Unified Network Service Transition

In February 2024, UC Office of the President (UCOP) issued a mandate for all campuses to improve their network infrastructure’s cybersecurity posture. In order to do that, UCSB must standardize and centralize its network operations.

The project is divided into four phases:

  1. Network Location Discovery: Understanding the current state of network infrastructure.
  2. Assessment and Planning: Once we have the data from the discovery phase, we can collaborate with network leads to determine the scope of work (e.g. what equipment needs to be procured and what remediation is required). Depending on the scope of work, areas will be categorized as either red, yellow, or green.
    • Red areas: require remediation before network upgrades can be done
    • Yellow areas: upgrades can be done without remediation, but it may not be ideal, and future work is needed to properly address issues
    • Green areas: upgrades can proceed immediately
  3. Perform Upgrades: Once the plan is finalized, the project team will coordinate with network leads to schedule the work and communicate with impacted populations to minimize disruptions. 
  4. Network Segmentation: This allows us to put traffic on different "lanes" in the network depending on usage and data access. If there is a breach in security, only that particular "lane" is affected.

Network segmentation is a network security technique that divides a network into smaller, more manageable subnetworks. Each subnetwork acts like its own network, allowing for more control over traffic flow and security. Segmentation reduces network congestion, improves cybersecurity by limiting how far an attack can spread, and can stop harmful traffic from reaching devices that are unable to protect themselves from an attack.
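As an added illustration (not part of the original page), the following Python model shows why a breach in a segmented network stays in its own "lane". The hosts, segments and allowed-flow policy are constructed sample data; the code computes which hosts an intruder on one machine could reach by pivoting, first on a flat network and then with the segmentation policy enforced.

```python
"""Added example (not from the UCSB page): a small model of how network
segmentation limits the blast radius of a compromised host.

Each host belongs to one segment ("lane"). A policy lists which segment
pairs may talk to each other; traffic inside a segment is always allowed.
From one compromised host we compute every host an attacker could reach by
pivoting, once on a flat network and once with the policy enforced.
All hosts, segments and policy rules below are constructed sample data.
"""
from collections import deque

# Constructed inventory: host name -> segment it is placed in.
HOSTS = {
    "staff-pc-1": "staff",
    "staff-pc-2": "staff",
    "printer-3": "printers",
    "lab-instrument-7": "lab",
    "lab-pc-8": "lab",
    "fileserver-a": "servers",
    "building-hvac": "iot",
}

# Constructed policy: (source_segment, destination_segment) pairs that may
# communicate. Anything not listed (and not within one segment) is blocked.
ALLOWED_FLOWS = {
    ("staff", "printers"),
    ("staff", "servers"),
    ("lab", "servers"),
}

# Sentinel meaning "no segmentation": every host can talk to every host.
FLAT = None


def allowed(src_seg, dst_seg, policy):
    """True if traffic from src_seg to dst_seg is permitted by the policy."""
    return src_seg == dst_seg or (src_seg, dst_seg) in policy


def reachable_hosts(start, hosts, policy=FLAT):
    """Hosts an attacker who controls `start` can reach by pivoting through
    any host already reached. policy=FLAT models an unsegmented network."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for other in hosts:
            if other in seen:
                continue
            if policy is FLAT or allowed(hosts[current], hosts[other], policy):
                seen.add(other)
                queue.append(other)
    return seen


def blast_radius(start, hosts, policy=FLAT):
    """Number of hosts exposed if `start` is compromised."""
    return len(reachable_hosts(start, hosts, policy))


def compare(start, hosts, policy):
    """(flat count, segmented count) for the same compromised host."""
    return blast_radius(start, hosts, FLAT), blast_radius(start, hosts, policy)


if __name__ == "__main__":
    for victim in ("lab-pc-8", "staff-pc-1", "building-hvac"):
        flat, segmented = compare(victim, HOSTS, ALLOWED_FLOWS)
        print(f"{victim:18} flat: {flat} hosts exposed, "
              f"segmented: {segmented} hosts exposed")
```

Note that the policy is directional: the servers segment accepts traffic from staff and lab but initiates to neither, so a compromised file server cannot pivot back into staff or lab machines, and the isolated "iot" segment exposes only itself.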

Faculty, students, and staff will see a consistent network experience regardless of location across campus, which includes a centralized service support request model. A centrally managed network also allows for more proactive security measures through segmentation capabilities.

In the short term, the network transition work will include updating equipment in buildings across campus. The scope of that work is still being mapped, but we expect outages of varying time frames depending on the extent of remediation needed in each building. The long-term goal is to move away from “unmanaged” network equipment across campus. Students, faculty, and staff wishing to buy equipment that connects to the network will have to coordinate with their local IT groups in order to ensure all network-related equipment is accounted for, has appropriate configurations, and can be supported through a centralized service model.

We're in the process of assessing all buildings and determining the scope of work needed to upgrade the network and communications equipment. Every attempt is being made to send outage notifications at least 14 days in advance to identified building contacts. We encourage you to bookmark it.ucsb.edu/network-outages and check back on a regular basis as more buildings are scheduled. 

That depends on the complexity of each building’s existing network infrastructure. Plan for at least a one-day outage from 8 a.m. to 5 p.m. unless otherwise noted.

Given the complexity, pinpointing specific downtime of each network / communications closet (e.g. by floor, area, etc.) is not feasible with the aggressive timeframe and volume of buildings involved. Building occupants should prepare for full-day outages on their assigned dates even though the downtime in their area of the building may be shorter.

We will be replacing network hardware, specifically network switches. This equipment must be standardized across campus to eventually centralize and segment the network. 

Any functionality that requires connecting to the internet will be down during the outages, including office phones. Calls received during this time will be forwarded to voicemail. As much as possible, we recommend working remotely, or from a different campus building that is not undergoing upgrades at the same time. 

There will be limited coordination for specific buildings, but not most. There are 447 buildings on campus requiring some form of upgrade before May 2025. We are still collecting information to determine the scope for each building, and the accelerated pace of the mandate limits our ability to do as much coordination as we would prefer. We are taking some considerations in mind before finalizing schedules to minimize the impact on our community.

Scheduling poses a complex challenge as it involves aligning information gathering from IT leads, procurement and ordering equipment, availability of installation vendors, and the impacts to building activities. Due to the project's scope, we are unable to accommodate schedule changes. If timing presents a safety risk or prevents a critical activity, please coordinate with your control point.

Because of the UCOP mandate’s aggressive deadline (May 2025), we have had to move quickly to find compliant solutions. We recognize the incredible expertise of our colleagues across campus, and want to hear from you on how we can improve the implementation of these solutions within the timeframe provided by the mandate. Please reach out to secure-ucsb@it.ucsb.edu.

Network leads should work with ITS to complete the equipment assessment as soon as possible. Once we know more, we’ll be able to address specific concerns for more complex configurations. Please contact Shea Lovan (salovan@ucsb.edu) if you have any concerns.

No, though there may be a few exceptions (e.g. HPC cluster interconnects).

It's important to include any equipment that has connectivity to the campus network. We may not end up replacing or upgrading certain components, but the more we know about it, the more we can understand the existing infrastructure and plan for the future. We do not want to degrade capabilities. The more we can understand the full picture about what exists currently, the more informed we are as we determine next steps. 

No, the management of network equipment will be part of the centralized network service. Requests to enable or reconfigure ports will be facilitated via ServiceNow.
 

Initially, this will be the case. However, as the campus transitions from departmental networks to policy-based networks, this capability will go away. Instead, requests for UTM changes associated with specific services may be made via ServiceNow.

It depends. For example, the switch infrastructure as part of the high-performing computing in Eling Hall will not be replaced. There will likely be a transition of network responsibility in the North Hall Data Center (NHDC). Most machine rooms will have switches replaced, but there will be instances where this is not the case.
 

Not at this time, due to the accelerated mandate deadline. With additional time, we would have preferred to address outside plant issues, update fiber connections between buildings, and make additional improvements to building wiring. We hope to continue looking into these improvements in the future.

Yes, there will be some capability for NAT going forward, but it will not be managed the way it has been previously. A key requirement of this mandate is that our Security and Network Operations teams have visibility into all campus endpoints.

 

Device Security

A Mobile Device Management (MDM) solution is a software system used by organizations to manage, secure, and enforce policies on mobile devices such as smartphones, tablets, desktops, and laptops that are used for work purposes. It allows IT administrators to manage and protect the data on these devices, ensuring they comply with organizational security policies.

In cybersecurity, devices that connect to a network are considered “endpoints” as they are potential entry points for security threats. Endpoint Detection and Response (EDR) software specializes in detecting and responding to endpoint-level threats. UCSB already deploys an EDR tool called Trellix, which is in use by approximately 66% of campus endpoints. 

If your device(s) (e.g. desktop, laptop, mobile phone or tablet) are owned by UCSB, your device(s) will have to be enrolled in the tools needed to maintain device security, which includes MDM.

Yes. Faculty startup funds are UCSB funds allocated to a faculty member by their college, division, or department. Because the university owns these devices, they must comply with the requirements.

No. Enrolling a device in MDM and EDR software (whether a UCSB-owned or personal device) does not allow access to your emails, browsing history, or any other standard, activity-related information. Learn more about privacy considerations.

Location services will be enabled. However, the software tracking function will be disabled unless the device is reported stolen or lost, or if it is doing something that exposes the network to potential vulnerabilities.

The MDM doesn't directly track application usage time. It can monitor when apps are launched, closed, or updated, as well as certain device events, such as when the device is turned on or off and when a user logs in or out.

All cybersecurity tools must be in compliance with UCSB privacy policies and guidelines, including the UC Statement of Privacy. Although location services must be enabled on UCSB-owned mobile devices, location tracking in the MDM tool will not be enabled unless two conditions are met: (1) the device is reported as lost or stolen by the user, and (2) the user of the device is notified that location tracking will be turned on. Employees will be informed about when and why location tracking is activated and how the data will be used. Location data access will be restricted to authorized personnel to ensure confidentiality.

The MDM solution will not inherently limit your ability to use your device for personal purposes unless specific restrictions are set by your department or local IT. In most cases, personal use of the device is allowed as long as it complies with UCOP IT Policies and Guidelines, which ensures the security and proper use of University resources.

MDM is intended to enforce security measures and typically won't prevent normal personal use of your device unless this activity poses a security threat. However, since your device is owned by UCSB and intended for work-related purposes and activities, it is typically advised that you avoid using your UCSB device for personal use.

The MDM solution protects your sensitive data from unauthorized access through several key security features, such as device encryption, authentication policies, remote wipe in the event of a stolen or lost device, application management, and data separation (to protect campus vs. personal data).

“Sensitive data” is information falling under Protection Level 3 or Protection Level 4 (“P3” or “P4” data) as defined in the University of California IS-3 policy. Review the UC Protection Level Classification Guide here.

The MDM does not block any application installation on personally-issued devices. The EDR software will block malicious applications per the guidelines provided by Legal and IT Leadership. Exception requests, such as research, will be reviewed on a case-by-case basis. 

Typically, device cameras or microphones will not be restricted unless requested by a department for a unique concern (e.g. a sensitive work environment or GDPR compliance requirements).

Vulnerability scanners continuously scan the UCSB network for devices with listening ports and services. The Nessus Agent installed on endpoints collects software/version inventory information and regularly reports this list to the Tenable.io instance. This agent reporting activity is lightweight and does not impact device performance.
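To make the agent-reporting step concrete, here is an added example (not from the UCSB page, and not Tenable's own schema or code) of how a software/version inventory and listening-port list reported by an endpoint agent can be matched against a baseline of minimum patched versions and expected services. The report format, package names, version thresholds and service list are all constructed sample data.

```python
"""Added example (not from the UCSB page or from Tenable): matching an
endpoint agent's software inventory and listening-port report against a
baseline to flag what a vulnerability platform would surface to IT.

The JSON shape, package names, minimum versions and service list below are
constructed for illustration; they are not Tenable.io's real report format.
"""
import json

# Constructed agent report in a made-up JSON shape.
AGENT_REPORT = json.dumps({
    "host": "staff-pc-1",
    "software": [
        {"name": "openssl", "version": "3.0.2"},
        {"name": "curl", "version": "8.5.0"},
        {"name": "office-suite", "version": "16.0.1"},
    ],
    "listening": [
        {"port": 22, "service": "ssh"},
        {"port": 5900, "service": "vnc"},
    ],
})

# Constructed baseline: the lowest version of each package considered patched.
MIN_PATCHED = {
    "openssl": "3.0.7",
    "curl": "8.4.0",
    "office-suite": "16.0.1",
}

# Constructed list of services that should not be listening on a staff endpoint.
UNEXPECTED_SERVICES = {"vnc", "telnet"}


def parse_version(version):
    """'3.0.7' -> (3, 0, 7) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def outdated_software(report):
    """(name, installed, minimum) for every package below its patched floor."""
    findings = []
    for pkg in report["software"]:
        floor = MIN_PATCHED.get(pkg["name"])
        if floor is None:
            continue  # package not in the baseline: nothing to compare against
        if parse_version(pkg["version"]) < parse_version(floor):
            findings.append((pkg["name"], pkg["version"], floor))
    return findings


def unexpected_listeners(report):
    """(port, service) for every listening service outside the expected set."""
    return [
        (entry["port"], entry["service"])
        for entry in report["listening"]
        if entry["service"] in UNEXPECTED_SERVICES
    ]


def evaluate(report_json):
    """Parse one agent report and return the findings an analyst would review."""
    report = json.loads(report_json)
    return {
        "host": report["host"],
        "outdated": outdated_software(report),
        "unexpected_listeners": unexpected_listeners(report),
    }


if __name__ == "__main__":
    result = evaluate(AGENT_REPORT)
    print(f"Findings for {result['host']}:")
    for name, installed, floor in result["outdated"]:
        print(f"  {name} {installed} is below patched version {floor}")
    for port, service in result["unexpected_listeners"]:
        print(f"  unexpected listener: {service} on port {port}")
```

Version strings are compared as integer tuples rather than text, since a string comparison would wrongly rank "3.0.10" below "3.0.7"; a real platform also has to handle vendor-specific version formats, which this sample deliberately leaves out.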

Yes, the MDM tool will deploy disk encryption to all devices, which ensures all data stored on the device is unreadable to anyone who gains unauthorized access.

No training will be required for end users. Users should contact the IT Service Desk for any support needs related to the Device Security Platform.
 

Any costs for the Device Security Platform will be absorbed by the Secure UCSB program per the new UCOP Cybersecurity Mandate. 
 

  • Windows PCs / laptops
  • Mac PCs / laptops
  • University-owned mobile devices (Android and iOS)
  • Chromebooks

Linux machines will not be required to install the MDM at this time. 

Personal devices, including those used by teaching assistants and graduate student researchers, are not currently included in the scope for May 2025. 

Local IT will be responsible for identifying any UCSB-owned devices, including VMs and remote devices within their groups. Local IT will then be working with those individuals to install the appropriate tools.

Your local IT groups will be updating their departments on timing and next steps for deployment of these tools. 

Correct. These tools will operate in the background and only intervene if a threat is detected. What that intervention looks like will depend on the type of threat. Some threats are mitigated automatically and imperceptibly by the tools, while others may notify IT groups and require additional support. 

 

Help desk support

The help desk support model will remain the same. Faculty, students, and staff should continue to work with their local IT support, who will then work with ITS as needed. Some departments will work directly with ITS.

In addition to improving our cybersecurity through device and network security, there is a concerted effort behind the scenes to improve our service support model by working with local IT groups to modernize our helpdesk experience and make it more efficient and responsive. Within ServiceNow, each area of network modernization will have a corresponding ServiceNow catalog item so requests can be routed more efficiently to the right team or staff member.

Contact Us

Have questions or concerns about Secure UCSB?

Send us a message at secure-ucsb@it.ucsb.edu