Units Responsibilities

The Unit, in the context of the University of California IS-3 Electronic Information Security Policy, refers to any department, division, or organizational entity operating within the university system. 

Units are responsible for:

• Implementing IS-3 policy security controls.
• Managing security risk.
• Reporting security incidents.
• Allocating sufficient budget to protect data and IT resources.

As part of risk management, units must identify assets, classify data, and assess, treat, and document security risks. Units must also implement compensating controls for security risks deemed acceptable by the Unit Head. If data or assets cannot fully comply with IS-3 policy, units must request a security exception.

IS-3 Policy Responsibilities

Access Control

• Implement an approval process for granting access to Institutional Information and IT Resources. 
• Implement role-based access. Assign roles based on a person’s job duties or functions.
• Access must follow the “Need-to-Know” and Least Privilege principles.
• Audit access and roles periodically, including after changes to employment or job duties.
• Keep a documented record of access and changes to access rights.

Asset Management

• Maintain an inventory of assets (Institutional Information and IT resources) classified as Protection Level P3-P4. Update your documentation as inventory changes or moves. The inventory record must contain at least:
  • Identifier of the asset (e.g., name, asset tag, service tag)
  • Data Proprietor Name and Contact Information
  • Unit Name
  • Protection Level
  • Availability Level
  • Physical or virtual location
  • Configuration or security documentation
  • Data retention policy
• Protect your assets with appropriate levels of security controls in accordance with their classification (including physical and environmental security controls).
• Review and update Protection Level and Availability Level classification periodically or when changes occur.
• Comply with the UC Santa Cruz Acceptable Use Policy.
• Label data and IT resources as needed (e.g., digital tags for sensitive data or physical labels on paper or devices).
• Encrypt P3-P4 data when stored on portable media (USB, External Hard Drive, etc.). Ensure it is stored in a secure location.
• Securely dispose of electronic media containing P2-P4 data (including damaged electronic media and non-removable memory). 
• Use secure methods for physical transfer of electronic media containing P2-P4 data.

Encryption

• Encrypt data classified as Protection Level 3 or 4 when transmitted over a network, stored on any electronic media or portable computing devices (e.g., laptops, cell phones, USBs, and external hard drives).
• Consult with Information Security on the most appropriate encryption methods for your devices and data. 

Human Resource Security

Prior to Employment

• Conduct background checks for non-academic workforce members (staff, student workers, etc.) accessing P3-P4 data or IT resources.
• Include security duties in the job description.
• Follow the appropriate onboarding procedures related to information security.

During Employment

• Review access rights annually and remove access that is no longer needed.
• Promptly address reported, suspected or actual policy violations.
• Ensure workforce members complete UC Cyber Security Awareness Fundamentals training.
• Ensure workforce members comply with the UC Minimum Security Standard.

Separation and Change of Employment

• Ensure off-boarding and change of employment procedures are followed and documented.
• Collect UC property, IT Resources and physical access keys/cards. 
• Ensure the return and/or secure deletion of data.
• Revoke access.

Physical and Environmental Security

• Ensure that physical access to IT resources is restricted to authorized personnel only.
• Implement controls to prevent unauthorized access, theft, or damage to IT assets and infrastructure.
• Establish procedures for secure storage and disposal of IT equipment, including data-bearing devices.
• Maintain appropriate environmental conditions, such as temperature and humidity, to safeguard IT resources.
• Regularly inspect and maintain physical security controls, including locks, alarms, and surveillance systems.
• Conduct periodic risk assessments and security audits to identify vulnerabilities in physical security measures.
• Provide security awareness training to staff regarding the importance of physical security practices.
• Consult with the ITS Physical Security Systems team for guidance on assessing and enhancing the physical and environmental security of your unit's P3-P4 assets.

Supplier Relationships

• Comply with the UC Minimum Security Standard.
• Report security incidents, breaches, and observed supplier security lapses.
• Follow UC records retention and disposal requirements.
• Complete a Vendor Risk Assessment for suppliers accessing or processing P3-P4 data. Obtain assurance from a third-party audit report, or other security documentation, demonstrating that appropriate information security safeguards and controls are in place.
• Review requirements for supplier access to P3-P4 data. Include applicable terms in the agreement based on the type of data involved, such as Appendix - Data Security (DS).

Vulnerability Management

• Use supported and patched versions of hardware and software.
• Perform authenticated vulnerability scans for IT Resources that process or store P3-P4 data or A4 systems.
• Request a Security Exception if an IT Resource cannot be patched to current standards.
• Remove an IT Resource from network access if it poses a threat.

Additional Resources

Security Awareness

• How to Stay Secure 
• Security Awareness Training

IT Policies and Standards

• UC Santa Cruz IT Policies and Guidelines  
• UC Systemwide Policies and Standards 

Third-Party Technology Services

• Practices for Protecting Electronic P3-P4 Data
• Use of Third-Party Technology Services
• UC Santa Cruz Financial Affairs: Software Payment Guide

Get Help