Sac State University Policy Manual

Information Practices

Policy Administrator: Vice President for Human Resources
Authority:
Effective Date: July 1, 1987
Updated:
Index Cross-References:
Policy File Number: UMI07050.htm

INFORMATION PRACTICES

GENERAL INFORMATION

l. Section 1798.14 of the Act establishes a relevant and necessary test for the maintenance of information. It directs that, "Each agency shall maintain in its records only personal or confidential information which is relevant and necessary to accomplish a purpose of the agency required or authorized by the California Constitution or statute or mandated by the federal government." All departments bear a responsibility in analyzing their requests for data. The analytical approach recommended is to address 'How do we use the information?' and 'Would our process be significantly impacted if we did not have it?'. Any information that does not have a specific use of that does not (or should not) have significant impact should not be collected, and existing forms which solicit information should be edited accordingly. If you have questions about the legality of your forms, contact the Human Resources office, Ext. 86078.

2. The following information must be provided with any form which collects information from individuals:

    A. Division or office requesting information.

    B. Title, campus address, and phone number of responsible official.

    C. Authority for maintaining the Information.

    D. For each Item of Information, whether submission is mandatory or voluntary.

    E. The consequences of not providing all or any part of the information.

    F. The principal uses of the Information.

    G. The anticipated disclosures.

    H. The individual's right of access to records containing personal information.

    Copies of the Privacy Notice are available in the Human Resources office, Sacramento Hall,     Room 259.

3. Student Records - This policy does not cover student records except for those student records not covered by the Education Code namely:

    A. information provided by a student's parents relating to application for financial aid or
    scholarship;

    B. confidential letters or statements of recommendations maintained by the university
    before January l, 1975;

    C. information related to a student created or maintained by a physician, psychiatrist,
    psychologist or other recognized professional; and

    D. information maintained by the university law enforcement unit. [See Education Code     Section 67100 et seq.]

ACCESS 

l. All individuals who are the subject of records maintained by this campus shall have the right to inquire and be notified as to whether or not a record pertaining to them is maintained by the campus.  Whenever the campus is unable to access a record by
reference to name only, or when access by name only would impose an unreasonable administrative burden, the requesting individual may be required to submit such
other identifying information as will facilitate access to the record.

2. Upon written request, the individual shall, within 10 calendar days of the request, be provided an exact copy of all or any portion the individual desires. [Education Code 89546]

3. Individuals shall be allowed to review copies of the reports that are required to be filed with the Office of Information Practices relating to the type of records maintained by this campus. Copies of these reports are kept in the Faculty and Staff Affairs
Office.

4. Any notice to an individual which indicates that the campus maintains a record of that individual shall include the title  and business address of the person directly responsible for the system of records of which the record is a part.

5. The individual shall have the right to have another person of his/her choosing accompany him/her to inspect the individual's records.

6. Information must be presented in a reasonably comprehensible form. This means it must be in the English language, free of esoteric symbols and words, comprehensible to a person at the eighth-grade reading level.

7. If an individual wishes to have copies of records pertaining to himself/herself, such copies shall be made and a fee of not more than ten cents  (10c) per page charged unless a higher fee is established by statute. Procedures for collection of such fees were outlined in a January 19, 1977 memo from the Business Manager.

8. Copies will be furnished directly to the individual, if practical, or to another person specifically authorized by the individual. Copies may be mailed to an address
given by the individual requesting them. In all cases, proper identification of the requestor is necessary to ensure privacy.

9. Copies of all available records shall be furnished to the subject individual within ten (10) days of the date of request.

10. When an individual is permitted to review or is given copies of information about himself or herself, any information relating to another individual shall be deleted. Any confidential information contained in the record shall also be deleted. The official who is
responsible for maintaining the record system shall be responsible for doing the screening.

REFUSAL OF ACCESS

1. If the campus refuses access to an individual to information pertaining to himself/herself based on the information being "confidential", it shall inform the individual, in writing, of the fact.

2. If the individual requests a review of a refusal of access, the campus shall make such review within thirty (30) days of such request and inform the individual in writing of its final decision. In the case of confidential records held by the Department of Public
Safety, the reviewing officer shall be the Vice President for Operations and Finance or his/her designee. For Student Health Services, the reviewing officer shall be the Director of Health Services.

