UCSF 650-16 Addendum B - UCSF Minimum Security Standards for Electronic Information Resources

<!DOCTYPE html> <html lang="en" dir="ltr" prefix="og: https://ogp.me/ns#"> <head> <meta charset="utf-8" /> <meta name="description" content="Effective Date: December 2007, Updated February 2025" /> <link rel="canonical" href="https://it.ucsf.edu/standards-and-guidelines/ucsf-650-16-addendum-b-ucsf-minimum-security-standards-electronic-information" /> <meta name="google-site-verification" content="xEaB4dnmBmiRU7eUe_PAFXLsD1MjDF2dg4vZUgP1W0U" /> <meta name="Generator" content="Drupal 10 (https://www.drupal.org)" /> <meta name="MobileOptimized" content="width" /> <meta name="HandheldFriendly" content="true" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta itemprop="acquia_lift:content_title" content="UCSF 650-16 Addendum B - UCSF Minimum Security Standards for Electronic Information Resources" /> <meta itemprop="acquia_lift:content_type" content="policy" /> <meta itemprop="acquia_lift:page_type" content="node page" /> <meta itemprop="acquia_lift:context_language" content="en" /> <meta itemprop="acquia_lift:content_section" content="" /> <meta itemprop="acquia_lift:content_keywords" content="" /> <meta itemprop="acquia_lift:post_id" content="5520" /> <meta itemprop="acquia_lift:content_uuid" content="9ddc9241-e8b4-4cfb-bf9c-5f7c542ae9a5" /> <meta itemprop="acquia_lift:published_date" content="1581727541" /> <meta itemprop="acquia_lift:persona" content="" /> <meta itemprop="acquia_lift:engagement_score" content="1" /> <meta itemprop="acquia_lift:account_id" content="UCSF_IT" /> <meta itemprop="acquia_lift:site_id" content="prod-sherpa" /> <meta itemprop="acquia_lift:liftAssetsURL" content="https://lift3assets.lift.acquia.com/stable" /> <meta itemprop="acquia_lift:bootstrapMode" content="auto" /> <meta itemprop="acquia_lift:contentReplacementMode" content="trusted" /> <meta itemprop="acquia_lift:cdfVersion" content="1" /> <script src="https://lift3assets.lift.acquia.com/stable/lift.js" async></script> <link rel="icon" href="/themes/custom/its_default/favicon.ico" type="image/vnd.microsoft.icon" /> <title>UCSF 650-16 Addendum B - UCSF Minimum Security Standards for Electronic Information Resources | UCSF IT</title> <link rel="stylesheet" media="all" href="/sites/it.ucsf.edu/files/css/css_FBBRL_qmni-VFlN0kJYFaDjoTloDYxzHHT9AzmdfXak.css?delta=0&language=en&theme=its_default&include=eJxVjutyAyEIhV-I6CPtsIqGDkpGMNvt09d2tp3kD7cDHwfNyDfuH5RcR0xmYZ8ia1b4kwyKdseDTBvFlzrYs4IRjnTfcLombY91RNHvtNTGnRtKWDhIOijmMR-rf10FO82pxR2NIAmanW91IzOsdAG6jgXkLwJ22zIVnOKxiu4oN_NTuNc36cfs7XILB-1lAeKVQ2YUrfBkOiz-xtA0T_l_3jUTFMG6Ydf-5-Ub1bZ1rw" /> <link rel="stylesheet" media="all" href="/sites/it.ucsf.edu/files/css/css_mrWG7NuQ1tD6GmDgsPzDrhMGBsjRLZg3ZQfxi38TDRE.css?delta=1&language=en&theme=its_default&include=eJxVjutyAyEIhV-I6CPtsIqGDkpGMNvt09d2tp3kD7cDHwfNyDfuH5RcR0xmYZ8ia1b4kwyKdseDTBvFlzrYs4IRjnTfcLombY91RNHvtNTGnRtKWDhIOijmMR-rf10FO82pxR2NIAmanW91IzOsdAG6jgXkLwJ22zIVnOKxiu4oN_NTuNc36cfs7XILB-1lAeKVQ2YUrfBkOiz-xtA0T_l_3jUTFMG6Ydf-5-Ub1bZ1rw" /> <link rel="stylesheet" media="all" href="/sites/it.ucsf.edu/files/css/css_xKSbp5cPSWe-Io6Tw18ONmCTBf_DQL5aL8avjxAqkEA.css?delta=2&language=en&theme=its_default&include=eJxVjutyAyEIhV-I6CPtsIqGDkpGMNvt09d2tp3kD7cDHwfNyDfuH5RcR0xmYZ8ia1b4kwyKdseDTBvFlzrYs4IRjnTfcLombY91RNHvtNTGnRtKWDhIOijmMR-rf10FO82pxR2NIAmanW91IzOsdAG6jgXkLwJ22zIVnOKxiu4oN_NTuNc36cfs7XILB-1lAeKVQ2YUrfBkOiz-xtA0T_l_3jUTFMG6Ydf-5-Ub1bZ1rw" /> <script src="https://kit.fontawesome.com/051d69e97e.js" defer crossorigin="anonymous"></script> </head> <body class="page-node-5520 path-node page-node-type-policy"> <a href="#main-content" class="visually-hidden focusable skip-link"> Skip to main content </a> <div class="dialog-off-canvas-main-canvas" data-off-canvas-main-canvas> <div class="layout-container app"> <header class="bg-coral" data-search-and-menu-visibility> <section class="topnavbar"> <div class="container"> <nav> <a href="http://www.ucsf.edu" target="_blank" class="">University of California San Francisco</a> <a href="https://giving.ucsf.edu" target="_blank" class="header-give hide-mobile">Give to UCSF</a> </nav> </div> </section> <div class="main-navigation"> <div class="container"> <div class="flex-grid"> <a href="/" aria-current="page" class="router-link-exact-active router-link-active"> <div class="site-title"> <h1>UCSF IT Technology</h1> </div> </a> <div class="navbar"> <nav role="navigation" aria-labelledby="block-mainnavigation-menu" id="block-mainnavigation" class="block block-menu navigation menu--main"> <h2 class="visually-hidden" id="block-mainnavigation-menu">Main navigation</h2> <ul class="menu menu-top-level"> <li class="menu-item menu-item--expanded dropdown-menu-parent"> <a href="/status" data-drupal-link-system-path="node/108351">Status</a> <svg aria-hidden="true" focusable="false" data-prefix="far" data-icon="chevron-down" role="presentation" xmlns="http://www.w3.org/2000/svg" viewbox="0 0 448 512" class="icon svg-inline--fa fa-chevron-down fa-w-14"> <path fill="currentColor" d="M441.9 167.3l-19.8-19.8c-4.7-4.7-12.3-4.7-17 0L224 328.2 42.9 147.5c-4.7-4.7-12.3-4.7-17 0L6.1 167.3c-4.7 4.7-4.7 12.3 0 17l209.4 209.4c4.7 4.7 12.3 4.7 17 0l209.4-209.4c4.7-4.7 4.7-12.3 0-17z" class=""></path> </svg> <ul class="dropdown-menu"> <li class="menu-item dropdown-menu-item"> <a href="/ucsf-security-update-announcements" data-drupal-link-system-path="node/117061">Security Announcements</a> </li> </ul> </li> <li class="menu-item menu-item--expanded dropdown-menu-parent"> <a href="/services" data-drupal-link-system-path="node/108356">Services</a> <svg aria-hidden="true" focusable="false" data-prefix="far" data-icon="chevron-down" role="presentation" xmlns="http://www.w3.org/2000/svg" viewbox="0 0 448 512" class="icon svg-inline--fa fa-chevron-down fa-w-14"> <path fill="currentColor" d="M441.9 167.3l-19.8-19.8c-4.7-4.7-12.3-4.7-17 0L224 328.2 42.9 147.5c-4.7-4.7-12.3-4.7-17 0L6.1 167.3c-4.7 4.7-4.7 12.3 0 17l209.4 209.4c4.7 4.7 12.3 4.7 17 0l209.4-209.4c4.7-4.7 