
UC’s Important Security Controls for Everyone and All Devices

Practicing good cybersecurity is essential to protecting UC's mission to provide world-class teaching, research and public service. Good cyber hygiene is also important to protect the privacy of our students, faculty, staff, patients, research participants and other stakeholders whose information we receive, create and maintain.

The following controls and practices are UC’s systemwide baseline designed to protect UC’s Institutional Information and IT Resources. UC, its Workforce Members, partners, consultants and Suppliers are also required to comply with any additional obligations imposed by local policy, contract, law and/or regulation. For information about cybersecurity resources near you, visit Location Information Security Resources.

The full standard is available at the link below.

UC’s Security Standard for Everyone and All Devices

The following list summarizes the guidelines of the Minimum Security Standard. For more detail, including system requirements, see the corresponding sections further down the page.

  1. Anti-malware: Anti-malware software must be installed and running with up-to-date definitions.
  2. Approval and Inventory: Confirm that devices can be secured before making a purchasing decision. Make sure IT Resources and Institutional Information are appropriately recorded in Location inventory.
  3. Backup and Recovery: Institutional Information classified at Availability Level 3 or higher must be backed up and recoverable. Backups must be protected according to the classification level of the information they contain.
  4. Encryption: All portable computing devices must be encrypted.
  5. Encrypt Portable Media: Portable media containing Institutional Information classified at Protection Level 3 or higher must be encrypted and safely stored.
  6. Host-based Firewall: If host-based firewall software is available on a device, it must be running and configured to block all inbound traffic that is not explicitly required for the intended use of the device.
  7. Local Admin or Administrator: Non-privileged user accounts must be used and only elevated to root or administrator when necessary.
  8. Password/PIN lock: Secure devices with a strong password, PIN, smart card, or biometric lock.
  9. Patching: Supported security patches must be applied to all operating systems and applications.
  10. Physical Security: Devices and Institutional Information must be physically secured.
  11. Session Timeout: Devices used to store or access Institutional Information or IT Resources classified at Protection Level 2 or higher must employ lockout/screen-lock mechanisms or session timeout to block access after a defined period of inactivity (15 minutes or Location limit). Mechanisms must require re-authentication before a return to interactive use.
  12. Supported Operating Systems: Run a version of the operating system that is supported by the vendor.

Anti-malware

Anti-malware software must be installed and running with up-to-date definitions.

Tips

  • Enable real-time protection and regular full scans.

System

  • Mandatory – MAC, Windows
  • Recommended – Linux, Mobile

Approval and Inventory

Confirm that devices can be secured before making a purchasing decision. Make sure IT Resources and Institutional Information are appropriately recorded in Location inventory.

Tips

  • Consult your Location IT department or online resources to determine whether a device requires approval and recording in inventory.
  • Many security breaches can be prevented, or their impact minimized, if your IT department is aware of your device and what’s stored on it.

System

  • Mandatory – Linux, MAC, Mobile, Windows

Backup and Recovery

Institutional Information classified at Availability Level 3 or higher must be backed up and recoverable. Backups must be protected according to the classification level of the information they contain.

Tips

  • Ensure the backup plan is consistent with business, regulatory and records management requirements.

System

  • Mandatory – Linux, MAC, Mobile, Windows

Encryption

All portable computing devices must be encrypted.

Tips

  • Use the approved encryption method for your Location.
  • If you don’t need it, don’t store it. If you need to store it, encrypt it.
  • Device-level encryption is the best option. If the device is not encrypted, encrypt any Institutional Information classified at Protection Level 3 or higher when stored on laptops and mobile devices.

System

  • Mandatory – Linux, MAC, Mobile, Windows

Encrypt Portable Media

Portable media containing Institutional Information classified at Protection Level 3 or higher must be encrypted and safely stored.

Tips

  • Encrypt all portable media and backups whenever possible. Lost or stolen media is a common cause of reportable data breaches.

System

  • Mandatory – Linux, MAC, Mobile, Windows

Host-based Firewall

If host-based firewall software is available on a device, it must be running and configured to block all inbound traffic that is not explicitly required for the intended use of the device.

Tips

  • Use the firewalls that come with Windows, macOS (Apple) and Linux, or with many popular anti-malware applications. Default settings are typically acceptable.

System

  • Mandatory – Linux, MAC, Windows
  • Optional – Mobile
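On Linux hosts the control above translates to a default-deny policy on the inbound hook with one explicit rule per required service. The script below is an added example, not UC tooling: it assumes an nftables-based Linux host, the table name `uc_host` is invented, and the audit helpers read a saved ruleset file rather than the live kernel state.

```shell
#!/bin/sh
# Added example (not UC's own tooling). Renders an nftables ruleset that
# implements "block all inbound traffic not explicitly required": the input
# hook defaults to drop, and only the listed TCP ports are opened.
# Assumptions: Linux host using nftables; table name "uc_host" is invented.

# Usage: render_inbound_policy "22 443"   (space-separated TCP ports; may be empty)
render_inbound_policy() {
    required_tcp="$1"
    printf '%s\n' \
        'table inet uc_host {' \
        '  chain input {' \
        '    type filter hook input priority 0; policy drop;' \
        '    iifname "lo" accept' \
        '    ct state established,related accept' \
        '    ct state invalid drop' \
        '    meta l4proto { icmp, ipv6-icmp } accept'
    for port in $required_tcp; do
        # Every opening is explicit: one line per documented, required service.
        printf '    tcp dport %s accept\n' "$port"
    done
    printf '%s\n' '  }' '}'
}

# Audit helper: exit 0 if the saved ruleset's input hook chain is default-deny.
input_policy_is_drop() {
    grep -q 'hook input .*policy drop' "$1"
}

# Audit helper: print how many TCP ports the saved ruleset opens inbound.
# grep -c exits 1 when the count is zero; treat that as success so callers
# running under "set -e" can read a count of 0.
count_inbound_tcp_allows() {
    grep -c '^ *tcp dport [0-9]* accept' "$1" || [ $? -eq 1 ]
}
```

Typical use is `render_inbound_policy "22" > /tmp/uc-input.nft`, review, then `nft -f /tmp/uc-input.nft` as root. The `established,related` rule is what lets outbound connections receive their replies while unsolicited inbound traffic is dropped; the audit helpers give a quick way to confirm a saved ruleset still has the drop default and only the expected openings.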

Local Admin or Administrator

Non-privileged user accounts must be used and only elevated to root or administrator when necessary.

Tips

  • Perform routine and daily activities using non-privileged accounts.
  • Use Administrator on Windows/Mac OS, or root/su on Linux or UNIX, only for a specific administrative action. Log out of the account after completing the action.
  • Contact your Location help desk or IT support center to set up root or administrator accounts if necessary.

System

  • Mandatory – Linux, MAC, Windows
  • Optional – Mobile

Password/PIN Lock

Secure devices with a strong password, PIN, smart card, or biometric lock.

Tips

  • Strong passwords and PINs are one of UC’s best defenses against unauthorized access.
  • Consult Location resources for guidance on creating strong passphrases/passwords/PINs, or on setting up a smart card or biometric lock, that comply with the UC Account and Authentication Management Standard.
  • Strong passwords are 10-64 characters in length and include upper and lowercase letters, numbers, and special characters.
  • Do not share passwords or PINs.
  • Do not use common or similar passwords across accounts.
  • Do not use your UC username and password for personal accounts.
  • Do not use default passwords, and change default passwords immediately.
  • Never use your username, “password,” “123456,” “12345678,” “qwerty,” common words, phrases or your name as your password.

System

  • Mandatory – Linux, MAC, Mobile, Windows
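The length and composition rules in the tips above are concrete enough to check mechanically. The function below is an added example, not part of the UC standard or any UC tool: it enforces 10-64 characters with all four character classes and rejects the weak values the page lists. One assumption is stricter than a literal reading of the page: the listed weak strings and the username are rejected even when they appear inside a longer password.

```shell
#!/bin/sh
# Added example (not UC's own tooling): checks a candidate password against the
# composition rules stated on this page (10-64 characters; upper- and lowercase
# letters, digits and special characters) and rejects the listed weak values.
# Assumption: weak strings and the username are rejected as substrings too.
LC_ALL=C; export LC_ALL   # make [A-Z] etc. mean ASCII ranges regardless of locale

# Exit 0 if the string contains at least one character matching the class.
has_class() { printf '%s' "$1" | grep -q "$2"; }

# Usage: uc_password_ok 'candidate' [username]; exit status 0 = acceptable.
uc_password_ok() {
    pw="$1"; user="${2:-}"
    len=${#pw}
    [ "$len" -ge 10 ] && [ "$len" -le 64 ] || return 1
    has_class "$pw" '[A-Z]'        || return 1
    has_class "$pw" '[a-z]'        || return 1
    has_class "$pw" '[0-9]'        || return 1
    has_class "$pw" '[^A-Za-z0-9]' || return 1
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    # Weak values named on the page, matched case-insensitively as substrings.
    case "$lower" in
        *password*|*123456*|*12345678*|*qwerty*) return 1 ;;
    esac
    # A password must not contain the account's own username.
    if [ -n "$user" ]; then
        userlower=$(printf '%s' "$user" | tr 'A-Z' 'a-z')
        case "$lower" in *"$userlower"*) return 1 ;; esac
    fi
    return 0
}
```

Forcing `LC_ALL=C` matters: in some locales `[A-Z]` collates to include lowercase letters, which would silently weaken the uppercase check. The function is meant for local self-checks or provisioning scripts; a production account system would pair these rules with a breached-password list and the Location's authentication standard.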

Patching

Supported security patches must be applied to all operating systems and applications. 

Tips

  • When possible, use automatic updating or connect to your IT department's patching and upgrade service. Apply patches as soon as possible; prompt patching quickly reduces risk.

System

  • Mandatory – Linux, MAC, Mobile, Windows

Physical Security

Devices and Institutional Information must be physically secured.

Tips

  • Use physical security cables to protect against theft or loss of valuable information from your workplace or vehicle.
  • Lock devices in a cabinet at the end of the day/shift.
  • Do not leave unencrypted devices unattended.

System

  • Mandatory – Linux, MAC, Mobile, Windows

Session Timeout

Devices used to store or access Institutional Information or IT Resources classified at Protection Level 2 or higher must employ lockout/screen-lock mechanisms or session timeout to block access after a defined period of inactivity (15 minutes or Location limit). Mechanisms must require re-authentication before a return to interactive use.

Tips

  • Enable the locking screensaver on Windows or Mac OS.
  • Enable inactivity timeout on portable computing devices.
  • Use TMOUT or another method to automatically log out on Linux or UNIX.

System

  • Mandatory – Linux, MAC, Mobile, Windows
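For the TMOUT tip above, the script below is an added example rather than UC-provided configuration. It renders the profile fragment an administrator would install (the path `/etc/profile.d/uc-tmout.sh` is an assumption) and checks an existing fragment against the 15-minute limit stated on this page. TMOUT only covers interactive shells; graphical sessions still need the locking screensaver from the other tips.

```shell
#!/bin/sh
# Added example (not UC's own configuration): render a profile.d fragment that
# logs idle interactive shells out via TMOUT, and audit an existing fragment
# against the 15-minute limit stated on the page.
# Assumption: fragment installed as /etc/profile.d/uc-tmout.sh (path invented).

UC_IDLE_LIMIT_SECONDS=900   # 15 minutes; a Location may set a shorter limit

# Print the fragment. "readonly" stops users from unsetting TMOUT in bash/ksh,
# which would otherwise disable the logout. Usage: render_tmout_fragment [seconds]
render_tmout_fragment() {
    secs="${1:-$UC_IDLE_LIMIT_SECONDS}"
    printf '%s\n' \
        '# Installed by local IT: idle interactive shells are logged out automatically.' \
        "TMOUT=$secs" \
        'readonly TMOUT' \
        'export TMOUT'
}

# Exit 0 if the fragment sets TMOUT to a positive number no larger than the
# limit; exit 1 if it is missing, zero (which disables the timeout), non-numeric
# or too long. The last assignment in the file wins, as it would in a shell.
check_tmout_file() {
    file="$1"
    value=$(sed -n 's/^TMOUT=\([0-9][0-9]*\)$/\1/p' "$file" | tail -n 1)
    [ -n "$value" ] || return 1
    [ "$value" -gt 0 ] || return 1
    [ "$value" -le "$UC_IDLE_LIMIT_SECONDS" ] || return 1
    return 0
}
```

Install with `render_tmout_fragment > /etc/profile.d/uc-tmout.sh` as root, then verify on any host with `check_tmout_file /etc/profile.d/uc-tmout.sh`. The zero case is the one auditors miss most often: `TMOUT=0` is syntactically present but turns the timeout off, so the checker treats it as a failure.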

Supported Operating Systems

Run a version of the operating system that is supported by the vendor.

Tips

  • Do not use end-of-life operating systems such as Windows XP, Server 2003 or Vista. They no longer receive security patches and are vulnerable to compromise.

System

  • Mandatory – Linux, MAC, Mobile, Windows

Copyright © Regents of the University of California | Terms of use