUMB or CSUMB auxiliary organizations and other persons having access to CSUMB information assets.
Roles & responsibilities
University Information Security Officer
The Information Security Officer is an appropriate administrator designated by the President and delegated responsibility for developing policies, procedures, and standards regarding the acquisition, transmission, processing, maintenance, safeguarding, release and disposal of personal and confidential information and other CSUMB sensitive data; developing training and informational materials; and assessing and ensuring the University’s compliance with applicable laws, regulations, and CSU and University policies, procedures, and standards regarding information retention, security and privacy.
Custodians of records
Custodians of Records are appropriate administrators designated by each Vice President who are responsible for responding to subpoenas, court orders, request for records under the California Public Records Act or other compulsory legal processes which involve the release of University records and personal information.
University Administrators are managers and supervisors included in the Management Personnel Plan (MPP) or equivalent in CSUMB auxiliary organizations. University Administrators are responsible for ensuring compliance with established information security policies, procedures and standards within their respective college, department, administrative area, or organization.
Faculty, Staff and Auxiliary employees
CSUMB Faculty, CSUMB Staff Members and employees of Auxiliary Organizations who, in the course and scope of their duties and responsibilities, access, collect, distribute, process, store, use, transmit or dispose of personal or other CSUMB sensitive data are responsible for following established information security policies, procedures, and standards.
Access: A personal inspection or review of the personal information or a copy of the personal information, or an oral or written description or communication of the personal information.Disclosure: To permit access to or to release, transfer, disseminate, or otherwise communication all or any part of the personal information by any means, orally, in writing, or by electronic or any other means to any person or entity.
Personal Information: As used in this document means in any information identified in governing law, regulation or policy as personal information, individually identifiable health information, confidential information, education records, personally identifiable information, non-public information, non-public personal data, confidential personal information or sensitive information. Personally identifiable information (PII), or Sensitive Personal Information (SPI), as used in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
It is information that identifies or describes an individual, including but not limited to, his or her social security number, physical description, home address, home telephone number, ethnicity, gender, telephone number, signature, passport number, bank account number, education, financial matters, medical or employment history, performance evaluations, full facial photos and other biometric identifiers. It includes statements made by, or attributed to, the individual.Personal information also includes computerized data that includes an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social Security Number; (2) driver’s license numbers or California Identification Card number; (3) account number, including a student or employee identification number, credit or debit card number in combination with any required security code, access code, or password that would permit access to any individual’s financial account.Personal information does not include publicly available information that is lawfully made available to the general public from federal state, or local government records or publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number.
Directory Information: Any student information that is not generally considered to be harmful to or an invasion of a student’s privacy. CSUMB designated Directory Information includes student name, address and telephone number (see comments), major field of study, dates of attendance, degrees and awards received, and email address.
Education Record: Any record (in handwriting, print, tape, film, computer or other medium) which is directly related to a student.
Financial Information: Includes but is not limited to information about an individual’s number of tax exemptions, amount of taxes or OASDI withheld, amount and type of voluntary/involuntary deductions/reductions, survivor’s amounts, net pay and designee for last payroll warrant.
Handled: The access, collection, distribution, process, protection, storage, use, transmittal or disposal of information containing personal data individually identifiable.
Health Information: Medical information protected by the Health Insurance Portability and Accountability Act (HIPAA) passed by Congress in 1996 includes or contains any element of personal identifying information sufficient to allow identification of the individual such as the individual’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.
Permitted Disclosures: Disclosures of personal information permitted under the California Information Practices Act of 1977. (See Appendix A)
Service Provider: Any person or entity that receives, maintains, processes, or otherwise is permitted access to personal information through is provision of service directly to the University.
Student: Any person who is attending or has previously attended California State University, Monterey Bay. This includes any person who has been enrolled in the regular, extension or special (i.e., summer or winter), regardless of the physical location of the program.
Third Party: Any individual or individual on behalf of an organization who is not any employee of California State University, Monterey Bay.
Information security risks
There are several reasonable and foreseeable internal and external risks to the security and integrity of personal information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the security and confidentiality of personal and confidential information. These risks may include, but are not limited to:
- Unauthorized access of personal information by individuals not approved for access
- Compromised system security
- Interception of data during transmission
- Loss of data integrity
- Physical loss of data
- Poor audit trails
- Unauthorized access of personal information by employees
- Unauthorized transfer of personal information to third parties or employees not approved for access
- Unauthorized transfer of personal information by third parties
Management & control of risks
The management and control of risks shall be accomplished by:
- the development of policies, procedures, and standards which address identified risks;
- the development of training opportunities and informational materials to assist in the implementation of these policies, procedures and standards; and
- monitoring, auditing and otherwise evaluating campus divisions/area/auxiliary organizations for compliance with information policies, procedures, and standards.
The University Information Security Officer shall conduct an annual review of the Information Security Program to ensure that it remains appropriate and relevant.
06/21/2019 by Chip Lenno, CIO/ISO
The California Information Practices Act was enacted in 1977 to protect individual’s privacy rights in "personal information" contained in state agency records. The Act reflects the Legislature's determination that the right to privacy is in jeopardy and that the maintenance and dissemination of private information should be subject to strict limits. The Act prohibits disclosure of personal information except in certain limited circumstances.Some of these disclosures may impose requirements not included in this document. Consultation with the University Information Security Officer is required before releasing personal information covered by the Information Practices Act.
The following disclosures are permitted under the Information Practices Act:
to the individual to whom the information pertains; where the individual to whom the information pertains has given voluntary written consent to disclose the information to an identified third part no more than 30 days before the third party requested it, or within the time limit agreed to by the individual in the written consent; to an appointed guardian or conservator of a person representing the individual provided it can be proven with reasonable certainty through CSU forms, documents or correspondence that the person is the authorized representative of the individual to whom the information pertains; to persons within the CSU who need the information to perform their functions;
to another government agency when required by law; in response to a request for records under the California Public Records Act; where there is advance written assurance that the information is to be used for purposes of statistical research only and where the information will be disclosed in a form that does not identify any individual; where the CSU has determined that compelling circumstances exist which affect the health or safety of the individual to whom the information pertains, and notification is transmitted to the individual at his or her last known address, and the disclosure does not conflict with other state or federal laws; pursuant to a subpoena, court order, or other compulsory legal process if, before disclosure, the CSU notifies the individual to whom the record pertains, and if the notification is not prohibited by law; pursuant to a search warrant; to a law enforcement or regulatory agency when required for an investigation of unlawful activity of or for licensing, certification, or regulatory purposes, unless the disclosure is otherwise prohibited by law.