At the top layer of the hierarchy, policies, are general management directives. The second layer, standards, are specific mandatory controls which are to be implemented within a given environment. The third layer is additional subordinate guidance and procedures created to facilitate adherence to the policies and standards. 

UCOP IS-3 Electronic Information Security Policy and Associated Standards

BFB-IS-3: Electronic Information Security Policy

• Minimum Security Standard
• Account and Authentication Management Standard
• Institutional Information and IT Resource Classification Standard
  • Classification Guide: Protection Levels for Institutional Information and IT Resources (pdf)
  • Classification Guide: Availability Levels for Institutional Information and IT Resources (pdf)
• Institutional Information Disposal Standard
• Encryption Key and Certificate Management Standard
• Event Logging Standard 
• Incident Response Standard
• Secure Software Configuration Standard 
• Secure Software Development Standard 

UCSF IT Security Policies, Standards, and Guidance

650-10 Identity and Location Management System
650-12 Campus Cabling
650-13 Single Protocol Network Backbone
650-14 Network Gateway Policy
650-15 Population Definition
650-16 Info Security & Confidentiality

• Addendum A, UCSF Roles and Responsibilities for Securing Electronic Information Resources
• Addendum B, UCSF Minimum Security Standards for Electronic Information Resources
  • Minimum Security Standards Checklist
  • Unified UCSF Enterprise Password Standard
  • Application and Website Security
  • Cloud Computing Guidance - Cloud
  • Desktop locking (page is being updated)
  • Device Encryption Waive Request
  • Email
  • Email Settings for iPhone
  • Encrypt Your Computer
  • Mobile Devices
  • Physical Security
  • Security Exception Request Form - Instruction for filling out
  • ServiceNow CMDB
  • Software Download page
• Addendum C, UCSF Incident Investigation
  • UCSF Incident Investigation Procedures
• Addendum D, UCSF Wireless Networks
• Addendum E, PCI
• Addendum F, UCSF Data Classification Standard
• Addendum G, 3rd Party Remote Access

650-17 Multicasting Distribution of Video/Audio
650-18 Electronic Information Resources

• UCSF Implementation of the ECP - Access Without Consent
• Access With Consent

650-19 Network Security Monitoring