Date: October 24, 2013 Code: TECHNICAL LETTER HR/EHDB Common Human Resources System (CHRS) Security Plan and Requirements - Policy Guidelines

Transcription

1 Office f the Chancellr 401 Glden Shre, 4 th Flr Lng Beach, CA hradmin@calstate.edu Date: Octber 24, 2013 Cde: TECHNICAL LETTER HR/EHDB T: Human Resurces Officers Frm: Evelyn Nazari William Perry Assciate Vice Chancellr Chief Infrmatin Security Officer Human Resurces Management & CO HR Services Infrmatin Security Subject: Cmmn Human Resurces System (CHRS) Security Plan and Requirements - Plicy Guidelines Overview Audience: Actin Item: Affected Emplyee Grup(s)/Unit(s): Human Resurces Officers and/r HR Prfessinals, Security Administratrs r designees respnsible fr campus security administratin. Adhere t the plicy guidelines fr implementatin f the CHRS Security Plan and Requirements. Individuals respnsible fr supprting and administering campus security and thse individuals invlved in the varius implementatin aspects f CHRS. Summary This Technical Letter prvides detailed infrmatin regarding the implementatin f the CHRS Security Plan and Requirements. HR Letter annunced the release f the CHRS Security Plan and Requirements as required by the system wner, Califrnia State University (CSU) Systemwide HR. This Technical Letter includes an verview f the infrmatin cntained in the CHRS Security Plan and Requirements fr CHRS, which serves as fficial dcumentatin. This infrmatin will establish secure prtcls and unifrmity fr campuses and the Chancellr s Office. Infrmatin is prvided based n the fllwing sectins: Sectins 2.0 Systemwide HR Requirements 3.0 CHRS Gvernance Structure 4.0 CHRS Security Training 5.0 Authenticatin and Access Cntrl Distributin: CSU Chancellr All Campus Vice Presidents Assciate Vice Presidents/Deans, Faculty Affairs Human Resurces Officers Business Managers Budget Officers General Cunsel State Cntrller s Office (SCO)

2 6.0 CHRS Security Incident Management 7.0 CHRS Business Cntinuity and Disaster Recvery 8.0 CHRS Infrastructure TECHNICAL LETTER HR/EHDB Page 2 f 2 Questins regarding this technical letter may be directed t Human Resurces Management at (562) This dcument is available n Human Resurces Management s Web site at: EN/th

3 CHRS Security Plan and Requirements FINAL

4 CHRS Security Plan and Requirements FINAL REVISION CONTROL Dcument Title: CHRS Security Plan and Requirements Authr: Tammy Hines File Reference: CHRS Security Plan and Requirements Revisin Histry Revisin Date Revised By Summary f Revisins Sectin(s) Revised 07/05/13 T. Hines, A. Harwd, G. Mansr New Dcument 07/09/13 J. Whitney Reviewed All 07/16/13 T. Hines Revised t remve reference t Central Security Administratr 08/19/13 T. Hines Updates t indicate dcument is apprved/final All 10/18/13 T. Hines Final edits fr distributin All All Sectin 1.3 Review / Apprval Histry Review Date Reviewed By Actin (Reviewed, Recmmended r Apprved) 07/05/13 Evelyn Nazari, Assciate Vice Chancellr HRM and CO HR Services 07/08/13 William Perry, Chief Infrmatin Security Officer, CO Infrmatin Security 07/09/13 Jessie Lum, Chief Infrmatin System Officer, CO Infrmatin Systems 08/19/13 Gail Brks, Vice Chancellr, Systemwide HR Recmmended fr apprval Recmmended fr apprval Recmmended fr apprval Apprved Page ii

5 CHRS Security Plan and Requirements FINAL Table f Cntents Page 1.0 Intrductin Dcument Purpse Dcument Scpe Assumptins Systemwide HR Requirements System Applicatins/Specific Prcesses Emplyment infrmatin Campus Cnversin Validatin Develpment HR/CS Split Persn Data (Demgraphic) /Searches Persn Data and CS CHRS Nn-Prductin Sensitive Data CHRS Data Classificatin Oracle Reprting/Queries Database SQL Access Rles and Permissins CHRS Gvernance Structure System-wide Rles and Respnsibilities Systemwide Human Resurces CHRS Data Gvernance CHRS Security Campus Actin Team (CHRS Security CAT) Central Security Administratr CMS Technical Services and Applicatin Develpment Team Campus Rles and Respnsibilities Distributed Security Administratrs CHRS Security Training Authenticatin and Access Cntrl Passwrd Management CHRS Security Incident Management CHRS Business Cntinuity and Disaster Recvery Page iii

