Unit Information Security Lead (UISL) Responsibilities

The Unit Information Security Lead (UISL), in the context of the University of California IS-3 Electronic Information Security Policy, refers to the workforce member(s) assigned responsibility for the implementation and enforcement of security controls in IS-3 policy. 

At UC Santa Cruz, UISLs are liaisons between their units and the Information Security team. They address their unit’s questions about security policy compliance, including data classification and encryption requirements. UISLs also relay security risks to their Unit Heads, advocate for security best practices, and ensure their departments make risk-based decisions. 

UISLs don't need to be technical people (though they can be). Their primary responsibility is to ensure that units implement the security controls rather than personally executing them. There may be a coordination aspect for some of the tasks such as security risk briefings, vendor risk assessments, and incident response. 

At UC Santa Cruz, the UISL role has been further defined into the following three tiers, with corresponding areas of responsibility:

• Tier 1 UISLs apply basic concepts of the IS-3 Policy & Standards, such as data classification, security requirements, exception process and risk decision process, as well as understand resources available to help with these activities.
• Tier 2 UISLs meet Tier 1 objectives and perform additional activities in support of the cybersecurity needs of a unit, such as keeping track of information, systems, and Suppliers, and providing guidance on the required security controls based on the classifications for protection and availability levels.
• Tier 3 UISLs meet Tier 2 objectives and provide cybersecurity expertise where and when it is needed, facilitate risk assessments, prepare risk treatment plans, and consult with Unit Heads on risk-based decisions.

All UISLs, regardless of tier, will be invited to participate in regular and periodic sessions with the UC Santa Cruz Chief Information Security Officer (CISO) and Information Security team to learn about the latest vulnerabilities, tools, and techniques that will help keep our campus safe and secure.

UISL Expectations

• Complete the Tier 1 UISL Training. This training aims to provide UISLs with an understanding of the requirements set forth in the UC Information Security (IS-3) Policy, clarify your responsibilities as a UISL, and introduce the range of ITS services available to assist you in achieving compliance.
• Attend the UISL Quarterly Briefings. The Chief Information Security Officer (CISO) provides security and policy updates at these meetings. These meetings are recorded and published on the UISL Google Site under Past Meeting Recordings. To request access to the meetings, please navigate to the "Get Help" section below to contact the Information Security team.
• Maintain active membership in UISL Google Group (mailing list) and share announcements with your respective unit(s). Email ispolicy@ucsc.edu to request access.
• Familiarize yourself with UC IT policies and standards, including UC Santa Cruz IT policies.

• Provide guidance to your unit in topics such as the classification of data and IT resources, security exceptions process, vendor risk assessments process, and how to stay secure.

• Collaborate with Information Security. Reach out to the UISL Coordinator or Information Security team if you have any questions.

IS-3 Policy Responsibilities 

• Ensure the unit implements the required security controls outlined in policy and standards, especially with UC Minimum Security Standards. See the Unit Responsibilities page for more information.
• Develop a unit security plan and review it annually.
• Complete a unit risk assessment for P3-P4 assets or create a Risk Treatment Plan to mitigate security risk. Review and update Risk Assessments and Risk Treatment Plans in accordance with IS-3 policy.
• Review and update unit-managed access rights, including privileged access, at least annually.
• Maintain an inventory of all the unit’s P3-P4 assets (institutional information and IT Resources). Review unit assets and owner contacts periodically.
• Classify data and IT resources in your unit's area of responsibility.
• Establish procedures for handling, storing, and disposing of electronic media within the Unit. Use the UC Records Retention Schedule as a guide on how long to keep that data. 
• Work with Staff Human Resources to ensure consistent HR security processes and procedures are in place.
• Work with Procurement and Supply Chain Services to ensure proper data security provisions for Suppliers. Review requested changes to a Supplier’s security controls before approving of such changes. 

Resources

IT Policies and Standards

• UC IT Policies and Standards
• UC Santa Cruz IT Policies

Information Security 

• Classification of Data and IT Resources

• How to Stay Secure

• Minimum Security Requirements

• Practices for Protecting Electronic P3-P4 Data 

• Report an Information Security Incident 

• Requirements for Supplier Access to Sensitive Data (P3-P4) 
• Vulnerability Scans

UISL 

• UC Santa Cruz UISL Google Site
• UC Santa Cruz UISL Training
• Campus UISL/Unit Head List
• UISL Frequently Asked Questions (FAQs) 
• UC Systemwide UISL Quick Start Guide

Get Help

If you have questions about your role or responsibilities as a UISL, email the Compliance/UISL Coordinator at ispolicy@ucsc.edu or submit a ticket through the ITS Support Center.