University of California, Berkeley
Policy Issued: [TBA]
Effective Date: [TBA + 1 year]
Supersedes: N/A - New policy
Next Review Date: [TBA + 5 years]
Roles and Responsibilities for the Protection of University Institutional Information and IT Resources (Roles and Responsibilities Policy) - DRAFT
Responsible Executive: Associate Vice Chancellor for Information Technology and Chief Information Officer
Responsible Office: IT Policy Office
Contact: IT Policy Manager, firstname.lastname@example.org
A fundamental principle of information security at UC Berkeley is that all individuals in the university community have a responsibility for the security and protection of university Institutional Information and IT Resources over which they have control, according to their role(s). This policy establishes these roles and responsibilities.
This Policy applies to all individuals who use or access UC Berkeley Institutional Information or IT Resources.
The purpose of this Policy is to identify, define, and clarify roles and responsibilities at UC Berkeley with respect to the security and protection of Institutional Information and IT Resources.
Unit: In the context of information security, a Unit is a Campus academic or administrative entity led by a Campus appointed Unit Head with budgetary authority and resources of a level sufficient to accept and manage the organization’s information security risk. Units are the point of accountability and responsibility for Institutional Information and IT Resources. At UC Berkeley, the organizational level of a Unit in this context is Dean, VC, or AVC. Delegation is allowed if the delegation is explicit and includes budget and resources necessary to fully accept and manage information security risk at the delegated level, including covering an adverse information security event such as a data breach or system compromise.
Role titles listed in Section V are linked directly to their definitions in UC Berkeley’s Information Security Policy Glossary.
Definitions of other Key Terms (capitalized and italicized) used in this Policy are also included in UC Berkeley’s Information Security Policy Glossary.
Key roles and responsibilities for the protection of university Institutional Information and IT Resources are listed below. Responsibilities range in scope from the protection of one's own password to security controls administration for a large system or an entire Unit.
All Workforce Members have the responsibilities listed in Section V.A, “Workforce Member”. A particular individual may also have one or more additional roles based on the nature of their relationship with the university. Additional roles are listed in alphabetical order in Section V.B.
Specific responsibilities under UC’s Electronic Information Security Policy, Business and Finance Bulletin IS-3 (BFB IS-3), for many of the roles listed below are available in Section IV of that Policy: https://policy.ucop.edu/doc/7000543/BFB-IS-3
A. Workforce Member:
Individuals working for the university in any capacity, whether paid or unpaid, including student employees, volunteers, contingent workers, and those to whom other roles in this Policy apply, are responsible for:
- Following minimum information security standards (see MSSND, MSSEI, and UC’s Minimum Security Standards);
- Knowing and understanding the Protection Level and Availability Level of Institutional Information and IT Resources that they access, and adhering to the appropriate security controls;
- Complying with information security obligations stated in UC policy, laws, governmental regulations, contracts, external obligations, and grants;
- Appropriate use of Institutional Information and IT Resources; this includes:
- Only using Institutional Information and IT Resources for the purposes for which access was granted;
- Not attempting to gain unauthorized access, disrupt operations, gain access to confidential information security strategies, or inappropriately alter Institutional Information;
- Only using Suppliers that have been approved for use of Institutional Information.
- Additional examples of appropriate and inappropriate use are included in UC Berkeley’s Computer Use Policy, Campus Online Activities Policy, Campus Information Technology Security Policy, and the UC Electronic Communications Policy.
- Completing all required security-related training;
- Promptly reporting security-related incidents, violations, and inappropriate use of Institutional Information or IT Resources, according to Unit and Campus procedures. This includes reporting to their manager any gaps in, or failure of, information security controls in the assigned area of responsibility;
- Promptly returning all UC property, IT Resources, physical access keys/cards, Institutional Information (and copies), token encryption keys, and UC-licensed software and tools upon separation or change of employment.
Additional details are available in Section III, Subsection 7 of UC’s Electronic Information Security Policy at https://policy.ucop.edu/doc/7000543/BFB-IS-3, and at https://security.ucop.edu/policies/quick-start-guides-by-role/workforce-member.html
B. Other defined roles, in alphabetical order.
A Chief Information Officer (CIO) is a senior executive responsible for information technology or information system functions throughout a Location. UC Berkeley's Chief Information Officer responsibilities include:
- Overall coordination and operational oversight for Campus compliance with university security policies and guidelines, including UC BFB IS-3, Electronic Information Security;
- Operational oversight for the delivery of information technology services that meet the requirements of UC information security policies;
- Planning and directing information security risk assessments for UC Berkeley;
- Providing management oversight for information security planning, implementation, budgeting, staffing, program development and reporting;
- Setting operational priorities and obtaining alignment with the Cyber-risk Responsible Executive (CRE) and UC Berkeley leadership.
