General
This section implements CSU Information Security Policy 8025.00.
Collection of Personal Information
The Information Security Officer or designee, in consultation with the University’s Institutional Review Board and other appropriate administrative units, will establish procedures governing collection of personal information. Such procedures must prescribe appropriate business needs for the collection of personal information, adequate protections against unauthorized use or disclosure of the personal information collected, and appropriate methods of storage and destruction.
Access to Personal Information
The Information Security Officer or designee, in consultation with other appropriate administrative units, will create procedures to ensure that access to collected personal information is limited to those who have a legitimate business or academic need for the access.
Each person who accesses or stores protected data must use due diligence to prevent unauthorized access and disclosure of such information. ITS will integrate best practices for handling sensitive data into initial and recurrent information security awareness training.