Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.


Red Flag Rules

- What are the “Red Flag Rules”? (Identity theft prevention program required by federal law)
- What does it mean to us? (Applies to us where our operations allow persons to use a credit or deposit account where payments are made periodically.)
- What is a “Red Flag”? (A red flag is a pattern or activity that might indicate identity theft.)

CSU Response

- CSU-wide program development guidelines ready to go before the Board of Trustees
- Guidelines include sufficient information to develop a qualified program
- Campuses required to develop a program and report on compliance

Campus Red Flag Program Goals

- Identify Covered Accounts
- Identify Relevant Red Flags
- Review/develop mechanisms to Detect Red Flags
- Review/develop mechanisms to Respond to Identity Theft
- Integrate Red Flags Rule into Current Compliance Program Activities
- Ensure Contract Compliance
- Provide Employee Training
- Provide Oversight and Review of the Program

PCI Compliance

- The Payment Card Industry Data Security Standard (PCI DSS) is imposed by the industry on all organizations that accept payment cards.
- PCI DSS is a multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical data protection measures.

CSU Response

- Each campus must complete a PCI DSS assessment
- Implement or maintain a compliant security program
- CSU PCI Compliance Guidelines:
  - Implement working committee
  - Determine merchant and assessment activities
  - Develop payment card authorization policy
  - Develop campus security program
  - Annual assessment activity

PCI Committee Objectives

The committee must:
- Obtain the support of senior management!
- Include representation from Information Technology, Information Security, Internal Audit, Business and Finance, and auxiliary organizations.
- Establish a comprehensive inventory of information related to its use of payment cards.
- Determine which of the standards apply (depends on volume of payment card activity across campus).
- Develop campus policy to review and approve new payment card activities.
- Ensure that the campus information security policy and incident response plan meet the PCI DSS standard.
- Conduct assessments and reviews and/or manage independent third-party verification activities.

PCI DSS Standard Overview

Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data

Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data and sensitive information across open public networks

Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- Track and monitor access to network resources and cardholder data
- Regularly test security systems and processes

Maintain an Information Security Policy
- Maintain a policy that addresses information security

Data Classification Activity

- In order to comply with the CSU-wide Information Security Policy and Standards, the campus is required to maintain an inventory of information assets which contain critical or protected data.
- Contact each campus organization and gather information about “protected” data and the methods by which it is stored.
- Use responses to create an inventory database.
- Survey released this week.

Protected Level 1 – Confidential Data

Confidential Information is information maintained by the University that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws. Confidential information is information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the CSU, its students, employees, or customers. Financial loss, damage to the CSU’s reputation, and legal action could occur. Level 1 information is intended solely for use within the CSU and limited to those with a “business need-to-know.” Statutes, regulations, other legal obligations or mandates protect much of this information. Disclosure of Level 1 information to persons outside of the University is governed by specific standards and controls designed to protect the information.

Level 1 data includes:
- Passwords or credentials that grant access to Level 1 and Level 2 data
- PINs (Personal Identification Numbers)
- Birth date combined with last four digits of SSN and name
- Credit card numbers with cardholder name
- Tax ID with name
- Driver’s license number, state identification card, and other forms of national or international identification (such as passports, visas, etc.) in combination with name
- Social Security number and name
- Health insurance information
- Medical records related to an individual
- Psychological Counseling records related to an individual
- Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual's financial account
- Biometric information
- Electronic or digitized signatures
- Private key (digital certificate)
- Attorney/client communications
- Legal investigations conducted by the University
- Third party proprietary information per contractual agreement
- Sealed bids

Protected Level 2 – Internal Use Data (Partial List)

Internal use information is information which must be protected due to proprietary, ethical, or privacy considerations. Although not specifically protected by statute, regulations, or other legal obligations or mandates, unauthorized use, access, disclosure, acquisition, modification, loss, or deletion of information at this level could cause financial loss, damage to the CSU’s reputation, violate an individual’s privacy rights, or make legal action necessary. Non-directory educational information may not be released except under certain prescribed conditions.

Identity Validation Keys (name with):
- Birth date (full: mm-dd-yy)
- Birth date (partial: mm-dd only)

Student Information – Educational Records (excludes directory information), including:
- Grades
- Courses taken
- Schedule
- …

Employee Information:
- Employee net salary
- Employment history
- Home address
- Personal telephone numbers
- Personal …

Other:
- Library circulation information
- Trade secrets or intellectual property such as research activities
- …
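As an added example (not part of the presentation or any CSU tool), a small classifier that applies the Level 1 and Level 2 combination rules above to the list of fields an inventory survey response reports for one asset, so responses from the Data Classification Activity can be triaged consistently. The field names and the sample inventory are constructed for illustration; the point it shows is that several items are only protected in combination (last four of SSN alone matches no rule, but with name and birth date it is Level 1).

```python
from __future__ import annotations

# Level 1 rules from the slide: each set lists the fields that together
# make an asset Confidential; a one-element set means the field alone.
LEVEL1_RULES = [
    {"password"}, {"pin"}, {"private_key"}, {"biometric"},
    {"medical_record"}, {"health_insurance"}, {"counseling_record"},
    {"name", "ssn"},
    {"name", "birth_date", "ssn_last4"},
    {"cardholder_name", "card_number"},
    {"name", "tax_id"},
    {"name", "drivers_license"},
    {"bank_account", "account_access_code"},
]

# Level 2 rules: name with an identity validation key, or non-directory
# educational / employee records (field names are constructed labels).
LEVEL2_RULES = [
    {"name", "birth_date"},
    {"name", "birth_date_partial"},
    {"grades"}, {"courses_taken"}, {"schedule"},
    {"net_salary"}, {"employment_history"}, {"home_address"},
    {"library_circulation"}, {"trade_secret"},
]

def classify(fields: set[str]) -> str:
    """Return the protection level for the set of fields an asset stores."""
    if any(rule <= fields for rule in LEVEL1_RULES):   # rule is a subset
        return "Level 1"
    if any(rule <= fields for rule in LEVEL2_RULES):
        return "Level 2"
    return "Unclassified"  # the slides define only the two protected levels

def classify_inventory(assets: dict[str, set[str]]) -> dict[str, str]:
    """Classify every asset reported in the survey responses."""
    return {name: classify(f) for name, f in assets.items()}

# Constructed sample survey responses: asset name -> fields it stores.
SAMPLE_INVENTORY = {
    "cashier_payment_form": {"cardholder_name", "card_number", "amount"},
    "student_roster": {"name", "email", "grades"},
    "alumni_mailing_list": {"name", "email"},
    "hr_export": {"name", "birth_date", "ssn_last4", "net_salary"},
    "help_desk_log": {"ticket_id", "ssn_last4"},
}

if __name__ == "__main__":
    for asset, level in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{asset:22} {level}")
```

Level 1 is checked before Level 2 so an asset matching both (the HR export, which has name plus full birth date as well as the SSN combination) gets the stricter label.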