IT Policy Changes

IT Policy Record of Changes

Acceptable Use Policy - update May 2015
Minimum Network Connectivity Requirements Policy - update May 2015
Scanning for Personally Identifiable Information (PII) on Campus Systems - update May 2015
Digital Certificate Policy Appendix A - update March 2015
Policy Review Cycle - update February 2015
UCSC Password Policy - update January 2015
UCSC PII Inventory and Security Breach Procedures - update January 2015
ITS Routine System Monitoring Practices - update 8/1/14
UCSC Digital Certificate Policy - update March 2014
UCSC HIPAA Security Rule Compliance Policy - update December 2013
UCSC Implementation of the UC Electronic Communications Policy - update September 2012
UCSC Information Security Log Policy - NEW June 2012
Notice Regarding Disposition of and Access to Records upon Separation from Employment - update June 2012
Procedures for Blocking Network Access - update February 2012
ITS Backup Retention Standards - NEW January 2012; REMOVED July 2014 (replaced by service definition)
UCSC Password Strength and Security Standards - update January 2012
UCSC Acceptable Use Policy - update October 2011
UCSC Minimum Network Connectivity Requirements Policy - update October 2011
UCSC Password Policy - update October 2011
UCSC PII Inventory and Security Breach Procedures - update October 2011
Notice Regarding Disposition of and Access to Records upon Separation from Employment - NEW June 2011
UCSC Password Strength and Security Standards - update June 2011
UCSC HIPAA Security Rule Compliance Policy - update December 2010
UCSC PII Inventory and Security Breach Procedures - update October 2010
UCSC PII Inventory and Security Breach Procedures - update July 2010
UCSC Implementation of the UC Electronic Communications Policy - NEW February 2010
Policy for use of SSL certificates at UCSC - operational since 1/7/10
UCSC Password Strength and Security Standards - update October 2009
UCSC Minimum Network Connectivity Requirements Policy - NEW March 2009
UCSC Acceptable Use Policy - update November 2008
UCSC Implementation Plan for Protection of Electronic Restricted Data - update May 2008
UCSC Password Policy - update April 2008
UCSC HIPAA Policy - update January 2008


Acceptable Use Policy
Updated May 2015;
originally issued May 26, 1992. Prior updates: October 2011, November 2008

The Acceptable Use Policy identifies appropriate and inappropriate uses of UCSC electronic information resources. Regular review was initiated in October 2013. The updated version includes the following changes:

  • Rewrote the Accessibility and Anonymity sections (Sec II.4 and II.5, respectively) to mirror the UC Electronic Communications Policy; removed campus-specific language.
  • Removed requirements relating to “Off-Campus Network Connections” as out of scope because they addressed non-UCSC resources.
  • Related change: The definition of UCSC "Electronic Information Resources" (http://its.ucsc.edu/policies/glossary.html#e) was modified to include services that UCSC provides, including through contracts with the university. This is not actually a change, but a clarification that the term includes all campus-provided electronic services.

Minimum Network Connectivity Requirements Policy
Updated May 2015;
originally issued March 4, 2009. Prior update: October 2011

UCSC's  Minimum Network Connectivity Requirements Policy identifies minimum security requirements for devices connected to the campus network. It also applies to other devices used for University business purposes, regardless of ownership or location. Regular review was initiated in October 2013. The updated version includes the following changes:

  • Sec III, Detailed Policy Statement: Expanded the explicit list of conditions for blocking or disconnecting a device from the campus network to include “devices found to be disruptive to the operation of the campus network”.
  • Sec III.B: Removed UCSC-specific requirements relating to “Transmission of Restricted Data” and “Physical Security” as out of scope because they go beyond minimum requirements.
  • Sec IV, Exceptions: Simplified this section. Removed preamble and simplified statement of requirements surrounding exceptions to this policy.

Scanning for Personally Identifiable Information (PII) on Campus Systems
Updated May 2015;
originally issued April 2006.

This document outlines authorities and requirements for scanning systems for personal information such as Social Security Numbers. Regular review was initiated in October 2013. The updated version includes the following changes:

  • Added a “Scope” statement to clarify that the model applies to scans performed outside of ITS’ Routine System Monitoring Practices.
  • Added that if an exemption from a scan is requested, “additional security controls may be required for data excluded from scans.”
  • Addressed the situation where it may not be possible or practical for IT Security to provide advance notice of a scan in response to a potential security incident (Sec III).
  • Significant structural changes were made to this document (combining and reorganizing sections). Content is not affected by these changes, but they are notable enough to mention here.

