Important changes to improve cybersecurity

October 15, 2015

To: UC Santa Cruz Community
From: Chancellor George Blumenthal and Vice Chancellor for Information Technology Services Mary Doyle
Subject: Important changes to improve cybersecurity

The University of California has been working to address systemwide challenges in cyber-security and develop a culture to effectively manage and respond to these on-going threats. A core element of President Napolitano's plan to strengthen the university's defenses and fortify against future cyberattacks is a new Cyber-Risk Governance Committee.

We would like to update you on three important recommendations that have emerged from the Cyber-Risk Governance Committee.

1) All of us have a responsibility to safeguard the information that's entrusted to us. All employees are now required to take Cyber-Security Awareness Training, which will be delivered through the UC Learning Center. The training should take about 50 minutes and must be completed by January 31, 2016. It will be required annually. We will soon share more details about the training and when it will be available.

Further, ITS managers will identify staff members responsible for our campus cyber-security so that those people can take UC-sponsored in-person technical training on IT security topics, taught by leading information security experts. Additionally, an IT Security Symposium on emerging security trends and approaches will be offered to all UC IT staff.

2) Each campus has appointed an individual to serve as a Cyber-Risk Responsible Executive (CRE). For our campus, Vice Chancellor for Information Technology Mary Doyle will serve in that role.

3) The UC system will pilot a cyber incident escalation protocol through the end of this calendar year. The protocol establishes a consistent means and clear responsibilities across UC for assessing, responding to, escalating, and communicating cyberattacks. In January, the Cyber-Risk Responsible Executives will meet and review the protocol for effectiveness and manageability, and recommend changes, if necessary.

Systemwide leaders recognize that it can be a challenge to balance the number of events that occur in a system of our size with the need to create a culture of reporting for visibility and measurability. The pilot is meant to see if we have the best approach.

Relevant staff members have been briefed on the protocol. However, it is equally important that everyone in our campus community report all security incidents.
These changes come in the midst of National Cyber Security Awareness Month, a time to think about all the technology-related threats we face in our professional and personal lives and a reminder to make sure we have the resources needed to stay safer and more secure online.

More information can be found on the ITS National Cyber Security Awareness Month web page at http://its.ucsc.edu/security/ncsam.html.