Information Security Management Program - College of Letters and Science

The Information Security Management Program (ISMP) at the College of Letters and Science is designed to protect our institutional data and IT resources. It applies to all Workforce Members (employees, contractors, volunteers) of the College and all Institutional Information and IT Resources owned or managed by the College.

About

The Information Secuity Management Program (ISMP) for the College of Letters and Science:

  • ensures compliance with the University of California's security policies and federal and state regulations
  • outlines essential security practices, such as regular software updates, secure data handling, and risk management, to safeguard sensitive information. 

By implementing these measures, the ISMP helps maintain a secure and efficient environment for academic and research activities, while supporting the diverse needs of our faculty, staff, and students.

The ISMP is available to review to Workforce Members (employees) of the College of Letters and Science at this address:

https://ucdavis.box.com/v/letters-and-science-ismp 

The ISMP is considered proprietary information and may not be shared outside of the College of Letters and Science Workforce Members without explicit permission from the Unit Information Security Leads for the College.

ISMP Frequently Asked Questions

 

How will the new security protocols impact productivity?

The new security protocols are designed to enhance the protection of our institutional data and IT resources, ensuring compliance with University of California policies. We understand that implementing new security measures can raise concerns about potential impacts on productivity. Our approach balances stringent security requirements with the practical needs of our faculty and staff, aiming to minimize disruptions.

  1. Risk-Based Approach: The protocols are tailored based on the risk associated with different types of data and systems. This ensures that high-risk areas receive the necessary attention without imposing unnecessary burdens on lower-risk activities.
  2. Exceptions Management: Recognizing the diverse and specialized needs across the college, we have an exceptions management process in place. This allows for flexibility where strict adherence to protocols might impede specific work requirements, provided that compensating controls are implemented to maintain security.
  3. Standardization and Automation: We are leveraging industry-standard services and tools, such as UC Davis ServiceNow for asset and incident management, and Aggie Desktop for patch management. These tools streamline processes, reducing the manual workload on IT staff and minimizing delays in addressing security needs.
  4. Support and Training: We are committed to providing the necessary support and training to ensure smooth adoption of these protocols. Our IT team is available to assist with any issues that arise, ensuring that faculty and staff can continue their work with minimal interruption.
  5. Feedback and Continuous Improvement: We encourage ongoing feedback from faculty and staff to identify any challenges or areas for improvement. This feedback loop allows us to make adjustments and enhance the program continuously, ensuring it meets the evolving needs of our community.

Overall, while the new security protocols aim to enhance our security posture, we are committed to doing so in a way that acknowledges the practical realities and diverse needs of our college. Our goal is to protect our data and IT resources without significantly impacting productivity.

(top)

How can we ensure compliance with device usage policies when university-provided devices are not always available?

We understand that the use of personally-owned devices for university business is often necessary due to the limited availability of university-provided devices. To address this, we emphasize the importance of adhering to the UC-wide IS-3 policies, which require that personal devices used to access or process data classified at Protection Level 3 (P3) or higher must meet the UC Minimum Security Standards.

These standards include:

  • Ensuring Operating Systems and Applications are Patched: Regular updates are critical to protect against vulnerabilities.
  • Running Anti-Malware Software: Use antivirus software to protect your device from malicious software.
  • Using Built-In Disk Encryption Tools: Encrypt your device to protect sensitive data in case of loss or theft.

Our primary method of ensuring compliance is through education and awareness. We aim to inform users of the importance of these standards and the potential risks associated with working with sensitive data on devices that do not comply with security requirements.

Strategies to Maintain Security on Personal Devices:

  1. Accessing Data Within Source Systems: When accessing university data from a personal device, it is advisable to keep the data within the source system whenever possible. For instance, when using Canvas, stay within your web browser and avoid downloading class rosters or assignments containing personally identifiable information to your device.
  2. Support and Resources: We offer support services to assist with the secure configuration of personal devices. This includes guidance on setting up VPN access, configuring email services securely, and ensuring your device is encrypted.
  3. Regular Reminders and Updates: We send periodic reminders and updates about security practices and the importance of maintaining compliance with the UC Minimum Security Standards.

