CDSS/SDSURF Information Security Guidance
FAQ
What administrative, physical and technical safeguards are planned to protect data that is received, maintained, used, or transmitted? How will disclosure of attendee CSP be prevented?
- Contractors only have access to training materials and guides. Contractors that are trainers only have access to the names of their trainees in their courses via the learning management system (LMS).
Who will have access to this shared data? What safeguards are planned to prevent unauthorized access, removal or disclosure of CDSS/CSP data?
- Academy IT team assign and revoke permissions to the department's directories with the help of specific Google Groups for each department assigning access levels to appropriate directories. In addition, when staff leave, they are locked out of their accounts immediately, all passwords and security question responses are changed immediately, and campus IT are also notified. We do not store Protected Level 1 on Google Drive that may contain the employee's name, date of birth, employment history, salary. Only Academy HR, IT, program directors and fiscal staff have access to these exclusions.
Supplemental Links:
Sensitive Data Storage Classification
Protected Level 1 (PL-1 Confidential)
HIPAA: ePHI, Personal Health Records, Health Insurance Data
Personally Identifiable Information (PII): Name with Personally Identifiable Information SSN, Passport, Visa, etc.
Gramm-Leach-Bliley Act (GLBA): Name with Financial Information, Bank Accounts, Tax Returns, etc.
Payment Card Industry Data Security Standard (PCI-DSS): Payment card information, Credit Card Numbers, Bank Account and Routing Numbers.
Law Enforcement Records: Name with Driver’s License, Criminal Background.
Campus Access Credentials: Passwords or credentials that grant access to level 1 and level 2 data.
Protected Level 2 (PL-2 Internal Use)
FERPA: Student Information: Educational Records not defined as directory” information, typically: Grades, Courses taken, Schedule, Test Scores, Advising records, Educational services received, Disciplinary actions, Student photo.
Campus Financials.
Campus Attorney-client communication.
Employee Information: Name with: Home Address, Home Phone, Personal Email, Marital Status, Gender, Evaluation, Personnel Actions.
Protected Level 3 (PL-3 General)
The Academy primarily uses Google Drive for storage of our data. That said the IT department have created groups in order to share what is needed. We all must understand that access is a privilege and must be used with extreme responsibility.
Sensitive Data Storage Best Practices
Took keep PL-1 data secure, the IT Security office has developed the following guidelines:
Overall Document Privacy
Set the document as Private, and only share with selected people. (Private option highlighted below):
Public on the web - Anyone on the Internet can find and access. No sign-in required.
Anyone with the link - Anyone who has the link can access. No sign-in required.
SDSU University - People at SDSU University can find and access.
People at SDSU with the link - People at SDSU who have the link can access.
Private - Only people explicitly granted permission can access. Sign-in required. (only use this option)
Check Names
When sharing a document or folder, make sure you have the right person. For example, there may be an undergraduate student who has the same name as one of your co-workers.
Share with a Group
Did you know that Google Groups can be used to assign permissions to documents, especially in large departments? This can save a lot of time and ensure consistency.
Name Clearly
Be mindful of what you name folders and documents. People you share with will see the name, so you should be descriptive and professional in your naming. It might be helpful to include the name of the project or your department so it is easy for others to find.
Use Share Team Drives, Not Documents
If it is likely that you will share documents in the future with the same group of people, it is best to create a Shared Team Drive and share it with specified users. All the documents you put in that folder will be automatically shared with the same group of people.
Why? Sharing individual documents is more time consuming and can lead to errors and inconsistencies. When sharing a folder, it is easier to keep track of who has access and give a new person the ability to access many files at once. Also, using a folder allows everyone in your group to add to that folder, creating an easy-to-find archive of group materials.
Why not? If you only need to share one document, you may not need a folder.
Shared Drive Settings. Use the following to ensure the most secure settings for Shared Team Drives.
Only people inside San Diego State University can be given access to the files in this shared drive.
Only members of this shared drive can access files in this shared drive.
Prevent commenters and viewers from downloading, copying, and printing files in this shared drive.
Protect Your SDSUid Password
Do Not Attach Files With PL-1 Data to Email Message
Document Deletion
Only the creator/owner can permanently delete a doc/collection. If something has been moved, the owner can still find it in the "Owned by Me" section of their Google Docs/Drive homepage. If the owner is no longer at SDSU, the item(s) may be deleted permanently. For document preservation, we recommend using Google “Team drive” instead of “My Drive”.