AMENDMENT OF RECORDS

l. Any request by an individual to amend or correct personal information in a record maintained by the campus shall be answered within twenty-one (21) days from the date of receipt of the  request. The president shall either accede to the individual's request or notify him/her in writing of the president's refusal to grant the request.  If the president refuses to grant the request, the president shall state his/her refusal in writing, and that
written statement shall become part of the individual's personnel file.

2. The response shall consist of:

    A. making the changes requested by the subject individual and notifying the individual of the     fact, or

    B. informing the individual of the campus' refusal to make the changes and the reasons for
    such refusal, and stating procedures for requesting a review of this decision and the name,
    title, and business address of the reviewing official. Both the individual's request for
    amendment or correction and the reasons for refusal of the request shall become
    part of the record.

3. If the final determination is to sustain the refusal to make the requested changes, the campus will permit the individual to file a statement of reasonable length setting forth the reasons for the individual's disagreement with the record. "Reasonable length"
shall be no more than one typewritten page, unless unusual circumstances exist. Such statement shall become part of the individual's record and be disclosed with any
authorized disclosures of such record. A copy of the reasons for refusal shall also be disclosed.

4. Any person or agency to whom the record has been disclosed during the preceding three years shall be informed of any correction of  any error or notation of dispute. See the Act, Section 1798.28 for details.

OTHER PROVISIONS OF THE ACT

1. The person designated on the Personal/Confidential Records Report shall be the officer responsible for authorizing disclosures.

2. The campus may not disclose any personal information unless:

    A. by request of the individual to whom the record pertains;

    B. upon written voluntary consent of the individual to whom the record pertains, but only if
    such consent has been obtained not more than thirty (30) days before the disclosure, or in
    the time limit specified by the individual in the written consent;

    C. to an authorized representative or guardian;

    D. for compelling safety or health reasons;

    E. for anonymous statistical research;

    F. required by law; or

    G. to a person or agency if such disclosure is relevant and necessary in the performance of
    official, constitutional or statutory duties.

Note: The above seven conditions are summaries only Specific questions should be answered by the Information Practices Act, Section 1798.24.

3. The following information concerning CSUS employees is public record information and must be made available in response to any request:

The names of persons on the public payroll.

    Work location:
    Agency
    Reporting Unit
    County of Employment
    Gross Salary:
    Frequency
    Rate
    Time Worked
    Shift Differential
    Pay Period
    Job Classification/Range
    Time Base
    Appointment and Tenure
    Retirement System
    Payee name and agency which submitted the claim for general dis-bursements payment.

4. The following information is identified as personal and should not be disclosed without the employee's consent except for official business purposes:

    Social Security Number
    Number of tax exemptions
    Amount of taxes withheld
    Amount of O.A.S.D.I. withheld
    Marital Status
    All voluntary deductions/reductions, (amounts and types)
    Survivors amounts
    Net pay
    Home address or phone number
    Birth date
    Ethnic data
    Designee for last Payroll Warrant

OTHER PROVISIONS OF THE ACT (continued)

5. An accounting must be made of the following disclosures.

    A. Personal or confidential information to another state agency.

    B. To any person pursuant to a subpoena, court order or other compulsory legal process.

    C. To any person pursuant to a search warrant.

    D. To a law enforcement agency when required for an investigation of unlawful activity.

    E. To another person or governmental organization to the extent necessary to obtain
    information from such person or governmental organization as necessary for an
    investigation by the agency of failure to comply with a specific state law. [C.C. 1798.24.]

6. Accounting for disclosures must be identifiable with and traceable to the information disclosed.

7. Each accounting must be kept for three (3) years or until the record is destroyed, whichever is shorter.

8. In many cases, when records are corrected or amended recipients of disclosures received within the last three (3) years must be informed of the changes. See Section
1798.28 of the Information Practices Act for specifics.

9. Records must be maintained with accuracy, relevance, timeliness completeness, security, and confidentiality.

10. Sources of information must be maintained in readily accessible form.

11. Employees shall not disclose personal and confidential information relating to individuals to unauthorized persons or entities. The intentional disclosure of such
information to such persons or agencies may be cause for disciplinary action, including dismissal.

12. Employees shall not seek out or use personal or confidential information relating to others for their own interest or  advantage. The intentional violation of this rule may be cause for disciplinary action, including dismissal.

13. Employees responsible for the maintenance of personal and confidential records shall take all necessary precautions to assure  that proper administrative, technical, and physical safeguards  are established and followed in order to protect the confidentiality of records containing personal information and to assure that such records are not disclosed to unauthorized individuals or agencies.  Employees shall take precautions with personal or confidential information, i.e., not leave that information on desk  tops so it is exposed. For automated records retained by the Computer Center, please see Attachment I, Computer Security.

