Friday, September 4, 2009

Report on Meeting About CSU Systemwide IT Policy

CSU is working on a systemwide Information Technology (IT) policy, and CSUEU has met twice with the CSU to discuss it.

Here's the report from headquarters of the August 25 meeting:

On August 25, 2009, CSUEU met with CSU for the second time regarding the CSU's proposed IT security policy.

The CSU claimed that they received more than 1,000 comments on a draft policy that was issued in October, 2008. CSUEU met with the CSU about that draft in February, 2009. Many of CSUEU's suggestions were incorporated into a July, 2009, version that we reviewed during the August 25 meeting.

Representing CSUEU were Rich McGee (BU 9, San Bernardino), Alisandra Brewer (BU 9, Sonoma), Joseph Dobzynski (BU 9, Channel Islands), Matthew Black (BU 9, Long Beach), and Teven Laxer (CSUEU Senior Labor Relations Representative). Cheryl Washington (Interim Senior Director, Systemwide Information Security Management, Chancellor's Office), Sharyn Abernatha (Senior Manager, Employee and Labor Relations, Chancellor's Office) and Teresa Macklin (Information Security Officer, San Marcos) represented the CSU.

As a result of our meeting, the CSU agreed to make the following additional modifications to their proposed policy:

  • The policy will acknowledge that the CSUEU assisted in the development of the IT security policy (the latest draft had only acknowledged the input of faculty)
  • The policy will state that the CSU does not intend to monitor, restrict, or utilize the content of legitimate academic or organizational communications
  • The policy will acknowledge that the assignment of risk should be given to the appropriate administrator, not to any individual IT employee
  • There will be periodic review of risk assessments by appropriate administrators
  • In September, the CSU will review and modify its draft policy with additional organizations and will be issuing another draft policy shortly thereafter. CSUEU will review that draft as soon as it is released.
  • In addition to the discussion regarding the IT security policy, we reviewed and discussed a proposed Information Security Awareness Program which the CSU intends to provide to all employees who have access to sensitive information (Level I, Level II or protected data). The CSU agreed to the following modifications:
    • Salaries will not be considered protected information
    • There will be a discussion about the proper disposal of Level I data
    • The CSU agreed to remove language from one slide concerning specific applications (AIM, Yahoo Messenger) and web sites which gave the impression they would not be authorized
    • Security Awareness Training is neither a test nor a policy. It is only an assessment, and campuses are free either to use this training or to create their own

CSUEU will continue to keep you informed about these issues.

Some explanatory notes:

  • Level I data is also referred to as must-notify data — data whose release or compromise requires notifying the person it belongs to. Accidental release of people's Social Security Numbers would be an example of a Level I incident.
  • Security Awareness Training refers to an annual self-paced online training about information security, which the CSU has been testing. A number of CSUEU activists statewide were instructed, as part of their jobs, to test-drive this training.
  • The Unit 9 activists working on this are all IT experts.