Digital Certificate Policy Appendix A
Updated March 2015;
originally issued January 7, 2010. Prior update: March 2014

Changed Appendix A, Server Certificate and Related Configuration Requirements, to base the requirements on an industry standard and vulnerability scans instead of on locally developed requirements. The Service Team selected Qualys SSL Labs "SSL/TLS Deployment Best Practices" as the industry standard. Certificate renewal requirements are unchanged. Please see the link at the beginning of this section for details.


Policy Review Cycle
Updated February 2015

As of February 2015, ITS is adopting UC's standard 5-year policy review cycle for all IT policies. Significant changes related to a policy will trigger an earlier review.


UCSC Password Policy
Updated January 2015;
originally issued February 1, 2007. Prior updates: Oct 2011, April 2008

The Password Policy was due for regular review in October 2013. The updated version includes the following changes from the current version (last updated October 2011):

  • No substantive changes are recommended for this policy. A footnote was added to explicitly reference and link to the associated Password Strength and Security Standards, and outdated or broken links have been fixed.
  • Recommendations for updates to the Password Strength and Security Standards were received and will be considered separate from this policy update.

UCSC PII Inventory and Security Breach Procedures
Updated January 2015;
originally issued June 6, 2003. Prior updates: Oct 2011, Oct 2010, July 2010, and May 2008

UCSC's Security Breach Procedures were updated to incorporate relevant portions of UC's Privacy and Data Security Incident Response Plan (UC IR Plan). Changes included:

  • Added “significant” and “high-visibility” incidents to the scope of the breach procedures, plus definitions for these terms
  • Additions and clarifications to roles and responsibilities consistent with the UC IR Plan
  • Incorporated use of UC's current security breach reporting tool
  • Clarified that decisions to disrupt services must be made in conjunction with the System Steward
  • Modified Appendices A & B (incident report forms) to align with the UC IR Plan requirements; also clarified responsibility for completion of forms and routing to VC IT
  • Added an Incident Response Checklist (Appendix C) for use by the Campus Incident Response Team, consistent with the UC IR Plan
  • Removed old Appendix C (Final Incident Report) and Appendix E (process diagram) as obsolete. Final Incident Report was replaced by UC's security breach reporting tool.
  • Added references to "University of California Information Breach Decision Tree for California State Law" (new Appendix E) and “Information Breach Decision Checklist for HIPAA,” plus procedures for when each must be used
  • Updated office names, titles, and links

ITS Routine System Monitoring Practices
Updated August 2014

The UC Electronic Communications Policy requires providers of electronic communications services to document and make available to their users general information about routine monitoring practices used to ensure the integrity and reliability of systems under their control. ITS’ Routine System Monitoring Practices identify routine monitoring activities and related policies and practices.

The Routine System Monitoring Practices were due for regular review in July 2013. The updated version includes the following changes from the previous version:

  • Section I, “Routine system monitoring activities,” was significantly expanded to more clearly identify the types and scope of routine monitoring performed. This section much more accurately reflects ITS’ routine monitoring activities.
  • Other administrative changes: Minor language tweaks and clarifications, fixed outdated and broken links, removed an obsolete footnote reference.

UCSC Digital Certificate Policy
Updated March 2014; originally issued January 7, 2010.

The purpose of this policy is to identify the appropriate use and implementation of digital certificates at UCSC, in support of UCSC's Minimum Network Connectivity Requirements.

The current version of this policy includes the following changes from the 2010 version:

  • Incorporated the ITS Digital Certificate Service into the policy, including the addition of a requirement that all University-related certificates must be issued by the Service.
  • Added additional information about how digital certificates are used to the Introduction/Overview. Also added a policy applicability statement.
  • Expanded and clarified requirements around wildcard certificates, and expanded the scope of this section to include Subject Alternative Name (SAN) and Unified Communication Certificate (UCC) certificates.
  • Updated requirements around self-signed certificates and situations under which they are allowed.
  • Simplified the section on “Private Key Management” and added a security requirement addressing departing employees with access to private keys that protect restricted data.
  • Identified circumstances under which certificates must be revoked.
  • Reframed the “Exceptions” section as “Conditions Requiring Additional Approval”.
  • Clarified that UCSC’s Digital Certificate Service Team is responsible for identifying when requirements in the Appendix need to be updated. Also added that “the affected community will be notified of significant changes.”
  • Updated and clarified Server Certificate and Related Configuration Requirements (Appendix A) and Certificate Authority (CA) requirements (Appendix B).
  • Deleted Appendix C, “Purchasing SSL Certificates”. This has been replaced by the requirement to use the ITS Certificate Service.
  • Other administrative changes: Re-ordered requirements for clarity; minor language tweaks and clarifications; fixed outdated and broken links.

