Information Security Information Resources & Technology

CSU Information Security Policy and Standards

Sacramento State is committed to protecting the confidentiality, integrity, and availability of information assets owned, leased, or entrusted to the University. Therefore, we hereby adopt both the California State University Information Security Policies and Standards and the Sacramento State Supplemental Information Security Policies.

Policies vs. Standards vs. Procedures

  • Policies are formal statements created by the university that reflect our mission, which in this case is the protection of Sacramento State's information and assets.
  • Standards are rules or actions that must be done to ensure our policies are being followed. They indicate expected behavior and must be enforced.
  • Procedures are detailed, step-by-step instructions on how to implement or adhere to the standards.
  • Guidelines are recommended practices that are based on industry-standard practices.

Sacramento State Information Security Policy

CSU Information Security Policy and Standards

I. Policy

II. Scope

III. Roles and Responsibilities

IV. ISO Policies

Policies and standards are organized in the following, clickable index:

Policy Section Supplemental Policies Standards Procedures, Guidelines, Others
A. ISO Domain 5: Information Security Policy
B. ISO Domain 6: Organization of Information Security Policy   Organization of Information Security

Standards Enforcement


Exceptions


Risk Assessment Process


CSU Data Classification Standard
 
Sacramento State Data Classification and Protection Standard

Sacramento State Vulnerability Management Standard


Sacramento State Vulnerability Management Supplemental Standard for Workstations


Sacramento State Vulnerability Exception Procedure


Sacramento State Vulnerability Exception Request Form


Sacramento State Quarantine Procedures
 
C. ISO Domain 7: Human Resource Information Policy   CSU Data Classification Standard Sacramento State Data Classification and Protection Standard
D. ISO Domain 8: Asset Management Policy EO1031 – Systemwide Records Information Retention and Disposition Schedules Implementation Policy

Health Insurance Portability and Privacy Act (HIPAA)


FERPA (Student Records) Privacy
CSU Data Classification Standard

Asset Management Standard


Data Classification Levels

Cloud Storage and Services
Sacramento State Data Classification and Protection Standard

CSU Records Retention and Disposition Schedules


Sacramento State Data Privacy Policy and Standards


Sacramento State Campus Privacy Notice


Sacramento State Data Security & Records Retention


Sacramento State Data Reporting Governance


General Data Protection Regulation
E. ISO Domain 9: Access Control Policy   Access Control Standard Sacramento State Access Control Standard – Identify Verification

Sacramento State Access Control Standard – Authentication

Sacramento State Level 1 Systems Access Review Template
F. ISO Domain 10: Cryptography Policy   Cryptography Standard

Acceptable Use of Electronic and Digital Signatures
CA State Regulation
G. ISO Domain 11: Physical and Environment Security Policy   Physical and Environment Security Standard  
H. ISO Domain 12: Operations Security Policy Information Security Responsible Use Policy Operations Security Standard

Protections Against Malicious Software Programs


Remote Access to CSU Resources


Mobile Device Management


Logging Elements


Common Workstation Minimum Configuration Requirements

High Risk/Critical Workstation Standard


Change Control


CSU Data Classification Standard
Sacramento State Campus Device Standards

Sacramento State Workstation Security Standards


Sacramento State Common Workstation Standards


Sacramento State High Risk Workstation Standards


Sacramento State Student Device Standards


Mobile Device Security


Sacramento State Technology Procurement Request
I. ISO Domain 13: Communication Security Policy   Communications Security Standard

Network Information Requirements


Boundary Protection and Isolation
Mobile Device Security
J. ISO Domain 14: Systems Acquisition, Development and Maintenance Policy   Systems Acquisition Standard

Application Security Standards
 
Sacramento State Vulnerability Management Standard

Sacramento State Vulnerability Management Supplemental Standard for Workstations


Sacramento State Vulnerability Exception Procedure


Sacramento State Vulnerability Exception Request Form


Sacramento State Quarantine Procedures


Sacramento State Campus Web & Mobile Development Security Guideline
K. ISO Domain 15: Supplier Relationships Policy   Supplier Relationships Standard

CSU Data Classification Standard
General Provisions for Information Technology Acquisitions
Information Security Requirements - Supplemental Provisions

Higher Education Cloud Vendor Assessment Tool
L. ISO Domain 16: Information Security Incident Management Policy   Incident Management Standard

CSU Data Classification Standard
Sacramento State Data Classification and Protection Standard
M. ISO Domain 17: Information Security Aspects of Business Continuity Management Policy CSU System Business Continuity Program

EO1031 – Systemwide Records Information Retention and Disposition Schedules Implementation Policy
Business Continuity Management Standard Sacramento State Business Continuity and Disaster Recovery Plan
N. ISO Domain 18: Compliance Policy HIPAA Policy

Debit/Credit Card Payment Policy 6340.00

Sacramento State Debit/Credit Card Payments Policy
Compliance Standards

01-Sacramento State Credit Card Handling Security Standards  
Sacramento State Data Privacy Policy and Standards

A01-Sacramento State Annual PCI Assessment Procedure


A02-Sacramento State Annual Credit Card Acceptance Acknowledgement


A03-Sacramento State User Access Inventory - Template


A04-Sacramento State Device Inventory - Template


A05 - Sacramento State Credit Card Business Process Inventory


02-Sacramento State Credit Card Acceptance Procedures


03-Sacramento State Credit Card Channel Request
O. Enforcement   Standards Enforcement