IS-3 Resources for Researchers

Overview

Increasingly, data sharing agreements and research funding agreements include cyber security requirements. Researchers working with protected data may be affected by the updates from the system-wide Information Security Policy (IS-3)

  • If you’re conducting research on behalf of UC, you’re considered a Workforce Member and should follow the requirements for that role.
  • Additionally, if you’re working with information classified at Protection Levels 3 or 4, you’ll need to adhere to these extra responsibilities.

Examples of changes affecting research data:

Here are some example research data types that will be affected by the changes:

 

Type(s) of data: Old Classification New Classification
  • Individually identifiable human subject research data containing P4 data elements, or that the Institutional Review Board (IRB) determines is high risk/P4
  • Individually identifiable human genetic information
  • Other research information classified as P4 by an Institutional Review Board (IRB)
  • High risk export controlled data or technology (DoE 10 CFR Part 810, high-risk EAR/ITAR)
UCB PL2 UC P4
  • Personally identifiable Human Subject data that is not classified as P4
  • Medical devices supporting diagnostics (not containing P4 information)
  • Low risk export controlled data or technology (EAR/ITAR)
UCB PL1 UC P3
  • De-identified Human Subject data with negligible re-identification risk and no Notice-Triggering data elements
UCB PL1 UC P2

Follow this checklist to prepare for appropriate handling of data:

  1. Classify your research. Once you know which Protection Level your research data fall under, you can take the appropriate steps to meet campus policies for securing those data.
  2. Fill out a MSSEI Self Assessment Plan. This plan will identify the needed controls based on the classification of your data. 
  3. Submit the MSSEI Self Assessment Plan. We will review the plan and provide recommendations and feedback.

Other items to consider:

  • Invest appropriately. Be aware that bad things can happen to your data – anything from outright theft to the use of ransomware to encrypt it so you no longer have access. UC has lost research data that can’t be replaced because of ransomware … and UC researchers are often targeted. If you need help or have questions, email security@berkeley.edu
  • Manage suppliers responsibly. If you work with external Suppliers in any capacity, make sure they review the system-wide Information Security Policy (IS-3) and comply with all applicable requirements.
    • See Section 15: Supplier Relationships for a list of specific tasks and considerations for external Suppliers.