UCSC HIPAA Security Rule Compliance Policy
Updated December 2013; originally issued December 20, 2006. Prior updates: December 2010, January 2008

The primary purpose of this update was to shift the basis of the policy from compliance with HIPAA to consistency with the UC HIPAA Information Security Policy. Other changes were administrative in nature, such as fixing broken links.


UCSC Implementation of the UC Electronic Communications Policy (ECPI)
Updated August 2016

This update consisted of the following changes to Section VIII, Access Without Consent:

  • In order to align with the current campus organizational structure, authority for authorizing nonconsensual access to student electronic communications records was changed from the Vice Chancellor, Student Affairs to the Vice Provost & Dean of Undergrad Education for undergraduate students, and the Vice Provost & Dean of Graduate Studies for graduate students.
  • In order to align with a change/clarification to the UC Electronic Communications Policy (UC ECP) made in April 2011, item A.5 was added to clarify that, "[r]outine monitoring of access to institutional collections of patient and student records is not subject to the nonconsensual access provisions of the ECP because these records are collected, stored and accessed for business purposes only." A corresponding clarification was also added to the UCSC Authorization Form for Access to Electronic Communications Records without Consent.

UCSC Information Security Log Policy
Approved June 2012 - policy and related procedures

Log Policy:
Log collection and review is an important component of an information security program to identify and analyze security and other operational problems. The purpose of this policy is to establish a requirement to enable and review logs on electronic information resources (eIRs) that contain, access or transmit data classified by UCSC as confidential or restricted. This requirement supports compliance with Federal HIPAA law, Payment Card Industry regulation, UC and UCSC recommendations and industry best practice.

Log Procedures:
Log collection and review is an important component of an information security program. These procedures provide guidance regarding types of logs that should be enabled and reviewed, frequency of review, and escalation procedures. Readers are referred to the UCSC Information Security Log Policy (above) for requirements that apply to electronic information resources that contain, access or transmit data classified by UCSC as confidential or restricted.


Notice Regarding Disposition of and Access to Records upon Separation from Employment
Updated June 2012; originally published June 2011

The purpose of this update is to provide context to the Notice and to provide the following clarification regarding its use: "Where a unit incorporates this notice or an equivalent as part of its employee onboarding and offboarding process, the unit does not need to follow the procedures described in the "Access Without Consent" section of the UC Electronic Communications Policy (link below) to access records of separated employees. Guidance from Human Resources/Academic Personnel should be sought in the case of separations with special circumstances."


Procedures for Blocking Network Access
Updated February 2012; originally issued in 2002

These procedures outline campus network and security personnel's responsibility and authority to block harmful systems from the campus network. The original (2002) version of these procedures only addressed blocking devices that pose a risk to campus systems or networks. The purpose of this update is to formalize procedures for disabling compromised accounts.


ITS Backup Retention Standards
Adopted January 2012
REMOVED JULY 2014 - replaced by Data Center Backup Service description

The purpose of these standards is to

  • Clarify responsibility for establishing retention periods for backups;
  • Establish a default retention period for ITS-managed backups;
  • Establish a process for determining actual retention requirements for backups.

These standards apply to ITS-managed backups. They are not intended to replace other records retention obligations or schedules, which must be addressed separately.


UCSC Password Strength and Security Standards
Updated January 2012; originally issued May 22, 2006. Prior updates: June 2011 and October 2009

The primary purpose of this update was to:

  • Clarify which strength and complexity rules in Section II are requirements and which are "additional tips and hints".
  • Explicitly state that passwords that do not meet the requirements in these Standards or are otherwise found vulnerable by automatic password strength checkers may be rejected. This includes education that simply substituting common symbols for letters in a dictionary word, e.g. "Pa$$w0rd" instead of "Password," might result in a guessable password that will be rejected, even though it technically meets the requirements.
  • Remove the restriction on storing passwords in a computer's keychain as long as the master password meets the minimum strength and security standards stated in these Standards.
  • Provide additional advice on creating good, cryptic, hard-to-guess passwords.