14. Employees shall not require individuals to disclose personal information which is not necessary and relevant to the purposes of the campus or to the particular function for which the employee is responsible.

15. Employees shall make every reasonable effort to see that inquiries and requests relating to personal records of individuals are responded to quickly and without requiring the individual to repeat unnecessarily his or her inquiry to others.

16. Employees shall assist individuals who seek information pertaining to themselves in making their inquiries sufficiently specific and descriptive so as to facilitate locating the records. 

17. Employees shall respond to inquiries from individuals and requests from them to review, obtain copies of, amend, correct, or dispute their personal records in a courteous and businesslike manner, and in accordance with campus procedures for access and amendment of personal records.

ATTACHMENT 1

COMPUTER SECURITY

PURPOSE

The purpose of this document is to provide the policies, guidelines and procedures for prevention of injury to personnel and maintenance of the physical security of the Computer Center including the protection of programs, data, and confidential materials. Security and confidentiality of data has been addressed most recently by the Information Practices Act of 1977, to which this document refers.

This manual is intended to serve as a guide to cover most foreseeable circumstances. It is not intended to act as a substitute for logical, common sense in all emergency situations.

This manual corresponds to and is consistent with the policies set forth in the State Administrative Manual (SAM) sections 4841 through 4846.6 as they apply to computer centers and the data they process.

POLICY

The Computer Center acts as both a temporary and permanent custodian of many vital records of the University. Each individual, group or office utilizing any service provided by the Computer Center shall have control over its data supplied to the Computer Center and received from it in accordance with the necessity of the entity to conduct its own affairs. Accordingly, the Computer Center is prohibited from releasing data entrusted to its care to any person or organization unless the Computer Center receives properly authorized consent of the individual or organization that has control of the data.

The CSUS computing facilities are shared resources which exist to assist the University in achieving instructional and administrative objectives. Although it is a powerful resource, it is one that can be abused. Users of the CSUS computing facilities have a number of responsibilities, those of which apply to overall security and confidentiality are summarized below.

1. To use the facility for the purposes stated in the requests for account numbers and in accordance with established policies and procedures.

2. To use the resources as efficiently as possible so as not to adversely impact other users.

3. To respect other users' rights to the privacy of their programs and data.

4. To safeguard account numbers and passwords in order to reduce the potential for illegal use of the computer and unauthorized access to data files through the theft of this information.

5. To maintain the security of data files (tape and disk) by not giving other users write access privileges to files.

6. To utilize techniques and software made available by the CSUS facility for assuring the privacy and integrity of data stored in the CSUS facility.

7. To report suspected unauthorized use of the central computing facilities to the Computer Center Manager as soon as possible. 8. To comply with systemwide policies and procedures in maintaining the security and confidentiality of programs and data files by complying with the provisions of IS 78-20 concerning recordation of file ownership and authorized use.

User responsibilities for data security, mass storage allocations, remote job entry transmission, "over the counter"
job submission, and the use of the timeshare facility are detailed and discussed in the various Users Manuals and systemwide correspondence concerning these as well as related topics.

CSUS Computer Center recognizes the following general principles regarding personal data.

1. Personal data should not be collected and maintained unless it contributes to the operations and management of the University in the reasonable performance of functions for which it is legally responsible.

2. Personal data collected by one state agency should be shared with other state agencies only to the extent that there is determined authorized need.

3. Personal data should be protected as necessary to ensure that such data is used only for lawful purposes within the University and not made available to outside individuals
or groups except as provided by law and with the proper responsible authorization.

4. If personal data is released to outside individuals or groups by proper authorization, it should be in an anonymous form where personal identification is removed and the number of data records is sufficiently large to preclude individual identification.

5. Personal data should be audited periodically to ensure its continued need and accuracy. Procedures should exist for correction of inaccuracies.

6. The physical environments where personal data is processed and stored should be audited with such frequency as is needed to ensure the maintenance of adequate safeguards against damage, alteration, theft and possible penetration by unauthorized persons.

7. It is the responsibility of the various offices of the University which generate, use and have access to automated personal and other data to ensure the confidentiality of such data through appropriate security safeguards, to ensure its continued accuracy and to properly dispose of the data when it is no longer needed.

