Overview
BFB IS-3 Information Security is the University of California’s systemwide information security policy. All information activity at UC Merced, especially the management and protection of institutional information, must be conducted according to policy.
Unlike the prior policy, the current IS-3 is prescriptive with a large number of mandatory controls. There are also mechanisms to allow adjustment of the controls to meet a particular unit’s or project’s level of organizational and technical risk. Few IT systems are fully compliant with the policy, yet many are protected in a manner consistent with risk.
BFB IS-3 defines several key roles which are responsible, to varying levels, for enacting the IS-3 policy within a particular unit, group, or area. All Unit Heads, Unit Information Security Leads and IT staff should familiarize themselves with the policy and standards, and should further understand which role they inhabit and who fills the other roles related to protected data in their area(s). Please refer to the IS-3 Roles section below for more information.
IS-3 Directives
Every UC Merced unit (defined as a school, research project, administrative office, or collection of departments) has 4 specific directives:
- Units must complete Risk Assessments.
- Units must encrypt institutional information.
- Units must have an approval process for granting access to protected data.
- Units must ensure that agreements with suppliers contain security requirements.
IS-3 Scope
BFB IS-3 affects the following:
- Locations: All UC campuses and medical centers, the UC Office of the President, UC Agriculture and Natural Resources, UC-managed national laboratories and all other UC locations.
 
- People: All Workforce Members*, Suppliers, Service Providers and other authorized users of institutional information and IT resources.
 
- Data: All use of institutional information, independent of the location (physical or cloud), ownership of any device or account that is used to store, access, process, transmit or control institutional information.
 
- Devices: All devices, independent of their location or ownership, when connected to a UC network or cloud service used to store or process institutional information.
 
- Research: Research projects performed at any location and UC-sponsored work performed by any location.
*Workforce members are defined as: Employees, faculty, staff, contractors, student workers, volunteers, student interns, student volunteers, researchers, students supporting/performing research, medical center staff/personnel, clinicians, medical school students treating patients, people working for UC in any capacity or other augmentation to UC staffing levels.
IS-3 Roles
- CISO: The Chief Information Security Officer (CISO) is responsible for security functions throughout a Location, including assisting in the interpretation and application of IS-3. IS-3 requires each Location to “identify or appoint” a CISO. It is possible to identify one or more individuals to fulfill the role, as long as responsibilities are clearly defined per individual. At some Locations, the CISO might hold the title of ISO, or Information Security Officer.
- CRE: The Cyber-risk Responsible Executive (CRE) is an individual in a senior management or academic position who reports to the Location chancellor or top Location executive. The CRE is accountable for all information risk assessments, security strategies, planning and budgeting, incident management, and information security implementation.
- Proprietor:
 1) The individual responsible for the Institutional Information and processes supporting a University function (e.g. the Registrar is responsible for student data).
 2) The individual responsible for the IT Resources and processes supporting a University function.
 3) An identified group, committee or board responsible for the Institutional Information and processes supporting a University function.
 
- Researcher: A UC faculty member conducting research on behalf of UC. Also a Workforce Member.
 
- Service Provider: A UC group or organization providing specific IT services to a Unit (e.g. the Library provides specific IT services to campus while OIT provides other specific IT services to campus).
 
- Unit:
 1) A point of accountability and responsibility that results from creating or collecting, managing or possessing Institutional Information or from installing or managing IT Resources. A Unit is typically a defined organization or set of departments.
 2) An IT, academic, research, administrative, or other entity operating within UC.
 3) An academic school or administrative organization led by a Location appointed Unit Head. Service Providers are considered Units.
 
- Unit Head:
 1) A generic term for Dean, Vice Chancellor, or similarly senior role who has the authority to allocate budget and is responsible for Unit performance.
 2) A senior management role with the authority to allocate budget and responsibility for Unit performance.
 3) At a specific location or in a specific situation, the following senior roles may also be Unit Heads: department chairs, assistant/associate vice chancellor (AVC), principal investigators, directors, senior directors, or senior managers.
 
- Unit Information Security Lead: The Workforce Member(s) assigned responsibility for tactical execution of information security activities associated with IS-3.
 
- Workforce Manager: A person who supervises/manages Workforce Members or approves work or research on behalf of the University.
 
