Protecting Institutional Information and IT Resources is a collective responsibility shared across the UC system.
All UC users should follow a set of baseline cyber hygiene practices, regardless of role. Please review and comply with our Security Controls for Everyone and All Devices.
Some roles do require additional cybersecurity measures depending on the types of information and/or resources they manage, transmit or access. UC’s cybersecurity team is working to create role-specific guides to help clarify specific responsibilities.
Select your role from the list of links on the left for specific guidelines on how you can do your part to support strong cybersecurity practices at UC.
The following guides are based on a draft version of the Electronic Information Security Policy, IS-3, which is under systemwide review as part of the approval process. Making the guides available now helps reviewers see how the policy can be adopted. While some details may change during the review process, the content within the guides is still broadly applicable. Guides will be updated as necessary to align with the final policy.
Here are the draft classification levels for Section III, Subsection 8 of the Electronic Information Security Policy, IS-3:
Proposed Protection Level classifications:
|Level|Impact of disclosure or compromise|
|---|---|
|P4 - High|Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. Statutory, regulatory and contract obligations are major drivers for this risk level. Other drivers include, but are not limited to, the risk of significant harm or impairment to UC students, patients, research subjects, employees, guests/program participants, UC reputation, the overall operation of the Location or essential services. (Statutory.)|
|P3 - Moderate|Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions. Institutional Information of which unauthorized use, access, disclosure, acquisition, modification, loss or deletion could result in moderate damage to UC, its students, patients, research subjects, employees, community and/or reputation; could have a moderate impact on the privacy of a group; could result in moderate financial loss; or could require legal action. This classification level also includes lower risk items that, when combined, represent increased risk. (Proprietary.)|
|P2 - Low|Institutional Information and related IT Resources that may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access. In addition, information of which unauthorized use, access, disclosure, acquisition, modification or loss could result in minor damage or small financial loss, or cause minor impact on the privacy of an individual or group. (Internal.)|
|P1 - Minimal|Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern. IT Resources where the application of minimum security requirements is sufficient. (Public.)|
Proposed Availability Level classifications:
|Level|Impact of loss of availability or service|
|---|---|
|A4 - High|Loss of availability would result in major impairment to the overall operation of the Location and/or essential services, and/or cause significant financial losses. IT Resources that are required by statutory, regulatory and legal obligations are major drivers for this risk level.|
|A3 - Moderate|Loss of availability would result in moderate financial losses and/or reduced customer service.|
|A2 - Low|Loss of availability may cause minor losses or inefficiencies.|
|A1 - Minimal|Loss of availability poses minimal impact or financial losses.|