Guidelines and Strategies
Active Policies
IS-3 Electronic Information Security
IS-3 establishes a framework that ensures all UC locations follow the same approach to reduce and manage cyber risk, protect information, and support the proper functioning of IT resources.
IS-5 Licensing and Operations, University Radio, Television, and Microwave Facilities
The purpose of IS-5 is to set the minimum requirements and procedures for the licensing and operations of radio, television, microwave stations, and other FCC-licensed systems.
IS-12 IT Recovery
IS-12 was created to guide and prepare for IT Recovery and business continuity in the event of an unavoidable or unforeseen disaster, whether natural or human-made.
Resource Updates
The IT Policy Glossary includes more than 90 defined terms relevant to using UC’s IT and information security policies and standards. This year, the formatting of the glossary was updated to make it easier to use.
Sharing Best Practices
UC’s IS-3 Electronic Information Security Policy establishes the framework for UC to achieve electronic information security goals. While IS-3 provides the structure, the individual UC locations make IS-3 actionable. To that end, UC Berkeley and UC San Diego each shared how they implemented IS-3 on their campuses during different Information Technology Policy and Security (ITPS) meetings this year. UC Berkeley shared their IS-3 implementation plan and focus, and UC San Diego focused on the roles and responsibilities associated with IS-3. Presentations like these enable the ITPS community to learn best practices from each other.
Staying Current with Rapidly Changing Requirements
No matter what changes occur in city, county, state, federal, global, and industry regulations, UC must stay informed, analyze the changes, and ensure that our policies and guidance incorporate the latest requirements. Changes are recorded, requirements are mapped to policies and standards, key stakeholders are consulted, and the UC community is informed.
An example of changing requirements is the Gramm-Leach-Bliley Act (GLBA), which requires institutions to protect the security, confidentiality, and integrity of customer information. The FTC implements the cybersecurity requirements of GLBA through the FTC Safeguards Rule.
Established in 2015, the Information Technology Policy and Security Community (ITPS) group has grown through word of mouth to include members who want to focus on major challenges, legal and policy issues, and campus security issues through collaboration and information sharing. This active community meets monthly (10 times a year) with an average attendance of 150+ members. The community also communicates regularly outside of the meetings to share information about threats and vulnerabilities, best practices, trends, and other topics related to information resources. ITPS is open to anyone at UC with a role or interest in IT policy or cybersecurity.
Presentations Included:
- Research Security Updates
  Marci Copland, Systemwide Associate Director, Research Security and Export Control, Office of the President
- Case Study: UC San Diego IS-3 Program and Status
- IS-3 Implementation at UC Berkeley
  Allison Henry, Chief Information Security Officer
  Scott Seaborn, Campus Privacy Officer
  Julie Goldstein, Info Security Policy Program Manager
- An Identity Makeover: Transforming a Campus IAM (Identity and Access Management) System
  Sureyya Tuncel and Dewight Kramer, UC Riverside
- One Year as CISO
  April Sather, Chief Information Security Officer, Office of the President
  Jerome Mayer-Cantú, Principal Counsel, Litigation, UC Office of the General Counsel
- Trackers, Cookies and Litigation
  Hillary Noll Kalay, Principal Counsel, UC Legal
- We Are Not Alone: Leveraging Cross-Industry Insights for Higher Education Cybersecurity Success
  Brian Kelly, Compass IT, VCISO
- Digital Accessibility and Security: Why Not Both?
  Judy Thai, Director of Application Engineering, Office of the President
  Trevor Finneman, Principal Counsel, Office of the President
  Monte Ratzlaff, Cyber Risk Program Director, Office of the President
- IT Recovery and Business Continuity Planning
  Tara Brown, Business Continuity Planner, and Adam Quilty, IT Services Continuity Lead, UCLA
  Amina Assefa, Director of Emergency Management & Business Continuity, Office of the President
  Lony Haley-Nelson, Emergency Services Coordinator, Integrated Preparedness Team, San Francisco Dept. of Emergency Management
- Ransomware Playbook
  Alex Lichtenstein, Program Manager of the Office of Emergency Preparedness, UCLA Health
IS-3 is the systemwide information security policy that ensures all UC locations follow the same approach to reducing and managing cyber risk, protecting information, and supporting the proper functioning of IT resources while leaving the implementation up to the UC locations.
A core requirement of IS-3 is for each unit to identify a Unit Information Security Lead (UISL). UISLs provide oversight and execution of information security responsibilities, including implementing security controls, reviewing risk assessments, reporting information security incidents to the CISO, and more.
Capacity has been the challenge for many units in fulfilling this role since its introduction in 2019. Effectively executing UISL responsibilities while continuing to deliver on existing priorities and projects is not easy. Additional resources would clearly be needed to meet policy requirements successfully. The question was—from where?
Molly Greek, Chief Information Officer (CIO), Office of the President, built a business case and secured organizational support for what is now known as Unit Information Security Leads “as-a-service.” In early 2022, units started signing up for the service. The share of a UISL recommended for each unit was derived from the number of sensitive applications (i.e., those classified as P3 or P4) in its portfolio. At the Office of the President, over 70% of units leverage the service, with the remainder naming existing staff to the UISL role. During the first year, the focus was ensuring a complete application inventory, reviewing access, measuring unit alignment to IS-3, and orienting units to the service. As UISL-as-a-service enters its second year, priorities will shift toward developing unit metrics and creating unit security plans and risk registers to share with leadership, bringing greater visibility to cyber risk.
April Sather, Office of the President Chief Information Security Officer, shared that UISL-as-a-service provides dedicated cybersecurity capacity while building a community at the same time. “While our team provides the structure, technology, and guidance to help UISLs succeed, the relationships they build with one another, and with unit stakeholders, make the difference. This model slices through silos and builds bridges in a really effective way.” The Office of the President’s local security team also brings the UISLs together quarterly to share tools, techniques, and templates, and hosts monthly lunch-and-learns on various topics.
"Teams should always iterate on processes to discover gaps, make improvements, and test communication channels. As cybersecurity is constantly evolving, teams must be set up for success to be prepared for whatever may occur and minimize impacts to our people and communities."
—Wendy Rager, Cyber-risk Coordination Center Manager, Office of the President
When a cyber incident occurs, the response team must know their roles and responsibilities, and be prepared to act and communicate swiftly with the appropriate parties to mitigate cybersecurity impacts. The UC Information Security Incident Response Standard, stemming from the IS-3 Electronic Information Security policy, is the guiding systemwide cyber incident response coordination process.
In 2022, C3 held a workshop that tackled executive communication during a cyber incident and received rich feedback to improve the process. As a result, the process was updated, and training occurred within the Office of the President.
In the spirit of continuous improvement, C3 organized two tabletop exercises in 2023 to test the updated process. The goals of the tabletop were to raise awareness of expectations and identify gaps. Led by a third party, the two-part learning exercise simulated a realistic cyber scenario with twists and surprises—like a real cyber event—to test the team’s response.
- In part one, the team followed the coordination and awareness process, including the communication methods. The group included C3, External Relations and Communications (ER&C), UC Legal, Privacy/Compliance, and subject matter experts.
- In part two, the team tested the communication process with select Office of the President executives, including the President’s Executive Office.
In preparation for the exercises, the team gathered to review the process. The team's feedback and suggested enhancements will benefit future exercises. The prep work and the exercises highlighted areas for further development and showcased how well prepared the team was.
$1.49M: Cost savings achieved by organizations with high levels of incident response planning and testing. (Source: IBM Cost of a Data Breach Report 2003, IBM Security)