The University recognizes that, in order to support its core functions, comply with regulatory obligations, and contribute to the effective overall management of the institution, information must be considered a valuable asset which must be protected to ensure confidentiality, integrity, and availability.
Information classification is the process of assigning value to data in order to organize it according to its risk of loss or harm from disclosure. The Cal State Fullerton information classification and handling standard establishes a baseline classification level which fulfills requirements placed on state agencies in relation to the collection, use, maintenance and dissemination of information relating to individuals. Additional protections are specified by a number of other federal and state laws, regulations, CSU Executive Orders, campus policies and directives that govern the privacy and confidentiality of data, including:
Family Educational Rights and Privacy Act
California’s Information Practices Act
Title V
California’s Public Records Act
Gramm-Leach-Bliley Act
Health Insurance Portability and Accountability Act
CSU Information Security Policy
CSU Executive Orders
CSU Fullerton Directive 13
This document was derived from frameworks established by the CSU, earlier efforts by Cal State Fullerton staff, Cal Poly Pomona and Rutgers University and has adopted portions either in full or in part.
The information classification and handling standard applies to
All data collected, generated, maintained, and entrusted to Cal State Fullerton (e.g., student, research, financial, employee data) except where superseded by grant, contract, or federal copyright law.
Information in electronic or hard copy form.
Information asset classification is required to determine the relative sensitivity and criticality of information assets, which provide the basis for protection efforts and access control.
To ensure that all individuals utilizing University resources understand their responsibility for securing and protecting the University’s data.
To provide guidance on the data classification of Fullerton information based on fiscal, legal and administrative value to the University.
To identify the corresponding Cal State Fullerton standard to be implemented by owners and/or custodians based upon the sensitivity and classification of the information asset.
All members of the Cal State Fullerton University community
Cal State Fullerton has adopted a security model to address its highly distributed and complex environment. There are a wide variety of systems, databases, and applications connected to the campus network which create, store, and transmit information. Information protection is the responsibility of every member of the campus community, but specifically of the Departments and Divisions which bring in or generate the information for the University. Departments or Divisions are also responsible for ensuring the protection of that information once it is distributed to any other Department or Division that maintains or uses the information.
Further, the Departments or Divisions are responsible for applying the appropriate “due care”, based upon the sensitivity of the information.
This Standard provides direction on classifying information based on fiscal, legal and administrative value to the University. Therefore, University faculty, staff and administrators shall:
Classify data based upon the sensitivity criteria outlined in this document
Implement the Information Security Controls and Standards based upon this classification
II.
A. Data
The University's data is defined as any information within its purview, including student record data, personnel data, financial data (budget and payroll), student life data, departmental administrative data, police records and legal files, and all other data that pertains to, or supports the administration of the University.
This document covers all information regardless of storage medium
(e.g., paper, fiche, electronic tape, cartridge, disk, and CD-ROM) and regardless of form (e.g., text, graphic, video, and voice), as well as University data stored at third party providers.
B. Classification of Data
All University data is classified based upon sensitivity and risk. The classification of data and the corresponding levels take into account legal and regulatory obligations of the University, contractual agreements, and strategic or proprietary worth of the data.
The California State University (CSU) has identified three classification levels that are referred to as level 1, level 2, and level 3. Although all the enumerated data values require some level of protection, particular data values are considered more sensitive and correspondingly tighter controls are required for these values.
The most critical level of sensitivity begins with Level 1.
Level 1: Confidential
Confidential information is defined as information whose unauthorized disclosure, compromise or destruction would result in severe damage to Cal State Fullerton, its students, or employees.
Financial loss, damage to Cal State Fullerton’s reputation, and possible legal action could occur.
Level 1 data is intended solely for use within Cal State Fullerton and limited to those with a “business need-to-know”. Statutes, regulations, other legal obligations or mandates protect much of this information. The CSU has identified specific guidelines regarding the disclosure of much of this information to parties outside of the University and the controls needed to protect against unauthorized access, modification, transmission, storage, or other use.
Examples of Level 1 Information Include:
Personal Information
Passwords or credentials.
