University of California, Berkeley
Policy Issued: [TBA]
Effective Date: [TBA + 1 year]
Supersedes: N/A - New policy
Next Review Date: [TBA + 5 years]
Roles and Responsibilities for the Protection of University Institutional Information and IT Resources (Roles and Responsibilities Policy) - DRAFT
Responsible Executive: Associate Vice Chancellor for Information Technology and Chief Information Officer
Responsible Office: Information Security Office
Website Address for Draft Policy: https://security.berkeley.edu/roles-and-responsibilities-policy
A fundamental principle of information security at UC Berkeley is that all individuals in the university community have a responsibility for the security and protection of university Institutional Information and IT Resources over which they have control, according to their role(s). This policy establishes these roles and responsibilities.
This Policy applies to all individuals who use or access UC Berkeley Institutional Information or IT Resources
The purpose of this Policy is to identify, define, and clarify roles and responsibilities at UC Berkeley with respect to the security and protection of Institutional Information and IT Resources
Unit: In the context of information security, a Unit is a Campus academic or administrative entity led by a Campus appointed Unit Head with budgetary authority and resources of a level sufficient to accept and manage the organization’s information security risk. Units are the point of accountability and responsibility for Institutional Information and IT Resources. At UC Berkeley, the organizational level of a Unit in this context is Dean, VC, or AVC. Delegation is allowed if the delegation is explicit and includes budget and resources necessary to accept and manage information security risk at the delegated level, including covering an adverse information security event such as a data breach or system compromise.
Role titles listed in Section V are linked directly to their definitions in UC Berkeley’s Information Security Policy Glossary
Definitions of other Key Terms (capitalized and italicized) used in this Policy are also included in UC Berkeley’s Information Security Policy Glossary.
Key roles and responsibilities for the protection of university Institutional Information and IT Resources are listed below. Responsibilities range in scope from the protection of one's own password to security controls administration for a large system or an entire Unit
The two primary roles, User and Workforce Member, are described in section A, below. A particular Workforce Member may also have one or more additional roles based on the nature of their relationship with the university. These additional roles are listed in alphabetical order in Section B.
Specific responsibilities under UC’s Electronic Information Security Policy, Business and Finance Bulletin IS-3 (BFB IS-3), for many of the roles listed below are available in Section IV of that Policy: https://policy.ucop.edu/doc/7000543/BFB-IS-3
Everyone who uses or accesses campus electronic information resources is a User. Some Users are also Workforce Members. These primary roles and their responsibilities are described in this section.
Anyone — students, Workforce Members (see below), affiliates, guests, members of the public, and anyone else -- who uses or accesses Campus electronic information resources, including connecting to the Campus network or Campus services, is considered a “User” of these resources. All Users have certain basic responsibilities for the protection of these resources:
- Ensuring that all devices connected to the UC Berkeley network comply with the Minimum Security Standard for Networked Devices (MSSND);
- Engaging in appropriate use of university electronic information resources under UC and UC Berkeley policies and the law;
- Becoming knowledgeable about and following relevant security requirements and guidelines;
- Protecting the resources under their control, such as passwords, computers, and data that they create, receive, or download;
- Promptly reporting security-related incidents and violations, and responding to official reports of security incidents involving their systems or accounts.
Also see UC Berkeley’s Email Service Policy for specific responsibilities associated with that service.
Individuals working for the university in any capacity, whether paid or unpaid, including student employees, volunteers, contingent workers, and those to whom other roles in Section B of this Policy apply, are considered “Workforce Members” and have the following additional responsibilities:
- Following minimum information security standards (see MSSND, MSSEI, and UC’s Minimum Security Standards). This applies to all devices that connect to the Campus network, Campus services, or Institutional Information;
- Knowing and understanding the Protection Level and Availability Level of Institutional Information and IT Resources that they access, and adhering to the appropriate security controls;
- Complying with information security obligations stated in UC policy, laws, governmental regulations, contracts, external obligations, and grants;
- Appropriate use of Institutional Information and IT Resources; this includes:
- Only using Institutional Information and IT Resources for the purposes for which access was granted;
- Not attempting to gain unauthorized access, disrupt operations, gain access to confidential information security strategies, or inappropriately alter Institutional Information;
- Only using Suppliers that have been approved for use of Institutional Information.
