UC Security Policy for IT Professionals

As a member of the UC Santa Barbara IT professionals community, you are responsible for ensuring the securitization of data and other information technology property. 

If you need to report an incident please go to our Report Harassing or Unwanted Email page, the Report Scanning, Hacking, and Other Hostile Activity page, or the Report a Lost or Stolen Device page.

KeePass keyboard secured hand IT security


UC Security Policy

The University of California ratified systemwide policy BFB IS-3 Information Security in October 2019. IS-3 is an overarching policy that is supported by nine technical standards. The collective governance is based on ISO 27001 and 27002 standards and closely follows their form.

The policy sets out roles and responsibilities for members of the UC workforce and organizations to achieve and maintain compliance with policy provisions. Principle among these is the Cyber-risk Responsible Executive (CRE), the Chief Information Security Officer (CISO), Unit Heads, and Unit Information Security Leads (UISL). Among the responsibilities of the CISO are the creation and maintenance of Risk Treatment Plans and other guidance documents laying out how the policy will be implemented at each location. 

This site will be the principal repository for processes documentation, risk treatment plans, and other documentation related to compliance with IS-3.

Other relevant policies include IS-11 Identity and Access management, IS-12 Continuity Planning and Disaster Recovery, and the UC Electronic Communications Policy. You can find all of these policies at the systemwide policy site at the UC Office of the President: security.ucop.edu/policies/.

Download the UCSB Risk Treatment Plan - Password/Passphrase Management