Matching Data with IT Services
The Berkeley Data and IT Resource Classification Standard and associated Protection Profiles are designed to properly protect campus systems and data, and also to help match campus data with appropriate IT services.
This framework helps answer questions such as:
- What kinds of data require extra security protections?
- Where can I store data that requires extra security protection? Central campus services | Research IT services | campus storage services |
- What service providers (on or off-campus) are appropriate for my data/system?
- What kind of data is under my custodianship?
- Can I host sensitive/notice-triggering data?
- What security controls are required for sensitive data?
Data Classification Standard and Protection Profiles
Classification
The Berkeley Data and IT Resource Classification Standard groups data into one of four Protection Levels based on data (or system) sensitivity, measured by the level of adverse business impact that would be caused by a breach of confidentiality or integrity. It also groups data into one of four Availability Levels based on the level of business impact that would result from a loss of availability.
Protection Profiles
The Minimum Security Standard for Electronic Information (MSSEI) specifies the security controls required to protect the integrity, confidentiality, and availability of Berkeley campus data. The specific security controls required under the MSSEI (a.k.a the "protection profile") vary based on the Protection Level, Availability Level, and IT Resource type.
The Minimum Security Standard for Networked Devices (MSSND) is required for all devices that handle institutional data, AND all devices connected to the campus network, regardless of whether they handle institutional data.
All covered devices and applications must be inventoried and then registered with the Information Security Office according to MSSEI requirement 4.3 and MSSEI requirement 4.4.
Are you unsure about the classification of a certain data set or system? Follow these steps:
- Review the Berkeley Data and IT Resource Classification Standard to see if your data set is listed in any of the examples. The associated Guidelines can also help classify many common types of data.
- If after reviewing the standard or guideline you are still unsure, email the Information Security Office office with any classification questions. Please include as much detail as possible such as (be careful not to include any real, sensitive data records in the request):
- Source and owner of the data set
- Full list of data elements in question (the types of data, not the actual sensitive data itself)
- Approximate number of records (e.g., number of individuals, number of credit card numbers, etc.)
- Any potential external compliance requirements for the data set (e.g. FERPA, HIPAA, CPHS, FISMA, GDPR, PCI)
Resource Proprietor Approval
All Berkeley systems require a Berkeley Campus Resource Proprietor.
Resource Proprietors have multiple responsibilities defined in Berkeley's Roles and Responsibilities Policy and Minimum Security Standard for Electronic Information. At a high level, these responsibilities include ensuring compliance with University policy regarding the classification, protection, access to, location, and disposition of IT Resources. Proprietors are also responsible for ensuring compliance with federal or state law or regulation.
Ultimately, Units and Resource Proprietors are responsible for ensuring that systems and data for which they are responsible are protected properly according to the protection profiles associated with their classification.
For More Information
Contact the Information Security Office: security-policy@berkeley.edu