Introduction to IS-3: UC's Information Security Policy

What Is IS-3?

The IS-3 is University of California's systemwide electronic information security policy that aims to:

• Protect user confidentiality.
• Maintain the integrity of all data created, received, or collected by UC (Institutional Information).
• Meet legal and regulatory requirements.
• Ensure timely, efficient, and secure access to information technology resources (IT Resources).

IS-3 establishes a framework that ensures all UC locations follow the same approach to reduce and manage cyber risk, protect information, and support the proper functioning of IT Resources. 

For more details, view the Introduction to IS-3 playlist on the ITS YouTube channel.

What Are My Responsibilities Under IS-3?

Your responsibilities under IS-3 depend on your role at the university. There are many roles defined in the policy. The two most common roles are Workforce Members and Workforce Managers. Other roles include Institutional Information Proprietors, Researchers, Units, Unit Heads, Unit Information Security and Leads (UISL), Service Providers, and Suppliers.

Workforce Members include:

Workforce Managers include any person who supervises/manages other personnel or approves work or research on behalf of the university.

In addition to Workforce Member responsibilities, Workforce Managers must:

• Keep up with training, and ensure that everyone on their team completes the required training for each position, including the UC Cyber Security Awareness Fundamentals Training. 
• Ensure that technical staff has access to the resources it needs to carry out security duties. 
• Review access rights annually, and ensure that people only have access to the minimum applications needed to do their jobs. 
• Remember to remove access as needed when employees leave or change roles. This includes reviewing and updating Google drive access.

Proprietors, Researchers, Units, Unit Heads, Unit Information Security and Leads (UISL), Service Providers, and Suppliers

IS-3 also defines the roles and responsibilities of Proprietors, Researchers, Units, Unit Heads, Unit Information Security and Leads (UISL), Service Providers, and Suppliers. For more information specific to those roles, view UC Santa Cruz's "IS-3 Roles and Responsibilities" video or review the IS-3 Roles and Responsibilities webpage. 

Consequences of Non-Compliance

Confirmed and serious violations of this policy may result in:

• The restriction or suspension of computer accounts and/or access to IT Resources or Institutional Information.
• Initiating the security exception process and obtaining risk acceptance from the unit head.

Violations of IS-3 can also have negative consequences for both individual units and the entire university, such as:

• Security breaches that result in downtime, loss of business, and damage to reputation. 
• The unit incurring some or all of the cost resulting from the security incident.
• Denial of cyber insurance reimbursement.
• Audit corrective actions.

Security Policy Exception and Risk Acceptance

When institutional information and/or IT resources (Data Protection Levels P1-P4) cannot comply with an information security policy or standard, a unit must request a Security Exception. Units must propose compensating controls to mitigate security risks that UC security policies or standards would otherwise address. 

The UC Santa Cruz Information Security team will review the request, determine a risk rating, and document any other relevant information for consideration. The request must be approved by the security exception sponsor, unit head, or data proprietor. Additional approval from the Chief Information Security Officer (CISO) or a higher authority may be required if an exception poses an exceptionally high security, financial, reputational, and operational risk to the institution.

IS-3 Related Policies and Standards

The UC Santa Cruz Information Security team will review the request, determine a risk rating, and document any other relevant information for consideration. The request must be approved by the security exception sponsor, unit head, or data proprietor. Additional approval from the Chief Information Security Officer (CISO) or a higher authority may be required if an exception poses an exceptionally high security, financial, reputational, and operational risk to the institution.

• UC Minimum Security Standard 
• Account and Authentication Management Standard
• Classification of Information and IT Resources
• Institutional Information Disposal Standard
• Encryption Key and Certificate Management  
• Event Logging Standard 
• Incident Response Standard
• Secure Software Configuration Standard
• Secure Software Development Standard

Additional IS-3 Resources

• Data Resource Classification 
• Log Management
• Report an Information Security Incident 
• UC Santa Cruz PII Inventory and Security Breach Procedures 
• Virtu Email & File Encryption Service 
• Vulnerability Scans
• Security Exceptions
• Security Review