CDSS/SDSURF Information Security Guidance

FAQ

What administrative, physical and technical safeguards are planned to protect data that is received, maintained, used, or transmitted? How will disclosure of attendee CSP be prevented?
  • Contractors only have access to training materials and guides. Contractors who are trainers have access only to the names of the trainees in their courses via the learning management system (LMS).
Who will have access to this shared data? What safeguards are planned to prevent unauthorized access, removal or disclosure of CDSS/CSP data?
  • The Academy IT team assigns and revokes permissions to each department's directories using department-specific Google Groups, which assign access levels to the appropriate directories. In addition, when staff leave, they are locked out of their accounts immediately, all passwords and security question responses are changed immediately, and campus IT is also notified. We do not store Protected Level 1 data that may contain the employee's name, date of birth, employment history, or salary on Google Drive. Only Academy HR, IT, program directors and fiscal staff have access to these exclusions.



Sensitive Data Storage Classification

Protected Level 1 (PL-1 Confidential)

  • HIPAA: ePHI, Personal Health Records, Health Insurance Data
  • Personally Identifiable Information (PII): Name with Personally Identifiable Information: SSN, Passport, Visa, etc.
  • Gramm-Leach-Bliley Act (GLBA): Name with Financial Information, Bank Accounts, Tax Returns, etc.
  • Payment Card Industry Data Security Standard (PCI-DSS): Payment card information, Credit Card Numbers, Bank Account and Routing Numbers.
  • Law Enforcement Records: Name with Driver’s License, Criminal Background.
  • Campus Access Credentials: Passwords or credentials that grant access to level 1 and level 2 data.
Protected Level 2 (PL-2 Internal Use)
  • FERPA: Student Information: Educational Records not defined as “directory” information, typically: Grades, Courses taken, Schedule, Test Scores, Advising records, Educational services received, Disciplinary actions, Student photo.
  • Campus Financials.
  • Campus Attorney-client communication.
  • Employee Information: Name with: Home Address, Home Phone, Personal Email, Marital Status, Gender, Evaluation, Personnel Actions.
Protected Level 3 (PL-3 General)
  • Publicly available information (publications, web): Information that may be designated as publicly available and/or intended to be provided to the public.





The Academy primarily uses Google Drive to store its data. The IT department has created groups in order to share what is needed. We all must understand that access is a privilege and must be used with extreme responsibility.

Sensitive Data Storage Best Practices 

To keep PL-1 data secure, the IT Security office has developed the following guidelines:

  1. Overall Document Privacy
    Set the document as Private, and only share with selected people. (Private option highlighted below):
    • Public on the web - Anyone on the Internet can find and access. No sign-in required.
    • Anyone with the link - Anyone who has the link can access. No sign-in required.
    • SDSU University - People at SDSU University can find and access.
    • People at SDSU with the link - People at SDSU who have the link can access.
    • Private - Only people explicitly granted permission can access. Sign-in required. (only use this option)
  2. Check Names
    When sharing a document or folder, make sure you have the right person. For example, there may be an undergraduate student who has the same name as one of your co-workers.
  3. Share with a Group
    Did you know that Google Groups can be used to assign permissions to documents, especially in large departments? This can save a lot of time and ensure consistency.
  4. Name Clearly
    Be mindful of what you name folders and documents. People you share with will see the name, so you should be descriptive and professional in your naming. It might be helpful to include the name of the project or your department so it is easy for others to find.
  5. Use Shared Team Drives, Not Documents
    If it is likely that you will share documents in the future with the same group of people, it is best to create a Shared Team Drive and share it with specified users. All the documents you put in that folder will be automatically shared with the same group of people.
    • Why? Sharing individual documents is more time consuming and can lead to errors and inconsistencies. When sharing a folder, it is easier to keep track of who has access and give a new person the ability to access many files at once. Also, using a folder allows everyone in your group to add to that folder, creating an easy-to-find archive of group materials.
    • Why not? If you only need to share one document, you may not need a folder.
    • Shared Drive Settings. Use the following to ensure the most secure settings for Shared Team Drives.
      • Only people inside San Diego State University can be given access to the files in this shared drive.
      • Only members of this shared drive can access files in this shared drive.
      • Prevent commenters and viewers from downloading, copying, and printing files in this shared drive.
  6. Protect Your SDSUid Password
    • Don't reveal it to anyone
    • Don't re-use it for other accounts
  7. Do Not Attach Files With PL-1 Data to Email Messages
    • Only use Google Drive and Google Team Drive to store files with PL-1 data. Do not attach and email files with PL-1 data.
  8. Document Deletion
    • Only the creator/owner can permanently delete a doc/collection. If something has been moved, the owner can still find it in the "Owned by Me" section of their Google Docs/Drive homepage. If the owner is no longer at SDSU, the item(s) may be deleted permanently. For document preservation, we recommend using Google “Team drive” instead of “My Drive”.
    • When you delete a file, it is sent to Google Trash. Once permanently deleted from the trash, Google Docs and collections cannot be recovered.
  9. Use Google’s "Account Activity" Feature to Help Make Sure No One Else is Using Your Account
    Your Recent Activity - entire Google account
    • The "Recent activity" section of your Account Security page lists security-related actions you’ve taken, such as signing in to your Google Account, changing your password, or adding a recovery email address or phone number. This information is for your entire Google Account, so sign-ins from any Google product (such as Blogger, Gmail, or YouTube) will be listed in this section.
    • If you notice anything suspicious, e.g. a sign-in from a browser you've never used, or a location you've never been to, you are prompted to change your password to secure your account. If you notice a recovery option change you did not make, be sure to update the recovery option in addition to changing your password.
  10. Sign Out of Your Google Account When You're Not Using It
  11. Do Not Connect to Your G Drive on a Public Computer
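
For IT staff reviewing existing shares against guideline 1 and the Shared Drive settings in guideline 5, the sketch below is an added example, not part of the original guidance. It maps Google Drive API v3 permission resources (the `type` and `allowFileDiscovery` fields) to the five sharing options listed above and flags anything that is not Private or that is granted outside the campus domain. The file names, addresses and the `sdsu.edu` domain value are constructed sample data and assumptions.

```python
ALLOWED_DOMAIN = "sdsu.edu"  # assumption: the campus Google Workspace domain

# Constructed sample: file names with Drive API v3 permission resources.
SAMPLE_FILES = [
    {"name": "roster.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "owner@sdsu.edu"},
        {"type": "group", "role": "reader", "emailAddress": "fiscal-team@sdsu.edu"}]},
    {"name": "payroll.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "owner@sdsu.edu"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"name": "handbook.docx", "permissions": [
        {"type": "domain", "role": "reader", "domain": "sdsu.edu",
         "allowFileDiscovery": True},
        {"type": "user", "role": "writer", "emailAddress": "vendor@example.com"}]},
]


def visibility(perm):
    """Map one permission resource to a sharing option from the list above."""
    discoverable = perm.get("allowFileDiscovery", False)
    if perm["type"] == "anyone":
        return "Public on the web" if discoverable else "Anyone with the link"
    if perm["type"] == "domain":
        return "SDSU University" if discoverable else "People at SDSU with the link"
    return "Private"  # "user" or "group": access was granted explicitly


def audit(files):
    """Return (file, finding) pairs for every grant that is not Private and in-domain."""
    findings = []
    for f in files:
        for perm in f["permissions"]:
            level = visibility(perm)
            email = perm.get("emailAddress", "")
            if level != "Private":
                findings.append((f["name"], level))
            elif not email.lower().endswith("@" + ALLOWED_DOMAIN):
                findings.append((f["name"], "External account: " + email))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_FILES):
        print(f"{name}: {finding}")
```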


Information Security Plan (ISP: Section 3.9)

Storing Protected Information on SDSU Systems:
  • Protected Level 1 information should not be stored on SDSU laptops or desktops. This information should be stored on secured databases or file servers or on off-line media.
  • Off-line media should be encrypted and must be stored in a secure location at the University or another site approved by management (including off-site backup services).
  • All work computers are protected by policies that mimic SDSU requirements, including screen locks that are enabled after 15 minutes of no activity.
Use of Personal Equipment: 
  • Personal equipment includes devices such as personal laptops, personal desktops, personal digital assistants (PDAs), cell phones. SDSU Protected Level 1 or PL-1 information must not be stored on any personal equipment.
  • Users must not send or forward e-mails containing PL-1 information to personal email accounts.
  • Users should adopt the same anti-virus, anti-spyware, and patch management standards for personal equipment as for University systems.
  • Personal devices being used at the University must not be connected to the network behind an internal firewall without authorization. 
Use of File Servers: 
  • IT managers are responsible for ensuring that access to information stored on file servers is limited to authorized users. Access to information should be granted according to job duties. PL-1 information that is stored on file servers should be encrypted. 
Use of Databases: 
  • IT managers are responsible for ensuring that access to information stored on file servers is limited to authorized users. Access control should include a combination of file read/write privilege and access control lists on the database data objects. These databases should be configured to encrypt PL-1 elements. 
"Red Flag" Rules:
  • Requires institutions and creditors to implement a written identity theft prevention program designed to identify and detect identity theft schemes in response to "red flags". 
  • The rule applies to any institution that provides goods or services that are not fully paid in advance (e.g. tuition, room and board, etc. are not due in full prior to the start of a semester).
  • Types of accounts that must adhere to the Red Flag Rules:
    • Financial Aid
    • Employee loans
    • Installment payments and short-term loans
    • Accounts that are created for ongoing services and allow students to reimburse the University when billed over a period of time.
    • Any type of collection account 
Red Flag Identification and Response: 
  • University departments must monitor a number of variables and indicators which are described in the California State University Identity Theft Prevention ("Red Flag Rule") Implementation Plan section 4.3.1.
  • Additional flags that need further investigation are:
    • Request to change mailing address
    • Request to change password or execution of a password reset
    • Changes of forwarding email address
    • Change of account names
    • Change of bank account
    • Reports to security@sdsu.edu
    • Reports to the campus ISO
    • Reports to Public Safety

FERPA Training

Family Educational Rights and Privacy Act
  • FERPA prohibits any person connected with the institution — including administrators and faculty — from improperly disclosing information.
  • Training is required annually of SDSU students and staff. This training goes over who is targeted, and the uses and misuses of malware that can access your computer through various methods, such as phishing, zip files, and thumb drives, that exploit fears and/or curiosity (for example, a file labeled "confidential").
  • It is important to understand that an IT department cannot be the only entity standing in the way of a security breach. Everyone must play a part in educating themselves to stop data from being stolen or taken advantage of.
  • Faculty are required to take FERPA training. To complete it, log in to your CSU account at csu.sumtotal.host with your work email and password > click Library on the top right > Library > type "FERPA" in the search box > select the curriculum "Data Security and FERPA" and complete the certification.

Password Requirements

SDSU and CDSS require strong passwords that should be changed annually. The CSU mandates that SDSU must have a policy that requires password changes. The current SDSU Information Security Plan requires that all passwords be changed every 12 months. You will receive email notifications reminding you to change your password on the following schedule: 30 days, 14 days, 2 days, and 1 day before expiration.

A strong password must meet the following requirements:
  • Passwords must contain at least 10 characters.
  • Passwords must contain characters from 3 of the following 5 categories:
    • Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
    • Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
    • Base 10 digits (0 through 9)
    • Non-alphanumeric characters: ~ ! @ # $ % ^  * _ - + =  | \ ( ) { } [ ] : ;  , . ? /
    • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
  • Passwords must not contain the user's logon ID, first name, middle name, or last name
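
The rules above can be checked mechanically. The following validator is an added example, not SDSU's or CDSS's own code. It assumes that Unicode general categories Lu and Ll stand in for the uppercase and lowercase categories, that the name and logon ID match is case-insensitive, and that the symbol set is exactly the one listed on this page.

```python
import unicodedata

# Symbol set copied from the non-alphanumeric list on this page.
SYMBOLS = set("~!@#$%^*_-+=|\\(){}[]:;,.?/")
MIN_LENGTH = 10
MIN_CATEGORIES = 3


def categories(password):
    """Return which of the five character categories appear in the password."""
    found = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":          # assumption: Unicode uppercase letter
            found.add("upper")
        elif cat == "Ll":        # assumption: Unicode lowercase letter (includes sharp-s)
            found.add("lower")
        elif ch in "0123456789":
            found.add("digit")
        elif ch in SYMBOLS:
            found.add("symbol")
        elif ch.isalpha():       # alphabetic, but neither uppercase nor lowercase
            found.add("other_alpha")
    return found


def check_password(password, logon_id, first="", middle="", last=""):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if len(categories(password)) < MIN_CATEGORIES:
        problems.append("too_few_categories")
    folded = password.casefold()
    # Assumption: the comparison ignores case; empty name parts are skipped.
    for token in (logon_id, first, middle, last):
        if token and token.casefold() in folded:
            problems.append("contains_name_or_id")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample user and passwords.
    for pw in ("correct-Horse-42", "Short1!", "Doe-family-2024"):
        print(pw, check_password(pw, "jdoe", "Jane", "", "Doe"))
```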

