UC Business and Finance Bulletin IS-3 is the University of California’s systemwide information security policy. A major update to IS-3 was finalized in September 2018. The policy and related standards are available here: https://security.ucop.edu/policies/it-policies.html.
The new IS-3 changes the way information security risk is handled within the university. Foundational elements include:
- Security is a shared responsibility - everyone has a role
- IS-3 focuses on risk management; risk assessment is key
- Units are responsible for managing their own risk
- Many requirements are based on Protection Level and Availability Level
- UC Berkeley’s Protection Levels (currently PL0-3) will be updated to align with the new systemwide scale (1-4) and requirements
- There is a new concept of Availability Level -- the impact of loss of availability of information and resources, also on a scale of 1-4