Guide: UC Electronic Information Security Policy (IS-3)

The University of California Electronic Information Security Policy (IS-3) aims to make sure that all UC locations use the same methods to reduce and manage cyber risks, protect information, and keep IT resources running securely.

Learn how to report a compromise of the privacy, integrity, or availability of UC Santa Cruz data and systems.

The Information Security Policy (IS-3) aims to: protect user confidentiality; maintain the integrity of all data created, received, or collected by UC (institutional information); meet legal and regulatory requirements; and ensure timely, efficient, and secure access to information technology resources.

Workforce members

Including:

  • Employees
  • Faculty
  • Staff
  • Volunteers
  • Contractors
  • Researchers
  • Student employees
  • Anyone working for UC in any capacity

Workforce managers

Including any person who supervises/manages other personnel or approves work or research on behalf of the university.

In addition to Workforce Member responsibilities, Workforce Managers must:

  • Keep up with training and ensure that everyone on their team completes the required training for each position, including the UC Cybersecurity Awareness Training. 
  • Ensure that technical staff has access to the resources it needs to carry out security duties. 
  • Review access rights annually and ensure that people only have access to the minimum applications needed to do their jobs. 
  • Remember to remove access as needed when employees leave or change roles. This includes reviewing and updating Google Drive access.

Other roles

Including: Proprietors, Researchers, Units, Unit Heads, Unit Information Security Leads (UISL), Service Providers, and suppliers

IS-3 also defines the roles and responsibilities of Proprietors, Researchers, Units, Unit Heads, Unit Information Security Leads (UISL), Service Providers, and suppliers. For more information specific to those roles, view UC Santa Cruz’s IS-3 Roles and Responsibilities video or review the IS-3 Roles and Responsibilities webpage.

For more: Roles defined in the IS-3 policy.

Confirmed and serious violations of this policy may result in:

  • The restriction or suspension of computer accounts and/or access to IT resources or institutional information.
  • Initiating the security exception process and obtaining risk acceptance from the unit head.

Violations of IS-3 can also have negative consequences for both individual units and the entire university, such as:

  • Security breaches that result in downtime, loss of business, and damage to reputation. 
  • The unit incurring some or all of the cost resulting from the security incident.
  • Denial of cyber insurance reimbursement.
  • Audit corrective actions.

When institutional information and/or IT resources (Data Protection Levels P1-P4) cannot comply with an information security policy or standard, a unit must request a security exception.

Last modified: Jun 09, 2025