UC Office of the President signed a new security policy, dubbed IS-3, in September, 2018. The plans to implement this far-reaching policy are under way.

Short version

The new policy focuses on data risk management: how critical is your data, how is it stored. This defines the measures taken to both protect and make available your data. Unfortunately, there are dozens of ways data risk is determined: HIPPA, FERPA, ITAR, PII, Granting agency policies, departmental policies, etc etc. You need to be aware of what policies your data needs to abide by and you are ultimately responsible for abiding by those policies, even to a financial level should a breach of your data occur.

In the end, this policy will dictate how your store your data, where you store it, how you protect it, how you travel with it, and even where your data can travel internationally. The new policy will change the way you work.

UC Davis Learn More about IS-3


The long version of the policy can be read here:

IS-3 Policy




Data Classification Levels


The link above describes the data classification levels -- how well protected certain types of data should be and how available certain types of data should be. For example, Banner, the student information system, has data that is P4 and A4 as it needs to be tightly protected but would also hinder UC operations if the data was unavailable. Many times, only the owner of the data is familiar enough with the policies governing it to determine the protection and availability levels of the data.