
UC’s Important Security Controls for Everyone and All Devices

UC's knowledge and its discovery, advancement, transmission and organization lie at the heart of our fundamental mission to provide world-class teaching, research and public service. Protecting the confidentiality, integrity and availability of this Institutional Information, as well as our IT Resources, is critical to support our mission. UC is equally committed to protecting the privacy of our students, faculty, staff, patients, research participants and other stakeholders whose information we receive, create and maintain (private information).

The following standards describe some of the key practices necessary to protect UC’s Institutional Information, IT Resources and private information. UC, its Workforce Members, partners, consultants and Suppliers are also required to comply with any additional obligations imposed by contract, law and/or regulation.

Please begin implementing these standards and, where there are gaps, prioritize adoption by risk level. These standards will be revised periodically as UC navigates a continually evolving cybersecurity landscape. Beginning in fiscal year 2019, the current version of these standards will be required, and Units will need to develop plans to implement them over the ensuing 12 months.

To read the full standard, please click on the link below.

UC’s Security Standard for Everyone and All Devices

Topic | Mobile | Windows | Mac | Linux


Anti-malware software must be installed and running up-to-date definitions.

Enable real-time protection and regular full scans.

Mobile: Recommended | Windows: Required | Mac: Required | Linux: Recommended


Supported security patches must be applied to all operating systems and applications.

Where possible, use automatic updating or connect to your IT department's patching and upgrade service. Apply patches as soon as possible, as doing so quickly reduces risk.

Mobile: Required | Windows: Required | Mac: Required | Linux: Required

Local admin or Administrator

Non-privileged user accounts must be used and only elevated to root or administrator when necessary.


Perform routine and daily activities using non-privileged accounts.

Use Administrator on Windows/Mac OS or Root/SU on Linux or UNIX only for a specific administrative action. Log out of the account after completing the action.

Contact your Location help desk or IT support center to set up root or administrator accounts if necessary.

Mobile: Not Required | Windows: Required | Mac: Required | Linux: Required


Laptops and mobile devices must be encrypted.

Separately, Institutional Information classified at Protection Level 3 or higher must be encrypted when stored by a Workforce Member.


Use the approved encryption method for your Location.

If you don’t need it, don’t store it. If you need to store it, encrypt it.

Device-level encryption is the best option. If the device is not encrypted, encrypt any Institutional Information classified at Protection Level 3 or higher when stored on laptops and mobile devices.

Mobile: Required | Windows: Required | Mac: Required | Linux: Required

Session timeout

Devices used to store or access Institutional Information or IT Resources classified at Protection Level 2 or higher must employ lockout/screen-lock mechanisms or session timeout in order to block access after a defined period of inactivity (15 minutes or Location limit). Mechanisms must require re-authentication before returning to interactive use.


Enable the locking screensaver on Windows or Mac OS.

Enable inactivity timeout on mobile devices.

Use TMOUT or another method to automatically log out on Linux or UNIX.

Mobile: Required | Windows: Required | Mac: Required | Linux: Required

Password/PIN lock

Secure devices with a strong password, PIN, smart card or biometric lock.


Strong passwords (passphrases) and PINs are one of UC’s best defenses against unauthorized access.

Consult Location resources for guidance on creating a strong password, PIN, smart card or biometric lock that complies with the UC Authentication Management Standard.

Strong passphrases are 10-64 characters in length and include upper and lowercase letters, numbers and special characters.

Do not share passwords or PINs, and do not use common or similar passwords across accounts. Do not use your UC username and password for personal accounts.

Do not use default passwords, and change default passwords immediately.

Never use your username, “password,” “123456,” “12345678,” “qwerty,” common words, phrases or your name as your password.

Mobile: Required | Windows: Required | Mac: Required | Linux: Required

Physical security

Devices and Institutional Information must be physically secured.


Use physical security cables to protect against theft or loss of valuable information from your workplace or vehicle.

Lock devices in a cabinet at the end of the day/shift.

Do not leave unencrypted devices unattended.

Mobile: Required | Windows: Required | Mac: Required | Linux: Required

Backup and recovery

Institutional Information classified at Availability Level 3 or higher must be backed up and recoverable. Backups must be protected according to the classification level of the information they contain.

Ensure the backup plan is consistent with business, regulatory and records management requirements.

Mobile: Required | Windows: Required | Mac: Required | Linux: Required

Encrypt portable media

Backups and portable media containing Institutional Information classified at Protection Level 4 must be encrypted and safely stored.


Encrypt all portable media and backups when possible. Lost or stolen media is a common cause of reportable data breaches.

It’s a good practice to encrypt Institutional Information classified at Protection Level 3. Some Locations require encryption for Institutional Information classified at Protection Level 3 when stored on portable media.

Mobile: Required | Windows: Required | Mac: Required | Linux: Required

Host-based firewall

If host-based firewall software is available on a device, it must be running and configured to block all inbound traffic that is not explicitly required for the intended use of the device.

Use the firewalls that come with Windows, Apple and Linux operating systems or with many popular anti-malware applications. Default settings are typically acceptable.

Mobile: Not required | Windows: Required | Mac: Required | Linux: Required

Approval and inventory

Make sure devices can be secured before making a purchasing decision.

Make sure IT Resources and Institutional Information are appropriately recorded in Location inventory.


Consult your Location IT department or online resources to determine whether a device requires approval and recording in inventory.

Many security breaches can be prevented or their impact minimized if your IT department is aware of your device and what’s stored on it.

Mobile: Required | Windows: Required | Mac: Required | Linux: Required

Supported Operating Systems

Run a version of the operating system that is supported by the vendor.

Do not use end-of-life operating systems such as Windows XP, Server 2003 or Vista. They no longer receive security patches and are vulnerable to compromise.

Mobile: Required | Windows: Required | Mac: Required | Linux: Required
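For the session timeout requirement above (TMOUT on Linux or UNIX), the following is an added example, not part of the UC standard, that audits a shell profile file for an enforceable idle logout. It assumes bash or ksh (which honor TMOUT), uses the 15-minute figure as a 900-second limit (a Location may set a different one), and the function name audit_tmout is hypothetical.

```shell
#!/bin/sh
# Added example (not from the UC standard): audit a shell profile file for
# the TMOUT idle-logout setting honored by bash and ksh.
MAX_IDLE=900   # 15 minutes in seconds; assumption, adjust to the Location limit

# audit_tmout FILE -> prints missing | disabled | too-long | not-readonly | ok
# and returns 0 only for "ok".
audit_tmout() {
    # Ignore commented-out lines so "# TMOUT=600" does not count.
    active=$(grep -v '^[[:space:]]*#' "$1" || true)
    # The last numeric assignment is the one in effect after sourcing.
    value=$(printf '%s\n' "$active" |
        grep -Eo '(^|[[:space:];])TMOUT=[0-9]+' | tail -n 1 | sed 's/.*=//')
    if [ -z "$value" ]; then echo missing; return 1; fi
    # TMOUT=0 switches the timeout off.
    if [ "$value" -eq 0 ]; then echo disabled; return 1; fi
    if [ "$value" -gt "$MAX_IDLE" ]; then echo too-long; return 1; fi
    # Without readonly, the user can run "unset TMOUT" and defeat the control.
    if ! printf '%s\n' "$active" | grep -Eq \
        '(^|[[:space:];])(readonly|(declare|typeset)[[:space:]]+-[a-zA-Z]*r[a-zA-Z]*)[[:space:]]+TMOUT'
    then
        echo not-readonly; return 1
    fi
    echo ok
}

# Constructed sample: a profile snippet that sets the limit but leaves it
# writable, so the audit flags it.
sample=$(mktemp)
printf '%s\n' '# idle logout' 'TMOUT=600' 'export TMOUT' > "$sample"
echo "sample profile: $(audit_tmout "$sample" || true)"
rm -f "$sample"
```

Run it against the file your Location uses to set TMOUT for all users; any verdict other than ok means the idle logout is absent, too long, or can be removed by the user.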

Copyright © Regents of the University of California