4.7-12.3 0-17z" class=""></path> </svg> <ul class="dropdown-menu"> <li class="menu-item dropdown-menu-item"> <a href="https://one.ucsf.edu">Projects</a> </li> </ul> </li> <li class="menu-item"> <a href="/how-to" data-drupal-link-system-path="node/108361">How To</a> </li> <li class="menu-item"> <a href="/news-events" data-drupal-link-system-path="node/132106">News & Events</a> </li> <li class="menu-item"> <a href="/about-us" title="About UCSF IT" data-drupal-link-system-path="node/108071">About Us</a> </li> <li> <a href="/saml_login?destination=/standards-and-guidelines/ucsf-650-16-addendum-b-ucsf-minimum-security-standards-electronic-information" class="user"> <svg aria-hidden="true" focusable="false" data-prefix="far" data-icon="user-alt" role="presentation" xmlns="http://www.w3.org/2000/svg" viewbox="0 0 512 512" class="svg-inline--fa fa-user-alt fa-w-16"> <path fill="currentColor" d="M384 336c-40.6 0-47.6-1.5-72.2 6.8-17.5 5.9-36.3 9.2-55.8 9.2s-38.3-3.3-55.8-9.2c-24.6-8.3-31.5-6.8-72.2-6.8C57.3 336 0 393.3 0 464v16c0 17.7 14.3 32 32 32h448c17.7 0 32-14.3 32-32v-16c0-70.7-57.3-128-128-128zm80 128H48c0-21.4 8.3-41.5 23.4-56.6C86.5 392.3 106.6 384 128 384c41.1 0 41-1.1 56.8 4.2 23 7.8 47 11.8 71.2 11.8 24.2 0 48.2-4 71.2-11.8 15.8-5.4 15.7-4.2 56.8-4.2 44.1 0 80 35.9 80 80zM256 320c88.4 0 160-71.6 160-160S344.4 0 256 0 96 71.6 96 160s71.6 160 160 160zm0-272c61.8 0 112 50.2 112 112s-50.2 112-112 112-112-50.2-112-112S194.2 48 256 48z" class=""></path> </svg> Log In </a> </li> </ul> </nav> <div id="global-search-dropdown" class=""> <div class="search-icon"> <div> <span class="visually-hidden">Open</span> <span class="visually-hidden">Close</span> <span class="hide-mobile">Search</span> </div> </div> <div class="search--dropdown"> <form action="/search" accept-charset="utf-8" method="get" autocomplete="off" class="search"> <label for="header-search" class="search__label">Small screen search</label> <input type="text" name="search" value="" placeholder="Search services, how-to articles, other IT information" class="search__input"> <input type="submit" value="Search" class="search__submit"> </form> </div> </div> <div class="toggle-nav"> <span class="visually-hidden">Open menu</span> </div> </div> </div> </div> </div> <div class="give-mobile"> <a href="https://giving.ucsf.edu" class="give">Give to UCSF</a> </div> </header> <div class="region-breadcrumb"> <div id="block-breadcrumbs" class="block block-system block-system-breadcrumb-block"> <div class="content"> <nav role="navigation" aria-labelledby="system-breadcrumb"> <h2 id="system-breadcrumb" class="visually-hidden">Breadcrumb</h2> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/standards-and-guidelines">Standards and Guidelines</a></li> <li class="breadcrumb-item">UCSF 650-16 Addendum B - UCSF Minimum Security Standards For Electronic Information Resources</li> </ol> </nav> </div> </div> </div> <main role="main"> <a id="main-content" tabindex="-1"></a> <div class="layout-content content"> <div class="region-content"> <div id="block-its-default-content" class="block block-system block-system-main-block"> <article data-history-node-id="5520" class="node node--type-policy node--view-mode-full"> <div class="node__content"> <div class="container sidebar-visible"> <main class="page-content"> <div class="privacy-warning"> <div class="iconography"><svg aria-hidden="true" focusable="false" data-prefix="fal" data-icon="eye" role="presentation" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512" class="svg-inline--fa fa-eye fa-w-18"><path fill="currentColor" d="M288 288a64 64 0 0 0 0-128c-1 0-1.88.24-2.85.29a47.5 47.5 0 0 1-60.86 60.86c0 1-.29 1.88-.29 2.85a64 64 0 0 0 64 64zm284.52-46.6C518.29 135.59 410.93 64 288 64S57.68 135.64 3.48 241.41a32.35 32.35 0 0 0 0 29.19C57.71 376.41 165.07 448 288 448s230.32-71.64 284.52-177.41a32.35 32.35 0 0 0 0-29.19zM288 96a128 128 0 1 1-128 128A128.14 128.14 0 0 1 288 96zm0 320c-107.36 0-205.46-61.31-256-160a294.78 294.78 0 0 1 129.78-129.33C140.91 153.69 128 187.17 128 224a160 160 0 0 0 320 0c0-36.83-12.91-70.31-33.78-97.33A294.78 294.78 0 0 1 544 256c-50.53 98.69-148.64 160-256 160z" class=""></path></svg></div> <p class="viewable-by">This content is viewable by <span class="">Everyone</span></p> </div> <p class="page-label"><span class="rectangle"></span><span class="label-text">Standard</span></p> <div class="row page-title"> <h1>UCSF 650-16 Addendum B - UCSF Minimum Security Standards for Electronic Information Resources</h1> </div> <div class="block block-layout-builder block-extra-field-blocknodepolicyflag-save"> <p class="flag flag-anon-message flag-save js-flag-save-5520 action-flag"> <span class="label" data-selector=".flag-anon-save-5520"><span class="far fa-bookmark"></span> Save</span> <p title="Want to save this page for later?" class="flag-anon-message flag-anon-save-5520" style="display:none"><a href="/saml_login?flag_anon=save-5520&destination=/standards-and-guidelines/ucsf-650-16-addendum-b-ucsf-minimum-security-standards-electronic-information">Log in via MyAccess to save</a>.</p> </p> </div> <div class="row"> <ul class="list-group"> <li class="list-group-item"> </li> </ul> </div> <div class="row"> <ul class="list-group"> <li class="list-group-item"> <p class="field field--name-field-impacted-services field--type-entity-reference field--label-above"> <strong class="field__label">Impacted Services</strong> <span><a href="/service/it-security-outreach-and-training" hreflang="en">IT Security Outreach and Training</a> </span> </p> </li> </ul> </div> <div class="wysiwyg-content row"> <div class="field-body"><p>Effective Date: December 2007, Updated February 2025</p><h2>Contents</h2><ol><li>Purpose</li><li>Overview and Scope</li><li>Exception from Minimum Security Standards<ol><li>Exception Requests Covering Legacy Systems</li><li>Compatibility Exemptions</li></ol></li><li>Enforcement</li><li>Minimum Security Standards<ol><li>System Inventory and Protection Level Classification (PLC)</li><li>Transmission of Restricted Information</li><li>Email</li><li>Physical Security</li><li>System Management Agent</li><li>Network Access Control (NAC)</li><li>Anti-Virus</li><li>Host-Based Firewall</li><li>Security Endpoint Detection and Response Agent (EDR)</li><li>Device Encryption</li><li>Authentication</li><li>Passwords</li><li>Software Patch Updates</li><li>Application and Website Security</li><li>Enterprise Vulnerability Management</li></ol></li></ol><h2>Purpose</h2><p>UCSF Policy 650-16, Addendum B, defines a requirement for Minimum Security Standards for IT Resources. This document is a living document that defines the UCSF Minimum Security Standards that all campus IT Resources must comply with.