Highlighting Changes to the Campus Information Technology Security Policy

July 18, 2022

Overview

The Information Security Office recently proposed updates to the Campus Information Technology Security Policy, and the Draft of those changes is currently under Campus review. The Policy outlines key information security, privacy, and confidentiality elements, laws, and policies that apply to all members of the campus community who use or access UC Berkeley Institutional Information or IT Resources. Additionally, the Policy identifies relevant roles and responsibilities, identifies activities that are specifically prohibited, and establishes that activities outsourced to off-campus entities must comply with the same or equivalent security requirements as in-house activities.

Summary

The table below lists the sections of the Policy on the left and summarizes the updates made to each section on the right. Additional resources are linked as needed. We wanted to display these key updates clearly and concisely so that users can quickly see the changes that were made.

If you have any questions about the new Draft or any of the changes made, email us at itpolicy@berkeley.edu.


Section

Summary of Changes

Ownership

New section (everything before the Intro) to align with the campus policy template and identify policy ownership.

I. Introduction

No change

II. Policy Statement

Updated terminology; Clarified that activities outsourced to off-campus entities must comply with the same or equivalent security requirements as in-house activities (“or equivalent” was added).

III. Scope

New section to align with campus policy template. Scope is implied in the old version, but not explicitly stated.

IV. Purpose

New section to align with campus policy template. Purpose is implied in the old version, but not explicitly stated.

V. Key Definitions and Glossary

New section to align with campus policy template. Refers to UC Berkeley’s Information Security Policy Glossary for definitions of Key Terms used in this Policy (capitalized and italicized).

VI. Policy Details

A. Roles and Responsibilities:

Major modification of this sub-section: removed itemized roles and responsibilities and instead pointed to the new Information Security Roles and Responsibilities Policy.


B. Key Security Elements:

Removed portions describing a few specific logical and physical security requirements, and pointed instead to MSSND and MSSEI for security requirements. 


C. Key Privacy and Confidentiality Elements:

  • Added references to UC Statement of Privacy Values and UC BFB-RMP-7, which both apply when accessing or sharing Protected Data. 

  • Added explicit prohibition against selling Protected Data or using it for commercial purposes. 

  • Added requirement about providing notice and/or obtaining consent as required by law or policy before using or disclosing someone’s Protected Data for a purpose other than that for which the data was collected. 

  • Updated terminology and links.


D. Compliance with Law and Policy:

Added specific prohibition against selling any UC Berkeley protected data. Also updated list of policy references.

VII. Consequences of Policy Violations

New section to align with campus policy template. No new content, just moved info from other sections and shortened/simplified.

VIII. Related Documents and Policies

New section to align with campus policy template. Compilation of all links in this Policy.

IX. Contact Information

Renamed section (used to be “Resources”) and updated everyone’s contact info.