IS-3 Implementation

Overview

UC's Electronic Information Security Policy, IS-3, brings changes to the way information security risk is managed at UC, and here at Berkeley. This project is designed to integrate IS-3's requirements and principles into Berkeley's existing information security program in a way that aligns with core campus priorities and values. It will help to ensure that risk is understood and addressed at the appropriate organizational levels, and includes updating the fundamentals of the campus’ security program to current UC and industry standards.

Our Plan

As part of our multi-year program for implementing IS-3, ISO will roll out a comprehensive plan to enable Units to comply with their obligations under UC Berkeley’s local implementation of IS-3. Refer to these slides for more details (login required)

Our goal is to integrate IS-3 into UC Berkeley’s existing information security program in a way that makes sense for campus:

• Maintain MSSND/MSSEI concepts
• Identify/define key roles and responsibilities
• Update policies, standards, exception process, etc. 
• Move to systemwide Protection Levels and incorporate Availability Level
• Broad collaboration and communication around program changes

Implementation Schedule

We've started an estimated onboarding schedule for campus Academic and Administrative Units through 2022 and will begin scheduling the remaining Units in Fall 2022 for onboarding in Spring 2023. Visit our IS-3 Unit Onboarding Schedule page (CalNet protected) for more information. 

Phase 3:

Fall 2021 - Fall 2022 Focus:

1. Identify and onboard high-risk Units into the IS-3 framework using a cohort model -- currently scheduled to extend through Dec. 2022.
2. Beginning to incorporate the concept of Availability Level.
3. Continuing to update and develop foundational policies.
4. Develop a process for periodic review.

Phases 1 & 2:

Began in 2019-2020 and focused on:

1. Updating/developing foundational policies: 
   1. Roles and Responsibilities
   2. Data Classification Standard*
   3. Exception Process
   4. MSSND Draft | Article highlighting MSSND changes
   5. MSSEI PL “quick fix”: updating the Protection Level numbers in the MSSEI without changing requirements*

2. Identifying and orienting Pilot Units, Unit Heads, and Unit Security Leads
3. Updating Socreg (formerly known as NetReg) with new data classifications and having Security Contacts review and confirm/update their assets
4. Developing high-level dashboard for Pilot Units
5. High-level IS-3 assessment for Pilot Units

Spring 2021 Focus - “Phase 2”:

1. Identifying and onboarding the first non-pilot cohort of Units into the IS-3 framework
2. Continue to update and develop foundational IT policies, including
   1. Convening MSSEI workgroup and beginning work on updating the Standard
   2. Finalizing and publishing the formal campus Information Security Incident Response Plan and Information Security Management Program
   3. Formalized risk acceptance processes
   4. Continuing to publicize the updated data Protection Levels* 

3. Refining tools, processes, and resources to facilitate and streamline the onboarding process

What Units Can Do Now:

Campus-level implementation of IS-3 will happen in phases. However, there are things that Units at all levels can do to get started. 

Roles and Responsibilities

Familiarize yourself with the roles and responsibilities identified in IS-3 through our Roles and Responsibilities Policy Home Page. This policy consolidates existing UC Berkeley responsibilities and key IS-3 responsibilities. Identified roles include Workforce Members, Researchers, Unit Heads, Unit Security Leads, Information and Resource Proprietors, Service Providers, and Workforce Managers. Learn even more at the UCOP Quick Start Guide.

• Identify your Unit Head and Unit Information Security Lead(s). These people have key roles in IS-3. Also visit our Unit Heads and Security Leads page for additional resources for these roles.

• Identify any IT Services that your Unit provides. Many of the Service Provider responsibilities in this policy are not new, but were previously divided among several policies. Service Providers may benefit from this consolidated list of responsibilities.

Be aware that Protection Levels have changed

UC Berkeley’s Protection Level scale has been updated to align with the rest of the UC system. We now have a P1-P4 scale instead of our old PL0-PL3 scale. This means that all Protection Level numbers have changed. There are also category changes for certain types of information, so it's not as simple as just adding 1 to the old PL number. Please refer to Berkeley's Data Classification Standard for details. At a high level, this is what you’ll see:

Learn about the new Availability Levels

This is a new concept for information security at UC. Availability Level refers to the impact of loss of availability or service, measured on a scale of 1-4. A4 is the highest level of impact and A1 is the lowest. Availability Level helps to determine what protections are required to ensure that information and resources are available when needed. The four Availability Levels are described in the updated Berkeley Data Classification Standard. Additional information is also available in the UC Data Classification Standard and Guide). 

Identify and classify your Unit's Institutional Information and IT Resources

• Use the new Protection Levels to re-classify your information and IT Resources.

• Register any UC P3 and UC P4 assets in Socreg that would be considered Institutional Devices or Privileged Access Devices. 

• Begin to think about the Availability Levels of your information and IT Resources and start to identify your A4 assets

• This is a good time to confirm and update your Unit’s information in BC Catalyst (UC Berkeley's business continuity/disaster recovery tool). All A4 IT Resources and data maintained by your unit should be registered in BC Catalyst. For questions or assistance, contact itdrhelp@berkeley.edu.

• Work on bringing your Unit into compliance with UC Berkeley’s current minimum security standards. IS-3 will build on these, so this is a good place to start:

• Minimum Security Standards for Networked Devices

• Minimum Security Standards for Electronic Information

Update outdated references to Protected Data and PL numbers on your websites and internal documentation

We've put together the following table to help you convert general references to Protection Levels. You can convert straight over to the new UC P# directly.

*Please note: These general conversions are only best approximations and are not a perfect mapping. For documents that speak to specific references refer to the Data Classification Standard https://security.berkeley.edu/data-classification-standard#plclassification

For example: FERPA-protected data used to be listed as UCB PL1, but became UC P3 in the new numbering system. 

*UC Berkeley’s Data Protection Levels were updated to align with the new UC systemwide scale. However, the associated controls or requirements were not modified to help support a smooth migration. Review and update of the controls and requirements for each classification level are taking place separately.