Campus Information Technology Security Policy

Responsible Executive: 

Associate Vice Chancellor for Information Technology and Chief Information Officer

Responsible Office:

Information Security Office



In order to fulfill its mission of teaching, research, and public service, the campus is committed to providing a secure yet open network that protects the integrity and confidentiality of information while maintaining its accessibility.


Each member of the campus community is responsible for the security and protection of electronic information resources over which they have control. Resources to be protected include networks, computers, software, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise. Activities outsourced to off-campus entities must comply with the same or equivalent security requirements as in-house activities.

Roles and Responsibilities

Responsibilities range in scope from security controls administration for a large system to the protection of one's own access password. A particular individual often has more than one role.

Roles and responsibilities for the protection of university Institutional Information and IT Resources are described in the Campus Roles and Responsibilities Policy.

Insufficient security measures at any level may cause resources to be damaged, stolen, or become a liability to the Campus. Therefore, responsive actions may be taken. For example, if a situation is deemed serious enough, computer(s) posing a threat will be blocked from network access. (The campus "Procedures for Blocking Network Access" specify how the decision to block is made and the procedures involved.)

Key Security Elements

Logical Security:

Computers must have the most recently available and appropriate software security patches, commensurate with the identified level of acceptable risk. For example, installations that allow unrestricted access to resources must be configured with extra care to minimize security risks.

Adequate authentication and authorization functions must be provided, commensurate with appropriate use and the acceptable level of risk.

Attention must be given not only to large systems but also to smaller computers which, if compromised, could constitute a threat to campus or off-campus resources, including computers maintained for a small group or for an individual's own use.

Physical Security:

Appropriate controls must be employed to protect physical access to resources, commensurate with the identified level of acceptable risk. These may range in scope and complexity from extensive security installations to protect a room or facility where server machines are located, to simple measures taken to protect a User's display screen.

Privacy and Confidentiality

Applications must be designed and computers must be used so as to protect the privacy and confidentiality of the various types of electronic data they process, in accordance with applicable laws and policies.

Users who are authorized to obtain data must ensure that it is protected to the extent required by law or policy after they obtain it. For example, when Protected Data is transferred from a well-secured enterprise system to a User's location, adequate security measures must be in place at the destination computer to protect this "downstream data".

Technical staff assigned to ensure the proper functioning and security of University electronic information resources and services are not permitted to search the contents of electronic communications or related transactional information except as provided for in the University of California (UC) Electronic Communications Policy. For example, any scanning of network traffic to detect intrusive activities must follow established campus guidelines or organizational procedures to ensure compliance with laws and policies protecting the privacy of the information.

Compliance with Law and Policy

Campus departments, units, or groups should establish security guidelines, standards, or procedures that refine the provisions of this Policy for specific activities under their purview, in conformance with this Policy and other applicable policies and laws.

Policies that apply to all campus electronic information resource security include, but are not limited to, the UC Electronic Communications Policy and the Campus Computer Use Policy. Electronic information resources used in support of university business administration must comply with the provisions of UC Business and Finance Bulletin IS-3, Electronic Information Security (IS-3). Federal and state laws prohibit theft or abuse of computers and other electronic resources.

The following activities are specifically prohibited under this Policy:

  • interfering with, tampering with, or disrupting IT Resources;
  • intentionally transmitting any computer viruses, worms, or other malicious software;
  • attempting to access, accessing, or exploiting resources you are not authorized to access;
  • knowingly enabling inappropriate levels of access or exploitation of resources by others;
  • downloading sensitive or confidential electronic information/data to computers that are not adequately configured to protect it from unauthorized access;
  • disclosing any electronic information/data you do not have a right to disclose.

In addition to any possible legal sanctions, violators of this Policy may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to Berkeley Campus policies, collective bargaining agreements, codes of conduct, or other instrument governing the individual’s relationship with the University. Recourse to such actions shall be as provided for under the provisions of those instruments.



Questions about this Policy or other campus electronic information resource policies may be directed to the IT Policy Manager:

Questions about information security requirements may be directed to the campus Information Security Office (ISO):

Questions about UC Berkeley’s Privacy policies or practices may be directed to the campus Privacy Office:

Report information security incidents to:

For reports about general computer use violations, see Report a Security Incident.

Change Log:

Administrative update 9/26/2022:

  • Replaced obsolete Roles and Responsibilities with a pointer to the new Information Security Roles and Responsibilities Policy

  • Clarified that off-campus entities must comply with the same or equivalent security requirements as in-house activities (not just the same requirements). 

  • Updated obsolete terminology

  • Fixed links

  • Added contact information for the Campus Privacy Office

  • Added policy ownership and contact information