Campus-level implementation of IS-3 will happen in phases. However, there are things that Units at all levels can do to get started, even as campus-level implementation is in progress:
Be aware that Protection Levels are changing. UC now uses a 1-4 scale, while Berkeley has been using a 0-3 scale. This means that all PL numbers will be changing. There are also category changes for certain types of information, so its not as simple as just adding 1 to the current PL number. ISO is currently working on a draft of Berkeley's updated Data Classification Standard and will link here when available. In the meantime, the UC Data Classification Standard and Guide are here: https://security.ucop.edu/policies/institutional-information-and-it-resource-classification.html. At a high level, this is what you’ll see:
Learn about the new Availability Levels. This is a new concept for information security at UC. Availability Level refers to the impact of loss of availability or service, measured on a scale of 1-4. A4 is the highest level of impact and A1 is the lowest. Availability Level helps to determine what protections are required to ensure that information and resources are available when needed. The four Availability Levels are described in the UC Data Classification Standard and Guide: https://security.ucop.edu/policies/institutional-information-and-it-resource-classification.html and will be added to the Berkeley Data Classification Standard, and linked here, when available.
- Identify and classify Institutional Information and IT Resources that the Unit is responsible for:
- Use the new UC Protection Levels
- Register any UC P3 and UC P4 assets in NetReg that would be considered Institutional Devices or Privileged Access Devices. For UC P3, use Berkeley Data Protection Level 1; for UC P4, use Berkeley Data Protection Level 2 or 3, as appropriate.
- Begin to think about the Availability Levels of your information and IT Resources
- Work on bringing your Unit into compliance with UC Berkeley’s current minimum security standards. IS-3 will build on these, so this is a good place to start:
- Familiarize yourself with the roles and responsibilities identified in IS-3. Key roles include Workforce Members, Researchers, Unit Heads, Unit Security Leads, Information and Resource Proprietors, Service Providers, and Workforce Managers. https://security.ucop.edu/policies/quick-start-guides-by-role/index.html