Policies, Standards, Guidelines, Procedures, and Forms

Information security is governed primarily by Cal Poly's Information Security Program (ISP) and Responsible Use Policy (RUP). The ISP and RUP are supplemented by additional policies, standards, guidelines, procedures, and forms designed to ensure campus compliance with applicable policies, laws and regulations.

To help safeguard and secure campus information and information resources, all users and campus departments are expected to adhere to these policies and standards where applicable or to request an exception. These policies are not intended to prevent, prohibit or inhibit the sanctioned use of campus information assets as required to meet Cal Poly's core mission and academic and administrative goals.

Please report suspected violations to abuse@calpoly.edu and direct comments, questions and other inquiries to iso@calpoly.edu.

All documents linked to on this page are PDF format unless otherwise noted.

Topics	Policies	Standards	Guidelines/Procedures/Forms
Access/Accounts/Authorization	Information Security Program Responsible Use Policy Cal Poly Core Computer Accounts	Managing Computer Accounts	Account Eligibility and Purge Information Account Request Forms Confidentiality Agreements Data Disposition Guidelines for Employees Whose Status Changes Leaving Cal Poly Password Expiration
Anti-Virus (see Malware)
Appropriate Use	Responsible Use Policy	RUP Overview and Summary	Use of Electronic Recording Devices RUP FAQs RUP Examples of Responsible and Irresponsible Uses RUP Implementation Practices
Asset Management	Information Security Program
Business Continuity and Disaster Recovery	Information Security Program		Cal Poly Business Continuity Plan
Classification, Handling, and Protection of Information	Information Security Program Responsible Use Policy	Information Classification and Handling Standard Computing Devices Standard	Encryption Methods and Recommended Practices How to Encrypt Items How to Open Encrypted Items How to Encrypt Full Disk How to Decrypt Full Disk Using Zimbra Briefcase to Share Protected Files
Commercial Use	Responsible Use Policy
Computer Crimes	Responsible Use Policy Computer Crimes Policy		Removing Networked Devices from the Cal Poly Network
Computer/Device Security	Information Security Program Responsible Use Policy	Computing Devices Standard Vulnerability Assessment and Management Standard	Information Security Risk Asset Definition and Risk Asset Examples Computing Device: Configuration (server) Cooling and Backup Power Guide (DOCX) Fire Notification and Equipment Guide (DOCX) Computing Device: Documentation (server) Computing Device: Configuration (nonserver) Computing Device: Documentation (nonserver) Computing Devices Inventory - for both server and non-server devices (XLSX) Equipment Decommissioning Checklist - for both server and non-server devices (DOCX)
Confidentiality and Privacy	Information Security Program Responsible Use Policy Use and Release of Student Information (FERPA) Confidentiality of Library Records HIPAA		Confidentiality Security Agreements Security Breach Notifications (1386) University Advancement Security and Confidentiality Agreement
Copier/Printer Security	Information Security Program Responsible Use Policy	Computing Devices Standard	White Paper: Canon imageRUNNER Security (PDF) AFD Response to imageRUNNER Security White Paper (PDF) AFD ANTS Technical Documents: Canon Copier Configuration (DOC) How to use the "Initialize All Data/Settings Option" on Canon Devices (PDF)
Copyright, Trademark, and Patents	Responsible Use Policy	Compliance with HEOA Peer-to-Peer File Sharing Requirements	DMCA Procedures: Cal Poly Response to Copyright Infringement Claims DMCA Notifications Procedures Cal Poly Trademark Licensing OSSR Student Conduct Process
Disposition of Protected Data and University Devices	Information Security Program Responsible Use Policy	Disposition of Protected Data Standard Record Retention and Disposition Standard Email Retention Standard	Confidential Shred Services ITS Storage Media Disposal Form (DOC) Data Disposition Guidelines for Employees Whose Status Changes Record Retention and Disposition Schedules Designated Information Authorities of CP Records Property Procedures
Dropbox Services	Information Security Program	Information Classification and Handling Standard	Dropbox Guidance
Electronic Mail	Responsible Use Policy Electronic Mail Policies	Email Retention Standard Administration of Decentralized Electronic Mail Standard	Electronic Mail and Messaging: Reporting Policy Violations How to View Full Message ARPA Headers Electronic Mail Guidelines and Related Procedures Data Disposition Guidelines for Employees Whose Status Changes
Encryption	Information Security Program	Information Classification and Handling Standard Computing Devices Standard	Encryption Methods and Recommended Practices How to Encrypt Items How to Open Encrypted Items How to Encrypt Full Disk How to Decrypt Full Disk
