
Guiding Principles


The University of California is committed to high standards of excellence for protection of information assets and information technology resources that support the University enterprise. The University processes, stores, and transmits an immense quantity of electronic information to conduct its academic and business functions. Without the implementation of appropriate controls and security measures, these assets are subject to potential damage or compromise to confidentiality or privacy, and the activities of the University are subject to interruption.

Management Principles

Stewardship and Accountability
Everyone has a responsibility to protect information and individuals are held accountable.
Risk Management
Information must not be stored without understanding and formally mitigating or accepting the risk.
Business Ownership
Information security is owned by all levels of the organization, not just IT. Senior managers are involved in determining and accepting information security risk.

Architecture Principles

Defense In Depth
Where one control would be reasonable, more controls that approach risks in different fashions are better. Controls, when used in depth, can make severe vulnerabilities extraordinarily difficult to exploit and thus unlikely to occur.
Least Privilege Access
The principle of least privilege recommends that accounts have the least amount of privilege required to perform their business processes.
Segmentation
Areas of risk must be separated by strongly defined and protected technical, logical, and physical segmentation and compartmentalization.
Segregation of Duties
A key control is separation of duties. Certain roles have different levels of trust than normal users. In particular, administrators are different from normal users. In general, administrators should not be users of the application.
Do Not Trust Services
Many departments utilize the processing capabilities of third-party partners, who more than likely have security policies and posture that differ from yours. Therefore, implicit trust of externally run systems is not warranted. All external systems should be treated in a similar fashion.
Simplicity
Attack surface area and simplicity go hand in hand. System administrators, developers, and IT staff should avoid the use of complex architectures when a simpler approach would be faster.

Information Security and Privacy Policies


Information Security decision making is guided by documented policies.
See more: Information Security and Privacy Policies

Roles and Responsibilities


Information Security roles must be formally defined and individuals must be assigned to fulfill those roles.
See more: Roles and Responsibilities

Data Classification


Data must be formally inventoried and assigned a risk classification.
See more: Data Classification

Risk Management


The critical component of implementing information security is performing risk assessment on all information and infrastructure assets.
See more: Risk Management

Information Security Controls


Each risk classification has a baseline of controls for risk mitigation. These controls must be modified based on individual system risks.
See more: Information Security Controls
