Information Security Plan
The CSU Bakersfield Information Security Plan implements the campus's Information Security Policy that can be found elsewhere on this site and assists the University in conforming to federal and state laws governing the protection of confidential information.
- Access to Data
- Acceptable Use
- Safeguarding Data
- Password Control and Management
- Technical Solutions
- Incident Reporting
California State University Bakersfield (CSUB) identifies various types of personal information to be confidential in nature. Confidential data at CSUB is categorized into two levels. Level I data contain information of extreme sensitivity that triggers legal obligations to the University to disclose any compromise of information contained in this category. Level II data contain information that the University considers confidential as per federal and state regulations as well as University protocol.
The following are considered Level I confidential information based on the significance of this information for the prevention of identity theft. Furthermore, as per the California Security Breach Information Act (SB 1386), any breach in the following information of any California resident that is unencrypted must be notified accordingly. SB 1386 defines a breach as "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information."
- Social Security Number paired with last and first name or first initial
- Drivers license number or California identification card number paired with last and first name or first initial
- Bank account number or credit card number paired with last and first name or first initial
The following Level II information should be "guarded" from access to unauthorized persons. This information is considered personal information and is regulated by various federal laws as well as CSU policy. Though this information does not require notification of breach, certain fines may apply if this information is mishandled. The guiding laws and policies for Level II information include FERPA, HIPPA, the Information Practices Act of 1977, California Public Record Act, and CSU policy HR 2003-05. All faculty and staff given access to the following information must complete and sign the CSUB Confidentiality Access and Compliance form. Student assistants given access to the following information must complete and sign the Banner Confidentiality Agreement.
- Any information in students' educational records that is not listed as non-confidential information.
Faculty and Staff:
- Home Address
- Physical Description
- Home telephone number
- Medical history
- Performance evaluations
The following information is considered "directory" information and may be disclosed without consent as per FERPA guidelines. However, FERPA recommends a procedure for students to opt-out of disclosing this information. Moreover, the University chooses to exceed FERPA's recommendation of confidentiality for student data.
- Email address
The following information is considered "directory" information and may be disclosed not withstanding any future regulatory restrictions. However, no directory information shall be distributed, sold, or transferred to in any fashion for the commercial purposes of the University, an employee of the University, or any other entity.
Faculty and Staff
- Office address
- Office phone number
- Title / Position name
- Department name
- Honors and awards
- Email address
Each Cabinet Officer is responsible for granting access to individual data as described in the preceding section. Access is granted when the Cabinet Officer approves the appropriate form for an employee. Approved forms are kept on file in Administrative Computing Services. The Cabinet Officer and the employee must update this access form once a year.
Banner Role Security
CSUB has implemented Banner Role Security to protect the integrity of the Banner Application data by restricting the screens (forms) that a user can see (query) or update (maintain).
The building blocks of Banner Role Security include:
- Security Classes
- User Roles
An Object is a Banner form (screen) or process (job). The Registration Query form (SFAREGQ) and the Class List Print Job (SFRSLST) are examples of Banner Objects.
A Security Class is a group of Banner Objects logically related by business function. For each object in the class, users may have Query (read only) or Maintenance (update) access.
For example, we have a class called STU_ACAD_HIST_Q. This class contains Student Module Academic History objects for read only.
A User Role consists of the Objects & Classes required for the user to do their job. For example, we have a role for Financial Aid Student Assistants.
The data owners for each Banner module determined what Banner Objects should be in each Security Class. The data owners also determined how Roles should be defined for the campus.
Banner Access Form
When a new employee needs access to Banner or access for an existing ID needs to be changed, the user must fill out a Banner Access form. On this form, they select the User Role that will be assigned to the User ID.
If a user needs a more customized set of Objects and doesn't fit into one of the existing Roles, they can request a different grouping of Classes and/or Objects.
All requests for access must be approved by the User Department Administrators and the data owner before access is granted.
The 'Administrative Systems Access Policy' provides details on requesting access.
