CHAPTER 1200 Information Technology Services

1210 Information Security Policy

Cal Poly relies upon a highly complex and resource-rich information technology environment to provide critical teaching, research, and public service functions. Effective security practices are necessary to protect Cal Poly’s technology infrastructure and information the University is legally or contractually bound to protect. The University’s Information Security Program framework safeguards the institution’s computing assets in the face of growing security threats.

This Policy defines and describes the responsibilities and required practices for all members of the California Polytechnic State University (“University community”) with respect to Information Security and the protection of University information.

  • All members of the University community must comply with secure and responsible administrative, technical, and physical information security practices.
  • The Information Security Office and Information Technology Services will use appropriate security controls and protocols to protect against any malicious access to, or manipulation of, the University’s information resources and network infrastructure.

1210.1 Definition of Terms

Cloud Computing Services: Application and infrastructure resources accessed via the internet. Cloud computing includes, but is not limited to:

  • Use of servers or information technology services of any type that are not hosted by the CSU or Cal Poly (e.g., social networking applications, file storage, content hosting)
  • Software as a Service (SaaS): an application hosted, maintained, and updated by a third-party vendor and available to users over the Internet
  • Platform as a Service (PaaS): a platform, hosted by a third-party vendor, on which the customer can develop and run applications
  • Infrastructure as a Service (IaaS): infrastructure such as hardware, virtual services, and operating systems provided by a third-party vendor

Electronic Device: Electronic equipment, whether owned by the University or an individual, that has a processor, storage device, or persistent memory, including, but not limited to: desktop computers, laptops, tablets, cameras, audio recorders, smart phones and other mobile devices, as well as servers (including shared drives), printers, copiers, routers, switches, firewall hardware, network-aware devices with embedded electronic systems (i.e., “Internet of Things”), supervisory control and data acquisition (SCADA), and industrial control systems, etc.

Electronic Media: All media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices (e.g., thumb drives).

Information Security Incident: Any event that, regardless of accidental or malicious cause, results in:

  • disclosure of University data, whether electronic or in printed form, to someone unauthorized to access it,
  • unauthorized alteration of University data,
  • loss of data which the University is legally or contractually bound to protect, or supporting critical University functions,
  • disrupted information technology service, or
  • a violation of the University’s Information Security policies.

Examples of such incidents include, but are not limited to:

  • Malicious software installations on electronic devices that store University data not routinely made available to the general public, e.g., employee evaluations, or data the University is legally or contractually bound to protect (e.g., social security numbers, credit card numbers, Protected Health Information (PHI), research data, etc.).
  • Loss or theft of electronic devices, electronic media, or paper records containing University data not routinely made available to the general public or data the University is legally or contractually bound to protect.
  • Defacement of a University website.
  • Unauthorized use of a computing account.
  • Use of information technology resources for unethical or unlawful purposes (incidents involving employees and pornography should be reported directly to University Human Resources).
  • Contact from the FBI, Secret Service, Department of Homeland Security or other law enforcement organizations regarding a University electronic device that may have been used to commit a crime.

Information Technology (IT) Resources: All resources owned, leased, managed, controlled, or contracted by the University involving networking, computing, electronic communication, and the management and storage of electronic data regardless of the source of funds including, but not limited to:

  • Networks (virtual and physical), networking equipment, and associated wiring including, but not limited to: gateways, routers, switches, wireless access points, concentrators, firewalls, and Internet-protocol telephony devices;
  • Cloud computing services: Software as a Service, Platform as a Service, and Infrastructure as a Service;
  • Electronic devices containing computer processors including, but not limited to: computers, laptops, desktops, servers (virtual or physical), smart phones, tablets, digital assistants, printers, copiers, network-aware devices with embedded electronic systems (i.e., “Internet of Things”), supervisory control and data acquisition (SCADA), and industrial control systems;
  • Electronic data storage devices including, but not limited to: hard drives, solid state drives, optical disks (e.g., CDs, DVDs), thumb drives, and magnetic tape;
  • Software including, but not limited to: applications, databases, content management systems, web services, and print services;
  • Electronic data in transmission and at rest;
  • Network and communications access and associated privileges; and
  • Account access and associated privileges to any other IT resource.

Risk Management: The process to identify, control, and manage the impact of potential harmful events, commensurate with the value of the protected assets. Risk management includes impact analysis, risk assessment, and continuity planning.

User: Anyone who uses University information technology (IT) resources. This includes all account holders and users of University IT resources including, but not limited to: students, applicants, employees, contractors, auxiliary organization employees, guests, and affiliates of any kind.


1210.2 Policy

Cal Poly is committed to protecting the confidentiality, integrity, and availability of its information and systems. To achieve these goals, University information and systems are secured and restricted.

This Policy complements and supports other University policies protecting the University’s information assets and resources including, but not limited to, the Data Classification standard, the Record Retention standard, and the Responsible Use Policy.

All access to and use of the University’s network, infrastructure, or information is governed by this policy. This Policy also addresses the use of any information generated, accessed, modified, transmitted, stored, or otherwise used by the University Community on the University’s information resources and network infrastructure.