- Additional examples of appropriate and inappropriate use are included in UC Berkeley’s Acceptable Use Policies.
- Completing all required security-related training;
- Promptly reporting security-related incidents, violations, and inappropriate use of Institutional Information or IT Resources, according to Unit and Campus procedures. This includes reporting to their manager any gaps in, or failure of, information security controls in the assigned area of responsibility;
- Promptly returning all UC property, IT Resources, physical access keys/cards, Institutional Information (and copies), token encryption keys, and UC-licensed software and tools upon separation or change of employment.
Additional details are available in Section III, Subsection 7 of UC’s Electronic Information Security Policy at https://policy.ucop.edu/doc/7000543/BFB-IS-3, and at https://security.ucop.edu/policies/quick-start-guides-by-role/workforce-member.html
B. Other defined roles, in alphabetical order.
Workforce Members may have one or more additional roles based on the nature of their relationship with the university. These additional roles are listed below in alphabetical order, and in the Table of Contents.
A Chief Information Officer (CIO) is a senior executive responsible for information technology or information system functions throughout a Location. UC Berkeley's Chief Information Officer responsibilities include:
- Overall coordination and operational oversight for Campus compliance with university security policies and guidelines, including UC BFB IS-3, Electronic Information Security;
- Operational oversight for the delivery of information technology services that meet the requirements of UC information security policies;
- Planning and directing information security risk assessments for UC Berkeley;
- Providing management oversight for information security planning, implementation, budgeting, staffing, program development and reporting;
- Setting operational priorities and obtaining alignment with the Cyber-risk Responsible Executive (CRE) and UC Berkeley leadership.
UC BFB IS-3, Electronic Information Security, establishes the role of the Chief Information Security Officer (CISO). The CISO is responsible for security functions throughout a Location. UC Berkeley CISO responsibilities include:
- Assisting in the interpretation and application of UC and UC Berkeley information security policies;
- Reporting information security incidents to University of California Office of the President (UCOP), UC Berkeley leadership, and UC Berkeley’s CRE; and serving on the Campus incident response team;
- Managing the information security policy exception process, and approving and documenting exceptions;
- Providing management and execution oversight of the Information Security Management Program (ISMP) defined in Section 5 of UC BFB IS-3 through collaborative relationships with CRE, CIO, academic and administrative officials, using Campus governance structures and compliance strategies;
- Helping Units manage cyber risk;
- Approving risk treatment plans;
- Participating in UC Berkeley’s cyber risk governance;
- Working with Campus governance to identify Critical IT Infrastructure in scope for full risk assessments;
- Approving security tools, technologies, and methods for Campus use including, but not limited to, encryption, authentication, network security controls, digital certificates, key escrow, event logging, and disposal of media.
The Cyber-risk Responsible Executive (CRE) is appointed by, and reports to, the Chancellor or designee, and is accountable for all information risk assessments, security strategies, planning and budgeting, incident management, and information security implementation at UC Berkeley including:
- Ensuring that the responsible parties understand and execute their responsibilities under this policy;
- Ensuring the Campus-wide adoption of the ISMP, and an information security risk management strategy;
- Evaluating the Campus’ level of cyber risk to make decisions about risk mitigation and Risk Acceptance, and ensure appropriate funding for information security;
- Approving UC Berkeley’s policy exception process and information security incident response plan.
A Workforce Member who is assigned specific information technology (IT) duties or responsibilities. This applies to individuals working for the university in any capacity, whether paid or unpaid, including student employees, volunteers, contingent workers, and those to whom other roles in this Policy apply. Responsibilities include:
- Following all applicable security policies and requirements, and implementing relevant security controls according to their job responsibilities;
- Being informed and aware of security constraints of IT Resources with which they interact;
- Proactively ensuring they receive training necessary to maintain required standards of information security in their IT-related role;
- Identifying information security risk and educating others as appropriate to their role.
