Data and Information Protection Requirements

The purpose of this standard is to specify the requirements for handling, transmitting, storing or otherwise managing data for the campus of CSU Monterey Bay.

Comments or feedback on this standard should be directed to The Office of the Chief Information Officer at (831) 582-4700.

Scope

These requirements apply to all three classification levels for information/data owned, maintained or otherwise controlled by CSU Monterey Bay and CSU Monterey Bay auxiliaries.

Level 1 Confidential Information

Handling

Please refer to the Clean Desk and Clear Screen Standard.

Transmitting

Distribution is limited to those with an established business need-to-know who are either CSUMB employees or have signed a confidentiality agreement.

Electronic Mail (email or attachments to email) may be sent but only if password protected or encrypted and only to persons with a business need-to-know. All email transmissions of confidential information must contain the following statement: “The information contained in this email message or its attachment is confidential. Dissemination or copying of this email is strictly prohibited. If you think that you have received this email in error, please email the sender.”

Mail (hard copy) printed information may be sent through intercampus or U.S. Mail but must be sealed in a plain envelope clearly marked, “To be Opened by Addressee.”

Fax—authorized only from and to CSUMB fax machines. Information may not be sent to public fax machines.

Telephone—authorized, but only to CSU employees and others with a business need-to-know.

Storage

Confidential information must be stored on secured databases or file servers. When access to a secure server is not available, and when approved by the employee’s appropriate administrator, confidential information may be stored on laptops, desktops or portable electronic storage media, including but not limited to, CD-ROMs, DVD-ROMs, external hard drives, zip disks, floppy disks, reel and cassette format magnetic tapes, flash-memory cards, magnetic cards and USB flash drives (a.k.a. memory sticks, thumb or jump drives).

Laptops, desktops and portable electronic storage media must be encrypted or otherwise rendered unreadable and unusable by unauthorized persons and must be located in a secure location at the University or another site approved by ITS management (including off-site backup services).

Confidential information may not be stored on personal equipment such as personal laptops, personal desktops, tablets, portable media players, or smartphones.

Printed information must be stored in a locked enclosure.

Retention

Records of any type of medium, such as paper, microfiche, magnetic, or optical, shall not be retained beyond the minimum retention period identified in the CSU Record Retention Schedule.

Disposition

Dispose in accordance with the Media Sanitization Methods.

Level 2 Internal Use Information

Handling

Please refer to the Clean Desk and Clear Screen Standard.

Transmitting

Distribution is limited only to CSUMB employees and those individuals with a business need-to-know.

Electronic Mail (email or attachments to email) may be sent but only if password protected or encrypted and only to persons with a business need-to-know.

Mail (hard copy) printed information may be sent through intercampus or U.S. mail with no special markings or handling.

Fax—authorized only from and to CSUMB fax machines. Information may not be sent to public fax machines.

Telephone—authorized, but only to CSU employees and others with a business need-to-know.

Storage

Internal Use information must be stored on secured databases or file servers. When access to a secure server is not available, and when approved by the employee’s appropriate administrator, Internal Use information may be stored on laptops, desktops or portable electronic storage media, including but not limited to, CD-ROMs, DVD-ROMs, external hard drives, zip disks, floppy disks, reel and cassette format magnetic tapes, flash-memory cards, magnetic cards and USB flash drives (a.k.a. memory sticks, thumb or jump drives).

Laptops, desktops and portable electronic storage media must be encrypted or otherwise rendered unreadable and unusable by unauthorized persons and must be located in a secure location at the University or another site approved by ITS management (including off-site backup services).

Internal Use information may not be stored on personal equipment such as personal laptops, personal desktops, tablets, portable media players, or smartphones.

Printed information must be stored in a locked enclosure.

Retention

Records of any type of medium, such as paper, microfiche, magnetic, or optical, shall not be retained beyond the minimum retention period identified in the CSU Record Retention Schedule.

Disposition

Dispose in accordance with the Media Sanitization Methods.

Level 3 Public Use Information

Handling

No restrictions.

Transmitting

No restrictions.

Storage

No restrictions.

Retention

Records of any type of medium, such as paper, microfiche, magnetic, or optical, shall not be retained beyond the minimum retention period identified in the CSU Record Retention Schedule.

Disposition

Normal waste disposal.

Payment Related Data

The Primary Account Number (PAN) may not be stored unless encrypted.

The following types of payment related data may not be stored even if encrypted:

(i) Sensitive authentication data, which includes, but is not limited to, all of the following:

  • full contents of any data track from a payment card or other payment device
  • card verification code or any value used to verify transaction when the payment device is not present
  • personal identification number (PIN) or the encrypted PIN block

(ii) Any payment related data that is not needed for business purposes.

(iii) Any of the following data elements:

  • payment verification code
  • payment verification value
  • PIN verification value

HIPAA Data

What does “HIPAA compliant” mean? The HIPAA Security Rule for electronic data that includes protected health information (PHI) requires that:

  • Whenever possible, electronic data should be stored on a secure server
  • Every event, or interaction with the data, should be logged, creating an audit trail. This function is extremely important should the need arise to verify that data were not modified inappropriately.
  • It should be possible to authorize role-based access to the data. For example, a data entry person might only have data entry privileges, but not be able to export the data.
  • Access to the database should require authentication, such as a unique username and password
  • Data should always be stored on an encrypted device, using database software that encrypts data.
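The following is an added example, not part of the CSUMB standard, showing what three of the controls above look like in code: role-based access, one audit entry for every interaction with the data, and an audit trail that can later be checked for inappropriate modification. It keys a hash chain with an HMAC so that an altered, removed or reordered audit entry invalidates every later entry. The role names, the audit key and the sample record are constructed for illustration; the user and role passed in are assumed to come from an already authenticated session, and the in-memory dictionary stands in for the encrypted database.

```python
# Added example (not the CSUMB standard's own code): PHI store with
# role-based access, per-event audit logging and a tamper-evident trail.
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical role -> permitted actions; data entry cannot export.
ROLE_PERMISSIONS = {
    "data_entry": {"create", "read"},
    "analyst": {"read", "export"},
}

# Constructed demo key. A real deployment keeps this in a key-management
# service, out of reach of the people whose actions the log records.
AUDIT_KEY = b"constructed-demo-key-do-not-use-in-production"
GENESIS = "0" * 64


class AuditLog:
    """Append-only log; each entry's HMAC covers the previous entry's HMAC.
    Altering, removing or reordering an interior entry breaks the chain.
    Truncating the tail is only detectable if the newest MAC is also
    anchored somewhere the log writer cannot modify."""

    def __init__(self):
        self.entries = []
        self._prev_mac = GENESIS

    @staticmethod
    def _mac(entry):
        body = {k: v for k, v in entry.items() if k != "mac"}
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()

    def record(self, user, action, record_id, outcome):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action,
            "record_id": record_id, "outcome": outcome,
            "prev": self._prev_mac,
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        self._prev_mac = entry["mac"]

    def verify(self):
        """True if the chain is intact, False if any entry was tampered with."""
        prev = GENESIS
        for entry in self.entries:
            if entry.get("prev") != prev:
                return False
            if not hmac.compare_digest(self._mac(entry), entry["mac"]):
                return False
            prev = entry["mac"]
        return True


class PhiStore:
    """Every access passes through an authorization check that is itself
    logged, whether it is allowed or denied."""

    def __init__(self):
        self.records = {}
        self.audit = AuditLog()

    def _authorize(self, user, role, action, record_id):
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self.audit.record(user, action, record_id,
                          "allowed" if allowed else "denied")
        if not allowed:
            raise PermissionError(f"role {role!r} may not {action}")

    def create(self, user, role, record_id, data):
        self._authorize(user, role, "create", record_id)
        self.records[record_id] = dict(data)

    def read(self, user, role, record_id):
        self._authorize(user, role, "read", record_id)
        return dict(self.records[record_id])

    def export(self, user, role, record_id):
        self._authorize(user, role, "export", record_id)
        return json.dumps(self.records[record_id], sort_keys=True)


def demo():
    """Return (export_blocked, chain_ok, chain_ok_after_tamper)."""
    store = PhiStore()
    # Constructed sample record; contains no real PHI.
    store.create("alice", "data_entry", "pt-001", {"name": "Sample", "dx": "test"})
    try:
        store.export("alice", "data_entry", "pt-001")
        export_blocked = False
    except PermissionError:
        export_blocked = True
    store.export("bob", "analyst", "pt-001")
    chain_ok = store.audit.verify()
    store.audit.entries[1]["user"] = "mallory"  # simulate log tampering
    return export_blocked, chain_ok, store.audit.verify()


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Denied attempts are logged as well as successes; an audit trail that records only what succeeded cannot show who tried to export data they were not entitled to.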

Roles and Responsibilities

It is the responsibility of all employees with access to protected information to adhere to these standards.

It is the responsibility of all department managers to ensure that employees in their department adhere to these standards.

Revision Control

This standard will be subject to revision in response to changes in technology, regulatory compliance, and/or CSUMB operational initiatives.

Last reviewed/updated

06/21/2019 by Chip Lenno, CIO/ISO