UCOP Electronic Information Security Policy

Revision History

This policy will be subject to revision in response to changes in technology and UCOP operational initiatives. Proposed changes will be shared with the UCOP IT Planning Group. Significant changes to this policy will be documented here.

• January 26, 2005: Policy issued. Announcement
• May 31, 2006: Section III.A. Protection of Information Assets added. Announcement

 

---

Table of Contents

I. Background
II. Purpose of This Policy

III. Electronic Information Security Policy

A. Departmental Protection of Information Assets

B. Security of Networked Resources

IV. Comments

I. Background

Appropriate IT security measures are required to support business processes and to protect information assets at the Office of the President. Information assets are at risk from potential threats that range from employee error to malicious or criminal action, system failure, and natural disasters. Such events could result in damage to or loss of information resources, corruption or loss of data integrity, interruption of the activities of the University, or compromise to the privacy of members of the University community.

Information Resources and Communications (IR&C) has been delegated leadership within the Office of the President to ensure effective, innovative, and accountable uses of information and communications technologies and responsible stewardship of UCOP IT assets. The Associate Vice President - IR&C directs information security planning at the Office of the President and is responsible for the development and maintenance of information technology related policies and procedures.

An important aspect of information security is the assurance that only authorized users have access to UCOP information resources, and that their use of those resources is conducted in a professional manner, consistent with University policy. The University of California Electronic Communications Policy (ECP) sets forth extensive provisions relating to electronic communications resources. At the Office of the President, the UCOP Policy on Acceptable Use of UCOP Electronic Information Resources implements selected provisions of the ECP. The UCOP acceptable use policy

• articulates appropriate use of UCOP electronic communications resources, and
• identifies those categories of individuals eligible to use UCOP electronic information resources.

II. Purpose of This Policy

The purpose of the UCOP Electronic Information Security Policy is to identify the obligations and responsibilities of UCOP departments and employees regarding their stewardship and protection of UCOP electronic information resources. Business and Finance Bulletin IS-3 Electronic Information Security identifies a broad set of measures that guide all University of California electronic information security strategies. This policy describes specific measures that comprise the information security program for UCOP. The Web site Information Security at the Office of the President offers informational resources to assist UCOP departments in improving information security.

III. Electronic Information Security Policy

Each member of the UCOP community is responsible for the protection and security of information assets and electronic information resources over which he or she has control (see Security Is Everyone's Responsibility).

A. Departmental Protection of Information Assets

Pursuit of the University's mission of teaching, research, and public service necessitates that information assets and administrative data be safeguarded and that the privacy of personally identifying information be maintained. In conformance with BFB IS-3 Electronic Information Security, UCOP departments should implement procedures and practices that ensure, to the extent possible, the confidentiality, integrity, and availability of the University's information assets, as well as the protection of sensitive data, such as Social Security numbers, personal financial data, health information, and student educational records. Sensitive data includes any information whose unauthorized access, modification, or loss could adversely affect the University. Departments may use the UCOP Information Security Checklist to document their information security program.

Department Security Review

1. Identify the individual(s) responsible for electronic information security in the department.
2. Identify and determine the nature of electronic information assets held or managed by the department to understand the risks in the event data is subject to unauthorized access, modification, or destruction. In particular, identify data that is subject to federal and state law and University policy (see BFB IS-3, Electronic Information Security, section IV, Risk Assessment, Sensitivity, and Criticality and information about laws protecting personal information at http://www.ucop.edu/irc/itsec/infoprotect.html.)
3. Examine the flow of information in the department and resources used to support workflow.
4. Identify possible vulnerabilities and threats that may put information assets at risk, whether stored, transmitted, or processed.

Departmental Security Plan

1. Identify administrative, physical, or technical measures to address identified risks.
   • Administrative controls include the identification of individuals authorized to access data, or the establishment of procedures for authorizing access to data.
   • Physical controls include requirements for locking rooms that contain sensitive information or equipment and other measures to reduce the possibility of unauthorized access to information resources or theft of portable devices, such as laptop computers, PDAs, or thumb drives.
   • Technical controls include implementation of security technologies, such as appropriate access controls (passwords), secure e-mail, or encryption.

All systems that host "restricted" data or provide "essential" services, as defined in BFB IS-3 Electronic Information Security, must meet specific requirements with respect to their physical environment; recovery procedures; and configuration management, change management, and patch procedures. A system administrator responsible for meeting these requirements must be designated.

2. Review any vendor-hosted systems and contracts for compliance with BFB IS-3 Electronic Information Security.
3. Establish procedures for reporting the suspicion or detection of compromised computers.
4. Ensure appropriate security awareness education and training for all employees.

The departmental security plan should be

• communicated to current departmental staff through meetings, local Intranets or Web sites, manuals, or newsletters, and to new staff upon hire, and
• reviewed whenever major changes occur in workflow, physical location, assignment of responsibilities, equipment, or software so that new threats and vulnerabilities created by those changes are examined. If no changes have occurred, the departmental plan should be reviewed annually to evaluate the effectiveness of existing control measures.

See Department Security Review and Planning and Successful Risk Assessment for more information.

B. Security of Networked Resources

Shared resources are vulnerable to a variety of attacks; consequently, damage to any resource connected to the UCOP data network could result in broad impact across UCOP. Resources to be protected include the data network, computers, software, and data.

Access to and use of UCOP computer and network services are privileges accorded at the discretion of UCOP. No computer or other device may be connected to the UCOP network that is likely to pose a threat to the network, other devices connected to the network, or to information stored on a device connected to the network. Devices connected to the UCOP data network must conform to the requirements and minimum standards described in this policy.

• Departments may develop stricter standards than those required by this policy.
• Devices that do not meet these requirements and minimum standards may be disconnected from the UCOP network by UCOP IT security or support staff.

If you are unable to meet the requirements or standards, or if your unit has non-Windows based servers or devices that require greater protections than specified in this policy, contact the IR&C Technology Service Desk at TechDesk@ucop.edu. Information Resources and Communications (IR&C) operates a data center that provides the appropriate physical environment and capabilities to meet these requirements. IR&C staff will work with your department to implement security requirements.

Requirements and Minimum Standards

1. Servers connected to the network must be registered.
   UCOP IT security and support personnel must be able to readily identify devices connected to the UCOP data network. All UCOP servers must be registered with IR&C. Failure to register departmental servers with IR&C may result in disconnection from the UCOP network. Contact the IR&C Technology Service Desk at Tech.Desk@ucop.edu to review and complete the UCOP server registration form.
2. All devices connected to the network must meet specific requirements.
   The requirements identified in Security Requirements for All UCOP Networked Devices are intended to help protect not only an individual device, but also other devices connected to the network in order to prevent exploitation of UCOP resources by unauthorized individuals. This policy applies to all devices connected to the UCOP data network in any manner or using an Internet Protocol (IP) address managed by UCOP to originate electronic communication. Devices include computers, printers, and other network appliances, as well as hardware connected to the UCOP network from behind firewalls or Network Address Translation (NAT) systems.
3. Windows and Macintosh desktop computers and servers must meet minimum standards.
   IR&C has established minimum standards for specific operating systems. See
   • Minimum Standards for Connecting Microsoft Windows-based Computers and Servers to the UCOP Network, and
   • Minimum Standards for Connecting Apple Macintosh Desktop and Laptop Computers to the UCOP Network

for detailed information. These standards may change periodically. Users should frequently consult the minimum standards documents to make sure their practices are current. Personal productivity devices must comply with the minimum standards appropriate to their operating system or service.

IV. Comments

Comments or feedback on this policy should be directed to itpolicy@ucop.edu.