The University campus is a unique environment to secure: it requires balancing the need to protect high-risk information, important research, and critical infrastructure in an open environment the size of a small city, while maintaining academic freedom, autonomy, and privacy.
To achieve the mission, we recognize that information security is a shared responsibility. Every member of the University has a unique role and responsibility. Leading this effort, the CISO works with Units across campus to reduce cybersecurity risk.
The UC Irvine program aligns with University of California system-wide information security policies & standards as well as localized specific standards and augmented policies. The program takes a risk-based approach, starting with asset classification, then risk assessment, and finally prioritized remediation or exception acceptance. An incident response process is also defined to properly handle potential security incidents when they occur.
Units are accountable for implementing information security, and it should be embedded into the entire lifecycle, where decision-making rights correspond to risk level.
Drivers that influence the strategic direction and prioritization of the program include:
- UCI specific trends and issues (local risk assessments, audits, incidents in aggregate)
- UC system-wide policy, initiatives, audits
- Compliance (PCI, CJIS, HIPAA, Research, etc.)
- Industry Trends
- 3rd Party Assessments
- Cyber Insurance requirements
The overall maturity of the program is measured using the NIST Cybersecurity Framework, audits, 3rd party and self-assessments, and operational metrics.
Governance of the program is covered by:
- Information Security & Privacy Committee (ISPC)
- Campus Ethics & Compliance Risk Committee (CECRC)
- CISO/CRE/CIO security meetings, CISO/UISL security meetings, and CISO/OIT leadership meetings
- UC Information Security Council (ISC)
- Periodic touchpoints with Council on Research, Computing, and Libraries (CORCL)