CHRS Knowledge Base

Security Plan and Requirements


1.0 Introduction

Document Purpose

This document describes the CHRS Security Plan and Requirements as required by the system owner, CSU Systemwide HR (SWHR). The protection measures described in this document were designed to ensure CHRS complies with CSU Systemwide HR Policies, CSU Systemwide Information Security Standards and Policies governing information technology (including those with specific relevance to HR operations), information security and human resources as well as all pertinent state and federal regulatory requirements.

Security within CHRS will be addressed throughout the software development life cycle and within the environment supporting CHRS, including but not limited to the production and non-production network, operating system, and application levels.

Document Scope

This strategy was developed to ensure the confidentiality, integrity and availability of CHRS information assets. It outlines security controls that must be in place to reduce and mitigate CSU security risks with associated data from 23 campuses and the Chancellor’s Office (CO) residing in one consolidated environment. The CHRS Security Plan and Requirements is not intended to be a campus procedural document or a campus operational guide; however, it will include specific protocols that will govern the security of CHRS Systemwide data. The CHRS Security team will develop and distribute additional documents to support the implementation of this plan.

Requirements

  • The core security design for CHRS will include the following elements:
    • Security Administrators will be assigned to CHRS to support the security management activities at the CO and campus offices.
    • The CO Chief Information Security Officer (CISO) will be an integral part of the Security Administrator group to ensure security within CHRS is managed by subject matter experts and complies with CSU Systemwide Information Security Standards and Policies governing information security.
    • CHRS users will be permitted to view data applicable to their job duties only.
    • Campus Distributed Security Administrators (DSAs) and other designated employees may be permitted to access systemwide data to support development within a specific CHRS workstream, for a specified time, with appropriate approvals from Systemwide HR.
    • Authentication controls will be managed similarly to the Common Financial System (CFS) through Systemwide Identity Access Management (IAM) infrastructure.
    • Access to the CHRS systemwide data will be based on the principles of “need-to-know” and least privilege.
    • All users will comply with all CSU policies governing information security.

2.0 Systemwide HR Requirements (SWHR)

  • Each campus is its own appointing authority. As such, all campus information must be secured at the campus level both in production and non-production database instances. Applicable CSU Systemwide HR and Security Policies must be followed. Refer to the CSU Information Asset Management Policy.
  • Where specific approvals have been documented, an employee may be granted access to data at another campus when working on a specific CHRS systemwide project for a specified duration. In those instances, a Confidentiality Agreement must be signed by the employee and approvals to grant such access must be obtained from SWHR. Periodic audits of changes made to permissions and security roles must be performed to ensure the access assigned was authorized, appropriate and applicable to the functions being performed. The annual user access review will be based on the CSU Information Security Policy. The details around these processes will be documented in the CHRS Security/Operational Guide.
  • In all other situations, all security strategies must be administered in such a way that campus employees are able to only access information needed to perform their job duties. All regulatory laws and CSU policies requiring the protection of confidential personal data as mandated by the Information Practices Act must be adhered to, as identified in coded memo HR 2005-16.
  • The CSU also complies with the Family Educational Rights and Privacy Act (FERPA), which prohibits the release of education records without student permission. Each campus is responsible for campus record-keeping and procedures relating to student and employee personal information. In addition, each campus is required to maintain appropriate access, disclosure, and confidentiality of student and employee personal information.
  • Each campus must ensure that all employees with access to confidential personal information have a legitimate CSU need to have such access. These employees must understand the responsibility they have under the Information Practices Act and Title 5 to protect sensitive personal data.
  • Confidential personal information should not be transmitted outside the CSU unless it is for legitimate CSU purposes. Recipients must be informed that the information provided is confidential and is provided for the sole purpose of the specific business need. Also, recipients must be informed that they are responsible for the protection of the information and the destruction of all files after the intended use is satisfied.

System Applications/Specific Processes

  • The following system application security requirements, in addition to the information outlined above, must be adhered to for CHRS. These operational security requirements apply to production and non-production CHRS database instances.