UC BFB IS-3, Electronic Information Security, establishes the role of the Chief Information Security Officer (CISO). The CISO is responsible for security functions throughout a Location. UC Berkeley CISO responsibilities include:
- Assisting in the interpretation and application of UC and UC Berkeley information security policies;
- Reporting information security incidents to University of California Office of the President (UCOP), UC Berkeley leadership, and UC Berkeley’s CRE; and serving on the Campus incident response team;
- Managing the information security policy exception process, and approving and documenting exceptions;
- Providing management and execution oversight of the Information Security Management Program (ISMP) defined in Section 5 of UC BFB IS-3 through collaborative relationships with CRE, CIO, academic and administrative officials, using Campus governance structures and compliance strategies;
- Helping Units manage cyber risk;
- Approving risk treatment plans;
- Participating in UC Berkeley’s cyber risk governance;
- Working with Campus governance to identify Critical IT Infrastructure in scope for full risk assessments;
- Approving security tools, technologies, and methods for Campus use including, but not limited to, encryption, authentication, network security controls, digital certificates, key escrow, event logging, and disposal of media.
The Cyber-risk Responsible Executive (CRE) is accountable for all information risk assessments, security strategies, planning and budgeting, incident management, and information security implementation at UC Berkeley including:
- Ensuring that the responsible parties understand and execute their responsibilities under this policy;
- Ensuring the Campus-wide adoption of the ISMP, and an information security risk management strategy;
- Evaluating the Campus’ level of cyber risk to make decisions about risk mitigation and risk acceptance, and ensure appropriate funding for information security;
- Approving UC Berkeley’s policy exception process and information security incident response plan.
A Workforce Member who is assigned specific information technology (IT) duties or responsibilities. This applies to individuals working for the university in any capacity, whether paid or unpaid, including student employees, volunteers, contingent workers, and those to whom other roles in this Policy apply. Responsibilities include:
- Following all applicable security policies and requirements, and implementing relevant security controls according to their job responsibilities;
- Being informed and aware of security constraints of IT Resources with which they interact;
- Proactively ensuring they receive training necessary to maintain required standards of information security in their IT-related role;
- Identifying information security risk and educating others as appropriate to their role.
Institutional Information Proprietors and IT Resource Proprietors are responsible for the Institutional Information, IT Resources, and associated processes supporting a university function. Proprietor responsibilities include, but are not limited to:
- Classifying Institutional Information and IT Resources under their area of responsibility in terms of their Protection Level and Availability Level, and documenting the classifications;
- Notifying the Information Security Office (ISO), Units, Users, Service Providers, and Suppliers of these classifications
- This includes reassessing the classification levels if the data, system or use case changes, and communicating any resulting changes to the groups listed above;
- Ensuring compliance with the law, regulations, and university policy regarding the classification, protection, location, release, retention, disposition of, access to, and removal of access to Institutional Information and IT Resources;
- Overall responsibility for establishing the access to and release of a defined set of Institutional Information;
- Ensuring that Institutional Information and IT Resources under their area of responsibility are used in ways consistent with the mission of the university as a whole.
In addition to the above, Institutional Information Proprietors have the following responsibilities:
- Establishing and documenting rules for use of, access to, approval for use of, and removal of access to the Institutional Information related to their area of responsibility;
- Approving Institutional Information transfers and access related to their area of responsibility.
Additional details about Proprietor responsibilities are available at https://security.ucop.edu/policies/quick-start-guides-by-role/proprietor.html and https://security.berkeley.edu/data-classification-and-protection-profiles#resource
Researchers, including student researchers, are responsible for:
- Complying with all responsibilities of Workforce Members (see Section V.A above);
- Meeting confidentiality and data security obligations relating to research data, as defined by the Principal Investigator;
- Creating and maintaining documentation relating to the implementation of and adherence to security controls, as required by the Principal Investigator.
