BFB IS-3 Information Security is the University of California’s systemwide information security policy. All information activity at UC Merced, especially the management and protection of institutional information, must be conducted according to policy.
Unlike the prior policy, the current IS-3 is prescriptive with a large number of mandatory controls. There are also mechanisms to allow adjustment of the controls to meet a particular unit’s or project’s level of organizational and technical risk. Few IT systems are fully compliant with the policy, yet many are protected in a manner consistent with risk.
BFB IS-3 defines several key roles which are responsible, to varying degrees, for enacting the IS-3 policy within a particular unit, group, or area. All Unit Heads, Unit Information Security Leads and IT staff should familiarize themselves with the policy and standards, and should further understand which role they inhabit and who fills the other roles related to protected data in their area(s). Please refer to the IS-3 Roles section below for more information.
Every UC Merced unit (defined as a school, research project, administrative office, or collection of departments) has four specific directives:
Units must complete Risk Assessments.
Units must encrypt institutional information.
Units must have an approval process for granting access to protected data.
Units must ensure that agreements with suppliers contain security requirements.
BFB IS-3 affects the following:
Locations: All UC campuses and medical centers, the UC Office of the President, UC Agriculture and Natural Resources, UC-managed national laboratories and all other UC locations.
People: All Workforce Members*, Suppliers, Service Providers and other authorized users of institutional information and IT resources.
Data: All use of institutional information, independent of its location (physical or cloud) and of the ownership of any device or account that is used to store, access, process, transmit or control institutional information.
Devices: All devices, independent of their location or ownership, when connected to a UC network or cloud service used to store or process institutional information.
Research: Research projects performed at any location and UC-sponsored work performed by any location.
*Workforce members are defined as: Employees, faculty, staff, contractors, student workers, volunteers, student interns, student volunteers, researchers, students supporting/performing research, medical center staff/personnel, clinicians, medical school students treating patients, people working for UC in any capacity or other augmentation to UC staffing levels.
IS-3 Roles
CISO: The Chief Information Security Officer (CISO) is responsible for security functions throughout a Location, including assisting in the interpretation and application of IS-3. IS-3 requires each Location to “identify or appoint” a CISO. It is possible to identify one or more individuals to fulfill the role, as long as responsibilities are clearly defined per individual. At some Locations, the CISO might hold the title of ISO, or Information Security Officer.
CRE: The Cyber-risk Responsible Executive (CRE) is an individual in a senior management or academic position who reports to the Location chancellor or top Location executive. The CRE is accountable for all information risk assessments, security strategies, planning and budgeting, incident management, and information security implementation.
Proprietor:
1) The individual responsible for the Institutional Information and processes supporting a University function (e.g. the Registrar is responsible for student data).
2) The individual responsible for the IT Resources and processes supporting a University function.
3) An identified group, committee or board responsible for the Institutional Information and processes supporting a University function.
Researcher: A UC faculty member conducting research on behalf of UC. Also a Workforce Member.
Service Provider: A UC group or organization providing specific IT services to a Unit (e.g. the Library provides specific IT services to campus while OIT provides other specific IT services to campus).
Unit:
1) A point of accountability and responsibility that results from creating or collecting, managing or possessing Institutional Information, or from installing or managing IT Resources. A Unit is typically a defined organization or set of departments.
2) An IT, academic, research, administrative, or other entity operating within UC.
3) An academic school or administrative organization led by a Location-appointed Unit Head. Service Providers are considered Units.
Unit Head:
1) A generic term for a Dean, Vice Chancellor, or similarly senior role who has the authority to allocate budget and is responsible for Unit performance.
2) A senior management role with the authority to allocate budget and responsibility for Unit performance.
3) At a specific Location or in a specific situation, the following senior roles may also be Unit Heads: department chairs, assistant/associate vice chancellors (AVCs), principal investigators, directors, senior directors, or senior managers.
Unit Information Security Lead: The Workforce Member(s) assigned responsibility for tactical execution of information security activities associated with IS-3.
Workforce Manager: A person who supervises/manages Workforce Members or approves work or research on behalf of the University.
Workforce Member: An employee, faculty, staff, volunteer, contractor, researcher, student worker, student supporting/performing research, medical center staff/personnel, clinician, student intern, student volunteer, or person working for UC in any capacity or other augmentation to UC staffing levels.
IS-3 Related Policies and Standards
The following policies and standards are hosted on the University of California Office of the President (UCOP) Systemwide Information Security site:
During 2020 - 2021, the UC Merced Information Security team conducted general informational and one-on-one unit sessions for UC Merced Unit Heads and Unit Information Security Leads (UISLs).
During 2022, the UC Merced Information Security team is preparing to conduct facilitated risk assessments for individual units. These assessments will be based on IS-3 controls and will be used to create a prioritized compliance plan for each unit.
I just learned about IS-3. What should I do first?
Coordinate any security-related activities with your area's Unit Information Security Lead (UISL).
I'm aware of IS-3 requirements. What should I do now?
As you wait for your unit's facilitated risk assessment performed by the UC Merced Information Security team, there are several elements of the IS-3 policy that UISLs, IT staff and IT Service Providers should turn their attention to immediately:
Inventory and classify your Information & Resources
BFB IS-3 and supporting standards govern IT security for systems at the University of California and UC Merced. The policy (Section 2.2) recognizes that there are occasions where a system or process cannot be compliant with the policy as written and that alternative equivalent mitigations may be acceptable. There may also be occasions when mitigations may be inadequate to reach an equivalent level of protection, and risk acceptance may be required.
The mechanism to request an exception or risk acceptance is to complete a form that specifies the nature of the request and its context. The form should be completed by the Unit Information Security Lead (UISL) or their designee. An exception requires three approvers:
The UISL requesting the exception or risk acceptance
The Unit Head approving the request and indicating acceptance of responsibility
The Chief Information Security Officer (CISO)
The CISO, at their discretion, may choose to specify additional approvers and may escalate approval to the Cyber-risk Responsible Executive (CRE).
To find answers to your questions about BFB-IS-3, information about scheduling a Risk Assessment or to request an informational session about IS-3 for your unit, please email email@example.com.