Cybersecurity Mandate 2025

University of California Information Security Investment Plan

In 2024, University of California President Dr. Michael V. Drake notified all UC locations of new requirements for updated information security investment plans. These plans are critical to institutional resilience as colleges and universities across the United States face more frequent and sophisticated cybersecurity threats. Below you will find more information about this UC System-Wide Cybersecurity Mandate (also known as the University of California Information Security Investment Plan) as well as UC Davis-specific updates and guidelines. 

5 Things to Know about the UC System-Wide Cybersecurity Mandate

  1. All UC locations, including UC Davis, must comply with new information security requirements by May 2025.
     
  2. These requirements apply to all UC Davis employees, including faculty. UCOP has outlined enforcement measures. UC Davis-specific enforcement measures will be shared as they become available.
     
  3. Information and Educational Technology (IET) and the Information Security Office, in collaboration with campus IT leadership, are working together on a UC Davis-specific action plan for these new requirements. Updates will be added to this page as more information becomes available.
     
  4. Requirements of the UC-wide cybersecurity mandate include mandatory information security training and the use of advanced security protection software on university-owned devices. The full list of requirements is available below. 
     
  5. Benefits of the new cybersecurity mandate include:
    • Proactive, collaborative planning across UC campuses
    • Better protection for university digital infrastructure and data, including UC Davis
    • Stronger cybersecurity posture for each individual campus
    • Enhanced risk mitigation strategies 

1. Cybersecurity Awareness Training

"Ensure cybersecurity awareness training for 100 percent of location employees."

2. Cyber Incident Escalation Response

"Ensure timely cyber escalation of incidents in alignment with UC Incident response and cybersecurity escalation standards."

3. Computing Device Identification & Management

"Ensure identification, tracking, and vulnerability management of all computing devices connected to university networks."

4. Endpoint Detection & Response (EDR)

"Deploy and manage UC-approved Endpoint Detection and Response (EDR) software on 100 percent of assets defined by UC EDR deployment standards."

5. Multi-Factor Authentication (MFA)

"Deploy, enable, and configure multi-factor authentication (MFA) on 100 percent of campus and health email systems in conformance with established UC MFA configuration standards."

6. Data Loss Prevention (DLP) for Health Email Systems

"Deploy and configure a robust DLP solution for all health email systems to mitigate unauthorized data exfiltration."

UC Davis Action Plan 

UC Davis is leading a comprehensive information security action plan. The UC System-Wide Cybersecurity Mandate only accelerates the timeline of the key pillars of our plan. Below you will find more information on our progress to achieve the goals outlined in the 2025 mandate. 

Cyber Investment Planning Summit (Spring 2024)

In March 2024, UC Davis hosted a planning summit for campus IT professionals. The event served as a springboard for planning and implementation of the UC System-Wide Cybersecurity Mandate at UC Davis.

  • Breakout sessions enabled technical UISLs to focus on compliance with UC-wide security policies, deploying endpoint detection software, enabling multi-factor authentication (MFA), and implementing Data Loss Prevention (DLP) solutions.
  • Other sessions focused on cybersecurity awareness training, reviewing compliance ideas, risks, and challenges, and discussing next steps for standardizing security practices across campus. 

Implementation Areas

  • Cybersecurity Incident Response
    Requirement: Ensure timely cyber escalation of incidents in alignment with UC Incident response and cybersecurity escalation standards.
    The Incident Response Plan (IRP) for UC Davis emphasizes the need for a consistent and systematic approach to managing security and privacy incidents.

    Fall 2024 Update: The campus incident response plan (IRP) is updated to align with new system-wide incident response requirements.  The Information Security Office (ISO) will work with campus units to create (or update) local incident response plans to align with the campus IRP.  

    Action: All unit heads will be asked to review and approve their local incident response plans. 
  • Endpoint Security
    Requirement: Deploy and manage UC-approved Endpoint Detection and Response (EDR) software on 100 percent of assets defined by UC EDR deployment standards.
    The Endpoint Security Strategy at UC Davis addresses the current decentralized IT security structure and proposes a centralized solution for managing endpoint security across campus. 
    Proposed Solution: A transition from multiple endpoint security tools to a centralized and standardized model to enhance visibility, protection, and compliance. 

