Information Resources & Communications

Information Security Program

Electronic Information Security

Protection of University information assets and the technology resources that support the UC enterprise is critical to the functioning of the University. University information assets are at risk from potential threats such as malicious or criminal action, system failure, natural disasters, and even employee error. Such events could result in damage to or loss of information resources, corruption or loss of data integrity, interruption of the activities of the University, or compromise of the confidentiality or privacy of members of the University community.

The University recognizes that absolute security of electronic information resources against all threats is an unrealistic expectation that would require the commitment of a prohibitively high level of resources.  The University’s goals for risk reduction are based, therefore, on the principle that the level and type of security should reflect an assessment of:

Campus information security program

The University of California policy and guidelines for information security are expressed in Business and Finance Bulletin IS-3, Electronic Information Security.  In conformance with IS-3, campuses are required to implement an Information Security Program that includes:

Campus information security programs should incorporate appropriate strategies that ensure reliability and recoverability.  Security programs should undergo periodic evaluation of established safeguards to ensure that they adequately address operational or environmental changes or compliance with new legal requirements.

Minimum Standards
BFB IS-3 also requires that campuses establish minimum standards for devices connected to their networks. Such standards are intended to protect networked devices from a range of threats and vulnerabilities, such as malicious software, unauthorized access, unencrypted authentication, and known software and operating system vulnerabilities. Campuses should also identify specific software that is determined to pose serious security risks to their environments.

Encryption
Suitably strong encryption measures employed and implemented with appropriate assurance can reduce the risk of disclosure of electronic information to unauthorized parties. Portable devices and media (for example, laptops, PDAs, and thumb drives) present major risks for unauthorized disclosure of electronic information. Appropriately deployed encryption can mitigate these risks.

• See Business and Finance Bulletin IS-3, Appendix E for encryption recommendations.

