The University recognizes that in order to support its core functions, comply with regulatory obligations, and contribute to the effective overall management of the institution, that information be considered a valuable asset which must be protected to ensure confidentiality, integrity, and availability.
Information classification is the process of assigning value to data in order to organize it according to its risk to loss or harm from disclosure. The Cal State
Fullerton information classification and handling standard establishes a baseline classification level which fulfills requirements placed on state agencies in relation to the collection, use, maintenance and dissemination of information relating to individuals. Additional protections are specified by a number of other federal and state laws, regulations, CSU Executive Orders, campus policies and directives that govern the privacy and confidentiality of data.

Family Education Rights and Privacy Act
 California’s Information Practices Act

Title V
 California’s Public Records Act

Gramm-Leach-Bliley Act

Health Information Portability and Accountability Act

CSU Information Security Policy

CSU Executive Orders

CSU Fullerton Directive 13
This document was derived from frameworks established by the CSU, earlier efforts by Cal State
Fullerton staff, Cal Poly Pomona and Rutgers University and has adopted portions either in full or in part.

The information classification and handling standard applies to
 All data collected, generated, maintained, and entrusted to Cal State
Fullerton (e.g., student, research, financial, employee data) except where superseded by grant, contract, or federal copyright law.
 Information in electronic or hard copy form.
Information asset classification is required to determine the relative sensitivity and criticality of information assets, which provide the basis for protection efforts and access control.
To ensure that all individuals utilizing University resources understand their responsibility for securing and protecting the University
’s data.
To provide guidance on the data classification of Fullerton information based on fiscal, legal and administrative value to the University.
To identify the corresponding Cal State Fullerton standard to be implemented by owners and/or custodians based upon the sensitivity and classification of the information asset
All members of the Cal State Fullerton University community
This document was derived from frameworks established by the CSU, earlier efforts by Cal State
Fullerton staff, Cal Poly Pomona and Rutgers University and has adopted portions either in full or in part.

Cal State Fullerton has adopted a security model to address its highly distributed and complex environment. There are a wide variety of systems, databases, and applications connected to the campus network which create, store, and transmit information. Information protection is the responsibility of every member of the campus community but specifically,
Departments and Divisions which bring in or generate the information for the University. Departments or Divisions are also responsible for ensuring the protection of that information once it is distributed to any other
Departments or Divisions, which maintains or uses the information.
Further, the Departments or Divisions are responsible for applying the appropriate “due care”, based upon the sensitivity of the information.
This Standard provides direction on classifying information based on fiscal, legal and administrative value to the University. Therefore,
University faculty, staff and administrators shall:

Classify data based upon the sensitivity criteria outlined in this document

Implement the Information Security Controls and Standards based upon this classification
II.
A. Data
The University's data is defined as any information within its purview, including student record data, personnel data, financial data (budget and payroll), student life data, departmental administrative data, police records and legal files, and all other data that pertains to, or supports the administration of the University.
This document covers all information regardless of storage medium
(e.g., paper, fiche, electronic tape, cartridge, disk, and CD-ROM) and regardless of form (e.g., text, graphic, video, and voice), as well as University data stored at third party providers.
B. Classification of Data
All University data is classified based upon sensitivity and risk. The classification of data and the corresponding levels take into account legal and regulatory obligations of the University, contractual agreements, and strategic or proprietary worth of the data.
The California State University (CSU) has identified three classification levels that are referred to as level 1, level 2, and level
This document was derived from frameworks established by the CSU, earlier efforts by Cal State
Fullerton staff, Cal Poly Pomona and Rutgers University and has adopted portions either in full or in part.

3. Although all the enumerated data values require some level of protection, particular data values are considered more sensitive and correspondingly tighter controls are required for these values.
The most critical level of sensitivity begins with Level 1.
Level 1: Confidential
Confidential information is defined as information whose unauthorized disclosure, compromise or destruction would result in severe damage to Cal State Fullerton, its students, or employees.
Financial loss, damage to
Cal State Fullerton’s reputation, and possible legal action could occur.
Level 1 data is intended solely for use within Cal State Fullerton and limited to those with a “business need-to-know”. Statutes, regulation, other legal obligations or mandates protect much of this information. The CSU has identified specific guidelines regarding the disclosure of much of this information to parties outside of the
University and controls needed to protect the unauthorized access, modification, transmission, storage, or other use.
Examples of Level 1 Information Include:
Personal Information

Passwords or credentials.

PINs (Personal Identification Numbers)

Date or Birth (Month/Day/Year) combined with last four of SSN and name.
Name refers to either an individuals full name or sufficient elements of the individuals first name followed by the individuals complete last name.

Tax ID with name.
 Driver’s license number, state identification card, and other forms of national or international identification 1 in combination with name.

