Skip to content


If you’re conducting research on behalf of UC, you’re considered a Workforce Member and thus should follow the requirements for that role. However, if you’re working with information classified at Protection Levels 3 or 4, you’ll need to adhere to a few additional guidelines. (Click here to learn more about Protection Levels and Availability Levels.)

Your Chief Information Security Officer (CISO) can help you plan for your research project. In many cases, the CISO can provide a pre-approved approach called a Risk Treatment Plan.

Your checklist includes the following steps:

  1. Use a risk-based approach. Use your Location’s pre-approved Risk Treatment Plan or develop a Risk Assessment that matches your research project. Implement needed controls. Your research may be public, but what if ransomware encrypts it and you can’t get it back?
  2. Incorporate safe information security practices into your research strategy. That means identifying the appropriate protection level of your research and creating a Risk Treatment Plan if needed to ensure requirements are met. What kind of data do you have? Are there contractual controls? Do you have personally identifiable or human subject data? Do you have to protect privacy? Know before you start and have a reasonable plan.
  3. Document. Gather and maintain evidence that shows how security controls were implemented and kept current throughout your research project.
  4. Invest appropriately. Be aware that bad things can happen to your data – anything from outright theft to the use of ransomware to encrypt it so you no longer have access. UC has lost research data that can’t be replaced because of ransomware … and UC researchers are often targeted. If you need help or have questions, ask your Unit Information Security Lead, CISO or CIO.
  5. Manage suppliers responsibly. If you work with external Suppliers in any capacity, make sure they review UC's Information Security Policy and comply with all applicable requirements. See Section 15: Supplier Relationships in the policy for a list of specific tasks and considerations for external Suppliers.

Copyright © Regents of the University of California | Terms of use