Employment information

  • Employee information must be secured at the campus and department levels and only accessible to employees based upon a “need-to-know” basis to perform their assigned job duties.
  • Employment information includes but is not limited to information identified as Level 1 and/or Level 2 data. Refer to the Data Classification standards referenced in section 2.1.5 below.

Campus Conversion Validation

  • The approach used for campus validation of converted data for CHRS must adhere to the security requirements outlined previously to ensure all data is secured by the campus. Access must be provided in a manner that enables campus designated employees to validate data at their respective campus by specific job function(s).

CHRS Development

  • CHRS development will be handled by CMS Central. Campus-specific modifications to CHRS are not allowed. Therefore, campus development access will not be authorized, unless it is granted to support a specific CHRS Program workstream activity.

CHRS Integration with Campus Solutions (CS)

  • For CHRS, data will not be kept in sync between CHRS and the 23 CS systems. Instead there is a more complicated relationship with shared data elements that are documented in the CHRS Integration Guide.
  • Each campus must secure their campus CS system to ensure any access to HR data is authorized and appropriate based on the employee’s assigned job duties. Periodic audits will be governed by a Central Security Administrator to ensure campus compliance; details of these audits and controls will be included in the CHRS Security Guide.
  • Systemwide HR is the data owner of employee Person Data and a designated delegate will work with respective campus representative(s) to manage demographic-related data discrepancies. Operational processes that govern how personal information will be updated within CHRS, and how the Personal Data Management system will be used, will be defined in the CHRS Integration Guide.

CHRS Non-Production Data Masking

  • Specific development functions must be performed in the CHRS non-production environments where data may not be fully secured. In these instances, sensitive data must be masked and/or scrambled to minimize the possibility that personally identifiable information could be associated with actual employees. (All exceptions must be approved by the CHRS Program Leadership.) To protect information in this category, the following data elements, at a minimum, are considered sensitive and must be protected as noted above.
    1. SSN – National ID
    2. Name
    3. Bank Account Number
    4. Credit Card Number
    5. Email Addresses

CHRS Data Classification

  • Access, storage and transmissions of sensitive data are subject to restrictions as described in the CSU Asset Management Standards. The definitions of data items are defined in the Information Security Data Classification. Employees may be granted access to these data items only as it is relevant and necessary to perform their job duties.

CHRS Data Access

PeopleSoft Reporting

  • Access to PeopleSoft query and reporting capabilities will use delivered PeopleSoft application security controls and row level security. This is to ensure that query access maintains the same level of controls as access given to menus and pages.
  • PeopleSoft online reporting and query is one of the reporting tools for CHRS. Direct SQL access is not intended for reporting and is provided for technical support and integration purposes. The CHRS data repository/reporting solution will be the primary reporting tool. Campuses will, for a specified time, maintain a copy of their legacy system to allow for historical reporting. Retention timeline of the legacy database will be required to adhere to data retention schedules.

Database SQL Access

  • Access to the CHRS production database for technical support and service accounts, e.g. 3rd-party integrations, will be allowed using Oracle accounts. The default and standard CSU_SELECT role as outlined in the Validating Oracle Users and Roles document will not include any tables that contain employee specified confidential data such as Social Security Number and Bank Information. The CSU_UPDATE role will be limited to CO staff within the CHRS environment.
    • Only a limited number of campus-based employees may be granted direct database access for their respective campus to view and/or query information containing sensitive data.
    • Level 1 and 2 data will be segregated by campus using campus specific Oracle views/roles which must be requested and approved by Systemwide HR.
    • A few predefined tables that include employee related data will be secured by campus and provided as a baseline.
    • Access to the campus-specific Oracle views will be provided by way of campus-specific Oracle roles.

Roles and Permissions

  • Security Roles and Permissions lists for CHRS will be defined and maintained by the CHRS Security Team. A systemwide set of security roles and permission lists will support approved job functions required to implement the CHRS business practices defined and approved by Systemwide HR.
  • Campuses will have the ability to assign roles to users based on the job function(s).
  • Campuses may create/modify roles and permissions lists in a development instance for testing and may submit a request to the Central Security Office to implement those changes in PRD, supplying the required specific business need/function this addresses. The request will be reviewed by the CHRS Security Team and approved by the Systemwide HR for inclusion in CHRS.

