Information Security Practices for SiteFarm
UCOP has created the Electronic Information Security, also known as IS-3, a policy for the UC System designed to simplify “the process of cyber risk management at a systemwide level” and prepare “UC for a world in which information security is increasingly critical.” The tenets of the policy address these overarching goals:
- Preserve academic freedom and research collaboration
- Protect privacy
- Follow a risk-based approach
- Maintain confidentiality
- Protect integrity
- Ensure availability
The document is available for you to review, but we’re going to boil down this weighty bit of work to the pieces most relevant to your use of SiteFarm.
SiteFarm is designated as a service with Level 1 and Level 2 Protections
Services are approved for data types rated on a scale of Protection Levels from P1 (minimal) to P4 (High). SiteFarm is rated for P1 and P2. And remember, that not only includes your published content, but any Webform submissions by your site visitors.
Protection Level 1 (P1 – Minimal/Public)
P1 includes publicly available content or intended to be readily obtainable by the public, but the edit access to which should be protected to ensure the integrity of the information is maintained.
This is the most common level we see used on SiteFarm since the majority of the content is public-facing and all authorized users must have an account on the site in order to add, modify, or delete content. Accounts use CAS with two-factor authentication through Duo. It should also be mentioned that contact information you would commonly see listed in our UC directory system is allowed unless the individual (faculty, staff, student) has requested a block, especially in cases of FERPA.
Protection Level 2 (P2 – Low/Sensitive/Internal)
P2 looks to cover requirements for protecting institutional information and related IT resources that may not be specifically protected by statute, regulations, or other contractual obligations or mandates, but are generally not intended for public use or access. In addition, information of which unauthorized use, access, disclosure, acquisition, modification, or loss could result in minor damage or small financial loss, or cause a minor impact on the privacy of an individual or group.
We see this protection level come into play for departments who wish to create an intranet to restrict access to sensitive information. Due to the nature of the definition of Sensitive Data, it is impossible to have an exhaustive list of examples, but this outline gives you an overview of the types of information permitted under P2:
- Public safety and security information
- Certain types of information about hazardous substances
- Certain types of blueprints and building plans
- Proprietary information such as computer source code developed at the university
- Certain types of information related to university investments and investment planning
- Certain types of information related to university insurance claims
- Information about misconduct proceedings
- Animal research
- Form submissions with private inquiries and contact information that do NOT include P3 and P4 data
Not Permitted on SiteFarm:
Protection Level 3 (P3 – Moderate) and Protection Level 4 (P4 – High)
Any content that is classified as P3 or P4 is not permitted on SiteFarm; this includes text information, files, images, and media that matches these criteria:
- Attorney/Client Privileged Information
- Certain types of federal data (Pre-CUI)
- Credit Card Cardholder Information (Examples: Credit card numbers, Registration fee collection, Donations for Giving, Commencement payments)
- The credit card holder’s name without any actual card data associated with it is permitted
- Disability information or other medical information collected from students to provide services
- Export Controlled Research (ITAR, EAR)
- Financial Aid Information/Student Loans
- Personal Information (California Code) and/or Personally Identifiable Information (PII)
- Personally Identifiable Information (PII) and Personal Data as defined in GDPR contained in large sets (Article 4)
- Protected Health Information (PHI) / Patient Records
- Student Education Records/Student Special Services Records
SiteFarm’s platform and its hosting service, Acquia, are not intended to support the level of security necessary to meet the very strict requirements set by UC Davis’ Information Security department to protect P3 and P4 data. If your web site data requirements include P3 or P4 data, there are other options available. Please email webservices@ucdavis.edu for a free consultation.
It’s critical to appreciate the seriousness of the risks a disclosure (deliberate or not) or breach could mean to the person(s) personally affected as well as the larger campus and UC System. The potential impacts are described in the table below.
| Level | Impact of disclosure or compromise |
|---|---|
| P4 - High | Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. Statutory, regulatory and contract obligations are major drivers for this risk level. Other drivers include, but are not limited to, the risk of significant harm or impairment to UC: students, patients, research subjects, employees, guests/program participants, UC reputation related to a breach or compromise, the overall operation of the Location or operation of essential services. (Statutory.) |
| P3 - Moderate | Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions. Institutional Information of which unauthorized use, access, disclosure, acquisition, modification, loss or deletion could result in moderate damage to UC: students, patients, research subjects, employees, community, reputation related to a breach or compromise; could have a moderate impact on the privacy of a group; could result in moderate financial loss; or could require legal action. This classification level also includes lower risk items that, when combined, represent increased risk. (Proprietary.) |
Feeling concerned? Have questions? Speak with the experts
This is obviously serious business, but chances are you’re not looking to add P3 and P4 type information to your site.
If you’re wondering if you’ve accidentally strayed over the line and need some guidance as to whether any of your content might be questionable, consider temporarily unpublishing the page, removing the section, or disabling the webform you’re worried about, and then contacting your department's Unit Information Security Lead contact. Every unit on campus has a designated individual as noted in the last column labeled "Unit IT Partner (IS-3 UISL)" who has the training and knowledge to help you evaluate any risks associated with the content you're posting or collecting on your site.
Likewise, should any of our team come across any possible P3 or P4 data, we hope you’ll understand that we may need to proactively unpublish your content and then contact you immediately to advise you to reach out to your UISL contact to evaluate any security risks. If you are unsure of the classification of your data, feel free to reach out to the UC Davis Information Security Office via cybersecurity@ucdavis.edu.
We appreciate your collaboration in the process of keeping everyone who interacts with UC Davis safe and protected.