Body
Why is it important to survey level 1 data?
The CSU and Stanislaus State have a responsibility to protect the information we collect or create in the process of conducting the activities of the institution. The first step to protecting data is knowing what it is, where it is, and what measures are already in place to guard it.
What is the Level 1 Data Survey?
The Level 1 Data Survey is a tool developed to collect information on where level 1 data is, what type of data it is, and any security measures already being taken to protect it from unauthorized or unintended disclosure.
What is level 1 data?
Level 1, or Confidential, data is defined in CSU policy as information with the following characteristics:
Information may be classified as confidential based on criteria including but not limited to:
- Disclosure exemptions - Information maintained by the University that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws.
- Severe risk - Information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the CSU, its students, employees, or customers. Financial loss, damage to CSU’s reputation, and legal action could occur.
- Limited use - Information intended solely for use within the CSU and limited to those with a “business need-to know.”
- Legal Obligations - Information for which disclosure to persons outside of the University is governed by specific standards and controls designed to protect the information
Examples given are:
- Passwords or credentials that grant access to level 1 and level 2 data
- PINs (Personal Identification Numbers)
- Birth date combined with last four digits of SSN and name
- Credit card numbers with cardholder name
- Tax ID with name
- Driver’s license number, state identification card, and other forms of national or international identification (such as passports, visas, etc.) in combination with name
- Last 4 digits of Social Security number and name
- Health insurance information
- Medical records related to an individual
- Psychological Counseling records related to an individual
- Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual's financial account
- Biometric information
- Electronic or digitized signatures
- Private key (digital certificate)
- Law enforcement personnel records
- Criminal background check results
The examples above are not a set list.
Who needs to do the survey?
The short answer is, anyone with knowledge of where level 1 data is. However, it will be assigned to MPPs and Deans to be responsible for responding for the area they oversee. The assignee can delegate the response to members of staff.
Where is the survey tool?
Log in and begin submitting level 1 data locations HERE.
FAQ
What should I know about level 1 data before I start taking the survey?
- What type of level 1 data do you have (SSN, HR files, etc.)
- Where it is stored physically, on servers, or in applications (Building & room#, departmental file share, application name)
- If there are any protections in place (locks, group permissions, etc.)
Do not worry if the information is incomplete. The data will be reviewed by the Information Security Officer and any needed clarifications will be asked for.
Will the survey just be covering electronically stored data?
No, you will have the opportunity to report paper or hard copy level 1 data too. You do not need to report individual pieces of paper, just caches of records like file cabinets or rooms used for storing level 1 or confidential data.
What if I submit data somebody else submitted too?
This is ok. In the background all the information is stored in a database so spotting duplicate entries will be easier to do. Deduplication will take place before any reports are finalized.