Distributed Security Administrator Access

  • To highlight the shared responsibilities of CHRS, campus security administrators will be referred to as Distributed Security Administrators (DSA’s) and will have full access to Distributed User Profiles. They will have to submit a CMS Data Center Campus Security Administrator “CSA” Application in order to gain access.

Person Data¹ (Demographic) / Searches

  • HR Person Data may be viewed by campus employees on a “need-to-know” basis to perform their job. Certain Person Data elements may also be viewed to preclude duplicate records from being added to the system, e.g. Search Match functionality. Data available for online viewing and searches include information contained in the existing CSU ID Search Modification.

    Search Criteria              Search Results
    Name                         Name
    SSN (full)                   SSN – last 4 digits
    Employee ID/Record Number    Empl ID/Record Number
                                 Job Code and Description
                                 HR Status (Active/Inactive)
                                 Department ID and Description
                                 Date of Birth (Month and Date)
                                 Organization Relationship
                                 Employee Class
                                 POI Type
                                 Business Unit

3.0 CHRS Security Oversight Structure

  • The CHRS security oversight structure defines the functions, relationships, responsibilities, and authorities of committees and individuals that support CHRS.

Systemwide Human Resources

  • The data owner for CHRS are representatives within Systemwide Human Resources, Vice Chancellor for Human Resources and the Associate Vice Chancellor of Human Resources Management. The data owner is ultimately responsible for ensuring that CHRS data is securely and consistently maintained.

CHRS Data Standardization

  • CHRS will bring about common usage of fields in the PeopleSoft application wherever required based on all campuses being in a single instance. Core Standardization team(s) were formed along with the designation of campus Data Coordinators. The Core CHRS Standardization team will work closely with campus teams to define and provide data definitions/standards in accordance with applicable laws, SWHR policies, CBA provisions and/or HR best practices. The Core Standardization team also facilitates agreement among campuses on fields to be used consistently where there are no applicable policies or CBA provisions.

¹ Refer to the data standards defined as part of the CHRS Systemwide HR Data Standardization project for a complete listing of Person Data elements (Phase I).

CHRS Security Team

  • A review team, comprised of leads and subject matter experts (SMEs) from campuses and CMS Central, was created to support CHRS information security requirements and initiatives. This team is responsible for developing the system roles and permission lists approved for CHRS which Distributed Security Administrators will use to control access for users. A security matrix that describes what access basic roles need will be made available based on position requirements, security guidelines and input from the CHRS Solution Module Design teams. Any requests to modify or add roles and permissions will be reviewed by this team and a recommendation and/or approval will be submitted to the Central Security Administrator.

Central Security Administrator

  • The Central Security Administrator (CSA) will work with the CO (CMS and SWHR) and campus staff, to validate the security design and provide post-implementation support. The CSA’s duties include but are not limited to the following:
    • Consultation with campus and CO staff to meet operational security needs.
    • Consultation with the project team to ensure CHRS compliance with CSU Systemwide Information Security Policies and Standards.
    • Evaluation of user security requests and consultation with appropriate resources to ensure requests comply with CHRS security policies, standards and audit guidelines.
    • Providing support to campuses and CO during audits.
    • Granting access of DSA User Accounts:
      • On-going responsibility will be performed by Systemwide Security Maintenance rather than Administration.
    • Monthly, quarterly, and annual review of CHRS security to ensure compliance with Segregation of Duties policies.

Systemwide Security Maintenance

  • CO Systemwide Security Maintenance will have full access to the CHRS User Profile pages and will manage the following tasks:
    • Completion of quarterly access reviews
    • Granting of access to all security roles as requested by campuses
    • Granting access of all Distributed Security Administrator (DSA) roles

CMS Technical Services and Application Development Team

  • CMS Technical Services will manage the production infrastructure associated with the application and web tiers, supporting the CHRS environment in accordance with CSU Systemwide Information Policies and Standards.
  • This includes all tasks associated with application server setup, configuration and management, process scheduler setup, configuration and management, FTP accounts, and web server setup configuration and management. CMS Technical Services is responsible for ensuring appropriate resources at the web and application tier, including responsibilities for capacity planning, tuning, and installation.