</p><h2>Overview and Scope</h2><p>These standards apply to all units within UCSF, including UCSF Health.</p><p>Non-UCSF devices, including personal computing devices, are expected to meet these standards when used to connect to the UCSF network. For example, a personal computer that accesses the UCSF network through a VPN connection would be expected to meet these standards. Additionally, non-UCSF devices are expected to meet these standards when used to conduct UCSF business, including storing or processing UCSF information.</p><p>The minimum standards in this document are reviewed, updated for applicability, and approved by the Committee on IT Security at least once a year or more often as determined by the UCSF Chief Information Security Officer.</p><h2><a class="ck-anchor" id="exception"></a>Exception from Minimum Security Standards</h2><p>Individuals who believe that their devices or applications are unable to meet UCSF’s Minimum Security Standards must apply for a yearly exception by completing and digitally signing the online form linked below. Upon receiving the completed form with signatures from the individual's department leadership, IT Security will contact you for a consultation. After this consultation the University's Chief Information Security Officer (CISO) will respond to your request.</p><p><a href="https://wiki.library.ucsf.edu/display/ITSI/IT+Security+Exception+Request+Process" target="_blank">Instruction for filling out Security Exception Request Form</a> </p><h3>Exception Requests Covering Legacy Systems</h3><p style="margin-bottom:11px;">If granted, exception requests for an operating system that is no longer supported by the vendor will be for 12 months from the date of approval. All exception requests, including renewals of previous exception requests, must document the controls implemented to mitigate the risk to the system and to UCSF. Failure to renew an exception may result in disconnection from UCSF's network.</p><p>For systems which access to or which store ePHI, departments are advised that this exception documentation and controls should be considered carefully to remain compliant with HIPAA section § 164.308(a)(1)(ii)(B), which requires UCSF to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. Controls are countermeasures to help avoid or minimize security risks. These controls are generally implemented as technologies not directly associated with the system seeking exception from UCSF's Minimum Security Standards.</p><h3>Compatibility Exemptions</h3><p>Systems incompatible with or unsupported by the UCSF-specific tools will be exempted from that requirement(s) of the Minimum Security Standards. Any Compatibility Exemption will be listed by security application and OS in the <a href="https://wiki.library.ucsf.edu/display/ITS/Security+2.0+FAQ">Security 2.0 FAQs</a>.</p><p>For vendor-supported systems and/or appliances residing on the UCSF network where UCSF staff do not have administrative access, the vendor maintaining this system is responsible for adherence to standards. When P3/P4 data is involved in these circumstances, a Business Associates Agreement and/or <a href="https://www.ucop.edu/procurement-services/policies-forms/legal-forms-current/appendix-data-security.pdf">Appendix DS</a> may be required.</p><h3>Enforcement</h3><p>Computing devices found to be non-compliant to these standards and without an exception on file are subject to being disconnected from the UCSF network and prohibited from connecting to UCSF resources.</p><h2>Minimum Security Standards</h2><h3>System Inventory and Protection Level Classifications</h3><p>Systems must be inventoried as a configuration item in the enterprise configuration management database (CMDB); this includes but is not limited to: physical servers, virtual servers, systems, endpoints, networking devices, printers, load balancers, and Virtual IPs (VIP) . This applies to all devices used for UCSF business. Any changes to the system throughout its lifecycle must be recorded in the enterprise CMDB.</p><p>Devices meeting the System Management Agent standard are automatically inventoried. Devices that are incompatible or not supported by the System Management standards can be inventoried and/or their registration updated using the <a href="https://it.ucsf.edu/how-to/cmdb">ServiceNow CMDB</a>.</p><p>Additionally, systems must have their protection level classification set in the enterprise CMDB. UCSF protection level classifications are defined <a href="https://it.ucsf.edu/standard-guideline/ucsf-policy-650-16-addendum-f-ucsf-data-classification-standard">here</a>.</p><h3>Transmission of Restricted Information</h3><p>Restricted and Sensitive Information (P4 and P3 data) that is transmitted over non-UCSF networks must be encrypted. Restricted and Sensitive Information includes, but is not limited to, ePHI and personally identifiable information such as Social Security numbers.</p><p>Transmit P4 and P3 data only when necessary.