Campus Information Technology Security Policy - Draft

DRAFT: The Information Security Office is currently updating the Campus Information Technology Security Policy. The current Policy is available and still in effect during campus review.

University of California, Berkeley

Policy Issued: Original issue date unknown

Effective Date: Original effective date unknown

Revision Date: 2022 TBD

Supersedes: Previous version

Next Review Date: Revision Date + 5 years



Responsible Executive:

  • Associate Vice Chancellor for Information Technology and Chief Information Officer, and
  • Associate Chancellor, Chief of Staff to the Chancellor, & Chief Ethics, Risk, and Compliance Officer (CERCO)


Responsible Offices:

  • Information Security Office
  • Campus Privacy Office

Contacts:


Website Address for Draft Policy: https://security.berkeley.edu/policy/campus-information-technology-security-policy-draft 


I. Introduction

In order to fulfill its mission of teaching, research and public service, the campus is committed to providing a secure yet open network that protects the integrity and confidentiality of information while maintaining its accessibility.

II. Policy Statement

All members of the campus community are responsible for the security and protection of Institutional Information and IT Resources over which they have control. Resources to be protected include networks, computers, software, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise. Activities outsourced to off-campus entities must comply with the same or equivalent security requirements as in-house activities.

III. Scope

This policy applies to all members of the campus community who use or access UC Berkeley Institutional Information or IT Resources.

IV. Purpose

The purpose of this Policy is to:

  • Outline key information security, privacy, and confidentiality elements, laws, and policies that apply to all members of the campus community who use or access UC Berkeley Institutional Information or IT Resources;

  • Identify relevant roles and responsibilities;

  • Identify activities that are specifically prohibited; and 

  • Establish that activities outsourced to off-campus entities must comply with the same or equivalent security requirements as in-house activities.

V. Key Definitions and Glossary

See UC Berkeley’s Information Security Policy Glossary for definitions of Key Terms used in this Policy (capitalized and italicized).

VI. Policy Details

A. Roles and Responsibilities

A fundamental principle of information security at UC Berkeley is that all individuals in the university community have a responsibility for the security and protection of university Institutional Information and IT Resources over which they have control, according to their role(s).

Roles and responsibilities for the protection of university Institutional Information and IT Resources are described in the Campus Roles and Responsibilities Policy.

B. Key Security Elements

All devices connected to the UC Berkeley network, regardless of ownership, must comply with the Minimum Security Standards for Networked Devices (MSSND). Devices that store, process, or access Institutional Information hosted at any location must also comply with the MSSND.

Devices that host Protected Data as defined in the Campus Information Security Policy Glossary are required to conform to the Minimum Security Standards for Electronic Information (MSSEI).

C. Key Privacy and Confidentiality Elements

Applications must be designed and computers must be used so as to protect the privacy and confidentiality of the various types of electronic data they process, in accordance with applicable laws and policies.

Users who are authorized to obtain data must ensure that it is protected to the extent required by law or policy after they obtain it. For example, when Protected Data is transferred from a well-secured enterprise system to a User's location, adequate security measures must be in place at the destination computer to protect this "downstream data".

Users should also adhere to the UC Statement of Privacy Values and UC Policy BFB-RMP-7 Protection of Administrative Records Containing Personally Identifiable Information when accessing or sharing Protected Data. Protected Data should never be sold or used for commercial purposes. Further, notice should be provided to data subjects when their Protected Data is used or disclosed for a secondary purpose that differs in nature from the original use case for which the data was collected, and consent obtained when required by law or policy.

Technical staff assigned to ensure the proper functioning and security of University electronic information resources and services are not permitted to search the contents of electronic communications or related transactional information except as provided for in the University of California (UC) Electronic Communications Policy. For example, any scanning of network traffic to detect intrusive activities must follow established campus guidelines or organizational procedures to ensure compliance with laws and policies protecting the privacy of the information.

D. Compliance with Law and Policy

Campus Units should establish security guidelines, standards, or procedures that refine the provisions of this Policy for specific activities under their purview, in conformance with this Policy and other applicable policies and laws.

Policies that apply to all campus Institutional Information and IT Resources include, but are not limited to, the UC Electronic Communications Policy, the Campus Computer Use Policy, the Minimum Security Standards for Networked Devices (MSSND), the Minimum Security Standards for Electronic Information (MSSEI), BFB-RMP-7 Protection of Administrative Records Containing Personally Identifiable Information, and the Policy on Privacy and Online Monitoring. Institutional Information and IT Resources used in support of university business administration must be protected according to the provisions of UC Business and Finance Bulletin IS-3, Electronic Information Security (IS-3). In addition, Federal and state laws prohibit theft or abuse of computers and other electronic resources.

The following activities are specifically prohibited under this Policy:

  • Interfering with, tampering with, or disrupting IT Resources;
  • Intentionally transmitting any computer viruses, worms, or other malicious software;
  • Attempting to access, accessing, or exploiting resources you are not authorized to access;
  • Knowingly enabling inappropriate levels of access or exploitation of resources by others;
  • Downloading or uploading sensitive or confidential electronic information/data to computers that are not adequately configured to protect it from unauthorized access;
  • Disclosing any electronic information/data you do not have a right to disclose; and
  • Selling any UC Berkeley Protected Data.

VII. Consequences of Policy Violations

In addition to any possible legal sanctions, violators of this Policy may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to UC and UC Berkeley policies, collective bargaining agreements, codes of conduct, or other instrument governing the individual’s relationship with the University. Recourse to such actions shall be as provided for under the provisions of those instruments.

Insufficient security measures may result in devices being blocked from network access. The campus "Procedures for Blocking Network Access" specify how the decision to block is made and the procedures involved.

VIII. Related Documents and Policies

UC Systemwide

UC Berkeley

IX. Contact Information

Questions about this Policy or other campus electronic information resource policies may be directed to the IT Policy Manager: "itpolicy@berkeley.edu".

Questions about information security requirements may be directed to the campus Information Security Office (ISO): "security@berkeley.edu" (https://security.berkeley.edu).

Report information security incidents to: "security@berkeley.edu".

For reports about general computer use violations see "Report a Security Incident".

For questions regarding UC Berkeley’s Privacy policies or practices, contact the Privacy Office: “privacyoffice@berkeley.edu”.