Distributed Security Administrators

  • To highlight the shared responsibilities of CHRS, campus security administrators will be referred to as Distributed Security Administrators (DSA’s). The DSA’s will be managed using PeopleSoft delivered Distributed User Profiles functionality. They will be given the capability of assigning roles restricted to those in their Role Grant domain.
  • DSA’s will provide security support for operational activities at the campus within the limitations of the access provided to them. Other duties of the DSA’s include but are not limited to the following:
    • Establish and maintain user profiles in CHRS for their respective campus.
    • Process user access requests by assigning privileges to user accounts once campus approval process has been completed.
    • Maintain campus documentation related to users’ requests and approvals.
    • Accept and review user requests to access non campus-based security objects. Such requests are forwarded to the Central Security Administrator based on approval from Campus Application Owner.
    • Participate in audits of user accounts in accordance with CSU Information Security Policies.
    • De-provision accounts when a user has separated from the institution by removing administrative access.
    • Dynamic roles will be removed based on the criteria that have been defined.
    • Monthly, quarterly and annual reviews of SoD reports for compliance.
  • DSA’s and their backups can grant any level of access or responsibility within the roles granted to them for the CHRS PeopleSoft application. This responsibility includes delegating limited administrative capabilities to Application Leads. This special role provides the ability to administer the rights to any menu, component, page or tool within CHRS, again delineated by the role granted through the Role Grant functionality, and therefore should be deployed sparingly.

4.0 CHRS Security Training

  • A Systemwide CHRS implementation support program will be provided and will include training for the CHRS security model. Information Security Awareness and Training policy mandates that all employees with access to protected data and information assets must participate in appropriate information security awareness training.

5.0 Authentication and Access Control

  • CHRS will implement a custom end-user authentication process that uses systemwide federated authentication. Users that successfully log in will be able to access resources based on their roles as defined and granted within CHRS.
  • The following approach provides an example of this model:
    1. A user attempts to access the main page of CSYou.
    2. The user is redirected to their local campus Shibboleth Identity Provider (IAM infrastructure) to present their campus managed credentials.
    3. Once authenticated, the user will be redirected back to CSYou where they will find a link to access CHRS.
    4. This link executes the custom login process that works in conjunction with the PeopleSoft Sign-In code to create the user login session.
    5. If the user has been provided roles, they will be able to perform any functions granted to them.

Password Management

  • The PeopleSoft Password Management feature will NOT be used in CHRS. Campuses are responsible for managing their campus login credentials used for federated authentication and as a result are encouraged to implement strong passwords that meet or exceed the systemwide information security guidelines.

Multi-factor Authentication (MFA)

  • Multi-factor authentication must be used with any login and is a requirement for access into CHRS.

6.0 CHRS Security Incident Management

  • CHRS will comply with the Information Security Incident Management Policies as defined in the California State University Systemwide Information Security Policy.

7.0 CHRS Business Continuity and Disaster Recovery

  • Campus and CO users and administrators access the CHRS at the Unisys data center. Disaster recovery for all of CMS, including the CHRS, is managed and coordinated within the purview of the Unisys data center contract.

8.0 CHRS Infrastructure

  • This section describes differences to the CMS security infrastructure made to support the CHRS application environment. All current CMS security practices, policies and procedures will be in place for CHRS. This includes all current security components such as VPN, IDS, and Firewalls that are in place for the CMS environment. This section covers only areas where CHRS is different from current Common Management System, Common Financial System, Human Resources and Student Administration 9.0 environments.

Oracle Database User Accounts Password Management

  • The Oracle account’s password controls will comply with CSU Policy Access Control and Standard 8060.S01 Access Control and Access Control Chancellor’s Office Password Standard 8060.COS001.

9.0 Data Retention

  • Reference CSU Records/Information Retention and Disposition Schedule which outlines requirements based on Executive Order 1031.

Additional References

CSU Policy Library – Title Search

Access Control 8060.S01

Configuration Management Policy 8050.0.

HIPAA Regulations as Amended by the HITECH Act

Information Asset Management Policy 8065.0.

Information Security Data Classification 8065.S02.