</p><h3>Email</h3><p>All email that contains electronic Protected Health Information (ePHI) or other Restricted Information must be encrypted if it is addressed outside the UCSF network environment. An existing service is available to accommodate encrypted email at the <a href="https://it.ucsf.edu/how-to/secure-email">Secure Email Procedure Page</a>. </p><p>In accordance with UCSF <a href="https://policies.ucsf.edu/policy/650-18">Campus Administrative Policy 650-18</a>, all business-related email communications by UCSF staff, students, and faculty must be conducted through the UCSF IT enterprise email service. Using non-UCSF email addresses—including personal, departmentally managed, or third-party services not managed by UCSF IT—for UCSF business is prohibited. Additionally, requiring others to use such addresses is not allowed. <span class="EOP SCXP3164050 BCX0" style="-webkit-tap-highlight-color:transparent;-webkit-text-stroke-width:0px;-webkit-user-drag:none;background-color:rgb(231, 238, 246);color:rgb(5, 32, 73);font-family:Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, sans-serif;font-size:16pt;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;letter-spacing:normal;line-height:0px;margin:0px;orphans:2;padding:0px;text-align:left;text-decoration-color:initial;text-decoration-style:initial;text-decoration-thickness:initial;text-indent:0px;text-transform:none;touch-action:pan-x pan-y;user-select:text;white-space:pre-wrap;widows:2;word-spacing:0px;"></span></p><h3>Physical Security</h3><p>Unauthorized physical access to an unattended device (including mobile devices) can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. Whenever possible and appropriate, devices must be configured to "lock" and require a user to re-authenticate if left unattended for more than 20 minutes.</p><p>Computing devices that are left unattended must be located in locked areas or otherwise physically secured (e.g., with a cable lock).</p><h3>System Management Agent</h3><p>In order to inventory computers and enable basic security compliance, users must install system management software provided by IT. This applies to both UCSF-owned and non-UCSF-owned endpoints.</p><p>The system management software uses BigFix and is available through the <a href="https://software.ucsf.edu/">UCSF IT Software Download Page</a>.</p><h3>Network Access Control (NAC)</h3><p>In order to identify computers connected to the UCSF network, assess endpoint security compliance, and prevent unauthorized computers from connecting to the UCSF network, users must install network access control software provided by IT. This applies to both UCSF-owned and non-UCSF-owned endpoints.</p><p>The network access control software, SecureConnector, is available through the <a href="https://software.ucsf.edu/">UCSF IT Software Download Page</a>. More information is available at the <a href="https://nac.ucsf.edu/">NAC Overview</a>.</p><h3>Anti-Virus Software</h3><p>Anti-virus software must be active with current anti-virus signatures on computing devices connected to the network including laptop computers, desktop computers, and servers, except where there are significant compensating controls that would prevent virus infiltration.</p><p>IT currently has a contract with Symantec by Broadcom to provide anti-virus software as part of the Symantec Endpoint Protection (SEP) solution bundled with host-based firewall and IPS, available on the <a href="https://software.ucsf.edu/">UCSF IT Software Download Page</a>.</p><h3>Host-Based Firewall Software</h3><p>Firewalls that run on desktops, laptops, and servers are often referred to as host-based and/or personal firewalls. Host-based firewall software (if available for the platform) must be running and configured on networked computing devices, including laptop computers, desktop computers, and servers. While the use of departmental network firewalls is encouraged, they do not necessarily obviate the need for host-based firewalls.</p><p>IT currently has a contract with Symantec by Broadcom to provide host-based firewall software as part of the Symantec Endpoint Protection (SEP) solution bundled with anti-virus and host-based IPS, available on the <a href="https://software.ucsf.edu/">UCSF IT Software Download Page</a>.</p><h3>Security Endpoint Detection and Response Agent (EDR)</h3><p>In order to provide advanced protection monitoring and response capabilities, users must install the security endpoint detection and response agent provided by IT. This applies to both UCSF-owned and non-UCSF-owned endpoints.</p><p>The IT supported/integrated endpoint detection and response (EDR) agent is delivered through the system management software (BigFix). More information about the EDR agent is available at the <a href="https://it.ucsf.edu/service/endpoint-detection-and-response">EDR Service Page</a>.</p><h3>Device Encryption</h3><p>Given the prevalence of restricted data in the UCSF environment, all endpoints (desktops, laptops, and mobile devices including smartphones and tablets) used for UCSF business must be encrypted. This applies to both UCSF-owned and non-UCSF-owned endpoints.</p><p>Encryption keys must be securely escrowed to allow emergency access when approved by the CISO. Units or Individuals within UCSF who cannot use an IT-prescribed method of key escrow due to technical or business requirements must submit their key as prescribed by the <a href="https://it.ucsf.edu/service/proof-encryption">Proof of Encryption Service Page</a>.</p><p>Servers that store or process restricted information must be encrypted or have compensating security controls, such as those found in UCSF data centers.<br><br>IT provides encryption software for laptops and desktops at the <a href="https://it.ucsf.edu/how-to/encrypt-your-computer-not-supported-itfs">How to Encrypt Your Computer Page</a>.</p><p>Mobile devices must be connected to the UCSF Exchange/O365 email server with either Intune mobile device management (using Microsoft Intune Company Portal) or Intune mobile application management (MAM using Microsoft Authenticator) , which enforces the required security settings. More information regarding connecting your mobile device can be found at the <a href="https://it.ucsf.edu/how-to/email-mobile">Mobile Device Email Page</a>.  <br><br>Those who believe they need an exception to this device encryption standard due to a hardware or software incompatibility must submit a computer encryption waiver at the <a href="https://it.ucsf.edu/how-to/request-device-encryption-waiver" title="Request a Device Encryption Waiver">Request a Device Encryption Waiver Page</a>.</p><h3>Authentication</h3><p>All forms of authentication must use adequate encryption to protect against unauthorized access to login credentials, such as user accounts and passwords. Use of unencrypted authentication is prohibited. UCSF also requires MFA for administrative access to servers. Multi-Factor Authentication (MFA) is required in circumstances dictated by the <a href="https://security.ucop.edu/files/documents/policies/account-and-authentication-management-standard.pdf">UC Account and Authentication Management Standard</a>.</p><h3>Passwords</h3><p>Campus electronic communication systems or services must identify users and authorize access by means of passwords or other secure authentication processes. Shared-access systems must enforce the <a href="https://it.ucsf.edu/standard-guideline/unified-ucsf-enterprise-password-standard" title="Unified UCSF Enterprise Password Standard">Unified UCSF Enterprise Password Standard</a> whenever possible. Shared-access systems must, whenever possible and appropriate, require that users change any pre-assigned passwords immediately upon initial access to the account.</p><p>All default passwords for access to network-accessible devices must be modified. Passwords used by system administrators for their personal access to a service or device must not be the same as those used for privileged access to any service or device.</p><p>Privileged administrator accounts with access to sensitive Windows systems should use passphrases that are 15 or more characters.</p><h3>Software Patch Updates</h3><p>Networked computing devices must be kept updated with the most recent applicable security patches. Departments should document and implement a process to apply security patches in a timely fashion. Exceptions may be made for patches that compromise the usability of critical applications; these exceptions should be documented.</p><h3>Application and Website Security</h3><p>Application and website owners are responsible to ensure that applications and sites are secure, and must conduct periodic vulnerability assessments of these applications and sites. More information regarding secure coding best practices and vulnerability scanning services can be found at the <a href="https://it.ucsf.edu/service/application-and-website-security">Application and Website Security Page</a>.</p><h3>Enterprise Vulnerability Management</h3><p paraeid="{a214cbb0-cf25-42e7-83d6-f9805305da9c}{203}" paraid="1013663260">Systems connected to the UCSF network are scanned for vulnerabilities by IT Security regularly. System owners must not block or otherwise impede UCSF enterprise vulnerability scanning tools from accessing their systems.  </p><p paraeid="{a214cbb0-cf25-42e7-83d6-f9805305da9c}{239}" paraid="681246149">Authenticated vulnerability scans are required for all Internet-accessible systems, all servers in UCSF Enterprise IT data centers, and internal servers that are classified as PLC P3 or P4.   </p><p paraeid="{3f868cfb-d573-40b3-90e1-92dab3c0faf2}{28}" paraid="1560684477">System owners must mitigate vulnerabilities within the timelines below. Timelines are based on exposure, vulnerability criticality, and protection level classification. The remediation timeline begins with the announcement or discovery of a vulnerability.  </p><p paraeid="{3f868cfb-d573-40b3-90e1-92dab3c0faf2}{74}" paraid="664639508">IT security may elevate the severity of certain serious vulnerabilities based on threat intelligence and real-world exploitation activity. These situations will be uncommon, and IT Security will communicate the severity escalation. See the following link for more information about <a href="https://it.ucsf.edu/standard-guideline/urgent-and-emergency-vulnerability-remediation">Urgent and Emergency Vulnerability Remediation</a>.</p><h4 paraeid="{3f868cfb-d573-40b3-90e1-92dab3c0faf2}{100}" paraid="807605285"><strong>Definitions </strong></h4><p paraeid="{3f868cfb-d573-40b3-90e1-92dab3c0faf2}{106}" paraid="776255561">Internet-accessible - systems and applications that are accessible from outside the UCSF network. This includes directly exposed systems, systems behind an internet-accessible load balancer or proxy, or servers residing in an internet accessible network zone </p><p paraeid="{3f868cfb-d573-40b3-90e1-92dab3c0faf2}{150}" paraid="107386938">Severity – classification based on the industry standard Common Vulnerability Scoring System (CVSS) score </p><p paraeid="{3f868cfb-d573-40b3-90e1-92dab3c0faf2}{174}" paraid="2006424407">Remediation – activities that mitigate the impact of vulnerability exploitation. Remediation methods may include (but are not limited to): </p><ul role="list"><li aria-setsize="-1" data-aria-level="1" data-aria-posinset="1" data-font="Symbol" data-leveltext="" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="3" role="listitem"><p paraeid="{3f868cfb-d573-40b3-90e1-92dab3c0faf2}{194}" paraid="1883421546">Patching/Updating (most common method) </p></li><li aria-setsize="-1" data-aria-level="1" data-aria-posinset="2" data-font="Symbol" data-leveltext="" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="3" role="listitem"><p paraeid="{3f868cfb-d573-40b3-90e1-92dab3c0faf2}{203}" paraid="1013853223">Limiting or removing network access </p></li><li aria-setsize="-1" data-aria-level="1" data-aria-posinset="3" data-font="Symbol" data-leveltext="" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="3" role="listitem"><p paraeid="{3f868cfb-d573-40b3-90e1-92dab3c0faf2}{210}" paraid="1740585605">User input sanitization </p></li><li aria-setsize="-1" data-aria-level="1" data-aria-posinset="4" data-font="Symbol" data-leveltext="" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="3" role="listitem"><p paraeid="{3f868cfb-d573-40b3-90e1-92dab3c0faf2}{217}" paraid="1044978361">Other documented vendor mitigation </p></li><li aria-setsize="-1" data-aria-level="1" data-aria-posinset="5" data-font="Symbol" data-leveltext="" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="3" role="listitem"><p paraeid="{3f868cfb-d573-40b3-90e1-92dab3c0faf2}{230}" paraid="1953456444">Short-term deferral (approval required) </p></li></ul><p paraeid="{3f868cfb-d573-40b3-90e1-92dab3c0faf2}{237}" paraid="1099399174"><strong>Internet-Accessible Vulnerability Mitigation Timeline (calendar days) </strong></p><ul role="list"><li aria-setsize="-1" data-aria-level="1" data-aria-posinset="1" data-font="Symbol" data-leveltext="" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="2" role="listitem"><p paraeid="{3f868cfb-d573-40b3-90e1-92dab3c0faf2}{255}" paraid="268497400">Critical severity – 7 days </p></li><li aria-setsize="-1" data-aria-level="1" data-aria-posinset="2" data-font="Symbol" data-leveltext="" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="2" role="listitem"><p paraeid="{ddc52ec0-ddd9-4c46-9836-a66e279942a9}{15}" paraid="834137746">High severity – 14 days  </p></li><li aria-setsize="-1" data-aria-level="1" data-aria-posinset="3" data-font="Symbol" data-leveltext="" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="2" role="listitem"><p paraeid="{ddc52ec0-ddd9-4c46-9836-a66e279942a9}{26}" paraid="515409820">Medium severity – 30 days </p></li></ul><p paraeid="{ddc52ec0-ddd9-4c46-9836-a66e279942a9}{37}" paraid="684241627"><strong>Internal-Only Vulnerability Mitigation Timeline (calendar days) </strong></p><ul role="list"><li aria-setsize="-1" data-aria-level="1" data-aria-posinset="1" data-font="Symbol" data-leveltext="" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="2" role="listitem"><p paraeid="{ddc52ec0-ddd9-4c46-9836-a66e279942a9}{57}" paraid="20601762">Critical severity – 30 days </p></li><li aria-setsize="-1" data-aria-level="1" data-aria-posinset="2" data-font="Symbol" data-leveltext="" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="2" role="listitem"><p paraeid="{ddc52ec0-ddd9-4c46-9836-a66e279942a9}{68}" paraid="920258056">High severity – 30 days  </p></li><li aria-setsize="-1" data-aria-level="1" data-aria-posinset="3" data-font="Symbol" data-leveltext="" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="2" role="listitem"><p paraeid="{ddc52ec0-ddd9-4c46-9836-a66e279942a9}{79}" paraid="1697002209">Medium severity – 45 days </p></li></ul><h2> </h2></div> </div> <div class="row"> <div class="ownership-well"> <ul class="list-group"> <li class="list-group-item"> <strong class="field__label">Owning Team: </strong> <a href="/directory/team/it-security" hreflang="en">IT Security</a> </li> <li class="list-group-item"></li> </ul> </div> </div> <div class="row"> <div class="related-content"> <div class="row"> <div class="related-content-title"> <h2 class="title">Related Information</h2><div class="flare"></div> </div> <ul class="list-group"> <li class="list-group-item list-group-title"><a href="/standards-and-guidelines/best-practices-application-and-website-security" hreflang="en">Best Practices for Application and Website Security</a></li> <li class="list-group-item list-group-title"><a href="/standards-and-guidelines/ucsf-it-security-cloud-computing-guidance-cloud-service-basics" hreflang="en">UCSF IT Security Cloud Computing Guidance - Cloud Service Basics</a></li> <li class="list-group-item list-group-title"><a href="/how-to/manage-your-ucsf-password" hreflang="en">Manage Your UCSF Password</a></li> <li class="list-group-item list-group-title"><a href="/standards-and-guidelines/unified-ucsf-enterprise-password-standard" hreflang="en">Unified UCSF Enterprise Password Standard</a></li> <li class="list-group-item list-group-title"><a href="/how-to/how-determine-your-computer-encryption-status" hreflang="en">How to Determine Your Computer Encryption Status</a></li> <li class="list-group-item list-group-title"><a href="/how-to/device-encryption" hreflang="en">Device Encryption</a></li> </ul> </div> <div class="views-element-container block block-views block-views-blockrelated-news-block-1"> <div><div class="view view-related-news view-id-related_news view-display-id-block_1 js-view-dom-id-cef538748b9ae32b7ba8b300acbe34224084e16f9100117ebe8ade799e3201a6"> <div class="view-header"> <div class="related-content-title"><h2 class="title">Related News</h2><div class="flare"></div></div> </div> <div class="view-content"> <div> <ul class="list-group"> <li class="list-group-item list-group-title"><div class="views-field views-field-title"><span class="field-content"><a href="/news-events/news/follow-uc-and-ucsf-it-security-policies-protect-ucsfs-patients-research-learners" hreflang="en">Follow UC and UCSF IT Security Policies to Protect UCSF’s Patients, Research, Learners, and Employees</a></span></div><span class="views-field views-field-uid"><span class="field-content">Esther Silver</span></span>/<span class="views-field views-field-field-news-date"><span class="field-content">Tuesday, May 14, 2024</span></span></li> <li class="list-group-item list-group-title"><div class="views-field views-field-title"><span class="field-content"><a href="/news-events/news/new-feature-when-setting-university-managed-macs" hreflang="en">New Feature When Setting Up University-Managed Macs</a></span></div><span class="views-field views-field-uid"><span class="field-content">David Ng</span></span>/<span class="views-field views-field-field-news-date"><span class="field-content">Thursday, April 18, 2024</span></span></li> <li class="list-group-item list-group-title"><div class="views-field views-field-title"><span class="field-content"><a href="/news-events/news/follow-uc-policies-meet-regulatory-requirements" hreflang="en">Follow UC Policies to Meet Regulatory Requirements</a></span></div><span class="views-field views-field-uid"><span class="field-content">Esther Silver</span></span>/<span class="views-field views-field-field-news-date"><span class="field-content">Wednesday, May 17, 2023</span></span></li> </ul> </div> </div> </div> </div> </div> </div> </div> </main> <aside