Information Security Policies, Procedures, and Guidelines
Each member of the UCSF community is responsible for the security and protection of electronic Information Resources. Electronic Information Resources include electronic information itself and also the systems that are used to store, manipulate or translate electronic information.
Examples of Electronic Systems
Examples of Electronic Information
The University of California, along with UCSF, has created policies, guidelines and standards to assist individuals in protecting their electronic information. All members of the UCSF community are responsible for familiarizing themselves with and complying with all UC and UCSF policies.
Policies
A policy is typically a document that outlines specific requirements or rules that must be met.
- UC Related Policies
- UCSF Campus Administrative Policy 650-16: Information Security and Confidentiality
- Addendum A - UCSF Roles and Responsibilities for Securing Electronic Information Resources
- Addendum B - UCSF Minimum Security Standards for Electronic Information Resources
- Addendum C - Incident Investigation
- University of California Electronic Communications Policy (ECP)
- UCSF Implementation of the Electronic Communications Policy - Access without Consent process
- Relevant External Laws and Regulations
- Health Insurance Portability and Accountability Act (HIPAA)
- California Senate Bill 1386 (SB1386)
- Digital Millennium Copyright Act (DMCA)
- Family Educational Rights and Privacy Act (FERPA)
- e-Discovery
Standards
A standard is typically a collection of system-specific or procedure-specific requirements that must be met.
- UCSF Minimum Security Standards for Electronic Information Resources
- Unified UCSF Enterprise Password Standard
Guidelines
A guideline is typically a collection of system-specific or procedure-specific "suggestions" for best practice. They are not requirements to be met but are strongly recommended.
- UCOP Management Guide for Information Security
- UCOP Business & Finance Bulletins
- IS-3 - Electronic Information Security
- IS-2 - Inventory, Classification, and Release of University Electronic Information
- IS-11 - Identity and Access Management
- IS-12 - Continuity Planning and Disaster Recovery
- Determine if you need to use encryption (for information "at rest" or "in flight")
- UCOP encryption guidelines (full document)
- Enterprise Information Security Best Practices
Procedures
- UCSF Incident Investigation Procedures
- Procedure for Unscheduled Outages (application/pdf, 34.3 kB)
- Flowchart for Unscheduled Outages (application/pdf, 25.4 kB)
- UCOP instructions to IT employees for handling information requests from the FBI or other Federal agents
Proposed Policies and Procedures
The following proposed policies are currently under review for implementation. All UCSF policies undergo the Request for Comment process. The comment period is closed on both of these documents and the CIO group has approved them.
- UCSF 650-XX UCSF Authorized and Acceptable Use Policy
- This policy formally defines the scope of authorized and acceptable use of UCSF systems. A campus authorized and acceptable use policy is recommended in UCOP IS-3, Information Security.
- Examples: The policy allows all members of the UCSF community to conduct incidental personal use (with certain constraints) on UCSF computer systems (e.g. instant messaging, sending emails, and listening to music). The policy explicitly prohibits several activities, including illegal activities, violations of copyright, use of systems for financial gain, and misrepresenting the University.
- The Authorized and Acceptable Use Policy refers to the UCSF Guest Access form (application/msword, 129.5 kB).
- UCSF 650-XX UCSF Network Security Monitoring Policy
- The UCOP Electronic Communications Policy allows for monitoring, logging and retention of network communications for administrative and security purposes, and states that campuses must make this practice known and provide policy and guidelines for its use. This policy describes the use of monitoring, logging and retention of network traffic at UCSF for the purposes of ensuring the confidentiality, integrity and availability of UCSF systems, Electronic Information Resources (EIRs) and Electronic Communication Records (ECRs).
- Examples: System administrators are allowed to monitor systems for information security and administrative purposes without consent. The policy allows for intrusion detection systems, system logging, etc.
The following procedure is currently undergoing revision.