Banner Role Security Maintenance
Banner Role Security is maintained via the GSASECR form. Only the ACS Database Administrators have access to this form. The form is independent of Banner and does not appear on any Banner menus.
The ACS Database Administrators work with the data owners & ACS systems analysts on updating the Object, Class and Role structure and definition as needed. Periodically, new Objects are added or obsolete Objects are removed from the existing Classes. This generally happens when an upgrade to Banner is implemented or a new CSUB process or form is added.
CMS Role Security
CSUB ensures the integrity of the PeopleSoft system and associated database data by utilizing the features of the delivered PeopleSoft Security Architecture.
The building blocks of PeopleSoft Security include the following:
- Component Permission Lists
- Row Level Security (Data Permission Lists)
- User Profiles
An Object is a PeopleSoft page (screen), report or process. Objects are organized by business function into components. For example, the objects needed to run CSUB Labor Cost Distribution (LCD) reports are grouped into components.
A Component Permission List defines access to specific components. The LCD Dept/School Report Permission List contains only the components the departments and schools need to run their LCD reports. Component Permission Lists define the level of access needed for each component (display, add, update, correct previous entries).
Row Level Security uses Data Permission List to define what department information can be accessed and is usually defined for a specific user or group of users. For example, users in the School of Education should not be permitted to view data for other Schools, so a Data Permission List is used to restrict access for School of Education users to only the appropriate departments.
A Role is a grouping of one or more Component Permission Lists associated with a particular job function. For example, the LCD User Dept Query Role includes only the permission lists needed by Department Users to run LCD reports.
A User Profile combines Roles and Data Permission Lists to define a user's access. The User Profile also includes user information (ID, department and encrypted password)
When a user account is first created in PeopleSoft, the system automatically assigned security role appropriate for the student level access. Faculty or Staff type security roles are assigned based on job record and/or access request forms approved by individual PeopleSoft module owners. New users will then access PeopleSoft system using their existing assigned NetID login credential.
PeopleSoft Access Form
When a new employee needs access to PeopleSoft or access for an existing ID needs to be changed, the user must fill out a PeopleSoft Access form. On this form, they select the User Role that will be assigned to the User ID.
If a Role doesn't exist for the access required, the user will list the Components needed and the level of access required. The Security Administrator will then define a new Role.
All requests for access must be approved by the User Department Administrators and the data owner before access is granted.
Administering PeopleSoft Security
PeopleSoft Security is administered by the PeopleSoft Security Administrators. The Security Adminstrators work with ACS Database Administrators, Data Owners & PeopleSoft Systems Analysts to maintain the Permission Lists, Roles, & User Profiles as needed.
Access is reviewed and updated each time a new PeopleSoft release is implemented or a patch is applied. Access is also reviewed if a new CSUB component is added.
- Network Protection
The CSUB information security plan takes advantage of various technological tools to protect workstations, servers and network devices. Subscribing to the sound practice of security in depth, the following solutions are either in place or are being planned as noted.
CSUB has redundant, perimeter firewalls on the main campus and standalone firewalls at each of the two offsite centers. These firewalls each have various rules designed to prevent illicit incoming traffic from harming campus resources. The CSU system has recently chosen Juniper Networks as perimeter defense system and will be deploying these new devices to all campuses in a phased rollout over the next year. These new firewalls will have even more protective features than our current firewalls including two functions in particular; intrusion prevention and the ability to create protection zones within the campus. Intrusion prevention has much finer grained protection than a typical firewall rule such that a protocol may be allowed but specific, known misuses of the protocol are blocked. Perimeter defenses protect the campus from the outside world, protection zones within the campus protect different areas of the campus from other areas within the campus. For example, a protection zone for the data center would allow access to certain servers to be restricted to only those who need access. Further, if a compromised machine is brought onto campus, its attacks are restricted to the zone it is in. We look forward to the added security these devices will provide the campus.
Also at the perimeter is a packet shaper. This device serves two main purposes. It limits peer-to-peer file sharing traffic so as to prevent it from monopolizing the internet bandwidth to the campus and thereby interfere with normal academic network activity and it is an effective tool for identifying compromised systems.
