Confidential information, educational records and user accounts are governed by federal and state laws and regulations, CSU information security policies and the Chancellor’s executive orders, and University guidelines, standards and administrative policies and procedures.
ITS Security and Compliance is responsible for coordinating the development and dissemination of the University’s information security guidelines, standards and procedures. See the links below to access CSU policy and University guidelines, standards and procedures.
Confidential Information
Description and Examples
Description
Level 1 Confidential data is information maintained by the University that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws. Unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could cause serious harm to the CSU, its students, employees or customers. Financial loss, damage to the CSU’s reputation and legal action could occur if data is lost, stolen, unlawfully shared or otherwise compromised.
Level 1 data is intended solely for use within the CSU and limited to those with a “business need-to-know.” Statutes, regulations, other legal obligations or mandates protect much of this information. Disclosure of Level 1 data to persons outside of the University is governed by specific standards and controls designed to protect the information.
Confidential information must be interpreted in combination with all information contained on the computer or electronic storage device to determine whether a violation has occurred.
Level 1 access will be granted on a strict “need-to-know” basis only and will be restricted to authorized staff and other participants who have executed an approved Non-Disclosure Agreement (NDA). This information includes organizational contact lists, internal processing procedures, employee schedules and other information required to function within the organization but too sensitive to release to the public.
Examples (Note: the list provides examples but is not exhaustive)
- Passwords or credentials
- Personal identification numbers (PINs)
- Birth date combined with the last four digits of the Social Security number and name
- Credit card numbers with cardholder name or expiration date and/or card verification code
- Tax ID with name
- Driver’s license number, state identification card and other forms of national or international identification (such as passports, visas, etc.) in combination with name
- Social Security number and name
- Health insurance information with name
- Medical records related to an individual
- Psychological counseling records related to an individual
- Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual’s financial account
- Electronic or digitized signatures
- Private key (digital certificate)
- Vulnerability/security information related to a campus or system
- Attorney/client communications
- Legal investigations conducted by the University
- Third-party proprietary information under contractual agreement
- Sealed bids
- Employee names and personally identifiable employee information
- Biometric information
- Personal characteristics
Description
Internal use data is information that must be protected due to proprietary, ethical or privacy considerations. Although not specifically protected by law, regulation or other legal obligation or mandate, unauthorized use, access, disclosure, acquisition, modification, loss or deletion of information at this level could cause financial loss, damage to the CSU’s reputation, violate an individual’s privacy rights or require legal action.
Non-directory educational information may not be released except under certain prescribed conditions.
Level 2 access will be granted on a strict “need-to-know” basis only and will be restricted to authorized staff and other participants who have executed an approved Non-Disclosure Agreement (NDA). This information includes organizational contact lists, internal processing procedures, employee schedules and other information required to function within the organization but too sensitive to release to the public.
Examples (Note: the list provides examples but is not exhaustive)
- Identity validation keys (name with):
- Birth date (full: mm-dd-yy)
- Birth date (partial: mm-dd only)
- Student name with personally identifiable educational records
- Grades
- Courses taken
- Schedule
- Test scores
- Advising records
- Educational services received
- Disciplinary actions
- Employee information
- Employee net salary
- Employment history
- Home address
- Personal telephone numbers (including emergency contacts)
- Personal email address
- Payment History
- Employee evaluations
- Disciplinary actions
- Background investigations
- Mother’s maiden name
- Race and ethnicity
- Parents’ and other family members’ names
- Birthplace (city, state, country)
- Gender
- Marital Status
- Physical description
- Photograph (voluntary for public display)
- Other
- Donor name, address, telephone, email and donation amount
- Library circulation information
- Trade secrets or intellectual property, such as research activities
- Location of critical or protected assets
- Licensed software
Description
This information is generally considered publicly available. Information at this level is either explicitly defined as public information, intended to be available to individuals both on and off campus, or not specifically classified elsewhere as Level 1 or Level 2.
Knowledge of this information does not expose the CSU to financial loss or jeopardize the security of the CSU’s information assets.
Publicly available data may still be subject to appropriate campus review or disclosure procedures to mitigate potential risks of inappropriate disclosure.
[1] Cal State LA may disclose “Directory Information” without prior written consent of the student. However, at any time the student may exercise the option to consider this information confidential by completing the Releasing Student “Directory Information” to Outside Agencies form and submitting it to the Admissions and Records Center, SSB 1st Floor. All requests to obtain student directory information must be directed to the Admissions and Records Center.
Examples (Note: the list provides examples but is not exhaustive)
- Campus identification keys
- Campus identification number
- User ID (do not list in a public or a large aggregate list where it is not the same as the student email address)
- Student information [1]
Educational directory information (FERPA) includes:
- Name
- Address
- Telephone number
- Email address
- Photograph
- Major field of study
- Participation in officially recognized activities and sports
- Height and weight of athletes
- Dates of attendance
- Grade level
- Enrollment status
- Degrees, honors and awards received
- Most recent previous educational agency or institution attended by the student
Bargaining unit student employee directory information
- Name of the department employing the student
- Student employee’s departmental telephone number
- Student employee’s departmental email address
- Student employee’s job classification
- Employee information (including student employees)
- Employee title
- Student employee status (e.g., TA, GA, ISA)
- Employee campus email address
- Employee work location and telephone number
- Employing department
- Employee classification
- Employee gross salary
- Name (first, middle, last) (except when associated with protected data)
- Signature (non-electronic)
- Donor information
- Constituent code
- Class, degree, academic organization, major
- Employment information as defined above
- Job title
CSU Information Security Policy
The CSU Information Security Policy provides high-level direction for managing and protecting the confidentiality, integrity and availability of CSU information assets.
