IS-3 Resources for Researchers


Increasingly, data sharing agreements and research funding agreements include cyber security requirements. Researchers working with protected data may be affected by the updates from the system-wide Information Security Policy (IS-3)

Examples of changes affecting research data:

Here are some example research data types that will be affected by the changes:

Type(s) of data: Old Classification New Classification
  • Individually identifiable human subject research data containing P4 data elements that the Institutional Review Board (IRB) or Campus Privacy Office determines is high risk/P4
  • Human genomic data subject to GDPR or HIPAA
  • Other research information classified as P4 by an Institutional Review Board (IRB)
  • High risk export controlled data or technology (DoE 10 CFR Part 810, high-risk EAR/ITAR)
  • Personally identifiable Human Subject data that is not classified as P4. This includes human genomic data that can be re-identified using publicly available data.
  • Medical devices supporting diagnostics (not containing P4 information)
  • Low risk export controlled data or technology (EAR/ITAR)
  • De-identified Human Subject data with negligible re-identification risk and no Notice-Triggering data elements

Follow this checklist to prepare for appropriate handling of data:

  1. Classify your research. Once you know which Protection Level your research data fall under, you can take the appropriate steps to meet campus policies for securing those data.
  2. Fill out a MSSEI Self Assessment Plan. This plan will identify the needed controls based on the classification of your data. 
  3. Submit the MSSEI Self Assessment Plan. We will review the plan and provide recommendations and feedback.

Other items to consider:

  • Invest appropriately. Be aware that bad things can happen to your data – anything from outright theft to the use of ransomware to encrypt it so you no longer have access. UC has lost research data that can’t be replaced because of ransomware … and UC researchers are often targeted. If you need help or have questions, email
  • Manage suppliers responsibly. If you work with external Suppliers in any capacity, make sure they review the system-wide Information Security Policy (IS-3) and comply with all applicable requirements.
    • See Section 15: Supplier Relationships for a list of specific tasks and considerations for external Suppliers.