SENSITIVE DATA SECURITY AND PROTECTION CALIFORNIA STATE UNIVERSITY, SAN BERNARDINO. Audit Report July 10, 2013


SENSITIVE DATA SECURITY AND PROTECTION
CALIFORNIA STATE UNIVERSITY, SAN BERNARDINO

Audit Report
July 10, 2013

Lupe C. Garcia, Chair
Rebecca D. Eisen
Steven M. Glazer
William Hauck
Hugo N. Morales
Members, Committee on Audit

Staff
University Auditor: Larry Mandel
Senior Director: Michael Caldera
IT Audit Manager: Greg Dove
Senior Auditor: Kim Pham

BOARD OF TRUSTEES
THE CALIFORNIA STATE UNIVERSITY

CONTENTS

Executive Summary ... 1
Introduction ... 3
  Background ... 3
  Purpose ... 4
  Scope and Methodology ... 5

OBSERVATIONS, RECOMMENDATIONS, AND CAMPUS RESPONSES
Information Security Policy ... 6
Asset Management ... 7
  Protected Data Inventory Assessment ... 7
  Disposition of Protected Data ... 8
  Record Retention and Disposal ... 9
  Backup Storage ... 10
Human Resources ... 11
Network Security ... 12
Access Controls ... 13
  System Access Review ... 13
  Password Controls ... 14
  Server Room Security ... 15
  File Room Security
  Storage of Paper Records
  Protection of Paper Documents
Encryption ... 20

ii

CONTENTS

APPENDICES
APPENDIX A: Personnel Contacted
APPENDIX B: Campus Response
APPENDIX C: Chancellor's Acceptance

ABBREVIATIONS
AVP     Associate Vice President
CSU     California State University
CSUSB   California State University, San Bernardino
HR      Human Resources
ICSUAM  Integrated California State University Administrative Manual
ISO     Information Security Office
IT      Information Technology

iii

EXECUTIVE SUMMARY

As a result of a systemwide risk assessment conducted by the Office of the University Auditor during the last quarter of 2012, the Board of Trustees, at its January 2013 meeting, directed that Sensitive Data Security and Protection be reviewed. The Office of the University Auditor had previously reviewed sensitive data at six campuses in the

We visited the California State University, San Bernardino campus from January 28, 2013, through February 22, 2013, and audited the procedures in effect at that time.

In our opinion, except for the effect of the weaknesses described below, the fiscal, operational, and administrative controls for sensitive data as of February 22, 2013, taken as a whole, were not sufficient to meet the objectives stated above and in the Purpose section of this report. Areas of concern include: sensitive data security policy, human resources, system access controls, network security, encryption, and asset management.

As a result of changing conditions and the degree of compliance with procedures, the effectiveness of controls changes over time. Specific limitations that may hinder the effectiveness of an otherwise adequate system of controls include, but are not limited to, resource constraints, faulty judgments, unintentional errors, circumvention by collusion, and management overrides. Establishing controls that would prevent all these limitations would not be cost-effective; moreover, an audit may not always detect these limitations.

Our audit did not examine all controls over sensitive data, but was designed to assess management controls, increase awareness of the topic, and assess regulatory compliance for significant sensitive data categories that are prevalent in the California State University environment.

The following summary provides management with an overview of conditions requiring attention. Areas of review not mentioned in this section were found to be satisfactory. Numbers in brackets [ ] refer to page numbers in the report.

INFORMATION SECURITY POLICY [6]
The campus information security office (ISO) did not have a process to track and report decentralized computing departments' ongoing compliance with campus information security policies and procedures.

ASSET MANAGEMENT [7]
The campus did not perform periodic inventory and controls assessments of all protected data maintained in electronic and paper files. Also, administration of disposed and obsolete computers needed improvement. Specifically, decentralized departments were not required to document the deletion of protected data on disposed computers, and obsolete computers had not been wiped, disposed of, and removed from inventory. Further, electronic data records were not consistently disposed of at the end of the required retention period. In addition, backup tapes of college and departmental data were not always stored in a secure offsite facility.

Page 1

HUMAN RESOURCES [11]
The campus did not have a method to track and monitor information security training for computer users on accounts that were created by decentralized departments, nor had it ensured that all users had completed the training.

NETWORK SECURITY [12]
The campus had not placed the library's Internet-accessible web server on a separate network segment from other internal production servers. In addition, the campus had not placed a College of Education server with protected data on a separate network from user computers.

ACCESS CONTROLS [13]
The campus did not perform periodic, documented reviews of user access privileges for all decentralized systems containing sensitive data. Also, password controls were not always adequate for college and departmental computer systems. In addition, physical security of college and departmental server rooms needed improvement. For example, server room doors were not always locked, and fire extinguishers were not installed in all server rooms. Further, physical security of college and departmental file rooms used to store sensitive paper documents needed improvement. Specifically, certain file rooms and file cabinets used to store sensitive paper documents were not locked after business hours, and one file room with unlocked cabinets was also used as a break room. Additionally, physical security of paper records in storage was not always adequate, as sensitive HR paper documents were not fully enclosed by security fencing at the warehouse used for long-term storage. Also, faculty HR paper documents were not stored in a locked cabinet at all times.

ENCRYPTION [20]
The campus did not always store protected data in an encrypted format, nor did it always encrypt system backups that contained protected data.

Page 2

INTRODUCTION

BACKGROUND

Integrated California State University Administrative Manual (ICSUAM) , Information Security Policy, dated April 19, 2010, represents the most recent and specific guidance to campuses regarding the security and protection of sensitive data. It provides direction for managing and protecting the confidentiality, integrity, and availability of California State University (CSU) information assets and defines the organizational scope of information security throughout the system.

The policy states that the Board of Trustees is responsible for protecting the confidentiality, integrity, and availability of CSU information assets. Unauthorized modification, deletion, or disclosure of information assets can compromise the mission of the CSU, violate individual privacy rights, and possibly constitute a criminal act. According to ICSUAM , it is the collective responsibility of all users to ensure:

- The confidentiality of information that the CSU must protect from unauthorized access.
- The integrity and availability of information stored on or processed by CSU information systems.
- Compliance with applicable laws, regulations, and CSU or campus policies governing information security and privacy protection.

The policy further states that auxiliary organizations, external businesses, and organizations that use campus information assets must also follow the CSU Information Security Policy.

State Administrative Manual 5300 defines information security as the protection of information and information systems and equipment from a wide spectrum of threats and risks. Implementing appropriate security measures and controls to provide for the confidentiality, integrity, and availability of information regardless of its form (electronic, print, or other media) is critical to ensure business continuity and protection against unauthorized access, use, disclosure, disruption, modification, or destruction.
Pursuant to Government Code , every state agency, department, and office shall comply with the information security and privacy policies, standards, procedures, and filing requirements issued by the Office of Information Security and Privacy Protection in the California Office of Information Security.

At the CSU campuses, the information security officer has overall responsibility for the security and protection of sensitive data, which extends to all campus departments, colleges, and auxiliary organizations.

Page 3

PURPOSE

Our overall audit objective was to ascertain the effectiveness of existing policies and procedures related to the administration and control of sensitive data; to determine the adequacy of controls over the related processes; and to ensure compliance with relevant governmental regulations, Trustee policy, Office of the Chancellor directives, and campus procedures.

Within the overall audit objective, specific goals included determining whether:

- Certain essential administrative and managerial internal controls are in place, including delegations of authority and responsibility, oversight committees, executive-level reporting, and documented policies and procedures.
- A management framework is established to initiate and control the implementation of information security within the organization, and management direction and support for information security is communicated in accordance with business requirements and relevant laws and regulations.
- All assets are accounted for and have a nominated owner/custodian who is responsible for achieving and maintaining appropriate protection of organizational assets, and information is appropriately classified to indicate the expected degree of protection.
- Security responsibilities are addressed with employees prior to the start of employment so that users are aware of information security threats and concerns and are equipped to support organizational security policy in the course of their normal work.
- Responsibilities and procedures for the management of information processing and service delivery are defined, and technical security controls are integrated within systems and networks.
- Access rights to systems, applications, and business processes surrounding sensitive data are controlled by means of user identification and authentication, based on business and security requirements.
- Formal event reporting and escalation procedures are in place for information security events and weaknesses, and communication is consistent and effective, allowing for timely corrective action.
- The information systems design, configuration, operation, use, and management are in conformance with statutory, regulatory, and contractual security requirements and are regularly reviewed for compliance.
- Contractual language addressing a third party's responsibility for protecting sensitive data is appropriate.

Page 4

SCOPE AND METHODOLOGY

The proposed scope of the audit, as presented in Action Item, Agenda Item 2 of the January 22 and 23, 2013, meeting of the Committee on Audit, stated that sensitive data security and protection would include review and compliance with Trustee policy, federal and state directives, and campus policies and procedures; procedures for handling confidential information; communication and employee training; encryption; tracking and monitoring of access to sensitive data; and retention practices for key records. If the sensitive data is maintained by a third party, we would review the involvement of campus information security personnel in the decision process; documentation of campus expectations for handling and securing the data; contract language covering security expectations; and monitoring of third-party performance.

Our study and evaluation were conducted in accordance with the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors and included the audit tests we considered necessary in determining that operational and administrative controls are in place and operative. This review emphasized, but was not limited to, compliance with state and federal laws, Board of Trustees policies, and Office of the Chancellor and campus policies, letters, and directives. The audit review focused on procedures currently in effect.

We focused primarily upon the administrative, compliance, operational, and technical controls over the security and protection of sensitive data. Specifically, we reviewed and tested:

- Information security policies and procedures.
- Information security organizational structure and management framework.
- Information asset management accountability and classification.
- Human resources security responsibilities.
- Administrative and technical security procedures.
- Access and configuration controls over networks, systems, applications, business processes, and data.
- Incident response, escalation, and reporting procedures.
- Compliance with relevant statutory, regulatory, and contractual security requirements.
- Third-party contractual language regarding handling of sensitive data.

Our testing and methodology were designed to provide a managerial level review of key security practices over sensitive data. Our review did not examine all categories of sensitive data; selected emerging technologies were excluded from the scope of the review. Our testing approach was designed to provide a view of the security used to protect only key computing and business processes.

Page 5

OBSERVATIONS, RECOMMENDATIONS, AND CAMPUS RESPONSES

INFORMATION SECURITY POLICY

The campus information security office (ISO) did not have a process to track and report decentralized computing departments' ongoing compliance with campus information security policies and procedures.

ICSUAM , Establishing an Information Security Program, dated April 19, 2010, states in part that the campus information security program must implement a risk-based, layered approach that uses preventative, detective, and corrective controls sufficient to provide an acceptable level of information security and must be reviewed at least annually. The program should: a) provide for the confidentiality, integrity, and availability of information, regardless of the medium in which the information asset is held or transmitted (e.g., paper or electronic); and b) develop risk management strategies to identify and mitigate threats and vulnerabilities.

ICSUAM 8015, Organizing Information Security, dated April 19, 2010, states in part that the information security officer (or designee of president) is responsible for the campuswide information security program and may organize the responsibilities as appropriate.

ICSUAM 8020, Information Security Risk Management, dated April 19, 2010, states that campuses must develop risk management processes that identify, assess, and monitor risks to information assets containing level 1 and level 2 data as defined in the California State University (CSU) Data Classification Standard. Identified risks to these information assets must be actively managed by data owners and/or appropriate administrators in order to prioritize resources and remediation efforts.
The associate vice president (AVP) of information technology (IT) stated that managers of the decentralized areas may not have been aware that the recommended security controls from the ISO were applicable to decentralized departmental systems and applications, and the campus had not implemented a process to ensure compliance.

Inadequate monitoring and enforcement of campuswide policies and standards limits the campus's ability to direct a comprehensive information security program and increases the campus's exposure to security breaches and inappropriate use of computing resources.

Recommendation 1
We recommend that the campus develop a process to track and report decentralized computing departments' ongoing compliance with campus information security policies and procedures.

Campus Response
We concur. The ISO will incorporate a process to periodically assess that decentralized computing systems containing level 1 and level 2 information are in compliance with appropriate California

Page 6

State University, San Bernardino (CSUSB) information security policies and standards. The process has been incorporated in the CSUSB Safeguarding Confidential Information standard. Revisions to this standard are pending approval.

Implementation date: December 2013

ASSET MANAGEMENT

PROTECTED DATA INVENTORY ASSESSMENT

The campus did not perform periodic inventory and controls assessments of all protected data maintained in electronic and paper files.

ICSUAM 8020, Information Security Risk Management, dated April 19, 2010, states that campuses must develop risk management processes that identify, assess, and monitor risks to information assets containing level 1 and level 2 data as defined in the CSU Data Classification Standard. Identified risks to these information assets must be actively managed by data owners and/or appropriate administrators in order to prioritize resources and remediation efforts. Risk assessments are part of an ongoing risk management process. Risk assessments provide the basis for prioritization and selection of remediation activities and can be used to monitor the effectiveness of campus controls. Campuses must document the scope and frequency of the assessment, risk assessment methodology, result of the risk assessment, and mitigation strategies designed to address identified risks.

ICSUAM 8065, Information Asset Management, dated April 19, 2010, states that campuses must maintain an inventory of information assets containing level 1 or level 2 data as defined in the CSU Data Classification Standard. These assets must be categorized and protected throughout their entire life cycle, from origination to destruction.

The AVP of IT stated that the campus did not perform periodic inventory and controls assessments due to limited resources and time constraints.
Inadequate accountability over information assets, especially those containing critical and/or personal confidential information, increases the risk of loss and inappropriate use of campus resources and exposure to information security breaches.

Recommendation 2
We recommend that the campus perform periodic inventory and controls assessments of all protected data maintained in electronic and paper files.

Page 7

Campus Response
We concur. The ISO has expanded Section 4.5 of the CSUSB Safeguarding Confidential Information standard for departments to provide periodic reports to the ISO of their registry of level 1 and level 2 data maintained in electronic and paper files. Revisions to this standard are pending approval.

Implementation date: December 2013

DISPOSITION OF PROTECTED DATA

Administration of disposed and obsolete computers needed improvement. Specifically, we found that:

- Decentralized departments were not required to document the deletion of protected data on disposed computers.
- Obsolete computers had not been wiped, disposed of, and removed from inventory.

CSUSB Safeguarding Confidential Information states that employees should ensure that confidential, sensitive, or personal data is properly cleansed from internal disks or removable media prior to disposal or transfer.

The AVP of IT stated that managers of the decentralized areas were not ensuring that proper records were maintained on information systems that were disposed of and recycled.

Inadequate control over equipment assets, especially those containing protected data, increases the risk of loss, inappropriate use of state resources, and campus exposure to information security breaches.

Recommendation 3
We recommend that the campus:
a. Require that decentralized departments document the deletion of protected data on disposed computers.
b. Ensure that obsolete computers are wiped, disposed of, and removed from inventory.

Page 8

Campus Response
We concur.
a. The requirements for documenting the deletion of protected data on disposed computers have been incorporated as part of the CSUSB Safeguarding Confidential Information standard in Section 4 and are pending approval.
b. The requirements for proper disposition of obsolete computers have been incorporated as part of the CSUSB Safeguarding Confidential Information standard in Section 4. Revisions to this standard are pending approval.

Implementation date: December 2013

RECORD RETENTION AND DISPOSAL

Electronic data records were not consistently disposed of at the end of the required retention period.

CSUSB Information Retention Management Standards states that CSUSB records shall be retained for the time periods indicated in the CSU or CSUSB records retention and disposition schedules, destroyed when the time period for retention has been met, and disposed of in accordance with university standards.

Executive Order 1031, Systemwide Records/Information Retention and Disposition Schedules Implementation, dated February 27, 2008, states that each campus must ensure appropriate and timely disposal of records/information in accordance with retention and disposition schedule time frames. The campus is responsible for instituting a process for reviewing its records/information as listed on the schedules to determine if they should be destroyed or maintained. At a minimum, this review should be conducted once a year.

The AVP of IT stated that the campus did not ensure all electronic data records were disposed of after the required retention period because no feasible procedure had been developed to systematically identify and enforce record retention policies for electronic data.

Retention of records beyond their expiration date could make them subject to public records requests and could lead to unnecessary expenditure for their storage and maintenance.
Recommendation 4
We recommend that the campus consistently dispose of all electronic data records at the end of the required retention period.

Page 9

Campus Response
We concur. The CSUSB Safeguarding Confidential Information standard, Section 4, has been updated to include the requirement that the disposition of electronic records should follow the recommended CSU and CSUSB retention schedule. Revisions to this standard are pending approval.

Implementation date: December 2013

BACKUP STORAGE

Backup tapes of college and departmental data were not always stored in a secure offsite facility. Specifically, we reviewed four colleges and departments, and we found that two were storing backup tapes in the same facility where the backups were performed.

ICSUAM 8085, Business Continuity and Disaster Recovery, dated April 19, 2010, states that an information security program needs to support the maintenance and potential restoration of operations through and after both minor and catastrophic disruptions. Campuses must ensure that their information assets can, in the case of a catastrophic event, continue to operate and be appropriately accessible to users.

The AVP of IT stated that tapes were not always stored in an offsite facility because the managers of the decentralized areas may not have been aware that the recommended security controls from the ISO were applicable to decentralized departmental systems and applications.

Inadequate storage of backup media increases the risk that systems will not be recovered in the event of a disaster.

Recommendation 5
We recommend that the campus ensure that all backup tapes of college and departmental data are stored in a secure offsite facility.

Campus Response
We concur. The CSUSB Safeguarding Confidential Information standard, Section 4, has been updated to include the requirement that backup tapes of critical systems and data be stored in a secure offsite facility. Revisions to this standard are pending approval.

Implementation date: December 2013

Page 10

HUMAN RESOURCES

The campus did not have a method to track and monitor information security training for computer users on accounts that were created by decentralized departments, nor had it ensured that all users had completed the training.

CSUSB Information Security Requirements state that information security training is required for all CSUSB computer information users.

ICSUAM , Information Security Awareness and Training, dated April 19, 2010, states that each campus must implement a program for providing appropriate information security awareness and training to employees appropriate to their access to campus information assets. The campus information security awareness program must promote campus strategies for protecting information assets containing protected data. All employees with access to protected data and information assets must participate in appropriate information security awareness training. When appropriate, information security training must be provided to individuals whose job functions require specialized skill or knowledge in information security.

The AVP of IT stated that managers of the decentralized areas may not have been aware that the security training provided by the ISO was required for individuals who were given access to CSUSB information resources, and that they were required to track and document the training.

Lack of information security awareness training for employees with access to computer resources increases the risk of mismanagement of protected data, which increases campus exposure to security breaches and could compromise compliance with statutory information security requirements.

Recommendation 6
We recommend that the campus develop and implement a method to track and monitor information security training for computer users on accounts that were created by decentralized departments and ensure that all users complete the training.

Campus Response
We concur.
The CSUSB Safeguarding Confidential Information standard, Section 4, has been updated to include the requirement that all employees with access to information systems and repositories containing level 1 and level 2 information must complete the online information security training as part of the requirements for granting access. Revisions to this standard are pending approval.

Implementation date: December 2013

Page 11

NETWORK SECURITY

The campus had not appropriately segmented servers within the campus network. Specifically, we found that:

- The library's Internet-accessible web server had not been placed on a separate network segment from other internal production servers.
- The College of Education server with protected data had not been placed on a separate network from user computers.

ICSUAM , Information Technology Security, dated April 19, 2010, states that campuses must develop and implement appropriate technical controls to minimize risks to their information technology infrastructure. Each campus must take reasonable steps to protect the confidentiality, integrity, and availability of its critical assets and protected data from threats.

ICSUAM , Network Security, dated April 19, 2010, states that campuses must appropriately design their networks based on risk, data classification, and access in order to ensure the confidentiality, integrity, and availability of their information assets. Each campus must implement and regularly review a documented process for transmitting data over the campus network. This process must include the identification of critical information systems and protected data that is transmitted through the campus network or is stored on campus computers. Campus processes for transmitting or storing critical assets and protected data must ensure confidentiality, integrity, and availability.

The AVP of IT stated that the web server was not placed on a separate network segment from other internal production servers because the vendor-provided application did not allow the campus to segment the web server from the application server.
He also stated that network segmentation for the College of Education needed improvement because the managers of the decentralized areas may not have been aware that the recommended security controls from the ISO were applicable to decentralized departmental systems and applications.

Placing Internet-accessible devices and servers with sensitive information on the same network segment with other internal servers increases the risk of compromise, unauthorized access to protected data, and exposure of protected data.

Recommendation 7
We recommend that the campus:
a. Place the library's Internet-accessible web server on a separate network segment from other internal production servers.

Page 12

b. Place the College of Education server with protected data on a separate network segment from user computers.

Campus Response
We concur.
a. The campus will implement appropriate access controls to segregate Internet-accessible web servers from internal production servers containing sensitive data.
b. The campus will implement appropriate measures to segregate the server with protected data from the user's network segment.

Implementation date: December 2013

ACCESS CONTROLS

SYSTEM ACCESS REVIEW

The campus did not perform periodic, documented reviews of user access privileges for all decentralized systems containing sensitive data.

CSUSB Information Classification Standards states that employee access to confidential data should be reviewed on an annual basis.

ICSUAM 8060, Access Control, dated April 19, 2010, states that campuses must develop procedures to detect unauthorized access and privileges assigned to authorized users that exceed the required access rights needed to perform their job functions. Appropriate campus managers and data owners must review, at least annually, user access rights to information assets containing protected data. The results of the review must be documented.

The AVP of IT stated that periodic, documented reviews of user access privileges were not performed for all decentralized systems storing sensitive data because the managers of the decentralized areas may not have been aware that the recommended security controls from the ISO were applicable to decentralized departmental systems and applications.

Inadequate reviews of user access privileges increase the risk of unauthorized or inappropriate exposure to sensitive data and can adversely affect campus compliance with existing regulations regarding protection of such data.

Page 13

Recommendation 8
We recommend that the campus perform periodic, documented reviews of user access privileges for all decentralized systems.

Campus Response
We concur. The CSUSB Safeguarding Confidential Information standard, Section 4, has been updated to include periodic reviews of user access privileges to information systems and repositories where sensitive information is processed, stored, or handled. Revisions to this standard are pending approval.

Implementation date: December 2013

PASSWORD CONTROLS

Password controls were not always adequate for college and departmental computer systems. We reviewed password controls for five colleges and departments, and we found that:

- In two instances, users were not prompted to change their password at first login, and IT maintained records of each password.
- In one instance, minimum character or complexity requirements for passwords were not in place, and there was no password expiration limit.

ICSUAM 8060.S01, Access Control, dated April 19, 2010, states that campuses must identify and communicate acceptable password criteria. For strong passwords, either of the two following minimum characteristics is required:

- Minimum length of eight characters, containing at least three out of the four following character types: at least one uppercase alphabetic character (A-Z), at least one lowercase alphabetic character (a-z), at least one special character, and at least one number (0-9); or
- Minimum length of 15 characters, with use of a passphrase composed of four words and punctuation.

Campuses must also identify and communicate a password change schedule, establish criteria for disabling user accounts on critical campus information assets after an established number of failed logon attempts, and must not display, transmit, or store passwords in clear text.
The AVP of IT stated that password and security controls were not in place because the managers of the decentralized areas may not have been aware that the recommended security controls from the ISO were applicable to decentralized departmental systems and applications. He also stated that some of the areas may not have had the resources and tools to adequately maintain and administer their system. Inadequate password controls may compromise the authentication credentials of user accounts, increasing the risk of unauthorized access to campus systems and confidential data. Page 14
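The four requirements quoted from ICSUAM 8060.S01 (a minimum strength rule with two alternatives, a forced change at first login, lockout after repeated failures, and no clear-text storage) are small enough to implement in a departmental application directly. The code below is an added example, not code from the audit report or from CSUSB; it keeps only a salted PBKDF2 hash of each password, which is exactly what "IT maintained records of each password" violates. The reading of the passphrase alternative as at least four words plus at least one punctuation character, the lockout threshold of five failures and the PBKDF2 iteration count are assumptions.

```python
"""Password minimums and clear-text-free credential storage.

Added example, not code from the audit report or from CSUSB. It encodes the
two ICSUAM 8060.S01 strong-password alternatives as quoted above, keeps only
a salted PBKDF2 hash of each password (no record of the password itself),
forces a change at first login, and disables an account after repeated
failed logons. The passphrase reading (four words plus punctuation), the
lockout threshold and the iteration count are assumptions.
"""
import hashlib
import hmac
import os
import re
import string

SPECIALS = set(string.punctuation)
PBKDF2_ITERATIONS = 310_000   # assumed; raise as hardware allows
MAX_FAILED_LOGONS = 5         # assumed lockout threshold


def char_classes(pw):
    """Number of the four character classes present in pw."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIALS for c in pw),
    ])


def is_passphrase(pw):
    """Assumed reading of the second alternative: 15+ characters made of at
    least four words plus at least one punctuation character."""
    words = re.findall(r"[A-Za-z]+", pw)
    return len(pw) >= 15 and len(words) >= 4 and any(c in SPECIALS for c in pw)


def is_strong(pw):
    """True if pw satisfies either ICSUAM 8060.S01 minimum."""
    return (len(pw) >= 8 and char_classes(pw) >= 3) or is_passphrase(pw)


def hash_password(pw, salt=None):
    """Return 'pbkdf2_sha256$iter$salt_hex$hash_hex'; the password is never kept."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(pw, stored):
    """Constant-time comparison against a stored hash string."""
    _, iters, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


# Hash verified for unknown users so their logins take as long as real ones.
DUMMY_HASH = hash_password("placeholder")


class AccountStore:
    """In-memory stand-in for a departmental account database (constructed)."""

    def __init__(self):
        self.accounts = {}

    def _check(self, pw):
        if not is_strong(pw):
            raise ValueError("password does not meet ICSUAM 8060.S01 minimums")

    def create(self, user, initial_pw):
        self._check(initial_pw)
        self.accounts[user] = {"hash": hash_password(initial_pw), "failed": 0,
                               "locked": False, "must_change": True}

    def change_password(self, user, new_pw):
        self._check(new_pw)
        acct = self.accounts[user]
        acct["hash"] = hash_password(new_pw)
        acct["must_change"] = False

    def login(self, user, pw):
        """Return 'ok', 'change-required', 'locked' or 'denied'."""
        acct = self.accounts.get(user)
        if acct is None:
            verify_password(pw, DUMMY_HASH)
            return "denied"
        if acct["locked"]:
            return "locked"
        if not verify_password(pw, acct["hash"]):
            acct["failed"] += 1
            if acct["failed"] >= MAX_FAILED_LOGONS:
                acct["locked"] = True
                return "locked"
            return "denied"
        acct["failed"] = 0
        return "change-required" if acct["must_change"] else "ok"
```

The store never holds a password, only a per-user salt and hash, so an administrator cannot "maintain records of each password" even if asked to; the first successful login returns a status the application must treat as a forced password change, and the fifth consecutive failure disables the account until an administrator clears the lock. Whether a given password scheme counts spaces as punctuation or requires a specific separator between the four words is something the campus standard, not this code, has to decide.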

Recommendation 9

We recommend that the campus ensure that password controls for college and departmental computer systems are adequate.

Campus Response

We concur. The CSUSB Safeguarding Confidential Information standard, Section 4, has been updated to include the requirement that user IDs and passwords adhere to the CSUSB password controls standard. Revisions to this standard are pending approval.

Implementation date: December 2013

SERVER ROOM SECURITY

Physical security of college and departmental server rooms needed improvement. We examined four server rooms and found that:

- Server room doors were not always locked, and some server rooms did not contain either a video camera or an after-hours alarm system.
- Some server rooms could be accessed by individuals with a master key to the building, including custodial workers.
- Policies and procedures to periodically re-certify the list of individuals authorized to access the server rooms were not in place.
- Fire extinguishers were not installed in all server rooms.
- One server room was also used for storage of paper documents and obsolete computers and contained a printer that was frequently used by non-IT personnel.

ICSUAM 8060, Access Control, dated April 19, 2010, states that access to campus information assets containing protected data as defined in the CSU Data Classification Standard may be provided only to those having a need for specific access in order to accomplish an authorized task. Access must be based on the principles of need-to-know and least privilege. Users experiencing a change in employment status (e.g., termination or position change) must have their logical access rights reviewed, and if necessary, modified or revoked. Additionally, the campuses must develop procedures to detect unauthorized access and privileges assigned to authorized users that exceed the required access rights needed to perform their job functions. Appropriate campus managers and data owners must review, at least annually, user access rights to information assets containing protected data. The results of the review must be documented.

ICSUAM 8080, Physical Security, dated April 19, 2010, states that each campus must identify physical areas that must be protected from unauthorized physical access. Such areas would include data centers and other locations on the campus where information assets containing protected data are stored. Campuses must protect these limited-access areas from unauthorized physical access while ensuring that authorized users have appropriate access. Campus information assets that access protected data that are located in public and non-public access areas must be physically secured to prevent theft, tampering, or damage. The level of protection provided must be commensurate with that of identifiable risks. Campuses must review and document physical access rights to campus limited-access areas annually.

The AVP of IT stated that physical security of college and departmental server rooms was inadequate because the managers of the decentralized areas may not have been aware that the recommended security controls from the ISO were applicable to decentralized departmental systems and applications.

Lack of adequate physical security over computing equipment increases the risk of information security breaches, theft, and accidental damage to the systems.

Recommendation 10

We recommend that the campus:

a. Ensure that all server room doors are locked at all times, and install video cameras or after-hours alarm systems in all server rooms.

b. Remove access to the server rooms from individuals who do not have a demonstrated need for access.

c. Develop policies and procedures to periodically re-certify the list of individuals authorized to access the server rooms.

d. Install appropriate fire extinguishers in all server rooms.

e. Remove from server rooms all combustible materials, obsolete equipment, and other items that are frequently used by non-IT personnel.

Campus Response

We concur. The CSUSB Safeguarding Confidential Information standard has been updated to:

a. Ensure that all server room doors are locked at all times, and either video cameras or after-hours alarm systems are installed.

b. Remove access to the server rooms from individuals who do not have a demonstrated need for access.

c. Require that the campus periodically re-certify the list of individuals authorized to access the server rooms.

d. Require that the campus install appropriate fire extinguishers in all server rooms.

e. Require that the campus remove from server rooms all combustible materials, obsolete equipment, and other items that are frequently used by non-IT personnel.

Revisions to this standard are pending approval.

Implementation date: December 2013

FILE ROOM SECURITY

Physical security of college and departmental file rooms used to store sensitive paper documents needed improvement. Specifically, we found that:

- Certain file rooms were not locked after business hours and also could be accessed by a number of individuals with a master key to the building, including custodial workers.
- Certain file cabinets used to store sensitive paper documents were not locked after business hours.
- One file room with unlocked cabinets was also used as a break room.

ICSUAM 8060, Access Control, dated April 19, 2010, states that access to campus information assets containing protected data as defined in the CSU Data Classification Standard may be provided only to those having a need for specific access in order to accomplish an authorized task. Access must be based on the principles of need-to-know and least privilege. Users experiencing a change in employment status (e.g., termination or position change) must have their logical access rights reviewed, and if necessary, modified or revoked. Additionally, the campuses must develop procedures to detect unauthorized access and privileges assigned to authorized users that exceed the required access rights needed to perform their job functions. Appropriate campus managers and data owners must review, at least annually, user access rights to information assets containing protected data. The results of the review must be documented.

ICSUAM 8080, Physical Security, dated April 19, 2010, states that each campus must identify physical areas that must be protected from unauthorized physical access. Such areas would include data centers and other locations on the campus where information assets containing protected data are stored. Campuses must protect these limited-access areas from unauthorized physical access while ensuring that authorized users have appropriate access. Campus information assets that access protected data that are located in public and non-public access areas must be physically secured to prevent theft, tampering, or damage. The level of protection provided must be commensurate with that of identifiable risks. Campuses must review and document physical access rights to campus limited-access areas annually.

The AVP of IT stated that physical security of sensitive paper documents needed improvement because the managers of the decentralized areas may not have been aware that the recommended security controls from the ISO were applicable to decentralized departmental systems and applications.

Inadequate physical security over sensitive data increases the risk of information security breaches and unauthorized access to sensitive information.

Recommendation 11

We recommend that the campus ensure that:

a. Doors to file rooms used to store sensitive paper documents are locked at all times, and access to the rooms is limited to only those individuals with a demonstrated need for access.

b. File cabinets used to store sensitive paper documents are locked after business hours.

c. File cabinets used to store sensitive paper documents in dual-use rooms are locked at all times.

Campus Response

We concur. The CSUSB Safeguarding Confidential Information standard has been updated to ensure that:

a. Doors to file rooms, including dual-use rooms, used to store sensitive paper documents are locked at all times, and access to the rooms is limited to only those individuals with a demonstrated need for access.

b. File cabinets used to store sensitive paper documents are locked after business hours.

c. Doors to file cabinets used to store sensitive paper documents in dual-use rooms are locked at all times, and access to the rooms is limited to only those individuals with a demonstrated need for access. File cabinets used to store sensitive paper documents are locked after business hours.

Revisions to this standard are pending approval.

Implementation date: December 2013

STORAGE OF PAPER RECORDS

Physical security of paper records in storage was not always adequate. Specifically, we found that sensitive HR paper documents were not fully enclosed by security fencing at the warehouse used for long-term storage.

ICSUAM 8080, Physical Security, dated April 19, 2010, states that each campus must identify physical areas that must be protected from unauthorized physical access. Such areas would include data centers and other locations on the campus where information assets containing protected data are stored. Campuses must protect these limited-access areas from unauthorized physical access while ensuring that authorized users have appropriate access. Campus information assets that access protected data that are located in public and non-public access areas must be physically secured to prevent theft, tampering, or damage. The level of protection provided must be commensurate with that of identifiable risks. Campuses must review and document physical access rights to campus limited-access areas annually.

The interim assistant vice president of HR stated that the inadequate security over HR documents stored in the warehouse was a known issue that was being resolved and occurred when the HR storage area was repurposed from a low-security storage area to a secure storage area.

Inadequate physical security over sensitive data increases the risk of information security breaches and unauthorized access to information assets.

Recommendation 12

We recommend that the campus adequately secure sensitive HR paper documents at the warehouse used for long-term storage.

Campus Response

We concur. The campus has implemented physical security controls to adequately secure sensitive HR paper documents at the warehouse used for long-term storage. This project was completed on August 15,

PROTECTION OF PAPER DOCUMENTS

Faculty HR paper documents were not stored in a locked cabinet at all times.

ICSUAM 8080, Physical Security, dated April 19, 2010, states that each campus must identify physical areas that must be protected from unauthorized physical access. Such areas would include data centers and other locations on the campus where information assets containing protected data are stored. Campuses must protect these limited-access areas from unauthorized physical access while ensuring that authorized users have appropriate access. Campus information assets that access protected data that are located in public and non-public access areas must be physically secured to prevent theft, tampering, or damage. The level of protection provided must be commensurate with that of identifiable risks. Campuses must review and document physical access rights to campus limited-access areas annually.

The associate provost for academic personnel stated that the documents were maintained in unsecured containers or filing cabinets because the academic personnel office is considered a secure and confidential office. Additionally, she stated that HR documents are only accessed by the office staff analysts, who are authorized to view such documents, and for this reason, the files are maintained in a cabinet that is accessible to the analysts so they can conduct their daily work.

Inadequate physical security over sensitive paper documents increases the risk of information security breaches and unauthorized access.

Recommendation 13

We recommend that the campus store faculty HR paper documents in a locked cabinet at all times.

Campus Response

We concur. The campus will review the existing secure file storage and physical access controls and develop procedures to ensure that faculty HR paper documents are properly secured at all times.

Implementation date: December 2013

ENCRYPTION

The campus did not always store protected data in an encrypted format, nor did it always encrypt system backups that contained protected data.

CSUSB Information Classification Standards states that confidential personally identifiable information should be encrypted when in transit and in storage.

ICSUAM 8065, Information Asset Management, dated April 19, 2010, states that campuses must maintain an inventory of information assets containing level 1 or level 2 data as defined in the CSU Data Classification Standard and that these assets must be categorized and protected throughout their entire life cycle, from origination to destruction.

The AVP of IT stated that encryption technology was not always in place because some vendor-provided applications in use did not provide this functionality.

Lack of encryption for protected data increases the risk of loss or inappropriate use of such data and increases the risk of information security breaches, which could require the campus to notify all affected parties, adversely affecting the campus reputation.

Recommendation 14

We recommend that the campus store protected data in an encrypted format and encrypt system backups that contain protected data.

Campus Response

We concur. The CSUSB Safeguarding Confidential Information standard has been updated to include the requirements for encryption of sensitive data and backups. Revisions to this standard are pending approval.

Implementation date: December 2013

APPENDIX A: PERSONNEL CONTACTED

Name | Title
Tomás D. Morales | President
Deletta Anderson | Director of Accounting
Debbie Burns | Assistant Vice President, Auxiliary and Business Services and Risk Management
Cesar Caballero | Dean, Library
Laura Carrizales | Information Security Analyst
Steve Cuddigan | Analyst/Programmer, Student Health Center
Larry Cummins | Computer Lab Technician, WorkAbility
Grace Dempsey | Director, Records, Registration, and Evaluation
Risa Dickson | Associate Provost for Academic Personnel
Charlene Earl | Administrative Support Coordinator, Property Management
Karen Eastman | Administrative Analyst/Specialist, College of Arts and Letters
Twillea Evans-Carthen | Manager, Human Resources Programs and Employment
Lorraine Frost | Vice President/Chief Information Officer, Information Resources and Technology
Robert Gardner | Vice President, Administration and Finance
Lorena Gomez | Administrative Support Coordinator, Nursing
Juan Gutierrez | Director, College of Education
Kathy Hansen | Director, Procurement and Support Services
Ian Jacobs | Computer Resources Manager, Business and Public Administration
Beth Jaworski | Director, Services to Students with Disabilities
Lory Lewis | Assistant to the Dean, College of Natural Sciences
Karen Logue | Interim Assistant Vice President, Human Resources
Marita Mahoney | Associate Academic and Institutional Studies, College of Education
Annel Martin | Administrative Analyst Specialist, Student Health Center
Jim O'Linger | Information Technology Consultant
Roseanna Ruiz | Director, Financial Aid
Terry Schmitt | Counselor, Psychological Center
Tamanika Sells | Administrative Analyst/Specialist, Academic Personnel
Jonathan Smith | Automation Librarian
Patricia Smith | Director, Health and Counseling Centers
Renee Smith | Administrative Analyst/Specialist, College of Natural Sciences
Eva Sorrel | Librarian, Technical Services
Beth Stanton | Purchasing Manager
Javier Torner | Assistant Vice President of IT/Information Security Officer
Rosie Torres | Administrative Analyst/Specialist, Academic Personnel
Michael Verdi | Teaching Performance Assessments Coordinator, College of Education
Dung Vu | Analyst/Programmer, Enrollment Services
Grace Wichert | Administrative Support Coordinator, Human Resources
Christia Williams | Human Resources Manager, University Enterprises Corporation
Mike Zackary | Internal Auditor


More information

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description: UCOP ITS Systemwide CISO Office Systemwide IT Policy UC Event Logging Standard Revision History Date: By: Contact Information: Description: 05/02/18 Robert Smith robert.smith@ucop.edu Approved by the CISOs

More information

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision

More information

Standard: Data Center Security

Standard: Data Center Security Standard: Data Center Security Page 1 Executive Summary The university data centers provide for the reliable operation of SJSU s computing systems, computing infrastructure, and communication systems.

More information

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010 Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes

More information

NYS DFS Cybersecurity Requirements. Stephen Head Senior Manager Risk Advisory Services

NYS DFS Cybersecurity Requirements. Stephen Head Senior Manager Risk Advisory Services NYS DFS Cybersecurity Requirements Stephen Head Senior Manager Risk Advisory Services December 5, 2017 About Me Stephen W. Head Mr. Head is a Senior Manager with Experis Finance, and has over thirty-five

More information

General Information Technology Controls Follow-up Review

General Information Technology Controls Follow-up Review Office of Internal Audit General Information Technology Controls Follow-up Review May 19, 2015 Internal Audit Team Shannon B. Henry Chief Audit Executive Stacy Sneed Audit Manager Rod Isom Auditor Winston-Salem

More information

ADIENT VENDOR SECURITY STANDARD

ADIENT VENDOR SECURITY STANDARD Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational

More information

Policies & Regulations

Policies & Regulations Policies & Regulations Email Policy Number Effective Revised Review Responsible Division/Department: Administration and Finance / Office of the CIO/ Information Technology Services (ITS) New Policy Major

More information

Apex Information Security Policy

Apex Information Security Policy Apex Information Security Policy Table of Contents Sr.No Contents Page No 1. Objective 4 2. Policy 4 3. Scope 4 4. Approval Authority 5 5. Purpose 5 6. General Guidelines 7 7. Sub policies exist for 8

More information

CYBER SECURITY POLICY REVISION: 12

CYBER SECURITY POLICY REVISION: 12 1. General 1.1. Purpose 1.1.1. To manage and control the risk to the reliable operation of the Bulk Electric System (BES) located within the service territory footprint of Emera Maine (hereafter referred

More information

Juniper Vendor Security Requirements

Juniper Vendor Security Requirements Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks

More information

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors Page 1 of 6 Applies to: faculty staff students student employees visitors contractors Effective Date of This Revision: June 1, 2018 Contact for More Information: HIPAA Privacy Officer Board Policy Administrative

More information

UCLA AUDIT & ADVISORY SERVICES

UCLA AUDIT & ADVISORY SERVICES UCLA AUDIT & ADVISORY SERVICES Edwin D. Pierce, CPA, CFE Director September 4, 2015 10920 Wilshire Boulevard, Suite 700 Los Angeles, California 90024-1366 310 794-6110 Fax: 310 794-8536 SENIOR VICE PRESIDENT/CHIEF

More information

DIRECTIVE ON RECORDS AND INFORMATION MANAGEMENT (RIM) January 12, 2018

DIRECTIVE ON RECORDS AND INFORMATION MANAGEMENT (RIM) January 12, 2018 DIRECTIVE ON RECORDS AND INFORMATION MANAGEMENT (RIM) January 12, 2018 A. OVERRIDING OBJECTIVE 1.1 This Directive establishes the framework for information management of the Asian Infrastructure Investment

More information

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY 2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY Purpose: The purpose of this policy is to provide instruction and information to staff, auditors, consultants, contractors and tenants on

More information

Red Flags/Identity Theft Prevention Policy: Purpose

Red Flags/Identity Theft Prevention Policy: Purpose Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and

More information

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Policy and Procedure: SDM Guidance for HIPAA Business Associates Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:

More information

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE COMPLIANCE ADVISOR NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE A PUBLICATION BY THE EXCESS LINE ASSOCIATION OF NEW YORK One Exchange Plaza 55 Broadway 29th Floor New York, New York 10006-3728 Telephone:

More information

HIPAA Security and Privacy Policies & Procedures

HIPAA Security and Privacy Policies & Procedures Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400

More information

EXHIBIT A. - HIPAA Security Assessment Template -

EXHIBIT A. - HIPAA Security Assessment Template - Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,

More information

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA STATE OF NORTH CAROLINA AUDIT OF THE INFORMATION SYSTEMS GENERAL CONTROLS ELIZABETH CITY STATE UNIVERSITY JULY 2006 OFFICE OF THE STATE AUDITOR LESLIE MERRITT, JR., CPA, CFP STATE AUDITOR AUDIT OF THE

More information

Cyber Security Program

Cyber Security Program Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

Bring Your Own Device Policy

Bring Your Own Device Policy Title: Status: Effective : Last Revised: Policy Point of Contact: Synopsis: Bring Your Own Device Policy Final 2017-Jan-01 2016-Nov-16 Chief Information Officer, Information and Instructional Technology

More information

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Security Standards for Electric Market Participants

Security Standards for Electric Market Participants Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information

Wireless Network Policy and Procedures Version 1.5 Dated November 27, 2002

Wireless Network Policy and Procedures Version 1.5 Dated November 27, 2002 Wireless Network Policy and Procedures Version 1.5 Dated November 27, 2002 Pace University reserves the right to amend or otherwise revise this document as may be necessary to reflect future changes made

More information

This regulation outlines the policy and procedures for the implementation of wireless networking for the University Campus.

This regulation outlines the policy and procedures for the implementation of wireless networking for the University Campus. UAR NUMBER: 400.01 TITLE: Wireless Network Policy and Procedure INITIAL ADOPTION: 11/6/2003 REVISION DATES: PURPOSE: Set forth the policy for using wireless data technologies and assigns responsibilities

More information

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION Cathy Bates Senior Consultant, Vantage Technology Consulting Group January 30, 2018 Campus Orientation Initiative and Project Orientation Project

More information

Lakeshore Technical College Official Policy

Lakeshore Technical College Official Policy Policy Title Original Adoption Date Policy Number Information Security 05/12/2015 IT-720 Responsible College Division/Department Responsible College Manager Title Information Technology Services Director

More information

SYSTEMKARAN ADVISER & INFORMATION CENTER. Information technology- security techniques information security management systems-requirement

SYSTEMKARAN ADVISER & INFORMATION CENTER. Information technology- security techniques information security management systems-requirement SYSTEM KARAN ADVISER & INFORMATION CENTER Information technology- security techniques information security management systems-requirement ISO/IEC27001:2013 WWW.SYSTEMKARAN.ORG 1 www.systemkaran.org Foreword...

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Removable Storage Media Security Standard This standard is applicable to all VCU School of Medicine personnel.

More information

Office Name: Enterprise Risk Management Questions

Office Name: Enterprise Risk Management Questions Office Name: Business Impact Analysis Questions The identification of information, computing hardware and software, and associated personnel that require protection against unavailability, unauthorized

More information

Access to University Data Policy

Access to University Data Policy UNIVERSITY OF OKLAHOMA Health Sciences Center Information Technology Security Policy Access to University Data Policy 1. Purpose This policy defines roles and responsibilities for protecting OUHSC s non-public

More information

Records Management and Retention

Records Management and Retention Records Management and Retention Category: Governance Number: Audience: University employees and Board members Last Revised: January 29, 2017 Owner: Secretary to the Board Approved by: Board of Governors

More information

Regulation P & GLBA Training

Regulation P & GLBA Training Regulation P & GLBA Training Overview Regulation P governs the treatment of nonpublic personal information about consumers by the financial institution. (Gramm-Leach-Bliley Act of 1999) The GLBA is composed

More information

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Exam4Tests.   Latest exam questions & answers help you to pass IT exam test easily Exam4Tests http://www.exam4tests.com Latest exam questions & answers help you to pass IT exam test easily Exam : CISM Title : Certified Information Security Manager Vendor : ISACA Version : DEMO 1 / 10

More information

DETAILED POLICY STATEMENT

DETAILED POLICY STATEMENT Applies To: HSC Responsible Office: HSC Information Security Office Revised: New 12/2010 Title: HSC-200 Security and Management of HSC IT Resources Policy POLICY STATEMENT The University of New Mexico

More information

Annual Report on the Status of the Information Security Program

Annual Report on the Status of the Information Security Program October 2, 2014 San Bernardino County Employees Retirement Association 348 W. Hospitality Lane, Third Floor San Bernardino, CA 92415-0014 1 Table of Contents I. Executive Summary... 3 A. Overview... 3

More information

General Information System Controls Review

General Information System Controls Review General Information System Controls Review ECHO Application Software used by the Human Services Department, Broward Addiction Recovery Division (BARC) March 11, 2010 Report No. 10-08 Office of the County

More information

Security and Privacy Governance Program Guidelines

Security and Privacy Governance Program Guidelines Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by

More information

Oracle Data Cloud ( ODC ) Inbound Security Policies

Oracle Data Cloud ( ODC ) Inbound Security Policies Oracle Data Cloud ( ODC ) Inbound Security Policies Contents Contents... 1 Overview... 2 Oracle Data Cloud Security Policy... 2 Oracle Information Security Practices - General... 2 Security Standards...

More information

Standard CIP Cyber Security Systems Security Management

Standard CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-1 3. Purpose: Standard CIP-007 requires Responsible Entities to define methods, processes, and procedures for securing

More information

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. Gramm Leach Bliley Act 15 U.S.C. 6801-6809 GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 11/30/2016 1 Objectives for GLBA Training GLBA Overview Safeguards Rule

More information

Security of Information Technology Resources IT-12

Security of Information Technology Resources IT-12 Security of Information Technology Resources About This Policy Effective Dates: 11-28-2007 Last Updated: 10-23-2017 Responsible University Administrator: Office of the Vice President for Information Technology

More information

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory Audience: NDCBF IT Security Team Last Reviewed/Updated: March 2018 Contact: Henry Draughon hdraughon@processdeliveysystems.com Overview... 2 Sensitive Data Inventory and Classification... 3 Applicable

More information

Data Governance Framework

Data Governance Framework Data Governance Framework Purpose This document describes the data governance framework for University of Saskatchewan (U of S) institutional data. It identifies designated roles within the university

More information

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced

More information

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015 Cloud Computing Standard Effective Date: July 28, 2015 1.1 INTRODUCTION Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually

More information

ISO27001 Preparing your business with Snare

ISO27001 Preparing your business with Snare WHITEPAPER Complying with ISO27001 Preparing your business with Snare T he technical controls imposed by ISO (International Organisation for Standardization) Standard 27001 cover a wide range of security

More information

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

NYDFS Cybersecurity Regulations: What do they mean? What is their impact? June 13, 2017 NYDFS Cybersecurity Regulations: What do they mean? What is their impact? Gus Coldebella Principal, Boston Caroline Simons Principal, Boston Agenda 1) Overview of the new regulations 2) Assessing

More information

Information Security Controls Policy

Information Security Controls Policy Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January

More information

Table of Contents. PCI Information Security Policy

Table of Contents. PCI Information Security Policy PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology

More information