Social Security number and name.
1
Such as passports, visas, etc.
This document was derived from frameworks established by the CSU, earlier efforts by Cal State
Fullerton staff, Cal Poly Pomona and Rutgers University and has adopted portions either in full or in part.

Financial Information

Credit card numbers with cardholder name and expiration.

Bank account or debit card information.
Health Information

Medical records related to an individual, individuals treatment, health plan, and appointments.

Psychological Counseling records related to an individual.
Technical Security Information

Vulnerability/security information related to the campus or information system.
Law Enforcement Information

Law Enforcement records related to an individual.
Level 2: Internal Use
Internal use information must be guarded due to proprietary, ethical or privacy considerations. Internal use information is intended for use by Cal State Fullerton employees and contractors and vendors covered by non-disclosure agreement. An unauthorized disclosure, compromise or destruction would directly or indirectly have an adverse impact on Cal State Fullerton, its students, or employees.
Financial loss, damage to Cal State Fullerton ’s reputation, and possible legal action could occur. Campus guidelines will indicate the controls needed to protect the unauthorized access, modification, transmission, storage or other use.
Examples of Level 2 Information Include:
Identity validation keys

Birth date (full: mm-dd-yy)

Birth date (partial: mm-dd only)
 Mother’s maiden name
This document was derived from frameworks established by the CSU, earlier efforts by Cal State
Fullerton staff, Cal Poly Pomona and Rutgers University and has adopted portions either in full or in part.

Student information

Educational records (Excludes directory information) 2

Home or mailing address

Personal telephone numbers

Personal email address

Ethnicity

Gender

Birthplace (City, State, Country)

Grades

Courses taken

Schedule

Test Scores

Advising records

Educational services received

Disciplinary actions
Employee Information

Employee net salary

Employment history

Home address

Personal telephone numbers

Personal email address

Parents and other family members names

Payment History

Employee evaluations

Background investigations

Biometric information

Electronic or digitized signatures

Private key (digital certificate)

Birthplace (City, State, Country)

Ethnicity

Gender

Marital Status

Personal characteristics

Physical description

Photograph
2
See CSU Executive Order 382
This document was derived from frameworks established by the CSU, earlier efforts by Cal State
Fullerton staff, Cal Poly Pomona and Rutgers University and has adopted portions either in full or in part.

University Alumni Information

Name

Home or mailing address

Personal telephone numbers

Personal email address

Student records still retained.

All information protected under existing Federal and State statutes
Legal Information

Legal investigations conducted by the University
Purchasing Information

Sealed bids
University Research

Trade secrets or intellectual property such as research activities
Library Patron Information

Linking a library user with the specific subject about which the library user has requested information or materials.
Facilities Information

Building plans and architectural drawings
Other Information

Location of assets
This document was derived from frameworks established by the CSU, earlier efforts by Cal State
Fullerton staff, Cal Poly Pomona and Rutgers University and has adopted portions either in full or in part.

Level 3: Public
This is information that is regarded as publicly available. This data is either explicitly defined as public information (e.g., state employee salary ranges), intended to be readily available to individuals both on- and off- campus (e.g., an employee’s work email addresses), or not specifically classified elsewhere in the protected data classification standard. Knowledge of this information does not expose Cal State Fullerton to financial loss, or jeopardize the security of
Cal State Fullerton’s assets. Publicly available data may be subject to appropriate campus review or disclosure procedures to mitigate potential risks of inappropriate disclosure.
Examples of Level 3 Information Include:
Student Information

Name

Major Field of Study

Participation in officially recognized sports/activities

Weight and Height of athletic team members

Dates of Attendance

Full or Part-time status

Degrees and awards received

Campus E-mail address

Most recent or previous college/University/agency attended
Note : If the student has requested confidentiality, the above
Student Information is no longer public for that student.
Employee Information

Employee Title

Employee public email address

Employee work location and telephone number

Employing department

Employee classification

Employee gross salary

Name (first, middle, last) (except when associated with protected information)

Signature (non-electronic)
This document was derived from frameworks established by the CSU, earlier efforts by Cal State
Fullerton staff, Cal Poly Pomona and Rutgers University and has adopted portions either in full or in part.

The Fullerton Information Security Standard is enunciated by the following documents.
A . The Cal State Fullerton Information Security Controls and Standards
The Fullerton Information Security Controls and Standards have been developed in order to provide direction on the appropriate system, administrative, and physical controls to apply to Data based on sensitivity.
University data will be protected by implementing Fullerton security standards, based upon the data classification, identified in this document.
B. Fullerton Policies, Standards, and Guidelines for Information
Security
Information Security standards are mandatory controls that must be employed in order for compliance to Standards. Security guidelines provide suggested alternatives, including implementation checklists to enable compliance with Standards.
This document was derived from frameworks established by the CSU, earlier efforts by Cal State
Fullerton staff, Cal Poly Pomona and Rutgers University and has adopted portions either in full or in part.