What is IS-3? 

Information System Policy 3 (IS-3), is the UC System information security policy, and it supports a risk-based approach to managing security and advises on a minimum set of security controls, practices and standards to ensure safety and appropriate use of university resources. IS-3 addresses the core pillars of information security: 

  • Confidentiality 

  • Integrity 

  • Availability 

IS-3 is based on an international security standard (ISO 27001 & 27002). It supports new cybersecurity compliance requirements governing data protection (NIST 800-171, PCI and HIPAA, etc.). 

IS-3 was approved by UC President, Janet Napolitano, on September 7, 2018. 

* Some environments (e.g., critical infrastructure and credit card merchants) will require more controls. 

IS-3 Directives

Every UC Riverside unit, defined as a school, research project, administrative office, or collection of departments, has four specific directives: 

  1. Units must complete Risk Assessments 
  2. Units must encrypt institutional information 
  3. Units must have an approval process for granting access 
  4. Units must ensure that agreements with suppliers contain security requirements 

For each of these directives, the Information Security Office has offerings to help units meet the directives. This includes data encryption when using ITS services and vendor risk assessment. 

IS-3 Scope

Locations: All UC campuses and medical centers, the UC Office of the President, UC Agriculture and Natural Resources, UC-managed national laboratories, and all other UC locations. 

People: All Workforce Members*, Suppliers, Service Providers, and other authorized users of institutional information and IT resources. 

Data: All use of institutional information, independent of the location (physical or cloud), ownership of any device or account that is used to store, access, process, transmit or control institutional information. 

Devices: All devices, independent of their location or ownership, when connected to a UC network or cloud service used to store or process institutional information. 

Research: Research projects performed at any location and UC-sponsored work performed by any location. 

*Workforce members: Employees, faculty, staff, contractor, student worker, volunteer, student intern, student volunteer, researcher, student/supporting/performing research, medical center staff/personnel, clinician, medical school student treating patients, a person working for UC in any capacity or other augmentation to UC staffing levels. 

Role Descriptions

Let us help you with your search