We know policies are dry and templates can be confusing. We're always happy to help translate, so email us at [email protected] with questions.

Policies and Procedures

Below is a collection of commonly requested policies, procedures, guidelines, and standards that apply at UCSF.

• UC-wide IT Policies & Guidelines: Includes UC's cybersecurity policy and standards with a glossary and FAQ as well as resources and guidelines for information security incidents that require notification.
• UC IS-3 Information Security Policy: UC's electronic information security policy, which is applicable to all UC campuses and medical centers.
• UCSF Minimum Security Standards: Applicable to all devices and electronic information resources across UCSF departments and UCSF Health.
• UCSF IT Standards and Policies: Covers a range of IT standards and policies from wireless networks to incident investigation.
• UCSF Campus Policies and Procedures: Includes HIPAA business associates and Unified UCSF Enterprise Password Standard.

Templates

All templates are intended for reference only – it is your responsibility to update them to reflect your actual procedures and technical details and remove any sections that are not relevant. MyAccess login required.

• Application Security Guidelines: Provides a comprehensive list of best practices and guidelines for managing and securing your applications at UCSF. Includes topics such as systems development, access management, third party considerations, encryption, patching, backups, logging, and auditing.
• Application Policies and Procedures Templates: These templates are intended as a starting document for you to customize and modify according to your specific application and procedures. They include major categories you’ll want to cover and some suggestions. Sample for General Department Application, Salesforce Orgs, and AWS.
• Data Management Plan Template: If a vendor or agency that you’re working with requires you to have a detailed data management plan for your research, this template provides a starting point based on using UCSF’s MyResearch environment. You will need to customize this according to your research plan, technical environment, and specific processes.
• Full Set of Policies and Procedures: This is an example of a comprehensive set (12) of policies and procedures, in this case, for the School of Medicine’s AWS Research Cloud (ARC) environment. You can look at these to model your own policies and procedures for a complex technical environment requiring high security.
• Comprehensive Security Plan: This is an example document for a comprehensive security plan, in this case, for the School of Medicine’s AWS Research Cloud (ARC) environment. You may be required to provide a security plan for external collaborators or from UCSF IT in certain scenarios. This document can be used to model your own security plan.