UC Information Security Investment Plan & UCLA Requirements

The University of California Office of the President has mandated that all UC campuses strengthen their cybersecurity posture to mitigate risks and protect institutional data.

If we do not reach full compliance, there will be financial consequences impacting our campus, including:  

  • Up to $500,000 of costs related to security incidents resulting from non-compliance being charged to the campus unit
  • UCLA’s cybersecurity insurance premiums may be increased by 15% and allocated to the campus unit that did not have full compliance
  • Merit increases for unit heads whose units are found to be non-compliant will require approval from the Chancellor

In response, UCLA has established campus-wide requirements and has initiated projects to ensure long-term compliance with the mandate while implementing sustainable and scalable security practices. These efforts will enhance UCLA’s ability to proactively manage vulnerabilities, safeguard university assets, and reduce risk.

Asset & Data Visibility Overview

The Asset & Data Visibility project is a key initiative to meet UCOP’s compliance requirements for asset identification. This project establishes a centralized IT asset repository, providing enhanced visibility into our IT environment. By focusing on automation, UCLA will create a long-term, sustainable approach to asset management and security.  

This initiative will enable the university to:

  • Proactively identify and address vulnerabilities before they become security risks.
  • Improve compliance and risk management through a comprehensive IT asset inventory.
  • Ensure long-term sustainability by automating asset discovery, tracking and data accuracy.
     

Campus IT Asset Requirements

Automation: The mechanism for populating and maintaining all campus IT asset data in a central asset repository must be driven through automation, leveraging one of the approved mechanisms established by the Office of the Chief Information Security Officer. 

Compliance & Risk Management: All university-owned IT assets within scope must be populated into the central asset repository by May 28, 2025, to comply with the mandate and avoid risking financial penalties for non-compliance.

Data Classification: All university-owned assets that store institutional information will need to be classified against Data Protection, Recovery, and Availability levels as specified in the UC Electronic Information Security Policy (IS-3) and IT Recovery Policy (IS-12). 
 

Email Multi-Factor Authentication 

Effective May 28, 2025, Multi-Factor Authentication (MFA) will be required for all campus and health email systems in alignment with UC standards. This enhanced security login protocol will be implemented across all email systems to ensure that only legitimate login requests are approved, minimizing the risk of fraudulent login attempts. This initiative will significantly strengthen UCLA's cybersecurity posture and help mitigate potential security risks.

As part of the mandate requirement, UCLA is working toward a unified email strategy that will improve security oversight, standardize services, and simplify email management. This Email Unification Program aims to streamline email platforms across campus, enhancing security while creating a standardized user experience for students, faculty, and staff. The initiatives outlined in the UCOP mandate will set the foundation for the success of this program.

Visit the Multi-factor Authentication (MFA) page for more information about MFA requirements, eligibility, and how to get started.

Trellix Endpoint Security (Antivirus)

Trellix (formerly known as FireEye Endpoint Security) is modern endpoint protection (antivirus) software that can detect and prevent malicious digital threats that infiltrate our devices before they spread to our most critical data. Trellix is the only UC-approved antivirus software. All university-owned devices, and personally owned devices that store, process, or transmit university data are required to run Trellix.

For additional information, please visit the Trellix page on the Office of the Chief Information Security Officer website.