Guide: UC Electronic Information Security Policy (IS-3)
The University of California Electronic Information Security Policy (IS-3) aims to make sure that all UC locations use the same methods to reduce and manage cyber risks, protect information, and keep IT resources running securely.
Report an information security incident
Learn how to report a compromise of the privacy, integrity, or availability of UC Santa Cruz data and systems.
About
The Information Security Policy (IS-3) aims to: protect user confidentiality; maintain the integrity of all data created, received, or collected by UC (institutional information); meet legal and regulatory requirements; and ensure timely, efficient, and secure access to information technology resources.
Roles and responsibilities
Workforce members
Including:
- Employees
- Faculty
- Staff
- Volunteers
- Contractors
- Researchers
- Student employees
- Anyone working for UC in any capacity
Workforce managers
Including any person who supervises/manages other personnel or approves work or research on behalf of the university.
In addition to Workforce Member responsibilities, Workforce Managers must:
- Keep up with training and ensure that everyone on their team completes the required training for each position, including the UC Cybersecurity Awareness Training.
- Ensure that technical staff has access to the resources it needs to carry out security duties.
- Review access rights annually and ensure that people only have access to the minimum applications needed to do their jobs.
- Remember to remove access as needed when employees leave or change roles. This includes reviewing and updating Google Drive access.
Other roles
Including: Proprietors, Researchers, Units, Unit Heads, Unit Information Security Leads (UISL), Service Providers, and suppliers
IS-3 also defines the roles and responsibilities of Proprietors, Researchers, Units, Unit Heads, Unit Information Security Leads (UISL), Service Providers, and suppliers. For more information specific to those roles, view UC Santa Cruz’s IS-3 Roles and Responsibilities video or review the IS-3 Roles and Responsibilities webpage.
For more: Roles defined in the IS-3 policy.
Consequences of non-compliance
Confirmed and serious violations of this policy may result in:
- The restriction or suspension of computer accounts and/or access to IT resources or institutional information.
- Initiating the security exception process and obtaining risk acceptance from the unit head.
Violations of IS-3 can also have negative consequences for both individual units and the entire university, such as:
- Security breaches that result in downtime, loss of business, and damage to reputation.
- The unit incurring some or all of the cost resulting from the security incident.
- Denial of cyber insurance reimbursement.
- Audit corrective actions.
Exceptions and risk acceptance
When institutional information and/or IT resources (Data Protection Levels P1-P4) cannot comply with an information security policy or standard, a unit must request a security exception.