Security with Purpose — Protecting Campus, Not Surveilling It
The ProtectUs Pledge
"As a member of the UC Merced community, I understand that cybersecurity at UC Merced is a shared responsibility. I pledge to use university systems responsibly, complete required trainings, and support the use of security tools that help protect our community.
In return, OIT pledges to use data transparently, minimally, and only to protect the safety and security of UC Merced's technology infrastructure."
ProtectUs Essentials Suite
The ProtectUs Essentials Suite is a collection of security software required on all university-managed devices. These tools work together to ensure devices meet UC policy standards and remain protected against modern threats:
- Endpoint Detection & Response (EDR): Managed by Microsoft Defender for Endpoint; anti-malware software that detects and responds to malicious and suspicious behavior.
- Vulnerability Management: Managed by Tenable Nessus; scans operating systems and installed software for known vulnerabilities so we can remediate them quickly.
- Full Drive Encryption: Managed by BitLocker on Windows and FileVault on macOS; provides full-disk encryption to keep sensitive data safe in case a device is lost or stolen.
- Cloud Backup: Managed by CrashPlan; automatically backs up your device to a secure cloud location accessible only to the device owner.
These tools align with UC’s Electronic Communications Policy (ECP) and the IS-3 and IS-12 cybersecurity standards, as well as UC Merced's Acceptable Use Policy (AUP), and are deployed solely to protect the university and its community.
Myths and Facts
❌ Myth | ✅ Fact |
---|---|
OIT monitors my mail and personal files. | UC Electronic Communication Policy (ECP) prohibits access to files, messages, and email outside of the explicit cases authorized by the access without consent process (see "Transparency & Oversight" below). (UC Electronic Communication Policy IV.B., page 10) |
My personal device is being watched. | Only university-owned devices are eligible to be enrolled in our Device Management Program. Personal devices are not subject to management unless they are used to access systems with protected (P3/P4) data. That said, all University records are subject to California’s Public Records Act regardless of where they are stored. When personal data is mixed with University data, it may become necessary to examine some personal data to determine if they are "public records" and subject to disclosure via a records request. (UC Electronic Communication Policy III.D.8., page 8) |
System monitoring means surveillance. | We only gather technical metadata needed for device safety and policy compliance. Routine monitoring is limited to the least intrusive methods necessary to maintain security and system health, as described in the ECP. (UC Electronic Communication Policy IV.C.2.b., page 14) |
I won’t know if OIT accesses my account. | If access without consent is required, a formal review and documentation process is followed. Should an account ever be accessed without prior consent, the account holder will be notified when policy and process permit it. (see "Transparency & Oversight" below) (UC Electronic Communication Policy IV.B., page 10) |
I’m being punished if I don’t use these tools. | These tools are about protecting the community, not penalizing you — though access to some systems will require that you use only secured and/or managed devices. |
What We Collect and Why
Personal Devices
✅ What We Collect | ❓ Why We Collect It | ❗ Where It's Stored |
---|---|---|
Device name | Identify and inventory devices connected to campus networks | Device Inventory (ServiceNow) |
IP & MAC address | Assign network access levels (Slate, Blue, Gold) and look for anomalous network activity patterns that match malicious behaviors | Network system logs & Device Inventory (ServiceNow) |
Network login & metadata | To contact the owner of a device when anomalous or threatening activity is detected | Network system logs & Device Inventory (ServiceNow) |
Network Vulnerability Scanning | Our network passively scans all connected devices to ensure they don't have any known vulnerabilities such as outdated operating systems or applications | Vulnerability Management (Tenable) + Device Inventory (ServiceNow) |
University Owned Devices
✅ What We Collect | ❓ Why We Collect It | ❗ Where It's Stored |
---|---|---|
Device name | Identify and inventory campus-connected devices | Device Inventory (ServiceNow) |
IP & MAC address | Assign network access levels (Slate, Blue, Gold) and look for anomalous network activity patterns that match malicious behaviors | Network system logs & Device Inventory (ServiceNow) |
Network login & metadata | To contact the owner of a device when anomalous or threatening activity is detected | Network system logs & Device Inventory (ServiceNow) |
Device model & serial number | Track lifecycle and enable support | Device Management Program (Intune, JAMF) → ServiceNow |
Operating system & version | Ensure compliance and patching | Vulnerability Management (Tenable) + Device Inventory (ServiceNow) |
CPU, GPU, RAM, disk specs | Confirm compatibility with security tools, track lifecycle, and enable support | Device Management Program (Intune, JAMF) → Device Inventory (ServiceNow) |
Installed software version | Protect against malware, detect vulnerabilities, manage software updates, and enforce policy | Microsoft Defender for Endpoint, Tenable Nessus, Device Inventory (ServiceNow) |
What We Don't Collect on ANY Devices
- ❌ File or email content
- ❌ Browser history or search terms
- ❌ Webcam or microphone data
- ❌ Location data
- ❌ Keystrokes or personal messages
Governance & Policy
OIT follows the principles of the UC Electronic Communications Policy and related systemwide standards. When data access or inspection is required, it follows a documented, auditable process. Monitoring is always conducted with the least amount of inspection necessary and is never used for non-security purposes.