By following these guidelines and utilizing the resources available, we can collectively ensure that our data remains secure, even when using personally-owned devices.

(top)

How will exceptions to the new policies be managed?

We recognize that the diverse and specialized needs of our faculty and staff may occasionally necessitate exceptions to the new information security policies. To manage these exceptions effectively and responsibly, we have established a clear and streamlined exceptions management process designed to deliver decisions within one business week.

  1. Valid Business Reasons: Exceptions to the security policies will be considered for valid business reasons. These reasons must be clearly documented and demonstrate why compliance with the standard policy is not feasible or would significantly impede the work.
  2. Compensating Controls: In most cases where an exception is granted, compensating controls must be implemented to address the associated risks. These controls will be designed to maintain an acceptable level of security while accommodating the unique needs of the request.
  3. Exception Request Process:
    • Submission: Workforce members requesting an exception must complete the College of Letters and Science Cyber Security Exemption Form. This form requires detailed information about the nature of the exception, the business justification, and the proposed compensating controls.
    • Review: The Unit Information Security Lead (UISL) will review the submitted request. The UISL will assess the risk and define the necessary compensating controls, timelines, and end dates for the exception.
    • Recommendation: The UISL will make a recommendation to the Unit Head based on the assessment.
    • Approval: The Unit Head or their delegate will review the UISL’s recommendation and either approve or deny the exception. If the UC Davis Information Security Management Program (ISMP) requires it, the exception will also be routed to the campus Chief Information Security Officer (CISO) for review and approval.
    • Implementation: Once approved, the requestor will be informed, and the agreed compensating controls will be implemented and monitored. Exceptions are approved with an expiration date depending on the Protection Level of the data involved. If an exception is needed past the expiration date, a new exception request must be submitted and approved.
  4. Efficient Decision-Making: We have streamlined the exception process to ensure timely decisions. Our goal is to review and decide on exception requests within one business week, minimizing delays and ensuring that your work can proceed without unnecessary interruptions.
  5. Documentation and Accountability:
    • Risk Assessment and Treatment Plan: For each exception, a Risk Assessment and Risk Treatment Plan will be documented and maintained. This ensures that all exceptions are recorded and reviewed periodically to ensure they remain justified and that compensating controls are effective.
    • Periodic Review: All granted exceptions will be reviewed periodically by the UISL and the Unit Head to determine if they are still necessary or if changes in the operational environment allow for compliance with the original policy.
  6. Communication and Transparency: The exception process is designed to be transparent and communicative. Requestors will receive feedback throughout the process, and decisions will be documented and communicated clearly to ensure understanding and compliance.

Importance of Compliance and Risks of Non-Compliance:

Working against the established policies without an approved exception entails significant risks. Both the organization and the individual may face severe consequences, including data breaches, legal ramifications, and potential personal liability. It is crucial to follow the proper process for requesting exceptions to avoid these risks and ensure that any deviations from policy are managed appropriately and securely.

By adhering to this structured and efficient approach, we aim to balance the need for security with the practical requirements of our faculty and staff, ensuring that our information security policies are both effective and adaptable.

(top)

What support will be provided for IT issues and repairs?

We understand that the predictability of repair times and the reliability of Wi-Fi connectivity are critical for the smooth operation of our college's activities. While we acknowledge the current challenges, we are committed to providing the necessary support and ensuring compliance with security policies.

  1. Ensuring Compliance:
    • Security Policies: Adhering to university security policies is essential to protect our network and data. Using non-compliant devices, such as personal routers, can create significant security vulnerabilities. Our IT team is dedicated to offering compliant alternatives to ensure you have the necessary connectivity and support without compromising security.
    • Incident Reporting: If you encounter persistent IT issues or connectivity problems, please report them to your IT support team. We are committed to identifying root causes and implementing long-term solutions to prevent recurrence.
  2. Support for IT Issues and Repairs:
    • Communication and Transparency: We strive to provide clear communication regarding the status of IT issues and repairs. This includes regular updates and estimated completion times to manage expectations and reduce uncertainty.
    • Prioritization of Repairs: Repairs are prioritized based on their impact on university operations. Critical issues that affect a large number of users or essential services are addressed as a priority.
    • Dedicated IT Support Team: Our IT support team is available to assist with any issues you encounter. Please reach out via [contact methods, e.g., phone, email, support portal] to report problems and request assistance.