6 CHRS Security Plan and Requirements FINAL 8.0 CHRS Infrastructure Oracle Database User Accunts Passwrd Management Appendix Page iv

7 1.0 Intrductin The Cmmn Management Systems (CMS) currently supprts Califrnia State University (CSU) campuses and the Chancellr s Office (CO) peratinal databases. Campuses have a minimum f seven test, develpment, and prductin databases fr each applicatin. A recent study f CMS recmmended that the CSU cnsider cnslidating applicatins t prvide pprtunities fr cst savings t the CSU. CMS gals are t achieve best business practices, reduce csts and imprve perfrmance. The CMS Executive Cmmittee (EC) determined that CMS is nt sustainable in its current state. The CMS EC prpsed the Cmmn Human Resurces System (CHRS) initiative t achieve CMS s stated gals. A CHRS Advisry Grup was then established t research the feasibility f adpting a cmmn Human Resurces (HR) system. The majr reasns t adpt a cmmn HR system were t: Enable adptin f a system-wide HR mdel that facilitates the timely adptin f best business practices acrss all campuses. Allw all campuses t take full advantage f a feature rich system. Smaller campuses d nt have the resurces t maintain and enhance the system. Cntain csts assciated with managing CMS. Prvide the CSU with a cmprehensive reprting system via a system-wide HR reprting envirnment and Data Warehuse (DW). The EC apprved the CHRS Prject which encmpasses an enriched cmmn HR applicatin cde and cmmn cnfiguratin n a single platfrm, with an HR reprting slutin. 1.1 Dcument Purpse This dcument describes the CHRS Security Plan and Requirements as required by the system wner, CSU Systemwide HR. The prtectin measures described in this dcument were designed t ensure CHRS cmplies with CSU Systemwide HR Plicies, CSU System-wide Infrmatin Security Standards and Plicies gverning infrmatin technlgy (including thse with specific relevance t HR peratins), infrmatin security and human resurces as well as all pertinent state and federal regulatry requirements. Security within CHRS will be addressed thrughut the sftware develpment life cycle and within the envirnment supprting CHRS, including but nt limited t the prductin and nn-prductin netwrk, perating system, and applicatin levels. 1.2 Dcument Scpe This strategy was develped t ensure the cnfidentiality, integrity and availability f CHRS infrmatin assets. It utlines security cntrls that must be in place t reduce and mitigate CSU security risks with assciated data frm 23 campuses and the CO residing in ne cnslidated envirnment. The CHRS Security Plan and Requirements is nt intended t be a campus prcedural dcument r a campus peratinal guide; hwever, it Page 5 f 15

8 will include specific prtcls that will gvern the security f CHRS system-wide data. The CHRS Security team will develp and distribute additinal dcuments t supprt the implementatin f this plan. 1.3 Assumptins A cre security design will be develped fr CHRS. This cre design will include the fllwing elements: Security Administratrs will be assigned t CHRS t supprt the security management activities at the CO and campus ffices. The Security Administratrs will include the CO Infrmatin Security Officer (ISO) t ensure security within CHRS is managed by a subject matter expert and cmplies with CSU System-wide Infrmatin Security Standards and Plicies gverning infrmatin security. CHRS users will be permitted t view data applicable t their jb duties nly. Campus Distributed Security Administratrs (DSAs) and ther designated emplyees may be permitted t access system-wide data t supprt develpment within a specific CHRS prject, fr a specified time, with apprpriate apprvals frm Systemwide HR. Authenticatin cntrls will be managed similar t the Cmmn Financial System (CFS) thrugh System-wide Identity Access Management (IAM) infrastructure. Access t the CHRS system-wide data will be based n the principles f need-t-knw and least privileges. Campuses will cmply with all CSU plicies gverning infrmatin security including the CSU s Segregatin f Duties plicy (SD). 2.0 Systemwide HR Requirements Each campus is its wn appinting authrity. As such, all campus infrmatin must be secured at the campus level bth in prductin and nn-prductin database instances. Applicable CSU Systemwide HR and Security Plicies must be fllwed. Refer t the Appendix sectin fr a listing f applicable CSU Systemwide HR and security plicies/laws. Where specific apprvals have been granted, an emplyee may be granted access t data at anther campus when wrking n a specific CHRS system-wide prject fr a specified duratin. In thse instances, a Cnfidentiality Agreement must be signed by the emplyee and apprvals t grant such access must be btained frm Systemwide HR. Quarterly audits f changes made t permissins and security rles must be perfrmed t ensure the access assigned was authrized, apprpriate and applicable t the functins being perfrmed. The details arund these prcesses will be dcumented in the CHRS Security/Operatinal Guide. In all ther situatins, all security strategies must be administered in such a way that campus emplyees are able t nly access infrmatin needed t perfrm their jb duties. All regulatry laws and CSU plicies must be adhered t, including thse specified in HR which states: The Califrnia State University (CSU) has a respnsibility t prtect sensitive persnal data and maintain cnfidentiality f that data under the Infrmatin Practices Act (IPA) and Title 5. In light f rapidly changing technlgy and increased Internet use, this memrandum is written t highlight the imprtance f the CSU s respnsibility. The Infrmatin Practices Act, Califrnia Civil Cde 1798, et seq., requires Page 6 f 15

