Frequently Asked Questions

ISO Services answers

How do I register P4 workstations as Protected Data Applications in Socreg?
How is the rVPN monitoring different from being on campus?

The degree of monitoring on campus varies depending on the location of the system. For most users the only traffic that is inspected for signs of compromise is traffic that goes off of the campus network or is directed at systems protected by our firewalls. For people on networks protected by a firewall there is additional monitoring at the firewall location. 

When it comes to the Restricted VPN the monitoring occurs for almost every packet that leaves the systems connected to the VPN.

What traffic is blocked by the rVPN?

Traffic from this service is blocked if it is going to or coming from a list of IP addresses, hostnames and URLs the security department believes are involved in malicious activity. These lists are derived from both our own monitoring and from reputable third party sources. Additionally, traffic that is detected as malicious, where the severity of the activity is set as a medium (or higher) level by Palo Alto networks (our VPN and firewall vendor), is also blocked.

Should the Restricted VPN (rVPN) be used full time?

Because of the increased monitoring, most users will only want to use the Restricted VPN for access to the systems that host the restricted data. Beyond that, it is probably preferable to use the normal VPN. 

How does the rVPN monitoring differ from that of the normal VPN?

The normal VPN has only minimal traffic monitoring beyond information about logins. In comparison, the Restricted VPN monitors all traffic as it exits the VPN and employs the vulnerability, anti-spyware, AV, file monitoring, and threat detection and blocking features of the Palo Alto firewalls.

How is the rVPN different from the regular VPN service?

The regular VPN service is intended to allow members of the campus community to access campus resources without having to be physically present on the campus. The Restricted VPN is meant to not only allow people remote access to the network, but to also enforce stricter security controls including blocking some traffic, logging all network traffic, detecting signs of unusual activity to or from the clients and using security profiles to block any malicious or vulnerability related traffic that has a rating of medium severity or higher.

As part of its monitoring service, information about the security of the host system (information like the OS, malware protections, disk encryption, and missing patches) is also monitored and recorded. As the service evolves this information will also be used to further restrict access to the network.

Who is eligible for the Restricted VPN (rVPN) service?

Individuals who access and control a large quantity of restricted data or key IT infrastructure as part of their normal business activity may be eligible for this service. Individuals who use the data are not necessarily eligible. This service is for those with a high level of access to bulk quantities of this data. Additionally, researchers working in heavily targeted areas may be eligible for this service.

To confirm eligibility, please contact with a description of the types and quantities of data you are accessing, and where it is stored.

What do I do if I've disclosed or shared data that was protected?

First off, what is a disclosure?

It's the intentional or unintentional release of protected or private/confidential information to an untrusted environment or to unauthorized individuals.

Process for reporting a disclosure

  1. Remove the disclosed information as soon as possible
  2. Immediately report the incident to the Information Security Office
  3. Notify your supervisor
What should I do after my CalNet gets unlocked?

Now that your CalNet account has been unlocked, you must reset your passphrase as follows:

  1. Go to

  2. Select "Forgot my CalNet ID / Passphrase"

  3. Enter your Student, Employee, or Affiliate ID NUMBER, or recovery email address

  4. Confirm that you are not a robot by selecting all of the applicable images

  5. Once you receive the email to reset your passphrase, enter your Student, Employee, or Affiliate ID number again to set a new passphrase

Because your exposed CalNet passphrase puts the security of your personal data at risk, you must also complete each of the following tasks after you reset your passphrase.

  1. If you are a UC Berkeley employee, confirm that no changes have been made to your Direct Deposit account. From a safe and malware-free computer, access the Direct Deposit link from or call Payroll (510-642-1336).  

  2. Confirm that your email is not being redirected to any account you do not recognize via unauthorized email forwarding, and make sure there are no filters you did not create (e.g. send all <my bank emails> to my Trash folder.

    1.  How to forward emails from bMail account:

    2. How to use filters in bMail:

  3. Review bMail account logs and sign out of active sessions

    1. Log into your bMail account

    2. In the very lower right corner, under "Last account activity" click the "Details" link

    3. This will show the last few connections to your account; review for unknown logins

    4. On the same page, click the large gray button "Sign out of all other web sessions"

  4. Re-secure your Recovery Email Address by changing the password. The recovery email address is a non-"" email address attached to your CalNet account. Resetting the password on this account helps ensure that it is also not compromised.

  5. Recreate your bConnected Google Key. If you had a Google key set, it has been scrambled. Create a new one using the Manage My Keys application:  or contact bConnected support: or 510-664-9000 press 1 and follow the prompts.

  6. Review your CalNet 2-Step devices to make sure no changes have been made. Log in to, click on Manage 2-Step Verification, perform a 2nd 2-Step to see the Device Control Panel, and review your devices, there. See:

Where can I get detailed questions answered regarding the new IS-3?

Units interested in detailed information about IS-3 controls; roles and responsibilities; and implementation tools from the UC Systemwide Policy Office can contact ISO at to request access to the systemwide materials. 

How can I get help from IT on Windows 7 End of Life?

Please fill out this request form only if you have not already been in contact with campus IT professionals (either through your department or IT Client Services) regarding the upgrade of your current Windows 7 computer, purchase of a new computer, or security exception application.