When deleting a file, the file is sent to Google Trash. Only once permanently deleted from the trash, Google Docs and collections cannot be recovered.
Use Google’s "Account Activity" Feature to Help Make Sure No One Else is Using Your Account
Your Recent Activity - entire Google account
The "Recent activity" section of your Account Security page lists security-related actions you’ve taken, such as signing in to your Google Account, changing your password, or adding a recovery email address or phone number. This information is for your entire Google Account, so sign-ins from any Google product (such as Blogger, Gmail, or YouTube) will be listed in this section. If you notice anything suspicious, e.g. a sign-in from a browser you've never used, or a location you've never been to, you are prompted to change your password to secure your account. If you notice a recovery option change you did not make, be sure to update the recovery option in addition to changing your password.
Sign Out of Your Google Account When You're Not Using It
Do Not Connect To Your G Drive On Public Computer
Storing Protected Information on SDSU Systems:
Use of Personal Equipment:
- Personal equipment includes devices such as personal laptops, personal desktops, personal digital assistants (PDAs), cell phones. SDSU Protected Level 1 or PL-1 information must not be stored on any personal equipment.
- Users must not send or forward e-mails containing PL-1 information to person email accounts.
- Users should adopt the same anti-virus, anti-spyware, and patch management standards for personal equipment the same as University Systems.
- Personal devices being used at the University must not be connected to the network behind an internal firewall without authorization.
Use of File Servers:
- IT managers are responsible for ensuring that access to information stored on file servers is limited to authorized users. Access to information should be granted according to job duties. PL-1 information that is stored on file servers should be encrypted.
Use of Databases:
- IT managers are responsible for ensuring that access to information stored on file servers is limited to authorized users. Access control should include a combination of file read/write privilege and access control lists on the database data objects. These databases should be configured to encrypt PL-1 elements.
"Red Flag" Rules:
- Requires institutions and creditors to implement a written identity theft prevention program designed to identify and detect identity theft schemes in response to "red flags".
- The rule applies to any institution that provides goods or services that are not fully paid in advance (e.g. Tuition, room and board, etc. are not due in full prior to the start or a semester.)
- Types of accounts that must adhere to the Red Flag Rules:
- Financial Aid
- Employee loans
- Installment payments and short-term loans
- Accounts that are created for ongoing services and allow students to reimburse the University when billed over a period of time.
- Any type of collection account
Red Flag Identification and Response:
- University departments must monitor a number of variables and indicators which are described in the California State University Identity Theft Prevention ("Red Flag Rule") Implementation Plan section 4.3.1.
- Additional flags that need further investigation are:
- Request to change mailing address
- Request to change password or a execution of a password reset
- Changes of forwarding email address
- Change of account names
- Change of bank account
- Reports to security@sdsu.edu
- Reports to the campus ISO
- Reports to Public Safety
FERPA Training
Family Education Right and Privacy Act
Password Requirements
SDSU and CDSS requires strong passwords that should be changed annually. The CSU mandates that SDSU must have a policy that requires password changes. The current SDSU Information Security Plan requires all passwords must be changed every 12 months
SDSU Information Security Plan. You will receive email notifications reminding you to change your password in the following schedule: 30 days, 14 days, 2 days, 1 day before expiration.
A Strong password must:
Related Articles
SDSU MFA Account Security
SDSU Duo Setup Instructions: https://it.sdsu.edu/security/operations-services/mfa Duo Portal: https://duoportal.sdsu.edu/ Missed the Training watch Video of Training
TARP: General Information
Technology Acquisition Review Process (TARP): What does this mean for the Academy TARP: Academy Vendor List TARP: Product Request
How to Make a Strong but Memorable Password
SOURCE URL: Google: https://support.google.com/accounts/answer/9094506 SDSU: https://it.sdsu.edu/sdsuid/faq.aspx SDSU Video: https://www.youtube.com/watch?v=9iliDx-08hA Password Strenght Tester: https://password.kaspersky.com/ Create a strong ...
Duo Troubleshooting - Reactivating Devices
Duo Mobile is tied to a specific device's hardware security module (HSM), you will need to reactivate Duo Mobile on your device by logging into the Duo Portal. For users who update their device (i.e. new phone), but have the same phone number, please ...