Personnel Information Security Supplemental Policy
Number: 8030.0 Revised: August 15, 2010
8030.200 Employment Requirements
Subject to the limits of law and CSU bargaining agreements, all Sacramento State employers must develop procedures to conduct background checks prior to the appointment of any positions involving access to Level 1 information assets, as defined in the Sacramento State Data Classification Standard.
8030.300 Separation or Change of Employment
Access and privileges to campus information resources must be removed for all employees on the last day of active work on campus, upon termination of employment, or when job duties no longer provide a legitimate business reason for information access.
Separated employees must follow the Employee Separation Process to secure any confidential information in their possession prior to removal of their access to that information. In addition, both electronic and paper files containing sensitive information that are in the possession of separated employees must be promptly identified and either removed or placed in the possession of an authorized departmental data steward, who shall consult with the Information Security Officer to identify appropriate methods for transfer or disposal of such files. A separated employee shall be given the opportunity to retain stored personal data prior to separation.
All information technology assets used by separated employees must be transferred or disposed of in a manner that assures the continued confidentiality of any stored campus data.
If the separating employee is in possession of information resources subject to a litigation hold, the Information Security Officer must be contacted to conduct a final data collection appropriate to that litigation hold, prior to separation.
Audit of Physical Access
The Information Security Officer must conduct an annual audit of physical access to confidential information resources, including the appropriateness of physical security, key and card access, and controls over access by unauthorized personnel. Any results of the audit indicating levels of risk related to physical access that are deemed unacceptable by the Information Security Officer must be reported to the Vice President and Chief Information Officer, including recommendations for mitigation of that risk.