2. Security and Privacy Policy The World Has Changed! Common Solutions Group Jack McCredie January 9, 2004

3. Agenda Share Progress & Request Help Security and privacy policy framework at UC Recommended policy structure & process Specter of emerging legislation - Illustration: CA SB-1386 Security policy evolution at UC Berkeley - Illustration: minimum security standards policy Request for help – are we nuts?

4. Recommended structure Purpose Scope Policy Roles and responsibilities Consequences Requests for exception Appendices that can be easily modified Set of standing committees to contribute and review, and approve Communicate, communicate, communicate

5. University-wide policies Campus-wide policies Information technology policies Security & Privacy Policies

6. System & campus-wide policies UC Electronic Communications Policy http://www.ucop.edu/ucophome/policies/ec/html/ UC Business and Finance Bulletin IS-3 http://www.ucop.edu/ucophome/policies/bfb/bfbis.html Guide to Administrative Responsibilities http://controller-fs.vcbf.berkeley.edu/TableofContents. html

7. Information Technology Policies Requirements for Protection of Computerized Personal Information (Implementation of SB 1386) http://socrates.berkeley.edu:7015/protected.data.html Guide to Selected Privacy and Confidentiality Regulations http://socrates.berkeley.edu:7015/privacy/guidelines.html Guidelines for Use of Campus Network Data Reports http://security.berkeley.edu:2002/CISC/gdlns.net.data.html

8. Security and Privacy Policies Campus Information Technology Security Policy http://socrates.berkeley.edu:2002/IT.sec.policy.html Minimum Security Standards http://socrates.berkeley.edu:2002/MinStds/policy.htm SNS Scanning of the UC Berkeley Campus Network http://sec-info.berkeley.edu/cgi-bin/scaninfo-login.pl/

9. Security and Privacy Policies Departmental Security Contact Policy http://socrates.berkeley.edu:2002/contacts.html Guidelines and Procedures for Blocking Network Access http://socrates.berkeley.edu:2002/blocking.html IT Security “Best Practices” http://socrates.berkeley.edu:2002/bestpractices.html

10. Specter of emerging legislation Illustrative law: California SB 1386 UC Berkeley incidents since July 1, 2003 Campus and system-wide response

11. Policy Evolution: Have we gone over the top? UC electronic communications policy Departmental security contact Guidelines and procedures for blocking network access Campus IT security policy Requirements for protection of computerized personal information SNS Scanning of the UCB campus network Required minimum security standards

12. Software patch updates Anti-virus software Passwords No unencrypted authentication No unauthenticated email relays No unauthenticated proxy servers Physical security Unnecessary services HOST-BASED FIREWALL SOFTWARE REQUIRED

13. Are We Nuts? Questions and discussion