Campus Security Initiative

PROJECT OVERVIEW

The Campus Security Initiative, compliant with IS-3, focuses on endpoint management and data protection. The endpoint management program will allow UCM/OIT to centrally manage end-user devices such as desktops, laptops, tablets, and mobile devices, and to ensure protection and mitigate business risks through timely alerts and security patch deployment.

 

 


PROJECT IMPACT

  • Centrally manage UC Merced endpoints
  • Increased security
  • Meet compliance and regulatory needs

 

Future State

Provide visibility and protection for all UC Merced endpoints, following a risk-based approach that mitigates associated risks to institutional resources, assets, and data.


TIMELINE

IS-3 Implementation consists of multiple phases covering multiple years.

High-Level IS-3 Deployment

  • June 2021: Completion of Unit 1-1 discussions to go over Baseline Security projects
  • June 2022: Data Classification/Record Management efforts
  • June 2022: Unit Risk Assessments (RA) conducted
  • June 2023: Completion of Baseline Security Efforts for All Units
  • June 2023: Additional Controls implemented based on RA

IMPACTED USERS & STAKEHOLDERS

Project Stakeholders include UC Merced Unit Heads and Leads.

Impacted users are:

  • Staff
  • Faculty
  • Students
  • Researchers

IS-3

UC Business and Finance Bulletin IS-3 is the University of California’s systemwide information security policy. A major update to IS-3 was finalized in September 2018. The policy and related standards are available here: https://security.ucop.edu/policies/it-policies.html.

The new IS-3 changes the way information security risk is handled within the university.

The financial risk of a data security breach that used to fall to UCOP or the central campus is now the responsibility of the individual units, i.e., college, department, lab or research group. While these costs vary widely, they range from tens of thousands of dollars to many millions.

The risk-based IS-3 defines more than 350 IT security controls, but most of these controls apply only when dealing with high-risk data, classified at P3 or P4 levels. By implementing the required controls for each protection level, units mitigate most of the financial risk of a data security breach. IS-3 also focuses on minimum security standards, which UC Merced’s baseline security efforts cover.

IS-3 policy highlights the following foundational elements:

  • Security is a shared responsibility
  • Focuses on risk management; risk assessment is key
  • Data classification is key and affects security controls
  • Applies to all users (workforce members, not students) and devices
  • All UC users should follow a set of baseline cyber hygiene practices
  • Units are responsible for managing their own information security risk

 

IS-3 Roles

Unit

A point of accountability and responsibility that results from creating/collecting or managing/possessing Institutional Information or installing/managing IT Resources. A Unit is typically a defined organization, such as a college/school, or a set of departments. May be a research project under a Principal Investigator.

Unit Head

A generic term for dean, vice chancellor, or other accountable executive in a senior role who has the authority to allocate budget and is responsible for Unit performance, administration, and risk acceptance. Unit Heads are the executives accountable and responsible for overseeing the execution of UC and Campus information security policies within the Unit.

  • Overall accountability for implementation of IS-3
  • Planning and budgeting including resources and staffing
  • Names a Unit Information Security Lead to assist technical implementation
  • Reports incidents and non-compliance to Chief Information Security Officer (CISO)
  • Ensures completion of assessments
  • Recommends approval of exceptions including financial risk acceptance
  • Participates personally and actively in maturing compliance
  • Appoints one or more Unit Information Security Leads (UISL), technical and/or business focus
  • Communicates importance of compliance
  • Sets the tone by instructing compliance with basic technical controls and completing an initial assessment with the UISL
  • Implements prioritized recommendations from assessment

Unit Information Security Lead (UISL)

The UISL is a workforce member designated by the Unit Head and is responsible for ensuring the tactical execution of information security activities within their Unit including, but not limited to:

  • Implementing security controls
  • Reviewing and updating risk assessments and asset inventory
  • Procedures for proper handling, storing, and disposing of the Unit’s electronic information and media
  • Reviewing access rights
  • Providing technical oversight and execution of information security within the Unit.
  • Maintaining assessments, inventorying assets
  • Informing CISO and Unit Head of incidents and non-compliance
  • Recommending approval of exceptions to Unit Head

Service Provider

  • A UC internal organization that offers IT services to Units

 

UC Institutional Information and IT Resource Classification Standard

Protecting our Institutional Information and IT Resources is critical to the campus mission. This standard defines requirements for the appropriate classification of Institutional Information and IT Resources to ensure their confidentiality, integrity and availability.

