Responsibilities and activities involving security fall into two categories:
- Campus security
- Security of electronic information resources
The University of California, Berkeley Police Department (UCPD) provides high-quality, professional crime prevention, protection, and law enforcement services to maintain and promote human safety and the security of property for the campus and its associated locations. The department handles all patrol, investigation, crime prevention education, emergency preparedness, and related law enforcement duties for the campus community and operates 24 hours a day, seven days a week.
The Community Outreach unit within the UC Berkeley Police Department’s Administration/Outreach Division has the responsibility for operational and system management of the campus's alarm, access control, and video systems. In addition, the program manager assists departments with the planning and implementation of new security systems on the campus. See the campus access control policy and UCPD contact information.
The Chief of Police, acting as the Access Control Director, is responsible for approving all new access control systems and modifications to existing systems. In addition, the Chief of Police oversees audits of campus departments and units to determine the level of adherence to the access control policy. The Facilities Services Key Control Manager is responsible for creating a mechanical keying system that ensures security and convenience to departments occupying buildings or facilities, and for coordinating new systems. Administrative officials are responsible for overseeing the process of controlling department keys and maintaining records of access control activities. See the Key Request and Fabrication Guide for information on requesting and replacing keys.
The UC Berkeley Police Department web site describes physical security issues including safety programs and services, prevention strategies, UC Berkeley policies, crime statistics, and instructions on how to report a crime.
Electronic Information Resources Security
UC Berkeley's electronic information resources (EIR), including data, applications, systems, hardware, networks, and software, are valuable assets which each member of the campus community has responsibility for protecting. Threats to these assets include insufficient access protection, inappropriate use by insiders, malicious activity by outsiders, and natural disasters. EIR security responsibilities may range in scope from coordinating the security plan for the campus, or a large information processing system, to the simple requirement that a user must protect the confidentiality of his or her own password.
UC Berkeley's Chief Information Officer has overall coordination responsibility for campus compliance with University security policies and guidelines, including Business & Finance Bulletin IS-3, Electronic Information Security.
The System and Network Security Office is responsible for working with the campus community to protect the computer and network infrastructure from electronic attack. Security incidents should be reported by sending an e-mail communication to firstname.lastname@example.org.
The Campus Information Security Committee is responsible for developing campuswide strategy in the area of EIR security, and for developing and reviewing campuswide EIR security policy and procedures.
All administrative officials, as users of electronic information resources, are responsible for complying with UC Berkeley policies, procedures and standards relating to EIR security. They are also responsible for securing their own workstation from unauthorized use, and for not sharing passwords. Administrative officials who are authorized to obtain data from protected systems are responsible for adequately protecting the data after it is downloaded to their own location.
Campus departments have different responsibilities for EIR security depending on their relationship (role) with the resources.
Administrative officials in EIR Proprietor (functional owner) departments have the responsibility for specifying the uses for a departmentally owned server; establishing the functional requirements during the development of a new application; and maintaining existing applications. The functional owner is responsible for determining the level of security required for access controls, and the method for providing business continuity in case of disaster. The Proprietor is also responsible for specifying adequate data retention requirements.
An EIR Custodian (service provider) has physical or logical control over a functional owner's resource. Administrative officials in custodial departments are responsible for implementing security measures in accordance with the level of access security identified by the functional owner, ensuring that data retention requirements are met, and overseeing the process of recovering from a disaster. This role includes central departments with maintenance responsibility for an application, departmental system administrators of a local area network, and the database administrator for a campuswide database.
All administrative officials are responsible for ensuring that EIR users in their jurisdiction:
- Do not share passwords;
- Protect data downloaded into the department's control from secured systems on the same level as the secured system;
- Develop and periodically test a disaster recovery/business resumption plan for essential departmental systems, applications, and/or databases;
- Be familiar with, and follow, the acceptable use provisions of UC Berkeley computer use policy; and
- Comply with all applicable EIR related laws and policies.
Departmental Security Contacts, appointed by department heads, are responsible for responding to security incident reports from the System and Network Security Office. They are responsible for ensuring that appropriate personnel take action in response to each security incident. Only in cases where the incident poses a potentially serious threat to the campus or the Internet will the System and Network Security Office immediately block network access. See Departmental Security Contact Policy.