In addition to the above, Principal Investigators have the following responsibilities:
- Identifying the appropriate Protection Level and Availability Level for research data and associated IT Resources;
- Using a Campus-approved risk treatment plan or conducting a risk assessment to ensure that information security requirements are met;
- Identifying and meeting confidentiality, data security, and incident response obligations based on laws, regulations, policies, grants, contracts, and binding commitments (such as data use, participant consent, and confidentiality agreements), Institutional Review Board (IRB) requirements, Industry Alliance Office requirements, and other Campus governing office requirements relating to research data;
- Prior to creating or receiving data, ensuring confidentiality and data security requirements are in place;
- Creating and maintaining evidence that demonstrates how security controls were implemented and kept current throughout the project, including appropriate disposal of data;
- Developing and following an information security plan that manages security risk over the course of their project;
- Ensuring that all appropriate confidentiality agreements are in place for the project;
- Approving and monitoring access to protected data;
- Ensuring that Suppliers who store or process Institutional Information during the project follow UC policy for written contracts;
- Ensuring that Supplier agreements are negotiated and approved through established campus procurement processes, thereby ensuring that information security terms required by policy and UC purchasing requirements are included.
Additional details about Researcher responsibilities are available at https://security.ucop.edu/policies/quick-start-guides-by-role/researcher.html
A Security Contact is a role at the IT Resource or department level made up of individuals who have been designated to receive and respond to security notices from UC Berkeley’s Information Security Office (ISO). Responsibilities include:
- Maintaining registration of IT Resources for which they are responsible, in the ISO-managed registration portal;
- Receiving and responding to security notices from the ISO about the resource or department;
- Ensuring that appropriate personnel take action in response to each security notice, and that the resolution of each notice is reported to the ISO (email@example.com);
- Membership in and active monitoring of the UCB-Security mailing list.
Additional details about Security Contact responsibilities are available at: https://security.berkeley.edu/departmental-security-contact-policy
A Security Lead (also known as Unit Information Security Lead) is designated by the Unit Head and is responsible for ensuring execution of information security activities within the Unit. This includes:
- Acting as the primary contact for security for the Unit, in consultation with the Unit Head;
- Being the liaison between the Unit and UC Berkeley Information Security Office (ISO);
- Identifying and inventorying Institutional Information and IT Resources that the Unit uses and is responsible for, including classification of Protection Level and Availability Level;
- Implementing security controls for the Unit, and devising procedures for the proper handling, storage, and disposal of electronic media within the Unit, under applicable policies, laws, regulations, and contractual agreements;
- Reviewing and updating risk assessments and risk treatment plans for the Unit;
- Reviewing and maintaining access rights within the Unit, including managing privileged access;
- Promptly reporting security-related incidents and violations to the Unit Head, ISO, and applicable governing entities;
- Ensuring prompt response to security incident reports and notices from the ISO, and ensuring that appropriate personnel take action in response to each one;
- Membership in and active monitoring of the UCB-Security mailing list;
- Active membership in the ISO Security Workgroup.
Additional details about Security Lead responsibilities are available on our Unit Heads and Security Leads page and at: https://security.ucop.edu/policies/quick-start-guides-by-role/unit-information-security-lead.html
A Service Provider is any UC group or organization providing specific IT services to one or more Campus Units, including their own Unit. Service Providers must:
- Ensure that their services comply with all applicable security policies and guidelines, laws, regulations, and contract agreements;
- Proactively monitor vulnerabilities for platforms they manage, and implement patches or other mitigations as appropriate;
- Clearly identify and communicate to clients the Protection Level and Availability Level of the service;
- This includes reassessing the classification levels if the data, system, or use case changes, and communicating any resulting changes to the Information Security Office (ISO), Units, and Users;
- Clearly identify, document, and communicate to clients which required security controls are provided by the service and which are the responsibility of the client;
- For services with multiple Service Providers, each Service Provider must clearly document which required security controls are provided by their component of the service.
- Use the policy exception process for any security requirements that cannot be met;
- Report any security incident, non-compliance issues, or cybersecurity concerns to ISO and the Security Leads and Unit Heads served;
- Coordinates with Units to respond to potential and confirmed information security incidents.
- Adhere to the requirements of the UC Electronic Communications Policy (ECP) with respect to inspection, monitoring and disclosure of electronic communications information.
- Support Units in completing risk assessments related to the services provided;
- Comply with the applicable Supplier requirements in UC BFB IS-3, Electronic Information Security, including use of UC’s Data Security and Privacy Appendix (Appendix DS), when external third parties are used to fulfill any portion of the service;
The above applies to all services developed or supported by UC Service Providers, regardless of where they are hosted.
Additional details about Service Provider responsibilities are available at https://security.ucop.edu/policies/quick-start-guides-by-role/service-provider.html
Also see UC Berkeley’s Email Service Policy for specific responsibilities associated with that service, and Incident Response Plan (coming soon).
