Skip to content


As the person responsible for the Institutional Information, IT Resources and their respective processes that support a UC function, you play one of the most critical roles at UC in protecting our valuable assets from loss or compromise. 

Essentially, you’re the gatekeeper for all security aspects of the information or resource you own – from compliance with policy, to protection, to access, to release, to location, to disposition. (An example is the Registrar, who is the Proprietor of student data.)

In addition to becoming familiar with IS-3, your key action items include the following: 

  1. Establish the ground rules. You set the requirements for protection level classification, access to and release of a defined set of Institutional Information. You also classify this information in terms of its protection level and availability level.
  2. Limit Access. Follow the principle of least access privilege to ensure people only have access to the minimum information and resources needed to do their jobs. Plan, track and control secondary uses.
  3. Communicate. Notify Units, Service Providers and Suppliers of the protection level and of any changes in requirements. You may need to follow regulation, monitor agreements/contracts and understand recent court or regulatory rulings to understand your obligations.
  4. Approve. Review and approve requests for transfers and access to Institutional Information. Remember to take a risk-based approach to decision making, operating by the principle of least access privilege to ensure people only get access to the minimum amount of information and/or resources needed to do their jobs.
  5. Observe. UC’s Records Retention Schedule requirements.

Copyright © Regents of the University of California | Terms of use