IS-3 Implementation

Overview

The update of UC's Electronic Information Security Policy, IS-3, in 2018 brought changes to the way information security risk is managed at UC, and here at Berkeley. This project is designed to integrate IS-3's requirements and principles into Berkeley's existing information security program in a way that aligns with core campus priorities and values. It will help to ensure that risk is understood and addressed at the appropriate organizational levels, and includes updating the fundamentals of the campus’ security program to current UC and industry standards.

Implementation Plan for UC Berkeley

As part of our multi-year program for implementing IS-3, ISO will roll out a comprehensive plan to enable Units to comply with their obligations under UC Berkeley’s local implementation of IS-3. Refer to these slides for background and the initial (Phase 1) implementation plan from 2019 (login required). 

Our goal is to integrate IS-3 into UC Berkeley’s existing information security program in a way that makes sense for campus:

• Maintain MSSND/MSSEI concepts
• Identify/define key roles and responsibilities
• Update policies, standards, exception process, etc. 
• Move to systemwide Protection Levels and incorporate Availability Level
• Broad collaboration and communication around program changes

Implementation Schedule

All campus academic and administrative units have completed their initial IS-3 onboarding. The history of this project is summarized below.

Next Steps

Beginning in 2025, this onboarding project will transition to a program of ongoing engagement and periodic review. Please see the Information Security Office's Cyber Risk Management Program homepage for details.

---

History - Phases 1-5:

"Phase 1" began in 2019-2020 and focused on:

1. Updating/developing foundational policies: 
   1. Roles and Responsibilities
   2. Data Classification Standard*
   3. Exception Process
   4. MSSND | Article highlighting MSSND changes
   5. MSSEI PL “quick fix”: updating the Protection Level numbers in the MSSEI without changing requirements*

2. Identifying and orienting Pilot Units, Unit Heads, and Unit Security Leads
3. Updating Socreg (formerly known as NetReg) with new data classifications and having Security Contacts review and confirm/update their assets
4. Developing high-level dashboard for Pilot Units
5. High-level IS-3 assessment for Pilot Units

Spring 2021 - “Phase 2”:

1. Identifying and onboarding the first non-pilot cohort of Units into the IS-3 framework
2. Continue to update and develop foundational IT policies, including
   1. Convening MSSEI workgroup and beginning work on updating the Standard
   2. Finalizing and publishing the formal campus Information Security Incident Response Plan and Information Security Management Program
   3. Formalized risk acceptance processes
   4. Continuing to publicize the updated data Protection Levels* 

3. Refining tools, processes, and resources to facilitate and streamline the onboarding process

Fall 2021-Fall 2022 - "Phase 3":

1. Identify and onboard high-risk Units into the IS-3 framework using a cohort model -- currently scheduled to extend through Dec. 2022.
2. Beginning to incorporate the concept of Availability Level.
3. Continuing to update and develop foundational policies.
4. Complete the first annual review.

Phase 4 - Spring 2023:

1. Retool the onboarding process and unit self-assessment questionnaire in preparation for lower risk unit onboarding, based on lessons-learned from higher-risk unit onboarding.
2. Develop an ongoing, operational program of periodic reviews. 
3. Develop Executive and unit-level reporting and metrics to identify progress and trends.
4. Continue to update and develop foundational policies.
5. Identify remaining Academic and Administrative Units, Unit Heads, and Unit Information Security Leads (UISLs).

Phase 5 - Summer 2023-Fall 2024:

1. Onboard remaining Academic and Administrative Units
2. Periodic review for Units originally onboarded in Fall 2021
3. Development of ongoing, operational program of review, metrics, and reporting

---

What Units Can Do Now (archive):

Campus-level implementation of IS-3 happened in phases. However, there were things that Units at all levels could do to get started. The information below was provided to Units during the initial onboarding project (2019-2024). It is available here for reference.

Familiarize yourself with the roles and responsibilities identified in IS-3 through our Roles and Responsibilities Policy Home Page. This policy consolidates existing UC Berkeley responsibilities and key IS-3 responsibilities. Identified roles include Workforce Members, Researchers, Unit Heads, Unit Security Leads, Information and Resource Proprietors, Service Providers, and Workforce Managers. Learn even more at the UCOP Quick Start Guide.

• Identify your Unit Head and Unit Information Security Lead(s). These people have key roles in IS-3. Also visit our Unit Heads and Security Leads page for additional resources for these roles.

• Identify any IT Services that your Unit provides. Many of the Service Provider responsibilities in this policy are not new, but were previously divided among several policies. Service Providers may benefit from this consolidated list of responsibilities.

Work on bringing your Unit into compliance with UC Berkeley’s current minimum security standards.

IS-3 will build on these, so this is a good place to start:

• Minimum Security Standards for Networked Devices

• Minimum Security Standards for Electronic Information

Be aware that Protection Levels have changed

UC Berkeley’s Protection Level scale has been updated to align with the rest of the UC system. We now have a P1-P4 scale instead of our old PL0-PL3 scale. This means that all Protection Level numbers have changed. There are also category changes for certain types of information, so it's not as simple as just adding 1 to the old PL number. Please refer to Berkeley's Data Classification Standard for details. At a high level, this is what you’ll see:

Learn about Availability Levels

This is a relatively new concept for information security at UC. Availability Level refers to the impact of loss of availability or service, measured on a scale of 1-4. A4 is the highest level of impact and A1 is the lowest. Availability Level helps to determine what protections are required to ensure that information and resources are available when needed. The four Availability Levels are described in the updated Berkeley Data Classification Standard. Additional information is also available in the UC Data Classification Standard and Guide). 

Identify and classify your Unit's Institutional Information and IT Resources

• Use the new Protection Levels to re-classify your information and IT Resources.

• Register any P3 and P4 assets in Socreg that would be considered Institutional Devices or Privileged Access Devices. 

• Begin to think about the Availability Levels of your information and IT Resources and start to identify your A4 assets

• A4 assets should be registered in Socreg, too.

• This is a good time to confirm and update your Unit’s information in UC Ready (UC's business continuity/disaster recovery tool). All A4 IT Resources and data maintained by your unit should be registered in UC Ready. For questions or assistance, contact itdrhelp@berkeley.edu.

• Work on bringing your Unit into compliance with UC Berkeley’s current minimum security standards. IS-3 will build on these, so this is a good place to start:

• Minimum Security Standards for Networked Devices

• Minimum Security Standards for Electronic Information

Update outdated references to Protected Data and PL numbers on your websites and internal documentation

We've put together the following table to help you convert general references to Protection Levels. You can convert straight over to the new UC P# directly.

*Please note: These general conversions are only best approximations and are not a perfect mapping. For documents that speak to specific references refer to the Data Classification Standard https://security.berkeley.edu/data-classification-standard#plclassification

For example: FERPA-protected data used to be listed as UCB PL1, but became P3 in the new numbering system. 

*UC Berkeley’s Data Protection Levels were updated to align with the new UC systemwide scale. However, the associated controls or requirements were not modified to help support a smooth migration. Review and update of the controls and requirements for each classification level are taking place separately. [NOTE: the campus Minimum Security Standards for Electronic Information were updated in April 2024.]