
What is a Unit Information Security Lead?

The Unit Information Security Lead (UISL) is a term for the Workforce Member(s) assigned responsibility for tactical execution of information security activities in a School or Unit.

On this site Bruins can: 

→ Learn more about the Unit Information Security Lead (UISL) role.

→ Find out who your UISL, IT Strategic Partner (ITSP), and Unit Head are.

→ Explore policies and standards to learn how cybersecurity works across the UCLA campus and systemwide.


Empower the Bruin community

  • Grow a security culture by socializing policies and services.
  • Gather feedback from across campus.

 


Collaborate and Communicate

  • Promote collaboration and enhance communication to support Units in their security needs.
  • Empower the UISL community to serve as advocates for their Units.

Support cyber maturity goals

  • Create a security-first approach that fits each Unit's needs and resources to create a more secure UCLA.

Build accountability

  • Outline and define the roles and responsibilities of UISLs as they interact with Units.
  • Identify opportunities for improvement in security practices on a regular basis.

The established Information Security policy for the UC system, Electronic Information System Policy 3 (IS-3), supports a risk-based approach and aims to simplify cyber risk management by offering location-specific flexibility. IS-3 incorporates a subset of controls from ISO 27001 and ISO 27002. It also addresses legal requirements related to HIPAA, PCI, and federal regulations needed to qualify for certain grants that are essential to UC research funding.

There are 6 goals IS-3 aims to achieve:

  • The preservation of academic freedom and research collaboration
  • The protection of privacy
  • Following a risk-based approach
  • The maintenance of confidentiality
  • The protection of integrity
  • Ensuring availability

IS-3 defines the varying roles and responsibilities of authorized users of institutional information and IT resources:

Chief Information Security Officer (CISO) - The CISO is responsible for security functions throughout a Location, including assisting in the interpretation and application of this policy. The CISO has many other responsibilities, including approving exceptions, helping Units manage cyber risk, approving Risk Treatment Plans and participating in a Location’s cyber risk governance.

Institutional Information Proprietor - Assumes overall responsibility for establishing the Protection Level classification, access to and release of a defined set of Institutional Information. Classifies Institutional Information under their area of responsibility in accordance with this policy. Establishes and documents rules for use of, access to, approval for use of and removal of access to the Institutional Information.

Unit - A point of accountability and responsibility that results from creating/collecting or managing/possessing Institutional Information or installing/managing IT Resources. A Unit is typically a defined organization, such as the school of engineering, or a set of departments, such as student affairs. Because UC is a highly decentralized and independent federation of organizational units, the policy provides Units with the flexibility and responsibility to manage cyber risk.

Unit Head - A generic term for dean, vice chancellor or person in a similarly senior role who has the authority to allocate budget and is responsible for Unit performance. At a particular Location or in a specific situation, the following senior roles may also be Unit Heads: department chairs, assistant/associate vice chancellor (AVC), principal investigators, directors or senior managers. Unit heads have important responsibilities to ensure effective management of cyber risk.

Unit Information Security Lead (UISL) - A term for the Workforce Member(s) assigned responsibility for tactical execution of information security activities including, but not limited to, implementing security controls; reviewing and updating Risk Assessment and Risk Treatment plans; devising procedures for the proper handling, storage and disposal of electronic media within the Unit; and reviewing access rights.

Service Provider - A UC internal organization that offers IT services to Units. Service Providers typically assume most of the security responsibility and help Units understand Unit responsibilities with respect to cyber security.

Supplier - An external, third-party entity that provides goods or services to UC. Section III Subsection 15 describes what Suppliers must do. UC has specific contract terms that clarify the responsibilities of Suppliers and protect UC.

Workforce Manager - A person who supervises/manages other personnel or approves work or research on behalf of the University.

Workforce Member - An employee, faculty, staff, volunteer, contractor, researcher, student worker, student supporting/performing research, medical center staff/personnel, clinician, student intern, student volunteer or person working for UC in any capacity or through any other augmentation to UC staffing levels.

UCLA continues to strive towards IS-3 compliance by demonstrating a commitment to an improved cybersecurity posture. IS-3 is split into sections covering different information security principles:

  • Governance
  • Risk Management Process
  • Human Resource Security
  • Asset Management
  • Access Control
  • Encryption
  • Physical and Environmental Security
  • Operations Management
  • Communications Security
  • System Acquisition, Development, and Maintenance
  • Supplier Relationships
  • Information Security Incident Management
  • Information Security Aspects of Business Continuity
  • Compliance with External Requirements