University of California, Riverside


General Security Measures

Developing a Security Plan

Develop a security plan as outlined in the UC Business and Finance Bulletin IS-3, Electronic Information Security. Components of this plan should include the following:

  1. Access Procedures and Controls - Create procedures and policies for computer / application access including methods used to control access. The process should include original access requests (requestor and approver), background checks for access to restricted or sensitive data, logging, monitoring, and designation of party responsible for enforcement and periodic review of access (by who and frequency).
  2. System Administration - System administration should be limited to as few individuals as practical. Methods to manage OS, application and services updates / patching, log management / review and host based firewalls should be implemented by the system administrator to ensure essential tasks are promptly performed.
  3. Software Development Controls - This includes the method used to control source code control, change request, development, testing, approval, and implementation procedures.
  4. Data Security - Include descriptions for RAID implementation for disk systems, encryption (key management) and backup policies (backup frequency, retention, and type of backups-full or incremental, success failure logging), and data destruction processes.
  5. Communications Security - Provide a description of network-based firewalls, including rules and periodic log review frequency.
  6. Host-based Security - This part of the plan should include frequent log review, file system integrity checking and intrusion monitoring by a responsible person.
  7. Physical Security - Protecting physical access would include resources such as a separate room(s) with limited access that can be kept locked and alarmed, the disabling of external ports, and limiting access to console/BIOS.
  8. Managerial Controls - This part of the policy would describe the method used to remove access authorizations for users who have terminated employment and performing background checks for employees that will have access to restricted data or essential data. An escalation procedure including system analysis procedures should be in place that could be instituted if violations of IS-3 occur.
  9. Disaster recovery - A disaster recovery plan must be in place for systems containing essential data. This would provide a contingency plan to recover in the event of a catastrophic event, including chain of responsibility, action items, and recovery plans.

To register your protected, HIPAA and or Sensitive Research Data, send email to the Responsible Administrative Official and C&C, indicating the system name/ip address of system(s) containing the sensitive data with a copy of the security plan. These systems will need to have a yearly audit completed by the system and data administrator.

More Information 

General Campus Information

University of California, Riverside
900 University Ave.
Riverside, CA 92521
Tel: (951) 827-1012

Department Information

Computing & Communications
Computing & Communications Bldg.

Tel: (951) 827-4741
Fax: (951) 827-4541