
UCR Policies and Procedures


Campus Policy Number: 400-32
Campus Policy Title: Electronic Information Security Policy
Policy Owner: Computing and Communications
Effective Date: 07/11/2011
Revision Date: 06/25/2012
 
 
  I. Introduction, Scope, and Objective
Computing and Communications (C&C) utilizes a combination of tools, techniques, and staff to support desktop, network, server, database, and application security. These efforts help stop problems at campus border routers, detect intrusions, monitor traffic for denial of service patterns, and ensure the integrity and privacy of protected (personal) data.
 
Nevertheless, UCR is a research university that maintains a network that is more open than most networks found in the private sector. Moreover, the computing infrastructure that the network supports (web servers, applications servers, etc.) is more distributed than that deployed in many for-profit companies.
 
While this topology supports the research and instructional missions of the university, UCR's open and distributed network and computing infrastructure requires that the security, confidentiality, and privacy of campus electronic communications and data be a shared responsibility. Thus, security should be given the highest possible level of attention not only by C&C, but by any and all individuals, groups, departments, or organizations that provide, host, or enable electronic communications, data storage, or other computing infrastructure.
 
The UCR Information Security Plan, instantiated in the UCR Electronic Information Security Policy, includes efforts, tools, and programs to secure core, enterprise systems, as well as processes, policies, and outreach to assist campus organizations and departments to ensure the security of non-centrally maintained data and systems.
 
    A. Scope
The UCR Electronic Information Security Policy implements the University of California’s primary information security policy, IS-3. The Electronic Information Security Policy defines campus responsibilities, including those related to utilizing appropriate security measures based on the risk associated with the electronic resource in question. The policy also provides a set of definitions relating to IS-3 and UCR local implementation of this system-wide policy.
 
    B. Objective
IS-3 policy requires campuses to evaluate electronic information resources, to determine which resources contain Personal Protected Information (PPI) and/or essential or restricted (sensitive and protected) information, to develop local guidelines and/or policies for securing these electronic assets, and to institute a mechanism for ensuring that these guidelines are appropriately implemented and reviewed on a periodic basis. 
 
  II. Background
The UCR campus-wide and departmental security plans must address the following key issues: risk assessment; essential data/electronic resources; and restricted data/electronic resources (including Personal Protected Information, as defined by California law). The following notes apply to these terms:
 
    A. Risk Assessment
Campus security plans must include risk assessments and/or business impact analyses that inventory and determine the nature of electronic information assets held or managed by campus units and to understand and document the risks in the event of failures that may cause loss of confidentiality, integrity, or availability of electronic systems and resources.
 
    B. Essential Data/Electronic Resources
Data or systems are deemed essential if failure and/or compromise of these systems/data could result in an inability to perform a mission-critical function, a significant loss of funds or information, or a significant liability or other legal exposure to a campus. Campus security plans must afford essential systems and data the highest level of security protection.
 
    C. Restricted Data/Electronic Resources
Restricted information describes any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit (e.g., Protected Personal Information (PPI), FERPA protected data, and HIPAA protected information). Campus security plans must afford systems that support the storage, transmission, or processing of restricted information the highest level of security protection.
 
  III. Requirements
 
    A. Campuswide Responsibilities
Per IS-3 requirements, UCR has developed an Information Security Plan consisting of the following five discrete elements:
 
· Computing and Communications Security Organization
· Operationalized Security Implementation Documents
· IS-3 Campus Security Departmental Planning Template
· Security, Privacy, and Confidentiality Communications and Awareness Program
· Security Breach Prevention and Incident Reporting Program
 
UCR has operationalized its central security plan via the creation and ongoing review/updating of six security implementation documents. An overview of these documents is as follows:
 
· Risk Assessment, Disaster Recovery, and Organizational Structures. This document provides an overview of the C&C Risk Assessment approach and the planning assumptions behind its disaster recovery plan, and includes other details concerning C&C security staff and organizational structure.
 
· Identity Management Systems. This document provides an overview of C&C Identity Management practices, processes, and technologies, as well as UCR Identity Management stakeholders and their various roles and responsibilities.
 
· Servers and Operating Systems Security. This document defines the various measures adopted to ensure server and operating system security (e.g., firewalls, log management, patching, access controls, etc.), as well as the approaches used to document and record compliance with these measures.
 
· Database Security. This document defines the various measures adopted to ensure database security (e.g., change control, access controls, etc.), as well as the approaches used to document and record compliance with these measures.
 
· Physical Security. This document defines the various measures adopted to ensure appropriate physical security, as well as the approaches used to document and record compliance with these measures.
 
· Network Security. This document defines the various measures adopted to ensure network security (e.g., access control lists, firewalls, change control, log management, patching, etc.), as well as the approaches used to document and record compliance with these measures.
 
