Information Security

The Stanislaus State Information Security Policy comprises policies, standards, guidelines, and procedures pertaining to information security. The information contained in these documents is largely developed and implemented at the CSU level, although some apply only to Stanislaus State or a specific department.

Email and Phishing Scams

Phishing is a method of trying to gather personal information using deceptive e-mails and websites.  Spear phishers distribute malware in emails or breach your account to steal personal and organization information. 91% of data security breaches start with an email attack.

phish·ing
ˈfiSHiNG/
noun
  1. the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

Check out this 2:28 minute training video on email phishing and how to protect your personal information and the campus data security.


These attacks are easier to spot once you know what to look for. Be on the lookout for the following indicators of a malicious email:

  • Email is from a sender you don't recognize
  • Message is unexpected or unsolicited
  • Sender's organization name doesn't match the email address domain
  • Subject of the email uses emotional topics, urgent deadlines for response, too-good-to-be-true claims, or tries to scare you
  • Contains spelling or grammar mistakes
  • Asks you to download an attachment or enter personal information such as a password or Social Security number

Spam is not the same thing as a phishing email. Spam is unsolicited commercial email, often delivered to a large number of individuals. Phishing is an active attempt to get you to click a dangerous link, download a file infected with malware, or enter personal information such as passwords or Social Security numbers. Spam can be blocked or deleted, but phishing emails should be reported.

Preview emails in Outlook before opening and look for these three elements: 

Attachments

When an attachment comes from someone you don't know or if you weren't expecting the file, make sure it's legitimate before opening it. 

Log-in Pages

Spear phishers will often forge log-in pages to look exactly like the real thing in order to steal your credentials.

Links

Roll your mouse pointer over the link and see if the URL that pops up matches what's in the email message. If they don't match, don't click.
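The indicator list and the three preview checks above (attachments, log-in pages, links) can be turned into a small automated screen that runs the same questions a person asks when previewing a message. The Python script below is an added example and is not code from the Stanislaus State page or from OIT; the KNOWN_DOMAINS allow-list, the ORG_DOMAINS mapping, the URGENCY_WORDS list and the sample message built by build_sample() are all constructed for illustration. It only reports findings, leaving the decision to report the message to techsupport@csustan.edu with the reader.

```python
"""Screen a raw e-mail for the phishing indicators listed above.

Added example, not code from the Stanislaus State page. KNOWN_DOMAINS,
ORG_DOMAINS, URGENCY_WORDS and the sample message are constructed for
illustration only.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: domains this mailbox normally receives from.
KNOWN_DOMAINS = {"csustan.edu"}
# Constructed mapping: organisation as written in a display name -> the
# domain that organisation really sends from.
ORG_DOMAINS = {"stanislaus state": "csustan.edu"}
# Pressure cues from the indicator list (urgent deadlines, scare tactics).
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify", "expire", "winner")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for each <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def hostname(url):
    """Lower-cased host of a URL; bare 'www.example.com' text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw):
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Indicators: unfamiliar sender, and organisation name vs. address domain.
    name, addr = parseaddr(msg["From"] or "")
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain not in KNOWN_DOMAINS:
        findings.append(f"unknown sender domain: {domain}")
    for org, org_domain in ORG_DOMAINS.items():
        if org in name.lower() and domain != org_domain and not domain.endswith("." + org_domain):
            findings.append(f"display name '{name}' claims {org} but domain is {domain}")

    # Indicator: urgent deadlines, threats or too-good-to-be-true subject lines.
    subject = str(msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("pressure language in subject: " + ", ".join(hits))

    # Preview element: attachments you were not expecting.
    for part in msg.iter_attachments():
        findings.append(f"attachment present: {part.get_filename()}")

    # Preview element: does the URL shown on screen match the real target?
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = LinkCollector()
        collector.feed(html_part.get_content())
        for text, href in collector.links:
            if "." in text and hostname(text) != hostname(href):
                findings.append(f"link text '{text}' actually points to {hostname(href)}")
    return findings


def build_sample():
    """Constructed message in the style of the April awareness campaign."""
    m = EmailMessage()
    m["From"] = '"Stanislaus State Payroll" <payroll@csustan-notices.example>'
    m["To"] = "employee@csustan.edu"
    m["Subject"] = "URGENT: verify your account or access will be suspended"
    m.set_content("Your account needs attention. See the attached notice.")
    m.add_alternative(
        '<p>Sign in at <a href="http://login.csustan-notices.example/auth">'
        "https://www.csustan.edu/login</a> before Friday.</p>",
        subtype="html",
    )
    m.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                     subtype="pdf", filename="payroll_notice.pdf")
    return m.as_string()


if __name__ == "__main__":
    for finding in phishing_indicators(build_sample()):
        print("-", finding)
```

Running the script on the constructed sample reports five findings: the unknown domain, the display name that claims to be Stanislaus State, the pressure words in the subject, the unexpected PDF, and a link whose visible text (a csustan.edu address) points somewhere else, which is exactly what the mouse-over check above catches by hand. A plain-text maintenance notice from techsupport@csustan.edu produces no findings.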

If you see something that looks off, don't open or click the message. Contact the OIT Technology Support Desk at techsupport@csustan.edu and report the email. You can also use the PhishMe Report Phishing button in newer versions of Outlook to submit a suspected phishing attempt to OIT. Even if you aren't sure, contact OIT to check it out. Better safe than sorry.

This phishing email was sent to campus in April as an educational campaign. It relied on curiosity to prompt viewers into clicking the active link. If this had been a real phishing attempt, clicking the link could have stolen personal data from the viewer, or uploaded malware into the campus network. Always stop and think before clicking a link, and always contact OIT if you suspect a phishing attempt.

[Screenshot: the April phishing awareness campaign email]

Contact the OIT Technology Support Desk at techsupport@csustan.edu and report the email.

To learn more about the Stanislaus State CoFense Email Security Initiative: CoFense Implementation Plan Summary May 2018.pdf

Employee Virtual Private Network (VPN)

A virtual private network (VPN) uses encryption to protect communications from the network the VPN client (for example, a laptop) is connected to. The client sends the encrypted traffic to a VPN server on the campus network, which then routes it to on-campus resources such as shared drives or applications that are only accessible from our network.

The CSU and Stanislaus State have the responsibility to protect the information we collect or create in the process of conducting the activities of the institution.

VPN allows those working remotely with University laptops to use insecure networks in a secure manner and enables them to access resources as though they are on the campus network.

The service is intended for individuals with a University-owned and -managed laptop who need to work off-site and require access to network resources that are only offered while on campus.

Stanislaus State’s new employee virtual private network (VPN) service uses MFA for authentication. At your first logon you will be prompted to enroll. For information on MFA, please see the Multi-Factor Authentication page.

Here are PDF guides on how to access the Global Protect VPN on Windows (pdf) and Macs (pdf).

Enroll a device in MFA and download the VPN client

What should I know or have before I start?

  • A University owned and managed laptop,
  • a mobile device or token enrolled in MFA, and
  • your username and password.

If you are not already enrolled, visit the Duo multi-factor authentication page for more information.

What if I do not have a Stanislaus State issued laptop?

Applications and services only offered on campus that a VPN connection would allow access to are not appropriate for use with equipment not owned and managed by Stanislaus State.

Do I have to use the VPN for access to everything?

Using it all the time is a good idea since it puts your device behind Stanislaus State's network protections while you are not on campus. Using a VPN connection is only required for access to applications or services only offered while connected to the campus network, like departmental shared drives or the Security Request Form web application.

Is there a time using the VPN is not appropriate?

Not all foreign governments support the use of encryption. If you are traveling internationally, please check the laws or regulations governing the use of encryption to secure communications, as it may not be legal in some countries. If this is the case, you are also discouraged from using University resources from these countries.

What is the address to connect once I have VPN installed?

Use this address: ssovpn.csustan.edu.

Policies, Procedures, and Standards

To access the details of a specific policy, click on the relevant policy topic in the table below. You can also navigate to the relevant Supplemental Policies, Standards, and Guidelines and Procedures by clicking on the appropriate ► in the table; where more than one document of a particular type is associated with a particular topic, clicking the ► will open a separate web page with links to relevant documents.

Note that, to access documents linked from the Guidelines and Procedures columns below, you'll need an active Warrior ID and Password.

For more information, see the Stanislaus State Information Security Plan 10-16.pdf

Learn about the email security initiative at Stanislaus State CoFense Implementation Plan Summary May 2018.pdf

Data Classification Guidelines

This document describes the three levels of data classification that the University has adopted regarding the level of security placed on the particular types of information assets.  The levels described below are meant to be illustrative, and the list of examples of the types of data contained below is not exhaustive.  Please note that this classification standard is not intended to be used to determine eligibility of requests for information under the California Public Records Act or HEERA.  These requests should be analyzed by the appropriate legal counsel or administrator.

Access, storage and transmission of Level 1 - Confidential information are subject to restrictions as described in CSU Asset Management Standards.

Information may be classified as confidential based on criteria including but not limited to:

  1. Disclosure exemptions - Information maintained by the University that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws.
  2. Severe risk - Information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the CSU, its students, employees, or customers. Financial loss, damage to the CSU’s reputation, and legal action could occur.
  3. Limited use - Information intended solely for use within the CSU and limited to those with a "business need-to-know."
  4. Legal Obligations - Information for which disclosure to persons outside of the University is governed by specific standards and controls designed to protect the information.

Examples of Level 1 - Confidential information include but are not limited to:

  • Passwords or credentials that grant access to level 1 and level 2 data
  • PINs (Personal Identification Numbers)
  • Birth date combined with last four digits of SSN and name
  • Credit card numbers with cardholder name
  • Tax ID with name
  • Driver’s license number, state identification card, and other forms of national or international identification (such as passports, visas, etc.) in combination with name
  • Social Security number and name
  • Health insurance information
  • Medical records related to an individual
  • Psychological Counseling records related to an individual
  • Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual's financial account
  • Biometric information
  • Electronic or digitized signatures
  • Private key (digital certificate)
  • Law enforcement personnel records
  • Criminal background check results

Access, storage and transmission of Level 2 - Internal Use information are subject to restrictions as described in CSU Asset Management Standards.

Information may be classified as "internal use" based on criteria including but not limited to:

a) Sensitivity - Information which must be protected due to proprietary, ethical, contractual or privacy considerations.
b) Moderate risk - Information which may not be specifically protected by statute, regulations, or other legal obligations or mandates but for which unauthorized use, access, disclosure, acquisition, modification, loss, or deletion of could cause financial loss, damage to the CSU’s reputation, violate an individual’s privacy rights, or make legal action necessary.

Examples of Level 2 - Internal Use information include but are not limited to:

  • Identity validation keys (name combined with)
    • Birth date (full: mm-dd-yy)
    • Birth date (partial: mm-dd only)
  • Photo (taken for identification purposes)
  • Library circulation information
  • Trade secrets or intellectual property such as research activities
  • Student Information - educational records not defined as "directory" information, typically:
    • Grades
    • Courses taken
    • Schedule
    • Test scores
    • Advising records
    • Educational services received
    • Disciplinary actions
    • Student photo
  • Location of critical or protected assets
  • Licensed software
  • Vulnerability/security information related to a campus or system
  • Campus attorney-client communications
  • Employee Information
    • Employee net salary
    • Home address
    • Personal telephone numbers
    • Personal email address
    • Payment history
    • Employee evaluations
    • Pre-employment background investigations
    • Mother’s maiden name
    • Race and ethnicity
    • Parents’ and other family members’ names
    • Birthplace (city, state, country)
    • Gender
    • Marital status
    • Physical description
    • Other

Level 3 - Publicly Available information is designated as publicly available and/or intended to be provided to the public.

Information at this level requires no specific protective measures but may be subject to appropriate review or disclosure procedures at the discretion of the University in order to mitigate potential risks.

Disclosure of this information does not expose the CSU to financial loss or jeopardize the security of the CSU’s information assets.

Examples of Level 3 - Publicly Available

  • Warrior ID (Emplid, Student ID)
  • Employee Information
    • Employee Name (first, middle, last; except when associated with protected information)
    • Work email address
    • Work mailing address
    • Title
    • Office Location and telephone number
    • Department
    • Gross Salary
    • Signature (non-electronic)
  • Financial budget information
  • Purchase order information
  • Student Information (Non-FERPA restricted students only)
    • Name
    • Major
    • Participation in sports/activities
    • Weight and height (athletic team members only)
    • Dates of attendance
    • Full or part-time status
    • Degrees and awards received
    • Campus email address
    • Most recent or previous college/university/agency attended

Updated: December 05, 2022