All forms of UC electronic Institutional Information and IT Resources must be labeled with Protection Levels and Availability Levels in the associated inventory/tracking tools based on the Location/Unit Risk Assessment.

Protection Levels

The following protection levels relate to the confidentiality and integrity of data.

  • P4 – High:  Unauthorized disclosure or modification could result in significant fines, or civil or criminal violations
  • P3 – Moderate:  Unauthorized disclosure or modification could result in small or moderate fines, or civil or criminal violations
  • P2 – Low:  Unauthorized use, disclosure, acquisition, modification or loss could result in minor damage or small financial loss, or cause minor impact on the privacy of an individual or group
  • P1 – Minimal:  Public information or information intended to be readily obtainable by the public

A detailed mapping of data to protection levels is available on the UCOP website.

Availability levels

The following availability levels indicate the business impact of a loss of availability of data and/or service.

  • A4 – High:  Would result in major impairment to the overall operation of the Location
  • A3 – Moderate:  Would result in moderate financial losses
  • A2 – Low:  May cause minor losses or inefficiencies
  • A1 – Minimal:  Minimal impact or financial loss

 

High-Level Unit Self-Assessment

As part of UC Merced’s IS-3 implementation, each Unit is now responsible for annually reviewing and updating a High-Level IS-3 Unit Self-Assessment, to be completed by the UISL. The assessment and resulting report are designed to identify areas of risk to help focus a Unit’s security activities for the following year.

End user Endpoint data collection

Purpose: To enable the Information Security team to deploy the baseline security efforts to end-user devices. The end-user data needed is the device type and the device operating system.

Fill out the Endpoint Management Questionnaire form whenever a new employee and/or a new device is added.

Instructions:

  1. Select your Unit Number/Department name/Unit Information Security Lead (UISL).
  2. Select the type of device(s). If you only have one device, select the type of device and enter none for all other devices.

         If you have no UC Merced devices, then select none for all devices and click the “Submit” button; you are done with the survey.

  3. If you have one device, enter the device name for your first device.
  4. If you have two devices, enter the device name for your second device. If you don’t have a second device, then submit the form; you are now done with the survey.
  5. Select “Yes” if you have more than 2 devices.
  6. If you answered yes to the previous question, enter the device name for your third device.
  7. If you have a fourth device, enter the name of the fourth device and submit the form; you are now done with the survey.

Where can I find more information regarding the new IS-3?

Units interested in detailed information about IS-3 controls, roles and responsibilities, and implementation tools from the UC Systemwide Policy Office can contact the Information Security team by email at infosecurity@ucmerced.edu, as well as access systemwide materials.

 

Baseline Security Project Components focused on Endpoints

CrashPlan is a cloud-based backup and recovery software that works in the background to back up your data. Recoveries can be done through the cloud anywhere in the world, and you can have up to 4 devices per account. Devices are on-boarded by using your UCMNetID and password. This service is offered by OIT as part of the Endpoint Protection Program, and works with Windows, OS X, and Linux Systems.

Self Service for CrashPlan is available at https://it.ucmerced.edu/crashplan-install

If you run into problems, please contact your department Unit Information Security Leads (UISL). If you have further issues, you can call the Service Desk at 209-228-4357 or you can file a ticket at https://it.ucmerced.edu/

 

FireEye HX is a next-generation anti-malware, antivirus, and anti-intrusion platform designed to run silently in the background and protect you while you work. It works with OIT resources to identify and defend against threats without causing unnecessary strain on your system. This service is offered by OIT as part of the Endpoint Protection Program, and works with Windows, OS X, and Linux Systems.

Self Service for FireEye HX is available at https://it.ucmerced.edu/FireEyeHX

If you run into problems, please contact your department Unit Information Security Leads (UISL). If you have further issues, you can call the Service Desk at 209-228-4357 or you can file a ticket at https://it.ucmerced.edu/

 

Patching, Encryption, and Endpoint Management

This component is designed to keep your devices up to date and managed. Devices can be managed and patched remotely, and encryption enabled, keeping devices up to date and secured. Device management and inventory are enforced by OIT-created policies, and reports can be run to identify hardware and software inventories. Device imaging can be done at any UC Merced on-campus building, both individually and in large groups, allowing for quick deployment and return to service. Software installations, updates, and system patches are pushed out remotely and can be applied quietly without the need for user interaction.

 

Departments work with their UISLs and OIT resources to create, manage, and deploy the resources listed here. For further information on this topic or to schedule a software installation, please contact Phil Herechski (pherechski@ucmerced.edu).