Information Security Investment Plan (ISIP) Project
Overview
To strengthen UC's cybersecurity posture and mitigate potential risks, UC President Drake has outlined six cybersecurity requirements that every UC location is required to achieve by the end of May 2025. To align with President Drake’s directive, UC Santa Cruz (UCSC) has launched the Information Security Investment Plan (ISIP) project.
The new requirements are grouped into six key outcomes aimed at integrating cybersecurity into all behaviors, processes, and technologies at UC locations. This will help us enhance our security practices, address emerging cybersecurity threats, and ensure the uninterrupted delivery of UC's mission. The ISIP project aligns with UCSC’s broader goals of improving efficiency, effectiveness, and resilience while increasing the research profile and impact.
Cybersecurity Requirements
The six cybersecurity requirements mandated by President Drake are:
- Ensure cybersecurity awareness training for 100 percent of location employees.
- Ensure timely cyber escalation of incidents in alignment with UC Incident response and cybersecurity escalation standards.
- Ensure identification, tracking and vulnerability management of all computing devices connected to university networks.
- Deploy and manage UC-approved endpoint detection and recovery (EDR) software on 100 percent of assets defined by UC EDR deployment standards.
- Deploy, enable, and configure multi-factor authentication (MFA) on 100 percent of campus and health email systems in conformance with established UC MFA configuration standards.
- Deploy and configure a robust data loss prevention (DLP) solution for all health email systems to mitigate unauthorized data exfiltration.
What you can do now to meet two of these new requirements
- Complete the employee UC Cybersecurity Awareness Fundamentals Training.
- Use multi-factor authentication (MFA) for all UCSC email accounts. While individual accounts already require MFA, sundry, operational (aka functional), and sponsored accounts will also need it. If you manage one of these accounts, you’ll receive an email with instructions soon.
Project Phases and Timeline
Information Technology Services (ITS) has developed the following project phases, which involve collaboration with campus leadership, representatives from the Committee on Information Technology (CIT), appointed representatives from academic divisions, and technical experts from ITS to develop a structured implementation and change management plan for UCSC.
- Project Initiation (May 2024)
  The ISIP project was initiated in May 2024. This project will be used to plan, implement, and roll out changes to achieve the six cybersecurity requirements outlined in President Drake’s letter.
- Discovery Phase (June - Aug. 2024)
  Discovery, assessment, and documentation of the current state of systems and processes pertaining to each of the requirements.
- Planning Phase (Aug. - Oct. 2024)
  Collaborative development of a structured implementation and change management plan in consultation with campus leadership, representatives from CIT, and appointed representatives of academic divisions, as well as several technical experts from ITS.
- Implementation Phase (Oct. 2024 - May 28, 2025)
  Implementation details will be provided toward the end of the planning phase in October 2024.
Questions
Please use the Discovery Phase Engagement and Questions form to submit your questions. Frequently asked questions will be created and posted to this project page soon.