Major revisions to the Electronic Information Security Policy

February 01, 2019

The University of California Office of the President has issued major revisions to the Electronic Information Security Policy (IS-3) following a systemwide review.

We would like to highlight a few of those changes in this message. The full policy is available online.

The policy was revised to provide an updated security framework that protects UC’s institutional information/data and IT resources from accidental or intentional unauthorized access, loss or damage. It follows both a standards- and risk-based approach to information security.

The policy now recognizes a set of best practices and security controls that are crucial for UC to:

  • obtain cybersecurity insurance
  • ensure faculty are eligible for certain federal research/grant contracts
  • comply with standards from the federal Department of Education
  • comply with the Office of Civil Rights guidance on HIPAA compliance and PCI 3.X

The revised policy will replace the current IS-3 policy and retire the Inventory, Classification, and Release of University Electronic Information (IS-2) and Systems Development Standards (IS-10) policies and the Incident Response Guide.

An Office of the President website also provides guidance on frequently asked questions https://security.ucop.edu/policies/frequently-asked-questions.html.

For questions about the implementation of this policy on the UC Santa Cruz campus, email ITpolicy@ucsc.edu.