IS-3

What is IS-3?

Information System Policy 3 (IS-3), is the UC System information security policy, and it supports a risk-based approach to managing security and advises on a minimum set of security controls, practices and standards to ensure safety and appropriate use of university resources. IS-3 addresses the core pillars of information security:

Confidentiality
Integrity
Availability

IS-3 is based on an international security standard (ISO 27001 & 27002). It supports new cybersecurity compliance requirements governing data protection (NIST 800-171, PCI and HIPAA, etc.).

IS-3 was approved by UC President, Janet Napolitano, on September 7, 2018.

* Some environments (e.g., critical infrastructure and credit card merchants) will require more controls.

Policies and Standards

These links are hosted on the University of California Office of the President (UCOP) Systemwide Information Security site:

Secure Software Development

IS-3 Directives

Every UC Riverside unit, defined as a school, research project, administrative office, or collection of departments, has four specific directives:

Units must complete Risk Assessments
Units must encrypt institutional information
Units must have an approval process for granting access
Units must ensure that agreements with suppliers contain security requirements

For each of these directives, the Information Security Office has offerings to help units meet the directives. This includes data encryption when using ITS services and vendor risk assessment.

IS-3 Scope

Locations: All UC campuses and medical centers, the UC Office of the President, UC Agriculture and Natural Resources, UC-managed national laboratories, and all other UC locations.

People: All Workforce Members*, Suppliers, Service Providers, and other authorized users of institutional information and IT resources.

Data: All use of institutional information, independent of the location (physical or cloud), ownership of any device or account that is used to store, access, process, transmit or control institutional information.

Devices: All devices, independent of their location or ownership, when connected to a UC network or cloud service used to store or process institutional information.

Research: Research projects performed at any location and UC-sponsored work performed by any location.

*Workforce members: Employees, faculty, staff, contractor, student worker, volunteer, student intern, student volunteer, researcher, student/supporting/performing research, medical center staff/personnel, clinician, medical school student treating patients, a person working for UC in any capacity or other augmentation to UC staffing levels.

Role Descriptions

CSIO

The Chief Information Security Officer (CISO) is responsible for security functions throughout a Location, including assisting in the interpretation and application of IS-3. IS-3 requires each Location to “identify or appoint” a CISO. It is possible to identify one or more individuals to fulfill the role, if responsibilities are clearly defined per individual. At some Locations, the CISO might hold the title of ISO, or Information Security Officer.

Proprietor

The individual responsible for the IT Resources and processes supporting a university function. It could also be an identified group, committee or board responsible for the Institutional Information and processes supporting a university function.

Researcher

If you’re conducting research on behalf of UC, you’re considered a Workforce Member and thus should follow the requirements for that role. However, if you’re working with information classified at Protection Levels 3 or 4, you’ll need to adhere to a few additional guidelines. (Click here to learn more about Protection Levels and Availability Levels.)

Service Provider

If you’re part of a UC group or organization providing specific IT services to a Unit, you’re considered a Service Provider. Service Providers are Units that offer IT help to other Units. Much of your role involves partnering closely with the Unit you are assisting in ensuring strong information security practices.

Unit

A point of accountability and responsibility that results from creating or collecting, managing or possessing Institutional Information or from installing or managing IT Resources. A Unit is typically a defined organization or set of departments.

Unit Head

A generic term for Dean, Vice Chancellor, or similarly senior role who has the authority to allocate budget and is responsible for Unit performance. A senior management role with authority to allocate budget and responsibility for Unit performance.

Unit Information Security Lead

The Workforce Member(s) assigned responsibility for tactical execution of information security activities associated with IS-3. At UCR we are identifying two leads, one that is an Administrative Security lead, and one that is an IT security lead.

Workforce Manager

A person who supervises/manages Workforce Members or approves work or research on behalf of the University. As someone who manages other UC personnel, you set the tone for embedding cybersecurity practices into the day-to-day work of your teams.

Workforce Member

An employee, faculty, staff, volunteer, contractor, researcher, student worker, student supporting/performing research, medical center staff/personnel, clinician, student intern, student volunteer, or person working for UC in any capacity or other augmentation to UC staffing levels.

Information Technology Solutions

What is IS-3?

Policies and Standards

IS-3 Directives

IS-3 Scope

Role Descriptions

INFORMATION TECHNOLOGY SOLUTIONS

ITS Quicklinks