Policies, Standards, Guidelines, Procedures, and Forms

Information security is governed primarily by Cal Poly's Information Security Program (ISP) and Responsible Use Policy (RUP). The ISP and RUP are supplemented by additional policies, standards, guidelines, procedures, and forms designed to ensure campus compliance with applicable policies, laws and regulations.

To help safeguard and secure campus information and information resources, all users and campus departments are expected to adhere to these policies and standards where applicable or to request an exception. These policies are not intended to prevent, prohibit or inhibit the sanctioned use of campus information assets as required to meet Cal Poly's core mission and academic and administrative goals.

Please report suspected violations to abuse@calpoly.edu and direct comments, questions and other inquiries to infosec@calpoly.edu

All documents linked to on this page are PDF format unless otherwise noted.

Topics	Policies	Standards	Guidelines/Procedures/Forms
Access/Accounts/Authorization	Information Security Program (ISP)   Responsible Use Policy   Cal Poly Core Computer Accounts	Managing Computer Accounts	Account Eligibility and Purge Information   Account Request Forms   Confidentiality Agreements   Data Disposition Guidelines for Employees Whose Status Changes   Password Expiration
Anti-Virus (see Malware)
Appropriate Use	Responsible Use Policy	RUP Overview and Summary	RUP FAQs   RUP Examples of Responsible and Irresponsible Uses   RUP Implementation Practices   Use of Electronic Recording Devices
Asset Management	Information Security Program (ISP)
Business Continuity and Disaster Recovery	Information Security Program (ISP)		Cal Poly Business Continuity Planning
Classification, Handling, and Protection of Information	Information Security Program (ISP)   Responsible Use Policy	Information Classification and Handling Standard   Computing Devices Standard   Electronic and IT User Activity Logs: Handling Standard	Encryption Methods and Recommended Practices
Commercial Use	Responsible Use Policy
Computer Crimes	Responsible Use Policy   Computer Crimes Policy
Computer/Device Security	Information Security Program (ISP)   Responsible Use Policy	Computing Devices Standard   Vulnerability Assessment and Management Standard	Information Security Risk Asset Definition and Risk Asset Examples   Computing Device: Configuration (server) Cooling and Backup Power Guide (DOCX) Fire Notification and Equipment Guide (DOCX) Computing Devices Inventory - for both server and non-server devices (XLSX)   Equipment Decommissioning Checklist - for both server and non-server devices (DOCX)
Confidentiality and Privacy	Information Security Program (ISP)   Responsible Use Policy   Use and Release of Student Information (FERPA)   HIPAA   Confidentiality of Library Records   Privacy Notice		Confidentiality Security Agreements   Security Breach Notifications (1386)   University Advancement Security and Confidentiality Agreement
Copier/Printer Security	Information Security Program (ISP)   Responsible Use Policy	Computing Devices Standard	White Paper: Canon imageRUNNER Security (PDF   AFD Response to imageRUNNER Security White Paper (PDF)   AFD ANTS Technical Documents: Canon Copier Configuration (DOC)   How to use the "Initialize All Data/Settings Option" on Canon Devices (PDF)
Copyright, Trademark, and Patents	Responsible Use Policy	Compliance with HEOA Peer-to-Peer File Sharing Requirements	DMCA Procedures: Cal Poly Response to Copyright Infringement Claims   DMCA Notifications Procedures   Cal Poly Trademark Licensing   OSSR Student Conduct Process
Disposition of Protected Data and University Devices	Information Security Program (ISP)   Responsible Use Policy	Disposition of Protected Data Standard   Record Retention and Disposition Standard   Email Retention Standard	Confidential Shred Services   ITS Storage Media Disposal Form (DOC)   Data Disposition Guidelines for Employees Whose Status Changes   Record Retention and Disposition Schedules   Designated Information Authorities of CP Records   Property Procedures
Dropbox Services	Information Security Program (ISP)	Information Classification and Handling Standard	Data and Cloud Storage & Sharing (OneDrive)
Electronic Mail	Responsible Use Policy   Electronic Mail Policies	Email Retention Standard	Electronic Mail and Messaging: Reporting Policy Violations   Reporting Phishing Emails with ARPA Headers   Electronic Mail Guidelines and Related Procedures   Data Disposition Guidelines for Employees Whose Status Changes
Encryption	Information Security Program (ISP)	Information Classification and Handling Standard   Computing Devices Standard	Encryption Methods and Recommended Practices
Family Educational Rights and Privacy Act (FERPA)	A Summary of FERPA Student Access to Records	Records Maintained by Cal Poly	FERPA FAQs Departmental FERPA Release Form
Harassment	Responsible Use Policy   Electronic Mail and Messaging Policy		Equal Opportunity Office Complaint Process
HIPAA	CSU HIPAA Policy