UCSC Acceptable Use Policy
Updated October 2011; originally issued May 26, 1992. Prior update: November 2008

UCSC's Acceptable Use Policy identifies acceptable and unacceptable behavior when using campus computing resources.

This update consisted of the following administrative clarifications and fixes:

  • Clarified in the opening paragraph that this policy applies to all users of UCSC electronic information resources (eIRs).
  • Added an explicit statement that use of any University resources in a manner that violates the law or UC policy constitutes unacceptable behavior under this policy. This was stated indirectly, but not explicitly.
  • Other administrative fixes, including link fixes, grammatical changes, using consistent terminology throughout the policy, and updating dates.

UCSC Minimum Network Connectivity Requirements Policy
Updated October 2011; originally issued March 4, 2009.

UCSC's  Minimum Network Connectivity Requirements Policy identifies minimum security requirements for devices connected to the campus network. It also applies to other devices used for University business purposes, regardless of ownership or location.

This update consisted of the following administrative clarifications and fixes:

  • Clarified in the opening paragraph that this policy applies to all devices connecting to the campus network. This is also stated later in the policy.
  • Clarified that the minimum network connectivity requirements apply to all devices connecting to the campus network, regardless of location or ownership of those devices.
  • Other administrative fixes, including the removal of a redundant sentence, link fixes, and updating dates.

UCSC Password Policy
Updated October 2011; originally issued February 1, 2007. Prior update: April 2008

The Password Policy establishes the applicability of, and specific responsibilities relating to, the UCSC Password Strength and Security Standards (Password Standards). This policy applies to all passwords that provide access to UCSC electronic information resources.

This update consisted of the following administrative clarifications and fixes:

  • Clarified in the opening paragraph that this policy applies to all passwords that provide access to UCSC electronic information resources.
  • Changed some wording in the "Applicability" section to make the section more understandable.
  • Changed the contact information in the "Getting Help" section to reflect current procedures.
  • Other administrative fixes, including moving the "Definitions" section V of the policy to section II, grammatical changes, link fixes and updating dates.

UCSC PII Inventory and Security Breach Procedures
Updated October 2011; originally issued June 6, 2003. Prior updates: May 2008, July 2010, and October 2010

UCSC's  PII Inventory and Security Breach Procedures outline procedures relating to information security breaches and management of personally identifiable information (PII) and other restricted data.

The purpose of this update was to add the Campus Registrar to the list of Campus Incident Response Team (CIRT) members. The two CIRT report templates were also consolidated into a single template (Appendix B).

-------------

If you have questions regarding these procedures, please submit a SlugHub ticket or contact the ITS Support Center at help@ucsc.edu or 459-HELP (4357).


Notice Regarding Disposition of and Access to Records upon Separation from Employment
Published June 2011

The purpose of this notice is to provide a tool for units/departments to remind employees that all records they leave behind upon separation will revert to University custodianship. This will help units/departments avoid finding themselves in the position, due to lack of notification, of either having to contact a separated employee for permission to access their records or having to obtain Campus Counsel and Vice Chancellor approval to access the records.


UCSC Password Strength and Security Standards
Updated June 2011; originally issued May 22, 2006. Prior update: October 2009

The primary purpose of this update was to remove references to "passphrases," eliminating the potential implication that passphrases are distinct from passwords. Additional clarifications included changing the term "should" to "must" for requirements. Some of the educational information was also updated.


UCSC HIPAA Security Rule Compliance Policy
Updated December 2010; originally issued December 20, 2006. Prior update: January 2008

The purpose of this update was to:

  • Make necessary modifications to the Definitions and References section of the original policy to be consistent with new UC HIPAA Policies issued September 2010.
  • Clarify that in the event that this policy and UC's HIPAA Policies do not agree, UC’s Policies are controlling.
  • Reflect the transition in UCSC's HIPAA Security Official role from the Vice Chancellor of Information Technology to the campus Information Security Official (ISO). This transition required language changes in several sections of original policy.
  • Update the Background and Detailed Policy Statement sections to reflect the evolution of the campus HIPAA Security Rule Compliance Team and compliance processes.