It is expected that users of the CSUS Computer Center will respect these principles. If in the usual discharge of duties, employees of the Computer Center should observe requests, data, printouts, or activities which appear to be contrary to stated policies and procedures, they shall bring them to the attention of the Computer Center Manager or the Information Security Officer when the Computer Center Manager is not available.

EXTERNAL SECURITY

1. The general policy of the Computer Center is to restrict access to the Computer Center to authorized Computer Center personnel, assigned vendor maintenance personnel and assigned building maintenance personnel. Other personnel will be admitted only on a need-to-enter basis. Entrance to the Computer Center may be authorized only by the Computer Center Manager, Director, Information Security Officer or their designees.

2. Access questions may be resolved by calling the:  Computer Center Manager or the Director of Computing Services.

3. All doors for normal access shall have self-locking electronic locks and shall be monitored by closed circuit television. Combinations shall be changed as employees
terminate and at regular intervals.

4. All doors not intended for normal access shall be kept locked at all times.

5. All unauthorized or attempted intrusions shall be reported to the Computer Center Manager or the Information Security Officer when the Computer Center Manager is not available.

LIMITED ACCESS

1. The outside door of the Computer Center shall be kept locked except during the time when properly recognized individuals are entering. An unlocked entrance door to the Computer Center shall not be left unattended.

2. Access to the computer room shall be denied to all except authorized Computer Center personnel.  Visitors may be admitted if proper authorization is obtained from the Computer Center Manager, Director or the Information Security Officer when the
Computer Center Manager is not available.

3. Access by any personnel other than Computer Center personnel during non-scheduled hours shall be controlled and shall require prior notification and
authorization.

INTERNAL SECURITY

1. All personnel shall be trained in emergency procedures.

2. Use of emergency switches and power-down procedures shall be understood by all Operations personnel.

3. There shall be emergency lighting in the computer and support areas. The auxiliary lighting system shall be tested at least twice a month.

4. All personnel shall be trained in the proper evacuation procedures to be used in the event of fire or acts of violence. Regularly scheduled drills shall be held and appropriate instructions shall be posted.

5. Smoking, eating or drinking shall not be permitted in the computer room and this area shall be kept clean.

6. Only authorized persons shall operate the computer systems.

7. Confidential program listings and carbons which are not to be retained shall be placed in a designated area in the controlled environment. The material shall be removed at a specified time and destroyed by shredding or other appropriate means.

8. If material indicates personal data such as names, addresses, phone numbers and social security numbers or gives any information which can be identified as being about a particular person, the material shall be treated as confidential material.

IDENTIFICATION

1. All Computer Center personnel have identification cards. These cards do not constitute authorization for access to the computer room.

2. Vendor representatives and field engineering personnel have identification. This does not constitute authorization for access to the computer
room.

3. Only those people with acceptable identification and who have authorization from the Computer Center Manager, the Director, the Information Security Officer or their designee shall be admitted to the computer room.

4. All visitors (a visitor is defined as any person who does not have a Computer Center identification card with the appropriately colored background on their picture) shall sign in and out on a log maintained at the computer room entrance. Included on the log shall be name, organization, date, time in and out, and reason for the visit.

5. All visitors shall be escorted to and from their destination by an employee of the Computer Center.  Visitors shall not be left unattended.

6. When appropriate, all packages, briefcases, tool cases, etc., shall be inspected upon entering and before leaving the Computer Center.

SOFTWARE SECURITY

1. Storage of backup data sets shall be maintained at a site separate from the Computer Center.

2. The backup of all user data sets, programs, documentation and procedures for recreation of data sets is the responsibility of the user.

3. The applicable operating systems shall have protection to prevent bypassing of security utilities.

4. All permanent mass storage files shall use, and change as necessary, privacy codes and passwords to prevent unauthorized access, tampering or destruction.

5. All permanent tape files shall be internally labeled and shall contain privacy codes to prevent unauthorized access, tampering and destruction.  Privacy codes shall be changed periodically.

6. Only members of the CSUS Operating Systems Support Group and such other persons as may be specifically authorized by the Computer Center Manager, Director
or Information Security Officer or their designee shall have access to operating systems.

DATA SECURITY

1. Since information may reside in the Computer Center which could be detrimental to peoples' interest if allowed in unauthorized hands, every Computer Center employee shall exercise caution and care when handling data. Disclosure of the data to any
unauthorized person either in detail or summary is absolutely prohibited.