  3. Improving Wi-Fi Connectivity:

    Recent Improvements: The College of Letters and Science Dean’s Office recently partnered with IET to significantly improve Eduroam and UCDGuest Wi-Fi network coverage in many of our buildings, including Voorhies, Sproul, Hart, Physics, Chemistry and Chem Annex, Art, Music, and Wright.
    Reporting Issues: We encourage you to report any Wi-Fi connectivity issues to our IT support team. By understanding the specific problems, we can work on targeted solutions to improve reliability.
    Compliant Solutions: While non-compliant routers may seem like a quick fix, they pose security risks. We are committed to providing compliant alternatives and working on long-term solutions to enhance Wi-Fi connectivity in your offices.

By focusing on these key areas, we aim to address your IT support needs effectively while ensuring that our network and data remain secure.

(top)

What measures are being taken to ensure the effectiveness of the proposed security changes?

We understand that there may be concerns about the effectiveness of the new security measures being implemented under the UC IS-3 policy and the college Information Security Management Program (ISMP). It is important to clarify that these measures are not merely bureaucratic requirements but are carefully designed to improve our overall security posture significantly.

  1. Foundation in National and International Standards:
    • ISO 27001 and NIST 800-171: The security measures we are implementing are based on well-established national and international standards such as ISO 27001 and NIST 800-171. These standards are widely recognized and adopted for their effectiveness in managing information security risks. They provide a comprehensive framework for ensuring the confidentiality, integrity, and availability of institutional information.
  2. Focus on High-Risk Areas:
    • Risk-Based Approach: The UC IS-3 policy emphasizes a risk-based approach to information security. This means that our efforts are focused on high-risk areas where the potential impact of security breaches is greatest. By prioritizing these areas, we can allocate resources more effectively and ensure that our security measures have the most significant impact.
  3. Basic Security Hygiene:
    • Essential Security Practices: Many of the security measures we are implementing constitute basic security hygiene. This includes practices such as regular patching of operating systems and applications, using anti-malware software, and ensuring encryption of sensitive data. These measures are fundamental to protecting our systems and data against common threats and vulnerabilities.
  4. UC-Wide Mandates:
    • UC System-Wide Policies: The security measures are mandated at the UC-wide level, not developed independently by UC Davis or our college. The UC Office of the President has established these policies to ensure consistent and effective security practices across all campuses. This consistency helps protect the entire UC system's data and IT resources.
    • Compliance Requirements: Many of these measures are also required by our grant funding agencies, insurers, and federal and state regulations such as FERPA (Family Educational Rights and Privacy Act). Compliance with these regulations and requirements is essential for maintaining our eligibility for funding and insurance coverage and for meeting legal obligations.
  5. Ongoing Evaluation and Improvement:
    • Continuous Monitoring: We continuously monitor the effectiveness of our security measures and make adjustments as needed. This includes regular risk assessments, audits, and reviews to identify areas for improvement and ensure that our security practices remain current with evolving threats.

By implementing these security measures, we aim to create a robust security environment that protects our institutional information and IT resources from potential threats. These measures are grounded in proven standards, focused on high-risk areas, and represent essential security practices that are crucial for maintaining a secure academic and research environment.

(top)

How will the new software management policies affect the use of open source software?

We understand that open source software is widely used in research due to its flexibility, cost-effectiveness, and collaborative nature. The new software management policies under the UC IS-3 framework aim to balance security with practicality, ensuring that the use of open source software can continue effectively while maintaining our security posture.