- Email Protection
CSUB has redundant anti-spam/ anti-virus appliances to protect the campus against the annoyances and productivity-stealing aspects of bulk-unsolicited email "advertisements", so called spam. The campus currently receives approximately 200,000 such messages per day, in contrast to the approximately 35,000 legitimate email messages received per day. The appliance is updated several times per day to help it combat the ever-changing efforts of the spammers to find holes in such defenses. The appliance also has an anti-virus module to protect users from receiving email with infected attachments; approximately 300 such infections are stopped per day.
However, this, and all such anti-virus measures, are only as good as the anti-virus vendors' programmers are at identifying and creating the correct "anti-dotes" to the viruses. By definition, a new virus will bypass these protections until the vendors develop a solution. On occasion there have been virus wars with virus creators creating new viruses attacking other viruses each coming out with several new variants every day making it all but impossible to prevent viruses from slipping through. To protect against such activities, the campus mail server, FirstClass, is configured to block specific types of attachments in which viruses are typically embedded; e.g., .exe and .zip (selecting the two most common). Thankfully this layer of defense is seldom needed; however, it has prevented the compromising of machines on this campus at least twice
- Desktop and Server Lockdown
User workstations are pre-configured by User Support before being delivered to the users. Included in this configuration are more defensive measures. Unnecessary services that are known vectors of worm attacks are disabled. The computers are added to Active Directory which allows centralized management of access permissions to protected resources and also requires the user to authenticate before the computer can be used. Anti-virus, anti-spyware and host intrusion protection software (McAfee) is installed that is kept up-to-date via a set of redundant centralized servers; There are various other "hardening" measures.
One of these other hardening measures is to configure the workstation to automatically check for and update with critical patches for the operating system and Microsoft Office software. Virtually all computer attacks are against known vulnerabilities for which patches exist. Keeping the system patched is the single most effective method of preventing compromise. Unfortunately our current environment does not allow for centralized supervision and verification of these critical patch installations. To that end, ITS is planning this academic year to install a centralized patch management system. ITS has been monitoring this segment of the security market and feels that the tools are still in need of maturity; however, they have stabilized enough so that the benefit now outweighs the risk.
The McAfee anti-virus/anti-spyware/host-intrusion-prevention software is now freely available to housing residents and is available for faculty and staff to put on their home workstations.
Campus servers receive the same protective measures as workstations however, in addition, they have software firewalls and even more services disabled; they are also monitored daily. Special rules have been configured on the perimeter firewall to restrict access to the servers to the specific services offered on each server. This further reduces the possible attack vectors. In some cases, access has been blocked completely so that only workstations on campus can access the server.
Servers with confidential information have encryption software installed so that, where possible, communications to and from those servers are encrypted. For example, file transfers, remote logins and web access are all able to be encrypted. Current exceptions to this are the file server systems that some users access as remote disk drives; these remote drives are not accessed with encryption. However, during the coming months encryption to these remote drives also will be enabled.
- Network Protection
Most incident reporting will come from technical staff in ITS whose job it is to monitor intrusions into the campus network and various servers. However, anyone who suspects there might be a security breach involving access to confidential information must report it to the Information Security Officer and the Assistant Vice President for Information Technology Services.
Reportable incidents do not mean just breach of campus servers. They may also include lost paper files, lost laptops, lost storage devices, etc. The University bears a heavy burden in reporting the potential loss of confidential information, so everyone has an obligation to report breaches.
Various documents are used to respond and report potential security breaches:
- Incident Response Form
- Incident Notification Letter
- Generic Security Incident Press Release
Anyone wishing to view these forms, please contact the Information Security Officer.
CSUB expects the CSU Chancellor's Office to produce training products and programs that can be used by all campuses.
This website will be the primary communication vehicle about campus information security matters. From time to time, here may be emails posted on the FirstClass Bulletin Board reminding staff to check this web site for latest developments.