2. The Computer Center Manager or designee shall periodically make inspections of sensitive files, computer and visitor logs and precautionary procedures to insure the maintenance of appropriate security measures.

3. All new employees of the Computer Center shall read this security manual.

4. Magnetic tapes and disk packs shall be stored in fire resistant and controlled areas. There shall be fire and smoke detectors and alarms with provisions for Halon flooding.

5. Inventories of tapes and disk packs shall be taken at periodic intervals and missing items shall be reported to the Computer Center Manager of the Information Security Officer when the Computer Center Manager is not available.

OWNERSHIP

1. Data resident on data files are the property of the user holding the account number under which the data file was created.

2. All data files shall be physically maintained in the Computer Center library unless released at the request of the owner. A log of the transactions relative to data files shall be maintained.

3. The data file owner assumes responsibility for the confidentiality of the data when the physical data file or processed data is removed from the Computer Center.

4. The data file owner is responsible for the prudent duplication of otherwise irreplaceable data files.

ACCESS

1. Data may be accessed by the owner of the data file.

2. Authorization for access of data must be in writing with a copy to the Computer Center.

3. If necessary, data may be accessed by a member of the University staff having direct line authority over the data file owner. In such instances, the data file owner shall be so informed.

4. The Computer Center shall prevent unwarranted disclosure of information from discarded printed and other output.

5. Access to the Computer Center library is limited to Data Control, Production Control and Operations personnel.

VALIDITY AND INTEGRITY

1. The integrity of a data file begins with its internal label. Label errors will not be accepted; when a label error occurs, the operator shall abort the job.

2. In order to ensure the validity and integrity of input data, appropriate techniques shall be employed such as sight check of documents and, when applicable, terminal screens, document audit trails, use of manual control functions for input documents and check of input documents for completion.

3. Once data has become machine readable, its validity and integrity shall continue to be checked by appropriate program controls such as label checking, edits for numeric and alphabetic fields, oversize amounts, blank fields, sequence checking, counting of records in and out of sorts, utilities and user programs. As applicable, programmed output controls shall use exception reports listing unacceptable transactions or input records, errors and warning messages. Aborts shall occur if certain control errors are found.

4. Manual output controls shall include procedures for routing of output and dismountable files, disposing of extra copies and carbons and delivering of data and reports in a confidential and secure manner.

5. Generally, audit trails and control functions shall provide the input for file reconstruction.

6. When appropriate, manipulation of the data in a file shall result in applicable exception lists, activity reports and other documents which will be helpful in identifying security violations. When applicable, the following provisions shall be used to establish security controls.

    A. Logs of transactions from terminals including identity of terminal and user.

    B. Logs of adds, updates and deletions.

    C. Tables of users authorized to use particular systems and files.

    D. Logs of files accessed and the identification of users.

7. As appropriate, Production Control and/or Data Control shall verify the proper execution of reports for system wide application.

COMPUTER CENTER CONTROLS

1. An operating log of actions taken by the computer operator shall be maintained for a specified period of time.

2. A Hardware Malfunction Log shall be maintained and shall be inspected by management. All errors and hardware problems that may have an effect the outcome of a job will be recorded.

3. Computer operators shall not enter data other than command language or responses to system requests via the console.

TERMINAL SECURITY - TIMESHARE ACTIVITY

1. The security of remote terminals and of campus computers which can be used as remote terminals to the Computer Center is the responsibility of the office or department where they reside.

2. A user shall have to enter a password which is established (and changed periodically) in conjunction with the office or department where they reside.

3. Infractions which are discovered at the Computer Center shall be reported to the Computer Center Manager, Director, or the Information Security Officer when the Computer Center Manager is not available. The Computer Center Manager shall take whatever actions are deemed necessary and shall
inform the appropriate administrators if warranted.

4. It is the responsibility of the Computer Center Manager to maintain security. If necessary, service to particular terminals may have to be interrupted until security can be assured.

5. The Computer Center Manager shall cooperate with the office or department administrators to discover violations of security whether willful or accidental.

6. Users are encouraged to report accidental or other security penetrations to the Computer Center Manager, Director, or Information Security Officer so that violations may be identified and further security measures can be developed. Violators of the Information Practices Act of 1977 shall be prosecuted according to the provision of this law.

CONFIDENTIALITY STATEMENT 1. In order to more effectively protect the
confidentiality of data and programs residing in
the Computer Center, it is required that all employees of the Computer Center sign the Confidentiality Statement. New employees must sign the statement before they are admitted to work in the computer room. One copy of the signed statement shall be kept in the employee's personnel file and one shall be given to the employee.

