The University of California ratified systemwide policy BFB IS-3 Information Security in October 2019. IS-3 is an overarching policy that is supported by nine technical standards. The collective governance is based on ISO 27001 and 27002 standards and closely follows their form.
The policy sets out roles and responsibilities for members of the UC workforce and organizations to achieve and maintain compliance with policy provisions. Principal among these are the Cyber-risk Responsible Executive (CRE), the Chief Information Security Officer (CISO), Unit Heads, and Unit Information Security Leads (UISL). Among the responsibilities of the CISO are the creation and maintenance of Risk Treatment Plans and other guidance documents laying out how the policy will be implemented at each location.
This site will be the principal repository for process documentation, risk treatment plans, and other documentation related to compliance with IS-3.
Other relevant policies include IS-11 Identity and Access Management, IS-12 Continuity Planning and Disaster Recovery, and the UC Electronic Communications Policy. You can find all of these policies at the systemwide policy site at the UC Office of the President: security.ucop.edu/policies/.