Overview

BFB IS-3 Information Security is the systemwide information security policy that was ratified in late 2018. The policy is supported by 9 standards and several interpretive guides. All IT staff should familiarize themselves with the policy and the standards. IT activity, especially the creation or update of shared services, must be conducted according to the policy.

The policy introduces several roles. The one of particular interest to IT groups is the Service Provider. A glossary is available to aid understanding of the roles and other concepts featured throughout the policy.

Unlike the prior policy, the current IS-3 is prescriptive, with a large number of mandatory controls. There are also mechanisms that allow the controls to be adjusted to the level of organizational and technical risk. Few IT systems are fully compliant with the policy yet, but many are protected in a manner consistent with their risk.

IS-3 at UCSB

UCSB has more than 300 organizational units, not including major research projects, which are classified as units under the policy. It is impractical to fully implement IS-3 at that level of granularity. The policy has a relationship to BUS-80 Insurance Programs for Institutional Information Technology Resources (https://policy.ucop.edu/doc/3520504/BFB-BUS-80) that suggests that Unit Heads should be more senior executives. Toward that end, the Vice Chancellors for Administration and Student Affairs will act as Unit Heads for their respective divisions. The Associate Vice Chancellor for IT and CIO will act as Unit Head for Information Technology Services. The assignment of Unit Heads for the remainder of the campus is ongoing.

Each Unit Head will appoint one or more Unit Information Security Leads (UISL) to oversee technical compliance. For Administrative Services, Ben Price, Director of Administrative and Residential Information Technology and Associate CIO will be the lead UISL. For Student Affairs, Joe Sabado, Executive Director of Student Information Systems and Technology and Associate CIO will be the lead UISL. UCSB's Chief Information Security Officer will be the lead UISL for Information Technology Services. Other UISLs may be appointed for smaller units within these organizations.

The Office of the CIO is preparing facilitated risk assessments based on IS-3 controls. These will be used to create prioritized compliance plans for units. These risk assessments will be conducted on a periodic basis starting in 2020. In the meantime, there are several elements of the policy that IT staff and IT Service Providers should turn their attention to immediately.

  • Inventory and classify your Information & Resources
  • Bring infrastructure and services into compliance
    • Section 9: Access Control
    • Section 12: Operations Management
    • Minimum Security Standard
    • Account and Authentication Management Standard
    • Secure Software Configuration Standard
    • Secure Software Development Standard

Security policy exception and risk acceptance

IT security at the University of California and UCSB is governed by BFB IS-3 and supporting standards. The policy (Section 2.2) recognizes that there are occasions where a system or process cannot be compliant with the policy as written and that alternative equivalent mitigations may be acceptable. There may also be occasions when mitigations may be inadequate to reach an equivalent level of protection, and risk acceptance may be required.