PINs (Personal Identification Numbers)
Date of Birth (Month/Day/Year) combined with last four of SSN and name.
Name refers to either an individual’s full name or sufficient elements of the individual’s first name followed by the individual’s complete last name.
Tax ID with name.
Driver’s license number, state identification card, and other forms of national or international identification (such as passports, visas, etc.) in combination with name.
Social Security number and name.
Financial Information
Credit card numbers with cardholder name and expiration.
Bank account or debit card information.
Health Information
Medical records related to an individual, an individual’s treatment, health plan, and appointments.
Psychological Counseling records related to an individual.
Technical Security Information
Vulnerability/security information related to the campus or information system.
Law Enforcement Information
Law Enforcement records related to an individual.
Level 2: Internal Use
Internal use information must be guarded due to proprietary, ethical or privacy considerations. Internal use information is intended for use by Cal State Fullerton employees and by contractors and vendors covered by a non-disclosure agreement. An unauthorized disclosure, compromise or destruction would directly or indirectly have an adverse impact on Cal State Fullerton, its students, or employees.
Financial loss, damage to Cal State Fullerton’s reputation, and possible legal action could occur. Campus guidelines will indicate the controls needed to protect against unauthorized access, modification, transmission, storage or other use.
Examples of Level 2 Information Include:
Identity validation keys
Birth date (full: mm-dd-yy)
Birth date (partial: mm-dd only)
Mother’s maiden name
Student information
Educational records (excludes directory information; see CSU Executive Order 382)
Home or mailing address
Personal telephone numbers
Personal email address
Ethnicity
Gender
Birthplace (City, State, Country)
Grades
Courses taken
Schedule
Test Scores
Advising records
Educational services received
Disciplinary actions
Employee Information
Employee net salary
Employment history
Home address
Personal telephone numbers
Personal email address
Parents and other family members names
Payment History
Employee evaluations
Background investigations
Biometric information
Electronic or digitized signatures
Private key (digital certificate)
Birthplace (City, State, Country)
Ethnicity
Gender
Marital Status
Personal characteristics
Physical description
Photograph
University Alumni Information
Name
Home or mailing address
Personal telephone numbers
Personal email address
Student records still retained.
All information protected under existing Federal and State statutes
Legal Information
Legal investigations conducted by the University
Purchasing Information
Sealed bids
University Research
Trade secrets or intellectual property such as research activities
Library Patron Information
Linking a library user with the specific subject about which the library user has requested information or materials.
Facilities Information
Building plans and architectural drawings
Other Information
Location of assets
Level 3: Public
This is information that is regarded as publicly available. This data is either explicitly defined as public information (e.g., state employee salary ranges), intended to be readily available to individuals both on- and off-campus (e.g., an employee’s work email address), or not specifically classified elsewhere in the protected data classification standard. Knowledge of this information does not expose Cal State Fullerton to financial loss, or jeopardize the security of Cal State Fullerton’s assets. Publicly available data may be subject to appropriate campus review or disclosure procedures to mitigate potential risks of inappropriate disclosure.
Examples of Level 3 Information Include:
Student Information
Name
Major Field of Study
Participation in officially recognized sports/activities
Weight and Height of athletic team members
Dates of Attendance
Full or Part-time status
Degrees and awards received
Campus E-mail address
Most recent or previous college/University/agency attended
Note: If the student has requested confidentiality, the above Student Information is no longer public for that student.
Employee Information
Employee Title
Employee public email address
Employee work location and telephone number
Employing department
Employee classification
Employee gross salary
Name (first, middle, last) (except when associated with protected information)
Signature (non-electronic)
The Fullerton Information Security Standard is set out in the following documents.
A. The Cal State Fullerton Information Security Controls and Standards
The Fullerton Information Security Controls and Standards have been developed in order to provide direction on the appropriate system, administrative, and physical controls to apply to Data based on sensitivity.
University data will be protected by implementing Fullerton security standards, based upon the data classification, identified in this document.
B. Fullerton Policies, Standards, and Guidelines for Information Security
Information security standards are mandatory controls that must be employed in order to comply with this Standard. Security guidelines provide suggested alternatives, including implementation checklists, to enable compliance with the standards.