CSU and SDSU IT Security Policies, Standards, and Procedures
The Board of Trustees of the California State University (CSU) and SDSU is responsible for protecting the confidentiality, integrity and availability of CSU information assets. Unauthorized modification, deletion, or disclosure of information assets can compromise the mission of the CSU, violate individual privacy rights, and possibly constitute a criminal act.
The CSU Information Security Program activities are guided by ISO 27002:2013 (Information technology — Security techniques — Code of Practice for Information Security Controls), which are the best industry practices for the management of information security controls.
The CSU and SDSU IT security policies, standards, and/or guidelines are formal statements that specify a set of rules that all users must follow when gaining access to SDSU’s information and information systems.
- Information Security Responsible Use Policy
- Information Security Privacy of Personal Information Policy
- Information Security Policy
| CSU | Policy | ISO Domain 5: Information Security Policy |
|---|---|---|
| SDSU | Plan | SDSU Information Security Plan (To Be Updated) |
| CSU | Policy | ISO Domain 6: Organization of Information Security Policy |
|---|---|---|
| Standard | ISO Domain 6: Organization of Information Security Standard |
| CSU | Policy | ISO Domain 7: Human Resource Security Policy |
|---|---|---|
| Standard | ISO Domain 7: Human Resource Security Standard |
| CSU | Policy | ISO Domain 8: Asset Management Policy |
|---|---|---|
| Standard | ISO Domain 8: Asset Management Standard | |
| SDSU | Policy | Controlled Unclassified Information (CUI) Policy |
| Guideline | Sensitive Data Storage Best Practices | |
| Guideline | Security Guidance for Storing and Sharing Protected Data | |
| Guideline | Google Workspace (Shared Drive, Forms, and Sheets) Secure Configurations Recommendations |
| CSU | Policy | ISO Domain 9: Access Control Policy |
|---|---|---|
| Standard | ISO Domain 9: Access Control Standard |
| CSU | Policy | ISO Domain 10: Cryptography Policy |
|---|---|---|
| Standard | ISO Domain 10: Cryptography Standard |
| CSU | Policy | ISO Domain 11: Physical and Environmental Security Policy |
|---|---|---|
| Standard | ISO Domain 11: Physical and Environmental Security Standard |
| CSU | Policy | ISO Domain 12: Operations Security Policy |
|---|---|---|
| Standard | ISO Domain 12: Operations Security Standard | |
| SDSU | Policy | Server Security Policy |
| Policy | Mobile Device Security Policy | |
| Standard | Vulnerability Management Standard | |
| Standard | Security and Configuration of Information Systems Standard | |
| Standard | Minimal Endpoint Security Baseline Standard | |
| Guideline | IT Security Guidance for Remote Access |
| CSU | Policy | ISO Domain 13: Communications Security Policy |
|---|---|---|
| Standard | ISO Domain 13: Communications Security Standard | |
| SDSU | Guideline | Zoom Meetings for HIPAA Guidance |
| CSU | Policy | ISO Domain 14: Systems Acquisition, Development and Maintenance Policy |
|---|---|---|
| Standard | ISO Domain 14: Systems Acquisition Standard |
| CSU | Policy | ISO Domain 15: Supplier Relationships Policy |
|---|---|---|
| Standard | ISO Domain 15: Supplier Relationships Standard |
| CSU | Policy | ISO Domain 16: Information Security Incident Management Policy |
|---|---|---|
| Standard | ISO Domain 16: Incident Management Standard |
| CSU | Policy | ISO Domain 17: Information Security Aspects of Business Continuity Management Policy |
|---|---|---|
| Standard | ISO Domain 17: Business Continuity Management Standard |
| CSU | Policy | ISO Domain 18: Compliance Policy |
|---|---|---|
| Standard | ISO Domain 18: Compliance Standard |