IS-3 Resources

Overview

UC Business and Finance Bulletin IS-3 is the University of California’s systemwide information security policy. A major update to IS-3 was finalized in September 2018 and changed the way information security risk is handled within the university. 

The following resources provide additional information on the IS-3 policy and campus implementation. We will continue to post more information and supporting documents as they become available. For historical information about the campus' multi-year roll-out of foundational IS-3 elements to academic and administrative units, visit our IS-3 Implementation Project page.

Documents, Templates, & Guides:

• Campus Information Security Incident Response Plan - This plan describes the overall plan for responding to Information Security Incidents at UC Berkeley. 
• Classification of Availability Levels webpage - This page includes summary definitions and key examples of each Availability Level.
• Data Classification and Protection Levels webpage - This page includes summary definitions and key examples of each Protection Level.
• Information Security Management Program (ISMP) - Thisdocument describes the overall Information Security Management Program for UC Berkeley. 
• Information Security Policy Unit Guide - This guide creates a “one stop shop” of Unit responsibilities at UC Berkeley with respect to the security and protection of Institutional Information and IT Resources. 
• Key Responsibilities Under the Roles and Responsibilities Policy - Everyone plays a vital role in protecting Berkeley Campus data. This guide contains key responsibilities under the Roles and Responsibilities Policy for everyone and links to Faculty, Staff, and Student specific content.
• Minimum Security Standards for Networked Devices (MSSND) How to Secure Devices - Step-by-step instructions below for how to configure your device to meet campus policy.
• Unit-Level Information Security Management Program Template - This template uses the Campus ISMP as a starting point and allows Unit's to supplement the campus-level information with any additional controls or mitigations that are in place at the Unit-level. 

Policies & Standards:

• BFB-IS-3: Electronic Information Security (IS-3) - IS-3 is the University of California’s systemwide information security policy.
• Campus Information Technology Security Policy - Each member of the campus community is responsible for the security and protection of electronic information resources over which they have control. 
• Data and IT Resource Classification Standard - This Standard provides classification information for Institutional Information and IT Resources as well as the foundation for establishing security requirements for each classification level.
• Glossary - Contains definitions of key terms used in UC Berkeley's Information Security Policies. 
• Minimum Security Standards for Electronic Information - These standards define the baseline security requirements and data protection profiles for UC Berkeley campus data and IT Resources. 
• Minimum Security Standards for Networked Devices - These standards define the requirements that all devices connected to the UC Berkeley network need to comply with. 
• Roles and Responsibilities Policy Home Page - This is the campus policy establishing information security-related roles and responsibilities.
• UC Berkeley’s Implementation of IS-3 - A collection of UC Berkeley policies, standards and related documents that constitute UC Berkeley's Implementation of IS-3.

Researcher Resources:

• IS-3 Resources for Researchers - This page highlights changes to Protection Levels on certain data types that may affect researchers.
• How to Classify Research Data - This page provides a guideline for the considerations necessary to determine the data classification protection level for research data.

Security Lead Resources:

• IS-3 Unit Heads and Security Leads - The current list of campus academic and administrative IS-3 Units, Unit Heads, and Security Leads.
• Unit Information Security Lead (UISL) "Job Description" - (Long Version) - A detailed overview of the key tasks and approximate time commitment associated with this role.
• Unit Information Security Lead (UISL) "Job Description" - (Short Version) - A summary of key tasks and approximate time commitment associated with this role. 
• Unit Information Security Lead Resources - User guides, "cheat sheets",  information about annual IS-3 related tasks, and other documentation and resources created by the Information Security Office for Security Leads.
• Unit Self-Assessment and Isora GRC - Information about the IS-3 unit self-assessment survey tool (Isora GRC), roles and responsibilities, and process associated with completing (or updating) IS-3 unit self-assessments per campus compliance requirements. 

FAQs:

• UCOP FAQs page: https://security.ucop.edu/files/documents/policies/is-3-faq.pdf

For questions about UC Berkeley's IS-3 implementation project, contact us at is3@berkeley.edu.

Units interested in detailed information about IS-3 controls; roles and responsibilities; and implementation tools from the UC Systemwide Policy Office can contact ISO at is3@berkeley.edu to request access to the systemwide materials.