IS-3 Implementation

Overview

UC's Electronic Information Security Policy, IS-3, brings changes to the way information security risk is managed at UC, and here at Berkeley. This project is designed to integrate IS-3's requirements and principles into Berkeley's existing information security program in a way that aligns with core campus priorities and values. It will help to ensure that risk is understood and addressed at the appropriate organizational levels, and includes updating the fundamentals of the campus’ security program to current UC and industry standards.

Our Plan

As part of our multi-year program for implementing IS-3, ISO will roll out a comprehensive plan to enable Units to comply with their obligations under UC Berkeley’s local implementation of IS-3. Refer to these slides for more details (login required)

Our goal is to integrate IS-3 into UC Berkeley’s existing information security program in a way that makes sense for campus:

  • Maintain MSSND/MSSEI concepts
  • Identify/define key roles and responsibilities
  • Update policies, standards, exception process, etc. 
  • Move to systemwide Protection Levels and incorporate Availability Level
  • Broad collaboration and communication around program changes

Implementation Schedule

We've started an estimated onboarding schedule for campus Academic and Administrative Units through 2022 and will begin scheduling the remaining Units in Fall 2022 for onboarding in Spring 2023. Visit our IS-3 Unit Onboarding Schedule page (CalNet protected) for more information. 

Phase 3:

Fall 2021 - Fall 2022 Focus:

  1. Identify and onboard high-risk Units into the IS-3 framework using a cohort model -- currently scheduled to extend through Nov 2022.
  2. Beginning to incorporate the concept of Availability Level.
  3. Continuing to update and develop foundational policies.
  4. Develop a process for periodic review.

Phases 1 & 2:

Began in 2019-2020 and focused on:

  1. Updating/developing foundational policies: 
    1. Roles and Responsibilities Draft
    2. Data Classification Standard*
    3. Exception Process
    4. MSSND Draft | Article highlighting MSSND changes
    5. MSSEI PL “quick fix”: updating the Protection Level numbers in the MSSEI without changing requirements*
  1. Identifying and orienting Pilot Units, Unit Heads, and Unit Security Leads
  2. Updating NetReg with new data classifications and having Security Contacts review and confirm/update their assets
  3. Developing high-level dashboard for Pilot Units
  4. High-level IS-3 assessment for Pilot Units

Spring 2021 Focus - “Phase 2”:

  1. Identifying and onboarding the first non-pilot cohort of Units into the IS-3 framework
  2. Continue to update and develop foundational IT policies, including
    1. Convening MSSEI workgroup and beginning work on updating the Standard
    2. Finalizing and publishing the formal campus Information Security Incident Response Plan and Information Security Management Program
    3. Formalized risk acceptance processes
    4. Continuing to publicize the updated data Protection Levels
  1. Refining tools, processes, and resources to facilitate and streamline the onboarding process

What Units Can Do Now:

Campus-level implementation of IS-3 will happen in phases. However, there are things that Units at all levels can do to get started. 

If your Unit would like to get on the waitlist, reach out us at: uisl-help@berkeley.edu.

Roles and Responsibilities

Familiarize yourself with the roles and responsibilities identified in IS-3 through our Roles and Responsibilities Policy Home Page. This policy consolidates existing UC Berkeley responsibilities and key IS-3 responsibilities. Identified roles include Workforce Members, Researchers, Unit Heads, Unit Security Leads, Information and Resource Proprietors, Service Providers, and Workforce Managers. Learn even more at the UCOP Quick Start Guide(link is external).

  • Identify your Unit Head and Unit Information Security Lead(s). These people have key roles in IS-3. Also visit our Unit Heads and Security Leads page for additional resources for these roles.

  • Identify any IT Services that your Unit provides. Many of the Service Provider responsibilities in this policy are not new, but were previously divided among several policies. Service Providers may benefit from this consolidated list of responsibilities.

Be aware that Protection Levels have changed

UC Berkeley’s Protection Level scale has been updated to align with the rest of the UC system. We now have a P1-P4 scale instead of our old PL0-PL3 scale. This means that all Protection Level numbers have changed. There are also category changes for certain types of information, so it's not as simple as just adding 1 to the old PL number. Please refer to Berkeley's Data Classification Standard for details. At a high level, this is what you’ll see:

UCB to UC protection level changes

Learn about the new Availability Levels

This is a new concept for information security at UC. Availability Level refers to the impact of loss of availability or service, measured on a scale of 1-4. A4 is the highest level of impact and A1 is the lowest. Availability Level helps to determine what protections are required to ensure that information and resources are available when needed. The four Availability Levels are described in the updated Berkeley Data Classification Standard. Additional information is also available in the UC Data Classification Standard and Guide(link is external)

AL Flags with Scale

Identify and classify your Unit's Institutional Information and IT Resources

Update outdated references to Protected Data and PL numbers on your websites and internal documentation

We've put together the following table to help you convert general references to Protection Levels. You can convert straight over to the new UC P# directly.

Former UCB Protection Level Numbers

New UC Protection Level Numbers

UCB PL0

UC P1

UCB PL1

UC P2* or UC P3*

UCB PL2/PL3

UC P4

*Please note: These general conversions are only best approximations and are not a perfect mapping. For documents that speak to specific references refer to the Data Classification Standard https://security.berkeley.edu/data-classification-standard#plclassification

For example: FERPA-protected data used to be listed as UCB PL1, but became UC P3 in the new numbering system. 

*UC Berkeley’s Data Protection Levels were updated to align with the new UC systemwide scale. However, the associated controls or requirements were not modified to help support a smooth migration. Review and update of the controls and requirements for each classification level are taking place separately.

Phase 3 Status Updates:

Process Changes:

  • Develop and announce new UCB Availability Level data element in NetReg. 
    - in progress

  • Formalize risk acceptance processes.
    - in progress

Policy Changes:

  • Finalize New Roles and Responsibilities Policy.- draft complete; final round of campus review in progress; pending governance approval 

  • Update MSSND.- draft complete; final round of campus review in progress 

  • MSSEI update project.
    - in progress

Unit Onboarding Status:

  • Currently onboarding the Sept. - Nov. 2021 cohort of Units