Policies
Security Incident Reporting

Policies

It is the collective responsibility of all users to ensure the confidentiality, integrity, and availability of information assets owned, leased, or entrusted to SDSU Research Foundation in an effective, efficient, ethical, and legal manner. Users are expected to use good judgment and reasonable care in order to protect and preserve the integrity of research foundation equipment, its data and software, and its access. Users are responsible for observing policies related to the use of all internal and external computers or networks. Use of SDSU Research Foundation systems constitutes your understanding of agreement to the terms and conditions in the SDSURF Information Assets Responsible Use policy.

SDSU Research Foundation Information Security Policies

Information Assets Responsible Use Policy

Data Classification and Handling Policies

Password Policy

SDSU Information Security Plan

The SDSU Information Security Plan has been adopted by the President’s Cabinet. The Information Security Plan contains the minimum policies and standards necessary for protecting information, systems, and networks.

View the SDSU Information Security Plan

CSU System-wide Information Security Policies

System-wide policies are located in the CSU Integrated Administration Manual, ICSUAM, Section 8000, Information Security. The ICSUAM is established and maintained consistent with the responsibilities delegated by the CSU Trustees and the Chancellor.

View the "CSU System-wide Information Security Policies

Security Incident Reporting

If you become aware of a potential breach of protected data or of security issues regarding SDSU Research Foundation computers or network resources, you must report it to the SDSU IT Security Office immediately.

SDSU has a Security Incident Response Plan and a Cyber Incident Response Team (CIRT) to help coordinate investigations and responses to potential incidents.

CIRT has implemented the following incident response procedures if you suspect that your systems or information may have been compromised:

• If you become aware of or suspect potential exposure of protected data or security issues regarding SDSU Research Foundation or SDSU computers or network resources, report it to the SDSU Information Security Office immediately: https://ServiceNow.sdsu.edu/incident. Immediate reporting can help reduce potential exposure and help ensure legal and contractual reporting requirements are met.
• The SDSU Information Security Officer, or their designee, will act as the Incident Response Manager (IRM) and with the assistance of you and your team, will coordinate all aspects of the incident response process, engaging appropriate campus resources to help ensure investigations, communications and responses comply with all applicable policies, contractual agreements, and laws and are appropriately documented. You must coordinate with the SDSU Information Security Office before initiating any actions or communications during the incident response process.
• After reporting the incident to the SDSU IT Security Office, report it to your supervisor and to SDSURF Risk Management at sdsurfriskmanagement@sdsu.edu.
• If the incident involves lost, stolen or missing equipment, you must also file a report with SDSU Public Safety 619-594-1991 and coordinate with the asset custodian to complete the Lost Computer Equipment Form.
• Phishing and fraudulent emails should be forwarded to fraud@sdsu.edu

More detailed information about the SDSU Security Incident Response Plan (SIRP) is available in the SDSU Information Security Plan, Section 2.0 Introduction to the IT Security Response Program (SIRP).

* Note: Documents in Portable Document Format (PDF) require Adobe Acrobat Reader 9.0 or higher to view. Download Adobe Acrobat Reader