To better protect UC information and systems from growing cyber threats, the UC President has called on all UC campuses to update their information security investment plans to comply with new requirements. Below is information about UC Riverside’s plan to come into compliance and the specific actions our Highlander community will need to take.
All UC locations must comply with new information security requirements by May 2025, as mandated by the UC President at the direction of the UC Regents.
These requirements apply to all UC employees, including faculty. UCOP has outlined enforcement measures. UCR-specific enforcement measures will be shared with campus once finalized.
UCR is currently implementing its plan to meet these new requirements, which includes mandatory cybersecurity training and the use of industry-standard security toolsets.
As part of this plan, applications for three specific toolsets must be installed on all devices that connect to secure UCR networks and cloud resources. These applications are not optional.
UCR is actively working to inform all employees about the new security requirements and how to meet them (please continue to check this page for the most up-to-date information).
UC President and Regents Call UCR to Action
The development of a comprehensive information security program was already in motion at UCR, demonstrating the University's proactive commitment to safeguarding its valuable data and systems. However, the UC President's letter has introduced a renewed sense of urgency into the implementation of this program.
The letter's firm deadlines and potential consequences for non-compliance underscore the critical importance of cybersecurity in today's digital landscape. As such, the successful execution of UCR's security program now necessitates the active cooperation and participation of all faculty, staff, and students. Everyone plays a crucial role in maintaining a secure digital environment, and collective efforts are essential to protect our research and personal data, prevent cyberattacks, and ensure the continued success of the University's mission.
Key takeaways from the letter and UCR's planned response:
The UC President's letter calls for all UC campuses to achieve key cybersecurity outcomes by May 28, 2025, to help protect sensitive data, maintain operational continuity, comply with regulations, and mitigate financial risks.
The UC President's letter explicitly states that all UCR units and employees, including faculty, must comply.
Note: Students are exempt unless they are administrative (non-academic) employees of the university.
As stated in the UC President's letter, campus consequences for non-compliance include:
- 15% increase in cyber insurance premiums
- Up to $500,000 in costs for security incidents
- Merit increases for unit heads require Chancellor's approval
According to the UC President's letter, all UC campuses are expected to achieve the following outcomes by May 28, 2025:
- Ensure 100% of faculty and staff complete cybersecurity awareness training.
- Ensure timely escalation of security incidents by adhering to UC incident response and cybersecurity escalation standards.
- Identify, track, and manage vulnerabilities of all devices that connect to campus resources.
- Deploy UC-approved Endpoint Detection and Recovery (EDR) software on 100% of assets.
- Deploy and configure multi-factor authentication (MFA) on 100% of campus and health email systems.
- Deploy and configure a robust Data Loss Prevention (DLP) solution for health email systems.
UCR’s Information Security Office is responding to these requirements accordingly, with six projects that will achieve each of these outcomes.
UCR is currently implementing its plan to meet these new requirements, which includes the use of industry-standard security toolsets and best practices. The following campus enforcement measures apply to all UCR employees:
- Completion of UC Cyber Security Awareness Fundamentals training to access UCR applications and resources
- Installation and use of the three UCR-mandated security tool applications* in order to connect a device to UCR's secure networks and cloud resources
- Although already required to access most secure UCR resources, multi-factor authentication (MFA) will now be required of anyone using campus and health email systems
- Additional enforcement measures (guidance will be provided as soon as details are available)
*These tools will be provided to employees at no cost. Employees who use devices that are not managed by ITS or their local IT department will need to install the tools themselves. Resources will be provided in the coming months.
Tools to Protect Your Work and Preserve Your Legacy
UCR-mandated tools to access secure campus resources
UCR has identified three industry-standard security toolsets known for their effectiveness in helping organizations identify and manage vulnerabilities, mitigate risks and respond swiftly to events by monitoring systems for signs of cyber threats, and keep track of vital data. These tools also provide more robust security services for university-managed devices, such as delivering automatic updates and maintaining the health of the devices.
As part of UCR's plan to meet the new UCOP mandate, our campus policy now requires that the applications for these three toolsets be installed and run on all devices that connect to secure UCR networks and cloud resources. All devices must be in compliance by May 28, 2025.
Which UCOP security outcomes do these tools address?
- “Identify, track, and manage vulnerabilities of all devices that connect to campus resources.”