Policies, Standards and Guidelines
CSU ISO Domain
Type | Title |
---|---|
Policy | ISO Domain 5: Information Security Policy |
Cal State LA
Type | Title |
---|---|
Policy | Cal State LA Information Security Program |
Standard | Information Security Roles and Responsibilities |
Guideline | Identity Theft Prevention Guidelines |
CSU ISO Domain
Type | Title |
---|---|
Policy | ISO Domain 6: Organization of Information Security Policy |
Standard | ISO Domain 6: Organization of Information Security Standard |
CSU ISO Domain
Type | Title |
---|---|
Policy | ISO Domain 7: Human Resources Security Policy |
Standard | ISO Domain 7: Human Resources Security Standard |
Cal State LA
Type | Title |
---|---|
Guideline | Separated Employee Network/Email Access |
Procedure | Criminal Records Check |
Procedure | Fingerprinting Process |
CSU ISO Domain
Cal State LA
Type | Title |
---|---|
Standard | Protecting Workstation Documents |
Standard | Multi-Function Device Utilization |
Standard | Information Classification, Handling and Disposal |
Guidelines | Collecting and Processing Credit Card Information |
Guidelines | Data Sanitization |
Guidelines | Encryption Security |
Guidelines | Mobile Computing |
Guidelines | Portable Electronic Storage Media |
Guidelines | Secure Disposal of Electronic Storage Media |
Guidelines | Protecting Electronic Copyrighted Materials |
Procedure | Server Vulnerability Management |
Procedure | Protecting Critical and High-Risk Workstations |
Procedure | Records Retention, Management and Disposition Procedures |
Procedure | Student Records Management |
CSU ISO Domain
Type | Title |
---|---|
Policy | ISO Domain 9: Access Control Policy |
Standard | ISO Domain 9: Access Control Standard |
Cal State LA
Type | Title |
---|---|
Standard | Identity and Access Management Standard |
Standard | Password Standard |
Standard | PeopleSoft User IDs and Passwords |
Standard | User Access Control and Risk Management for Decentralized Systems |
Guidelines | Use of Administrative Information Systems |
Guidelines | Oracle Access |
Guidelines | Protecting Shared Computing Resources |
Procedure | Administrative Systems Access Control and Separation of Duties Review |
CSU ISO Domain
Type | Title |
---|---|
Policy | ISO Domain 10: Cryptography Policy |
Standard | ISO Domain 10: Cryptography Standard |
CSU ISO Domain
Type | Title |
---|---|
Policy | ISO Domain 11: Physical and Environmental Security |
Standard | ISO Domain 11: Physical and Environmental Security |
Cal State LA
Type | Title |
---|---|
Guidelines | Data Center/Communications Room Access |
Guidelines | Protecting Offices, Work Areas and Documents |
CSU ISO Domain
Type | Title |
---|---|
Policy | ISO Domain 12: Operations Security Policy |
Standard | ISO Domain 12: Operations Security Standard |
CSU ISO Domain
Type | Title |
---|---|
Policy | ISO Domain 13: Communications Security Policy |
Standard | ISO Domain 13: Communications Security Standard |
Cal State LA
Type | Title |
---|---|
Guideline | Electronic Communications |
Guideline | Network Traffic Management |
Guideline | Wireless Access |
CSU ISO Domain
Type | Title |
---|---|
Policy | ISO Domain 14: System Acquisition, Development and Maintenance Policy |
Standard | ISO Domain 14: System Acquisition Standard |
CSU ISO Domain
Type | Title |
---|---|
Policy | ISO Domain 15: Supplier Relationships Policy |
Standard | ISO Domain 15: Supplier Relationships Standard |
Cal State LA
Type | Title |
---|---|
Guideline | Information Security Contract Language |
Guideline | IT Projects and Procurement |
CSU ISO Domain
Type | Title |
---|---|
Policy | ISO Domain 16: Information Security Incident Management Policy |
Standard | ISO Domain 16: Incident Management Standard |
Cal State LA
Type | Title |
---|---|
Standard | Computer Security Incident Response Team (CSIRT) |
Guideline | Reporting Lost or Stolen Computers or Electronic Storage Devices |
Procedure | Electronic Security Incident Reporting |
CSU ISO Domain
Type | Title |
---|---|
Policy | ISO Domain 17: Information Security Aspects of Business Continuity Management Policy |
Standard | ISO Domain 17: Continuity Management Standard |
EO | Executive Order - Business Continuity Planning |
Cal State LA
Type | Title |
---|---|
Document | ITS Business Continuity Plan |
Document | ITS Disaster Recovery Plan |
CSU ISO Domain
Type | Title |
---|---|
Policy | ISO Domain 18: Compliance Policy |
Standard | ISO Domain 18: Compliance Standard |
EO | CSU Executive Order - Health Care Portability and Accountability Act of 1996 |
Cal State LA
Type | Title |
---|---|
Guideline | Collecting and Processing Credit Card Information |
Guideline | HIPAA Compliance User Guide |
Standards define the minimum requirements necessary to address information security risks and the specific requirements that ensure compliance with legal regulations, CSU policy and information security best practices. Standards represent the minimum basis upon which Board of Trustees audits are based. Standards undergo a formal review and approval process prior to publication.
User Guidelines provide general recommendations and instructions for campus users to comply with information security standards and the CSU Information Security Policy. They tend to be more technical in nature than policies and standards, and are created and updated as needed to account for changes in technology, regulations or University practices. User guidelines undergo a formal review and approval process prior to publication.
Procedures are step-by-step instructions for accomplishing specific tasks and often include recommended tools for performing those tasks. Procedures are informal documents that have no impact on users and, therefore, undergo only an internal technical review and approval process prior to publication.