  • Policy Overview:
    • Security Standards: The new software management policies require that all software, including open source, must meet certain security standards. This includes regular security patches and updates to mitigate vulnerabilities.
    • Risk-Based Approach: Our policies take a risk-based approach, prioritizing the security of systems that handle sensitive or high-risk data. This means that the requirements for security patches and updates are more stringent for software used in high-risk contexts.
  • Exceptions and Compensating Controls:
    • Exception Process: For open source software that is critical to research but does not receive regular security patches, an exception can be requested. The exception process involves a risk assessment and the implementation of compensating controls to mitigate potential security risks.
    • Compensating Controls: These may include isolating the software in a controlled environment, using additional security tools, or applying custom security patches developed in-house. Our IT support team can assist with implementing these controls to ensure compliance and security.
  • Support and Resources:
    • Security Resources: We provide resources and support for securing open source software. This includes guidelines for assessing the security of open source projects, tools for monitoring vulnerabilities, and best practices for secure configuration and usage.
    • Collaboration and Community Involvement: We encourage collaboration with the open source community to contribute to the security and maintenance of critical software projects. This not only helps improve the security of the software but also strengthens our research capabilities.

By incorporating these measures, we aim to support the continued use of open source software in research while ensuring that our security standards are met. The goal is to create a secure and practical environment that fosters innovation and collaboration.

(top)

What is being done to simplify complex documentation and policies?

The language used in policy documents can sometimes be opaque and challenging for people without IT security expertise to understand and comply with. To address these concerns, we are committed to making our documentation as clear and user-friendly as possible. Here are the steps we are taking to simplify complex documentation and policies:

  1. Distillation of Key Aspects:
    • Synthesis of Core Policies: The college Information Security Management Program (ISMP) is designed to distill and synthesize the key aspects of much longer and more complex documents. Underpinning policies, legal frameworks, and other documents often contain extensive details that are necessary for full compliance but can be overwhelming. Our ISMP aims to present these essentials in a more manageable format.
  2. User-Friendly Language:
    • Plain Language: We strive to use plain language in our documentation to make it more accessible. This involves avoiding technical jargon where possible and providing clear explanations for any necessary technical terms.
    • Simplified Explanations: Complex concepts are broken down into simpler explanations to help people without IT security expertise understand the requirements and their implications.
  3. Structured and Clear Layout:
    • Organized Sections: The ISMP and related documents are organized into clearly defined sections, making it easier to find relevant information. Each section addresses specific aspects of information security, such as risk management, device management, and data protection.
    • Summaries and Highlights: Key points and important policies are highlighted or summarized at the beginning of sections to provide quick, easy-to-understand overviews.
  4. Supplementary Materials:
    • Guides and FAQs: We are working to develop supplementary materials such as guides and FAQs to further simplify the understanding and implementation of policies. These resources are designed to answer common questions and provide practical advice on compliance.
  5. Feedback and Continuous Improvement:
    • Soliciting Feedback: We actively solicit feedback from faculty, staff, and other stakeholders to identify areas where our documentation can be improved. Comments and suggestions can be sent to lsuisl@ucdavis.edu. This feedback is invaluable in helping us make our policies clearer and more user-friendly.
    • Regular Updates: Based on the feedback received, we regularly update our documentation to ensure it remains relevant, accurate, and easy to understand.

By taking these steps, we aim to simplify complex documentation and policies, making it easier for everyone to understand and comply with our information security requirements. Our goal is to provide clear, concise, and practical guidance that supports our community in maintaining a secure and compliant environment.

(top)

How will changes in reimbursement policies for third-party cloud storage affect research?

Changes in reimbursement policies for third-party cloud storage (and all other software and cloud services) are designed to ensure that sensitive data is stored securely and in compliance with university policies. Here’s how these changes will be managed and their impact on research:

  1. Use of Approved Storage Solutions:
    • University-Approved Solutions: Researchers are encouraged to use university-approved storage solutions like Box, Microsoft OneDrive, and Google Drive for storing Institutional Information. These solutions are selected because they meet our security standards and compliance requirements as outlined in the ISMP​​.
  2. Exceptions for Low-Risk Data:
    • P1 and P2 Data: For low-risk data classified as P1 (Minimal) or P2 (Low), using other storage services like Apple iCloud is acceptable, provided a Vendor Risk Assessment (VRA) is completed. This ensures that even low-risk data is handled securely and any potential risks are identified and managed​​.
  3. Vendor Risk Assessments (VRAs):
    • Regular VRAs: VRAs must be conducted for third-party cloud storage services to evaluate their security posture. These assessments are generally valid for a specified period—3 years for P1 and P2, 2 years for P3, and 1 year for P4 data—ensuring ongoing compliance and security​​.
  4. Use of Existing Contracts:
    • Contracted Services: If a storage service is available under existing university contracts, it must be purchased through those contracts rather than individually and reimbursed. This policy helps manage costs and ensures that all data storage solutions comply with the university’s security standards​​.

