Section 18 - Business Information Technology
Section 18.2 - Financial Information Access and Security
Date: 10/16/06 — Approved: AS Finance Board
AS divisions have unlimited (read-only) access to most business information. Access to restricted information that could risk someone's privacy, such as payroll information, requires advance approval of the AS Associate Director or designee.
The information in this section applies to business information systems and:
- Mainframe, mid-range, local area networks, and personal computers.
- Systems and applications used for electronic processing of AS business information.
- Users of those systems and applications.
- Personnel who install, develop, maintain, and administer those systems and applications.
AUTHORIZATION FOR USE OF FINANCIAL INFORMATION
Request for Information from Members
All requests for financial information from members of the Associated Students must be sent to the AS Associate Director.
Non-AS organizations
Organizations outside of the AS wishing to use financial information maintained by the AS accounting office (electronic and paper copy) must submit a request to the AS Controller or designee for approval.
AS-Wide
The AS Controller or designee determines what data are collected, maintained, and stored as the basis of AS business information systems, and authorizes the use of financial information on an AS-wide basis.
Auditors
Because of the scope and nature of their work, internal auditors (AS and CSU trustee) and external auditors (outside public accounting firms) have unlimited read-only access to information from computer data files or printed records.
RESPONSIBILITIES
Anyone accessing AS business information must preserve the security and confidentiality of it, because they assume a fiduciary responsibility concerning the information. Such information is to be used only for conducting AS business, or as authorized.
Staff and students are expected to exercise responsible, ethical behavior when using the AS computers, information, networks, or resources for business information purposes. Individual responsibilities include preserving the confidentiality and security of data to which they have been granted access and ensuring that data are used for and in the conduct of AS business. These responsibilities include the proper storage, access control, and disposal of private and confidential data presented to the user in any form. Individuals must also report known or suspected security violations to the AS Controller or designee.
Data Custodian
The AS has delegated operational data control to the Systems Administrator. Directors or designees, as Data Custodians, are authorized to grant other AS units and their staff members permission to access data maintained by them when necessary for the efficient management of the AS. Their responsibilities include:
- Identifying and classifying data that are collected and maintained.
- Authorizing access to data.
- Interpreting pertinent laws and AS policies which determine the levels of confidentiality and security required for data.
- Aiding users in accessing and interpreting data.
- Reviewing security violations for appropriate action.
The term "data" is a general term used to describe facts, numbers, letters, and symbols that refer to or describe an object, idea, condition, or situation.
Supporting Divisions
Any divisions supporting servers on which business information resides must implement the Data Custodian's access authorization and maintain system security functions as outlined in this section. Each division must:
- Implement consistent data security policies and standards (that is, technical standards).
- Assure compliance for each system that falls within the scope of its direct responsibility.
This includes development and maintenance of an internal security plan and associated documents which assure data integrity, authentication, recovery and continuity of operations which support administrative data. It also includes such details as type of access controls, disaster recovery plans, and contingency plans for continuous operation in case of power outages, etc. These documents are considered a part of the policy statement.
OWNERSHIP
The AS of SDSU owns all information (data, programs, and procedures) gathered, stored, or maintained for business purposes, unless otherwise stated in a contractual agreement. This ownership includes all forms of the information—electronic or printed. It includes all copies of information on mainframe, mid-range, and personal computers, and local area networks, wherever the equipment or networks are located.
VIOLATIONS
Violation of any provision of this section may cause the AS to:
- Limit the individual's access to some or all AS systems.
- Initiate legal action, including, but not limited to, criminal prosecution under appropriate state and federal laws.
- Require the violator to provide restitution for any improper use of service.
