Division:
Administration & Finance
Department:
Information Technology Services
Contact Information:
Nish Malik / Senior Associate Vice President (AVP) and Chief Information Officer (CIO) / (415) 405-4105 / nish@sfsu.edu
Effective Date:
Monday, August 1, 2011
Revised Date:
Tuesday, May 20, 2025
Authority:
Objective:
This Policy specifies basic requirements for safeguarding university-owned information assets with respect to:
- Physically Securing Equipment
- Endpoint Firewall Technology
- Configuring Strong Passwords
- Encrypting Sensitive Data
- Decommissioning Storage Media
- Establishing Remote Connections
- Maintaining Paper Records
Statement:
Physically Secure Equipment
Portable equipment such as laptops and mobile devices is an easy target for theft; do not leave it unattended. It only takes a moment for someone to pick up your laptop or handheld device while your attention is diverted.
Endpoint Firewall Technology
Firewalls protect computers from network-based attacks by filtering inbound and outbound network traffic. Access to the campus network as a whole is managed by a set of dedicated hardware-based systems. However, this technology is not foolproof.
To support a defense-in-depth strategy, the software-based firewalls shipped with commodity endpoint operating systems (such as Microsoft Windows or Mac OS) should be enabled.
Configuring Strong Passwords
Passwords used to protect information assets from unauthorized use must follow the SF State Password Standard.
Passwords are considered to be Level 1 data and should either be encrypted (if they are stored on a computing device) or otherwise handled according to the rules detailed in this policy’s section on Maintaining Paper Records.
Encrypting Sensitive Data
Sensitive data (e.g. Level 1 and Level 2 data) must not be stored on a computing device unless it is encrypted. Furthermore, if possible, sensitive data should be stored centrally on a secured server instead of on a mobile device or portable storage media, to minimize the risk of a data breach in the event of theft.
Decommissioning Storage Media
Existing endpoint systems that are scheduled for redeployment should have their storage media cryptographically erased and then re-imaged with a pristine operating system.
Digital storage media that is to be decommissioned must be handled according to the University’s Secure E-Waste and Paper Disposal policy.
Remote Connections
SF State offers Virtual Private Network (VPN) connections to faculty and staff to enable secure access to the university’s network resources when users are not directly connected to the campus network.
Campus endpoints should not be configured to receive remote client connections.
Handling Paper Records
Paper records containing sensitive information should be retained only as long as they are valid, useful, and required to be retained. (See section 4 of the Student Privacy Rights Policy and Procedures regarding student records retention, and the CSU Records Retention & Disposition Schedules.) Confidential paper records must be stored and accessed in physically secured office areas that do not offer public access. Visitors entering such areas must be escorted and monitored at all times.
Paper records that exceed their retention period must be disposed of according to the University’s Secure E-Waste and Paper Disposal policy.
Departmental Managers are responsible for overseeing disposal of paper and other media (including electronic media) in their areas.
Implementation
Responsibility for implementing this Policy will rest with ITS and Information Technology (IT) departments across campus. Submit any apparent violation of the Safeguarding Information Policy to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to service@sfsu.edu.
Non-Compliance
Noncompliance with applicable Policy and/or practices may result in suspension of network access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.