Take the UC Training
All UCR employees, including faculty, must complete and remain current on the UC Cyber Security Awareness Fundamentals training to ensure continued access to UCR applications and resources.
Verify Your Identity
UCR employees must use multi-factor authentication (MFA) when accessing campus resources and health email systems. Prepare for upcoming enhancements by downloading and using the Duo Mobile app.
Download the Security Toolset
To meet compliance, UCR employees must install and use three UCR-mandated security tools in order to connect a device to UCR's secure networks and cloud resources. These applications are not optional.
Please note: Additional campus enforcement measures may be needed to meet compliance. Guidance will be provided as soon as details are available.
Top 5 Things to Know
- All UC locations must comply with new information security requirements by May 2025, as mandated by the UC President at the direction of the UC Regents.
- These requirements apply to all UC employees, including faculty. UCOP has outlined enforcement measures. UCR-specific enforcement measures will be shared with campus once finalized.
- UCR is currently implementing its plan to meet these new requirements, which includes mandatory cybersecurity training, identity verification enhancements, and the use of industry-standard security tools.
- As part of this plan, all three applications in the UCR security toolset must be installed on all devices that connect to secure UCR networks and cloud resources. These applications are not optional.
- UCR is actively working to inform all employees about the new security requirements and how to meet them (please continue to check this page for the most up-to-date information).
UC President and Regents Call UCR to Action
The development of a comprehensive information security program was already in motion at UCR, demonstrating the University's proactive commitment to safeguarding its valuable data and systems. However, the UC President's letter has introduced a renewed sense of urgency into the implementation of this program.
The letter's firm deadlines and potential consequences for non-compliance underscore the critical importance of cybersecurity in today's digital landscape. As such, the successful execution of UCR's security program now necessitates the active cooperation and participation of all faculty, staff, and students. As highlighted by the Provost, everyone plays a crucial role in maintaining a secure digital environment, and collective efforts are essential to protect our research and personal data, prevent cyberattacks, and ensure the continued success of the University's mission.
Key takeaways from the letter and UCR's planned response:
The UC President's letter calls for all UC campuses to achieve key cybersecurity outcomes by May 28, 2025, to help protect sensitive data, maintain operational continuity, comply with regulations, and mitigate financial risks.
The UC President's letter explicitly states that all UCR units and employees, including faculty, must comply.
Note: Students are exempt unless they are administrative (non-academic) employees of the university.
As stated in the UC President's letter, campus consequences for non-compliance include:
- 15% increase in cyber insurance premiums
- Up to $500,000 in costs for security incidents
- Merit increases for unit heads require Chancellor's approval
According to the UC President's letter, all UC campuses are expected to achieve the following outcomes by May 28, 2025:
- Ensure 100% of faculty and staff complete cybersecurity awareness training
- Ensure timely escalation of security incidents by adhering to UC incident response and cybersecurity escalation standards
- Identify, track, and manage vulnerabilities of all devices that connect to campus resources
- Deploy UC-approved Endpoint Detection and Recovery (EDR) software on 100% of assets
- Deploy and configure multi-factor authentication (MFA) on 100% of campus and health email systems
- Deploy and configure a robust Data Loss Prevention (DLP) solution for health email systems
UCR’s Information Security Office is responding to these requirements accordingly, with six projects that will achieve each of these outcomes.
UCR is currently implementing its plan to meet these new requirements, which includes the use of industry-standard security toolsets and best practices. The following campus enforcement measures apply to all UCR employees:
- Timely completion of annual UC Cyber Security Awareness Fundamentals training to access UCR applications and resources
- Although already required to access most secure UCR resources, multi-factor authentication (MFA) is now required of anyone using campus and health email systems
- Campus can also expect enhancements to the way users verify their identity when accessing secure resources, including the sunsetting of SMS and call options
- Installation and use of the three UCR-mandated security tool applications* in order to connect a device to UCR's secure networks and cloud resources
- Additional enforcement measures (guidance will be provided as soon as details are available)
*These tools are provided to employees at no cost. Employees who use devices that are not managed by ITS or their local IT department will need to install the tools themselves. Please see the Secure Your Devices section below.
Complete the UC Cyber Security Awareness Fundamentals training
To maintain access to UCR applications and resources, all employees need to complete the UC Cyber Security Awareness Fundamentals training every year when prompted by the UC Learning Center (LMS).
- Timely completion of the mandatory annual Cybersecurity Training is crucial to your annual performance appraisal (employee evaluation), and noncompliance may impact your eligibility for a merit award.
- Supervisors are responsible for ensuring that all employees comply with their training requirements.
Security Investment Roadmap
Campus completion of UC Cyber Security Awareness Fundamentals training, identity verification enhancements, and use of the three UCR-mandated security tools are, collectively, an important first step in meeting the required cybersecurity outcomes. The campus can expect that additional measures will be implemented as UCR works to come into full compliance.
We are committed to transparency throughout this process. Information about required actions and next steps will be communicated to campus on this webpage and, where possible, through other campus communication channels and forums, including webinars. Regular progress reports on our collective compliance will be provided to campus leadership, including deans, vice chancellors, the Vice Provost, the Provost, and other unit leaders and stakeholders. These reports will highlight our achievements and identify areas that require improvement.
UCR Secure Trust Program
While the UC Cybersecurity Mandate 2025 catalyzes immediate action, it's important to understand that UCR has already embarked on a journey to enhance its information security through the UCR Secure Trust program. This program is based on the Zero Trust security model, which prioritizes security at every layer of the technology stack, from network and device to user and application. The UCR Secure Trust program is built on five key pillars: Identity and Access Management (IAM), Managed Endpoints, Application Security, Network Segmentation, and Data Security.
The UC mandate aligns with and reinforces the goals of the UCR Secure Trust program. While the mandate requires that specific actions be taken by a certain deadline, the UCR Secure Trust program provides a broader framework for continuous improvement and long-term cybersecurity resilience.
By combining the immediate actions required by the UC mandate with the comprehensive approach of the UCR Secure Trust program, we are confident in UCR’s ability to create a safer and more secure digital environment for our entire Highlander community.
UCR’s Information Security Office
The UC Riverside Information Security Office is here to inform and support UCR and its associated communities to improve UC Riverside’s information security posture. This will help the community securely generate, advance, disseminate, and apply data and knowledge as it pursues the UC mission of teaching, research, and public service.
- What happens if I don't follow the mandate?
The UC President's letter outlines the campus consequences of non-compliance. In an effort to mitigate these consequences, UCR’s security plan employs additional consequences, which include but are not limited to restricted access to campus resources (such as networks, WiFi, and online service applications). These measures are necessary to help ensure the safety and security of both the UCR community and our larger UC community.
- How do these requirements impact students?
These requirements do not directly impact students; however, student employees are required to complete the UC Cyber Security Awareness Fundamentals training. Moreover, non-academic student employees must use a compliant device when conducting university business.
- Will the mandate still go into effect now that President Drake is stepping down?
Yes, the mandate remains in effect. While President Drake has communicated the mandate, it is a directive endorsed and supported by the UC Regents, the governing board of the University of California. This ensures the mandate's continuity and prioritization as a critical component of UC's cybersecurity strategy, regardless of leadership changes.
- Where can I learn more about the UC-mandated security toolset?
To learn more about the required security tool applications, including download and installation instructions and commonly asked questions, please visit the Security Toolset webpage.
- Where can I learn more about the planned changes to UCR's multi-factor authentication (MFA) processes?
To learn more about the upcoming changes to UCR's MFA processes, including frequently asked questions, please visit the MFA webpage.