Overview
BFB IS-3 Information Security is the systemwide information security policy that was ratified in late 2018. The policy is supported by 9 standards and several interpretive guides. All IT staff should familiarize themselves with the policy and the standards. IT activity, especially the creation or update of shared services, must be conducted according to the policy.
The policy introduces several roles. The one of particular interest to IT groups is the service provider. There is a glossary available to aid understanding of the roles and other concepts featured throughout the policy.
Unlike the prior policy, the current IS-3 is prescriptive with a large number of mandatory controls. There are also mechanisms to allow adjustment of the controls to meet the level of organizational and technical risk. Few IT systems are fully compliant with the policy yet, but many are protected in a manner consistent with risk.
IS-3 at UCSB
UCSB has more than 300 organizational units, not including major research projects, which are classified as units under the policy. It is impractical to fully implement IS-3 at that level of granularity. The policy has a relationship to BUS-80 Insurance Programs for Institutional Information Technology Resources (https://policy.ucop.edu/doc/3520504/BFB-BUS-80) that suggests that Unit Heads be more senior executives. Toward that end, the Vice Chancellors for Administration and Student Affairs will act as Unit Heads for their respective divisions. The Associate Vice Chancellor for IT and CIO will act as Unit Head for Information Technology Services. The assignment of Unit Heads for the remainder of the campus is ongoing.
Each Unit Head will appoint one or more Unit Information Security Leads (UISL) to oversee technical compliance. For Administrative Services, Ben Price, Director of Administrative and Residential Information Technology and Associate CIO will be the lead UISL. For Student Affairs, Joe Sabado, Executive Director of Student Information Systems and Technology and Associate CIO will be the lead UISL. UCSB's Chief Information Security Officer will be the lead UISL for Information Technology Services. Other UISLs may be appointed for smaller units within these organizations.
The Office of the CIO is preparing facilitated risk assessments based on IS-3 controls. These will be used to create prioritized compliance plans for units. These risk assessments will be conducted on a periodic basis starting in 2020. In the meantime, there are several elements of the policy that IT staff and IT Service Providers should turn their attention to immediately.
- Inventory and classify your Information & Resources
- Bring infrastructure and services into compliance
- Section 9: Access Control
- Section 12: Operations Management
- Minimum Security Standard
- Account and Authentication Management Standard
- Secure Software Configuration Standard
- Secure Software Development Standard
Standards
- Minimum Security Standard
- Account and Authentication Management Standard
- Classification of Information and IT Services
- Institutional Information Destruction Standard
- Encryption Key and Certificate Management
- Event Logging Standard
- Incident Response Standard
- Secure Software Configuration Standard
- Secure Software Development Standard
Interpretive guides
- Catalog of quick start guides by role
- Glossary
- Classification guide for protection levels
- Classification guide for availability levels
Security policy exception and risk acceptance
BFB IS-3 and supporting standards govern IT security for systems at the University of California and UCSB. The policy (Section 2.2) recognizes that there are occasions where a system or process cannot be compliant with the policy as written and that alternative equivalent mitigations may be acceptable. There may also be occasions when mitigations may be inadequate to reach an equivalent level of protection, and risk acceptance may be required.
The mechanism to request an exception or risk acceptance is to complete the form in ServiceNow that specifies the nature of the request and the context. It should be noted that not all exception requests will be granted. An exception requires three approvers:
1. The UISL reviewing and approving the proposed exception or risk acceptance.
2. The Unit Head reviewing and approving the request and indicating acceptance of responsibility.
3. The Chief Information Security Officer (CISO) reviewing and approving the request.
The CISO, at their discretion, may choose to specify additional approvers and may raise approval to the Cyber Risk Responsible Executive (CRE).
To begin the process, the requestor should complete the request form in ServiceNow.
1. Under the Advanced Technical Services section select Security Operations.
2. In the Security Operations section select Information Security Policy Exception.
3. Complete the Information Security Policy Exception.
There is a knowledge base article to help you fill out the required information. Failure to fully and accurately provide this information will result in the exception being denied. The exception form will ask:
1. What is the specific policy or standard for which you are seeking an exception or risk acceptance? This reason must include reference to the applicable section of the policy or standard.
2. Why is the exception needed?
3. For how long is the exception needed?
4. What alternative security controls have you implemented to reduce risks associated with the exception?
5. What is the long-term mitigation plan to ensure that the system or process is compliant with university policies?
6. What system, application, service, vendor, or vulnerability name is the request for?
7. What unique identifier or URL is this risk exception associated with?
8. What types of data are hosted or used for this service?
9. What data protection and availability level are associated with this request?
The UISL should discuss the exception request with the Unit Head and gain their approval, then forward the completed request ticket to the CISO.
The CISO will determine if an exception or risk acceptance is appropriate. At their discretion, they may add approvers up to and including the campus CRE.
The CISO will inform the requestor when the exception is approved, for how long, and any contingent requirements. If the exception or risk acceptance is granted, the CISO will document their findings and approval in the ticket.
Additional references
- Electronic Communication Policy
- Implementation of the Electronic Communication Policy - IECP
- Insurance Programs for Institutional Information Technology Resources
- Presentation to campuswide IT - January 24, 2020