The University of California is committed to high standards of excellence for protection of information assets and information technology resources that support the University enterprise. The University processes, stores, and transmits an immense quantity of electronic information to conduct its academic and business functions. Without the implementation of appropriate controls and security measures, these assets are subject to potential damage or compromise to confidentiality or privacy, and the activities of the University are subject to interruption. Stewardship and Accountability
Everyone has a responsibility to protect information and individuals are held accountable.
Risk Management
Information must not be stored without understanding and formally mitigating or accepting the risk.
Business Ownership
Information security is owned by all levels of the organization, not just IT. Senior managers are involved in determining and accepting information security risk.
Privacy
Privacy and security is not a "zero-sum game." All aspects of privacy, including academic freedom, are weighed and incorporated into security practices. Defense In Depth
A system should employ multiple levels of defense such that a single breach of one sub-system does not expose the entire system directly to an attacker.
Least Privilege Access
A user, system or process should only be granted the minimum set of privileges they require to perform their designated job.
Segmentation
Sub-systems should be partitioned logically and isolated using physical devices and/or security controls
Segregation of Duties
No single individual should have the power to effect change of a critical control process, system or transaction. In general, administrators should not be users of the application.
Accountability
All actions exceeding a specified risk threshold should be undeniably traceable to an initiating user, process or system.
Do Not Trust Services
Systems or sub-systems outside the bounds of a secure environment must never be trusted implicitly
Simplicity
Minimize the complexity and therefore potential points of failure, security breaches and obscurity of the system
Reuse
Existing security controls should be given preference over custom solutions
Secure Default
The default settings for each component or sub-system should be the most secure settings
Information Security decision making is guided by documented policies.
See more: Information Security and Privacy Policies
Information Security roles must be formally defined and individuals must be assigned to fulfill those roles.
See more: Roles and Responsibilities
Data must be formally inventoried and assigned a risk classification.
See more: Data Classification
The critical component to implenting information security is performing risk assessment on all information and infrastructure assets.
See more: Risk Management
Each risk classification has a baseline of controls for risk mitigation. These controls must be modified based on individual system risks.
See more: Information Security Controls |