2. Employees of vendors shall also be required to sign the Confidentiality Statement if their assignment requires that they have access to the computer room.

3. The Computer Center Manager shall retain the original of all signed Confidentiality Statements of the Computer Center personnel and employees of vendors.

PRIVACY

In California, privacy is a constitutional right. Typical privacy principles which have been identified are:

1. There must be no personal data record-keeping systems whose very existence is secret.

2. There must be a way for an individual to find out what personal information about him/her is in a record and how it is used.

3. There must be a way for individual to prevent personal information about him/her that was obtained for one purpose from being used or made available for other purposes without his/her consent or knowledge.

4. There must be a way for an individual to correct or amend a record of identifiable personal information about him.

5. An organization creating, maintaining, using or disseminating records of identifiable personal data must ensure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.

6. The Computer Center realizes that the increasing use of computers and information technology, while beneficial to the efficient operations of management, has magnified the potential for harm to individual privacy that can occur from collection, maintenance, use and dissemination of personal information. It recognizes the right of privacy and, accordingly, treats all data as confidential. Further, it encourages its personnel to bring any information which might indicate a possible infringement of the right of privacy to the attention of the Computer Center Manager, Director, or Information Security Officer when the Computer Center Manager is not available.

PROFESSIONAL ETHICS

1. The subject of professional ethics is a delicate one. In spite of its sensitivity these are reasons to think that is deserves some discussion. For example, the Stanford Research Institute, in their report of November 1973, entitled "Computer Abuse," reports the results of a questionnaire to programmers and programmer managers. A majority of those responding felt that attempting to discover unpublished system commands by trial and error for the purpose of using them in their work, or accepting and using a program given to them by a friend working for another company is "all right." It is clear that improved understanding is needed.

2. Codes of computer ethics are becoming increasingly necessary and common in business, industry and government. Perhaps, the profession itself will universally adopt some set of principles of acceptable practice. The Association of Computing Machinery has published such a code. The British Computer Society has developed and adopted a "Code of Conduct" which has been published in the appendix of "The British Computer Society Code of Good Practice."

3. The topic of professional ethics will be a subject of discussion and orientation at Computer Center staff meetings and seminars. The purpose of such discussions will be to provide a general guideline of data processing activities which are determined to be incompatible with an employee's duties in the Computer Center.

4. Unless prior authorization of the Computer Center Manager, Director, or the Information Security Officer when the Computer Center Manager is not available, is obtained in writing, personnel shall not loan, trade, sell, or give away any Computer Center programs.

SECURITY REVIEWS AND EVALUATIONS

1. Objectives

Objectives of security reviews and evaluations of the Computer Center are to:

    A. assist in the implementation and maintenance of policies and standards regarding the
    confidentiality and security of information processed and stored at the Computer Center;

    B. investigate and determine the extent to which security standards and procedures are
    being followed; and

    C. identify suggestions for improvement of existing guidelines and procedures.

2. Scope of Reviews

The reviews shall consist of evaluations of the following.

    A. Security and confidentiality of computer processed information.

    B. The physical security of the system hardware.

    C. Protection of data files against deliberate or accidental destruction and modification.

    D. Access control to stored data on the basis of identity of user and authorization to know.

    E. Audit of data files regarding continued need.

3. Internal Control

A. Definition. Internal control is the plan of organization and methods within an agency which is designed to safeguard its records, check the reliability of its data, promote operational efficiency and encourage adherence to prescribed policies.

B. Management Responsibility. The Computer Center Manager is responsible for the establishment of organizational, administrative and procedural controls which are necessary to prevent access to data for unauthorized or improper purposes, reduce the incidence of error and obtain optimum results from computer operations. Controls can be divided into groups as follows.

(1) Each employee should fully understand his/her or her duties, responsibilities and limits of authority.

(2) Job assignments, facilities and procedures should be arranged so that, as far as possible, no one person will have complete control over an entire transaction or a related series of operations without the intervention of another employee or employees to provide a cross-check.

(3) To be effective, internal controls must be reviewed periodically because of changes in personnel and their duties. The most elaborate system of internal controls will not prevent inefficiencies or fraudulent practices unless adequate and continuous supervision is exercised. Controls must be consistent with the hazards involved and the cost of controls should be commensurate with the risk.