Information and Communication Technology (ICT) Decisions	Information Security Program (ISP)   ICT Decisions Policy   Accessible Technology Initiative	ICT Decisions Standard and Responsibilities   Section 508 Standards   ICT Refresh Standards (Section 508 and Section 255)	ICT Decision Review Process and Overview, Process Flow and Related Forms (Online Form, VPAT, EEAAP, etc.)   HECVAT    Third-Party Vendor Review Process Flow
Identity Theft	Information Security Program (ISP)	Identity Theft (Red Flag) Program and Security Incident Reporting Procedure	Identity Theft Resource Center
Incident Response and Management	Information Security Program (ISP)   Responsible Use Policy	Computing Devices Standard   Incident Response Program Standard	RUP Implementation Practice   Reporting Abuse   IT Policy Violation Notification   Litigation Holds Guidelines
Litigation Holds	Information Security Program (ISP)	Email Retention Standard	Litigation Holds Guidelines
Malware (e.g., Viruses, Worms, Spyware)	Information Security Program (ISP)   Responsible Use Policy   Computer Crimes Policy	Computing Devices Standard	Removal, FAQs, and Reporting Procedures   Potentially Infected Computer Notification to Users
Network Security (see also Wireless Network)	Information Security Program (ISP)   Responsible Use Policy	Network Security   Network Configuration Compliance   Devices: Standards and Responsibilities   Residence Hall Student Computing Agreement	Exception Procedure for Connecting Non-Standard Equipment to the Network
Organization/Governance	Information Security Program (ISP)		Designated Information Authorities of CP Records   Security Contacts
Passwords	Information Security Program (ISP)   Responsible Use Policy	Cal Poly Passwords	Password Expiration
Payment Card Industry Data Security Standards	Information Security Program (ISP)	Payment Card Industry Data Security Standards
Peer-to-Peer File Sharing (see Copyright, Trademark, and Patents)
Personnel Security	Information Security Program (ISP)		Confidentiality Security Agreements
Phishing	Responsible Use Policy   Electronic Mail and Messaging Policy		Report Phishing and Spam   What is Phishing?
Physical Security	Information Security Program (ISP)
Policy Management	Cal Poly Administrative Policy
Political Advocacy	Responsible Use Policy
Recording Devices	Responsible Use Policy		Use of Electronic Recording Devices
Record Retention/Disposition	Information Security Program (ISP)	Record Retention and Disposition Standard   Email Retention Standard	Record Retention and Disposition Schedules   Data Disposition Guidelines for Employees Whose Status Changes   Designated Information Authorities of CP Records
Risk Management/Assessment	Information Security Program (ISP)	Risk Self-Assessment Standard   Vulnerability Assessment and Management Standard	Level 1 Information Asset Form for workstations (XLS)   Information Security Risk Asset Definition and Risk Asset Examples
Security Awareness Training	Information Security Program (ISP)		Information Security Awareness Training Resources
Software/System Acquisition (see also  Electronic & Information Technology Decisions, Web Applications)	Information Security Program (ISP)   ICT Decisions Policy   Accessible Technology Initiative	ICT Decisions Standard and Responsibilities   Section 508 Standards   ICT Refresh Standards (Section 508 and Section 255)	ICT Decision Review Process and Overview, Process Flow and Related Forms (Online Form, VPAT, EEAAP, etc.)   HECVAT Light and Full forms.   Third-Party Vendor Review Process Flow   Technology Purchases
SPAM	Responsible Use Policy   Electronic Mail and Messaging Policy		SPAM Alerts Reporting SPAM
Third Party Contracts	Information Security Program (ISP)   ICT Decisions Policy   Accessible Technology Initiative	ICT Decisions Standard and Responsibilities   Section 508 Standards   ICT Refresh Standards (Section 508 and Section 255)	ICT Decision Review Process and Overview, Process Flow and Related Forms (Online Form, VPAT, EEAAP, etc.)   HECVAT    Third-Party Vendor Review Process Flow     Technology Purchases
Viruses/Worms (see Malware)
Web Applications, Websites, and Accessibility to Digital Content	Information Security Program (ISP)   Responsible Use Policy   ICT Decisions Policy   Accessible Technology Initiative	ICT Decisions Standard and Responsibilities   Section 508 Standards   ICT Refresh Standards (Section 508 and Section 255)   Web Accessibility Standards   Web Application: Approval Process   Web Application: Development Standard   Web Application: Security Vulnerabilities   Web Application: Software Testing   Web Application: Version Control	ICT Decision Review Process and Overview, Process Flow and Related Forms (Online Form, VPAT, EEAAP, etc.)   Technology Purchases   Information Security Risk Asset Definition and Risk Asset Examples
Wireless Networks	Information Security Program (ISP)   Responsible Use Policy   Two-Way Radio Communications in VHF and UHF Bands		Exception Procedure for Connecting Non-Standard Equipment to the Network   Wireless Clicker (Classroom Response System) FAQs   Wireless Clicker (Classroom Response System) Strategy