Learn More

What is IS-3?

The UC security policy hasn't been updated in 10 years. The new policy, Information Security Policy 3 (IS-3), supports a risk-based approach to managing security and sets a minimum* security baseline. IS-3 addresses the core pillars of information security:

  • Confidentiality
  • Integrity
  • Availability

IS-3 is based on a security standard adopted by many other universities (ISO 27001 & 27002). It supports new cybersecurity compliance requirements (NIST 800-171, PCI and HIPAA, etc.) governing data protection.

IS-3 was approved by UC President, Janet Napolitano, on September 7, 2018.

* Some environments (e.g., critical infrastructure and credit card merchants) will require more controls.

Policies and Standards

Open Policies and Standards configuration options

These links are hosted on the University of California Office of the President (UCOP) Systemwide Information Security site:

IS-3 Directives

Open IS-3 Directives configuration options

Every UC Davis unit, defined as a school, research project, administrative office, or collection of departments, has 4 specific directives:

  1. Units must complete Risk Assessments
  2. Units must encrypt institutional information
  3. Units must have an approval process for granting access
  4. Units must ensure that agreements with suppliers contain security requirements

IS-3 Scope

Open IS-3 Scope configuration options

  1. Locations: All UC campuses and medical centers, the UC Office of the President, UC Agriculture and Natural Resources, UC-managed national laboratories and all other UC locations.
  2. People: All Workforce Members*, Suppliers, Service Providers and other authorized users of institutional information and IT resources.
  3. Data: All use of institutional information, independent of the location (physical or cloud), ownership of any device or account that is used to store, access, process, transmit or control institutional information.
  4. Devices: All devices, independent of their location or ownership, when connected to a UC network or cloud service used to store or process institutional information.
  5. Research: Research projects performed at any location and UC-sponsored work performed by any location.

*Workforce membersEmployees, faculty, staff, contractor, student worker, volunteer, student intern, student volunteer, researcher, student/supporting/performing research, medical center staff/personnel, clinician, medical school student treating patients, person working for UC in any capacity or other augmentation to UC staffing levels.

IS-3 at UC Davis

Open IS-3 at UC Davis configuration options

The UC Davis Information Security office:

  • Is responsible for IS-3 implementation and outreach at UC Davis
  • Has created this webpage to provide an overview of IS-3
  • Has created a secure space to share information and guidance to campus IS-3 leads. Login to CAS to view information.

IS-3 Support

Open IS-3 Support configuration options

Questions about IS-3?

Information about scheduling a Risk Assessment or requesting an informational session about IS-3 for your unit?

Send an email to cybersecurity@ucdavis.edu to get started.