C. Data Protection.

(1) There shall be a data file storage area under Center control. The procedures shall provide for logging data files IN and OUT; keeping a current list identifying persons who are authorized to receive data files; keeping records to show the precise locations of all data files at all times; performing follow-up to retrieve issued data files not returned to the library within prescribed time limits; and identifying data files that are no longer needed in accordance with established file expiration dates.

(2) Only personnel who are specifically designated as custodians of data files by the Computer Center Manager, Director or the Information Security Officer when the Computer Center Manager is not available shall be allowed access to the storage area where files are kept when not in use.

(3) Data files shall be removed from the library for processing only. They shall be returned as soon as possible to the library after processing.

4. Review Checklist

The review team shall develop their own checklist based on the guidelines developed in this manual, previous experience and specific directions, if any, form the Computer Center Management at CSUS.

5. Review Team

    A. Periodically a review team shall be appointed by the Campus to perform a security review
    of the Computer Center. Composition of the team might include the Information Security
    Officer, a member of the CSUC outside CSUS, a faculty member and an administrator from
    the campus. The Computer Center Advisory Committee should be a source of suggestions
    for team member.

    B. The report of the review team shall be submitted to the Campus with copies to the
    Information Security Officer, the Computer Center Manager, and Director.

COMPUTER ACCOUNT MAINTENANCE

1. General

    A. The Campus computer user may have access to several computers. Each computer
    requires an account number and password to validate its use. This account number and
    password deserves a high level of security. The users are encouraged to maintain that
    security by not sharing their accounts and passwords and by changing their passwords
    regularly.

    B. All users are required to file an account application form. This form must be signed by the
    user indicating that they agree to abide by the rules and University policies governing
    computer use and that they have read the Computer Crime Penal Code. Also, it is necessary
    for the user to have a sponsor cosign the application form. The sponsor may be either a
    faculty member or a department head.

2. Account Assignment. Computer accounts are assigned after the user submits an account application form with all the required signatures. All accounts on a given computer have the same level of security. However, the amount of  computing resource assigned to each account will vary based upon the type of the account, i.e. class, research, faculty, group, production, etc.

3. Account Changes. Users who find the amount of computing resource inadequate for their use may request a change by completing the appropriate form along with proper justification. Approvals are also required by faculty and/or department heads.


RECORDS MAINTAINED AT CALIFORNIA STATE UNIVERSITY, SACRAMENTO


DEPARTMENT RECORD (S)


Academic Advising Orientation Assistants Information
Academic Services Data Report
Degree Conferred File
Faculty Time and Effort Reports Faculty Workload Report 
Admissions and Records Alphabetical Files Diploma File
Permanent Academic Folder
Permanent Records
Registration Forms
SAT and ACT Admission
Aptitude Test File
Verification and Certification Forms
Affirmative Action Affirmative Action Data Base
Athletics Athletic Injury Records
Athletic Physical Health Forms
Student Eligibility Criteria
Budget Report
Employee Relations Faculty Grievance Files
Discipline Files
English  English Placement Test Results
Writing Proficiency Test Results
Extended Learning Registration for Noncredit Extension Courses
Human Resources Faculty and Staff Fee
Waivers
Faculty Sabbatical Leave
Files
Personnel Files
Pre-employment Records
Search Committee Files
Financial Aids Loan Repayment Program
Student Files
Student Obligation System
Foundation Research Proposals to Outside Agencies
Individual Academic Departments  Counselor Files on Students
Student Counseling Records
Institutional Studies Faculty Teaching Histories
International Center Student Files, American Language Program
Payroll  Payroll Records
Placement Center Student/Alumnus
Placement Files
Purchasing Independent Contractors' Invoices
College of Arts and Sciences
(Dean's Office) Faculty Personnel Action Files
College of Business and Public Administration
(Dean's Office) Faculty Personnel Action Files
(Degree Programs Center) Alphabetical Folders,
MPA Program
Census Cards
External Degree, Business Administration Students
College of Education
(Credentials Office) NTE Scores
Student Information Records
(Dean's Office) Faculty Personnel Action Files
College of Engineering and Computer Science
(Dean's Office) Faculty Personnel Action Files
College of Health and Human Services
(Dean's Office) Faculty Personnel Action Files
Services to Students with  Disabilities
Disabled Student Records
Speech Pathology Patient Files
Student Files
Student Activities ; Club and Organization List
Student Affairs Employee Files
Student Counseling and Disciplinary Files
Student Health Center Employee Treatment Logs
Health History Form
Patient Medical Records
Patient Profiles
Physical Therapy Records
Referral Slips
X-ray Department Files
Testing Center EPT and ELM Scores
University Police Law Enforcement and
Traffic Records
Veterans' Affairs Tutorial Assistance



