
UC’s Important Security Controls for Everyone and All Devices

UC's knowledge and its discovery, advancement, transmission and organization lies at the heart of our fundamental mission to provide world-class teaching, research and public service. Protecting the confidentiality, integrity and availability of this institutional information, as well as our IT resources, is critical to support our mission. UC is equally committed to protecting the privacy of our students, faculty, staff, patients, research participants and other stakeholders whose information we receive, create and maintain (private information).

The following standards describe some of the key practices necessary to protect UC’s institutional information, IT resources and private information. UC, its workforce members, partners, consultants and suppliers are also required to comply with any additional obligations imposed by contract, law and/or regulation.

Please begin implementing these standards and, where there are gaps, prioritize adoption by risk level. These standards will be revised periodically as UC navigates a continually evolving cybersecurity landscape. Beginning in fiscal year 2018, the current version of these standards will be required, and units will need to develop plans to implement them over the ensuing 12 months.

UC’s Security Standard for Everyone and All Devices

Each numbered control below states the requirement, practical tips, and whether the control is required for each device type (Mobile, Windows, Mac, Linux).

1. Anti-malware

Requirement:
Anti-malware software must be installed and running with up-to-date definitions.

Tips:
Enable real-time protection and regular full scans.

Mobile: Recommended | Windows: Required | Mac: Required | Linux: Recommended

2. Patching

Requirement:
Supported security patches must be applied to all operating systems and applications.

Tips:
Where possible, use automatic updating or connect to your IT department's patching and upgrade service. Apply patches as soon as possible, since prompt patching quickly reduces risk.

Mobile: Required | Windows: Required | Mac: Required | Linux: Required

3. Local admin or Administrator

Requirement:
Non-privileged user accounts must be used and only elevated to root or administrator when necessary.

Tips:

Perform routine and daily activities using non-privileged accounts.

Use Administrator on Windows/Mac OS or root/su on Linux or UNIX only for a specific administrative action. Log out of the account after completing the action.

Contact your location help desk or IT support center to set up root or administrator accounts if necessary.

Mobile: Not required | Windows: Required | Mac: Required | Linux: Required

4. Encryption

Requirement:
Laptops and mobile devices must be encrypted.

Separately, institutional information classified at Protection Level 3 or higher must be encrypted when stored by a workforce member.

Tips:

Use the approved encryption method for your location.

If you don't need it, don't store it. If you need to store it, encrypt it.

Device-level encryption is the best option. If the device is not encrypted, encrypt any institutional information classified at Protection Level 3 or higher when stored on laptops and mobile devices.

Mobile: Required | Windows: Required | Mac: Required | Linux: Required

5. Session timeout

Requirement:
Devices used to store or access institutional information or IT resources classified at Protection Level 2 or higher must employ a lockout/screen-lock mechanism or session timeout to block access after a defined period of inactivity (15 minutes or the location limit). Mechanisms must require re-authentication before returning to interactive use.

Tips:

Enable the locking screensaver on Windows or Mac OS.

Enable inactivity timeout on mobile devices.

Use TMOUT or another method to automatically log out on Linux or UNIX.

Mobile: Required | Windows: Required | Mac: Required | Linux: Required

6. Password/PIN lock

Requirement:
Secure devices with a strong password, PIN, smart card or biometric lock.

Tips:

Strong passwords and PINs are one of UC's best defenses against unauthorized access.

Consult location resources for guidance on creating a strong password/PIN, smart card or biometric lock that complies with the UC Authentication Management Standard.

Strong passwords are 10-64 characters in length and include upper and lowercase letters, numbers and special characters.

Do not share passwords or PINs, and do not use common or similar passwords across accounts. Do not use your UC username and password for personal accounts.

Do not use default passwords; change default passwords immediately.

Never use your username, "password," "123456," "12345678," "qwerty," common words, phrases or your name as your password.

Mobile: Required | Windows: Required | Mac: Required | Linux: Required

7. Physical security

Requirement:
Devices and institutional information must be physically secured.

Tips:

Use physical security cables to protect against theft or loss of valuable information from your workplace or vehicle.

Lock devices in a cabinet at the end of the day/shift.

Do not leave unencrypted devices unattended.

Mobile: Required | Windows: Required | Mac: Required | Linux: Required

8. Backup and recovery

Requirement:
Institutional information classified at Availability Level 3 or higher must be backed up and recoverable. Backups must be protected according to the classification level of the information they contain.

Tips:
Ensure the backup plan is consistent with business, regulatory and records management requirements.

Mobile: Required | Windows: Required | Mac: Required | Linux: Required

9. Encrypt portable media

Requirement:
Backups and portable media containing institutional information classified at Protection Level 4 must be encrypted and safely stored.

Tips:

Encrypt all portable media and backups whenever possible. Lost or stolen media is a common cause of reportable data breaches.

It is good practice to encrypt institutional information classified at Protection Level 3. Some locations require encryption for institutional information classified at Protection Level 3 when stored on portable media.

Mobile: Required | Windows: Required | Mac: Required | Linux: Required

10. Host-based firewall

Requirement:
If host-based firewall software is available on a device, it must be running and configured to block all inbound traffic that is not explicitly required for the intended use of the device.

Tips:
Use the firewalls built into Windows, macOS and Linux, or those included with many popular anti-malware applications. Default settings are typically acceptable.

Mobile: Not required | Windows: Required | Mac: Required | Linux: Required

11. Approval and inventory

Requirement:
Make sure devices can be secured before making a purchasing decision.

Make sure IT resources and institutional information are appropriately recorded in the location inventory.

Tips:

Consult your location IT department or online resources to determine whether a device requires approval and recording in inventory.

Many security breaches can be prevented, or their impact minimized, if your IT department is aware of your device and what is stored on it.

Mobile: Required | Windows: Required | Mac: Required | Linux: Required

12. Supported operating systems

Requirement:
Run a version of the operating system that is supported by the vendor.

Tips:
Do not use end-of-life operating systems such as Windows XP, Server 2003 or Vista. They no longer receive security patches and are vulnerable to compromise.

Mobile: Required | Windows: Required | Mac: Required | Linux: Required
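Two of the Linux tips in the table, TMOUT for the session timeout (control 5) and a host firewall that blocks inbound traffic by default (control 10), can be verified with a script. The following is an added example, not UC's own tooling: it assumes TMOUT is set in a shell profile file and that firewall state is a saved iptables -S listing, both constructed here as sample files, and it also checks that TMOUT is marked readonly, a hardening step beyond what the standard text states.

```shell
#!/bin/sh
# Added example, not part of the UC standard: offline checks for two Linux
# controls above, session timeout (control 5) and host-based firewall (control 10).
# All inputs are constructed sample files, so the script runs without root.

LIMIT_SECONDS=900   # 15 minutes, the inactivity limit stated in control 5

# tmout_compliant SECONDS [LIMIT]: succeed when 1 <= SECONDS <= LIMIT.
# Empty or non-numeric input (TMOUT unset) fails; 0 would disable TMOUT entirely.
tmout_compliant() {
    secs=$1; limit=${2:-$LIMIT_SECONDS}
    case $secs in '' | *[!0-9]*) return 1 ;; esac
    [ "$secs" -ge 1 ] && [ "$secs" -le "$limit" ]
}

# tmout_from_profile FILE: print the last TMOUT=<n> assignment in a shell
# profile (on a real host this would be e.g. /etc/profile.d/tmout.sh, an
# assumed path); prints nothing when no assignment exists.
tmout_from_profile() {
    sed -nE 's/^[[:space:]]*((export|readonly)[[:space:]]+)?TMOUT=([0-9]+).*/\3/p' "$1" | tail -n 1
}

# tmout_readonly FILE: succeed when the profile marks TMOUT readonly, so a
# user cannot simply run `unset TMOUT` (assumed hardening check, not stated
# in the standard).
tmout_readonly() {
    grep -Eq '^[[:space:]]*readonly[[:space:]]+TMOUT' "$1"
}

# firewall_default_deny FILE: succeed when the saved `iptables -S` output in
# FILE sets the INPUT chain policy to DROP, i.e. inbound traffic is blocked
# unless a rule explicitly allows it.
firewall_default_deny() {
    grep -q '^-P INPUT DROP$' "$1"
}

# Constructed sample inputs (not captured from any real host).
PROFILE_OK=$(mktemp);  printf '%s\n' 'TMOUT=600' 'readonly TMOUT' 'export TMOUT' > "$PROFILE_OK"
PROFILE_BAD=$(mktemp); printf '%s\n' 'export TMOUT=3600' > "$PROFILE_BAD"
FW_OK=$(mktemp);  printf '%s\n' '-P INPUT DROP' '-P FORWARD DROP' '-P OUTPUT ACCEPT' \
                                '-A INPUT -p tcp --dport 22 -j ACCEPT' > "$FW_OK"
FW_BAD=$(mktemp); printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD ACCEPT' '-P OUTPUT ACCEPT' > "$FW_BAD"

report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
report tmout_compliant "$(tmout_from_profile "$PROFILE_OK")"    # PASS (600 s)
report tmout_readonly "$PROFILE_OK"                              # PASS
report tmout_compliant "$(tmout_from_profile "$PROFILE_BAD")"   # FAIL (3600 s > 900)
report firewall_default_deny "$FW_OK"                            # PASS
report firewall_default_deny "$FW_BAD"                           # FAIL (policy ACCEPT)
```

On a real host, point the functions at the actual profile file and at the output of `iptables -S` saved to a file; the 900-second limit can be lowered to match a stricter location limit.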

Copyright © Regents of the University of California | Terms of use