August 28, 2009: IT Security Policy Bargaining Report #1

The CSU claimed that they received more than 1,000 comments on a draft policy that was issued in October, 2008. CSUEU met with the CSU about that draft in February, 2009. Many of CSUEU’s suggestions were incorporated into a July, 2009, version that we reviewed during the August 25 meeting.

Representing CSUEU were Rich McGee (BU 9, San Bernardino), Alisandra Brewer (BU 9, Sonoma), Joseph Dobzynski (BU 9, Channel Islands), Matthew Black (BU 9, Long Beach), and Teven Laxer (CSUEU Senior Labor Relations Representative). Cheryl Washington (Interim Senior Director, Systemwide Information Security Management, Chancellor’s Office), Sharyn Abernatha (Senior Manager, Employee and Labor Relations, Chancellor’s Office) and Teresa Macklin (Information Security Officer, San Marcos) represented the CSU.

As a result of our meeting, the CSU agreed to make the following additional modifications to their proposed policy:

• The policy will acknowledge that the CSUEU assisted in the development of the IT security policy (the latest draft had only acknowledged the input of faculty)
• The policy will state that the CSU does not intend to monitor, restrict, or utilize the content of legitimate academic or organizational communications
• The policy will acknowledge that the assignment of risk should be given to the appropriate administrator, not to any individual IT employee
• There will be periodic review of risk assessments by appropriate administrators

In September, the CSU will review and modify its draft policy with additional organizations and will be issuing another draft policy shortly thereafter. CSUEU will review that draft as soon as it is released.

In addition to the discussion regarding the IT security policy, we reviewed and discussed a proposed Information Security Awareness Program which the CSU intends to provide to all employees who have access to sensitive information (Level I, Level II or protected data). The CSU agreed to the following modifications: