Overview

BFB IS-3 Information Security is the systemwide information security policy that was ratified in late 2018. The policy is supported by 9 standards and several interpretive guides. All IT staff should familiarize themselves with the policy and the standards. IT activity, especially the creation or update of shared services, must be conducted according to the policy.

The policy introduces several roles. One role of particular interest to IT groups is the Service Provider. A glossary is available to aid understanding of the roles and other concepts featured throughout the policy.

Unlike the prior policy, the current IS-3 is prescriptive, with a large number of mandatory controls. There are also mechanisms that allow the controls to be adjusted to the level of organizational and technical risk. Few IT systems are fully compliant with the policy yet, but many are protected in a manner consistent with risk.

IS-3 at UCSB

UCSB has more than 300 organizational units, not including major research projects, which are classified as units under the policy. It is impractical to fully implement IS-3 at that level of granularity. The policy has a relationship to BUS-80 Insurance Programs for Institutional Information Technology Resources (https://security.ucop.edu/files/documents/uc-availability-level-classification-guide.pdf) that suggests that Unit Heads be more senior executives. Toward that end, the Vice Chancellors for Administration and Student Affairs will act as Unit Heads for their respective divisions. The Associate Vice Chancellor for IT and CIO will act as Unit Head for Enterprise Technology Services. The assignment of Unit Heads for the remainder of the campus is ongoing.

Each Unit Head will appoint one or more Unit Information Security Leads (UISL) to oversee technical compliance. For Administrative Services, Ben Price, Director of Administrative and Residential Information Technology and Associate CIO will be the lead UISL. For Student Affairs, Joe Sabado, Executive Director of Student Information Systems and Technology and Associate CIO will be the lead UISL. Sam Horowitz, Chief Information Security Officer will be the lead UISL for Enterprise Technology Services. Other UISLs may be appointed for smaller units within these organizations.

The Office of the CIO is preparing facilitated risk assessments based on IS-3 controls. These will be used to create prioritized compliance plans for units. These risk assessments will be conducted on a periodic basis starting in 2020. In the meantime, there are several elements of the policy to which IT staff and IT Service Providers should turn their attention immediately.

  • Inventory and classify your Information & Resources
  • Bring infrastructure and services into compliance
    • Section 9: Access Control
    • Section 12: Operations Management
    • Minimum Security Standard
    • Account and Authentication Management Standard
    • Secure Software Configuration Standard
    • Secure Software Development Standard

Standards

Interpretive guides

Security policy exception and risk acceptance

BFB IS-3 and its supporting standards govern IT security for systems at the University of California and UCSB. The policy (Section 2.2) recognizes that there are occasions when a system or process cannot be compliant with the policy as written and that alternative, equivalent mitigations may be acceptable. There may also be occasions when mitigations are inadequate to reach an equivalent level of protection, and risk acceptance may be required.

The mechanism to request an exception or risk acceptance is to complete a form that specifies the nature of the request and the context. The form should be completed by the Unit Information Security Lead (UISL) or their designee. An exception requires three approvers:

  • The UISL requesting the exception or risk acceptance
  • The Unit Head approving the request and indicating acceptance of responsibility
  • The Chief Information Security Officer (CISO)

The CISO, at their discretion, may choose to specify additional approvers and may raise approval to the Cyber Risk Responsible Executive (CRE).

To begin the process, the UISL should download and complete the request document. Much of the information requested is self-explanatory. Five items are of particular importance. Failure to fully and accurately provide this information will result in the exception being denied.

  1. What is the specific policy or standard for which you are seeking an exception or risk acceptance? The answer must include a reference to the applicable section of the policy or standard.
  2. Why is the exception needed?
  3. What mitigations are in place to manage the risk of non-compliance to the same or a similar level as compliance?
  4. For how long is the exception needed?
  5. Are there any special requirements, such as regulatory or contractual requirements?

The UISL should discuss the exception request with the Unit Head and gain their approval.

If the Unit Head agrees, the UISL should forward the completed request document and all supporting documents to the CISO.

The CISO will evaluate the request and determine whether an exception or risk acceptance is appropriate. At their discretion, they may add approvers up to and including the campus CRE if they feel the level of risk warrants it.

The CISO will inform the requestor when the exception is approved, for how long, and any contingent requirements. If the exception or risk acceptance is granted, the CISO will prepare the document for final approval and initiate a DocuSign workflow. The UISL and Unit Head must complete the DocuSign workflow to finalize the request.

The UISL is responsible for ensuring that any system covered by the exception is decommissioned or brought into compliance with the policy before the expiration of the approval or acceptance.

For questions about the process, please contact Sam Horowitz, Chief Information Security Officer, at samh@ucsb.edu.

Additional references

UCSB-Specific Documents