Information Security and Privacy Program

  • References:
    • California Information Practices Act; California Civil Code §1798-1798.78
    • Employee Access to Information Pertaining to Themselves; California Education Code §89546
    • California Code of Regulations, Title V, § 42396-42396.5
    • Gramm-Leach-Bliley Act;  FTC-15USC Subchapter I, §6801-6809 & Subchapter II, §6821-6827
  • Issue Date: May 2003
  • Revision Date: December 2018
  • Expiration Date: N/A
  • Web Link: Information Security

  1. Introduction

    California State University, Long Beach recognizes it’s affirmative and continuing obligation to protect the confidentiality, maintain the integrity, and ensure the availability of information about and used by ºÃÉ«ÏÈÉú faculty, staff, students and customers and to provide administrative, technical and physical safeguards to protect university information assets.

    The California State University, Long Beach Information Security and Privacy Program provides the framework for assisting the University with meeting it’s responsibilities to:

    • Safeguard personal and confidential information of ºÃÉ«ÏÈÉú faculty, staff, administrators, students and customers and other ºÃÉ«ÏÈÉú sensitive data regardless or format or medium;
    • Protect against anticipated threats or hazards to the physical security or integrity of ºÃÉ«ÏÈÉú information assets;
    • Protect the privacy of ºÃÉ«ÏÈÉú faculty, staff, administrators, students, and customers by preventing non-permitted disclosure of personal and confidential information; and
    • Ensure campus compliance with federal and state law, regulations, CSU and ºÃÉ«ÏÈÉú policies, procedures, and standards regarding information security and privacy.
  2. Program Scope

    The ºÃÉ«ÏÈÉú Information Security and Privacy Program applies to:

    • Information that is acquired, transmitted, processed, transferred and/or maintained  by CSU Long Beach and CSU Long Beach auxiliary organizations;
    • All data systems and equipment including departmental, divisional and other ancillary systems and equipment as well as data residing on theses systems and equipment;
    • Home/personal electronic devices of ºÃÉ«ÏÈÉú faculty, staff, and administrators which access information technology resources; and
    • Faculty, staff, administrators, students, and consultants employed by ºÃÉ«ÏÈÉú or ºÃÉ«ÏÈÉú auxiliary organizations and other persons having access to ºÃÉ«ÏÈÉú information technology resources.
    1. Program Responsibility

      University Information Security Officer

      The University Information Security Officer is an appropriate administrator designated by the President and delegated responsibility for developing policies, procedures, and standards regarding the acquisition, transmission, processing, maintenance, safeguarding, release and disposal of personal and confidential information and other ºÃÉ«ÏÈÉú sensitive data; developing training and informational materials; and assessing and ensuring the University’s compliance with applicable laws, regulations, and CSU and University policies, procedures, and standards regarding information retention, security and privacy.

      Division/Area Information Security Officers

      Division/Area Information Security Officers are management level employees appointed or designated by each Vice President, the Director of Athletics and each auxiliary organization and who serve as a conduit between the University Information Security Officer and their respective division/area.  Division/Area Information Security Officers work closely with the University Information Security Officer to guide compliance with established campus policies, procedures, and standards within their respective division/area.  Each Division/Area Information Security Officer shall provide periodic reporting including an annual report to their Vice President and the University Information Security Officer on the status of division/area compliance with the articulated information security policies, procedures and standards.

      The following positions have delegated authority to serve as Division/Area Information Security Officer:

      Division/Area Division/Area Information Security Officer
      Division of Academic Affairs Associate Vice President, Academic Technology
      Division of Administration and Finance Public Records and Audit Liaison
      Associated Students, Inc Director of Administrative Services, Associated Students, Inc.
      Athletics Senior Associate Athletics Director/SWA
      President’s Office Chief of Staff, Office of the President
      Division of Student Affairs Chief of Staff, Division of Student Affairs
      Division of University Relations & Development Director of Advancement Services
      Forty-Niner Shops, Inc. Controller, Forty-Niner Shops, Inc.
      Research Foundation Chief Operating Officer
      Forty-Niner Foundation Director of Advancement Services
      Student Government Student

      Information Security Steering Committee

      The Information Security Steering Committee is charged with evaluating ºÃÉ«ÏÈÉú's information security and privacy policies, procedures, and operations to identify potential areas of vulnerability and risk and assist with the strategic direction for campus information security.

