UC Business and Finance Bulletin IS-3 is the University of California’s systemwide information security policy. A major update to IS-3 was finalized in September 2018 and the new IS-3 changes the way information security risk is handled within the university. For more information visit our IS-3 Implementation Project page
The following resources provide additional information on the IS-3 policy. We will continue to post more information and supporting documents as they become available.
Documents, Templates, & Guides:
- Campus Incident Response Plan - This plandescribes the overall plan for responding to Information Security Incidents at UC Berkeley and must be followed accordingly.
- Classification of Availability Levels webpage - This page includes summary definitions and key examples of each Availability level.
- Data Classification and Protection Levels webpage - This page includes summary definitions and key examples of each Data Protection level.
- Information Security Management Program (ISMP) - Thisdocument describes the overall Information Security Management Program for UC Berkeley.
- Information Security Policy Unit Guide - This guide creates a “one stop shop” of Unit responsibilities at UC Berkeley with respect to the security and protection of Institutional Information and IT Resources.
- Key Responsibilities Under the Roles and Responsibilities Policy - Everyone plays a vital role in protecting Berkeley Campus data. This guide contains key responsibilities under the Roles and Responsibilities Policy for everyone and links to Faculty, Staff, and Student specific content.
- Minimum Security Standards for Networked Devices (MSSND) How to Secure Devices - Step-by-step instructions below for how to configure your device to meet campus policy.
- Unit-Level Information Security Management Program - This document is inclusive of the Campus ISMP and allows Unit's to supplement the Program with any additional controls or mitigations that are in place at the Unit-level.
Policies & Standards:
- BFB-IS-3: Electronic Information Security (IS-3) - IS-3 is the University of California’s systemwide information security policy.
- Campus Information Technology Security Policy - Each member of the campus community is responsible for the security and protection of electronic information resources over which they have control.
- Data Classification Standard - This Standard provides the foundation for establishing security requirements for each classification of data.
- Glossary - Contains definitions of key terms used in UC Berkeley's Information Security Policies.
- Minimum Security Standards for Electronic Information - These standards define the baseline data protection profiles for UC Berkeley campus data.
- Minimum Security Standards for Networked Devices Draft - These standards define the requirements that all devices connected to the UC Berkeley network need to comply with.
- Roles and Responsibilities Policy Home Page - This page outlines the Policy on information security-related roles and responsibilities.
- UC Berkeley’s Implementation of IS-3 - A collection of UC Berkeley policies, standards and related documents that constitute UC Berkeley's Implementation of IS-3.
- The Information Security Office "roadshow" slide deck addressing implementation plan (login required)
- Roles and Responsibilities Policy - Highlights
- IS-3 Resources for Researchers - This page highlights changes to Protection Levels on certain data types that may affect researchers.
- How to Classify Research Data - This page provides a guideline for the considerations necessary to determine the data classification protection level for research data.
Security Lead Resources:
- Unit Heads and Security Leads - A list of currently onboarded Units, Unit Heads, and Security Leads.
- Unit Information Security Lead (UISL) Job Description - (Long Version) - A detailed overview of the key tasks and time commitment associated with this role.
- Unit Information Security Lead (UISL) Job Description - (Short Version) - A summary of key tasks and time commitment associated with this role.
- Unit Information Security Lead Resources - All documentation and assets created by the Information Security Office for Security Lead's.
- Unit Self-Assessment and Isora GRC - Isora GRC is an information security risk assessment application (e.g., a survey tool) that ISO is using to facilitate assessment of campus-wide compliance with IS-3.
- UCOP FAQs page: https://security.ucop.edu/files/documents/policies/is-3-faq.pdf
For questions about UC Berkeley's IS-3 implementation project, contact us at firstname.lastname@example.org.
Units interested in detailed information about IS-3 controls; roles and responsibilities; and implementation tools from the UC Systemwide Policy Office can contact ISO at email@example.com to request access to the systemwide materials.