IT Policy Changes

IT Policy Record of Changes

UCSC HIPAA Security Rule Compliance Policy - update December 2013
UCSC Implementation of the UC Electronic Communications Policy - update September 2012
UCSC Information Security Log Policy - NEW June 2012
Notice Regarding Disposition of and Access to Records upon Separation from Employment - update June 2012
Procedures for Blocking Network Access - update February 2012
ITS Backup Retention Standards - NEW January 2012
UCSC Password Strength and Security Standards - update January 2012
UCSC Acceptable Use Policy - update October 2011
UCSC Minimum Network Connectivity Requirements Policy - update October 2011
UCSC Password Policy - update October 2011
UCSC PII Inventory and Security Breach Procedures - update October 2011
Notice Regarding Disposition of and Access to Records upon Separation from Employment - NEW June 2011
UCSC Password Strength and Security Standards - update June 2011
UCSC HIPAA Security Rule Compliance Policy - update December 2010
UCSC PII Inventory and Security Breach Procedures - update October 2010 
UCSC PII Inventory and Security Breach Procedures - update July 2010 
UCSC Implementation of the UC Electronic Communications Policy - NEW February 2010
Policy for use of SSL certificates at UCSC - operational since 1/7/10 
UCSC Password Strength and Security Standards - update October 2009
UCSC Minimum Network Connectivity Requirements Policy - NEW March 2009
UCSC Acceptable Use Policy - update November 2008
UCSC Implementation Plan for Protection of Electronic Restricted Data - update May 2008 
UCSC Password Policy - update April 2008
UCSC HIPAA Policy - update January 2008


UCSC HIPAA Security Rule Compliance Policy
Updated December 2013; originally issued December 20, 2006. Prior updates: December 2010, January 2008

The primary purpose of this update was to shift the basis of the policy from compliance with HIPAA to consistency with the UC HIPAA Information Security Policy. Other changes were administrative in nature, such as fixing broken links.


UCSC Implementation of the UC Electronic Communications Policy (ECPI)
Updated September 2012; originally published Feb 2010

This update consisted of the following changes to Section VIII, Access Without Consent:

  • In order to align with the current campus organizational structure, authority for authorizing nonconsensual access to student electronic communications records was changed from the Vice Chancellor, Student Affairs to the Vice Provost & Dean of Undergrad Education for undergraduate students, and the Vice Provost & Dean of Graduate Studies for graduate students.
  • In order to align with a change/clarification to the UC Electronic Communications Policy (UC ECP) made in April 2011, item A.5 was added to clarify that, "[r]outine monitoring of access to institutional collections of patient and student records is not subject to the nonconsensual access provisions of the ECP because these records are collected, stored and accessed for business purposes only." A corresponding clarification was also added to the UCSC Authorization Form for Access to Electronic Communications Records without Consent.

UCSC Information Security Log Policy
Approved June 2012 - policy and related procedures

Log Policy:
Log collection and review is an important component of an information security program to identify and analyze security and other operational problems. The purpose of this policy is to establish a requirement to enable and review logs on electronic information resources (eIRs) that contain, access or transmit data classified by UCSC as confidential or restricted. This requirement supports compliance with Federal HIPAA law, Payment Card Industry regulation, UC and UCSC recommendations and industry best practice.

Log Procedures:
Log collection and review is an important component of an information security program. These procedures provide guidance regarding types of logs that should be enabled and reviewed, frequency of review, and escalation procedures. Readers are referred to the UCSC Information Security Log Policy (above) for requirements that apply to electronic information resources that contain, access or transmit data classified by UCSC as confidential or restricted.


Notice Regarding Disposition of and Access to Records upon Separation from Employment
Updated June 2011; originally published June 2011

The purpose of this update is to provide context to the Notice and to provide the following clarification regarding its use: "Where a unit incorporates this notice or an equivalent as part of its employee onboarding and offboarding process, the unit does not need to follow the procedures described in the "Access Without Consent" section of the UC Electronics Communications Policy (link below) to access records of separated employees. Guidance from Human Resources/Academic Personnel should be sought in the case of separations with special circumstances."


Procedures for Blocking Network Access
Updated February 2012; originally issued in 2002

These procedures outline campus network and security personnel's responsibility and authority to block harmful systems from the campus network. The original (2002) version of these procedures only addressed blocking devices that pose a risk to campus systems or networks. The purpose of this update is to formalize procedures for disabling compromised accounts.


ITS Backup Retention Standards
Adopted January 2012

The purpose of these standards is to

  • Clarify responsibility for establishing retention periods for backups;
  • Establish a default retention period for ITS-managed backups;
  • Establish a process for determining actual retention requirements for backups.

These standards apply to ITS-managed backups. They are not intended to replace other records retention obligations or schedules, which must be addressed separately.


UCSC Password Strength and Security Standards
Updated January 2012; originally issued May 22, 2006. Prior updates: June 2011 and October 2009

The primary purpose of this update was to:

  • Clarify which strength and complexity rules in Section II are requirements and which are "additional tips and hints".
  • Explicitly state that passwords that do not meet the requirements in these Standards or are otherwise found vulnerable by automatic password strength checkers may be rejected. This includes education that simply substituting common symbols for letters in a dictionary word, e.g. "Pa$$w0rd" instead of "Password," might result in a guessable password that will be rejected, even though it technically meets the requirements.
  • Remove the restriction on storing passwords in a computer's keychain as long as the master password meets the minimum strength and security standards stated in these Standards.
  • Provide additional advice on creating good, cryptic, hard-to-guess passwords.
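As an added illustration of the kind of automatic check the second bullet describes (this is example code, not UCSC's checker or the text of its Standards), the following Python checker first applies assumed complexity rules and then undoes common symbol-for-letter substitutions before comparing the result against a small constructed wordlist, so that "Pa$$w0rd" passes the complexity test but is still rejected:

```python
"""Illustrative password checker: complexity rules plus a de-leet dictionary check."""
import re

# Constructed stand-in for a wordlist; a real checker would load a large dictionary.
DICTIONARY = {"password", "welcome", "monkey", "letmein", "dragon", "sunshine"}

# Common symbol/digit-for-letter substitutions that guessing tools already try.
LEET_MAP = {
    "@": "a", "4": "a", "8": "b", "(": "c", "3": "e", "6": "g", "9": "g",
    "1": "i", "!": "i", "|": "i", "0": "o", "5": "s", "$": "s",
    "7": "t", "+": "t", "2": "z",
}


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Assumed complexity rules (not UCSC's actual wording): length plus four classes."""
    return (len(pw) >= min_len
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def _deleet(s: str) -> str:
    return "".join(LEET_MAP.get(c, c) for c in s)


def _strip_ends(s: str) -> str:
    # Drop leading/trailing digits and symbols, e.g. the "1" in "Pa$$w0rd1".
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def candidates(pw: str):
    """Yield normalized forms a dictionary word could hide behind."""
    lowered = pw.lower()
    mapped = _deleet(lowered)
    yield mapped                        # Pa$$w0rd  -> password
    yield _strip_ends(mapped)           # !password! -> password
    yield _deleet(_strip_ends(lowered))  # Pa$$w0rd1 -> pa$$w0rd -> password


def dictionary_hit(pw: str):
    """Return the dictionary word the password reduces to, or None."""
    for cand in candidates(pw):
        if cand in DICTIONARY:
            return cand
    return None


def check_password(pw: str):
    """Return (accepted, reason); complexity first, then the de-leet dictionary test."""
    if not meets_complexity(pw):
        return (False, "does not meet complexity requirements")
    word = dictionary_hit(pw)
    if word:
        return (False, f"reduces to dictionary word '{word}'")
    return (True, "ok")


if __name__ == "__main__":
    for sample in ("password", "Pa$$w0rd", "Pa$$w0rd1", "Redwood!Fog42Loop"):
        print(f"{sample!r}: {check_password(sample)}")
```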

UCSC Acceptable Use Policy
Updated October 2011; originally issued May 26, 1992. Prior update: November 2008

UCSC's Acceptable Use Policy identifies acceptable and unacceptable behavior when using campus computing resources.

This update consisted of the following administrative clarifications and fixes:

  • Clarified in the opening paragraph that this policy applies to all users of UCSC electronic information resources (eIRs).
  • Added an explicit statement that use of any University resources in a manner that violates the law or UC policy constitutes unacceptable behavior under this policy. This was stated indirectly, but not explicitly.
  • Other administrative fixes, including link fixes, grammatical changes, using consistent terminology throughout the policy, and updating dates.

UCSC Minimum Network Connectivity Requirements Policy
Updated October 2011; originally issued March 4, 2009.

UCSC's Minimum Network Connectivity Requirements Policy identifies minimum security requirements for devices connected to the campus network. It also applies to other devices used for University business purposes, regardless of ownership or location.

This update consisted of the following administrative clarifications and fixes:

  • Clarified in the opening paragraph that this policy applies to all devices connecting to the campus network. This is also stated later in the policy.
  • Clarified that the minimum network connectivity requirements apply to all devices connecting to the campus network, regardless of location or ownership of those devices.
  • Other administrative fixes including the removal of a redundant sentence, link fixes, and updating dates.

UCSC Password Policy
Updated October 2011; originally issued February 1, 2007. Prior update: April 2008

The Password Policy establishes the applicability of, and specific responsibilities relating to, the UCSC Password Strength and Security Standards (Password Standards). This policy applies to all passwords that provide access to UCSC electronic information resources.

This update consisted of the following administrative clarifications and fixes:

  • Clarified in the opening paragraph that this policy applies to all passwords that provide access to UCSC electronic information resources.
  • Changed some wording in the "Applicability" section to make the section more understandable.
  • Changed the contact information in the "Getting Help" section to reflect current procedures.
  • Other administrative fixes, including moving the "Definitions" section V of the policy to section II, grammatical changes, link fixes and updating dates.

UCSC PII Inventory and Security Breach Procedures
Updated October 2011; originally issued June 6, 2003. Prior updates: May 2008, July 2010, and October 2010

UCSC's PII Inventory and Security Breach Procedures outline procedures relating to information security breaches and management of personal identity information (PII) and other restricted data.

The purpose of this update was to add the Campus Registrar to the list of Campus Incident Response Team (CIRT) members. The two CIRT report templates were also consolidated into a single template (Appendix B).

-------------

If you have questions regarding these procedures, please submit an IT Request ticket or contact the ITS Support Center at help@ucsc.edu, 459-HELP (4357), or in-person M-F 8AM-5PM Room 54 Kerr Hall.


Notice Regarding Disposition of and Access to Records upon Separation from Employment
Published June 2011

The purpose of this notice is to provide a tool for units/departments to remind employees that all records they leave behind upon separation will revert to University custodianship. This will help units/departments avoid finding themselves in the position, due to lack of notification, of either having to contact a separated employee for permission to access their records or having to obtain Campus Counsel and Vice Chancellor approval to access the records.


UCSC Password Strength and Security Standards
Updated June 2011; originally issued May 22, 2006. Prior update: October 2009

The primary purpose of this update was to remove references to "passphrases," eliminating the potential implication that passphrases are distinct from passwords. Additional clarifications included changing the term "should" to "must" for requirements. Some of the educational information was also updated.


UCSC HIPAA Security Rule Compliance Policy
Updated December 2010; originally issued December 20, 2006. Prior update: January 2008

The purpose of this update was to:

  • Make necessary modifications to the Definitions and References section of the original policy to be consistent with new UC HIPAA Policies issued September 2010.
  • Clarify that in the event that this policy and UC's HIPAA Policies do not agree, UC’s Policies are controlling.
  • Reflect the transition in UCSC's HIPAA Security Official role from the Vice Chancellor of Information Technology to the campus Information Security Official (ISO). This transition required language changes in several sections of original policy.
  • Update the Background and Detailed Policy Statement sections to reflect the evolution of the campus HIPAA Security Rule Compliance Team and compliance processes.

UCSC PII Inventory and Security Breach Procedures
Updated October 2010; originally issued June 6, 2003. Prior updates: May 2008 and July 2010

UCSC's PII Inventory and Security Breach Procedures outline procedures relating to information security breaches and management of personal identity information (PII) and other restricted data.

The purpose of this update was to clarify that the response to security breaches potentially involving electronic protected health information (ePHI/HIPAA data) must follow UC's newly issued (September 2010) HIPAA Breach Response Policy and the procedures that it references instead of our local campus procedures.

-------------

If you have questions regarding these procedures, please submit an IT Request ticket or contact the ITS Support Center at help@ucsc.edu, 459-HELP (4357), or in-person M-F 8AM-5PM Room 54 Kerr Hall.


UCSC PII Inventory and Security Breach Procedures
Updated July 2010; originally issued June 6, 2003. Prior update: May 2008

UCSC's PII Inventory and Security Breach Procedures outline procedures relating to information security breaches and management of personal identity information (PII) and other restricted data.

The primary purpose of this update was to

  • Clarify that these are campus procedures, not guidelines
  • Streamline and simplify the Scope, Applicability, and Management and Protection of Electronic Restricted Data sections
  • Clarify procedures and responsibilities for identifying where PII is used and stored
  • Identify additional triggers for proactively checking for PII and removing it when possible
  • Identify procedures for security breaches involving credit card data
  • Address credit monitoring services as part of security breach notification procedures
  • Clarify responsibilities and authorities of the Vice Chancellor of Information Technology, System Stewards, Service Providers, UCSC IT Security, and the IT Policy Office; identify responsibilities of the Campus Credit Card Coordinator

-------------

If you have questions regarding these procedures, please submit an IT Request ticket or contact the ITS Support Center at help@ucsc.edu, 459-HELP (4357), or in-person M-F 8AM-5PM Room 54 Kerr Hall.


UCSC Implementation of the UC Electronic Communications Policy
Issued February 5, 2010

The UCSC Implementation of the UC Electronic Communications Policy (UCSC ECPI) details the specific manner in which the campus will carry out its responsibilities under the UC Electronic Communications Policy (UC ECP). UCSC's ECPI applies to: (1) all electronic communications services and resources operated by UCSC units, (2) all users of UCSC electronic communications services and resources, and (3) all electronic communications generated by campus units or utilizing University facilities. Areas addressed include:

  • Areas of Responsibility
  • Allowable Users
  • Allowable Uses
  • Access Restrictions
  • Access Without Consent
  • Privacy Protections and Limits
  • Use of Specific Services
  • Security

The UCSC ECPI is not intended to repeat or elaborate upon all contents of the UC ECP. Users should consult the UC ECP for complete policy information (link above).


Policy for use of SSL certificates at UCSC
Operational since January 7, 2010

The SSL Certificate Policy identifies the appropriate use of SSL (secure socket layer) certificates (certs) at UCSC. Requests for SSL certs that do not meet the requirements in this policy may be denied or subject to revocation.


UCSC Password Strength and Security Standards
Updated October 22, 2009; originally issued May 22, 2006

The primary purpose of this update was to clarify that "password vault-type" tools are acceptable for securely storing passwords, including passwords that provide access to restricted data. The update also clarifies that, per UCSC's Password Policy, these Standards are requirements for passwords that provide access to University restricted data, or where otherwise required by law, UC or campus policy, or contract.


UCSC Minimum Network Connectivity Requirements Policy
Issued March 4, 2009

UCSC's Minimum Network Connectivity Requirements Policy identifies minimum security requirements for devices connected to the campus network. It also applies to other devices used for University business purposes, regardless of ownership or location.

This policy brings a number of already-existing UC requirements to UCSC at a local level. It identifies security requirements for devices connecting to UCSC’s network and specifies that devices not meeting these requirements may be blocked or disconnected from the campus network according to our existing procedures. These requirements represent common security best practices and generally are not unique to UCSC.

The Minimum Network Connectivity Requirements address the following topics:

  1. Software Updates/Patches
  2. Malicious Software Protection
  3. Host-Based Firewall Software
  4. Access Control Measures
  5. Transmission of Restricted Data including Passwords
  6. Email Relays
  7. Network Proxy Servers
  8. Physical Security and Session Timeouts
  9. Unnecessary Network Services
  10. Security Audit Agents

Information designed to help people understand and meet these requirements is available at Minimum Network Connectivity Requirements.

This policy also includes a mechanism for obtaining exceptions; however, exceptions are not automatic, and special security protections may be required for exceptions to be granted.

-------------

If you have questions about the Minimum Network Connectivity Requirements Policy, please submit an IT Request ticket or contact the ITS Support Center at help@ucsc.edu, 459-HELP (4357), or in-person M-F 8AM-5PM Room 54 Kerr Hall.


UCSC Acceptable Use Policy
Updated November 19, 2008; originally issued May 26, 1992

UCSC's Policies for use of UCSC computing facilities, also known as our Acceptable Use Policy, were updated in November 2008. This policy identifies acceptable and unacceptable behavior when using campus computing resources.

The primary function of this update was to

  • clarify and update UCSC’s Acceptable Use Policy, which was originally adopted in 1992,
  • remove an obsolete requirement for individuals to register personally-owned computers in order to connect them to the campus network, and
  • incorporate related UC policy at a campus level.

Key unacceptable behaviors to be aware of include copyright and other intellectual property violations, harassment, inappropriate personal use of resources, inappropriately implying University representation or endorsement, and sending spam.

If you have questions about the Acceptable Use Policy, please submit an IT Request ticket or contact the ITS Support Center at help@ucsc.edu, 459-HELP (4357), or in-person M-F 8AM-5PM Room 54 Kerr Hall.


UCSC Implementation Plan for Protection of Electronic Restricted Data
Updated and renamed July 2010. Updated May 2008; originally issued June 6, 2003.

This Implementation Plan outlines procedures relating to information security breaches and management of restricted data. The update revises campus security breach procedures to more accurately reflect actual procedures, and clarifies responsibilities and resources for protecting restricted data. It also incorporates requirements from UC policy for data inventory and incident response planning and notification.

Changes will primarily affect those with specific responsibilities for security incident response, and those directly responsible for managing our campus inventory of personal identity information (PII).

For all others, this update provides an opportunity to review some important information regarding the protection of restricted data and what to do in the case of a suspected information security breach:

Protecting Restricted Data:
Everyone in the UCSC community is responsible for the appropriate protection of restricted data. This includes being aware of what restricted data you use and store, as well as properly protecting it. Please see ITS' Restricted Data Resources web page for information and resources.

Information Security Breaches:
A security breach could include, for example, an infected computer, inappropriate disclosure or access of restricted data, unauthorized access to a computer, and theft.

Suspected security breaches should be reported to your supervisor and the ITS Support Center (contact info below). If theft of UCSC-related computing equipment is involved, also file a report with the UCSC Police Department, and with local authorities if the theft occurred away from campus.

-------------

If you have questions regarding this Implementation Plan, please submit an IT Request ticket or contact the ITS Support Center at help@ucsc.edu, 459-HELP (4357), or in-person M-F 8AM-5PM Room 54 Kerr Hall.


UCSC Password Policy
Updated April 22, 2008; originally issued February 11, 2007

The primary purpose of this update was to clarify when passwords must comply with the campus Password Standards. This is not a change in scope or requirements, but instead is an attempt to simplify the original policy language, which was somewhat difficult to dissect, and leverage UC vocabulary that has been standardized since the original policy was adopted.

  • The Password Standards are required for passwords that provide access to university restricted data, or where otherwise required by law, UC or campus policy, or contract.
  • The Password Standards are recommended for passwords that provide access to other types of confidential information.
  • Passwords that do not provide access to confidential information in any system are not required to comply with the campus Password Standards.

Please contact the ITS Support Center for technical assistance with passwords or other technical help by submitting an IT Request ticket, by email at help@ucsc.edu, telephone at 459-HELP (4357), or in-person at Kerr Hall Room 54.

Please direct questions about UCSC’s Password Policy or Standards to the ITS Support Center (contact info above).

Additional Resources: 
ITS Security Web Site


UCSC HIPAA Policy
Updated January 22, 2008; originally issued December 20, 2006

Content changes:

  • Added a requirement to the detailed policy statement (Sec III) specifying that HIPAA Security Rule compliance and associated documentation for each HIPAA entity must be reviewed and updated at least annually;
  • Clarified that the policy, itself, will be reviewed annually in conjunction with the annual review of campus HIPAA Security Rule compliance (Sec VI);
  • Added an attachment listing all campus entities that must comply with the HIPAA Security Rule (Sec VIII).

Administrative changes:

  • Added a "last revision date" (header);
  • Two spelling corrections (Medicade --> Medicaid);
  • Updated the contact information for the ITS Support Center (Sec V);
  • Clarified that the policy was *originally* reviewed and approved on 12/20/06 (Sec VI);
  • Added the UCSC HIPAA Security Rule web page to the "References" section (Sec VII) (this web page didn't exist when the policy was originally adopted);
  • Linked to the UCSC HIPAA Security Rule web page for all attachments instead of listing separate URLs for each attachment (Sec VIII) (this web page didn't exist when the policy was originally adopted).