Information Assets Responsible Use Policy
SDSU Research Foundation has adopted the CSU Responsible Use Policy. All use of Research Foundation information systems, data, and network resources must comply with Research Foundation, SDSU, and CSU information security policies.
Definition of Information Assets
Information Assets: Include all data, information systems, and network resources, regardless of the medium (physical or electronic) in which the asset is held or transmitted. This includes assets owned or leased by, or entrusted to, the Research Foundation.
Information Systems: Encompass the applications, hardware, and network resources, including cloud-based services and third-party hosted environments, used to support the Foundation's mission.
Purpose of Information Assets
Information assets are provided to employees, Principal Investigators, Project Directors, students, and authorized third parties solely to support Research Foundation business operations.
To protect these resources, the Research Foundation may inspect property, suspend accounts, or change passwords when necessary for business or security reasons.
General Principles & Responsible Use
All users share responsibility for protecting the confidentiality, integrity, and availability of Research Foundation information assets. Users must apply good judgment and reasonable care when handling Research Foundation equipment, software, and data.
User Responsibilities
- Accounts and passwords are assigned to individuals and must not be shared. Use of online credentials is legally equivalent to a signature.
- Users must safeguard credentials, follow password policies, and must not embed passwords in code or documentation.
- Users must not disable security updates without authorization.
- Electronic files, email, and voicemail are business records and must be managed according to record retention policies.
- Users must comply with the McKee Transparency Act and respond appropriately to public records requests.
Responsible Use of Information Assets
- Authorization is required before removing Research Foundation property from premises.
- Users must report theft or loss of any device or credential immediately.
- Only licensed and approved software may be used.
- Users must secure personal or Foundation‑issued devices before connecting to Foundation systems.
- Users must log off or secure remote connections when devices are unattended.
- Users must avoid malware by exercising caution with attachments, links, and downloads.
- Users must report unauthorized use or security gaps immediately.
- Users must follow all laws, including California restrictions on recording conversations without consent.
Restrictions and Prohibited Uses
- Users must not engage in activities that conflict with the Foundation's mission, violate laws or contracts, or harm information assets.
- Security circumvention, unauthorized access, identity misrepresentation, malware installation, and interference with system operations are prohibited.
- Users must not disclose passwords to any party, include passwords in documentation, or embed passwords in software code.
- Unauthorized disclosure of confidential information is prohibited.
- Users must not create or distribute discriminatory, threatening, or offensive messages.
- Illegal file‑sharing, copyright violations, unauthorized software installation, and excessive non‑business use are prohibited.
- Texting or emailing while driving on Foundation business is prohibited.
- Posting statements on behalf of the Foundation without authorization is prohibited.
- Political messaging requires prior approval.
Protection of Sensitive Data
- Level 1 (Confidential) and Level 2 (Internal Use) data must be protected against unauthorized access or disclosure.
- Protected data may not be stored or transmitted via personal cloud services or unapproved third‑party systems.
- Protected data must not be entered into public AI/LLM systems unless covered by a CSU‑approved enterprise contract.
- Users must not process Level 1 or Level 2 data in a way that will train a publicly accessible Large Language Model or Generative AI system.
- Protected data must not be transmitted via unsecured methods.
- Protected data must not be stored on personal devices.
- Unencrypted Level 1 data may not be transmitted across public networks.
Social Media
Official SDSU Research Foundation social media pages must be supervisor‑approved, follow SDSU Social Media Guidelines, and be approved by the SDSURF Communications Officer.
Privacy and Disclosure
Research Foundation systems are for business use. Users should not expect privacy when using them.
System administrators may access files as required for operations and security and must maintain confidentiality unless otherwise required by law.
Personal information such as financial documents must not be stored on Foundation systems.
All business records must comply with retention requirements and may be subject to disclosure under the McKee Transparency Act.
Incidental Personal Use
Personal use must be minimal (de minimis), must not interfere with work duties or system performance, must not violate any policy, and must not involve financial gain.
Non‑work files must be stored separately from business records.
External Communications
Users must exercise caution when communicating with external parties and must protect confidential information.
Confidential information must not be left visible on unattended screens.
Mass mailings must be approved by the SDSURF Communications Officer.
Policy Enforcement
Violations may result in disciplinary action up to and including termination and may be referred to law enforcement.
The Foundation may restrict access when necessary to protect systems or reduce liability.
Separation from the Research Foundation
When a user's affiliation ends, access to Foundation systems will be deactivated and all equipment must be returned.
Revised 01/2026

