IS-3 Information Security Policy

Every UC Merced unit (defined as a school, research project, administrative office, or collection of departments) has 4 specific directives:

1. Units must complete Risk Assessments.
2. Units must encrypt institutional information.
3. Units must have an approval process for granting access to protected data.
4. Units must ensure that agreements with suppliers contain security requirements.

BFB IS-3 affects the following:

1. Locations: All UC campuses and medical centers, the UC Office of the President, UC Agriculture and Natural Resources, UC-managed national laboratories and all other UC locations.
    
2. People: All Workforce Members*, Suppliers, Service Providers and other authorized users of institutional information and IT resources.
    
3. Data: All use of institutional information, independent of the location (physical or cloud), ownership of any device or account that is used to store, access, process, transmit or control institutional information.
    
4. Devices: All devices, independent of their location or ownership, when connected to a UC network or cloud service used to store or process institutional information.
    
5. Research: Research projects performed at any location and UC-sponsored work performed by any location.

*Workforce members are defined as: Employees, faculty, staff, contractors, student workers, volunteers, student interns, student volunteers, researchers, students supporting/performing research, medical center staff/personnel, clinicians, medical school students treating patients, people working for UC in any capacity or other augmentation to UC staffing levels.

• CISO: The Chief Information Security Officer (CISO) is responsible for security functions throughout a Location, including assisting in the interpretation and application of IS-3. IS-3 requires each Location to “identify or appoint” a CISO. It is possible to identify one or more individuals to fulfill the role, as long as responsibilities are clearly defined per individual. At some Locations, the CISO might hold the title of ISO, or Information Security Officer.

• CRE: The Cyber-risk Responsible Executive (CRE) is an individual in a senior management or academic position who reports to the Location chancellor or top Location executive. The CRE is accountable for all information risk assessments, security strategies, planning and
  budgeting, incident management, and information security implementation.

• Proprietor:
  1) The individual responsible for the Institutional Information and processes supporting a University function (i.e. the Registrar is responsible for student data).
  2) The individual responsible for the IT Resources and processes supporting a University function.
  3) An identified group, committee or board responsible for the Institutional Information and processes supporting a University function.
   
• Researcher: A UC faculty member conducting research on behalf of UC. Also a Workforce Member.
   
• Service Provider: A UC group or organization providing specific IT services to a Unit (i.e. the Library provides specific IT services to campus while OIT provides other specific IT services to campus).
   
• Unit:
  1) A point of accountability and responsibility that results from creating or collecting, managing or possessing Institutional Information or from installing or managing IT Resources. A Unit is typically a defined organization or set of departments.
  2) An IT, academic, research, administrative, or other entity operating within UC.
  3) An academic school or administrative organization led by a Location appointed Unit Head. Service Providers are considered Units.
   
• Unit Head:
  1) A generic term for Dean, Vice Chancellor, or similarly senior role who has the authority to allocate budget and is responsible for Unit performance.
  2) A senior management role with the authority to allocate budget and responsibility for Unit performance.
  3) At a specific location or in a specific situation, the following senior roles may also be Unit Heads: department chairs, assistant/associate vice chancellor (AVC), principal investigators, directors, senior directors, or senior managers.
   
• Unit Information Security Lead: The Workforce Member(s) assigned responsibility for tactical execution of information security activities associated with IS-3.
   
• Workforce Manager: A person who supervises/manages Workforce Members or approves work or research on behalf of the University.
   
• Workforce Member: An employee, faculty, staff, volunteer, contractor, researcher, student worker, student supporting/performing research, medical center staff/personnel, clinician, student intern, student volunteer, or person working for UC in any capacity or other augmentation to UC staffing levels.

The following policies and standards are hosted on the University of California Office of the President (UCOP) Systemwide Information Security site:

• Minimum Security Standard: UC’s Security Standard for Everyone and All Devices
• Account and Authentication Management Standard - Full Standard
• Classification of Information and IT Services
• Institutional Information Destruction Standard
• Encryption Key and Certificate Management
• Event Logging Standard
• Incident Response Standard 
• Secure Software Configuration Standard - Full Standard
• Secure Software Development Standard - Full Standard

• Familiarize yourself with the IS-3 policy, related standards, roles, and other documentation provided on this site. 
• Identify your Unit Head
• Identify your Unit Information Security Lead
• Coordinate any security-related activities with your area's Unit Information Security Lead (UISL).

As you wait for your unit's facilitated risk assessment performed by the UC Merced Information Security team, there are several elements of the IS-3 policy that UISLs, IT staff and IT Service Providers should turn their attention to immediately:

• Inventory and classify your Information & Resources 
• Bring infrastructure and services into compliance
  • Section 9: Access Control (page 23)
  • Section 12: Operations Management (page 26)
  • Minimum Security Standards
  • Account and Authentication Management Standard - Summary
  • Secure Software Configuration Standard - Summary
  • Secure Software Development Standard - Summary

To prepare for your consultation, please answer the following questions to the best of your ability:

1. What is the specific policy or standard for which you are seeking an exception or risk acceptance? This reason must include reference to the applicable section of the policy or standard.
2. Why is the exception needed?
3. What mitigations are in place to manage the risk of non-compliance to the same or similar level as compliance? 
4. For how long is the exception needed?
5. Are there any special requirements, such as regulatory or contractual requirements?

The UISL should discuss the exception request with the Unit Head and Institutional Information Proprietor and get their approval before submitting the form.

The CISO will inform the requestor when the exception is approved, for how long, and any contingent requirements. 

The UISL is responsible for ensuring that any system covered by the exception is decommissioned or brought into compliance with the policy before the expiration of the approval or acceptance. 

For questions about the process, please email infosecurity@ucmerced.edu.

• Electronic Communication Policy
• IS-3 FAQs
• IT Policy Glossary

UC Merced Specific Documents

UC Merced Information Security IS-3 Unit Presentation (pdf)

To find answers to your questions about BFB-IS-3, information about scheduling a Risk Assessment or to request an informational session about IS-3 for your unit, please email infosecurity@ucmerced.edu.