- “Deploy UC-approved Endpoint Detection and Recovery (EDR) software on 100% of assets.”
Why are these tools required?
Imagine our collective University data – research findings, financial records, sensitive personal information – as priceless works of art and historical artifacts housed within the Smithsonian. This vast collection represents the heart and soul of our institution, a treasure trove of knowledge, innovation, and individual contributions to our shared legacy.
Much like the Smithsonian’s sprawling complex of museums, UCR’s colleges, schools, departments, and administrative units house important artifacts that require preservation and protection from theft, damage, and unauthorized access. To protect these invaluable assets, a multi-layered approach is employed. The layers of this approach are described below:
The Architects
Vulnerability Management, Detection, and Response (VMDR) provides cloud-based cybersecurity and compliance solutions. UCR will use VMDR to identify and manage vulnerabilities.
Imagine VMDR as the museum's team of expert architects and engineers. They meticulously assess the museum building's structural integrity, identifying potential weaknesses like cracks in the foundation or leaks in the roof. By proactively addressing these structural issues, they ensure the building remains a safe and secure environment for the valuable artifacts within without needing to inspect the contents of individual exhibits or storage rooms.
Similarly, VMDR assesses the digital infrastructure of the University, identifying vulnerabilities in software, hardware, or configurations that cyber threats could exploit. By identifying potential vulnerabilities so that the Information Security Office can address them, VMDR strengthens the overall security of the University's digital environment, safeguarding sensitive data without intruding on the content of individual files or activities.
The Environmental Controls
Endpoint Management (EM) helps organizations manage their computer networks efficiently and securely. UCR will use EM to perform vital data inventory. For devices managed via the ITS Secure Device Service, EM will also be used to maintain the health of the device.
Think of EM as the museum's sophisticated climate control system. It constantly monitors the temperature, humidity, and air quality throughout the building to ensure optimal conditions for preserving the priceless artifacts. While it does focus its attention on each exhibit and storage room, it does not evaluate the specific artifacts within them. Its purpose is to maintain a stable and secure environment for the entire collection.
Similarly, EM maintains an inventory of devices and software on the university network, monitoring the overall health and performance of the University's digital infrastructure. It tracks metrics like device health and software updates to ensure everything is functioning properly and securely. It doesn't delve into the specific contents of individual files or monitor user activity, but rather focuses on maintaining a stable and secure digital environment for the entire Highlander community.
The Security System
Endpoint Detection and Response (EDR) is used for threat detection and response, helping an organization identify, investigate, and respond to cyber threats across its entire digital environment.
Envision EDR as the museum's advanced security system, incorporating high-tech surveillance cameras, motion detectors, and laser grids. This system constantly monitors the environment, detecting any unauthorized access or suspicious activity. If an intruder attempts to breach security, the system triggers alarms, alerts security personnel, and activates countermeasures to protect the artifacts.
Similarly, EDR acts as our digital guardian, continuously monitoring our systems for signs of cyber threats like malware or unauthorized access attempts. It swiftly detects and neutralizes these threats, safeguarding our valuable data.
Security Investment Roadmap
Campus completion of UC Cyber Security Awareness Fundamentals training and use of the three UCR-mandated security tool applications is an important first step in meeting the required cybersecurity outcomes. The campus can expect that additional measures will be implemented as UCR works to come into full compliance.
We are committed to transparency throughout this process. Information about these next steps will be communicated to campus on this webpage and, where possible, through other campus communication channels and forums, including town halls. Regular progress reports on our collective compliance will be provided to campus leadership, including deans, vice chancellors, the Vice Provost, the Provost, and other unit leaders and stakeholders. These reports will highlight our achievements and identify areas that require improvement.
UCR Secure Trust Program
While the UC Cybersecurity Mandate 2025 catalyzes immediate action, it's important to understand that UCR has already embarked on a journey to enhance its information security through the UCR Secure Trust program. This program is based on the Zero Trust security model, which prioritizes security at every layer of the technology stack, from network and device to user and application. The UCR Secure Trust program is built on five key pillars: Identity and Access Management (IAM), Managed Endpoints, Application Security, Network Segmentation, and Data Security.
The UC mandate aligns with and reinforces the goals of the UCR Secure Trust program. While the mandate requires specific actions to be taken by a certain deadline, the UCR Secure Trust program provides a broader framework for continuous improvement and long-term cybersecurity resilience.
