Safeguarding Confidential Information
Recommended practices to ensure the security of confidential information.
This document provides recommendations for the implementation of administrative, technical, and physical safeguards designed to:
- Ensure the security of any confidential information in the University's custody in all forms, whether that information is held electronically, in writing, or in any other format.
- Protect confidential information against any threats or hazards to its integrity, unauthorized access, or unauthorized use.
Confidential Information means any information not exempted in specific legislation and identified as personal, sensitive, or confidential such as personally-identifiable information, individually-identifiable health information, education records, and non-public information as specified in all applicable federal or state laws, plus CSU and CSUSB policies. Confidential information includes, but is not limited to, the following examples:
- Social Security number
- Physical description
- Home address
- Home telephone number
- Education (except student records which are exempted by FERPA)
- Financial matters
- Performance evaluations
- Verbal or written statements made by or attributed to the individual
- Medical and employment history
- Driver's license number or California Identification Card number
- Account number, e.g., identification number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Confidential information may include individually-identifiable health information. This includes any information, including demographic information collected from an individual, created or received by a health care provider, health plan, employer, or health care clearinghouse. This includes information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to the individual, or the identification of the individual.
In addition, electronic confidential information is defined as any electronic format which includes an individual's first name or first initial and last name or education in combination with any one or more of the following data elements, when either the individual's name or the data elements are not encrypted:
- Social Security number
- Driver's license number or California Identification Card number
- Account number, e.g., identification number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Unauthorized Disclosure means to disclose, release, transfer, disseminate, or otherwise communicate all or any part of any record orally, in writing, or by electronic or any other means to any person or entity.
Recommended Practices for Individuals
All confidential information must be cared for with the appropriate level of physical and electronic (logical) security. When working with confidential information, we take on the custodial responsibilities for that information. Thus each person who accesses this information has the responsibility to:
These terms are defined below. Note: These lists are not exhaustive. Each is provided to serve as a set of examples. As technology develops, each of these lists should be expanded to cover additional techniques and devices as appropriate.
Identify and inventory where confidential information is stored, processed, or transmitted. Here are some examples:
- Electronic documents
- Printed information (paper)
Computer information systems
- Desktop computers
- Laptops / notebook computers
Local storage device
- Hard drive
- PROM (Programmable Read-Only Memory)
- Internal memory sticks/cards
- Floppy disks
- Zip drives
- Magnetic (backup) tapes
- External hard drives
- CD or DVD (optical)
Remote storage device
- Shared/mapped drive
- Network Attached Storage (NAS)
- Storage Area Network (SAN)
Protect confidential information against unauthorized access, unauthorized use, loss, or damage. Here are some recommended practices:
- Do not share or disclose personal authentication credentials, such as user-ids and passwords or other forms of electronic authentication with other individuals.
- Do not use personal credentials for authentication to provide other individuals with access to any information systems containing confidential information.
- Keep all computer workstations, laptops, and software applications up to date by installing all appropriate security software updates.
- Install and maintain antivirus software in all computer workstations and laptops and set them to auto-update to install the latest antivirus signatures.
- Keep portable equipment and storage devices such as CD, DVD, Zip disks, tapes, floppy drives, USB drives or other removable storage media in an appropriately access-limited location.
- Do not leave computer equipment or portable storage devices unattended.
- Use boot-up (BIOS) passwords for all computer systems and set strong authentication for all user accounts, including any accounts with administrative rights.
- Enable screen savers with authentication (locking passwords) for all computer systems.
- Use caution when accessing e-mail, and do not trust any unexpected e-mails. Never open an attachment without first verifying its type and checking it with an antivirus program. If in doubt, delete it, and/or contact the sender first.
- Position monitors and printers so that others cannot see or obtain confidential or sensitive data.
- When entering or collecting sensitive information from a website make sure that a secure connection has been established. Close your browser and start a new session by starting your browser again before accessing an insecure site. This will prevent others from accessing non-public information which may be stored in the browser's cookies.
- Log out, shut down, or lock the system when leaving your computer unattended at any time.
- Physical safeguards (keys, cipher locks, passwords, etc.) which are used to secure confidential information should be changed occasionally, and should be changed every time someone who formerly had authorized access either leaves university employment or no longer has job requirements which require access, or when a key securing such access is lost, stolen or unaccounted for.
- Take particular care at home to keep the system and sensitive data secure from unauthorized access.
Communicate your responsibility for confidential information. Choose the information you communicate with care.
