Information Security Investment Program

Safeguard UC Berkeley: Protect Data, Preserve Excellence

UC Berkeley’s reputation for excellence in research and academic integrity depends on the reliability and security of our data. By committing to cybersecurity best practices, each of us helps to protect groundbreaking research, preserve student privacy, and maintain the integrity and availability of our academic and administrative services. Our cybersecurity program enables UC Berkeley to continue innovating while complying with UC System-mandated safeguards. 

To better protect UC information and systems from growing cyber threats, the UC President has called on all UC campuses to comply with new security requirements and introduced consequences if they are not met by May 28, 2025. 

Benefits to Campus

UC Berkeley is dedicated to strengthening cybersecurity methods to protect our data and research. Through the Information Security Investment Program, we are focused on protecting research integrity and funding opportunities, enable seamless teaching and learning experiences, and to uphold our institutional mission and reputation. 

The combined benefits of these efforts will include increased protection of our vital information and systems, a strengthened cybersecurity posture, and a mitigated cybersecurity risk profile. 

Goals of the Program

Our program includes mandatory cybersecurity awareness training for all employees, swift incident response aligned with UC standards, and installation and management of security software on university-owned computers. We are also strengthening our multi-factor authentication (MFA) protocols and ensuring all health email systems have a Data Loss Prevention solution.

Technology Scope

Technology IN SCOPE Technology OUT OF SCOPE
  • University-owned laptops, desktops, & servers
  • Includes Administration, Instruction, Research
  • MacOS, Windows, some Unix operating systems
  • Personally-owned computers & servers
  • Mobile devices (phones, tablets, e-readers, etc)
  • IoT devices (cameras, sensors, etc)
  • Chrome OS
  • Computers with approved exceptions 

Program Timeline

Improving our overall cybersecurity posture involves coordinating our projects, carefully considering project dependencies, and sequencing rollout to minimize disruption to the campus community. 

Timeline of ISIP rollout in graphic form (details listed below in text)

Detailed Milestones & Timeline

Important dates and major milestones for this program. All dates are estimated, and information may shift as our program advances.

Berkeley Security Software

UC Berkeley has identified two industry-standard security tools to deploy to university-owned computers. Our Berkeley Security Software identifies assets, manages vulnerabilities, and provides more robust security services using Endpoint Detection and Response (EDR) software.

Milestones:
Month Activity
November

Develop self-service installers so users can download the software on university-owned machines
December

Run Pilot with select Units to identify and fix potential problems before rolling out to larger campus
January

Incorporate feedback from Pilot

Phased Campus Rollout - Unit Engagement Schedule (CalNet Authentication Needed) 

Deploy EDR for non-centrally-managed servers
May

Reporting on unit compliance

Development of enforcement mechanisms

Cybersecurity Awareness Training

UC Berkeley’s mandatory Annual Cybersecurity Awareness Training equips faculty, staff, and student workers with critical skills to combat threats like phishing and stolen credentials. Delivered online, this refresher provides important cybersecurity updates and reminders, ensures compliance, and promotes a secure environment for institutional data.

Milestones:
Month Activity
October

Draft Project Charter

Identify populations and current compliance rate

Communications plan and awareness campaigns
November

Engagement with People & Culture to clean up appointment data.
January

Develop tools for ongoing compliance enforcement
May Reporting on training completion by staff, faculty and student workers to Supervisors and People & Culture.

Data Loss Prevention for Health Email Systems

Data Loss Prevention (DLP) software is essential for UC Berkeley health email systems to safeguard sensitive patient information, ensure regulatory compliance, prevent costly data breaches, and maintain the integrity and trustworthiness of services. It helps monitor, detect, and block unauthorized access to or transmitting confidential data through emails.

  • Project Complete

Multi-factor Authentication (MFA) Security Improvements

To reduce attempts to bypass two-step protections through “push fatigue” and “push harassment” attacks, we are strengthening the methods for CalNet MFA verification and widening the scope of users required to use MFA to access Berkeley services.

Alumni Digital Experience

We successfully deployed, enabled, and configured multifactor authentication (MFA) to all Alumni Accounts. Berkeley now has 100 percent of campus and health email systems in conformance with established UC MFA configuration standards. 

  • Project Complete

MFA Security - Risk-based Authentication  

Several higher education institutions have experienced phishing attacks, which resulted in the theft of credentials and redirection of paycheck deposits. Berkeley is committed to keeping our community safe from such attacks. Therefore, we are strengthening our multi-factor authentication (MFA) protections and using a risk-based approach for CalNet MFA verification. Visit our New MFA Security Enhancements page for more details.

  • Project Complete

Install Berkeley Security Software

Employees: Install on university-owned machines

Resources:

President Drake's letter

(CalNet login required.)

Berkeley's Security Investment Plan

(CalNet login required.)
Team Members & Roles

Primary contact

Faye Snowden, Program Manager

Mira Roseman, Alumni Digital Experience Project Manager

Luqi Jia, Data Loss Prevention for Health Email Systems Project Manager

Yoshita Mukherjee, Cybersecurity Awareness Training and Berkeley Security Software Project Manager

Casey Hennig, Organizational Change Management and Communications Lead

Program Sponsors

Tracy Shinn, Associate Vice Chancellor for Information Technology & Chief Information Officer

Allison Henry, Chief Information Security Officer

Anthony Joseph, Chancellor's Professor in Electrical Engineering and Computer Science, and Cyber-risk Responsible Executive

Sharon Inkelas, Deputy Compliance Officer