UCSC PII Inventory and Security Breach Procedures
Updated October 2010;  originally issued June 6, 2003. Prior updates: May 2008 and  July 2010

UCSC's  PII Inventory and Security Breach Procedures outline procedures relating to information security breaches and management of personally identifiable information (PII) and other restricted data.

The purpose of this update was to clarify that the response to security breaches potentially involving electronic protected health information (ePHI/HIPAA data) must follow UC's newly issued (September 2010)  HIPAA Breach Response Policy and the procedures that it references instead of our local campus procedures.



UCSC PII Inventory and Security Breach Procedures
Updated July 2010;  originally issued June 6, 2003. Prior update: May 2008

UCSC's  PII Inventory and Security Breach Procedures outline procedures relating to information security breaches and management of personally identifiable information (PII) and other restricted data.

The primary purpose of this update was to

  • Clarify that these are campus procedures, not guidelines
  • Streamline and simplify the Scope, Applicability, and Management and Protection of Electronic Restricted Data sections
  • Clarify procedures and responsibilities for identifying where PII is used and stored
  • Identify additional triggers for proactively checking for PII and removing it when possible
  • Identify procedures for security breaches involving credit card data
  • Address credit monitoring services as part of security breach notification procedures
  • Clarify responsibilities and authorities of the Vice Chancellor of Information Technology, System Stewards, Service Providers, UCSC IT Security, and the IT Policy Office; identify responsibilities of the Campus Credit Card Coordinator



UCSC Implementation of the UC Electronic Communications Policy
Issued February 5, 2010

The UCSC Implementation of the UC Electronic Communications Policy (UCSC ECPI) details the specific manner in which the campus will carry out its responsibilities under the UC Electronic Communications Policy (UC ECP). UCSC's ECPI applies to: (1) all electronic communications services and resources operated by UCSC units, (2) all users of UCSC electronic communications services and resources, and (3) all electronic communications generated by campus units or utilizing University facilities. Areas addressed include:

  • Areas of Responsibility
  • Allowable Users
  • Allowable Uses
  • Access Restrictions
  • Access Without Consent
  • Privacy Protections and Limits
  • Use of Specific Services
  • Security

The UCSC ECPI is not intended to repeat or elaborate upon all contents of the UC ECP. Users should consult the UC ECP for complete policy information (link above).


Policy for use of SSL certificates at UCSC
Operational since January 7, 2010

The  SSL Certificate Policy identifies the appropriate use of SSL (secure socket layer) certificates (certs) at UCSC. Requests for SSL certs that do not meet the requirements in this policy may be denied or subject to revocation.


UCSC Password Strength and Security Standards
Updated October 22, 2009;  originally issued May 22, 2006

The primary purpose of this update was to clarify that "password vault-type" tools are acceptable for securely storing passwords, including passwords that provide access to restricted data. The update also clarifies that, per UCSC's  Password Policy, these Standards are requirements for passwords that provide access to University restricted data, or where otherwise required by law, UC or campus policy, or contract.


UCSC Minimum Network Connectivity Requirements Policy
Issued March 4, 2009

UCSC's  Minimum Network Connectivity Requirements Policy identifies minimum security requirements for devices connected to the campus network. It also applies to other devices used for University business purposes, regardless of ownership or location.

This policy brings a number of already-existing UC requirements to UCSC at a local level. It identifies security requirements for devices connecting to UCSC’s network and specifies that devices not meeting these requirements may be blocked or disconnected from the campus network according to our existing procedures. These requirements represent common security best practices and generally are not unique to UCSC.

The Minimum Network Connectivity Requirements address the following topics:

  1. Software Updates/Patches
  2. Malicious Software Protection
  3. Host-Based Firewall Software
  4. Access Control Measures
  5. Transmission of Restricted Data including Passwords
  6. Email Relays
  7. Network Proxy Servers
  8. Physical Security and Session Timeouts
  9. Unnecessary Network Services
  10. Security Audit Agents

Information designed to help people understand and meet these requirements is available at: Minimum Network Connectivity Requirements.

This policy also includes a mechanism for obtaining exceptions; however, exceptions are not automatic, and special security protections may be required for exceptions to be granted.

-------------

If you have questions about the  Minimum Network Connectivity Requirements Policy, please submit a SlugHub ticket or contact the ITS Support Center at help@ucsc.edu or 459-HELP (4357).


