Sensitive Data (Level 1 & Level 2)

CSU Asset Management Standards 

The CSU Information Security policy (ICSUAM) provides direction and support for managing information technology security and guidance for: monitoring CSU information assets; protecting information assets from malicious software; and managing network security and mobile devices

What is Confidential Data?

As state and federal laws evolve, a number of formal and informal categorizations of data have emerged which dictate whether singular or combined data elements is considered "confidential."  Various terms may be used depending on the legislation applicable to the state or entities in which the data is held or exchanged with other entities.

Level 1: Confidential

Confidential Information is information maintained by the University that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws. Confidential information is information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the CSU, its students, employees, or customers. Financial loss, damage to the CSU’s reputation, and legal action could occur. Level 1 information is intended solely for use within the CSU and limited to those with a “business need-to-know.” Statutes, regulations, other legal obligations or mandates protect much of this information. Disclosure of Level 1 information to persons outside of the University is governed by specific standards and controls designed to protect the information.

Level 1 information stored in a system must be encrypted in CA to avoid a breach notification.

Examples of Level 1:

  • Passwords or credentials  
  • PINs (Personal Identification Numbers)
  • Birth date combined with last four digits of SSN and name
  • Credit card numbers with cardholder name  
  • Tax ID with name
  • Driver’s license number, state identification card, and other forms of national or international identification (such as passports, visas, etc.) in combination with name  
  • Social Security number and name

Level 2: Internal Use

Level 2 information subject to review should not be released except by designated units. Non-directory educational information may not be released except under certain prescribed conditions. Contact the CSUMB ISO for clarification before releasing any information.

Examples of Level 2:

  • Identity Validation Keys (name with)
    • Birth date (full: mm-dd-yy)
    • Birth date (partial: mm-dd only)
  • Student Information-Educational Records - (excludes directory information) including:
    • Grades
    • Courses taken
    • Test Scores
    • Disciplinary actions
  • Employee Information Including:
    • Employee net salary
    • Employment history
    • Home address
    • Birthplace (City, State, Country)
    • Gender
  • Other
    • Trade secrets or intellectual property such as research activities
    • Licensed software

Supplemental Resources




Print Article


Article ID: 51473
Wed 4/4/18 5:26 AM
Thu 11/17/22 4:36 PM

Related Services / Offerings (1)

Campus Departments submit this form for IT approval of all contracts or service agreements that involve Information Technology resources. The Procurement Office requires IT approval prior to finalizing any IT related service agreement or contract.