      Custodians of Records

      Custodians of Records are appropriate administrators designated by the President and division Vice Presidents to maintain the official/original copy of the record/information. Custodians of records are responsible for a) Assuring that the campus is operating in compliance with the portion of the CSU Records Retention and Disposition Schedules for which they have been delegated authority; b) Identifying records/information that may have historic or vital value for the campus, and; c) reporting to the University Information Security Officer any university specific records that have not been cited within the CSU Records Retention and Disposition Schedule.

      In apition, the following positions have been delegated authority to accept and respond to subpoenas:

      Type of Records Subpoenaed Custodian of Record
      Student Records/Information Director, Office of Judicial Affairs
      Staff Personnel Records/Information
      (including payroll records for all employees)
      Director, Staff Human Resources
      Faculty Personnel Records/Information
      (including Librarians and Coaches)
      Senior Director, Academic Employee Relations
      Non-Personnel Records or where it is not possible to determine the specific subject of the request Risk Manager

      University Administrators

      University Administrators are managers and supervisors included in the Management Personnel Plan (MPP) or equivalent in ºÃÉ«ÏÈÉú auxiliary organizations. University Administrators are responsible for ensuring compliance with established information security policies, procedures and standards within their respective college, department, administrative area, or organization.

      ºÃÉ«ÏÈÉú Faculty, ºÃÉ«ÏÈÉú Staff Members and employees of Auxiliary Organizations

      ºÃÉ«ÏÈÉú Faculty, ºÃÉ«ÏÈÉú Staff Members and employees or Auxiliary Organizations who, in the course and scope of their duties and responsibilities, access, collect, distribute, process, store, use, transmit or dispose of personal or other ºÃÉ«ÏÈÉú sensitive data are responsible for following established information security policies, procedures, and standards.

  3. Information Security Risks

    There are several reasonable and foreseeable internal and external risks to the security and integrity of personal information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the security and confidentiality of personal and confidential information. These risks may include, but are not limited to:

    • Unauthorized access of personal information by individuals not approved for access;
    • Compromised system security
    • Interception of data during transmission
    • Loss of data integrity
    • Physical loss of data
    • Poor audit trails
    • Unauthorized access of personal information by employees
    • Unauthorized transfer of personal information to third parties or employees not approved for access
    • Unauthorized transfer of personal information by third parties
  4. Management and Control of Risks

    The management and control of risks shall be accomplished by 1) the development of policies, procedures, and standards which apress identified risks; 2) the development of training opportunities and informational materials to assist in the implementation of these policies, procedures and standards; and 3) monitoring, auditing and otherwise evaluating campus divisions/area/ auxiliary organizations for compliance with information policies, procedures, and standards.

    The University Information Security Officer will work closely with the each Division/Area Information Security Officer to ensure that each division complies with the University’s information security policies, procedures, and standards. The Division Information Security Officers will ensure that all new policies, procedures and standards are distributed within their own divisions/areas through the appropriate reporting and communication channels. Compliance with policies, procedures and standards will be monitored on an ongoing basis.

  5. Individual Risks

    Individuals have the right to inquire and to be notified about the personal information that ºÃÉ«ÏÈÉú maintains concerning them. An opportunity to inspect any such confidential information must be afforded within 30 days of any request. If the record containing the personal information also contains personal information about another individual, that information must be deleted from the record before it is disclosed. Individuals may request copies of records containing personal information about them, and those copies must be provided within 15 days of the request. The University/Auxiliary may charge a reasonable per page cost for making any copies. Individuals may request that their personal information be amended, and if that request is denied, the individual may request a review of that decision by the Vice President, Administration and Finance or designee.

  6. Periodic Review

    The University Information Security Officer shall conduct an annual review of the Information Security and Privacy Program to ensure that it remains appropriate and relevant.

Further Information

Information Security Office
Email: security@csulb.edu