Unit Information Security Lead (UISL) Responsibilities

The Unit Information Security Lead (UISL), in the context of the University of California IS-3 Electronic Information Security Policy, refers to the workforce member(s) assigned responsibility for the implementation and enforcement of security controls in IS-3 policy. 

At UC Santa Cruz, UISLs are liaisons between their units and the information security team. They address their unit’s questions about security policy compliance, including data classification and encryption requirements. UISLs also relay security risks to their Unit Heads, advocate for security best practices, and ensure their departments make risk-based decisions. 

UISLs don't need to be technical people (though they can be). Their primary responsibility is to ensure that units implement the security controls rather than personally executing them. Some tasks, such as security risk briefings, vendor risk assessments, and incident response, may involve coordination.

At UCSC, the UISL role has been further defined into the following three tiers, with corresponding areas of responsibility:

  • Tier 1 UISLs apply basic concepts of the IS-3 policy and standards, such as data classification, security requirements, the exception process, and the risk decision process, and understand the resources available to help with these activities.
  • Tier 2 UISLs meet Tier 1 objectives and perform additional activities in support of the cybersecurity needs of a unit, such as keeping track of information, systems, and suppliers, and providing guidance on the required security controls based on the classifications for protection and availability levels.
  • Tier 3 UISLs meet Tier 2 objectives and provide cybersecurity expertise where and when it is needed, facilitate risk assessments, prepare risk treatment plans, and consult with Unit Heads on risk-based decisions.

All UISLs, regardless of tier, will be invited to participate in regular and periodic sessions with the Chief Information Security Officer (CISO) and information security team to learn about the latest vulnerabilities, tools, and techniques that will help keep our campus safe and secure.

UISL Expectations

  • Complete the Tier 1 UISL Training. This training aims to provide UISLs with an understanding of the requirements set forth in the UC Information Security (IS-3) Policy, clarify your responsibilities as a UISL, and introduce the range of ITS services available to assist you in achieving compliance.
  • Attend the UISL Quarterly Briefings. The Chief Information Security Officer (CISO) provides security and policy updates at these meetings. These meetings are recorded and published on the UISL Google site under Past Meeting Recordings. To request access to the meetings, please navigate to the Get Help section below to contact the information security team.
  • Maintain active membership in the UISL Google Group (mailing list) and share announcements with your respective unit(s). Email ispolicy@ucsc.edu to request access.
  • Familiarize yourself with UC IT policies and standards, including UCSC IT policies.
  • Collaborate with information security. Reach out to the UISL Coordinator or Information Security if you have any questions.

IS-3 Policy Responsibilities 

  • Ensure the unit implements the required security controls outlined in policy and standards, especially the UC Minimum Security Standards. See the Unit Responsibilities page for more information.
  • Develop a unit security plan and review it annually.
  • Complete a unit risk assessment for P3-P4 assets or create a Risk Treatment Plan to mitigate security risk. Review and update Risk Assessments and Risk Treatment Plans in accordance with IS-3 policy.
  • Review and update unit-managed access rights, including privileged access, at least annually.
  • Maintain an inventory of all the unit’s P3-P4 assets (institutional information and IT resources). Review unit assets and owner contacts periodically.
  • Classify data and IT resources in your unit's area of responsibility.
  • Establish procedures for handling, storing, and disposing of electronic media within the Unit. Use the UC Records Retention Schedule as a guide on how long to keep that data. 
  • Work with Staff Human Resources to ensure consistent HR security processes and procedures are in place.
  • Work with Procurement and Supply Chain Services to ensure proper data security provisions for suppliers. Review requested changes to a Supplier’s security controls before approving such changes.

Resources

IT Policies and Standards

Information Security 

UISL 

Get Help

If you have questions about your role or responsibilities as a UISL, email the Compliance/UISL Coordinator at ispolicy@ucsc.edu or submit a ticket through the ITS Support Center.