Information Security Plan

California State University Bakersfield (CSUB) identifies various types of personal information to be confidential in nature. Confidential data at CSUB is categorized into two levels. Level I data contain information of extreme sensitivity that triggers legal obligations to the University to disclose any compromise of information contained in this category. Level II data contain information that the University considers confidential as per federal and state regulations as well as University protocol.

• See CSU Classifications
• CSU Information Security Data Classification

The following are considered Level I confidential information based on the significance of this information for the prevention of identity theft. Furthermore, as per the California Security Breach Information Act (SB 1386), any breach in the following information of any California resident that is unencrypted must be notified accordingly. SB 1386 defines a breach as "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information."

• Social Security Number paired with last and first name or first initial
• Drivers license number or California identification card number paired with last and first name or first initial
• Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
• Medical Information
• Health insurance information
• A username or email address in combination with a password or security question and answer that would permit access to an online account
• Information or data collected through the use or operation of an automated license plate recognition system

The following Level II information should be "guarded" from access to unauthorized persons. This information is considered personal information and is regulated by various federal laws as well as CSU policy. Though this information does not require notification of breach, certain fines may apply if this information is mishandled. The guiding laws and policies for Level II information include FERPA, HIPPA, the Information Practices Act of 1977, California Public Record Act, and CSU policy HR 2003-05. All faculty and staff given access to the following information must complete and sign the CSUB Confidentiality Access and Compliance form. Student assistants given access to the following information must complete and sign the Confidentiality Agreement.

Students:

• Any information in students' educational records that is not listed as non-confidential information.

Faculty and Staff:

• Ethnicity
• Gender
• Home Address
• Physical Description
• Home telephone number
• Medical history
• Performance evaluations

The following information is considered "directory" information and may be disclosed without consent as per FERPA guidelines. However, FERPA recommends a procedure for students to opt-out of disclosing this information. Moreover, the University chooses to exceed FERPA's recommendation of confidentiality for student data.

Students

• Name
• Email address

The following information is considered "directory" information and may be disclosed not withstanding any future regulatory restrictions. However, no directory information shall be distributed, sold, or transferred to in any fashion for the commercial purposes of the University, an employee of the University, or any other entity.

Faculty and Staff

• Name
• Office address
• Office phone number
• Title / Position name
• Department name
• Honors and awards
• Email address

CMS Security

CSUB ensures the integrity of the PeopleSoft system and associated database data by utilizing the features of the delivered PeopleSoft Security Architecture. The building blocks of PeopleSoft Security include the following:

1. Objects
2. Component Permission Lists
3. Row Level Security (Data Permission Lists)
4. Roles
5. User Profiles

An Object is a PeopleSoft page (screen), report or process. Objects are organized by business function into components. For example, the objects needed to run CSUB Labor Cost Distribution (LCD) reports are grouped into components.

A Component Permission List defines access to specific components. The LCD Dept/School Report Permission List contains only the components the departments and schools need to run their LCD reports. Component Permission Lists define the level of access needed for each component (display, add, update, correct previous entries).

Row Level Security uses Data Permission List to define what department information can be accessed and is usually defined for a specific user or group of users. For example, users in the School of Education should not be permitted to view data for other Schools, so a Data Permission List is used to restrict access for School of Education users to only the appropriate departments.

A Role is a grouping of one or more Component Permission Lists associated with a particular job function. For example, the LCD User Dept Query Role includes only the permission lists needed by Department Users to run LCD reports.

A User Profile combines Roles and Data Permission Lists to define a user's access. The User Profile also includes user information (ID, department and encrypted password)

When a user account is first created in PeopleSoft, the system automatically assigned security role appropriate for the student level access.  Faculty or Staff type security roles are assigned based on job record and/or access request forms approved by individual PeopleSoft module owners.  New users will then access PeopleSoft system using their existing assigned NetID login credential.

PeopleSoft Access Form

When a new employee needs access to PeopleSoft or access for an existing ID needs to be changed, the user must fill out a PeopleSoft Access form. On this form, they select the User Role that will be assigned to the User ID.

If a Role doesn't exist for the access required, the user will list the Components needed and the level of access required. The Security Administrator will then define a new Role with module owner approval.

Departments managers must identify and define subordinates access privileges needed to perform the job. All requests for access must be recommended by the User Department Administrators and approved by the data owner before access is granted.

Administering PeopleSoft Security

PeopleSoft Security is administered by the PeopleSoft Security Administrators. The Security Administrators work with Enterprise Applications Database Administrators, Data Owners & PeopleSoft Systems Analysts to maintain the Permission Lists, Roles, & User Profiles as needed.

Significant changes that must be reviewed include but are not limited to: release upgrades, changes to security roles, or other significant changes impacting permissions or profiles. Access is also reviewed if a new CSUB component is added.

• Not contain the user's account name or parts of the name that exceed two consecutive characters
• Be at least eleven (11) characters in length
• Contain characters from three of the following four categories:
  • Uppercase characters (A through Z)
  • Lowercase characters (a through z)
  • Numbers (0 through 9)
  • Non-alphanumeric characters (for example, !, $, #, %)
• No reuse, passwords will not be allowed to be set to any of the users last 12 previous passwords
• Will be checked against a known password compromised list before accepted 

The CSUB information security plan takes advantage of various technological tools to protect workstations, servers and network devices. Subscribing to the sound practice of security in depth, the following solutions are either in place or are being planned as noted.

