BFB IS-3 Information Security (http://policy.ucop.edu/doc/7000543/BFB-IS-3) is the systemwide information security policy that was ratified in late 2018. The policy is supported by nine standards and several interpretive guides. All IT staff should familiarize themselves with the policy and the standards. IT activity, especially the creation or update of shared services, must be conducted according to the policy.
The policy introduces several roles. One role of particular interest to IT groups is Service Provider. A glossary is available to aid understanding of the roles and other concepts featured throughout the policy.
Unlike the prior policy, the current IS-3 is prescriptive, with a large number of mandatory controls. It also provides mechanisms for adjusting the controls to the level of organizational and technical risk. Few IT systems are fully compliant with the policy yet, but many are protected in a manner consistent with their risk.
IS-3 at UCSB
UCSB has more than 300 organizational units, not counting major research projects, each of which would be classified as a unit under the policy. It is impractical to fully implement IS-3 at that level of granularity. The policy's relationship to BUS-80 Insurance Programs for Institutional Information Technology Resources (https://security.ucop.edu/files/documents/uc-availability-level-classification-guide.pdf) suggests that Unit Heads should be more senior executives. Toward that end, the Vice Chancellors for Administration and Student Affairs will act as Unit Heads for their respective divisions. The Associate Vice Chancellor for IT and CIO will act as Unit Head for Enterprise Technology Services. The assignment of Unit Heads for the remainder of the campus is ongoing.
Each Unit Head will appoint one or more Unit Information Security Leads (UISLs) to oversee technical compliance. For Administrative Services, Ben Price, Director of Administrative and Residential Information Technology and Associate CIO, will be the lead UISL. For Student Affairs, Joe Sabado, Executive Director of Student Information Systems and Technology and Associate CIO, will be the lead UISL. Sam Horowitz, Chief Information Security Officer, will be the lead UISL for Enterprise Technology Services. Other UISLs may be appointed for smaller units within these organizations.
The Office of the CIO is preparing facilitated risk assessments based on IS-3 controls. These will be used to create prioritized compliance plans for units, and will be conducted on a periodic basis starting in 2020. In the meantime, there are several elements of the policy that IT staff and IT Service Providers should turn their attention to immediately:
- Inventory and classify your Institutional Information and IT Resources
- Bring infrastructure and services into compliance with:
  - Section 9: Access Control
  - Section 12: Operations Management
  - Minimum Security Standard
  - Account and Authentication Management Standard
  - Secure Software Configuration Standard
  - Secure Software Development Standard
- Minimum Security Standard (https://security.ucop.edu/files/documents/policies/minimum-security-standard.pdf)
- Account and Authentication Management Standard (https://security.ucop.edu/files/documents/policies/account-and-authentication-management-standard.pdf)
- Classification of Information and IT Services (https://security.ucop.edu/files/documents/policies/institutional-information-and-it-resource-classification-standard.pdf)
- Institutional Information Disposal Standard (https://security.ucop.edu/files/documents/policies/uc-institutional-information-disposal-standard.pdf)
- Encryption Key and Certificate Management Standard (https://security.ucop.edu/files/documents/policies/encryption-key-and-certificate-management-standard.pdf)
- Event Logging Standard (https://security.ucop.edu/files/documents/policies/event-logging-standard.pdf)
- Incident Response Standard (https://security.ucop.edu/files/documents/policies/incident-response-standard.pdf)
- Secure Software Configuration Standard (https://security.ucop.edu/files/documents/policies/secure-software-configuration-standard.pdf)
- Secure Software Development Standard (https://security.ucop.edu/files/documents/policies/secure-software-development-standard.pdf)
- Catalog of quick start guides by role (https://security.ucop.edu/policies/quick-start-guides-by-role/index.html)
- Glossary (https://security.ucop.edu/files/documents/policies/it-policy-glossary.pdf)
- Classification guide for protection levels (https://security.ucop.edu/files/documents/uc-protection-level-classification-guide.pdf)
- Classification guide for availability levels (https://security.ucop.edu/files/documents/uc-availability-level-classification-guide.pdf)
- Electronic Communication Policy (http://policy.ucop.edu/doc/7000470)
- Implementation of the Electronic Communication Policy (IECP) (https://www.policy.ucsb.edu/sites/www.policy.ucsb.edu/files/docs/policies/ecp.pdf)
- Presentation to campuswide IT, January 24, 2020 (https://bit.ly/30Xs1xr)