9 the Chancellr s Office and campuses t cllect, use, maintain, and disseminate infrmatin relating t individuals in accrdance with its prvisins. Additinally, thrugh f Title 5 f the Califrnia Cde f Regulatins address privacy and the principles f persnnel infrmatin management. (Refer t Appendix) The CSU als cmplies with the Family Educatinal Rights and Privacy Act (FERPA), which prhibits the release f educatin recrds withut student permissin (Refer t Appendix). Each campus is respnsible fr campus recrd-keeping and prcedures relating t student and emplyee persnal infrmatin. In additin, each campus is required t maintain apprpriate access, disclsure, and cnfidentiality f student and emplyee persnal infrmatin. 1. Each campus must ensure that all emplyees with access t cnfidential persnal infrmatin have a legitimate CSU need t have such access. These emplyees must understand the respnsibility they have under the Infrmatin Practices Act and Title 5 t prtect sensitive persnal data. 2. Cnfidential persnal infrmatin shuld nt be transmitted utside the CSU unless it is fr legitimate CSU purpses. Recipients must be infrmed that the infrmatin prvided is cnfidential and is prvided fr the sle purpse f the specific business need. Als, recipients must be infrmed that they are respnsible fr the prtectin f the infrmatin and the destructin f all files after the intended use is satisfied. 2.1 System Applicatins/Specific Prcesses The fllwing system applicatin security requirements, in additin t the infrmatin utlined abve, must be adhered t fr CHRS. These peratinal security requirements apply t prductin and nn-prductin CHRS database instances Emplyment infrmatin Emplyee infrmatin must be secured at the campus and department levels and nly accessible t emplyees based upn a need-t-knw basis t perfrm their assigned jb duties. Emplyment infrmatin includes but is nt limited t infrmatin identified as Level 1 and/r Level 2 data. Refer t the CHRS Data Classificatin sectin belw fr specific details Campus Cnversin Validatin The apprach used fr campus validatin f cnverted data fr CHRS must adhere t the security requirements utlined previusly t ensure all data is secured by the campus. Access must be prvided in a manner that enables campus designated emplyees t validate data at their respective campus by specific jb functin(s) Develpment CHRS develpment will be handled by the central CO staff. Campus-specific mdificatins t CHRS are nt allwed. Therefre, campus develpment access will nt be authrized, unless it is granted t supprt a specific CHRS prject. Refer t Sectin 2.0 fr additinal details. Page 7 f 15

10 2.1.4 HR/CS Split Oracle has advised that althugh the applicatin is physically splitting, certain HR emplyment and pay infrmatin is necessary and must be kept in sync t supprt CS peratinal business needs, e.g. Wrk Study. The specific tables and values that will remain in sync will be defined by the CHRS Data Gvernance team. Nnetheless, each campus must secure their campus CS system t ensure that nly CS menu ptins, pages and functins are available within CS. The campus must cmply with the Systemwide HR plicy (t be defined) t remve access t HR menu ptins, pages and functins as these are n lnger applicable and will nt be maintained. Quarterly audits will be gverned by CO Security t ensure campus cmpliance; details f these audits and cntrls will be included in the CHRS Security Guide. (A delivered slutin will be pursued with Oracle.) Persn Data 1 (Demgraphic) /Searches HR Persn Data may be viewed by campus emplyees n a need-t-knw basis t perfrm their jb. Certain Persn Data elements may als be viewed t preclude duplicate recrds frm being added t the system, e. g. Search Match functinality. Data available fr nline viewing and searches include infrmatin cntained in the existing CSU ID Search Mdificatin. Search Criteria Search Results Name Name SSN (full) SSN last 4 digits Emplyee ID/Recrd Number Empl ID/Recrd Number Jb Cde and Descriptin HR Status (Active/Inactive) Department ID and Descriptin Date f Birth (Mnth and Date) Organizatin Relatinship Emplyee Class POI Type Business Unit Persn Data and CS HR Persn Data may be shared between the campus HR and respective CS instance. HR Persn Data may nt be shared r used t update a nn-respective campus CS instance. Systemwide HR is the data wner f Persn Data and a designated delegate will wrk with respective campus representative(s) t manage demgraphic related data discrepancies. Operatinal prcesses that gvern hw persnal infrmatin will be updated within CHRS and the Higher Educatin Cnstituent Hub (HECH) will be defined by the CHRS Data Gvernance team. 1 Refer t the data standards defined as part f the CHRS Systemwide HR Data Standardizatin prject fr a cmplete listing f Persn Data elements (Phase I). Page 8 f 15

