UCI Information Security Plan

Guiding Principles

The University of California is committed to high standards of excellence for protection of information assets and information technology resources that support the University enterprise. The University processes, stores, and transmits an immense quantity of electronic information to conduct its academic and business functions. Without the implementation of appropriate controls and security measures, these assets are subject to potential damage or compromise to confidentiality or privacy, and the activities of the University are subject to interruption.

Management Principles

Stewardship and Accountability
Everyone has a responsibility to protect information and individuals are held accountable.
Risk Management
Information must not be stored without understanding and formally mitigating or accepting the risk.
Business Ownership
Information security is owned by all levels of the organization, not just IT. Senior managers are involved in determining and accepting information security risk.
Privacy and security is not a "zero-sum game." All aspects of privacy, including academic freedom, are weighed and incorporated into security practices.

Architecture Principles

Defense In Depth
A system should employ multiple levels of defense such that a single breach of one sub-system does not expose the entire system directly to an attacker.
Least Privilege Access
A user, system or process should only be granted the minimum set of privileges they require to perform their designated job.
Sub-systems should be partitioned logically and isolated using physical devices and/or security controls
Segregation of Duties
No single individual should have the power to effect change of a critical control process, system or transaction. In general, administrators should not be users of the application.
All actions exceeding a specified risk threshold should be undeniably traceable to an initiating user, process or system.
Do Not Trust Services
Systems or sub-systems outside the bounds of a secure environment must never be trusted implicitly
Minimize the complexity and therefore potential points of failure, security breaches and obscurity of the system
Existing security controls should be given preference over custom solutions
Secure Default
The default settings for each component or sub-system should be the most secure settings