Cyber-risk Responsible Executive (CRE)

• Ensures that the responsible parties understand and execute their responsibilities under these policies[1].
• Ensures the Location-wide adoption of the ISMP covered in the University of California – Policy BFB-IS-3: Electronic Information Security: Information Security Management Program, and an information security risk management strategy as well as the adoption of the University of California San Francisco – Policy 650-16: Information Security & Confidentiality. 
• Reviews the Location’s overall information security Risk Assessments and identifies key risks affecting the Location. Evaluates the Location’s level of cyber risk to make decisions about risk mitigation and risk acceptance.
• Approves the Location policy exception process.
• Participates in systemwide initiatives related to information security and information security risk management.
• Evaluates information security risk and ensures appropriate funding for information security.

UC Systemwide Chief Information Security Officer

• Ensures implementation of systemwide policies in coordination with Location officials.
• Supports systemwide policy and facilitates regular communication among Locations to address consistent implementation of systemwide policies throughout UC.

May be appointed by the UC executive vice president and chief operating officer to act as CISO for assigned Office of the President Locations.

Chief Information Officer (CIO)

• Provides operational oversight for the delivery of information technology services that meet the requirements of these policies.
• Plans and directs information security Risk Assessments for the Location.
• Provides management oversight for information security planning, implementation, budgeting, staffing, program development and reporting.
• Sets operational priorities and obtains alignment with the CRE and Location leadership.

Senior IT executive, IT Leadership Council member.

Chief Information Security Officer (CISO)

• Assists the Location in the interpretation and application of these policies.
• Provides management and execution oversight of the ISMP through collaborative relationships with CRE, CIO, academic and administrative officials, using Location governance structures and compliance strategies.
• Reports Information Security Incidents to UCOP, appropriate Location leadership and the Location CRE.
• Manages the Location exception process for these policies.
• Provides annual cybersecurity awareness training to all Workforce Members to ensure they understand common security risks and their role in protecting Institutional Information and IT Resources, managing security risk, and reporting security incidents.

Unit Head

• Oversees the execution of these policies within the Unit.
• Assigns one or more individual(s) with oversight of the execution of information security responsibilities within the Unit. This role is called the Unit Information Security Lead.
• Identifies and inventories Institutional Information and IT Resources managed by the Unit.
• Ensures that Risk Assessments are complete and Risk Treatment Plans are implemented.
• Specifies the Protection Level and Availability requirements to Service Providers who manage IT Resources on behalf of the Unit.
• Through the risk management process, ensures that protection of Institutional Information and IT Resources managed by Service Providers meets the requirements of these policies.
• Through the risk management process, ensures that Institutional Information and IT Resources managed by Suppliers meet the requirements of these policies.
• Reports Information Security Incidents to the CISO.
• Reports to the CISO any information security policy or standard that is not fully met by the Unit, or by a Service Provider managing Institutional Information or IT Resources on behalf of the Unit.
• Ensures the above responsibilities are included in the overall Unit planning and budgeting process.
• Maintains relationship with and inventory of Service Providers managing Institutional Information or IT Resources on behalf of the Unit.
• Ensures that all Workforce Members in the Unit complete annual cybersecurity awareness training. 
• Ensures that IT Workforce Members in the Unit have appropriate IT security skills and qualifications, receive regular training related to their job requirements, and understand policies, procedures, and best practices to maintain acceptable standards of information security.

• Units are defined as Control Points for purposes of this standard.  UCSF Control Points are:
  • School of Medicine
  • School of Pharmacy
  • School of Nursing
  • School of Dentistry
  • Financial and Administrative Services
  • Executive Vice Chancellor and Provost
  • Community and Government Relations
  • Development
  • UCSF Health
  • Global Health
  • Langley Porter
  • Diversity & Outreach
  • Communications
  • Chancellor’s Office
•  A Unit Head is characterized by having budget control and/or control or authority over IT Resources and/or Institutional Information.
• Unit Heads may delegate specific information security responsibilities to Workforce Members under their area of responsibility, Service Providers or Suppliers. The Unit Head must ensure that this delegation of responsibility is clear and unambiguous by developing additional roles within their Control Point. Any Unit information security responsibilities not expressly delegated to, and accepted by, a Service Provider or Supplier remain the responsibility of the Unit Head.

Service Provider

• Documents and delivers IT services in compliance with these policies, other UC policies and applicable Location policies.
• Notifies the Unit Head of any policy provisions that are unmet or require additional controls by the Unit.
• Supports Units in completing Risk Assessments related to the services provided.
• Coordinates with Units to implement appropriate security measures in conjunction with UCSF IT Security.
• Coordinates with Units to respond to potential and confirmed Information Security Incidents in conjunction with UCSF IT Security.   

• Can be a central IT group, another Unit, another UC Location or UC service center providing specific IT services to a Unit.
• Service Providers can be Units for the purposes of these policies.
• Service Providers are internal UC entities for the purposes of these policies.
• External suppliers are covered under UC Policy BFB IS-3, section 15.

Institutional Information Proprietor

• Assumes overall responsibility for establishing the Protection Level classification, access to and release of a defined set of Institutional Information.
• Classifies Institutional Information under their area of responsibility in accordance with these policies.
• Establishes and documents rules for use of, access to, approval for use of and removal of access to the Institutional Information related to their area of responsibility.
• Notifies Units, users, Service Providers and Suppliers of the Institutional Information Protection Level.
• Approves Institutional Information transfers and access related to their areas of responsibility.
• Notifies Units, Service Providers and Suppliers of any changes in requirements set by the Institutional Information Proprietor.

• The Institutional Information Proprietor is responsible for their defined set of Institutional Information regardless of the Unit holding the data.
• Responsibilities of this role may affect Unit, Service Provider and Supplier requirements.  Examples of Institutional Information include such things as Human Resource and Financial Data.

Workforce Manager

• Complies with these policies.
• Performs duties assigned by the Unit Head. 

See UC IT Policy Glossary. Typically managers or supervisors.

Workforce Member

• Complies with these policies.
• Completes annual cybersecurity awareness training.

See UC IT Policy Glossary. A broad term encompassing all individuals who perform work for UC in any capacity.

Researcher

• Complies with all responsibilities of Workforce Members.
• Uses a Location-approved Risk Treatment Plan or conducts a Risk Assessment to ensure that information security requirements are met.
• Identifies the appropriate Institutional Information Protection Level defined in these policies for research data.
• Identifies and meets confidentiality and data security obligations based on laws, regulations, policies, grants, contracts and binding commitments (such as data use agreements and participant consent agreements) relating to research data.
• Creates and maintains evidence that demonstrates how security controls were implemented and kept current throughout the project.
• Develops and follows an information security plan that manages security risk over the course of their project.
• Ensures that Suppliers who store or process Institutional Information during the project follow UC policy for written contracts.
• Ensures that Supplier agreements include approved terms supporting the information security controls specified in these policies and applicable UC purchasing requirements.

Unit Information Security Lead

• Provides oversight and execution of information security responsibilities within the Unit.
• Performs duties assigned by the Unit Head. 

The Unit Head assigns this role to Workforce Member(s) to carry out Unit responsibilities under these policies. The Unit Head can also perform this role.