DRAFT: The Information Security Office is currently updating the Campus Information Technology Security Policy. The current Policy is available and still in effect during campus review.
University of California, Berkeley
Policy Issued: Original issue date unknown
Effective Date: Original effective date unknown
Revision Date: 2022 TBD
Supersedes: Previous version
Next Review Date: Revision Date + 5 years
- Associate Vice Chancellor for Information Technology and Chief Information Officer, and
- Associate Chancellor, Chief of Staff to the Chancellor, & Chief Ethics, Risk, and Compliance Officer (CERCO)
- Information Security Office
- Campus Privacy Office
Website Address for Draft Policy: https://security.berkeley.edu/policy/campus-information-technology-security-policy-draft
In order to fulfill its mission of teaching, research and public service, the campus is committed to providing a secure yet open network that protects the integrity and confidentiality of information while maintaining its accessibility.
All members of the campus community are responsible for the security and protection of Institutional Information and IT Resources over which they have control. Resources to be protected include networks, computers, software, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise. Activities outsourced to off-campus entities must comply with the same or equivalent security requirements as in-house activities.
This policy applies to all members of the campus community who use or access UC Berkeley Institutional Information or IT Resources.
The purpose of this Policy is to:
- Outline key information security, privacy, and confidentiality elements, laws, and policies that apply to all members of the campus community who use or access UC Berkeley Institutional Information or IT Resources;
- Identify relevant roles and responsibilities;
- Identify activities that are specifically prohibited; and
- Establish that activities outsourced to off-campus entities must comply with the same or equivalent security requirements as in-house activities.
See UC Berkeley’s Information Security Policy Glossary for definitions of Key Terms used in this Policy (capitalized and italicized).
A. Roles and Responsibilities
A fundamental principle of information security at UC Berkeley is that all individuals in the university community have a responsibility for the security and protection of university Institutional Information and IT Resources over which they have control, according to their role(s).
Roles and responsibilities for the protection of university Institutional Information and IT Resources are described in the Campus Roles and Responsibilities Policy.
B. Key Security Elements
All devices connected to the UC Berkeley network, regardless of ownership, must comply with the Minimum Security Standards for Networked Devices (MSSND). Devices that store, process, or access Institutional Information hosted at any location must also comply with the MSSND.
Devices that host Protected Data as defined in the Campus Information Security Policy Glossary are required to conform to the Minimum Security Standards for Electronic Information (MSSEI).
C. Key Privacy and Confidentiality Elements
Applications must be designed and computers must be used so as to protect the privacy and confidentiality of the various types of electronic data they process, in accordance with applicable laws and policies.
Users who are authorized to obtain data must ensure that it is protected to the extent required by law or policy after they obtain it. For example, when Protected Data is transferred from a well-secured enterprise system to a User's location, adequate security measures must be in place at the destination computer to protect this "downstream data".
Users should also adhere to the UC Statement of Privacy Values and UC Policy BFB-RMP-7 Protection of Administrative Records Containing Personally Identifiable Information when accessing or sharing Protected Data. Protected data should never be sold or used for commercial purposes. Further, notice should be provided to data subjects when their protected data is used or disclosed for a secondary purpose that differs in nature from the original use case for which the data was collected, and consent obtained when required by law or policy.
Technical staff assigned to ensure the proper functioning and security of University electronic information resources and services are not permitted to search the contents of electronic communications or related transactional information except as provided for in the University of California (UC) Electronic Communications Policy. For example, any scanning of network traffic to detect intrusive activities must follow established campus guidelines or organizational procedures to ensure compliance with laws and policies protecting the privacy of the information.
D. Compliance with Law and Policy
Campus Units should establish security guidelines, standards, or procedures that refine the provisions of this Policy for specific activities under their purview, in conformance with this Policy and other applicable policies and laws.
Policies that apply to all campus Institutional Information and IT Resources include, but are not limited to, the UC Electronic Communications Policy and the Campus Computer Use Policy, Minimum Security Standards for Networked Devices (MSSND), Minimum Security Standards for Electronic Information (MSSEI), BFB-RMP-7 Protection of Administrative Records Containing Personally Identifiable Information, and the Policy on Privacy and Online Monitoring. Institutional Information and IT Resources used in support of university business administration must be protected according to the provisions of UC Business and Finance Bulletin IS-3, Electronic Information Security (IS-3). Federal and state laws prohibit theft or abuse of computers and other electronic resources.
The following activities are specifically prohibited under this Policy:
- Interfering with, tampering with, or disrupting IT Resources;
- Intentionally transmitting any computer viruses, worms, or other malicious software;
- Attempting to access, accessing, or exploiting resources you are not authorized to access;
- Knowingly enabling inappropriate levels of access or exploitation of resources by others;
- Downloading or uploading sensitive or confidential electronic information/data to computers that are not adequately configured to protect it from unauthorized access;
- Disclosing any electronic information/data you do not have a right to disclose;
- Selling any UC Berkeley protected data.
In addition to any possible legal sanctions, violators of this Policy may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to UC and UC Berkeley policies, collective bargaining agreements, codes of conduct, or other instrument governing the individual’s relationship with the University. Recourse to such actions shall be as provided for under the provisions of those instruments.
Insufficient security measures may result in devices being blocked from network access. The campus "Procedures for Blocking Network Access" specify how the decision to block is made and the procedures involved.
- UC Business and Finance Bulletin (BFB) IS-3, Electronic Information Security (IS-3)
- BFB-RMP-7 Protection of Administrative Records Containing Personally Identifiable Information (RMP-7)
- Electronic Communications Policy (UC ECP)
- UC Statement of Privacy Values
- Computer Use Policy
- Information Security Policy Glossary
- Minimum Security Standards for Electronic Information (MSSEI)
- Minimum Security Standards for Networked Devices (MSSND)
- Online Monitoring Policies and Resources
- Procedures for Blocking Network Access
- Roles and Responsibilities Policy
Questions about this Policy or other campus electronic information resource policies may be directed to the IT Policy Manager: "email@example.com".
Report information security incidents to: "firstname.lastname@example.org".
For reports about general computer use violations see "Report a Security Incident".
For questions regarding UC Berkeley’s Privacy policies or practices, contact the Privacy Office: “email@example.com”.