Version 2.0, updated 6/4/2025
University of California, Berkeley
- Responsible Executive: Associate Vice Chancellor for Information Technology and Chief Information Officer
- Responsible Office: Information Security Office
- Contact Information: security-policy@berkeley.edu
- Policy Issued Date: Original issue date unknown; last revised 9/26/2022 (v1.1)
- Effective Date: Original effective date unknown; last revised 9/26/2022 (v1.1)
- Revision Date: 06/04/2025 version 2.0
- Supersedes: 9/26/2022 version 1.1
- Next Review Date: 06/04/2030
I. Policy Summary
The Campus Information Technology (IT) Security Policy establishes the policy basis for administration of and compliance with campus information security standards that have been approved by the campus Information Risk Governance Committee (IRGC).
II. Definitions
See UC Berkeley's Information Security Policy Glossary for definitions of Key Terms used in this Policy (capitalized and italicized). The first instance of each term is linked directly to the Glossary.
III. Scope of Policy
This policy applies to all individuals who use or access UC Berkeley Institutional Information or IT Resources.
IV. Policy
A. Purpose
The purpose of this Policy is to establish the basis for administration of and compliance with information security standards approved by the campus Information Risk Governance Committee (IRGC).
Due to the continually changing nature of information security risks and threats, the campus refers to IRGC-approved information security standards as the means for operationalizing this policy.
B. Policy Statement
In order to fulfill its mission of teaching, research, and public service, the campus is committed to providing a secure yet open network that protects the confidentiality, integrity, and availability of information.
Each member of the campus community is responsible for the security and protection of Institutional Information and IT Resources over which they have control. Resources to be protected include networks, computers, software, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise.
To this end, UC Berkeley's IRGC-approved information security standards, including but not limited to the Minimum Security Standards for Networked Devices (MSSND) and Minimum Security Standards for Electronic Information (MSSEI), carry the weight of campus policy.
V. Responsibilities
The IRGC has oversight of the campus privacy and campus information security programs, and approval of information security standards, including evaluation of risks as well as costs and benefits of mitigation, considering workload impact across campus. See the IRGC summary description and charge.
The Information Security Office (ISO) is responsible for management of campus information security policies and standards under IRGC's governance.
Roles and responsibilities for the protection of university Institutional Information and IT Resources are described in the campus Roles and Responsibilities Policy.
VI. Consequences of Policy Violations
In addition to any possible legal sanctions, violators of campus information security policies and standards approved by IRGC may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to UC and UC Berkeley policies, collective bargaining agreements, codes of conduct, or other instrument(s) governing the individual's relationship with the University. Recourse to such actions shall be as provided for under the provisions of those instruments.
Insufficient security measures may also result in devices being blocked from network access and/or hosted services. The campus Information Security Office's Procedures for Blocking Network Access specify how the decision to block is made and the procedures involved.
Additional disciplinary sanctions for serious violations of information security policy, and responsibility for costs that result from an Information Security Incident resulting from a significant failure to comply, are included in Section 1 of UC Presidential Policy BFB IS-3 and are not re-stated here.
Violations of this policy can be reported to the Information Security Office: security-policy@berkeley.edu.
VII. Related Policies and Procedures
A. Information security standards covered by this policy
This list will be managed on an ongoing basis to include all IRGC-approved information security standards.
- Data and IT Resource Classification Standard
- Minimum Security Standards for Electronic Information (MSSEI)
- Minimum Security Standards for Networked Devices (MSSND)
B. Related policies and procedures
- Acceptable Use of Technology Resources ("Acceptable Use Policy")
- Information Security A-Z Policy Catalog
- Procedures for Blocking Network Access
- Report a Security incident
- Roles and Responsibilities Policy
- UC BFB IS-3, Electronic Information Security (IS-3)
Change Log:
Administrative update v1.1, 9/26/2022:
- Replaced obsolete Roles and Responsibilities with a pointer to the new Information Security Roles and Responsibilities Policy
- Clarified that off-campus entities must comply with the same or equivalent security requirements as in-house activities (not just the same requirements).
- Updated obsolete terminology, fixed links, added policy ownership and contact info
Version 2.0, 6/4/2025:
- Removed obsolete and superseded information and repurposed policy to clearly establish the policy basis for administration of and compliance with campus information security standards.
- Applied campus policy template.