- Workforce Member: An employee, faculty, staff, volunteer, contractor, researcher, student worker, student supporting/performing research, medical center staff/personnel, clinician, student intern, student volunteer, or person working for UC in any capacity or other augmentation to UC staffing levels.
IS-3 Related Policies and Standards
The following policies and standards are hosted on the University of California Office of the President (UCOP) Systemwide Information Security site:
- Minimum Security Standard: UC’s Security Standard for Everyone and All Devices
- Account and Authentication Management Standard - Full Standard
- Classification of Information and IT Services
- Institutional Information Destruction Standard
- Encryption Key and Certificate Management
- Event Logging Standard
- Incident Response Standard
- Secure Software Configuration Standard - Full Standard
- Secure Software Development Standard - Full Standard
IS-3 at UC Merced
During 2020-2021, the UC Merced Information Security team conducted general informational and one-on-one unit sessions for UC Merced Unit Heads and Unit Information Security Leads (UISLs).
During 2022, the UC Merced Information Security team is preparing to conduct facilitated risk assessments for individual units. These audits will be based on IS-3 controls and will be used to create a prioritized compliance plan for each unit.
I just learned about IS-3. What should I do first?
- Familiarize yourself with the IS-3 policy, related standards, roles, and other documentation provided on this site.
- Identify your Unit Head.
- Identify your Unit Information Security Lead.
- Coordinate any security-related activities with your area's Unit Information Security Lead (UISL).
I'm aware of IS-3 requirements. What should I do now?
As you wait for your unit's facilitated risk assessment performed by the UC Merced Information Security team, there are several elements of the IS-3 policy that UISLs, IT staff and IT Service Providers should turn their attention to immediately:
- Inventory and classify your Information & Resources
- Bring infrastructure and services into compliance
Security Policy Exception and Risk Acceptance
BFB IS-3 and supporting standards govern IT security for systems at the University of California and UC Merced. The policy (Section 2.2) recognizes that there are occasions where a system or process cannot be compliant with the policy as written and that alternative equivalent mitigations may be acceptable. There may also be occasions when mitigations may be inadequate to reach an equivalent level of protection, and risk acceptance may be required.
The mechanism to request an exception or risk acceptance is to complete a form that specifies the nature of the request and the context. The form should be completed by the Unit Information Security Lead (UISL) or their designee. An exception requires three approvers:
- The UISL requesting the exception or risk acceptance
- The Unit Head approving the request and indicating acceptance of responsibility
- The Chief Information Security Officer (CISO)
The CISO, at their discretion, may choose to specify additional approvers and may raise approval to the Cyber Risk Responsible Executive (CRE).
To begin the process of requesting an exception and accepting the associated risk, the UISL can request an IS-3 Exception and Risk Assessment Consultation.
Prepare for your IS-3 Exception & Risk Assessment Consultation
To prepare for your consultation, please answer the following questions to the best of your ability:
- What is the specific policy or standard for which you are seeking an exception or risk acceptance? This must include a reference to the applicable section of the policy or standard.
- Why is the exception needed?
- What mitigations are in place to manage the risk of non-compliance to the same or similar level as compliance?
- For how long is the exception needed?
- Are there any special requirements, such as regulatory or contractual requirements?
The UISL should discuss the exception request with the Unit Head and Institutional Information Proprietor and get their approval before submitting the form.
The CISO will inform the requestor when the exception is approved, for how long, and any contingent requirements.
The UISL is responsible for ensuring that any system covered by the exception is decommissioned or brought into compliance with the policy before the expiration of the approval or acceptance.
For questions about the process, please email infosecurity@ucmerced.edu.
Risk Treatment Plans
Risk management may include a Risk Treatment Plan, which is a pre-approved response plan to address pre-identified risks in a specific situation.
The CISO may pre-approve standard Risk Treatment Plans in lieu of a full Risk Assessment. The CISO must establish when and how the Risk Treatment Plans are used and implemented.
Risk Treatment Plans must include at least the following:
- A standard set of controls based on this policy.
- Criteria for selecting alternate controls (one set vs. another set) to manage specific risks.
- Response plans to address the prioritized risks, including implementing controls to reduce risk.
- Documented actions and decisions related to scoping, approved exceptions, risk acceptance, residual risk, risk avoidance and risk transference.
Get Help
IS-3 Support
To find answers to your questions about BFB-IS-3, information about scheduling a Risk Assessment or to request an informational session about IS-3 for your unit, please email infosecurity@ucmerced.edu.
 
 


