Safeguarding Information

Division: 

Administration & Finance

Department: 

Information Technology Services

Contact Information: 

Nish Malik / Senior Associate Vice President (AVP) and Chief Information Officer (CIO) / (415) 405-4105 / nish@sfsu.edu

Effective Date: 

Monday, August 1, 2011

Revised Date: 

Tuesday, May 20, 2025 

Authority: 

CSU Information Security Policy and Standards

Objective: 

This Policy specifies basic requirements for safeguarding university-owned information assets with respect to: 

  • Physically Securing Equipment
  • Endpoint Firewall Technology
  • Configuring Strong Passwords 
  • Encrypting Sensitive Data
  • Decommissioning Storage Media
  • Establishing Remote Connections
  • Maintaining Paper Records

Statement: 

Physically Secure Equipment

Portable equipment, such as laptops and mobile devices, is an easy target for theft; do not leave such devices unattended. It only takes a moment for someone to pick up your laptop or handheld device while your attention is diverted.

Endpoint Firewall Technology

Firewalls protect computers from network-based attacks by filtering inbound and outbound network traffic. Access to the campus network as a whole is managed by a set of dedicated hardware-based systems. However, this technology is not foolproof.

To support a defense-in-depth strategy, software-based firewalls shipped with commodity endpoint operating systems (such as Microsoft Windows or Mac OS) should be enabled.

Configuring Strong Passwords

Passwords used to protect information assets from unauthorized use must follow the SF State Password Standard.

Passwords are considered to be Level 1 data and should either be encrypted (if they are stored on a computing device) or otherwise handled according to the rules detailed in this policy’s section on Maintaining Paper Records. 

Encrypting Sensitive Data

Sensitive data (e.g. Level 1 and Level 2 data) must not be stored on a computing device unless it is encrypted. Furthermore, if possible, sensitive data should be stored centrally on a secured server instead of on a mobile device or portable storage media to minimize the risk of a data breach in the event of theft.

Decommissioning Storage Media

Existing endpoint systems that are scheduled for redeployment should have their storage media cryptographically erased and then re-imaged with a pristine operating system. 

Digital storage media that is to be decommissioned must be handled according to the University’s Secure E-Waste and Paper Disposal policy.

Remote Connections

SF State offers Virtual Private Network (VPN) connections to faculty and staff to enable secure access to the university’s network resources when users are not directly connected to the campus network.

Campus endpoints should not be configured to receive remote client connections.   

Handling Paper Records

Paper records containing sensitive information should be retained only as long as they are valid, useful, and required to be retained. (See section 4 of the Student Privacy Rights Policy and Procedures regarding student records retention, and the CSU Records Retention & Disposition Schedules.) Confidential paper records must be stored and accessed in physically secured office areas that do not offer public access. Visitors entering such areas must be escorted and monitored at all times.

Paper records that exceed their retention period must be disposed of according to the University’s Secure E-Waste and Paper Disposal policy.

Departmental Managers are responsible for overseeing disposal of paper and other media (including electronic media) in their areas.

Implementation

Responsibility for implementing this Policy will rest with ITS and Information Technology (IT) departments across campus. Submit any apparent violation of the Safeguarding Information Policy to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to service@sfsu.edu.

Non-Compliance

Noncompliance with applicable Policy and/or practices may result in suspension of network access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.