What is IS-3?

Information Security Policy 3 (IS-3), supports a risk-based approach to managing security and sets a minimum* security baseline. IS-3 addresses the core pillars of information security:

• Confidentiality
• Integrity
• Availability

IS-3 is based on a security standard adopted by many other universities (ISO 27001 & 27002). It supports new cybersecurity compliance requirements (NIST 800-171, PCI and HIPAA, etc.) governing data protection.

IS-3 was approved by UC President, Janet Napolitano, on September 7, 2018.

* Some environments (e.g., critical infrastructure and credit card merchants) will require more controls.

Policies and Standards

These links are hosted on the University of California Office of the President (UCOP) Systemwide Information Security site:

• IT Policies
• IT Policy Glossary
• Important Security Controls for Everyone and All Devices
• Account and Authentication Management
• Classification of Information and IT Resources
• I have a new smart phone. How do I set it up for Duo?
• Disposal of Institutional Information
• Encryption Key and Certificate Management
• Event Logging
• Incident Response
• Secure Software Configuration
• Secure Software Development

IS-3 Directives

Every UC Davis unit, defined as a school, research project, administrative office, or collection of departments, has four specific directives:

1. Units must complete Risk Assessments
2. Units must encrypt institutional information
3. Units must have an approval process for granting access
4. Units must ensure that agreements with suppliers contain security requirements

IS-3 Scope

1. Locations: All UC campuses and medical centers, the UC Office of the President, UC Agriculture and Natural Resources, UC-managed national laboratories and all other UC locations.
2. People: All Workforce Members*, Suppliers, Service Providers and other authorized users of institutional information and IT resources.
3. Data: All use of institutional information, independent of the location (physical or cloud), ownership of any device or account that is used to store, access, process, transmit or control institutional information.
4. Devices: All devices, independent of their location or ownership, when connected to a UC network or cloud service used to store or process institutional information.
5. Research: Research projects performed at any location and UC-sponsored work performed by any location.

*Workforce members: Employees, faculty, staff, contractor, student worker, volunteer, student intern, student volunteer, researcher, student/supporting/performing research, medical center staff/personnel, clinician, medical school student treating patients, person working for UC in any capacity or other augmentation to UC staffing levels.

IS-3 at UC Davis

The UC Davis Information Security office:

• Is responsible for IS-3 implementation and outreach at UC Davis
• Has created this webpage to provide an overview of IS-3
• Has created a secure space to share information and guidance to campus IS-3 leads. Login to CAS to view information.

IS-3 Support

Questions about IS-3? Need information about scheduling a Risk Assessment or requesting an informational session about IS-3 for your unit?

Send an email to cybersecurity@ucdavis.edu to get started.