UC Davis begins campuswide information security assessment

UC Davis has hired a consultant to assess the campus's information security posture, look at its current risks, and offer ideas for improvement.

"We hope to get a holistic view of where the campus and UC Davis Health System are, in terms of information security best practices," said Chief Information Security Officer Cheryl Washington.

Chancellor Linda P.B. Katehi and Provost and Executive Vice Chancellor Ralph J. Hexter commissioned the assessment. It comes in the wake of high-profile cyberattacks this year that have targeted UCLA Health, private businesses and federal government computer systems, but is not directly related to any individual event.

"The chancellor, provost, CIO, and all senior leaders are firmly committed to enhancing UC Davis' strong security posture," Washington said.

No problems stemming from the UCLA incident have been discovered at UC Davis.

Viji Murali, chief information officer and vice provost of Information and Educational Technology, and Audit & Management Advisory Services will manage this project with assistance from Health System CIO Michael Minear and with help from the consulting firm. The consultant will:

  • Look at current security practices at UC Davis, and identify a set of processes and controls suitable for the environment at UC Davis and its Health System.
  • Develop a strategy and plan to continuously evaluate and reduce cyber-risks across campus.
  • Establish a roadmap that outlines an approach to remediate risks, and to improve processes and controls based on the assessment.

The consultant will look at dozens of specific areas as they relate to the confidentiality, availability, and integrity of data, ranging from support structures among upper management, and core IT practices, to IT infrastructure and data management policies.

The consultant will review and observe systems and processes, gather documents, and interview people an d departments throughout UC Davis.

"If you're asked to cooperate, please do so," Washington said. "It is important that we get accurate and complete information."

The consultant's report is due within four months.