By adhering to these policies, we aim to balance the need for secure data storage with the practical requirements of researchers. Our goal is to protect research data while minimizing disruption to research activities.

(top)

How will IT resources be defined and managed in relation to personal devices and data?

Managing IT resources, especially in relation to personal devices and data, is crucial for maintaining security and compliance with university policies. Here’s how IT resources are defined and managed according to our Information Security Management Program (ISMP):

  1. Definition of IT Resources:
    • Inclusive Definition: IT resources encompass IT infrastructure, software, and hardware with computing and networking capabilities. This includes both UC-owned and personally owned devices when they store Institutional Information, are connected to UC systems, or are used for UC business​​.
  2. Use of Personal Devices:
    • Compliance Requirements: Personal devices used to access or process Institutional Information must comply with the UC Minimum Security Standard. This includes ensuring that operating systems and applications are patched, running anti-malware software, and using disk encryption tools​​.
    • Protection Levels: The ISMP outlines specific requirements based on the classification of data. For instance, Institutional Information classified at Protection Level 3 or higher must be handled with enhanced security measures, regardless of whether it is stored on personal or university-owned devices​​.
  3. Managing Exceptions:
    • Exception Process: Units can request exceptions to the standard security controls when necessary. This involves a risk-based approach, documenting the need for the exception, its duration, and the compensating controls that will be implemented to mitigate risks. Exceptions must be approved by the Chief Information Security Officer (CISO) and a Unit Head​​.
  4. Consistency in Policy Application:
    • Governance and Review: The ISMP establishes an information security risk governance framework to ensure consistent application of security policies. This includes regular reviews and updates to address changing business needs, operating environments, and threat landscapes​​.
    • Training and Awareness: Locations must implement training and awareness programs to ensure that all workforce members understand their roles and responsibilities in protecting Institutional Information and IT resources. This helps maintain consistent adherence to security policies across the organization​​.

By clearly defining IT resources, enforcing compliance on personal devices, managing exceptions through a structured process, and ensuring consistent policy application, we aim to maintain a secure and efficient environment for all users.

(top)

What is the policy on faculty taking hardware when they leave the institution?

Hardware
This is not explicitly addressed in the college ISMP, but it is clearly addressed under UC policy BFB-BUS-38. If you are moving to another institution and wish to take University-owned property, such as a laptop, you must follow specific procedures and rules:

  • The property must be sold to the recipient institution at fair market value, unless an exception is approved. Note that this is outside of the college ISMP exception process and must follow the BUS-38 exception process.
  • You need to submit a written request that includes a specific list of the property being transferred, the reason for the sale, and the name of the institution to which the property will be sold.
  • This request must be approved by the Department Head, Dean (or equivalent officer), and the campus-level Equipment Administrator (under FOA-Equipment Management).
  • A purchase order must be issued by the recipient institution, and all necessary approvals and full payment must be received before the property can be transferred.
  • The property must not become personal property but must vest with the recipient institution.

The policy clearly states that University-owned property cannot be taken as personal property by the departing faculty member and must involve specific institutional approvals for its transfer.

See: BFB-BUS-38: Disposition of Excess Property and Transfer of University-Owned Property

Data Agreements are governed by the language of the data agreement in question, these agreements can be very liberal or very restrictive. You will need to follow the data agreement as it was stipulated upon receipt. Office of Research is the best point of contact for data agreement questions.

(top)

How will software patches and updates be managed for frequently used but outdated libraries?

We understand that the use of specialized and sometimes outdated applications or libraries is common in research. Managing software patches and updates for these tools is crucial to maintaining security while supporting research needs. Here is how we address this within our Information Security Management Program (ISMP):

  1. Security Standards for Software:

    The ISMP requires that supported software for which security patches are regularly made available must be used unless an exception is in place​​. This ensures that all software meets a minimum security standard to protect our systems and data.

