The University of California (UC) Electronic Information Security policy (BFB IS-3), requires that all systems that create, store, process or transmit data internally at UCSF or externally through a supplier or other third party must be assessed for risk. This applies to all UCSF data, including, but not limited to:
- Protected Health Information (PHI)
- Personally identifiable information (PII)
- Payment Card Industry (PCI)
- Research Health Information (RHI)
- Family Educational Rights and Privacy Act (FERPA)
- Other restricted or sensitive data
UCSF prioritizes the highest-risk systems for a full security risk assessment.
When Does an IT Security Risk Assessment Apply?
Things I Need to Know or Do
BearBuy Form to Use
Other Useful References
Related Policy
Version Date: May 2018