IS-3: Protecting Sensitive Data

IT security is a shared responsibility, and every member of the UC Merced community has a role to play. This article is focused on the roles of faculty, staff, and graduate students within the IS-3 policy.

  • Do you have a spreadsheet with student grades on your laptop?
  • Do you have identifiable human subjects data on your lab file share?
  • Do you have research data from federal or state agencies that may be covered by regulations?
  • Do you have a spreadsheet containing payroll information on your computer?
  • Do you have emails from students regarding coursework or advising in your email account?

If you answered ‘yes’ to any of those, then you have sensitive data that requires special handling under IS-3. Please read on!

The first thing to understand about IS-3 is why it matters to you, personally, and to your department: under IS-3, the financial risk of a data security breach that used to fall to UCOP or the central campus now falls to the college, department, or even a lab or research group. While these costs vary widely, they range from tens of thousands of dollars to many millions.

The second thing to understand about IS-3 is that it is risk-based. In total, IS-3 defines more than 350 IT security controls, but most of those controls only apply when dealing with high-risk data. To make it easier to determine which controls apply to which types of data, IS-3 defines four "protection levels" from low-risk P1 data to high-risk P4 data. By implementing the required controls for each protection level, you mitigate most of the financial risk of a data security breach in your lab, school, unit, or area.

While the majority of the IS-3 controls involve basic hygiene like passphrases and encryption, the most stringent of the IS-3 controls only apply to P3 and P4 data. Therefore, this article focuses on identifying and managing data classified at the P3 and P4 levels.

Illustrative Sample of Protection Level Classifications

Protection Level Classification: Level | Impact of disclosure or compromise

P4 - High

Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. Statutory, regulatory and contract obligations are major drivers for this risk level. Other drivers include, but are not limited to, the risk of significant harm or impairment to UC students, patients, research subjects, employees, guests/program participants, UC reputation, the overall operation of the Location or essential services. (Statutory.)

  • Sensitive identifiable human subjects data
  • Patient health records
  • Financial records, including payroll or student financial aid
  • Genetic data

P3 - Moderate

Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions. Institutional Information of which unauthorized use, access, disclosure, acquisition, modification, loss or deletion could result in moderate damage to UC, its students, patients, research subjects, employees, community and/or reputation; could have a moderate impact on the privacy of a group; could result in moderate financial loss; or could require legal action. This classification level also includes lower risk items that, when combined, represent increased risk. (Proprietary.)

  • Video recordings of individuals in both research and security contexts
  • Any student education records (grades, communications between students and instructors, student coursework)
  • Exams and answer keys
  • Animal research protocols
  • Identifiable human subjects data without sensitive identifiers

P2 - Low

Institutional Information and related IT Resources that may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access. In addition, information of which unauthorized use, access, disclosure, acquisition, modification or loss could result in minor damage or small financial loss, or cause minor impact on the privacy of an individual or group. (Internal.)

  • Unpublished research work and other unpublished intellectual property
  • De-identified human subjects data (low risk of re-identification)

P1 - Minimal

Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern. IT Resources for which the application of minimum security requirements is sufficient. (Public.)

  • Course catalog information
  • Department websites
  • Published research

Proposed Required Availability Level Classifications

Availability Level Classification: Level | Impact of loss of availability or service

A4 - High

Loss of availability would result in major impairment to the overall operation of the Location and/or essential services, and/or cause significant financial losses. IT Resources that are required by statutory, regulatory and legal obligations are major drivers for this risk level.

A3 - Moderate

Loss of availability would result in moderate financial losses and/or reduced customer service.

A2 - Low

Loss of availability may cause minor losses or inefficiencies.

A1 - Minimal

Loss of availability poses minimal impact or financial losses.

What may jump out at you from these classification tables is that many (most?) faculty laptops, lab computers, and administrative staff computers and file shares contain a mix of data from most of these protection levels. Moreover, there is no automatic way to identify that P3 and P4 data in most cases. Each of us needs to help in the effort to identify the P3 and P4 data on the devices and services we use.

Much of the work of implementing IS-3 over the coming months and years will be to identify the P3 and P4 data across our IT environment and ensure that it is being handled appropriately. One of the best strategies, once the P3 and P4 data has been identified, is to isolate that data in secure locations rather than leaving it mixed in with the lower-risk data.

Here are some ideas about what you can do to help out with this effort:

  • Start thinking about where you have P3 and P4 data: On your computers? On file servers? In Box or Dropbox or other cloud services? On backup drives? On USB thumb drives?
  • If you have P3 or P4 data on laptops or thumb drives or USB backup drives or other devices that can be easily lost or stolen, consider moving that data to a more secure location. If you can't move it, make sure your devices are encrypted!
  • If you have P3 or P4 data in any cloud services like Box or Dropbox, make sure that you have multi-factor authentication (like Duo!) enabled for those services.
  • If you have P3 or P4 data in your email account (e.g., old communications with students about courses or advising), consider purging those messages, or archiving them to a secure location if they need to be preserved.