UC Business and Finance Bulletin IS-3 is the University of California’s systemwide information security policy. A major update to IS-3 was finalized in September 2018. The policy and related standards are available here: https://security.ucop.edu/policies/it-policies.html.
The new IS-3 changes the way information security risk is handled within the university. Foundational elements include:
- Security is a shared responsibility - everyone has a role
- IS-3 focuses on risk management; risk assessment is key
- Units are responsible for managing their own risk
- Many requirements are based on Protection Level and Availability Level
- UC Berkeley’s Protection Levels (currently PL0-PL3) will be updated to align with the new systemwide scale (P1-P4) and requirements
- There is a new concept of Availability Level -- the impact of loss of availability of information and resources, also on a scale of A1-A4