IS-3 Implementation

Overview

Currently, the responsibility for managing information security risk is not sufficiently addressed at UC Berkeley. This project will ensure that risk is understood and addressed at the appropriate organizational levels. The Information Security Office (ISO) will align UC Berkeley’s information security risk management strategy with principles of IS-3 and campus priorities and values. This includes updating the fundamentals of the campus’ security program to current UC and industry standards.

Our Plan

As part of our multi-year program for implementing IS-3, ISO will roll out a comprehensive plan to enable Units to comply with their obligations under UC Berkeley’s local implementation of IS-3. Refer to these slides for more details (login required)

Our goal is to integrate IS-3 into UC Berkeley’s existing information security program in a way that makes sense for campus:

• Maintain MSSND/MSSEI concepts
• Identify/define key roles and responsibilities
• Update policies, standards, exception process, etc. 
• Move to systemwide Protection Levels and incorporate Availability Level
• Broad collaboration and communication around program changes

Spring 2021 Focus - “Phase 2”:

1. Identify and onboard the first non-pilot cohort of Units into the IS-3 framework
2. Continue to update and develop foundational IT policies, including:
   1. Finalize Roles and Responsibilities Policy and MSSND update
   2. Convene MSSEI workgroup and begin work on the update project
   3. Finalize and publish a formal campus Information Security Incident Response Plan and Information Security Management Program
   4. Formalize risk acceptance processes
   5. Continue to publicize updated data Protection Levels* and begin to incorporate the concept of Availability Level

3. Refine tools, processes, and resources to facilitate and streamline the onboarding process

Initial efforts began in 2019-2020 and focused on:

1. Updating/developing foundational policies: 
   1. Roles and Responsibilities Draft
   2. Data Classification Standard*
   3. Exception Process
   4. MSSND Draft | Article highlighting MSSND changes
   5. MSSEI PL “quick fix”: updating the Protection Level numbers in the MSSEI without changing requirements*

2. Identifying and orienting Pilot Units, Unit Heads, and Unit Security Leads
3. Updating NetReg with new data classifications and having Security Contacts review and confirm/update their assets
4. Developing high-level dashboard for Pilot Units
5. High-level IS-3 assessment for Pilot Units

What Units Can Do Now:

Campus-level implementation of IS-3 will happen in phases. However, there are things that Units at all levels can do to get started.

Roles and Responsibilities

Familiarize yourself with the roles and responsibilities identified in IS-3 through our Roles and Responsibilities Policy Home Page. This policy consolidates existing UC Berkeley responsibilities and key IS-3 responsibilities. Identified roles include Workforce Members, Researchers, Unit Heads, Unit Security Leads, Information and Resource Proprietors, Service Providers, and Workforce Managers. Learn even more at the UCOP Quick Start Guide(link is external).

• Identify your Unit Head and Unit Information Security Lead(s). These people have key roles in IS-3. Also visit our Unit Heads and Security Leads page for additional resources for these roles.

• Identify any IT Services that your Unit provides. Many of the Service Provider responsibilities in this policy are not new, but were previously divided among several policies. Service Providers may benefit from this consolidated list of responsibilities.

Be aware that Protection Levels have changed

UC Berkeley’s Protection Level scale has been updated to align with the rest of the UC system. We now have a P1-P4 scale instead of our old PL0-PL3 scale. This means that all Protection Level numbers have changed. There are also category changes for certain types of information, so it's not as simple as just adding 1 to the old PL number. Please refer to Berkeley's Data Classification Standard for details. At a high level, this is what you’ll see:

Learn about the new Availability Levels

This is a new concept for information security at UC. Availability Level refers to the impact of loss of availability or service, measured on a scale of 1-4. A4 is the highest level of impact and A1 is the lowest. Availability Level helps to determine what protections are required to ensure that information and resources are available when needed. The four Availability Levels are described in the updated Berkeley Data Classification Standard. Additional information is also available in the UC Data Classification Standard and Guide(link is external). 

Identify and classify your Unit's Institutional Information and IT Resources

• Use the new Protection Levels to re-classify your information and IT Resources.

• Register any UC P3 and UC P4 assets in NetReg that would be considered Institutional Devices or Privileged Access Devices. 

• Begin to think about the Availability Levels of your information and IT Resources and start to identify your A4 assets

• This is a good time to confirm and update your Unit’s information in BC Catalyst(link is external) (UC Berkeley's business continuity/disaster recovery tool). All A4 IT Resources and data maintained by your unit should be registered in BC Catalyst. For questions or assistance, contact itdrhelp@berkeley.edu(link sends e-mail).

• Work on bringing your Unit into compliance with UC Berkeley’s current minimum security standards. IS-3 will build on these, so this is a good place to start:

• Minimum Security Standards for Networked Devices

• Minimum Security Standards for Electronic Information

Update outdated references to Protected Data and PL numbers on your websites and internal documentation

We've put together the following table to help you convert general references to Protection Levels. You can convert straight over to the new UC P# directly.

*Please note: These general conversions are only best approximations and are not a perfect mapping. For documents that speak to specific references refer to the Data Classification Standard https://security.berkeley.edu/data-classification-standard#plclassification

For example: FERPA-protected data used to be listed as UCB PL1, but became UC P3 in the new numbering system. 

*UC Berkeley’s Data Protection Levels were updated to align with the new UC systemwide scale. However, the associated controls or requirements were not modified to help support a smooth migration. Review and update of the controls and requirements for each classification level are taking place separately.