Information Technology Services

Wave pattern

Project: Information Security Investment Plan (ISIP)

Colleges and universities across the United States face more frequent and sophisticated cybersecurity threats. In 2024, University of California President Dr. Michael V. Drake notified all UC locations of new requirements for campus information security investment plans. The Information Security Investment Plan (ISIP), is how UC Santa Cruz is implementing these requirements. Read President Drake’s letter (PDF)

About this project

Project contact

Please contact the Chief Information Security Officer’s office.

Orange dash

Project requirements

The UC cybersecurity mandate requires that all UC Santa Cruz employees, including faculty, staff, and student employees, meet six cybersecurity requirements by May 2025:

  1. Cybersecurity awareness training
    • “Ensure cybersecurity awareness training for 100 percent of location employees.”
  2. Cyber incident escalation response
    • “Ensure timely cyber escalation of incidents in alignment with UC Incident response and cybersecurity escalation standards.”
  3. Computing device identification and management
    • “Ensure identification, tracking and vulnerability management of all computing devices connected to university networks.”
  4. Endpoint detection and response (EDR)
    • “Deploy and manage UC-approved endpoint detection and recovery (EDR) software on 100 percent of assets defined by UC EDR deployment standards.”
  5. Multi-factor Authentication (MFA)
    • “Deploy, enable, and configure multi-factor authentication (MFA) on 100 percent of campus and health email systems in conformance with established UC MFA configuration standards.”
  6. Data Loss Prevention (DLP) for Health Email Systems
    • “Deploy and configure a robust data loss prevention (DLP) solution for all health email systems to mitigate unauthorized data exfiltration.”
Orange dash

High-level timeline

The ISIP timeline was developed in consultation with campus leadership, representatives from the Committee on Information Technology (CIT), appointed representatives from academic divisions, and technical experts within ITS.

May 2024

Project initiation

The ISIP project at UC Santa Cruz was formally initiated in response to the letter from President Drake.

June – August 2024

Discovery

Comprehensive review and documentation of the current state of systems and processes in order to assess readiness for meeting the cybersecurity requirements.

August – October 2024

Strategy

Development of a comprehensive and appropriately scoped implementation and change management approach to meeting the requirements by the May 2025 deadline.

October 2024 – April 2025

Development

Technical development, user experience design, communication planning, and support readiness activities.

April – May 2025

Implementation

Phased rollout of ISIP requirements, including training reminders and enforcement, security software updates (automatic deployment and manual), and enforcement of Verified Access requirements for systems on UC networks.

May 28, 2025

Compliance deadline

Deadline for complying with all six requirements from President Drake.

Orange dash

Campus engagement

The complexity of this initiative, inter-connectedness with campus technologies and processes, and the relatively short timeline to implementation, has necessitated engagement and close collaboration with numerous stakeholders, including:

  • Monthly briefings with the Chancellor
  • Regular engagement with Academic and IT governance committees
  • Weekly meetings with Office of Research
  • Quarterly briefings with Unit Information Security Leads (UISLs)
  • Multiple engagements with campus information technology professionals
  • Campuswide emails
Last modified: May 08, 2025