CSUB has redundant, perimeter firewalls on the main campus and standalone firewalls at each of the two offsite centers. These firewalls each have various rules designed to prevent illicit incoming traffic from harming campus resources. The CSU system has recently chosen Juniper Networks as perimeter defense system and will be deploying these new devices to all campuses in a phased rollout over the next year. These new firewalls will have even more protective features than our current firewalls including two functions in particular; intrusion prevention and the ability to create protection zones within the campus. Intrusion prevention has much finer grained protection than a typical firewall rule such that a protocol may be allowed but specific, known misuses of the protocol are blocked. Perimeter defenses protect the campus from the outside world, protection zones within the campus protect different areas of the campus from other areas within the campus. For example, a protection zone for the data center would allow access to certain servers to be restricted to only those who need access. Further, if a compromised machine is brought onto campus, its attacks are restricted to the zone it is in. We look forward to the added security these devices will provide the campus.

Also at the perimeter is a packet shaper. This device serves two main purposes. It limits peer-to-peer file sharing traffic so as to prevent it from monopolizing the Internet bandwidth to the campus and thereby interfere with normal academic network activity and it is an effective tool for identifying compromised systems.

CSUB has redundant anti-spam/anti-virus appliances to protect the campus against the annoyances and productivity-stealing aspects of bulk-unsolicited email "advertisements", so called spam. The campus currently receives approximately 200,000 such messages per day, in contrast to the approximately 35,000 legitimate email messages received per day. The appliance is updated several times per day to help it combat the ever-changing efforts of the spammers to find holes in such defenses. The appliance also has an anti-virus module to protect users from receiving email with infected attachments; approximately 300 such infections are stopped per day.

However, this, and all such anti-virus measures, are only as good as the anti-virus vendors' programmers are at identifying and creating the correct "anti-dotes" to the viruses. By definition, a new virus will bypass these protections until the vendors develop a solution. On occasion there have been virus wars with virus creators creating new viruses attacking other viruses each coming out with several new variants every day making it all but impossible to prevent viruses from slipping through. To protect against such activities, the campus mail server, FirstClass, is configured to block specific types of attachments in which viruses are typically embedded; e.g., .exe and .zip (selecting the two most common). Thankfully, this layer of defense is seldom needed — however, it has prevented the compromising of machines on this campus at least twice.

For more information, visit our Password & Email Protection page.

User workstations are pre-configured by User Support before being delivered to the users. Included in this configuration are more defensive measures. Unnecessary services that are known vectors of worm attacks are disabled. The computers are added to Active Directory which allows centralized management of access permissions to protected resources and also requires the user to authenticate before the computer can be used. Anti-virus, anti-spyware and host intrusion protection software (BitLocker) is installed that is kept up-to-date via a set of redundant centralized servers; There are various other "hardening" measures.

One of these other hardening measures is to configure the workstation to automatically check for and update with critical patches for the operating system and Microsoft Office software. Virtually all computer attacks are against known vulnerabilities for which patches exist. Keeping the system patched is the single most effective method of preventing compromise. Unfortunately our current environment does not allow for centralized supervision and verification of these critical patch installations. To that end, ITS has installed a centralized patch management system. ITS has been monitoring this segment of the security market and feels that the tools are still in need of maturity; however, they have stabilized enough so that the benefit now outweighs the risk.

Campus servers receive the same protective measures as workstations however, in addition, they have software firewalls and even more services disabled; they are also monitored daily. Special rules have been configured on the perimeter firewall to restrict access to the servers to the specific services offered on each server. This further reduces the possible attack vectors. In some cases, access has been blocked completely so that only workstations on campus can access the server.

Servers with confidential information have encryption software installed so that, where possible, communications to and from those servers are encrypted. For example, file transfers, remote logins and web access are all able to be encrypted. Current exceptions to this are the file server systems that some users access as remote disk drives; these remote drives are not accessed with encryption. However, during the coming months encryption to these remote drives also will be enabled.

If you believe that there is an existing or imminent security breach which is causing or will result in unauthorized access or exposure to confidential information, please call the Information Security Office at 661-654-2835 or 661-654-3425 and follow-up with an email to: Information Security. If after hours, contact University Police at 661-654-2677 or 661-321-6288 and follow-up with an email to: Information Security.

Most incident reporting will come from technical staff in ITS whose job it is to monitor intrusions into the campus network and various servers. However, anyone who suspects there might be a security breach involving access to confidential information must report it to the Information Security Officer and the Assistant Vice President for Information Technology Services.

Reportable incidents do not mean just breach of campus servers. They may also include lost paper files, lost laptops, lost storage devices, etc. The University bears a heavy burden in reporting the potential loss of confidential information, so everyone has an obligation to report breaches.

Various documents are used to respond and report potential security breaches:

1. Incident Response Form
2. Incident Notification Letter
3. Generic Security Incident Press Release

Anyone wishing to view these forms, please contact the Information Security Officer.