  2. Definition of Regularly Patched Software:

    Regularly patched software is defined as software that receives security updates from its supplier or community on a predictable and frequent basis. This is crucial for mitigating known vulnerabilities and protecting our IT resources.

  3. Exception Management:

    For software that is essential for research but does not receive regular security patches, an exception can be requested. The exception process involves a thorough risk assessment and the implementation of compensating controls to address potential security risks​​. This ensures that we can continue to use specialized software while maintaining security.

  4. Compensating Controls:

    When an exception is granted, compensating controls must be put in place. These may include isolating the software in a controlled environment, using additional security tools, or applying custom security patches developed in-house​​. These controls help mitigate the risks associated with using outdated or unsupported software.

  5. Support for Open Source and Specialized Software:

    We recognize that open source and research-specific software may not always be updated with an eye to security. We provide resources and support for assessing the security of these tools and applying necessary updates or controls. This includes guidelines for evaluating the security posture of open source projects and best practices for secure configuration and usage​​.

By following these measures, we aim to balance the need for specialized research tools with the imperative of maintaining a secure IT environment. Our goal is to support your research activities while ensuring that our systems and data are protected against potential threats.

(top)

How will the new policies accommodate vendor-supplied research data with specific security requirements?

We recognize that supplier-provided research data (whether the supplier is a commercial vendor, another research institution, a governmental agency, etc.) often come with specific security requirements, including restrictions on backups and the need for higher security levels. Our Information Security Management Program (ISMP) is designed to address these needs and ensure compliance with all relevant security standards and regulations.

  1. Risk Management and Classification:
    • Data Classification: All Institutional Information, including supplier-provided research data, is classified based on its Protection Level (P-Level) and Availability Level (A-Level). This classification helps in assessing risks and selecting appropriate security controls.
    • Risk Assessment: Regular risk assessments are conducted to evaluate the security requirements of vendor-supplied data and to ensure that appropriate controls are in place. These assessments consider the specific restrictions and higher security needs of such data.
  2. Supplier Risk Management:
    • Vendor Risk Assessment (VRA): All IT resources and services acquired from suppliers, including research data, must undergo a Vendor Risk Assessment. This process ensures that the security requirements of the data are met before it is integrated into our systems.
    • Data Transfer Agreements: In cases where data is coming from other institutions or agencies, Data Transfer Agreements are negotiated through Office of Research, and the OR process includes consultation with the campus Information Security Office to ensure that agreed information security terms in negotiated contracts are being followed.
    • Security Controls: The VRA process evaluates the protection levels required by the vendor and ensures that compensating controls are implemented where necessary. This includes ensuring compliance with federal and state regulations like FERPA, as well as any specific requirements set by grant funding agencies and insurers.
  3. Data Management and Storage:
    • Secure Storage Solutions: Vendor-supplied research data with higher security requirements are stored in secure fileservers or approved secure services that meet the necessary encryption and access control standards.
    • Backup Restrictions: For data with restrictions on backups, we adhere to the guidelines provided by the vendor. This includes using secure, encrypted storage solutions and ensuring that any backups comply with the specified restrictions.
  4. Exception Management:
    • Exceptions Process: In cases where the standard security measures cannot be applied due to the specific requirements of the vendor-supplied data, an exception can be requested. This involves a thorough risk assessment and the implementation of compensating controls to mitigate any associated risks.
    • Approval and Monitoring: Exceptions are reviewed and approved by the Unit Head, and if necessary, by the campus Chief Information Security Officer (CISO). Each exception is documented, and a Risk Treatment Plan is maintained to ensure ongoing compliance and security.

By following these measures, we ensure that vendor-supplied research data with specific security requirements are managed securely and in compliance with all relevant policies and regulations. Our approach is designed to protect the integrity and confidentiality of the data while accommodating the practical needs of our research community.

(top)

How does the number of supported devices relate to security policies?

