Cybersecurity Expectations for Contractors and Contingent Workers
As a contractor or contingent worker for UC ANR, you are expected to adhere to the following cybersecurity policies to ensure the protection of sensitive information. By doing so, you play a vital role in safeguarding UC ANR’s information and systems. Failure to comply with these requirements may result in termination of your contract/contingent employment and potential legal action.
Access Control
- Personal Credentials: Use your own account when accessing UC ANR systems. Do not share login information with others.
- Authentication and Authorization: Use strong, unique passwords and multi-factor authentication to protect UC information.
- Least Privilege Principle: Access is granted based on the minimum necessary privileges to perform your job responsibilities. If your access includes capabilities beyond the scope of your services, do not use those additional capabilities.
Data Protection
- Data Handling: Ensure proper handling, storage, and disposal of data according to UC ANR’s data protection policies. For example, lock your device when you step away, and do not store sensitive information locally on your work device.
- Device Security: Contractors and Contingent Workers must not use personal devices to access UC ANR systems. IT will provide a secure device with hard drive encryption, up-to-date Endpoint Detection and Response (EDR) software, and the latest security patches. This device must be returned upon termination of the contract, completion of the project, or offboarding of the contractor or contingent worker.
- VPN: Use the UC ANR VPN when accessing ANR systems remotely.
Incident Response
- Reporting: Immediately report any suspected or confirmed security incidents, breaches, or vulnerabilities to UC ANR IT.
- Please include the following information in your incident report:
  - Date and time of incident
  - Location of incident
  - Type (theft, hacking, etc.)
  - Brief description
  - How was the incident discovered?
  - Who discovered the incident?
  - Any other useful information
Compliance and Training
- Regulatory Compliance: Adhere to all relevant laws, regulations, and UC ANR policies regarding data security and privacy, including but not limited to:
Offboarding
- Notification: Notify UC ANR IT immediately when your project or contract is finished, or when you leave your contracting company. Access to ANR systems should be revoked when no longer needed.
- Data Deletion: Any UC hardware (laptops, peripherals, etc.) must be returned. Any UC information should be provided to UC ANR for archival purposes and then deleted from the contractor's systems.
Resources
- Cybersecurity Expectations for Contractors & Contingent Workers (pdf)
- How do I report a security incident?
- For any questions, please contact UC ANR IT.