UC Cybersecurity Mandate 2025 | UCI Information Security

Home

Project Spotlight

UC Cybersecurity Mandate 2025

The UC President shared a letter detailing cybersecurity requirements that every UC location is expected to achieve by May 2025, including 100% compliance with:

Requirement	General Staff/Faculty Actions	Unit IT & Leadership Actions
1. Annual completion of cybersecurity awareness training for all employees	Ensure you are not overdue on your annual cybersecurity awareness training, otherwise access to most campus applications will be blocked until you are in compliance	Supervisors should ensure their employees have completed the training in UCLC Unit Leadership can review their overall progress via the compliance dashboard
2. Timely escalation of cybersecurity incident response in alignment with UC standards	Be familiar with how to report an information security incident and report promptly when there is a suspected incident Be familiar with your local Unit’s Incident Response Plan	Document and communicate a Unit Incident Response Plan in alignment with the Campus Incident Response Plan
3. Identification, tracking and vulnerability management of all computing devices connected to university networks	Contact your local IT group to ensure you have the ZotDefend Security Package installed on your University endpoints and that those are used to do University work, otherwise access to some campus IT services will be blocked until the device is in compliance	Deploy Tenable Nessus agent to all University computers within your Unit (user endpoints and servers) Leverage the Campuswide IT Asset Inventory System to identify and track assets within your Unit
4. UC-approved Endpoint Detection & Response (EDR) software deployed on all compatible university computing devices	Contact your local IT group to ensure you have the ZotDefend Security Package installed on your University endpoints and that those are used to do University work, otherwise access to some campus IT services will be blocked until the device is in compliance	Deploy full ZotDefend Security Package (Trellix EDR and Duo Desktop) to all University user endpoints within your Unit Additionally, deploy Trellix EDR agent to all compatible University servers within your Unit
5. Multi-factor authentication (MFA) enforced for all university email	Only access University email using an approved University email service with UCI’s Duo multi-factor authentication enforced	Work with OIT to ensure all of your Unit’s email accounts are using central OIT email services, HS email, or (if approved) another solution that is integrated with UCI Single Sign-on
6. Data Loss Prevention (DLP) implemented for all health email systems	UCI Health only	UCI Health only

UCI is also including improvement of other cybersecurity metrics that get reported to the UC Regents into this effort, including endpoint encryption and IS-12 compliance with backups.

- - Endpoint Encryption Requirements (ref: UC IS-3 Section 10.1 and UC Minimum Security Standard 4.4)
    - Portable computing devices: must at least encrypt P3/P4 data at rest, always recommend full disk encryption
    - Servers (physically secured): must encrypt P4 data at rest in all forms (files, database, etc)
  - Backup Requirements (ref: UC IS-12 Sections 4.2 and 7.3.1, and UC Minimum Security Standard 4.8)
    - IT Resources classified at Recovery Level 4 or 5 must have a tested backup or recovery system in the last 12 months

More implementation details will be shared with Unit Information Security Leads (UISL) as the year progresses, and they will provide status updates on behalf of their Units. UISLs are provided a Calendar of Changes and Due Dates related to this initiative.

UCI Campus Unit Prep Guide provides an overview for Unit Heads.

OIT will broadly communicate any required changes to using their services, branded as ZotDefend.

Additionally, Procurement needs assurance from the Unit’s Technical UISL or IT Department that the computing devices will be configured to meet the related requirements when purchased and are configured appropriately before getting reimbursed.