UCSC Acceptable Use Policy
Updated November 19, 2008;  originally issued May 26, 1992

UCSC's  Policies for use of UCSC computing facilities, also known as our  Acceptable Use Policy, were updated in November 2008. This policy identifies acceptable and unacceptable behavior when using campus computing resources.

The primary function of this update was to

  • clarify and update UCSC’s Acceptable Use Policy, which was originally adopted in 1992,
  • remove an obsolete requirement for individuals to register personally-owned computers in order to connect them to the campus network, and
  • incorporate related UC policy at a campus level.

Key unacceptable behaviors to be aware of include copyright and other intellectual property violations, harassment, inappropriate personal use of resources, inappropriately implying University representation or endorsement, and sending spam.

If you have questions about the  Acceptable Use Policy, please submit a SlugHub ticket or contact the ITS Support Center at help@ucsc.edu or 459-HELP (4357).


UCSC Implementation Plan for Protection of Electronic Restricted Data
Updated and renamed July 2010; updated May 2008; originally issued June 6, 2003

This Implementation Plan outlines procedures relating to information security breaches and management of restricted data. The update revises campus security breach procedures to more accurately reflect actual procedures, and clarifies responsibilities and resources for protecting restricted data. It also incorporates requirements from UC policy for data inventory and incident response planning and notification.

Changes will primarily affect those with specific responsibilities for security incident response, and those directly responsible for managing our campus inventory of personally identifiable information (PII).

For all others, this update provides an opportunity to review some important information regarding the protection of restricted data and what to do in the case of a suspected information security breach:

Protecting Restricted Data:
Everyone in the UCSC community is responsible for the appropriate protection of restricted data. This includes being aware of what restricted data you use and store, as well as properly protecting it. Please see ITS' Restricted Data Resources web page for information and resources.

Information Security Breaches:
A security breach could include, for example, an infected computer, inappropriate disclosure or access of restricted data, unauthorized access to a computer, and theft.

Suspected security breaches should be reported to your supervisor and the ITS Support Center (contact info below). If theft of UCSC-related computing equipment is involved, also file a report with the UCSC Police Department, and with local authorities if the theft occurred away from campus.

-------------

If you have questions regarding this Implementation Plan, please submit a SlugHub ticket or contact the ITS Support Center at help@ucsc.edu or 459-HELP (4357).


UCSC Password Policy
Updated April 22, 2008;  originally issued February 11, 2007

The primary purpose of this update was to clarify when passwords must comply with the campus  Password Standards. This is not a change in scope or requirements, but instead is an attempt to simplify the original policy language, which was somewhat difficult to dissect, and leverage UC vocabulary that has been standardized since the original policy was adopted.

  • The Password Standards are required for passwords that provide access to university restricted data, or where otherwise required by law, UC or campus policy, or contract.
  • The Password Standards are recommended for passwords that provide access to other types of confidential information.
  • Passwords that do not provide access to confidential information in any system are not required to comply with the campus Password Standards.

Please contact the ITS Support Center for technical assistance with passwords or other technical help by submitting a SlugHub ticket, by email at help@ucsc.edu or by telephone at 459-HELP (4357).

Please direct questions about UCSC’s Password Policy or Standards to the ITS Support Center (contact info above).

Additional Resources: 
ITS Security Web Site


UCSC HIPAA Policy
Updated January 22, 2008;  originally issued December 20, 2006

Content changes:

  • Added a requirement to the detailed policy statement (Sec III) specifying that HIPAA Security Rule compliance and associated documentation for each HIPAA entity must be reviewed and updated at least annually;
  • Clarified that the policy, itself, will be reviewed annually in conjunction with the annual review of campus HIPAA Security Rule compliance (Sec VI);
  • Added an attachment listing all campus entities that must comply with the HIPAA Security Rule (Sec VIII).

Administrative changes:

  • Added a "last revision date" (header);
  • Two spelling corrections (Medicade --> Medicaid);
  • Updated the contact information for the ITS Support Center (Sec V);
  • Clarified that the policy was *originally* reviewed and approved on 12/20/06 (Sec VI);
  • Added the UCSC HIPAA Security Rule web page to the "References" section (Sec VII) (this web page didn't exist when the policy was originally adopted);
  • Linked to the UCSC HIPAA Security Rule web page for all attachments instead of listing separate URLs for each attachment (Sec VIII) (this web page didn't exist when the policy was originally adopted).