Introducing the UC IS-3: Electronic Information Security Policy

October 01, 2019


Ready to be a pinball wizard? The goal is to keep the ball rolling by improving our security posture. Flippers are the primary way to move a ball through the playfield; they introduce the security controls available to us. Work hard to avoid the traps and holes which can represent threats, risks and vulnerabilities. The bumpers help keep the ball in play and your score goes up, showing an increase in security maturity and resilience.

Pull the plunger and let’s get that ball in motion.

What is it, why is it needed?

The IS-3 is a systemwide policy that helps to:

  • Protect user confidentiality.
  • Maintain the integrity of all data created, received or collected by UC (Institutional Information).
  • Meet legal and regulatory requirements.
  • Ensure timely, efficient and secure access to information technology resources (IT Resources).

Security is a Shared Responsibility

There are many roles defined within the policy. Let’s cover the two most common.

Workforce Member

  • Employee, faculty, staff, volunteer, contractor, researcher, student worker.

All Workforce Members are responsible for ensuring the protection of Institutional Information and IT Resources.

  • Follow minimum security standards.
  • Complete all assigned security-related training. 
  • Promptly report violations and gaps or failures of information security controls, including:
    • Unnecessary access rights that are outside assigned roles or responsibilities.
    • Use of any supplier or service not provided by UC when used to store or process Institutional Information.
  • If you're not sure what to do, ask.

Workforce member quick start guide

Workforce Manager

  • A person who supervises/manages other personnel or approves work or research on behalf of the University.

In addition to Workforce Member responsibilities, add in:

    • Keep up with training. Ensure your team completes training required for their positions. Everyone must complete a basic cybersecurity awareness training module. Make sure your technical staff has access to the resources it needs to complete security duties.
    • Review access rights annually. Follow the principle of least access privilege to ensure people only have access to the minimum applications needed to do their jobs. Remember to remove access as needed when employees leave or change roles.

Impacts of not complying

For Workforce Members:

    • Confirmed serious violations of this policy may result in sanctions, such as:
      • Restriction or suspension of computer accounts and/or access to IT Resources or Institutional Information.
      • Employment or educational consequences, up to and including disciplinary actions and termination.

For Units and Campus:

    • Breaches
      • Downtime, time to recover, loss of business, reputation.
    • Cost of an Information Security incident
      • Significant failure to comply with this policy may result in denial of cyber insurance reimbursement.
    • Audits
      • Findings based on IS-3 or other security standards may result in management corrective actions.

You'll be hearing more about ways you can comply with this policy throughout the month of October. Always remember, if you're not sure what to do, ask.

OPEN A SUPPORT TICKET

Call:  831-459-HELP (9-4357)

Email:  help@ucsc.edu