Details of the MSSEI Assessment Service

Overview

The MSSEI Assessment Service assesses compliance with campus data security policies and is required for all systems and applications that handle data classified as Protection Level 4 (P4). The service is provided for IT Resource Managers who maintain protected data systems on behalf of the campus. The assessment is managed by a member of the Information Security Office (ISO) Assessments Team.

The purpose of the MSSEI Assessment Service is to identify gaps in meeting campus security policy requirements for P4 data.  As an outcome of the service, ISO will provide a report listing recommended actions to reduce the security risk to protected data. 

Below is an overview of the process:


Activities and Description, with Responsible Party (IT Service Provider / ISO)

  1. Confirm Data Classification

Identify the data types processed, stored, and transmitted by the system and any security and privacy regulations that apply, and determine the data classification.

  2. Complete System Security Plan (SSP)

Document in the SSP the security controls in place (or planned) for meeting each MSSEI control requirement. The completion of the SSP is a prerequisite for the assessment.

Note 1: Refer to the UC Berkeley System Security Plan Step-by-Step Guide for detailed information about how to complete and submit an SSP.

Note 2: If you need assistance, you may create a ServiceNow ticket by emailing security-assessments@berkeley.edu.

  3. Submit SSP

Once the SSP is completed, submit it to ISO via the MSSEI Assessment Service Request Form.

  4. Assess SSP

A security analyst from the Assessments Team is selected to conduct the assessment, and the SSP is reviewed to determine the extent to which the security controls implemented meet the MSSEI requirements for the system.

  5. Prepare Assessment Report

An assessment report is prepared to document the findings and recommendations from the assessment. An internal review of the report is performed and the report is delivered to the Unit.

  6. Conduct Remediation Actions

The remediation actions necessary to resolve the findings identified in the assessment report are implemented.

  7. Update SSP

The SSP is updated to reflect the remediation actions implemented, and on an ongoing basis in response to changes.

Getting Started

To get started with an MSSEI assessment, follow the links below to start filling out the System Security Plan for your application. 