Family Educational Rights and Privacy Act (FERPA)	A Summary of FERPA Student Access to Records	Records Maintained by Cal Poly	FERPA FAQs
Harassment	Responsible Use Policy Electronic Mail and Messaging Policy		Employment Equity Complaint Process
HIPAA	CSU HIPAA Policy
Identity Theft	Information Security Program (Red Flag Rule)	Identity Theft (Red Flag) Program and Security Incident Reporting Procedure	Identity Theft Resource Center
Incident Response and Management	Information Security Program Responsible Use Policy	Computing Devices Standard Incident Response Program Standard	RUP Implementation Practice Reporting Abuse IT Policy Violation Notification Litigation Holds Guidelines
Litigation Holds	Information Security Program	Email Retention Standard	Litigation Holds Guidelines
Malware (e.g., Viruses, Worms, Spyware)	Information Security Program Responsible Use Policy Computer Crimes Policy	Computing Devices Standard	Removal, FAQs, and Reporting Procedures Potentially Infected Computer Notification to Users
Network Security (see also Wireless Network)	Information Security Program Responsible Use Policy	Network Security Network Configuration Compliance Cal Poly Network Communication Devices: Standards and Responsibilities Residence Hall Student Computing Agreement	Attaching Network Communication Devices to the Cal Poly Network Removing Networked Devices from the Cal Poly Network Exception Procedure for Connecting Non-Standard Equipment to the Network
Organization/Governance	Information Security Program		Information Security Coordinators Designated Information Authorities of CP Records Security Contacts
Passwords	Information Security Program Responsible Use Policy	Cal Poly Passwords	Password Expiration
Payment Card Industry Data Security Standards	Information Security Program	Payment Card Industry Data Security Standards
Peer-to-Peer File Sharing (see Copyright, Trademark, and Patents)
Personnel Security	Information Security Program		Confidentiality Security Agreements
Phishing	Responsible Use Policy Electronic Mail and Messaging Policy		Reporting Abuse - Email Procedures What is Phishing?
Physical Security	Information Security Program
Policy Management	Information Security Program
Political Advocacy	Responsible Use Policy
Recording Devices	Responsible Use Policy		Use of Electronic Recording Devices
Record Retention/Disposition	Information Security Program	Record Retention and Disposition Standard Email Retention Standard	Record Retention and Disposition Schedules Data Disposition Guidelines for Employees Whose Status Changes Designated Information Authorities of CP Records
Risk Management/Assessment	Information Security Program	Risk Self-Assessment Standard Vulnerability Assessment and Management Standard	Risk Self-Assessment Form Level 1 Information Asset Form for workstations (XLS) Level 1 and 2 Information Asset Form for servers (XLS) Information Security Coordinators Information Security Risk Asset Definition and Risk Asset Examples
Security Awareness Training	Information Security Program		Information Security Awareness Training Handout Security Training, Materials, and Presentations
Software/System Acquisition (see also Web Applications)	Information Security Program Responsible Use Policy Software Acquisition Policy	Software Acquisition Standards	Software Decision Process Technology Purchases Electronic and Information Technology (E&IT) Acquisition Checklist (DOC)
SPAM	Responsible Use Policy Electronic Mail and Messaging Policy		SPAM Alerts Reporting SPAM
Third Party Contracts	Information Security Program Software Acquisition Policy	Software Acquisition Standards	Software Acquisition Process Technology Purchases Electronic and Information Technology (E&IT) Acquisition Checklist (DOC)
Viruses/Worms (see Malware)
Web Applications	Information Security Program Responsible Use Policy Software Acquisition Policy	Software Acquisition Standards Web Application: Approval Process Web Application: Development Standard Web Application: Security Vulnerabilities Web Application: Software Testing Web Application: Version Control	Software Decision Process Technology Purchases Electronic and Information Technology (E&IT) Acquisition Checklist (DOC) Compliance Process Guide (WARC) Information Security Risk Asset Definition and Risk Asset Examples
Websites and Accessibility to Digital Content	Responsible Use Policy	Web Accessibility Standards	Compliance Process Guide (WARC)
Wireless Networks	Information Security Program Responsible Use Policy University Airwaves Policy	Wireless Airwaves Standards	Attaching Network Communication Devices to the Cal Poly Network Removing Networked Devices from the Cal Poly Network Exception Procedure for Connecting Non-Standard Equipment to the Network Wireless Clicker (Classroom Response System) FAQs Wireless Clicker (Classroom Response System) Strategy

Information Security

Information Security

Quick References

Policies and Laws

Contacts

Policies, Standards, Guidelines, Procedures, and Forms