The number of supported devices is directly related to our security policies for several key reasons. Here’s how these policies are structured to ensure security and practicality:

  1. Per-Device Costs and Security Tools:
    • Cost Considerations: Many of the security tools we are required to use have per-device costs. This includes software for antivirus, encryption, and other security measures. There are also costs in IT staff time in managing additional devices. Limiting the number of supported devices helps manage these costs while ensuring that each device can be adequately protected.
    • Security Tool Deployment: Ensuring that each supported device is equipped with the necessary security tools is crucial for maintaining a secure environment. This includes tools like Aggie Desktop for patch management and antivirus software like Microsoft Defender for Endpoint​​.
  2. Decommissioning Older Devices:
    • Firmware and OS Updates: Older devices that no longer receive firmware or operating system updates are inherently insecure because they are vulnerable to known exploits that will not be patched. Our policy incentivizes the decommissioning of such devices to maintain a secure network environment​​.
    • Device Replacement Schedule: We have a recommended replacement schedule for devices to ensure that all hardware remains up-to-date and secure. This includes replacing desktops and laptops every five years and mobile devices every three years​​.
  3. Exceptions for Specialized Needs:
    • Research Labs and Specialized Equipment: We recognize that certain research and teaching labs labs or other specialized needs may require exceptions to these policies. The ISMP allows for such exceptions, provided they are documented and approved through the college Exception Management Process​​.
    • Compensating Controls: When exceptions are granted, compensating controls must be put in place to mitigate any additional risks. This ensures that even devices that fall outside the standard policies can still be used securely​​.

By limiting the number of supported devices, decommissioning outdated hardware, and allowing for exceptions in special cases, we aim to balance security with practicality. These measures help manage costs, maintain a secure IT environment, and accommodate the unique needs of our research community.

(top)

What are the consequences and enforcement mechanisms for non-compliance?

Ensuring compliance with our security policies is critical to maintaining the integrity and security of our institutional information. The Information Security Management Program (ISMP) and the UC IS-3 policy outline both the consequences of non-compliance and the mechanisms for enforcement. Here’s how we manage this:

  1. Consequences of Non-Compliance:
    • Organizational Accountability: Non-compliance with security policies can result in significant organizational consequences. For example, if a unit fails to comply with the IS-3 policy and this leads to an information security incident, the unit may be held financially accountable for the costs associated with the incident. This includes costs related to forensic investigations, fines, consumer notifications, and other remediation efforts​​. From past experiences within the UC system, these costs range from tens of thousands for minor breaches to millions of dollars for major breaches.
    • Personal Accountability: While financial responsibility for an information security incident is generally an organizational concern, individuals may still be held liable by external parties. Regulatory agencies may levy fines against individuals if they are found personally responsible for a breach. However, UC policy does not seek to recover costs from individuals within the organization for compliance failures​​.
  2. Enforcement Mechanisms:
    • Audits and Monitoring: Regular audits and monitoring activities are conducted to ensure compliance with security policies. This iterative process involves collaboration among the Cyber-risk Responsible Executive (CRE), Chief Information Officer (CIO), Chief Information Security Officer (CISO), and other stakeholders. These audits help identify areas of non-compliance and areas for improvement​​.
    • Shared Governance: Managing security risk requires shared governance, involving faculty, administrative leaders, and internal audit teams. This collaborative approach ensures that all stakeholders are engaged in maintaining compliance and managing cyber risks effectively​​.
  3. Exception Management:
    • Exception Process: The ISMP allows for exceptions in cases where compliance with standard policies may not be feasible. This is particularly relevant for research labs or specialized needs. Exceptions must be documented and approved through a formal process, which includes a risk assessment and the implementation of compensating controls to mitigate any additional risks​​.
    • Documentation and Accountability: All exceptions are documented, and a Risk Treatment Plan is maintained to ensure ongoing compliance and security. Regular reviews of these exceptions are conducted to ensure that they remain justified and that compensating controls are effective​​.

By implementing these enforcement mechanisms and clearly outlining the consequences of non-compliance, we aim to foster a culture of security and accountability. Our goal is to protect our institutional information while supporting the diverse needs of our research community.

(top)

How will the new security protocols handle printed "Institutional Information"?

The handling of printed materials is not fully addressed in the college Information Security Management Program, but it is addressed more fully in the UC-wide IS-3 policy as summarized below.

Handling printed Institutional Information securely is an important aspect of our overall information security strategy.

