Information Security Policy
Reason for Policy
The Cal Lutheran Cyber Security Policy (CSP) provides the guiding principles for securing information technology (IT) resources at Cal Lutheran.
Cal Lutheran students, faculty and staff are responsible for protecting the security of all Cal Lutheran data and IT Resources to which they have access. This includes implementing appropriate security measures on personally owned devices which access Cal Lutheran IT Resources. In addition, users must keep their accounts and passwords secure in compliance with the Computer Use Policy.
Cal Lutheran employees may grant IT Resource guest access to third parties (e.g., visiting scholars). Any Cal Lutheran employee who grants guest access to IT Resources is responsible for the actions of their guest users.
Information Technology Services (ITS) is responsible for planning, implementing, and managing the Cal Lutheran network, including wireless connections.
The following network appliances cannot be implemented at Cal Lutheran without prior written approval by ITS:
- Wireless access points
- Voice over IP (VOIP) infrastructure devices
- Intrusion detection systems (IDS)
- Intrusion prevention systems (IPS)
- Virtual Private Networking (VPN)
- Consumer grade network technologies
- Other networking appliances that may not be included in this list
Every Cal Lutheran owned IT Resource (including virtual resources such as virtual machines and cloud based services) must be managed by an ITS system administrator.
The system administrator is responsible for proper maintenance of the machine, applying appropriate and timely patches and maintaining system access level security.
All Cal Lutheran IT resource users and all Cal Lutheran IT resources are covered by this policy.
Endpoint - Laptop computers, desktop computers, workstations, group access workstations, USB drives, personal network attached storage.
Cal Lutheran IT Resources – Cal Lutheran owned Computers, Networks, Devices, Storage, Applications, or other IT equipment. “Cal Lutheran owned” is defined as equipment purchased with either Institute funding (including sources such as Foundation funds etc.) or Sponsored Research funding (unless otherwise specified in the research agreement).
Reporting an Incident
If a Cal Lutheran IT Resource user suspects that a security incident has occurred or will occur, they should report the suspicion immediately to the ITS help desk at email@example.com or by calling 805-493-3119.
System administrators and unit technical leads who have identified any of the following security events should report the suspected security event to the Chief Information Officer (CIO).
- Any occurrence of a compromised user account
- Any breach or exposure of sensitive data
- Any occurrence of a server infected with malware
- Three or more simultaneous occurrences of endpoints infected with malware
- Any other instance of malware or suspected intrusion that seems abnormal
Chief Information Officer
The Chief Information Officer is responsible for creating and maintaining a cyber security program and leading the Cal Lutheran Cyber Security efforts. The purpose of the cybersecurity program is to maintain the confidentiality, integrity, and availability of Institute IT Resources and Institute data. In addition, the Chief Information Security Officer, or a designee, is responsible for leading the investigation of and response to cyber security incidents. The response to any incident will be developed in collaboration with the data steward, Institute Communications, General Counsel, and other campus offices as appropriate.
Violations of this policy may result in loss of Cal Lutheran system and network usage privileges, and/or disciplinary action, up to and including termination or expulsion as outlined in applicable Cal Lutheran policies.