GUIDELINES TO THE INFORMATION PRACTICES ACT OF 1977
RULES OF CONDUCT FOR EMPLOYEES

Employees responsible for the collection, maintenance, use and dissemination of information about individuals which relates to their personal life, including their employment and medical history, financial transactions, marital status and dependents,
for example, shall comply with the provisions of the Information Practices Act, Civil Code Sections 1798 through 1798.76. The guidelines to the Act issued by the Office of Information Practices shall be used as a basic source of guidance in administering the Act's provisions.

Employees shall not require individuals to disclose personal information which is not necessary and relevant to the lawful State function for which the employee is responsible.

Employees shall make every reasonable effort to see that inquiries and requests by individuals for their personal records are responded to quickly and without requiring the individual to unnecessarily repeat his or her inquiry to others.

Employees shall assist individuals who seek information pertaining to themselves in making their inquiry sufficiently specific and descriptive so as to facilitate locating the records requested.

Employees shall respond to inquiries from individuals, and requests from them to review, obtain copies of, amend, correct or dispute their personal records in a courteous and businesslike manner, and in accordance with Sections 1798.30 through 1798.43 of the Civil Code.

Employees shall not disclose personal and confidential information relating to individuals to unauthorized persons or entities. The intentional disclosure of such information to such persons or entities may be cause for disciplinary action.

Employees shall not seek out or use personal or confidential information relating to others for their own interest or advantage. The intentional violation of this policy may be cause for disciplinary action.

Employees responsible for maintenance of records containing personal information shall take all necessary precautions to assure that proper administrative, technical and physical safeguards are established and followed in order to protect the confidentiality of records containing personal information, and to assure that such records are not disclosed to unauthorized individuals or entities.



INSTRUCTIONS FOR PERSONAL/CONFIDENTIAL RECORDS REPORT

1. NAME OF AGENCY - Name of State Department, Board, Commission, etc., which has final authority and responsibility for the statutory or constitutional function; i.e. "appointing power".

2. DATE OF REPORT - Date report was prepared.

3. RECORDS SYSTEM TITLE - A record system is a group of related records arranged under a single filing category kept together as a unit because they deal with a
particular subject or result from the same activity.

4. DESCRIPTION OF RECORDS - Kinds of information and documents contained in the system.

5. RETENTION PERIOD - Total length of time the records are kept in the office and in central storage.

6. FINAL DISPOSAL METHOD - Methods used for final disposal or destruction of the records (e.g., shredding, state archives, etc.). Do not include central storage as a
final disposal of the records.

7. INFORMATION SOURCE (S) - i.e., data subject, parents, neighbors, employers, law enforcement, physicians, etc.

8. CATEGORY OF INDIVIDUALS WITHIN THE SYSTEM - Category of individuals to whom records pertain, (e.g., employees of the agency, drivers license holders, etc.).

9. APPROXIMATE NUMBER OF INDIVIDUALS - The approximate number of individuals on whom records containing personal or confidential information are kept within the system.

10. MAJOR USE(S) OR PURPOSE(S) OF THE INFORMATION - Why the information is collected and how it is used.

11. ACCESS PROCEDURES - re: written procedures to be followed for the data subject to gain access to the records.

12. DISPUTE PROCEDURES - re: written procedures to be followed for the data subject to amend or contest the contents of such records.

13. LEGAL AUTHORITY FOR MAINTENANCE OF THE INFORMATION - Specific State or Federal statute which authorizes maintenance of these records.

14. DISCLOSURES PER SECTION 1798.24 (e), (f) - List principle disclosures pursuant to section 1798.24 (e), (f) of the Information Practices Act.

15. PHYSICAL FORM OF THE RECORDS - Self explanatory.

16. TITLE OF OFFICIAL RESPONSIBLE FOR MAINTAINING THE RECORDS
SYSTEM - The person to contact for information about the records.

17. DIVISION, PHONE - Subdivision of the Department, Board, etc., having responsibility for the records.

18. SECTION - More specific description of No. 17, if applicable.

19. UNIT - Further specific description of No. 18, if applicable.

20. ADDRESS, CITY, ZIP - Self explanatory.