Unit Heads are the executives accountable and responsible for overseeing the execution of UC and Campus information security policies within the Unit. This includes:
- Delegating responsibilities and making planning and budget decisions that help ensure the necessary resources are in place to protect their Unit’s Institutional Information and IT Resources;
- Overall responsibility for managing cyber risk for their Unit, including establishing acceptable levels of security risk, making risk acceptance decisions for the Unit, and ensuring that Unit risk assessments and risk treatment plans are up to date;
- Developing and maintaining a Unit security plan that addresses campus security policy requirements;
- Appointing a Security Lead(s) for the Unit with the responsibilities outlined and linked within this Policy;
- Creating and maintaining an inventory of Institutional Information and IT Resources that the Unit uses and for which the Unit is responsible, including classification;
- Reporting information security incidents or lack of security compliance to the UC Berkeley Information Security Office (ISO);
- Ensuring the following:
- Appropriate protection of Institutional Information and IT Resources that the Unit uses and for which the Unit is responsible, according to the Protection and Availability Levels determined by or in conjunction with Proprietors;
- Appropriate information security training throughout the Unit, including security awareness training, and procedures for reporting suspected or confirmed security incidents or concerns;
- That services the Unit uses, including those managed by Service Providers or Suppliers, meet all applicable security-related requirements.
Additional details about Unit Head responsibilities are available on our Unit Heads and Security Leads page and at: https://security.ucop.edu/policies/quick-start-guides-by-role/unit-head.html
Users are individuals who access and use campus electronic information resources and are responsible for:
- Ensuring that all devices connected to the UC Berkeley network comply with the Minimum Security Standard for Networked Devices (MSSND);
- Becoming knowledgeable about and following relevant security requirements and guidelines;
- Engaging in appropriate use of university electronic information resources under UC and UC Berkeley policies and the law;
- Protecting the resources under their control, such as accessing passwords, computers, and data that they create, receive, or download;
- Promptly reporting security-related incidents and violations, and responding to official reports of security incidents involving your systems or accounts.
Also see UC Berkeley’s Email Service Policy for specific responsibilities associated with that service.
Individuals who supervise/manage other personnel or approve work or research on behalf of the university are responsible for:
- Reviewing and following the Workforce Manager quick start guide
- Communicating and facilitating information security practices among those whom they manage;
- Ensuring that Workforce Members understand their key responsibilities with respect to information security and are trained for their current roles or any roles for which they are considered;
- Promptly reporting security-related incidents and violations according to Unit and Campus procedures;
- Incorporating information security into processes for recruitment, hiring, onboarding, and separation or change of employment; this includes:
- Establishing security duties of positions and including them in the job description or appointment letter;
- Ensuring Workforce Member access to Institutional Information and IT Resources is appropriate and is modified, added, or removed as needed, including in response to separation or change of departments;
- Ensuring continued availability of Institutional Information required for UC Business continuity when a Workforce Member separates or changes departments;
- See Section III, Subsection 7 of UC’s Electronic Information Security Policy (link is external) for additional cybersecurity tasks before, during and after employment of Workforce Members, including documentation requirements.
- UC Business and Finance Bulletin IS-3, Electronic Information Security (especially Section IV Compliance/Responsibilities; and Section III, Subsection 7 Human Resource Security)
- UC System-wide IS-3 Role Guides
- Campus Responsibilities Guide for Security
- Departmental Security Contact Policy
- Key Faculty Responsibilities Under the Roles and Responsibilities Policy
- UC Berkeley Data Classification Standard
- UC Berkeley’s Email Service Policy
- UC Berkeley Incident Response Plan (coming soon)
- UC Berkeley Minimum Security Standards for Electronic Information
- UC Berkeley Minimum Security Standards for Networked Devices
- UC Berkeley Records Retention webpage
- Oct. 11, 2019: Draft posted on Information Security Office website
- Mar. 2, 2020: Definition of IT Workforce Member clarified
- Jul. 10, 2020: Definition of Security Lead clarified
- Aug. 27, 2020: Clarified Researcher responsibility for Supplier agreements
- Sept. 9, 2020: Added the definition of "Unit" to Section IV, Key Definitions
- Nov. 2, 2020: Added UC's Minimum Security Standards to the list of information security standards that Workforce Members must follow; Added links for guidance and clarification to Proprietor and Security Lead sections re. record retention and classification, respectively; Highlighted documentation requirements for Workforce Managers; Added record retention link to references.
- Nov. 16, 2020: Clarified that all Users are responsible for responding to official reports of security incidents involving their systems or accounts.
- Dec. 2, 2020: Added additional resources and references to Section VI, Related Documents and Policies.