11 2.1.7 CHRS Nn-Prductin Sensitive Data Specific develpment functins must be perfrmed in the CHRS nn-prductin envirnments where data may nt be fully secured by the campus. As part f the CHRS develpment/implementatin effrts, campus emplyees may be given access t system-wide data t assist with specific prject develpment. In these instances, sensitive data cntained within the CHRS develpment (nn-prductin envirnments) must be masked and/r scrambled t minimize the pssibility that persnally identifiable infrmatin cannt be assciated with actual emplyees. T prtect infrmatin in this categry, the fllwing data elements, at a minimum are cnsidered sensitive and must be prtected as nted abve: 1. Name 2. SSN Natinal ID 3. Date f Birth (DOB) CHRS Data Classificatin The fllwing data items are classified as Level 1 and 2 by Systemwide HR as they relate t an emplyee s CSU emplyment histry and applicant recrd (name and qualificatins, educatin, physical descriptin-including pht, and backgrund investigatins) and thereby must be prtected/secured (this infrmatin is typically stred in Oracle within multiple mdules, e.g., Wrkfrce Administratin, Benefits Administratin, Time & Labr/Payrll, Absence Management, etc.). Emplyees may be granted access t these data items nly as it is relevant and necessary t perfrm their jb duties. Level 1 Data Items: Scial Security Numbers (with name) Taxpayer ID Natinal ID Internatinal Identificatin (such as passprt, visa-with name) Date f Birth (with partial SSN and Name) Benefits Recrds Medical Infrmatin Driver s License (with name) Citizenship/Visa Status Persnal Telephne Numbers, Address Address (Hme and Mailing) Race and Ethnicity Family Member Names (Mther s Maiden Name) Gender Marital Status Level 2 Data Items: Date f Birth (partial r full with name) Emplyee Applicant Recrd Net Salary Time and Labr Page 9 f 15

12 Payment Infrmatin Emplyee Evaluatins Veteran Status Disability/Reasnable Accmmdatin Age (Date f Birth) Oracle Reprting/Queries Access t Oracle query and reprting capabilities will use delivered Oracle applicatin security cntrls and rw level security. Oracle nline reprting and query is the primary reprting tl fr CHRS. Direct SQL access is nt intended fr reprting and is prvided fr technical supprt and integratin purpses Database SQL Access Access t the CHRS prductin database fr technical supprt and service accunts, e.g. integratin pint, will be allwed using Oracle accunts. The default and standard CSU_SELECT rle as utlined in the Validating Oracle Users and Rles dcument will nt include any tables that cntain emplyee related data. The CSU_UPDATE rle will nt exist within the CHRS envirnment. Only a limited number f campus based emplyees may be granted (direct database) access fr their respective campus t view and/r query infrmatin cntaining sensitive data. Level 1 and 2 data will be segregated by campus using campus specific Oracle views/rles which must be requested via the mdificatin gvernance prcess. A few predefined tables that include emplyee related data will be secured by campus and prvided as a baseline. Access t the campus-specific Oracle views will be prvided by way f campus specific Oracle rles Rles and Permissins Security Rles and Permissins lists fr CHRS will be defined and maintained by the CHRS Security Team. A system-wide set f security rles and permissin lists will be defined t supprt the Systemwide HR apprved jb functins required t implement the CHRS business practices defined by Systemwide HR. Campuses will have the ability t assign rles t users based upn their jb functin(s). Campuses may submit a request t the Central Security ffice fr an updated, r a new rle/permissin list t be defined t supprt a specific business need/functin. The request will be reviewed by the CHRS Security Team, and apprved by the Systemwide HR Data Steward fr inclusin in CHRS. Page 10 f 15

