UC Berkeley’s Implementation of IS-3

Overview

UC BFB IS-3, Electronic Information Security, is UC’s systemwide electronic information security policy. 

UCB affirms the policy goals of IS-3:

1. Preserve academic freedom and research collaboration
2. Protect privacy
3. Follow a risk-based approach
4. Maintain confidentiality
5. Protect integrity
6. Ensure availability

The following UC Berkeley policies, standards, and related documents constitute UC Berkeley’s implementation of IS-3: 

• Roles and Responsibilities Policy
• Data Classification Standard
• Minimum Security Standards for Networked Devices (MSSND) 
• Minimum Security Standards for Electronic Information (MSSEI) (under review) 
• Information Security Policy Exception Process
• Campus Information Security Management Program (ISMP) (authentication required)
• Campus Information Security Incident Response Plan (IRP) (authentication required)
• ISO-Managed Registration Portal (Socreg) for registering P3, P4, and in the future A4, assets
• Information Security Policy Guide for Units 

Information Security Management Program (ISMP)

UC Berkeley has a documented campus-level Information Security Management Program (ISMP).

The ISMP includes:

• Campus Information Security Program Elements mapped to the NIST CSF Framework
• An overview of Information Security Risk Governance at UC Berkeley
• Information security risk decision authority and escalation
• Requirements for ISMP review and acceptance

Risk Treatment Plan Approach

UC Berkeley uses a Risk Treatment Plan approach for managing information security risk, as described in Section I of the MSSEI. The MSSEI constitutes UC Berkeley’s Risk Treatment Plan.

Additional Campus Resources Related to IS-3 Implementation

• Unit Heads and Security Leads Resource Page
• Faculty Guide to the Roles and Responsibilities Policy
• IS-3 Resources for Researchers
• UC Berkeley IS-3 Implementation Website
• Unit Information Security Metrics Dashboard (authentication required)