CSU, Chico | IRES | Information Security | Desktop Survey FAQ

Desktop Survey FAQ

Why are we conducting this desktop assessment?
What is “protected Level 1 information”?
Are EmplID or Chico State ID numbers considered protected Level 1 information?
What about student grades stored by ID number?
Where can I find more information about data classification?
What if I don't know whether I have protected Level 1 information on my desktop?
What if I have protected Level 1 information on my desktop and don't know where to put it?
What if I only have protected Level 1 information about myself on my desktop?
What if I have multiple desktops or a desktop and a laptop?
I don't have a University computer - I use my own. Do I still need to complete the survey?
Do I need to complete this survey for lab computers?
What should I do if I have protected Level 1 information stored on my desktop?
How do I access the survey?
Who should I contact if I have more questions?

Why are we conducting this desktop assessment?
The University is obligated by law and policy to adequately secure protected Level 1 information.  Although we have an inventory of all campus servers, including the level of protected data stored on the servers, we do not have a similar inventory of desktops containing the most confidential of campus information.

The information security audit requires us to “conduct an assessment of all campus computers to ensure security of protected information.”

This week, 6,000 University of Washington employees were notified that their names and social security numbers were on a computer system that was hacked. This story is a good example of why protected Level 1 data needs to be kept in the proper, secure location. For more information, see the Seattle Times article.

What is “protected Level 1 information”?
Protected Level 1 information can cause the most serious harm to individuals and to the campus as a result of unauthorized access.  Much of this information is protected by statutes, regulation, other legal obligation or mandate. 

Protected Level 1 information includes:
  • Passwords or credentials
  • PINs (Personal Identification Numbers)
  • Name with birth date combined with last four of SSN
  • Name with credit card number
  • Name with Tax ID
  • Name with driver’s license number, state identification card, and other forms of national or international identification
  • Name with Social Security number
  • Medical records related to an individual
  • Psychological Counseling records related to an individual
  • Name with bank account or debit card information

Are EmplID or Chico State ID numbers considered protected Level 1 information?
EmplID or Chico State ID are not considered Level 1 data on their own. It is considered Level 1 if a combination of data such as EmplID, driver's license, and name all exist in the same report.

What about student grades stored by ID number?
Student grades stored by ID are also not Level 1 information, they are Level 2 information.

Where can I find more information about data classification?
http://www.csuchico.edu/ires/security/documents/DataClassificationStandard3.26.pdf

What if I don't know whether I have protected Level 1 information on my desktop?
Typical documents containing confidential data include Excel spreadsheets, Word documents, or database files. Here are some tips for easily finding potential files on your system: PC

What if I have protected Level 1 information on my desktop and don't know where to put it?
The Information Security Office wants to help individuals and departments find appropriate locations to store protected Level 1 information. Your participation in this survey will help us identify campus needs and plan appropriately.

What if I only have protected Level 1 information about myself on my desktop?
This assessment does not apply to your own “protected information” stored on your desktop.  It does apply to protected Level 1 information about other students, faculty or staff.

What if I have multiple desktops or a desktop and a laptop?
The survey should be completed for each State, Foundation, and AS-owned machine that you use.

I don't have a University computer - I use my own. Do I still need to complete the survey?
If you are using your own personal desktop or laptop, we would still like for you to take the survey. Please enter "self" in the "State ID" field.

Do I need to complete this survey for lab computers?
No, this is only for individual workstations.

What should I do if I have protected Level 1 information stored on my desktop?
User Services has created the following documents to help guide you through common practices for working with confidential data.

If you have protected Level 1 information on your desktop, the best thing you can do is delete or move the data. Protected Level 1 information belongs on enterprise servers housed in our data center. Some options for disposing of this information include:

  • Burn Files to a CD
    Burn onto CDs any confidential information not used frequently but necessary to keep for archival purposes. Store CDs in a locked cabinet. Delete the information from your computer, then empty trash or recycle bin.  Directions can be found on the following links: Mac and PC.
  • Store data on the University server’s file server
    Store frequently accessed protected Level 1 information on Bay (the University’s file server).  Each employee and department has easily accessible space on the server that is more secure than your desktop computer. Directions can be found at http://www.csuchico.edu/usrv/tutorials/bay/index.shtml

For more information contact the User Services Help Desk at x6000

How do I access the survey?
http://cypress.csuchico.edu/ciso/desktopsurvey


Who should I contact if I have more questions?
Please contact the Information Security Office at: chicoinformationsecurirty@csuchico.edu