UCI's Information Security Strategy

July, 2005

(Comments to DRoode@UCI.EDU)

Items of Most Concern:

• Sensitive data in nooks and crannies around campus that are not being protected
• Huge amount of sensitive data in central IT organizations that is being protected, but by very busy staff who may have missed something (it’s a constantly evolving jungle out there and staff have "real work" to do to)
• Collective amount of time and energy campus faculty, students, staff and IT professionals spend on security related issues

What can UCI do (or do more of) to enhance security?

Campus Risk Assessment

• SB1386 Inventory
• Security audits of central IT shops (and/or questionnaire ?)

Strategic Communications

• Share results of Inventory with UCI Vice Chancellors
• Enlist the participation of UCI Accounting, Internal Audit, Risk Management to help get the message across about the costs of poor information security
• ASMs, who else?
• Disseminate monthly OIT security report regularly

Outreach / Coordination

• Administrative and Academic IS-3 Coordination Groups
• Interactive tutorials: a) for everyone; b) for folks who have sensitive data;  c) for system administrators or those who act like them;  d) for system administrators who have sensitive data;  e) for management
• RGS Institutional Review Board tie-ins
• Adding someone to OIT Security Team to focus on campus-wide security coordination

Central Facilitation

• Encryption software recommendations, bulk licensing, how-to's
• Other software recommendations/licensing: desktop firewalls, anti-virus
• Hardware recommendations: portable memories with built in encryption
• Security Guides, How-to's: encryption, de-identification, what else?
• Central, end-user centric, information security web site to tie all of the above together

Policy / Recommendations

• IS-3
• Possible IS-3 Highlight document, "don't put sensitive data on portable devices" etc.?
• UCInet Connected Device Security Guidelines
• Local UCI policy for information security ???

Network Security

• Central services (IDS, Firewall, Firewall services, host registration, probing for vulnerabilities, patching etc)
  • Network/Server registration
  • Working on new IDS/Firewall for VPN, discussing the value of reconfiguring wireless to allow IDS/Firewall there
  • What about off-the shelf products to make patching, vulnerability detection and other security-related tasks easier and more effective?
    • Cisco Clear Access, Cisco Security Agent, what else?
• Departmental and Individual efforts

Updated: December 10, 2010

Site Feedback