California State University System Office

Featuring one of the most diverse student bodies in the United States, the California State University (CSU) system is made up of 23 campuses across the state of California. All campuses in the system follow a basic set of information security policies that are designed to facilitate information security standardization across the system. Over the past decade, the basic set of policies grew to 21 system-level policies and 23 related standards.

Vantage was brought in to help the CSU system re-imagine its information security policy framework, focusing on reducing the number of policies and standards and ensuring that any remaining policies and standards followed an industry-recognized information security best practices framework. Ultimately Vantage’s work with the CSU system was completed in two phases.

In phase 1, we worked with CSU constituent campus information security leaders to discuss the current CSU System information security policy process. During a one-day facilitated workshop, we explored the risks and major institutional drivers around policy development. Workshop exercises focused on understanding the policy challenges the CSU System currently faces, such as a lengthy process for policy and standard creation and hard-to-read documents. Using the appreciative inquiry process, we built consensus among workshop participants around the next steps for information security policy improvement. Following the workshop, Vantage made recommendations for information security policy improvement that focused on CSU culture, policy content, and improved processes.

In phase 2, we worked with CSU system office personnel to create a standard information security policy format to be used for CSU system policies and standards and then applied that format to create a single CSU system information security policy. As part of that work, we consolidated the 21 system-level policies into one policy aligned with ISO 27002:2013 (Information technology — Security techniques — Code of practice for information security controls). Similarly, we consolidated the 23 different standards into a single standards manual designed to support the system’s new information security policy.

Our deliverables included all workshop facilitation materials, information security policy documentation, and a phased roadmap outlining future information security policy and standards improvements focused on reducing institutional risk. A key feature of this project was providing the CSU system with highly customized, approval-ready information security policy documentation.