· Application Development – Change Control & Vulnerability Scanning. This document defines the C&C approach to application development, including request intake, testing, user approvals, migration management, change control, source code management, and vulnerability scanning, as well as the approaches used to document and record compliance with these measures.
 
    B. Departmental and Unit Responsibilities
 
Campus organizations and departments must utilize appropriate safeguards to protect systems/information resources based upon the sensitivity of the data in question, legal requirements, and risks to the university. Departmental/unit responsibilities include the following:
 
· Security Plan. Developing and implementing a security plan, including a process for risk assessment that addresses, at a minimum, the issues outlined in the UCR Security Planning Template (http://cnc.ucr.edu/security/downloads/is3_local_campus_overview-departmental_planning_template_042011.pdf).
 
· Minimum Security Standards. Ensuring servers and systems meet or exceed campus minimum security standards (found at http://cnc.ucr.edu/security/server.html).
 
· Other Legal, Industry, or Policy Security Requirements. Ensuring servers and systems meet or exceed industry, statutorily required, or UC policy specialized security requirements (e.g., PCI, FERPA, HIPAA, etc.).
 
· Annual Risk Assessment and Inventory of Systems Containing Personal Protected Data. Completing the annual risk assessment and inventory of all systems that contain PPI and/or essential or restricted data as defined in this document.
 
· Security Communications. Communicating policy requirements and the implications of security breaches to departmental and unit staff who are involved with systems containing PPI and/or essential or restricted data as defined in this document.
 
· Contractual Agreements. Ensuring contractual arrangements with non-campus entities include third-party obligations regarding PPI and/or essential or restricted data as defined in this document.
 
The UCR Security Planning Template covers the following areas (see the above section or the References section for the URL of the complete planning template):
 
Administrative Workforce Controls
  o Workforce and authorization management
  o Critical positions
  o Violations
 
Operational and Technical Controls
  o Identity and access management
  o Access controls
    § Passwords and other authentication credentials
    § Session protection
    § Privileged access
 
Systems and Application Security
  o Systems personnel
  o Backup and retention
  o System protection
  o Patch management
  o Systems and application software development
 
Network Security
  o Change management
  o Audit logs
  o Encryption
 
Physical and Environmental Controls
  o Risk mitigation measures
  o Physical access controls
  o Tracking reassignment or movement of devices and stock inventories
  o Disposition of equipment
  o Portable devices and media
 
  IV. Remediation
 
The UCR Electronic Information Security Policy is designed to ensure robust and secure academic and administrative operations. Failure to accommodate/address the requirements outlined in this policy places all campus electronic resources at risk and, therefore, threatens UCR teaching, research, and public service missions. Thus, if policy violations are discovered, C&C will remove the impacted systems from the campus network. After the issues in question have been remediated and, in consultation with the appropriate Dean, Vice Chancellor, or responsible administrative official, C&C will re-enable network access.
 
References and Links to Electronic Resources
 
National and State Resources
 
(1) California Information Practices Act of 1977 (IPA)
(http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/StateInformationPracticesAct.aspx)
 
(2) California Public Records Act (CPRA)
(http://www.leginfo.ca.gov/cgi-bin/displaycode?section=gov&group=06001-07000&file=6250-6270)
 
(3) Federal Family Educational Rights and Privacy Act of 1974 (FERPA)
(http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html)
 
University of California Resources
 
(1) UCOP Electronic Communications Policy, August 2005
(http://www.ucop.edu/ucophome/policies/ec/)
 
(2) UCOP Policies Applying to Campus Activities, Organizations, and Students, October 2009
(http://www.ucop.edu/ucophome/uwnews/aospol/toc.html)
 
(3) UC Business and Finance Bulletins
(http://www.ucop.edu/ucophome/policies/bfb/)
 
(4) UCOP IS-3, Electronic Information Security, February 2011
(http://www.ucop.edu/ucophome/policies/bfb/is3.pdf)
 
(5) UCOP IS-10, Systems Development and Maintenance Standards, May 2001
(http://www.ucop.edu/ucophome/policies/bfb/is10.pdf)
 
(6) UCOP RMP-8, Legal Requirements on Privacy of and Access to Information
(http://www.ucop.edu/ucophome/policies/bfb/rmp8toc.html)
 
University of California, Riverside Resources
 
(1) Campus Policies and Procedures Manual
(http://fboapps.ucr.edu/policies/)
 
(2) UCR Server Minimum Standards
(http://cnc.ucr.edu/security/server.html)
 
(3) Departmental/Unit Security Plan Template
(http://cnc.ucr.edu/security/downloads/is3_local_campus_overview-departmental_planning_template_042011.pdf)
 
(4) Computing & Communications Security Web Site
(http://cnc.ucr.edu/security)