FAQ

The contract has already been signed, what do I do?

My unit is contracting with a 3rd-party service provider for the handling of campus protected data. The contract has already been signed, should I still engage with ISO for a vendor security assessment?


Although there is less bargaining power with the service provider to address security concerns after the contract has already been signed, it is still a good idea to perform a vendor security assessment for service providers who are handling UC P3 or P4 data:

If the overall risk level is acceptable, the unit is assured that the vendor meets campus policy for the protection of...

Are vendor services available that have already been approved?

Are vendor services available to campus that have already been approved for UC P2/3 or UC P4 data?


There are several 3rd-party vendor services that are readily available to campus that have been approved for UC P2/P3 or UC P4 data. Campus units that adopt these 3rd-party services for the purpose of storing and sharing covered data can be assured that these vendors meet campus policy requirements.

Campus units that utilize these services for the handling of protected data should keep in mind that careful configuration and management of these applications is required to meet campus policy standards.

UC P4...

I have UC P2/3 data, what do I do?

My unit is contracting with a 3rd-party service provider to host campus UC P2/3 classified data. How can the vendor be assessed to meet campus security policies in the absence of ISO resources?


Units can ensure that 3rd-party service providers meet the campus data security policy requirements for the handling of UC P2/3 data through the following actions:

Be sure to include the UCOP Data Security & Privacy Appendix, required for all UC contracts involving 3rd-party access to protected data, without edits, in the service provider contract. This ensures baseline...

How to Respond to Campus Blocking RDP Open to Internet Ticket

Background

Running Remote Desktop Protocols (RDP) open to the Internet has become a significant threat to campus and RDP access must be secured according to the “How can I secure my remote connection” section below. The Information Security Office will notify users through our ticketing system upon detection of RDP open to the Internet.

Who is affected:

People using personally-managed or -owned computers and who have no restrictions for remote access to the campus computer they are connecting...

What do I do if I believe my system has been infected by Ransomware?

Signs your system may have been infected by Ransomware:

Your web browser or desktop is locked with a message about how to pay to unlock your system and/or your file directories contain a "ransom note" file that is usually a .txt file All of your files have a new file extension appended to the filenames Examples of Ransomware file extensions: .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA...

What is a "3rd-party service provider"?

What is a "vendor" or a "3rd-party service provider"?

A "vendor" or "3rd-party service provider" is an entity (e.g., a person or a company), separate from the University, that offers something for sale. The typical types of vendor services that require an ISO vendor security assessment are technologies used to store, process, and/or transport protected data on behalf of the University, such as:

Software as a Service (SaaS) providers - companies that provide hosted application services (e.g., Google bmail) Infrastructure as...

Who is responsible for my data?

By engaging with a service provider, you have the responsibility as the Resource Proprietor for ensuring compliance with laws, regulations and policies, including standards (UC Business Finance Bulletin IS-2 and IS-3).

For example, if notice-triggering data is...

Who needs to be involved in a vendor security assessment?

The roles that are typically involved in participating with a vendor security assessment include the following:

Resource Owner or Proprietor Campus unit representative who has overall responsibility for the application (e.g., budgeting and resource allocation). Implementation Project Manager Unit member responsible for the roll-out of the application or service, including (but not limited to) vendor selection, contract specifications, configuration, process-flow design, personnel training, etc. UC Buyer Representative...

What are the privileges for members in a security contact?

There are four privilege levels for any member of a security contact:

View-only: can view registration information.

Device: can make changes to Device registrations.

IP Information: can claim subnets, request IP Addresses, register subdomains and offsite hostname. Can register RD Applications. Can also make changes to Device registrations.

Admin: includes Device and IP Information privileges. Can also make profile and membership changes to the security...

What are Group Security Contacts used for?

A Group Security Contact (GSC) is created by a Department Security Contact (DSC) when a separation of responsibilities is needed. Each DSC will have an orgnode set, and the GSC will be associated to the department via its parent, the DSC.

A Group Security Contact can be used to help departments separate devices into sets that receive (or do not receive) IT support from a Service Provider Security Contact (SP SC). Additionally, when responses to security incidents is the responsibility of different groups (e.g., a research lab within a larger...