LS ISMP Guide: For Everyone

This is a role-based guide to the Letters and Science Information Security Management Program.

This guide is relevant to ALL employees in Letters and Science and covers the basics of what everyone should be doing to keep our systems and data safe. This applies to faculty, staff, graduate students, undergraduate employees, volunteers, contractors, and all other affiliates of our college.

  • Understand and follow minimum security standards* for basic information security hygiene on all devices where you do university-related work (i.e., store, access, or process any university data). This applies to both university-owned AND personally owned devices used with university data, and covers computers, tablets, smartphones, storage devices, network equipment, printers, etc.
    • Only use devices, operating systems, and applications that are actively receiving security patches from the supplier.
      • If a device, operating system, or application is no longer receiving regular security patches from the supplier (regardless of whether it is commercial or open source), it must be upgraded to or replaced with a supported version.
    • Keep the operating system and applications up to date with the latest patches.
      • You should regularly check for updates and install them within 7 days when available. Don’t forget to restart after installing patches to ensure that they are fully applied!
    • Run antimalware software and ensure it is receiving up-to-date definitions.
    • Enable storage encryption on all devices that support it.
      • For personally owned devices, ensure that you store recovery keys in a safe, known place.
    • Use strong login passwords, enable multi-factor authentication wherever possible, and ensure that your device has a screen timeout of at most 15 minutes (i.e., the device locks itself after no more than 15 minutes of inactivity).
      • Multi-factor authentication is one of the simplest, most effective security controls. It is much better to use an authenticator app like Duo than to use SMS text message codes.
    • Use regular user accounts that do not have administrative rights unless you are actively making changes that require administrative rights.
      • This often means having two accounts: one as your “daily driver” for normal work and a second for tasks that require administrative rights. Each account should have a separate, strong password and be enrolled in Duo MFA.
  • Complete the Vendor Risk Assessment process BEFORE acquiring or using any software, online services, or data.
    • This includes purchases, “free trials” (anything where you are required to accept terms on behalf of the university, including click-through agreements), open source software, and agreements with other institutions or agencies.
    • Do not “shoot first and ask questions later” by purchasing on personal funds then seeking reimbursement. Reimbursement requests that have not been vetted through the VRA process PRIOR to purchase will be denied.
  • Know what classifications of data you work with regularly, and where you have sensitive data stored. See https://lsit.ucdavis.edu/protection-levels-uc-institutional-information.
    • Data classified as P3 and P4 should only be stored, processed, and accessed on university-owned and managed devices.
      • You should not be storing, processing, or accessing P3-P4 data on personally owned devices, including computers, mobile phones, or tablets.
    • For any work involving P4 data, please consult with LS IT to develop and follow a data security plan.
* The minimum security standards are excerpted from the UC-wide minimum standards: https://security.ucop.edu/policies/security-controls-everyone-all-devices.html