
UCSF 650-16 Addendum B - UCSF Minimum Security Standards for Electronic Information Resources

Policy Type: Policy

I. Introduction

Minimum Standards for Electronic Information Resources (EIRs) are required to protect all UCSF information resources and systems and to reduce the impact of information security incidents. Implementation of these standards is a joint responsibility of Technical Support Providers and Authorized Users.

II. Scope

These minimum security standards are intended for all departments within the campus community. The UCSF Medical Center has minimum standards that must be met for the Medical Center environment.

Non-UCSF devices, including personal computing devices, are expected to meet these standards when used to store or process UCSF information or connect to the UCSF network to conduct UCSF business.

III. Exceptions

Departments, units, or individuals who believe that their devices require configurations that do not comply with these standards need to apply for an exception with the Security & Policy (S&P) office.

IV. Enforcement

Computing devices found to be non-compliant with these standards, and without an exception on file, are subject to being disconnected from the UCSF network and prohibited from connecting to UCSF resources.

V. Minimum Standards

The minimum standards are reviewed, updated for applicability, and approved at least annually, or as needed when the Security & Policy office determines that a change is required. The minimum standards themselves are published in the document UCSF Minimum Security Standards. All EIRs must remain compliant with the standards in that document.

S&P is responsible for promulgating any changes to the minimum standards to the campus community.

VI. Planning for Implementation

To prepare for implementation of the minimum standards, departments should account for the financial impact and create a timeline for implementation. The basic plan should include:

  1. gap analysis to determine where the environment does not meet minimum standards;
  2. assessment of licensing needs per product;
  3. interoperability testing of products; and
  4. product install on deficient machines.