
IT Policy Quick Reference Guide

What are IS-3 and IS-12?

IS-3

BFB IS-3 Information Security is the University of California’s systemwide information security policy. All information activity at UC Merced, especially the management and protection of Institutional Information, must be conducted according to this policy.

BFB IS-3 defines several key roles that are responsible, to varying degrees, for enacting the policy within a particular unit, group, or area. All Unit Heads, Unit Information Security Leads, and IT staff should familiarize themselves with the policy and its standards, understand which role they hold, and know who fills the other roles related to protected data in their area(s). Please refer to the IS-3 Roles section below for more information.

More information about IS-3 can be found here: https://it.ucmerced.edu/IS3_Policy

IS-12

BFB IS-12 IT Recovery is the University of California’s systemwide IT recovery policy. The policy helps UC Merced faculty and staff prepare for IT recovery and business continuity after an unavoidable or unforeseen disaster (whether natural or human-made).

The ability to recover Institutional Information and IT Resources requires appropriate governance, funding, design, development, testing, maintenance, protection, and procurement procedures. The IS-12 policy lays out those procedures, and compliance with the policy helps UC Merced divisions prepare for disaster recovery.

IS-3 and IS-12: Key Classifications

Data Protection Levels (IS-3)

Protection Level Classification

Level | Impact of disclosure or compromise

P4 - High

Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. Statutory, regulatory and contract obligations are major drivers for this risk level. Other drivers include, but are not limited to, the risk of significant harm or impairment to UC students, patients, research subjects, employees, guests/program participants, UC reputation, the overall operation of the Location or essential services. (Statutory.)

  • Sensitive identifiable human subjects data
  • Patient health records
  • Financial records, including payroll or student financial aid
  • Genetic data

P3 - Moderate

Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions. Institutional Information of which unauthorized use, access, disclosure, acquisition, modification, loss or deletion could result in moderate damage to UC, its students, patients, research subjects, employees, community and/or reputation; could have a moderate impact on the privacy of a group; could result in moderate financial loss; or could require legal action. This classification level also includes lower risk items that, when combined, represent increased risk. (Proprietary.)

  • Video recordings of individuals in both research and security contexts
  • Any student education records (grades, communications between students and instructors, student coursework)
  • Exams and answer keys
  • Animal research protocols
  • Identifiable human subjects data without sensitive identifiers

P2 - Low

Institutional Information and related IT Resources that may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access. In addition, information of which unauthorized use, access, disclosure, acquisition, modification or loss could result in minor damage or small financial loss, or cause minor impact on the privacy of an individual or group. (Internal.)

  • Unpublished research work and other unpublished intellectual property
  • De-identified human subjects data (low risk of re-identification)

P1 - Minimal

Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern. IT Resources for which the application of minimum security requirements is sufficient. (Public.)

  • Course catalog information
  • Department websites
  • Published research

Data Availability Levels (IS-3)

Availability Level Classification

Level | Impact of loss of availability or service

A4 - High

Loss of availability would result in major impairment to the overall operation of the Location and/or essential services, and/or cause significant financial losses. IT Resources that are required by statutory, regulatory and legal obligations are major drivers for this risk level.

A3 - Moderate

Loss of availability would result in moderate financial losses and/or reduced customer service.

A2 - Low

Loss of availability may cause minor losses or inefficiencies.

A1 - Minimal

Loss of availability poses minimal impact or financial losses.

Data Recovery Levels (IS-12)

Recovery Level Classification

Recovery Level & Time Objective   Description of IT Resources and Institutional Information
RL5 - 15 minutes                  Core technology and infrastructure
RL4 - up to 6 hours               Critical 1: life/safety; alternatives not sustainable
RL3 - up to 24 hours              Critical 2: alternatives sustainable up to 24 hours
RL2 - up to 5 days                Necessary
RL1 - up to 30 days               Deferrable