Institutional Information Proprietors and IT Resource Proprietors are responsible for the Institutional Information, IT Resources, and associated processes supporting a university function. Proprietor responsibilities include, but are not limited to:
- Classifying Institutional Information and IT Resources under their area of responsibility in terms of their Protection Level and Availability Level, and documenting the classifications;
- Notifying the Information Security Office (ISO), Units, Users, Service Providers, and Suppliers of these classifications
- This includes reassessing the classification levels if the data, system or use case changes, and communicating any resulting changes to the groups listed above;
- Ensuring compliance with the law, regulations, and university policy regarding the classification, protection, location, release, retention, disposition of, access to, and removal of access to Institutional Information and IT Resources;
- Overall responsibility for establishing the access to and release of a defined set of Institutional Information;
- Ensuring that Institutional Information and IT Resources under their area of responsibility are used in ways consistent with the mission of the university as a whole.
In addition to the above, Institutional Information Proprietors have the following responsibilities:
- Establishing and documenting rules for use of, access to, approval for use of, and removal of access to the Institutional Information related to their area of responsibility;
- Approving Institutional Information transfers and access related to their area of responsibility.
Additional details about Proprietor responsibilities are available at https://security.ucop.edu/policies/quick-start-guides-by-role/proprietor.html and https://security.berkeley.edu/data-classification-and-protection-profiles#resource
Researchers, including students who are conducting research in a Workforce Member capacity, are responsible for:
- Complying with all responsibilities of Workforce Members (see Section V.A above);
- Following security protocols established by the Principal Investigator/Project Lead. These may include, but are not limited to:
- Meeting confidentiality and data security obligations relating to research data
- Creating and maintaining documentation relating to the implementation of and adherence to security controls
In addition to the above, the individual ultimately responsible for the research (Project Lead) — e.g., Principal Investigator, Project Director, faculty sponsor, supervising instructor, mentor, etc. — has the following responsibilities. Tasks to satisfy these responsibilities may be delegated; however, the responsibilities themselves may not.
- Identifying the appropriate Protection Level and Availability Level for research data and associated IT Resources;
- Identifying and meeting confidentiality, data security, and incident response obligations based on laws, regulations, policies, grants, contracts, binding commitments (such as data use, participant consent, and confidentiality agreements), Institutional Review Board (IRB) requirements, and other Campus and external requirements relating to the research data;
- For research involving Protected Data:
- Using a Campus-approved risk treatment plan or conducting a risk assessment to ensure that information security requirements are met;
- Prior to creating or receiving data, ensuring confidentiality and data security requirements and agreements are in place;
- Creating and maintaining evidence that demonstrates how security controls were implemented and kept current throughout the project, including appropriate disposal of data;
- Developing and following an information security plan that manages security risk over the course of their project;
- Approving and monitoring access to Protected Data;
- Ensuring that Suppliers who store or process Institutional Information during the project follow UC policy for written contracts;
- Ensuring that Supplier agreements are negotiated and approved through established campus procurement processes, thereby ensuring that information security terms required by policy and UC purchasing requirements are included.
Additional details about Researcher responsibilities are available at https://security.ucop.edu/policies/quick-start-guides-by-role/researcher.html
A Security Contact is a role at the IT Resource or department level made up of individuals who have been designated to receive and respond to security notices from UC Berkeley’s Information Security Office (ISO). Responsibilities include:
- Maintaining registration of IT Resources for which they are responsible, in the ISO-managed registration portal;
- Receiving and responding to security notices from the ISO about the resource or department;
- Ensuring that appropriate personnel take action in response to each security notice, and that the resolution of each notice is reported to the ISO (email@example.com);
- Membership in and active monitoring of the UCB-Security mailing list.
Additional details about Security Contact responsibilities are available at: https://security.berkeley.edu/departmental-security-contact-policy
A Security Lead (also known as Unit Information Security Lead) is designated by the Unit Head and is responsible for ensuring execution of information security activities within the Unit. This includes:
- Acting as the primary contact for security for the Unit, in consultation with the Unit Head;
- Being the liaison between the Unit and UC Berkeley Information Security Office (ISO);
- Identifying and inventorying Institutional Information and IT Resources that the Unit uses and is responsible for. This includes identifying of Protection Level and Availability Level classification, and ensuring that an IT Resource Proprietor is identified for systems that the Unit procures or installs;
- Implementing security controls for the Unit, and devising procedures for the proper handling, storage, and disposal of electronic media within the Unit, under applicable policies, laws, regulations, and contractual agreements;
- Reviewing and updating risk assessments and risk treatment plans for the Unit;
- Reviewing and maintaining access rights within the Unit, including managing privileged access;
- Promptly reporting security-related incidents and violations to the Unit Head, ISO, and applicable governing entities;
- Ensuring prompt response to security incident reports and notices from the ISO, and ensuring that appropriate personnel take action in response to each one;
- Membership in and active monitoring of the UCB-Security mailing list;
- Active membership in the ISO Security Workgroup.
