UC Santa Cruz Information Technology Services

IT Policy Changes

IT Policy Record of Changes

UCSC Password Strength and Security Standards - update 10/22/09
UCSC Minimum Network Connectivity Requirements Policy - new UCSC policy 3/4/09
UCSC Acceptable Use Policy - update 11/19/08
UCSC Implementation Plan for Protection of Electronic Restricted Data - update May 2008
UCSC Password Policy - update 4/22/08
UCSC HIPAA Policy - update 1/22/08


UCSC Password Strength and Security Standards
Updated October 22, 2009; originally issued May 22, 2006

The primary purpose of this update was to clarify that "password vault-type" tools are acceptable for securely storing passwords, including passwords that provide access to restricted data. The update also clarifies that, per UCSC's Password Policy, these Standards are requirements for passwords that provide access to University restricted data, or where otherwise required by law, UC or campus policy, or contract.


UCSC Minimum Network Connectivity Requirements Policy
Issued March 4, 2009

UCSC's Minimum Network Connectivity Requirements Policy identifies minimum security requirements for devices connected to the campus network. It also applies to other devices used for University business purposes, regardless of ownership or location.

This policy brings a number of already-existing UC requirements to UCSC at a local level. It identifies security requirements for devices connecting to UCSC’s network and specifies that devices not meeting these requirements may be blocked or disconnected from the campus network according to our existing procedures. These requirements represent common security best practices and generally are not unique to UCSC.

The Minimum Network Connectivity Requirements address the following topics:

  1. Software Updates/Patches
  2. Malicious Software Protection
  3. Host-Based Firewall Software
  4. Access Control Measures
  5. Transmission of Restricted Data including Passwords
  6. Email Relays
  7. Network Proxy Servers
  8. Physical Security and Session Timeouts
  9. Unnecessary Network Services
  10. Security Audit Agents

Information designed to help people understand and meet these requirements is available at http://its.ucsc.edu/security_awareness/minreqmain.php.

This policy also includes a mechanism for obtaining exceptions; however, exceptions are not automatic, and special security protections may be required for exceptions to be granted.

-------------

If you have questions about the Minimum Network Connectivity Requirements Policy, please submit an IT Request ticket or contact the ITS Support Center at help@ucsc.edu, 459-HELP (4357), or in-person M-F 8AM-5PM Room 54 Kerr Hall.


UCSC Acceptable Use Policy
Updated November 19, 2008; originally issued May 26, 1992

UCSC's Policies for use of UCSC computing facilities, also known as our Acceptable Use Policy, were updated in November 2008. This policy identifies acceptable and unacceptable behavior when using campus computing resources.

The primary function of this update was to

  • clarify and update UCSC’s Acceptable Use Policy, which was originally adopted in 1992,
  • remove an obsolete requirement for individuals to register personally-owned computers in order to connect them to the campus network, and
  • incorporate related UC policy at a campus level.

Key unacceptable behaviors to be aware of include copyright and other intellectual property violations, harassment, inappropriate personal use of resources, inappropriately implying University representation or endorsement, and sending spam.

If you have questions about the Acceptable Use Policy, please submit an IT Request ticket or contact the ITS Support Center at help@ucsc.edu, 459-HELP (4357), or in-person M-F 8AM-5PM Room 54 Kerr Hall.


UCSC Implementation Plan for Protection of Electronic Restricted Data
Updated May 2008; originally issued June 6, 2003

This Implementation Plan outlines procedures relating to information security breaches and management of restricted data. The update revises campus security breach procedures to more accurately reflect actual procedures, and clarifies responsibilities and resources for protecting restricted data. It also incorporates requirements from UC policy for data inventory and incident response planning and notification.

Changes will primarily affect those with specific responsibilities for security incident response, and those directly responsible for managing our campus inventory of personal identity information (PII).

For all others, this update provides an opportunity to review some important information regarding the protection of restricted data and what to do in the case of a suspected information security breach:

Protecting Restricted Data:
Everyone in the UCSC community is responsible for the appropriate protection of restricted data. This includes being aware of what restricted data you use and store, as well as properly protecting it. Please see ITS' Restricted Data Resources web page for information and resources.

Information Security Breaches:
A security breach could include, for example, an infected computer, inappropriate disclosure or access of restricted data, unauthorized access to a computer, and theft.

Suspected security breaches should be reported to your supervisor and the ITS Support Center (contact info below). If theft of UCSC-related computing equipment is involved, also file a report with the UCSC Police Department, and with local authorities if the theft occurred away from campus.

-------------

If you have questions regarding this Implementation Plan, please submit an IT Request ticket or contact the ITS Support Center at help@ucsc.edu, 459-HELP (4357), or in-person M-F 8AM-5PM Room 54 Kerr Hall.


UCSC Password Policy
Updated April 22, 2008; originally issued February 11, 2007

The primary purpose of this update was to clarify when passwords must comply with the campus Password Standards. This is not a change in scope or requirements, but instead is an attempt to simplify the original policy language, which was somewhat difficult to dissect, and leverage UC vocabulary that has been standardized since the original policy was adopted.

  • The Password Standards are required for passwords that provide access to university restricted data, or where otherwise required by law, UC or campus policy, or contract.
  • The Password Standards are recommended for passwords that provide access to other types of confidential information.
  • Passwords that do not provide access to confidential information in any system are not required to comply with the campus Password Standards.

Please contact the ITS Support Center for technical assistance with passwords or other technical help by submitting an IT Request ticket, by email at help@ucsc.edu, telephone at 459-HELP (4357), or in-person at Kerr Hall Room 54.

Please direct questions about UCSC’s Password Policy or Standards to the ITS Support Center (contact info above).

Additional Resources:
ITS Security Awareness Web Site


UCSC HIPAA Policy
Updated January 22, 2008; originally issued December 20, 2006

Content changes:

  • Added a requirement to the detailed policy statement (Sec III) specifying that HIPAA Security Rule compliance and associated documentation for each HIPAA entity must be reviewed and updated at least annually;
  • Clarified that the policy itself will be reviewed annually in conjunction with the annual review of campus HIPAA Security Rule compliance (Sec VI);
  • Added an attachment listing all campus entities that must comply with the HIPAA Security Rule (Sec VIII).

Administrative changes:

  • Added a "last revision date" (header);
  • Two spelling corrections (Medicade --> Medicaid);
  • Updated the contact information for the ITS Support Center (Sec V);
  • Clarified that the policy was *originally* reviewed and approved on 12/20/06 (Sec VI);
  • Added the UCSC HIPAA Security Rule web page to the "References" section (Sec VII) (this web page didn't exist when the policy was originally adopted);
  • Linked to the UCSC HIPAA Security Rule web page for all attachments instead of listing separate URLs for each attachment (Sec VIII) (this web page didn't exist when the policy was originally adopted).