IS-3 Informational Page


UC Business and Finance Bulletin IS-3 is the University of California’s systemwide information security policy. A major update to IS-3 was finalized in September 2018. The policy and related standards are available here: 

The new IS-3 changes the way information security risk is handled within the university. Foundational elements include:

  • Security is a shared responsibility - everyone has a role
  • IS-3 focuses on risk management; risk assessment is key
  • Units are responsible for managing their own risk 
  • Many requirements are based on Protection Level and Availability Level
    • UC Berkeley’s Protection Levels (currently PL0-3) will be updated to align with the new systemwide scale (1-4) and requirements
    • There is a new concept of Availability Level -- the impact of loss of availability of information and resources, also on a scale of 1-4