    Fall 2024 Update: In accordance with UC’s EDR deployment standard, EDR software must be deployed on laptops, desktops, and servers that are procured or managed by UCD and that connect to a campus network or enterprise system. To meet this requirement, the ISO is working with campus technical UISLs to deploy UC’s approved EDR software to campus-owned devices. For more information, please contact the ISO (cybersecurity@ucdavis.edu) or your technical UISL.
  • Vulnerability Management
    Requirement: Ensure identification, tracking and vulnerability management of all computing devices connected to university networks.
    The Vulnerability Management Program (VMP) Strategy for UC Davis proposes adopting a risk-based approach to vulnerability management. 

    Fall 2024 Update: The Information Security Office (ISO) currently manages a vulnerability management service that protects the campus network.  The ISO plans to engage with technical UISLs to determine if there is an opportunity to enhance utilization of this service.

    Some campus units manage a local asset inventory service for their departments. The ISO will be working with technical UISLs to determine if these local inventory systems meet the Drake requirements. 
    Campus units without the resources to discover assets on their campus network segments may leverage a new asset management service recently launched by IET. 

    IET is leading a campus-wide working group to develop a new service designed to help capture detailed information about assets discovered on our networks.  Please contact the ISO to learn more about this project. 

    Action: Campus units can contact the ISO (cybersecurity@ucdavis.edu) for more information about identification, tracking, and vulnerability management of computing devices at UC Davis.  
     
  • Cybersecurity Awareness Training
    Requirement: Ensure cybersecurity awareness training for 100 percent of location employees.

    Security awareness training is addressed in UCD’s Information Security Management Plan. All faculty, staff, and student workers are required to take UC’s mandatory security awareness training annually. Additionally, the ISO hosts target-based security training and a biennial information security symposium for our community that includes guests from other UC locations. 

    Fall 2024 Update: Anyone (including student workers) with an active appointment in UCPath is expected to complete mandatory training, with few exceptions.  All status changes come directly from UCPath. If an employee is currently on leave, units will need to ensure their leave is reflected in UCPath. Otherwise, the employee will be notified they must complete the training. 

    Action: Managers and supervisors are to monitor their student employee compliance rates and ensure that all students on paid status complete security awareness training. If a student is no longer working for a department, this change must be reflected in UCPath. Otherwise, the student will be notified to complete the training. Managers can check for overdue training at any time through the manager dashboard hosted in the Learning Center. The Learning and Organizational Development team, within Human Resources, has also developed the following website where you can learn more about mandatory training. For training questions, feedback, or Learning Center requests, contact hr-learning@ucdavis.edu.
  • Multi-Factor Authentication
    Requirement: Deploy, enable and configure multi-factor authentication (MFA) on 100 percent of campus and health email systems in conformance with established UC MFA configuration standards.
    Expand implementation of multi-factor authentication, including risk-based authentication, beyond the campus's two main enterprise email systems.

    Fall 2024 Update:  Several campus departments maintain locally managed email services that do not enforce MFA or are not capable of supporting MFA. The ISO and IET email teams are currently working with local email system administrators to update their email systems to support MFA or begin a transition to the campus email systems. 

    Action: Messages tailored specifically to schools/colleges/units are in progress to identify the Active Directory accounts and email services without MFA and how to bring these into compliance by January 31, 2025. This date applies to MFA compliance only in preparation for the May 2025 deadline.
  • Data Loss Prevention
    Requirement: Deploy and configure a robust DLP solution for all health email systems to mitigate unauthorized data exfiltration.
    While this requirement does not apply to the Davis campus, we plan to research the feasibility of deploying a DLP solution in our enterprise-supported email systems.  

    Fall 2024 Update:  IET developed a proposal to deploy DLP for Microsoft 365 in response to an audit finding. For more information about this project, please reach out to Mark Thonen (mthonen@ucdavis.edu), Executive Director and Chief of Staff, Office of the Vice Provost and CIO.

More information will be added as it becomes available. This page was last updated on December 20, 2024.