Here’s how UC security protocols address the storage and disposal of printed materials:

  1. Storage Security Measures:
    • Secure Storage: Printed Institutional Information classified at Protection Level 3 or higher must be stored in secure, locked locations when not in use. This ensures that sensitive information is protected from unauthorized access. Examples of secure storage include locked cabinets, drawers, or rooms with restricted access​​.
    • Access Control: Only authorized personnel should have access to these secure storage locations. Access control measures, such as key management or access logs, should be implemented to monitor and manage who has access to the printed materials​​.
  2. Disposal Security Measures:
    • Secure Disposal: Printed Institutional Information that is no longer needed must be disposed of securely. For information classified at Protection Level 2 or higher, shredding is the recommended disposal method. This prevents unauthorized access to sensitive information that could be retrieved from improperly discarded documents​​.
    • Compliance with Standards: Disposal practices must comply with the UC Institutional Information Disposal Standard. This ensures that all printed materials are destroyed in a manner that makes the information irretrievable and unreadable​​.
  3. Handling Practices:
    • Minimize Printing: To reduce the risk of information breaches, we encourage minimizing the printing of sensitive information whenever possible. Digital formats should be used where feasible and secure digital storage practices should be followed​​.
    • Labeling and Tracking: Printed documents containing sensitive information should be clearly labeled to indicate their classification level. Additionally, tracking who accesses these documents and when they are disposed of can further enhance security​​.
  4. Responsibility and Compliance:
    • Unit Information Security Lead (UISL): The UISL is responsible for ensuring that the handling, storage, and disposal of printed Institutional Information comply with the security protocols outlined in the ISMP and IS-3 policy​​.
    • Periodic Audits: Periodic audits will be conducted in cooperation with the campus Information Security Office to ensure compliance with these protocols. Units are required to review their practices periodically and make necessary adjustments to enhance security​​.

By implementing these measures, we aim to protect printed Institutional Information from unauthorized access and ensure its secure disposal, thereby maintaining the confidentiality, integrity, and availability of sensitive data.

(top)

How will exceptions and VRAs (Vendor Risk Assessments) be managed in persistent data relationships?

Managing exceptions and Vendor Risk Assessments (VRAs) is essential to maintaining security while accommodating the practical needs of ongoing data relationships. Here is how these processes are handled according to our Information Security Management Program (ISMP):

  1. Vendor Risk Assessments (VRAs):
    • Frequency of VRAs: VRAs are generally approved for specific periods based on the protection level of the data being accessed. For P1 and P2 use cases, VRAs are valid for up to 3 years; for P3, they are valid for 2 years; and for P4, they are valid for 1 year. This ensures that the security posture of the vendor is regularly reviewed and updated to reflect any changes in risk or compliance requirements​​.
    • Ongoing Data Relationships: For persistent data relationships, each new instance of data download or access does not require a separate VRA, provided the existing VRA is still valid and has not reached its expiration period. This streamlines the process while ensuring continuous compliance.
  2. Exceptions Management:
    • Risk-Based Approach: Exceptions to standard security controls are managed through a formal process that involves a thorough risk assessment. Units requesting an exception must document why the exception is needed, the duration of the exception, and the compensating controls that will be implemented to mitigate associated risks​​.
    • Approval and Documentation: Exceptions must be approved by the Chief Information Security Officer (CISO) and a Unit Head. All exceptions are documented and periodically reviewed to ensure they remain justified and that compensating controls are effective​​.
  3. Managing Persistent Data Relationships:
    • Continuous Monitoring: Even in persistent data relationships, continuous monitoring and periodic reviews are essential to ensure that the security measures remain effective and compliant with the latest standards and regulations. This includes reviewing the VRAs at their designated intervals and re-evaluating any granted exceptions​.
    • Adaptation to Changes: If there are significant changes in the vendor’s security posture, data handling practices, or regulatory requirements, a new VRA or an updated risk assessment may be necessary before continuing the data relationship​​.

By following these procedures, we ensure that security is maintained without unnecessary interruptions to research and operational workflows. Our goal is to provide a secure yet practical framework for managing ongoing data relationships.

(top)

Tags

Policies