13 3.0 CHRS Gvernance Structure The CHRS gvernance structure defines the functins, relatinships, respnsibilities, and authrities f cmmittees and individuals that supprt CHRS. 3.1 System-wide Rles and Respnsibilities Systemwide Human Resurces The data wner fr CHRS will be the Assciate Vice Chancellr f Human Resurces Management and CO HR Services, Systemwide HR. The data delegate will be the Sr. Manager, CMS-Systemwide HR. The Vice Chancellr fr Systemwide HR is primarily respnsible fr reviewing and apprving the CHRS Security Plan and Requirements CHRS Data Gvernance Updates made t an emplyee s Persn Data recrd within CHRS may be permitted but will be gverned by rules defined by the CHRS Data Gvernance Team. The system update rules will be applicable t CHRS, the HECH and ther internal and/r external applicatins and integratins that rely n Persn Data, e.g. HR/CS Split envirnment, Identity Management Systems etc CHRS Security Campus Actin Team (CHRS Security CAT) A review team, cmprised f persnnel frm campuses and CMS Central, will be created t supprt CHRS infrmatin security requirements and initiatives. This team will be respnsible fr develping a set f rles and permissin lists apprved fr CHRS fr which security administratrs will use t assciate with campus based users. A security matrix that describes what access each end-user needs, based n the Systemwide HR Plicies and requirements and security guidelines and delivered rles frm CHRS Central team will be available t campuses. If campuses identify a needed change r new rle r permissin list, they will submit that request as described in the sectin n Rles and Permissins lists. The CHRS Security CAT will review the requests and recmmend apprval Central Security Administratr The Central Security Administratr (CSA) will wrk with the CO, campus staff, and CHRS CAT, t validate the security design and prvide pst-implementatin supprt. The CSA s duties include but are nt limited t the fllwing: Cnsultatin with campus and CO staff t meet peratinal security needs. Cnsultatin with the prject team t ensure CHRS cmpliance with CSU System-wide Infrmatin Security Standards and Plicies. Evaluatin f user security requests and cnsultatin with the CHRS Security CAT t ensure requests cmply with CHRS security plicies and audit guidelines. Prviding supprt t campuses and CMS during audits. Initial creatin f DSA User Accunts: - On-ging respnsibility will be perfrmed by Central Security Maintenance rather than Administratin. Page 11 f 15

14 Mnthly, quarterly, and annual review f CHRS security t ensure cmpliance with SD plicies CMS Technical Services and Applicatin Develpment Team CMS Technical Services will manage the prductin infrastructure assciated with the applicatin and web tiers, supprting the CHRS envirnment with directin frm the Central Security Administratr. This includes all tasks assciated with applicatin server setup, cnfiguratin and management, prcess scheduler setup, cnfiguratin and management, and web server setup cnfiguratin and management. CMS Technical Services is respnsible fr ensuring apprpriate resurces at the web and applicatin tier and include respnsibilities fr capacity planning, tuning, and installatin. CMS Technical Services alng with CMS Applicatin Develpment Teams will supprt the campus nnprductin envirnments as this nw requires central security cntrl and crdinatin. 3.2 Campus Rles and Respnsibilities Distributed Security Administratrs T highlight the shared respnsibilities f CHRS, campus security administratrs will be referred t as Distributed Security Administratrs (DSA s). The DSA s will be managed using Oracle s delivered Distributed User Prfiles functinality. They will be given the capability f assigning rles restricted t thse in their Rle Grant dmain. DSA s will prvide security supprt fr peratinal activities at the campus within the limitatins f the access prvided t them. Other duties f the DSA s include but are nt limited t the fllwing: Evaluate and act upn user access requests fr their respective campuses. Establish and maintain user prfiles in CHRS fr their respective campuses. Prcess user requests by assigning privileges t user accunts based n apprval frm Campus Applicatin Owners. Maintain dcumentatin related t users requests fr their respective campus. Accept and review user requests t access nn-campus based security bjects. Such requests are frwarded t the Central Security Administratr based n apprval frm Campus Applicatin Owner. Participate in audits f user accunts in accrdance with CSU Infrmatin Security Plicies. De-prvisin accunts when the user has separated frm the university by lcking them. Limited (Security Maintenance nly) mnthly, quarterly and annual reviews f SD reprts fr cmpliance. DSA s and their backups can grant any level f access r respnsibility within the rles granted t them fr the CHRS Oracle Applicatin. This respnsibility includes delegating limited administrative capabilities t Applicatin Leads. This special rle prvides the ability t administer the rights t any menu, cmpnent, page r tl within CHRS, again delineated by the rle granted thrugh the Rle Grant functinality, and therefre shuld be deplyed sparingly. Page 12 f 15

