Unit Information Security Lead (UISL) Job Description - Long

Overview: 

A Unit Information Security Lead (UISL) is a Workforce Member* appointed by the Unit Head and assigned responsibility for ensuring tactical execution of information security activities. These activities are performed in consultation with the Unit Head.

UISLs don’t need to be technical (though they can be). They are responsible for making sure that the security activities under their area of responsibility occur, not necessarily for doing the technical work. For IT Client Services (ITCS)-supported Units, the UISL can work with ITCS on areas requiring technical support. This means that some UISLs will primarily have a coordination role, while UISLs with more technical skills may be directly involved in implementation.

Skills & Knowledge for This Role

  • A good understanding of your Unit’s policies, procedures, and IT tools (i.e., working knowledge of the services used), or the ability to gather this information.
  • A direct working relationship with your Unit Head.
  • Good communication, collaboration, and coordination/project management skills.
  • General understanding of campus information security policies.
  • Some IT background, or a close partnership with ITCS or other IT partners to work on more technical items.

Responsibilities

The UISL doesn’t need to be a technical person (though they can be). The role is responsible for ensuring that the following occur, not necessarily for performing the implementation; some of the tasks are primarily a matter of coordination. For IT Client Services-supported Units, the UISL is expected to work in partnership with the ITCS zone contact for areas requiring technical support.

  • Acting as the Unit’s primary contact for information security, in consultation with the Unit Head;
  • Being the liaison between the Unit and UC Berkeley Information Security Office (ISO);
  • Ensuring Institutional Information and IT Resources that the Unit uses and is responsible for are identified and inventoried. This includes identifying Protection Level and Availability Level classification, and ensuring that an IT Resource Proprietor is identified for systems that the Unit procures or installs;
  • Ensuring implementation of security controls for the Unit, including devising procedures for the proper handling, storage, and disposal of electronic media within the Unit, in accordance with applicable policies, laws, regulations, and contractual agreements;
    • This includes working with Procurement to ensure that Supplier agreements include required data security contract language.
  • Ensuring Unit risk assessments and risk treatment plans, such as MSSEI Self Assessment Plans, are reviewed and updated;
  • Ensuring that access rights within the Unit are reviewed and maintained, including managing privileged access;
  • Promptly reporting security-related incidents and violations to the Unit Head, ISO, and applicable governing entities;
  • Ensuring prompt response to security incident reports and notices from the ISO, and ensuring that appropriate personnel take action in response to each one;
  • Membership in and active monitoring of the UCB-Security mailing list;
  • Active membership in the ISO Security Workgroup (ISWorkgroup).
  • NOTE: Units that are also Service Providers must also meet all Service Provider responsibilities for their services. These are separate from UISL responsibilities, but in some cases there may be overlap.

Time Estimate

As stated above, UISLs are responsible for ensuring that the activities under their area of responsibility occur, not necessarily for performing the implementation. For IT Client Services-supported Units, the UISL is expected to work in partnership with the ITCS zone contact for areas requiring technical support. This means that some UISLs will primarily have a coordination role, while UISLs on the technical side will likely be directly involved in implementation. Where a UISL falls on this spectrum will affect the workload associated with the role. If the time required exceeds the expected ranges below, please contact the Information Security Office for review.

Time Estimates: 

Initial Tasks: 20 hours (2-3 days):

  • May take longer for large, complex Units; Units that are also IT Service Providers; Units with significant compliance obligations (HIPAA, PCI, Federal regulatory requirements); and Units with significant P4 or A4 assets.
  • May take less time for small Units without the factors listed above, and for ITCS-supported Units.

Ongoing Tasks: 5-10% FTE*

  • Pilot Units indicated that the workload will likely come in spurts rather than being constant throughout the year.
  • Initial tasks are repeated annually. This should be factored into the anticipated time commitment.

* Does not include security-related work already being done by the unit.

Initial Tasks

  • Review your Unit's information security metrics through Socreg. (User Guide)
  • Review your Unit’s assets, registrations, and Security Contacts through Socreg. (User Guide)
  • Confirm with your Security Contacts that they have reviewed and confirmed (in Socreg) the Protection Levels of their Protected Data Applications and Services in the last year.
  • Complete a high-level IS-3 Unit self-assessment using the ISORA User Guide.

Ongoing Tasks

  • Annual review and update of the high-level IS-3 Unit Assessment
  • Annual review of Socreg assets and Security Contacts
  • Ongoing liaison role with Unit Head and ISO
  • Development and annual review of a Unit security plan (NOTE: UC Berkeley’s Unit-Level Information Security Management Program Template can be used to meet this requirement.)
  • Ensure Unit compliance with MSSND, MSSEI, and UC Minimum Security Standards. (NOTE: a current MSSEI Self Assessment Plan (SAP) is required for P4 assets and services.)
  • Ensure processes/procedures are in place to review Unit-managed access rights at least annually and remove access that is no longer needed (including privileged and administrator-level access)
  • Work with Procurement to ensure that agreements with external Suppliers include the necessary data security contract language
  • Work with your Unit’s HR resources to ensure that consistent HR processes and procedures are in place for managing information security (See Sec O. HR Responsibilities)
  • Report potential security incidents and ensure security notices from ISO are addressed
  • Maintain active membership in UCB-Security mailing list and ISWorkgroup.

UISL Resources

*The number of UISLs in a Unit is established by the Unit Head. A single person could oversee the responsibilities for an entire Unit, or different UISLs could be assigned to different functional areas. This will largely be determined by the size and structure of the Unit and the Unit Head’s reporting preferences. Smaller Units may also be able to share one UISL.