Additional details about Security Lead responsibilities are available on our Unit Heads and Security Leads page and at: https://security.ucop.edu/policies/quick-start-guides-by-role/unit-information-security-lead.html
A Service Provider, also known as a “Resource Custodian,” is any UC group or organization providing specific IT services to one or more Campus Units, including their own Unit. Service Providers must:
- Ensure that their services comply with all applicable security policies and guidelines, laws, regulations, and contract agreements;
- Proactively monitor vulnerabilities for platforms they manage, and implement patches or other mitigations as appropriate;
- Clearly identify and communicate to Users the Protection Level and Availability Level of the service;
- This includes reassessing the classification levels if the data, system, or use case changes, and communicating any resulting changes to the Information Security Office (ISO), Units, and Users;
- Clearly identify, document, and communicate to Users which required security controls are provided by the service and which are the responsibility of the User;
- For services with multiple Service Providers, each Service Provider must clearly document which required security controls are provided by their component of the service. (Optional template for documenting shared MSSEI Responsibilities)
- Use the policy exception process for any security requirements that cannot be met;
- Report any security incident, non-compliance issues, or cybersecurity concerns to ISO and the Security Leads and Unit Heads served;
- Coordinates with Units to respond to potential and confirmed information security incidents.
- Adhere to the requirements of the UC Electronic Communications Policy (ECP) and UC Berkeley’s Online Monitoring Policy with respect to inspection, monitoring and disclosure of electronic communications information.
- Support Units in completing risk assessments related to the services provided;
- Comply with the applicable Supplier requirements in UC BFB IS-3, Electronic Information Security, including use of UC’s Data Security and Privacy Appendix (Appendix DS), when external third parties are used to fulfill any portion of the service.
The above applies to all services developed or supported by UC Service Providers, regardless of where they are hosted.
Additional details about Service Provider responsibilities are available at https://security.ucop.edu/policies/quick-start-guides-by-role/service-provider.html
Unit Heads are the executives accountable and responsible for overseeing the execution of UC and Campus information security policies within the Unit. At UC Berkeley, the default level of a Unit Head in this context is Dean, VC, AVC, or other accountable executive in a senior role who is responsible for Unit performance and administration. Delegation is allowed if it is explicit, documented, and the delegate has the budget and resources necessary to manage information security risk, including an adverse information security event such as a data breach or system compromise. Responsibilities include:
- Delegating responsibilities and making planning and budget decisions that help ensure the necessary resources are in place to protect their Unit’s Institutional Information and IT Resources;
- Overall responsibility for managing cyber risk for their Unit, including establishing acceptable levels of security risk, making Risk Acceptance decisions for the Unit, and ensuring that Unit risk assessments and risk treatment plans are up to date;
- Appointing a Security Lead(s) for the Unit with the responsibilities outlined and linked within this Policy;
- Ensuring the following. Tasks to satisfy these responsibilities may be delegated; however, the responsibilities themselves may not:
- Appropriate protection of Institutional Information and IT Resources that the Unit uses and for which the Unit is responsible, according to the Protection and Availability Levels determined by or in conjunction with Proprietors;
- Appropriate information security training throughout the Unit, including security awareness training, and procedures for reporting suspected or confirmed security incidents or concerns;
- That services the Unit uses, including those managed by Service Providers or Suppliers, meet all applicable security-related requirements.
Development and maintenance of a Unit security plan that addresses campus security policy requirements;
Creation and maintenance of an inventory of Institutional Information and IT Resources that the Unit uses and for which the Unit is responsible, including classification;
Timely reporting of information security incidents or lack of security compliance to the UC Berkeley Information Security Office (ISO).
