
UC Cybersecurity Mandate 2025

The UC President shared a letter detailing cybersecurity requirements that every UC location is expected to achieve by May 2025, including 100% compliance with:

    1. Current cybersecurity awareness training for all employees (the ability to log in to most UCI web applications will eventually be blocked until employees are in compliance with this)
    2. Timely escalation of cybersecurity incident response in alignment with UC standards
    3. Identification, tracking and vulnerability management of all computing devices connected to university networks
    4. Endpoint Detection & Response (EDR) software deployed on all compatible university computing devices (the ability to log in to some UCI web applications and parts of the UCI network will eventually require employee endpoints to be in compliance with this or be blocked)
    5. Multi-factor authentication (MFA) enforced for all university email (also prevent UCI email delivery to non-UCI systems)
    6. Data Loss Prevention (DLP) implemented for all health email systems (UCI Health only)

 

UCI is also folding into this effort the improvement of other cybersecurity metrics that are reported to the UC Regents, including endpoint encryption and IS-12 compliance with backups.

      • Endpoint Encryption Requirements (ref: UC IS-3 Section 10.1 and UC Minimum Security Standard 4.4)
        • Portable computing devices: must at least encrypt P3/P4 data at rest; full disk encryption is always recommended
        • Servers (physically secured): must encrypt P4 data at rest in all forms (files, database, etc.)
      • Backup Requirements (ref: UC IS-12 Sections 4.2 and 7.3.1, and UC Minimum Security Standard 4.8)
        • IT Resources classified at Recovery Level 4 or 5 must have a backup or recovery system that has been tested in the last 12 months

 

More implementation details will be shared with Unit Information Security Leads (UISLs) as the year progresses, and they will provide status updates on behalf of their Units. UISLs are provided a Calendar of Changes and Due Dates related to this initiative.

The UCI Campus Unit Prep Guide provides an overview for Unit Heads.

OIT will broadly communicate any required changes to using their services, branded as ZotDefend.

Additionally, Procurement needs assurance from the Unit’s Technical UISL or IT Department that computing devices will be configured to meet the related requirements when purchased, and that they are configured appropriately before reimbursement.