15 4.0 CHRS Security Training Effrts are underway t develp a system-wide campus CHRS implementatin supprt prgram that will include training fr the CHRS security mdel. CMS expects campuses t take the requisite security awareness and training. CHRS will require existing security experience and reinfrce security awareness as part f the implementatin supprt prgram, as utlined in CSU System-wide Infrmatin Security Plicy. 5.0 Authenticatin and Access Cntrl CHRS will implement a custm authenticatin prcess. CHRS Oracle system will be frnt-ended by a cmbinatin f the CSYu Emplyee Prtal and Shibbleth fr general authenticatin. Users that are successfully lgged int CSYu r ther system-wide authenticatin services will be able t access resurces based n their rles that are defined and granted within CHRS. The fllwing apprach prvides an example f this mdel: 1. A user attempts t access the main page f CSYu. 2. The user is redirected t their lcal campus Identity Prvider (IAM infrastructure) t enter their campus managed credentials. 3. Once authenticated, the user will be redirected back t CSYu where they will find a link t access CHRS. 4. This link executes custm cde that wrks in cnjunctin with the Oracle Sign-In Cde. 5. If the user has been prvided access, they will nw be able t perfrm any functins granted t them thrugh the rles that have been assigned t them. 5.1 Passwrd Management Oracle Passwrd Management feature will NOT be used in CHRS. Since campuses are respnsible fr managing their campus user s passwrd plicy they are encuraged t require strng passwrds and fllw the passwrd management guidelines in the Califrnia State University System-wide Infrmatin Security Standard. Significant changes that are t be implemented in the shared CHRS will be apprpriately reviewed and apprved by the CHRS Security CAT. Significant changes made t the CHRS Security mdel will be apprpriately reviewed and apprved by the designated change cntrl authrity. Any apprved changes will be migrated int CHRS prductin per the CHRS Release Management Guide. This dcuments the migratin prcess and describes the delineatin f respnsibilities in cmpliance with SD plicies. 6.0 CHRS Security Incident Management CHRS will cmply with the Infrmatin Security Incident Management Plices as defined in the Califrnia State University System-wide Infrmatin Security Plicy. Page 13 f 15

16 7.0 CHRS Business Cntinuity and Disaster Recvery Campus and CO users and administratrs access the CHRS at the Unisys data center. Disaster recvery fr all f CMS, including the CHRS, is managed and crdinated within the purview f the Unisys data center cntract. 8.0 CHRS Infrastructure This sectin describes differences t the CMS security infrastructure made t supprt the CHRS applicatin envirnment. All current CMS security practices, plicies and prcedures will be in place fr CHRS. This includes all current security cmpnents such as VPN, IDS, and Firewalls that are in place fr the CMS envirnment. This sectin cvers nly areas where CHRS is different frm current CMS HRSA envirnments. 8.1 Oracle Database User Accunts Passwrd Management The racle accunt s passwrd cntrls will cmply with CSU Plicy Access Cntrl and Standard 8060.S01 Access Cntrl. Page 14 f 15

17 9.0 Appendix Califrnia State University. (2012, June 5). Access Cntrl 8060.S01 Retrieved August 18, 2013, frm Califrnia State University. (2010, April 19). Cnfiguratin Management Plicy Retrieved 08 19, 2013, frm ICSUAM CSU Plicy: Califrnia State University. (2011, June 22). HIPPA Regulatins as Amended by the HITECH Act- Update f Privacy and Security. Retrieved 2013, frm CSU Human Resurces Management: Califrnia State University. (2010, April 19). Infrmatin Asset Management Plicy Retrieved 08 19, 2013, frm ICSUAM CSU Plicy: Califrnia State University. (2011, September 23). Infrmatin Security Data Classificatin 8065.S02. Retrieved August 18, 2013, frm Califrnia State University. (2005, April 8). Requirements fr Prtecting Cnfidential Persnal Data: Updated t Include Infrmatin Practices Act Web Site and Security Breach. Retrieved August 18, 2013, frm CSU Human Resurces Management: US Department f Educatin. (n.d.). Family Rights and Privacy Act (FERPA). Retrieved August 18, 2013, frm US Department f Educatin: Page 15 f 15