Owners and overseers of the University’s Information Technology (IT) resources must take reasonable care to eliminate security vulnerabilities from those resources. In cases where University IT resources and privileges are threatened by other IT resources, Information Technology Services (ITS) may act on behalf of the University to eliminate the threat by working with the relevant owners or overseers. In circumstances where these collaborative efforts fail or there is an urgent situation requiring immediate action, the IT resource may be disabled or disconnected from the network by ITS. This policy applies to all users of the University’s information technology resources, regardless of location or affiliation.

All users of University IT resources are required to promptly report information security incidents to appropriate University officials.

Individuals or departments may not release University information, security incident details, electronic devices, or electronic media to any outside entity, including law enforcement organizations, before making the notifications required by this policy.

The University Information Security Office is responsible for responding to Information Security incidents. In addition to following up on reported incidents, this office may monitor IT resources for potentially malicious and/or harmful activity and take action deemed necessary based on detected activity or in order to enforce a University policy.

The management of each University Division or College is required to complete the process outlined in the Information Security Risk Management Standard and Information Security Risk Management Procedures at least annually; when there are significant changes to departmental or unit IT resources; or when there are significant changes to the risk environment. The department or unit head will sign off on the deliverables from this process, which will be stored in the University's central repository.

Members of the campus community will use the ICT process (see CAP 1203.2) for purchasing and deploying Information Technology resources used to store, access, or provide access to, protected data. The security evaluation will identify conditions the vendor must agree to contractually to ensure compliance with CSU Policy (CSU Information Security Policy – Supplier Relationships).


1210.3 Compliance with Policy

Any misuse of data or IT resources may result in the limitation or revocation of access to University IT resources. In addition, failure to comply with requirements of this policy and/or its standards may result in disciplinary action up to and including termination or expulsion in accordance with relevant University policies, and may also violate federal, state, or local laws.


1210.4 Information Security Program

The University shall protect the confidentiality of information in the custody of the University, the security of the equipment where this information is processed and maintained, and the related privacy rights of the CSU students, faculty, and staff concerning this information.

All students, faculty, staff, and consultants employed by the CSU, or any other person having access to University information technology resources, shall comply with this policy.


1210.4.1 Information Security Officer

The Information Security Officer (ISO) is responsible for coordinating and overseeing campus-wide compliance with university policies and procedures regarding the confidentiality, integrity, and security of its information assets, with special emphasis on institutional data and databases.

Reporting to the Vice President Information Technology Services/Chief Information Officer, the ISO works closely with Legal Counsel, University Police, and other campus managers and staff involved in securing the university's information assets to enforce established policies, identify areas of concern, and implement appropriate changes as needed.

In addition, the ISO chairs the Information Security Committee, composed of individuals who have responsibility for security on campus.


1210.4.2 Confidentiality-Security Policy

Access to computers and data is a privilege extended at the discretion of the University. The University shall retain the right and authority to revoke or restrict such privileges at any time. Access to University computers, computing resources, and data will be restricted, denied, or discontinued by the University for failure to abide by this policy. Faculty, staff, students, and consultants employed by the CSU, or any other person having access to University information technology resources, shall sign for receipt and understanding of this policy. The signed statement shall be placed in the employee's official personnel/payroll file.


1210.4.3 Reporting Information Technology Security Incidents

Faculty, staff, students, and consultants employed by the CSU, or any other person having access to University information technology resources, shall report violations of the Confidentiality-Security Policy and/or unauthorized modification, deletion, or disclosure of information included in University data files and databases.


References for CAP 1210.4

  1. Date approved by the President: January 2, 2001
  2. Office responsible for implementation: Information Technology Services
  3. Any laws, regulations or codes of practice which should be referred to in conjunction with the policy: Emergency Management Plan; Federal Disaster Relief Act of 1974 (Public Law 93-288); Federal Civil Defense Act of 1950 (Public Law 920), as amended; NUREG 0654, Federal Emergency Management Agency REP-1, Rev. 1, 1980; United States Army Corps of Engineers-Flood Fighting (Public Law 84-99); California Code of Regulations, SEMS, Title 19, Division 2, Section 2400 et seq.; California Emergency Services Act, California Government Code, Section 8550 et seq.; California Health and Safety Code; California Master Mutual Aid Agreement, California Government Code, Section 8615 et seq.; California Natural Disaster Assistance Act, California Government Code, Section 8680 et seq.; California Vehicle Code; California Water Code, Section 128; California Code of Regulations, Title 5, Section 41302, 42402; California Education Code, Section 66600, 66606, 89031; Executive Order 533, California State University Risk Management Policy; Injury and Illness Prevention Program (May 1997); CSU Security Policy (May 1997); Executive Order 524, CSU Implementation of the CSU Major Emergency Preparedness Program; Executive Order 382, CSU Student Records Administration; Executive Order 590, CSU Student Air Travel Policy

References for CAP 1210

  1. Date approved by the President: April 23, 2020
  2. Effective Date: April 23, 2020
  3. Responsible Department/Office(s): ITS Information Security Office
  4. Revision History: Not applicable/New
  5. Related University Policies, Procedures, Manuals and/or Documents:
    1. CSU Information Security Policy
    2. CSU Data Classification Levels
    3. Cal Poly Information Security Program
    4. Risk Management Standard (to be written)
    5. Risk Management Procedures (to be written)
    6. CSU Information Security Policy – Supplier Relationships
  6. Laws, Regulations and/or Codes of practice referred to herein or related to this policy:
    1.