Introduction to IS-3: Protecting Sensitive Data

This is the first in a short series of articles intended to introduce the recently updated, UC-wide IS-3 security policy, which was signed by President Napolitano in September 2018 and is now being implemented across all UC campuses.

IT security is a shared responsibility, and every member of the UC Davis community has a role to play. This article and planned future articles in this series are focused on the roles of faculty, staff, and graduate students within this policy.

  • Do you have a spreadsheet with student grades on your laptop?
  • Do you have identifiable human subjects data on your lab file share?
  • Do you have research data from federal or state agencies that may be covered by regulations?
  • Do you have a spreadsheet containing payroll information on your computer?
  • Do you have emails from students regarding coursework or advising in your email account?

If you answered yes to any of those, then you have sensitive data that requires special handling under IS-3. Please read on!

The first thing to understand about IS-3 is why it matters to you, personally, and to your department: under IS-3, the financial risk of a data security breach that used to fall to UCOP or the central campus now falls to the college, department, or even a lab, research group, or individual PI. While these costs vary widely, the costs for a significant breach range from tens of thousands to many millions of dollars.

The second thing to understand about IS-3 is that it is risk-based. In total, IS-3 defines more than 350 IT security controls, but most of those controls only apply when dealing with high-risk data. To make it easier to determine which controls apply to which types of data, IS-3 defines four "protection levels" from low-risk P1 data to high-risk P4 data. By implementing the required controls for each protection level, you mitigate most of the financial risk of a data security breach.

While the majority of the IS-3 controls involve basic hygiene like passphrases and encryption, the most stringent of the IS-3 controls only apply to P3 and P4 data. Therefore, this article focuses on identifying and managing data classified at the P3 and P4 levels.

You can find a more detailed mapping of data to protection levels on the UCOP website and a summary on this website, but here are some examples that are salient to the research, teaching, and administration within the College of Letters and Science:

Protection Level 1 (P1 - Low Risk):

  • Course catalog information
  • Department websites
  • Published research

Protection Level 2 (P2 - Medium Risk):

  • Unpublished research work and other unpublished intellectual property
  • De-identified human subjects data (low risk of re-identification)

Protection Level 3 (P3 - High Risk):

  • Video recordings of individuals in both research and security contexts
  • Any student education records (grades, communications between students and instructors, student coursework)
  • Exams and answer keys
  • Animal research protocols
  • Identifiable human subjects data without sensitive identifiers

Protection Level 4 (P4 - Critical Risk):

  • Sensitive identifiable human subjects data
  • Patient health records
  • Financial records, including payroll or student financial aid
  • Genetic data

What may jump out at you from that list is that many (most?) faculty laptops, lab computers, and administrative staff computers and file shares contain a mix of data from most of these protection levels.

Moreover, there is no automatic way to identify that P3 and P4 data in most cases. Each of us needs to help in the effort to identify the P3 and P4 data on the devices and services we use.

Much of the work of implementing IS-3 over the coming months and years will be to identify the P3 and P4 data across our IT environment and ensure that it is being handled appropriately.

One of the best strategies, once the P3 and P4 data has been identified, is to isolate that data in secure locations rather than leaving it mixed in with the lower-risk data.

Here are some ideas about what you can do to help out with this effort:

  • Start thinking about where you have P3 and P4 data: On your computers? On file servers? In Box or other cloud storage services? On backup drives? On USB thumb drives?
  • If you have P3 or P4 data on laptops or thumb drives or USB backup drives or other devices that can be easily lost or stolen, consider moving that data to a more secure location. If you can't move it, make sure your devices are encrypted!
  • If you have P3 or P4 data in any cloud services like Box or Google Drive, make sure that you have multi-factor authentication (like Duo!) enabled for those services.
  • If you have P3 or P4 data (e.g., old communications with students about courses or advising), consider purging those messages or archiving them to a secure location if they need to be preserved.

Within the next few months, we expect to begin surveying our faculty, staff and researchers about where we have P3 and P4 data in our environment. Please stay tuned for more information and for our next installment in this series.