- Promptly report any possible unauthorized access, use or loss of information or an information system to the immediate supervisor and the Information Security Office.
- Never send confidential information using non-secure applications such as IM, Chat programs or regular e-mail.
- Do not send sensitive information to e-mail accounts other than on-campus accounts. Use an authenticated method of distribution when on-campus accounts are not available.
- Always use an authenticated and approved protocol for remote communication when accessing critical servers or resources containing personal or confidential information. Use the campus VPN when accessing any critical servers such as CMS or SIS from off campus.
- Get appropriate authorization before taking University equipment off-site.
- Maintain up-to-date confidentiality, integrity, and access measures.
- Securely dispose of unnecessary confidential information in an approved manner.
- Remove any confidential and private information that is no longer needed. This will minimize the liability in case the computer becomes infected or compromised.
- Ensure that confidential, sensitive, or personal data is properly cleansed from internal disks or removable media prior to disposal or transfer to others. Seek authoritative advice on disposing of equipment and data.
Recommended Practices for Managers
Vice Presidents, College Deans, Directors and Department Heads, with guidance and assistance from the Information Security Office, should identify, protect, communicate, and maintain all confidential information under their responsibility.
Identify and inventory all systems containing, processing, or transmitting confidential information.
- Protect confidential information by allocating appropriate resources, granting appropriate access to information, supervising operations concerning confidential information, and maintaining operations concerning the integrity of that information.
- Protect confidentiality and security of electronic and printed information (paper) maintained in work areas.
- Ensure the authorized access and use of information systems and repositories that contain or process confidential information.
- Provide employees with appropriate resources to secure information systems and repositories where confidential information is processed, stored, or handled.
- Grant employees only the appropriate level of access necessary for them to work with confidential data.
- Maintain appropriate records of authorized access to confidential data.
- Provide adequate resources for the continuation of training and education for all employees under their responsibility with access to confidential information.
- Communicate management's responsibility to protect the privacy rights of University faculty, staff, students, and partners and to ensure compliance with all legal and policy requirements.
- Communicate the responsibility and expectation to employees under their supervision to follow appropriate procedures for the protection of confidential information.
- Promptly report any possible unauthorized access, use or loss of information or an information system to the Information Security Office.
- Develop and Implement
- Implement and administer standards and practices based upon these recommendations.
- Develop, implement, and communicate plans and procedures for...
- ...maintenance and management of the software environment and applications on each of the systems under their responsibility which contain, access, transmit or process confidential information.
- ...verification that background checks are conducted for new hires with access to confidential data or systems.
- ...retention of electronic and printed material records containing confidential information.
- ...destruction of electronic records and printed materials containing confidential information. (Destruction must be thorough to prevent unauthorized access to confidential information.)
- ...identifying and prioritizing, based on duration of downtime and severity of impact to operations, critical systems under their responsibility.
- ...preservation of information in the event of natural or man-made disasters.
- ...Business Continuity and Disaster Recovery for ALL critical systems under their responsibility. (It is unpredictable when critical systems may have a hardware failure, become compromised and have to be removed from the network, or be destroyed or damaged in a disaster.)
- ...notifying the Information Security Office when new systems containing or establishing ongoing access to confidential information are developed, whether within the confines of the department/office or placed on the campus network.
- Periodically (no less than annually) renew awareness of the recommended practices and expectations for safeguarding confidential information.
- Define functions and approve authorization for staff members who need access to confidential data.
- Keep inventories and confidentiality, integrity, and access measures up to date. Securely dispose of unnecessary confidential information.
- Maintain an up-to-date registry of all systems containing confidential information.
- Conduct an annual information risk assessment on all systems containing confidential information, and critically evaluate the adequacy of existing safeguards and compliance with campus safeguarding policies and procedures.
- Maintain appropriate and timely documentation and training for employees under their supervision with access to confidential data.
- Ensure that procedures have been adopted for upgrading and updating the information systems when critical security software updates are released.
- Ensure the information systems are managed and administered following recommended security practices.
Required Disclosure of Security Breach
The University is required to disclose any breach of system security to California residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Any university student, faculty, staff, consultant or any other person, employed by CSUSB or any auxiliary CSUSB organization, having access to CSUSB confidential information must immediately notify their immediate supervisor and the Information Security Office when they have any reason to suspect that such a breach has occurred. The Information Security Office will provide assistance and follow pre-established and appropriate procedures to ensure that the campus complies with applicable laws regarding notification of security breaches involving confidential information.