Guidelines for Protecting UC's Information Assets

• Protect Assets
• Secure Your Computer
• Report Incidents
• Protect Restricted Data
• Unsafe Practices
• UCOP Policies
• Universitywide Policies
• UCOP Security Initiative
• Universitywide Information
• UCOP Security Home

Recommended Safeguards

The confidentiality, integrity, availability, and responsible management of the University's "information assets" – its intellectual property and administrative data – is of paramount importance to the educational and research enterprise. UC's information assets may be transmitted or stored as paper files or on a variety of "electronic resources" – fax machines, printers, computers, networks, and the applications that run on them. Each UC employee must exercise appropriate safeguards to reduce the risk of unauthorized access to or use of University assets and resources.

ALL EMPLOYEES

Comply with Policy and Departmental Procedures

• Consult privacy, security, and records retention policies to determine the level of confidentiality of the information you handle, and follow departmental procedures for handling departmental information. A rule of thumb is, "collect only what you need and keep it only as long as you need it." If you have questions, ask your supervisor.
• Read and follow the recommendations in Securing Your Computer.
  When you give information to others, either in person or on-line, be sure the recipient also knows what the confidentiality level and controls should be.
• In general, assume that what you're working on should be kept confidential.

Protect Paper Documents

• Don't leave sensitive documents in clear sight in work areas. Store confidential material in locked drawers.
• Shred sensitive documents when they are no longer needed.
Protect sensitive materials when using photocopiers, fax machines, etc. Don't leave the originals behind when you walk away.

Secure the Physical Location

• Do not prop open doors to secure areas.
• If you encounter unknown visitors in secured work areas, ask them if you can be of assistance: "May I help you?"
• Be sure you use appropriate protections on computers:
  • Protect the passwords you use to access e-mail, databases, Web sites, and other electronic resources.
  • Logout or otherwise protect information when you step away from your computer. For example, use password protection that has a suitable "time-out" setting or that can be activated when you walk away.
  • Be sure to delete all information from your old computer when you dispose of it. Be aware that "erased" data often may be recovered from your computer unless you take explicit measures to remove it. (See Securing Your Computer for more information.)

Keep Personal Information Separate

• When incidental personal use of electronic resources is allowed, organize and clearly mark information that is personal.
• For example, create a folder called "Personal" on your desktop or in your e-mail program to hold any personal files. This will help minimize their being reviewed when colleagues or supervisors need to find business-related information in your work area and you are not available to assist.
• Be aware that in some circumstances, as provided for in the UC Electronic Communications Policy, any information from your incidental personal activities may be accessed.

Report Suspicious Activity

• Immediately notify your supervisor if you suspect that private, confidential, or sensitive information is missing, has been accessed without authorization, or has been altered. This includes information pertaining to you or to others.

SUPERVISORS

Conduct Periodic Security Assessments and Training

• Include security awareness topics in your regular staff meetings.
• Review your current practices and determine what new security measures should be implemented in response to relocations or other changes that affect the working environment.

Update Equipment and Software

• Ensure that computer workstations used by staff reporting to you have adequate security configurations to protect the types of information accessed. This may include software configurations, position of the display, or ease of physical access by others.

Establish Local Procedures to Ensure Compliance with Policy

• Ensure that you, your staff, and those to whom you provide information are familiar with the privacy and confidentiality policy and laws applicable to activities within your unit.Inventory and classify the types of information handled by your staff. Establish procedures or recommendations for handling departmental information in a manner appropriate to its classification.
• Discuss with employees your right to access any information they maintain in the workplace, the methods you will use to ensure access it (such as knowing desktop computer passwords or having extra keys to cabinets), and that when you are required to access information you will strive to only look at what you need.

RELATED POLICIES AND RESOURCES

• Electronic Communications Policy
• IS-3 - Electronic Information Security
• Protection of Personal Information
• RMP 7 - Privacy of and Access to Information Responsibilities
• RMP 8 - Legal Requirements on Privacy of and Access to Information
• University of California Information Security Program