UC Berkeley’s Implementation of IS-3

Overview

UC BFB IS-3, Electronic Information Security, is UC’s systemwide electronic information security policy. 

UCB affirms the policy goals of IS-3:

1. Preserve academic freedom and research collaboration
2. Protect privacy
3. Follow a risk-based approach
4. Maintain confidentiality
5. Protect integrity
6. Ensure availability

The following UC Berkeley policies, standards, and related documents constitute UC Berkeley’s implementation of IS-3: 

• Roles and Responsibilities Policy
• Data and IT Resource Classification Standard
• Minimum Security Standards for Networked Devices (MSSND) 
• Minimum Security Standards for Electronic Information (MSSEI)  
• Information Security Policy Exception Process
• Campus Information Security Management Program (ISMP) (authentication required)
• Campus Information Security Incident Response Plan (IRP) (authentication required)
• ISO-Managed Registration Portal (Socreg) for registering P3, P4, and A4 IT assets
• Information Security Policy Guide for Units 

Information Security Management Program (ISMP)

UC Berkeley has a documented campus-level Information Security Management Program (ISMP).

The ISMP includes:

• Campus Information Security Program Elements mapped to the NIST CSF Framework
• An overview of Information Security Risk Governance at UC Berkeley
• Information security risk decision authority and escalation
• Requirements for ISMP review and acceptance

Risk Treatment Plan Approach

UC Berkeley uses a Risk Treatment Plan approach for managing information security risk, as described in Section III and IX of the MSSEI. The MSSEI constitutes UC Berkeley’s Risk Treatment Plan.

Additional Campus Resources Related to IS-3 Implementation

• Cyber Risk Management Program
• Unit Heads and Security Leads Resource Page
• Faculty Guide to the Roles and Responsibilities Policy
• IS-3 Resources for Researchers
• UC Berkeley IS-3 Implementation Website
• Unit Information Security Metrics Dashboards (Socreg -- campus VPN required)