Information Security Policies, Procedures, and Guidelines
Each member of the UCSF community is responsible for the security and protection of electronic Information Resources, and for becoming familiar with and complying with all UC and UCSF policies. Electronic Information Resources include electronic information itself and also the systems that are used to store, manipulate or transmit electronic information.
Policies
UCSF Campus Administrative Policy 650-16: Information Security and Confidentiality
Addendum A - UCSF Roles and Responsibilities for Securing Electronic Information Resources
Addendum B - UCSF Minimum Security Standards for Electronic Information Resources
Addendum C - Incident Investigation
Addendum D - Wireless Networks
Interim Policies
These policies have been approved by the CIO Group and are pending posting to the Chancellor's administrative policies website.
UCSF Campus Administrative Policy 650-XX: UCSF Authorized and Acceptable Use Policy
This policy formally defines the scope of authorized and acceptable use of UCSF systems and refers to the UCSF Guest Access form.
UCSF Campus Administrative Policy 650-XX: UCSF Network Security Monitoring Policy
The policy describes the use of monitoring, logging and retention of network traffic at UCSF for the purposes of ensuring the confidentiality, integrity and availability of UCSF systems, Electronic Information Resources (EIRs) and Electronic Communication Records (ECRs).
University of California Electronic Communications Policy (ECP)
UCSF Implementation of the Electronic Communications Policy - Access without Consent process
Standards
- UCSF Minimum Security Standards for Electronic Information Resources
- Unified UCSF Enterprise Password Standard
- ITS Active Directory Password Protocol
- Wireless Networking and Security Standards
Guidelines
- IS-3 - Electronic Information Security
- IS-2 - Inventory, Classification, and Release of University Electronic Information
- IS-11 - Identity and Access Management
- IS-12 - Continuity Planning and Disaster Recovery
- UCOP Management Guide for Information Security
- UCOP Business & Finance Bulletins
- UCOP encryption guidelines (full document)
- Determine if you need to use encryption (for information "at rest" or "in flight")
Procedures
- UCSF Incident Investigation Procedures
- Procedure for Unscheduled Outages
- Flowchart for Unscheduled Outages
- UCOP instructions to IT employees for handling information requests from the FBI or other Federal agents
The following procedure is currently undergoing revision:
Proposed Account Management Procedures
Relevant External Laws and Regulations
- Health Insurance Portability Accountability Act (HIPAA)
- California Senate Bill 1386 (SB1386)
- Digital Millennium Copyright Act (DMCA)
- Family Education Rights and Privacy Act (FERPA)
- e-Discovery
Best Practices
Information security practices for faculty, students, staff, administrators, guests, and affiliates as well as personal systems, CSCs, and systems administrators can be found here.
These systems each have best practices specific to their functions: Servers, Workstations, Mobile Devices, Medical Devices.
Additional Resources for Best Practices
- SATE - Security Awareness, Training & Education
- Information Security for Students (Provided by the School of Pharmacy)
Minimum Standards Checklists
