The University of California Office of the President has mandated that all UC campuses strengthen their cybersecurity posture to mitigate risks and protect institutional data. The expectations of the plan include the following components:
| Requirement | General Faculty/Staff Actions | Unit IT & Leadership Actions |
|---|---|---|
| 1. Annual completion of cybersecurity awareness training for all employees |
|
|
| 2. Timely escalation of cybersecurity incident response in alignment with UC standards |
|
|
| 3. Identification, tracking and vulnerability management of all computing devices connected to university networks |
|
|
| 4. UC-approved Endpoint Detection & Response (EDR) software deployed on all compatible university computing devices |
|
|
| 5. Multi-factor authentication (MFA) enforced for all university email |
|
|
| 6. Data Loss Prevention (DLP) implemented for all health email systems |
|
|
If we do not reach full compliance, there will be financial consequences impacting our campus, including:
- Up to $500,000 of costs related to security incidents resulting from non-compliance being charged to the campus unit
- UCLA’s cybersecurity insurance premiums may be increased by 15% and allocated to the campus unit that did not have full compliance
- Merit increases for unit heads, whose units are found to be non-compliant, will require approval from the Chancellor
In response, UCLA has established campus-wide requirements and have initiated projects to ensure long-term compliance with the mandate while implementing sustainable and scalable security practices. These efforts will enhance UCLA’s ability to proactively manage vulnerabilities, safeguard university assets, and reduce risk.
Cybersecurity Awareness Training
All UCLA employees are expected to complete the annual UC Cyber Security Awareness Fundamentals training through the UC Learning Center. To review your current training completion status, click on 'Required Training' on the UC Learning Center home screen and check the expiration date of the UC Cyber Security Awareness Fundamentals eCourse. The expiration date should be later than the current date.
Beginning June 1, 2025 -- if you are overdue beyond 14-days with completion of the UC Cybersecurity Awareness Fundamentals training, access will be restricted to UCLA applications behind our Single Sign-On (SSO). For additional information, please visit the Training Courses page on the Office of the Chief Information Security Officer website.
Asset & Data Visibility Overview
The Asset & Data Visibility project is a key initiative to meet UCOP’s compliance requirements for asset identification. This project establishes a centralized IT asset repository, providing enhanced visibility into our IT environment. By focusing on automation, UCLA will create a long-term, sustainable approach to asset management and security.
This initiative will enable the university to:
- Proactively identify and address vulnerabilities before they become security risks.
- Improve compliance and risk management through a comprehensive IT asset inventory.
- Ensure long-term sustainability by automating asset discovery, tracking and data accuracy.
Campus IT Asset Requirements
Automation: The mechanism for populating and maintaining all campus IT asset data in a central asset repository must be driven through automation, leveraging one of the approved mechanisms established by the Office of the Chief Information Security Officer.
Compliance & Risk Management: All university-owned IT assets within scope must be populated into the central asset repository by May 28, 2025, to comply with the mandate and avoid risking financial penalties for non-compliance.
Data Classification: All university-owned assets that store institutional information will need to be classified against Data Protection, Recovery, and Availability levels as specified in the UC Electronic Information Security Policy (IS-3) and IT Recovery Policy (IS-12).
Trellix Endpoint Security (Antivirus)
Trellix (formerly known as FireEye Endpoint Security) is a modern endpoint protection (antivirus) software that can detect and prevent malicious digital threats that infiltrate our devices before they spread to our most critical data. Trellix is the only UC-approved anti-virus software. All university-owned devices, and personally-owned devices that store, process, or transmit university data are required to run Trellix.
Beginning June 1, 2025 -- Trellix will be required before access is permitted to specific high-risk UCLA applications. For additional information, please visit the Trellix page on the Office of the Chief Information Security Officer website.
Email Multi-Factor Authentication
Effective May 28, 2025, Multi-Factor Authentication (MFA) will be required for all campus and health email systems in alignment with UC standards. This enhanced security login protocol will be implemented across all email systems to ensure that only legitimate login requests are approved, minimizing the risk of fraudulent login attempts. This initiative will significantly strengthen UCLA's cybersecurity posture and help mitigate potential security risks.
As part of the mandate requirement, UCLA is working toward a unified email strategy that will improve security oversight, standardize services, and simplify email management. This Email Unification Program aims to streamline email platforms across campus, enhancing security while creating a standardized user experience for students, faculty, and staff. The initiatives outlined in the UCOP mandate will set the foundation for the success of this program.
Visit the Mutli-factor Authentication (MFA) page for more information about MFA requirements, eligibility, and how to get started.
