Compliance, Execution and Enforcement

General

This section implements Integrated CSU Administrative Manual (ICSUAM) Policies 8090.0 and 8095.0.

Information Security Plan self-study

Annually, Information Security staff and the Information Security Officer will report progress on the implementation of this plan to the Chief Information Officer and the Vice President for Finance and Administration.

Compliance

The University will comply with the laws and regulations that apply to University information assets, as defined by the CSU Information Security Management Office.

Execution and Enforcement

The Information Security Officer and Chief Information Officer, in consultation with other campus administrative units, will develop procedures and policies for the conduct of information security investigations. These procedures must comply with applicable laws, system-wide policy and Collective Bargaining Agreements.

Allegations against students will be handled in accordance with Executive Order 1043, Student Conduct Procedures, and University Policy SA.11.003 – Policy on Community Responsibility and Student Conduct, and referred to the Division of Student Affairs.

Allegations against faculty and staff will be referred to appropriate campus administrators for disposition in accordance with the appropriate procedures and collective bargaining agreements.

Allegations against auxiliary employees will be referred to the appropriate auxiliary organization for disciplinary action.

Allegations against third-party service providers are subject to contractual or legal remedies, and will be referred to University counsel.

In any allegation, Information Security personnel will conduct a confidential investigation and report the results of the investigation to the Chief Information Officer, the Information Security Officer and appropriate administrators. If a reasonable suspicion of a criminal act exists, the complaint will be referred to law enforcement.

The Information Security Officer or designee will develop procedures for the reporting of information security incidents or alleged violations of information security policy.