class="sidebar"> <div class="mobile-sidebar-controls"><div class="toggle-sidebar"></div><span>Section Menu</span></div> <div class="views-element-container block block-views block-views-blockhierarchical-sidebar-content--block-3"> <div><div class="view view-hierarchical-sidebar-content- view-id-hierarchical_sidebar_content_ view-display-id-block_3 js-view-dom-id-b72fda4964e0dcc44edc888a3e0954a87370e780ff8aa973e3f500ac97e1a2a0"> <div class="view-content"> <div><div class="views-field views-field-title sidebar-menu"><div class="field-content menu-heading">IT Security Outreach and Training</div></div> <div><ul class="sidebar-menu"><li><a class="depth-0" href="/how-to/information-security-everyones-responsibility">Information Security Is Everyone's Responsibility </a> </li><li><a class="depth-0" href="/how-to/it-security-awareness-stay-sharp-stay-safe">IT Security Awareness - Stay Sharp to Stay Safe</a> </li><li><a class="depth-0" href="/how-to/it-security-and-awareness-champion-program-overview">IT Security and Awareness Champion Program: Overview</a> </li><li><a class="depth-0" href="/how-to/view-it-security-awareness-videos">View IT Security Awareness Videos</a> </li><li><a class="depth-0" href="/how-to/request-it-security-awareness-posters">Request IT Security Awareness Posters</a> </li><li><a class="depth-0" href="/how-to/it-security-orientations-and-education">IT Security Orientations and Education</a> </li><li><a class="depth-0" href="/how-to/it-security-educational-meetings-and-webinars">IT Security Educational Meetings and Webinars</a> </li><li><a class="depth-0" href="/how-to/advanced-it-security-training-ucsf-learning-management-system">Advanced IT Security Training on the UCSF Learning Management System</a> </li></ul></div></div> </div> </div> </div> </div> </aside> </div> </div> </article> </div> </div> </div> </main> <footer class="global-footer" role="contentinfo"> <div class="container-lg"> <div class="flex-row"> <div class="col"> <figure class="logo"> <a href="/" aria-current="page" class="logo__link" title="Home" rel="home"> <picture class="logo__image"> <img src="/themes/custom/its_default/img/ucsf-it-logo-white.svg" alt="Home" class="logo__img"> </picture> </a> </figure> </div> <div class="col"> <div class="region-footer-col1"> <nav role="navigation" aria-labelledby="block-footercol1-menu" id="block-footercol1" class="block block-menu navigation menu--footer-col-1"> <h2 class="visually-hidden" id="block-footercol1-menu">Footer Col 1</h2> <ul class="menu"> <li class="menu-item"> <a href="/status">Status </a> </li> <li class="menu-item"> <a href="/services">Services </a> </li> <li class="menu-item"> <a href="/how-to">How To </a> </li> <li class="menu-item"> <a href="/news-events">News & Events </a> </li> </ul> </nav> </div> </div> <div class="col"> <div class="region-footer-col2"> <nav role="navigation" aria-labelledby="block-footercol2-menu" id="block-footercol2" class="block block-menu navigation menu--footer-col-2"> <h2 class="visually-hidden" id="block-footercol2-menu">Footer Col 2</h2> <ul class="menu"> <li class="menu-item"> <a href="/about-us">About </a> </li> <li class="menu-item"> <a href="/directory">IT Directory </a> </li> <li class="menu-item"> <a href="/standard-guideline">Standards & Guidelines </a> </li> </ul> </nav> </div> </div> <div class="col"> <div class="region-footer-col3"> <nav role="navigation" aria-labelledby="block-footercol3-menu" id="block-footercol3" class="block block-menu navigation menu--footer-col-3"> <h2 class="visually-hidden" id="block-footercol3-menu">Footer Col 3</h2> <li class="menu-item"> <a href="https://help.ucsf.edu">Get Help</a> </li> <li class="menu-item"> <a href="https://recognize.ucsf.edu">Recognize IT Staff</a> </li> </nav> </div> <div class="modal-wrapper" data-sn-modal> <div role="dialog" aria-labelledby="modal-title" aria-modal="true" class="modal" style="z-index: 10;"> <div class="service-now-modal"> <button aria-label="close reveal" role="button" tabindex="0" class="close-modal"> <svg aria-hidden="true" focusable="false" data-prefix="far" data-icon="times" role="presentation" xmlns="http://www.w3.org/2000/svg" viewbox="0 0 320 512" class="svg-inline--fa fa-times fa-w-10"> <path fill="currentColor" d="M207.6 256l107.72-107.72c6.23-6.23 6.23-16.34 0-22.58l-25.03-25.03c-6.23-6.23-16.34-6.23-22.58 0L160 208.4 52.28 100.68c-6.23-6.23-16.34-6.23-22.58 0L4.68 125.7c-6.23 6.23-6.23 16.34 0 22.58L112.4 256 4.68 363.72c-6.23 6.23-6.23 16.34 0 22.58l25.03 25.03c6.23 6.23 16.34 6.23 22.58 0L160 303.6l107.72 107.72c6.23 6.23 16.34 6.23 22.58 0l25.03-25.03c6.23-6.23 6.23-16.34 0-22.58L207.6 256z" class=""></path> </svg> </button> <h1 id="modal-title">Submit a Support Inquiry</h1> <p>For emergencies and high priority issues please call the IT Service Desk (415) 514-4100</p> <p class="validation-message"></p> <form> <div class="description-radios"> <div class="radio"> <input name="u_short_description" type="radio" id="one" value="The content on this page has an error…" checked> <label for="one">The content on this page has an error…</label> </div> <div class="radio"> <input name="u_short_description" type="radio" id="two" value="The page doesn’t work right…"> <label for="two">The page doesn’t work right…</label> </div> </div> <div class="description-custom" hidden> <label for="u_short_description">Short Description</label> <div> <input type="text" id="u_short_description" name="u_short_description" disabled required/> </div> </div> <label for="u_long_description">Please provide a detailed description of the issue:</label> <div> <textarea id="u_long_description" name="u_long_description" rows="5" cols="60" required></textarea> </div> <button class="btn btn-secondary" type="submit">Submit</button> </form> </div> </div> <div class="overlay"></div> </div> </div> <div class="col"> <div class="region-footer-social-links"> <nav> <ul class="social-links"> <li> <a href="https://www.facebook.com/ucsf"> <svg