Additional details about Unit Head responsibilities are available on our Unit Heads and Security Leads page and at: https://security.ucop.edu/policies/quick-start-guides-by-role/unit-head.html
Individuals who supervise/manage other personnel or approve work or research on behalf of the university are responsible for:
- Reviewing and following the Workforce Manager quick start guide
- Communicating and facilitating information security practices among those whom they manage;
- Ensuring that Workforce Members understand their key responsibilities with respect to information security and are trained for their current roles or any roles for which they are considered;
- Promptly reporting security-related incidents and violations according to Unit and Campus procedures;
- Incorporating information security into processes for recruitment, hiring, onboarding, and separation or change of employment; this includes:
- Establishing security duties of positions and including them in the job description or appointment letter;
- Ensuring Workforce Member access to Institutional Information and IT Resources is appropriate and is modified, added, or removed as needed, including in response to separation or change of departments;
- Ensuring continued availability of Institutional Information required for UC Business continuity when a Workforce Member separates or changes departments;
- See Section III, Subsection 7 of UC’s Electronic Information Security Policy for additional cybersecurity tasks before, during and after employment of Workforce Members, including documentation requirements.
- Key Faculty Responsibilities Under the Roles and Responsibilities Policy
- Key Staff Responsibilities Under the Roles and Responsibilities Policy
- Key Student Responsibilities Under the Roles and Responsibilities Policy
- Key Researcher Responsibilities Under the Roles and Responsibilities Policy
- Key Responsibilities for Everyone Under the Roles and Responsibilities Policy
This policy is definitional in nature. It consolidates and clarifies existing key roles and responsibilities at the Berkeley Campus and UC systemwide levels. Lack of fulfilling the responsibilities in this policy may result in violations of other policies that have their own consequences for violations, such as IS-3. Such consequences may include costs to the Unit associated with an information security incident, or being blocked from the campus network. This policy does not introduce any new consequences for violations.
- UC Business and Finance Bulletin IS-3, Electronic Information Security (especially Section IV Compliance/Responsibilities; and Section III, Subsection 7 Human Resource Security)
- UC System-wide IS-3 Role Guides
- Campus Responsibilities Guide for Security
- Data Classification Standard
- Departmental Security Contact Policy
- Email Service Policy
- Incident Response Plan
- Information Security Policy Exception Process (because of its definitional nature, the policy exception process doesn’t apply to this policy directly; however, it does apply to security requirements in referenced policies)
- Minimum Security Standards for Electronic Information
- Minimum Security Standards for Networked Devices
- Online Monitoring Policy
- Records Retention webpage
- Oct. 11, 2019: Draft posted on Information Security Office website
- Mar. 2, 2020: Definition of IT Workforce Member clarified
- Jul. 10, 2020: Definition of Security Lead clarified
- Aug. 27, 2020: Clarified Researcher responsibility for Supplier agreements
- Sept. 9, 2020: Added the definition of "Unit" to Section IV, Key Definitions
- Nov. 2, 2020: Added UC's Minimum Security Standards to the list of information security standards that Workforce Members must follow; Added links for guidance and clarification to Proprietor and Security Lead sections re. record retention and classification, respectively; Highlighted documentation requirements for Workforce Managers; Added record retention link to references.
- Nov. 16, 2020: Clarified that all Users are responsible for responding to official reports of security incidents involving their systems or accounts.
- Dec. 2, 2020: Added additional resources and references to Section VI, Related Documents and Policies.
- Aug. 14 2021: Structural changes and clarifications to address feedback from campus review, including: Moved “User” role from Section V.B to Section V.A; added introductions to Sections V.A and V.B; clarified applicability of Researcher responsibilities to students; clarified which Researcher responsibilities only apply to Protected Data; additional clarifications, grammar fixes, and link updates throughout.
- Sept. 8, 2021: Modified the definition of “Unit Head” in the Policy Glossary to provide additional clarity around delegation. Also added the full definition to the Unit Head section of this Policy to increase clarity and reduce confusion, especially around delegation.
- Oct 19, 2021: Clarified Unit Head responsibilities that may be delegated; Added Section VII, Consequences of Violations clarifying that failure to fulfill responsibilities may result in violations of other policies; Expanded title of Sec IV to include the glossary; Added a link to the Information Security Policy Exception Process in Section VIII, Related Documents and Policies, and clarified that it doesn’t apply to this Policy directly but does apply to security requirements in referenced Policies.