By combining the immediate actions required by the UC mandate with the comprehensive approach of the UCR Secure Trust program, we are confident in UCR’s ability to create a safer and more secure digital environment for our entire Highlander community.
UCR’s Information Security Office
The UC Riverside Information Security Office is here to inform and support UCR and its associated communities to improve UC Riverside’s information security posture. This will help the community securely generate, advance, disseminate, and apply data and knowledge as it pursues the UC mission of teaching, research, and public service.
- Will these tools monitor my personal activity, emails, or browsing history?
These tools are designed to protect against cybersecurity threats. They focus on detecting unusual, malicious, or potentially harmful activity and not on monitoring personal information.
- Will these tools slow down my device or interfere with my work?
We've carefully selected tools that are lightweight and have minimal impact on device performance. It is worth noting that these tools are not new. UCR currently utilizes these tools but now must expand coverage across campus to strengthen security. If you experience any issues, please submit an IT ticket.
- Will I be able to control the settings or disable these tools if needed?
Settings on IT-managed devices will be managed centrally to ensure optimal security. For personal devices, you will have some control over settings, but default configurations should be preserved for maximum protection and program compliance. Please note that noncompliance will result in the inability to access secure UCR resources and applications.
- Why are these tools necessary?
Universities are among the entities most targeted by nation-states and other bad actors, and their attempts to attack us are becoming more sophisticated and frequent. Each tool in the UCR security toolset serves a unique and important purpose. Together, these tools provide an additional layer of protection for our University data and systems and, importantly, your sensitive personal and financial information.
- What happens if a threat is detected?
The tools will alert the ITS Information Security Office. UCR’s security professionals will then take appropriate action to investigate and mitigate the threat while adhering to strict UC and campus privacy policies and industry-standard operating procedures.
- Do I need all three tools?
Yes, each tool is crucial in fulfilling UC's security requirements. To learn about the role of each tool, please refer to the “Tools to Protect Your Work and Preserve Your Legacy” section.
- Will ITS or any of the tools be able to read my email?
The security tools are not designed to read your email content. Their purpose is to protect your device and university data, not to monitor personal communications. In the event that a potential threat is detected, the ITS Information Security Office is required to investigate while adhering to strict UC and campus privacy policies, including the UC Electronic Communications Policy.
- What happens if I don't follow the mandate?
The UC President's letter outlines the campus consequences of non-compliance. In an effort to mitigate these consequences, UCR’s security plan employs additional consequences, which include but are not limited to restricted access to campus resources (such as networks, WiFi, and online service applications). These measures are necessary to help ensure the safety and security of both the UCR community and our larger UC community.
- How do these requirements impact students?
These requirements do not directly impact students; however, student employees are required to complete the UC Cyber Security Awareness Fundamentals training. Moreover, non-academic student employees must use a compliant device when conducting university business.
- Are personal devices, such as BYOD, included in the mandate?
Yes, the security tools must be installed on personal devices if the user wishes to connect to secure UCR resources and applications that hold sensitive institutional data. Mobile devices (phones and some tablets) are not currently subject to the same requirements.
- Are mobile devices included in the mandate?
No, mobile devices such as phones and tablets* are not subject to the same requirements as computers and laptops under the mandate.
That said, it is still crucial to secure your mobile devices to protect your data. To safeguard your data, utilize complex passwords or biometric authentication, maintain up-to-date software, and exercise caution when using public Wi-Fi for sensitive activities. Be sure to remain vigilant against phishing attempts and establish regular data backup routines. For more information about best practices, refer to Mobile Security Guidance.
*Note: Microsoft Surface Tablets require installation and use of the security tools.
- Will the mandate still go into effect now that President Drake is stepping down?
Yes, the mandate remains in effect. While President Drake has communicated the mandate, it is a directive endorsed and supported by the UC Regents, the governing board of the University of California. This ensures the mandate's continuity and prioritization as a critical component of UC's cybersecurity strategy, regardless of leadership changes.
More Resources
Learn from the experiences of other institutions that have faced cyber threats and understand the potential impact of cyberattacks on universities by visiting "It Happened to Us." For those using university-managed devices, Secure Device Services (SDS) ensures that your devices meet UCR's security standards, safeguarding your information and the university's network. If you suspect any security breaches or have concerns, report them promptly to help protect yourself and the UCR community by contacting abuse@ucr.edu.