Information Security

Top Security Tips for Academic Leaders

How can you, as an academic leader, enhance the security practices of your department? The following 5 security topics will help you protect your department against the ever-growing body of threats.

1. Training and Awareness

All employees are required to complete the online information security awareness training provided by the Chancellor’s Office (located in the DTS).

Reports showing who has taken the training are available in the DTS.

This requirement is addressed in ICSUAM Policy 8035: Information Security Awareness and Training

2. Data Classification and Protection

Classifications of sensitive data types

Category: Level 1 (PII)
Classification: Confidential

Data governed by existing law or statute, such as:

  • (PII) Social Security number and name, credit card numbers and cardholder name, driver's license number and name
  • (ePHI) Health Information

Category: Level 2
Classification: Internal

Information that must be protected because of ethical or privacy concerns, such as grades, disciplinary actions, or student photo

  • FERPA Information

Category: Level 3
Classification: General

Information such as title, email address, or other directory information that is freely available in the public domain

  • FERPA Directory Information

This requirement is addressed in ICSUAM Policy 8065: Information Asset Management

3. Records Retention 

Records encompass information collected and stored by the University. How long you must keep these records depends upon what the data is. The CSU Chico records retention page outlines responsibilities and requirements including record types and required retention periods.

This topic is addressed in CSU Executive Order 1031: Records Retention and Disposition

4. Cloud Security

CSU data should only be stored in approved cloud service providers.

For more information about the storage of sensitive data, please email ISEC@csuchico.edu.

If your department decides to purchase a cloud-based service, then departmental administrators may be responsible for contractual and security compliance efforts for the cloud-based service.

More information can be found at: Duties of a Cloud Application Responsible Administrator

This topic is addressed in CSU Chico Cloud Security Standards (PDF)

5. Access Control and Personnel Security

Department and College personnel with Human Resources assignments play a pivotal role in the timely provisioning and removal of access to campus services.  You should be aware of HR and other processes that provide access to University data and the importance of working with Human Resources to ensure accurate completion of HR transactions for all faculty, staff, and student employees. 

Addressed in ICSUAM 8060: Access Control & ICSUAM 8030: Personnel Information Security

6. Procurement of IT-related resources and services

All purchases of IT services, whether for state use or through a contract or grant, must follow the Information Technology Procurement Review (ITPR) processes.  The ITPR process is designed to allow the campus to ensure that products are not unnecessarily duplicated (wasting money), contracts are properly negotiated, and that potential vendors follow required CSU and CSU, Chico policies and standards.  

To start the ITPR process, create a ticket in TeamDynamix: IT Procurement Review (ITPR)

This topic is addressed in ICSUAM 8040: Managing Third Parties