aria-hidden="true" focusable="false" data-prefix="fab" data-icon="facebook" role="presentation" xmlns="http://www.w3.org/2000/svg" viewbox="0 0 512 512" class="svg-inline--fa fa-facebook fa-w-16"> <path fill="currentColor" d="M504 256C504 119 393 8 256 8S8 119 8 256c0 123.78 90.69 226.38 209.25 245V327.69h-63V256h63v-54.64c0-62.15 37-96.48 93.67-96.48 27.14 0 55.52 4.84 55.52 4.84v61h-31.28c-30.8 0-40.41 19.12-40.41 38.73V256h68.78l-11 71.69h-57.78V501C413.31 482.38 504 379.78 504 256z" class=""></path> </svg> <span class="hide-visually-offscreen">Facebook</span> </a> </li> <li> <a href="https://twitter.com/ucsf"> <svg aria-hidden="true" focusable="false" data-icon="twitter" role="presentation" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" class="svg-inline--fa fa-w-16"> <path fill="currentColor" d="M389.2 48h70.6L305.6 224.2 487 464H345L233.7 318.6 106.5 464H35.8L200.7 275.5 26.8 48H172.4L272.9 180.9 389.2 48zM364.4 421.8h39.1L151.1 88h-42L364.4 421.8z"/> </svg> <span class="hide-visually-offscreen">Twitter</span> </a> </li> <li> <a href="https://www.youtube.com/ucsf"> <svg aria-hidden="true" focusable="false" data-prefix="fab" data-icon="youtube" role="presentation" xmlns="http://www.w3.org/2000/svg" viewbox="0 0 576 512" class="svg-inline--fa fa-youtube fa-w-18"> <path fill="currentColor" d="M549.655 124.083c-6.281-23.65-24.787-42.276-48.284-48.597C458.781 64 288 64 288 64S117.22 64 74.629 75.486c-23.497 6.322-42.003 24.947-48.284 48.597-11.412 42.867-11.412 132.305-11.412 132.305s0 89.438 11.412 132.305c6.281 23.65 24.787 41.5 48.284 47.821C117.22 448 288 448 288 448s170.78 0 213.371-11.486c23.497-6.321 42.003-24.171 48.284-47.821 11.412-42.867 11.412-132.305 11.412-132.305s0-89.438-11.412-132.305zm-317.51 213.508V175.185l142.739 81.205-142.739 81.201z" class=""></path> </svg> <span class="hide-visually-offscreen">YouTube</span> </a> </li> <li> <a href="https://www.instagram.com/ucsf/"> <svg aria-hidden="true" focusable="false" data-prefix="fab" data-icon="instagram" role="presentation" xmlns="http://www.w3.org/2000/svg" viewbox="0 0 448 512" class="svg-inline--fa fa-instagram fa-w-14"> <path fill="currentColor" d="M224.1 141c-63.6 0-114.9 51.3-114.9 114.9s51.3 114.9 114.9 114.9S339 319.5 339 255.9 287.7 141 224.1 141zm0 189.6c-41.1 0-74.7-33.5-74.7-74.7s33.5-74.7 74.7-74.7 74.7 33.5 74.7 74.7-33.6 74.7-74.7 74.7zm146.4-194.3c0 14.9-12 26.8-26.8 26.8-14.9 0-26.8-12-26.8-26.8s12-26.8 26.8-26.8 26.8 12 26.8 26.8zm76.1 27.2c-1.7-35.9-9.9-67.7-36.2-93.9-26.2-26.2-58-34.4-93.9-36.2-37-2.1-147.9-2.1-184.9 0-35.8 1.7-67.6 9.9-93.9 36.1s-34.4 58-36.2 93.9c-2.1 37-2.1 147.9 0 184.9 1.7 35.9 9.9 67.7 36.2 93.9s58 34.4 93.9 36.2c37 2.1 147.9 2.1 184.9 0 35.9-1.7 67.7-9.9 93.9-36.2 26.2-26.2 34.4-58 36.2-93.9 2.1-37 2.1-147.8 0-184.8zM398.8 388c-7.8 19.6-22.9 34.7-42.6 42.6-29.5 11.7-99.5 9-132.1 9s-102.7 2.6-132.1-9c-19.6-7.8-34.7-22.9-42.6-42.6-11.7-29.5-9-99.5-9-132.1s-2.6-102.7 9-132.1c7.8-19.6 22.9-34.7 42.6-42.6 29.5-11.7 99.5-9 132.1-9s102.7-2.6 132.1 9c19.6 7.8 34.7 22.9 42.6 42.6 11.7 29.5 9 99.5 9 132.1s2.7 102.7-9 132.1z" class=""></path> </svg> <span class="hide-visually-offscreen">Instagram</span> </a> </li> </ul> </nav> </div> </div> </div><hr><div class="flex-row"> <p>© 2025 The Regents of the University of California</p> </div> </div> </footer> </div> </div> <script type="application/json" data-drupal-selector="drupal-settings-json">{"path":{"baseUrl":"\/","pathPrefix":"","currentPath":"node\/5520","currentPathIsAdmin":false,"isFront":false,"currentLanguage":"en"},"pluralDelimiter":"\u0003","suppressDeprecationErrors":true,"ajaxPageState":{"libraries":"eJxVj1EOAiEMRC-EcKRNFwrWFGpocV1PL9E16k87mZdMZkAVbaF2wWjSQ1T162CeXqY7qosMqntYQfGjK6pC-bImaTLpGFIfV2APwyRKvc6UAzTpFZge6DJDWaBJ-8S4LM1gQ5WK4Ud7vRVHpkvCDIPtxU4H_AOFZQU-qe1MrThF6PG8_JYIdsaZWKnRrOHnSKe7Gtb3rhvhpuF1fZU0GN2Ga56dw_F9ImApT4cdda8","theme":"its_default","theme_token":null},"ajaxTrustedUrl":[],"component":{"plugins":[]},"search_autocomplete":{"service_search":{"source":"\/callback\/nodes","selector":"#service-list-search","minChars":2,"maxSuggestions":10,"autoSubmit":true,"autoRedirect":false,"theme":"minimal","filters":["q","title"],"noResult":{"group":{"group_id":"no_results"},"label":"No results found for [search-phrase]. Click to perform full search.","value":"[search-phrase]","link":""},"moreResults":{"group":{"group_id":"more_results"},"label":"View all results for [search-phrase].","value":"[search-phrase]","link":""}}},"css_js_query_string":"sromso","webform":{"dialog":{"options":{"narrow":{"title":"Narrow","width":600},"normal":{"title":"Normal","width":800},"wide":{"title":"Wide","width":1000}},"entity_type":"node","entity_id":"5520"}},"user":{"uid":0,"permissionsHash":"f4bc137c3b0e0417208499cfcce574068aa7e6d23310565c0f8c756bdf849489"}}</script> <script src="/sites/it.ucsf.edu/files/js/js_VrRdbqTfEA4XKKuZkwgd1OFu9IGC8g79MSKEnM9KiIc.js?scope=footer&delta=0&language=en&theme=its_default&include=eJxVjutyAyEIhV-I6CPtsIqGDkpGMNvt09d2tp3kD7cDHwfNyDfuH5RcR0xmYZ8ia1b4kwyKdseDTBvFlzrYs4IRjnTfcLombY91RNHvtNTGnRtKWDhIOijmMR-rf10FO82pxR2NIAmanW91IzOsdAG6jgXkLwJ22zIVnOKxiu4oN_NTuNc36cfs7XILB-1lAeKVQ2YUrfBkOiz-xtA0T_l_3jUTFMG6Ydf-5-Ub1bZ1rw"></script> <script src="/themes/custom/its_default/js/main.js?sromso" type="module"></script> <script src="/sites/it.ucsf.edu/files/js/js_KrvVL5yuqzAxqzdfJlVarZSqLY8baXIiEOcFUw-MlEI.js?scope=footer&delta=2&language=en&theme=its_default&include=eJxVjutyAyEIhV-I6CPtsIqGDkpGMNvt09d2tp3kD7cDHwfNyDfuH5RcR0xmYZ8ia1b4kwyKdseDTBvFlzrYs4IRjnTfcLombY91RNHvtNTGnRtKWDhIOijmMR-rf10FO82pxR2NIAmanW91IzOsdAG6jgXkLwJ22zIVnOKxiu4oN_NTuNc36cfs7XILB-1lAeKVQ2YUrfBkOiz-xtA0T_l_3jUTFMG6Ydf-5-Ub1bZ1rw"></script> <script type="text/javascript"> /*<![CDATA[*/ (function() { var sz = document.createElement('script'); sz.type = 'text/javascript'; sz.async = true; sz.src = '//siteimproveanalytics.com/js/siteanalyze_8343.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(sz, s); })(); /*]]>*/ </script> </body> </html>

CINXE.COM

UCSF 650-16 Addendum B - UCSF Minimum Security Standards for Electronic Information Resources | UCSF IT