Electronic Data Security-Portable Devices and Removable Media

  • Issue Date: February 2009
  • Revision Date: December 2018
  • Expiration Date: N/A

  1. Purpose

    The purpose of this Standard is to establish requirements to provide for the protection of information stored on portable electronic storage media and portable computing devices.

  2. Background

    Portable computing devices (including, but not limited to, laptops computers, PDAs, tablet PCs) and portable electronic storage media (including but not limited to, CDs and USB storage devices) are vulnerable to loss or theft. In the event of loss of theft, information stored on these devices or media may result in identity theft or unauthorized access to secure systems, networks, and resources.

    The Information Classification Standard requires that Confidential (Level 1) information stored on portable computing devices and portable electronic storage media be encrypted or otherwise rendered unreadable and unusable by unauthorized persons.

  3. Scope

    This Standard applies to:

    • All University faculty, staff, students, and volunteers (collectively referred to as “employees”), contractors and consultants,
    • All University owned portable computing devices and/or portable electronic storage media,
    • All CSULB Auxiliary owned portable computing devices and/or portable electronic storage media containing University confidential or internal use data/information,
    • All Confidential (Level 1) and Internal Use (Level 2) data/information.
  4. Portable Computing Devices

    The following requirements apply to all University owned portable computing devices containing confidential or internal use data/information or any CSULB Auxiliary owned portable computing device containing University confidential or internal use data/information:

    1. Confidential (Level 1) information should not be stored on portable computing devices unless absolutely necessary and removed when the business reason for storage is no longer required. Level 1 or Level 2 information may not be stored on non-university/auxiliary owned portable computing devices.
    2. Physically secured when not in use.
    3. Encryption software must be loaded and correctly configured.
    4. Strong password protection rules for all user profiles.
    5. Operating system software must be kept current and antivirus software must be kept current on devices capable of running such software.
  5. Portable Electronic Storage Media

    The following requirements apply to all University/Auxiliary owned portable electronic storage media containing confidential or internal use data/information or any CSULB auxiliary owned portable electronic storage media containing University confidential or internal use data/information:

    1. Confidential (Level 1) information should not be stored on portable electronic storage media unless absolutely necessary and removed when the business reason for storage is no longer required. Method for removal is outlined in the Electronic Media Sanitization Procedure. Level 1 or Level 2 information may not be stored on personally owned portable electronic storage media.
    2. All files must be encrypted.
  6. Disposal Requirements

    All confidential or internal use information stored on portable computing devices or portable electronic storage media must be sanitized prior to disposal in accordance with the Electronic Media Sanitization Procedure.

  7. Reporting Loss or Theft

    The loss or theft of a portable computing device or portable electronic storage media within the scope of this standard must be reported to the employee’s appropriate administrator, University Police and the Information Security Office. If lost or stolen off-campus, local law enforcement must be notified and a police report obtained.

Further Information

Information Security Office
Email: security@csulb.edu