UC’s Important Security Controls for Everyone and All Devices

UC's knowledge -- its discovery, advancement, transmission and organization -- lies at the heart of our fundamental mission to provide world-class teaching, research and public service. Protecting the confidentiality, integrity and availability of this Institutional Information, as well as our IT Resources, is critical to support our mission. UC is equally committed to protecting the privacy of our students, faculty, staff, patients, research participants and other stakeholders whose information we receive, create and maintain (Private Information).

The following standards describe some of the key practices necessary to protect UC’s Institutional Information, IT Resources and Private Information. UC, its workforce members, partners, consultants and suppliers are also required to comply with any additional obligations imposed by contract, law and/or regulation.

Please begin implementing these standards and, where there are gaps, prioritize adoption by risk level. These standards will be revised periodically as UC navigates a continually evolving cybersecurity landscape. Beginning in fiscal year 2018 the current version of these standards will be required, and units will need to develop plans to implement them over the ensuing 12 months.

UC’s Security Standard for Everyone and All Devices

Each numbered control below gives its requirement, practical tips, and whether it is required for each device type (Mobile, Windows, Mac, Linux).

1. Anti-malware

Requirement:
Install current anti-malware software and set it to automatically update.

Tips:
Enable real-time protection. Enable regular full scans.

Applies to: Mobile: Not required | Windows: Required | Mac: Required | Linux: Recommended

2. Patching

Requirement:
Supported security patches must be applied to all operating systems and applications within 30 days of release.

Tips:
Where possible, use automatic updating or connect to your IT department's patching and upgrade service.

Applies to: Mobile: Required | Windows: Required | Mac: Required | Linux: Required

3. Local admin or Administrator

Requirement:
Create a non-privileged user account and only elevate to root or Administrator when necessary.

Tips:
Do not run your day-to-day account as Administrator on Windows/Mac OS or as root/su on Linux.

Create a standard user account and only elevate to Administrator when necessary.

Most web and e-mail compromise tools are ineffective, or less effective, if you are logged in as a regular (non-admin) user.

Applies to: Mobile: Required | Windows: Required | Mac: Required | Linux: Required

4. Encryption

Requirement:

  1. Laptops and mobile devices must be encrypted.
  2. Institutional Information classified at Protection Level 3 or higher must be encrypted when stored.

Tips:

  1. Use your Location's recommended or required encryption solution. Otherwise use the native operating system encryption.
  2. If you don't need it, don't store it. If you need to store it, encrypt it.
  3. Device-level encryption is the best option, but if the device is not encrypted, the Institutional Information itself must be encrypted.

Applies to: Mobile: Required | Windows: Required | Mac: Required | Linux: Required

5. Session timeout

Requirement:
Devices used to store or access Institutional Information or IT Resources classified at Protection Level 2 or higher must employ session timeout or lockout mechanisms that block access after a defined period of inactivity (15 minutes, or your Location's limit). These mechanisms must require re-authentication before the user returns to interactive use.

Tips:
Enable the locking screensaver on Windows or Mac OS. Enable the inactivity timeout on portable devices.

Applies to: Mobile: Required | Windows: Required | Mac: Required | Linux: Required

6. Password/PIN lock

Requirement:
All devices used for UC business, including laptops, tablets and smartphones, must be secured with a password, PIN or biometric lock.

Tips:
Strong passwords and PINs are one of UC's best defenses against unauthorized access.

Applies to: Mobile: Required | Windows: Required | Mac: Required | Linux: Required

7. Password strength and security requirements

Requirement:
Passwords/PINs used for UC business purposes must comply with the UC Password Management Standard.

Tips:
Top password tips:

  • Longer passwords are better.
  • Use a combination of letters, numbers and special characters.
  • Never share passwords or PINs.
  • Do not use the same or similar passwords for different accounts.
  • Do not use your UC username and password for non-UC accounts.
  • Change default passwords.
  • Never use your name, username, dictionary words or common keyboard sequences (e.g. "12345678", "qwerty") as your password.

Applies to: Mobile: Required | Windows: Required | Mac: Required | Linux: Required

8. Physical security

Requirement:
Workforce Members are responsible for physically securing all Institutional Information and devices in their possession that belong to the University or that store P2 or higher Institutional Information. This includes safeguards such as using physical security cables and not leaving mobile or portable devices unattended.

Tips:
Most valuable information is lost or stolen at the workplace. Theft from vehicles is also common.

Applies to: Mobile: Required | Windows: Required | Mac: Required | Linux: Required

9. Backup and recovery

Requirement:
Institutional Information classified at Availability Level 3 or higher must be backed up and recoverable. Backups must be protected according to the classification level of the information they contain.

Tips:
Implementation must be consistent with business, regulatory and records management requirements.

Applies to: Mobile: Required | Windows: Required | Mac: Required | Linux: Required

10. Host-based firewall

Requirement:
On devices for which host-based firewall software is available, it must be running and configured to block all inbound traffic that is not explicitly required for the intended use of the device.

Tips:
Windows, Mac OS and Linux, as well as many popular anti-malware applications, come with suitable firewalls. Default settings are typically acceptable.

Applies to: Mobile: Not required | Windows: Required | Mac: Required | Linux: Required

11. Approval and inventory

Requirement:
Consult your Location IT department or online resources to determine whether you need approval to use a device and/or must record it in inventory.

Tips:
Many security breaches can be prevented, or their impact minimized, if your IT department is aware of your device and what is stored on it.

Applies to: Mobile: Required | Windows: Required | Mac: Required | Linux: Required

12. Operating systems

Requirement:
Run a vendor-supported version of the operating system.

Tips:
Operating systems that are End-of-Life (EOL) no longer receive security patches and are vulnerable to compromise (e.g. Windows XP, Server 2003, Vista). Other operating systems may not have a formal end-of-life, so check to make sure security vulnerabilities are still being patched.

Applies to: Mobile: Required | Windows: Required | Mac: Required | Linux: Required
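As an added illustration (not part of the UC standard or any UC tooling), the Python below encodes the table's applicability matrix and its thresholds (30-day patch window, encryption for portable devices and P3+ data, 15-minute or Location inactivity lock for P2+, backups for A3+) and reports a device's gaps with Required items first, matching the "prioritize adoption by risk level" guidance. The posture-record keys, the sample laptop and its assessment date are assumptions constructed for the example; the controls that are not machine-checkable (password strength, physical security, inventory) are left out.

```python
from datetime import date

DEVICE_TYPES = ("Mobile", "Windows", "Mac", "Linux")
# Controls whose level varies by device type in the standard's table; all others are Required everywhere.
APPLICABILITY = {
    "anti-malware": ("Not required", "Required", "Required", "Recommended"),
    "host-based firewall": ("Not required", "Required", "Required", "Required"),
}

def level(control, device_type):
    """Requirement level of a control for one device type."""
    return APPLICABILITY.get(control, ("Required",) * 4)[DEVICE_TYPES.index(device_type)]

def evaluate(dev, today):
    """Gaps as (control, level, detail) for a posture record (assumed keys); Required before Recommended."""
    gaps = []
    def gap(control, detail):
        lvl = level(control, dev["type"])
        if lvl != "Not required":  # e.g. anti-malware on Mobile is never a gap
            gaps.append((control, lvl, detail))
    for ok, control, detail in (
            (dev["antimalware_auto_update"], "anti-malware", "no auto-updating anti-malware"),
            (not dev["daily_account_is_admin"], "local admin", "day-to-day account is Administrator/root"),
            (dev["screen_lock"], "password/PIN lock", "no password, PIN or biometric lock"),
            (dev["firewall_default_deny_inbound"], "host-based firewall", "inbound not blocked by default"),
            (dev["os_vendor_supported"], "operating system", "OS no longer vendor-supported")):
        if not ok:
            gap(control, detail)
    # Threshold controls: 30-day patching, encryption by device type / P-level, P2+ lock, A3+ backup.
    p = dev["oldest_unapplied_patch"]  # release date of the oldest missing patch, or None
    if p and (today - p).days > 30:
        gap("patching", f"patch outstanding {(today - p).days} days (limit 30)")
    if dev["portable"] and not dev["disk_encrypted"]:
        gap("encryption", "laptop/mobile device without device-level encryption")
    if dev["max_protection_level"] >= 3 and not (dev["disk_encrypted"] or dev["data_encrypted"]):
        gap("encryption", "P3+ information stored without device or file encryption")
    t, limit = dev["lock_after_minutes"], dev.get("location_timeout_minutes", 15)
    if dev["max_protection_level"] >= 2 and (t is None or t > limit):
        gap("session timeout", f"inactivity lock is {t} min (limit {limit})")
    if dev["availability_level"] >= 3 and not dev["backed_up"]:
        gap("backup and recovery", "A3+ information not backed up")
    gaps.sort(key=lambda g: g[1] != "Required")  # stable sort: Required gaps first
    return gaps

# Constructed sample: a Linux laptop holding P3/A3 research data, assessed on ASSESSED_ON.
ASSESSED_ON = date(2018, 7, 1)
SAMPLE = dict(type="Linux", portable=True, antimalware_auto_update=False, daily_account_is_admin=False,
              oldest_unapplied_patch=date(2018, 5, 1), disk_encrypted=False, data_encrypted=True,
              max_protection_level=3, availability_level=3, lock_after_minutes=30, screen_lock=True,
              backed_up=True, firewall_default_deny_inbound=True, os_vendor_supported=True)
```

Calling `evaluate(SAMPLE, ASSESSED_ON)` yields three Required gaps (patching at 61 days, unencrypted laptop, 30-minute lock) followed by the Recommended anti-malware gap.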

Copyright © Regents of the University of California | Terms of use