What can I do to prepare for an OS upgrade?
  1. Begin by backing up your files. You can do this to a local device or move your data from the computer to servers or cloud-based platforms. Please note that location is dependent on the protection level of the data you have: UC P1 and UC P2/P3 data can be stored on Google Drive and Box. UC P4 data may only be stored on Calshare
  2. Confirm that any software (outside of the standard MS Office, Chrome, Adobe Acrobat) is compatible with Windows 10 and that you have the installation files and activation keys needed 
  3. Go to: and download your desired operating system.
How do I request a security exception for Win 7 EOL?

Exceptions are allowed only if the system cannot be upgraded and depending on the data classification level and the amount of data of that type. Submit your security exception request by November 1, 2019, to allow time to implement mitigations needed before End of Life.

Visit here for the exception process

What happens if I am running a Windows 7 computer after Jan. 14, 2020?

If you are running Windows 7 you are unsupported and out of compliance with campus policy.

What happens next:

  • Feb. 1, 2020 - ISO notifies Windows 7 systems users to disconnect from the campus network
  • Mar. 1, 2020 - ISO blocks Windows 7 devices seen on the campus network

Please note: In the event that a Windows 7 exploit is released before Mar. 1, ISO reserves the right to immediately block any vulnerable device per the Blocking Network Access Policy.


Exceptions are allowed only if the system cannot be upgraded and depending on the data classification level and the amount of data of that type. Learn more about security exceptions at our Exception Process for Windows 7 End of Life (EOL) page.

How do I upgrade my computer to a new operating system?

If the computer is managed by ITCS: Submit a ticket: is external)

If the computer is managed by your department IT: Submit a ticket directly to them

If you do not have campus IT support you can download the software here: is external)

Is it a personal computer? Yes, then you can download the software here:

What should I do to prepare for Red Hat Enterprise Linux 7 end of life?
  1. Upgrade to a supported operating system. Red Hat Enterprise Linux (RHEL) subscriptions are available for departments who have a large number of systems and wish to migrate to RHEL8 or RHEL9 and manage their own RHN organization instance.  Software download location and links to installation instructions will be provided with delivery of access keys. Contact sends e-mail)(link sends e-mail) to request access.

  2. Remove or retire the system.

How do I request a security exception for RHEL7 EOL?

Exceptions will only be approved if there is a valid reason why the system cannot be upgraded and remediation steps such as obtaining extended support, EDR clients, and network firewalls have been put in place (these are just examples and not an exhaustive list). Submit a security exception as early as possible, to allow time to implement mitigations needed before End of Life. More information on exception requests here

Application Security Testing Program (ASTP) answers

My application received a Pass grade. Does this mean my application is certified for UC P4 data?

No. Information Security and Policy does not "certify" applications. A Pass or Fail grade is intended to indicate whether or not an application meets the campus minimum security requirements for application security at the time at which it was assesssed. 

An application security assessment is intended to find the most critical and high risk vulnerabilities; however, the assessment process is often accelerated due to time and resource constraints meaning all vulnerabilities may not be discovered in a single assessment.

What if I cannot meet the remediation due dates presented to me in the final report?

Remediation due dates are generated based on the risk and the breadth of the vulnerability. Due dates can be negotiated with the Information Security Office at the time of disclosure. For example, some due dates may be changed for reasons like:

  • Reliance upon a vendor to implement a fix for a discovered vulnerability
  • Development time
  • Retirement of a vulnerable portion of an application

Ultimately, it is the responsibility of the application owner to make or coordinate best efforts to remediate and/or adequately mitigate the risks in a timely fashion.

Based on my data, I have external regulatory requirements like PCI, HIPAA, or CPHS. Does an ASTP assessment cover me for those requirements?

No. ASTP assessments only measure compliance with campus minimum application security requirements. Though, it should be noted that achieving compliance with campus standards will lay a lot of ground work for meeting PCI, HIPAA, CPHS, or other external standards. The campus Minimum Security Standards for Electronic Information (MSSEI) is based off the SANS Top 20 Critical Controls, so there is some overlap with external standards.

How often am I required to have an assessment against my application?

Currently, applications handling UC P4 data should plan for an application security assessment once every two years. However, scheduling will depend on available resources and other factors such as how drastically an application has changed since the prior assessment.

Nessus Network Vulnerability Scanning answers

What is the source network for security scans conducted by ISO?

All Information Security Office network vulnerability scanning is initiated from the following network subnets:




  • 2607:f140:1:14::/64

If you detect scanning activity and are unsure if an ISO scanner is the source, please contact for verification.

How do I run a credentialed Nessus scan of a Windows computer?

Credentialed scans are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check looking for problems that can not be seen from the network. Examples of the sorts of checks that a credentialed scan can do include checks to see if the system is running insecure versions of Adobe Acrobat or Java or if there are poor security permissions governing a service. Information Security Office (ISO) runs Nessus scanners that are capable of running these credentialed scans; however, without accounts on the local machines, we are unable to use this functionality. With this in mind, ISO will create accounts on one of the Nessus scanners for departmental security administrators to do their own credentialed scans. In order to use the ISO scanners to perform a credentialed scan of a Windows system, the following settings are required by Nessus:

  1. The Windows Management Instrumentation (WMI) service must be enabled on the target.
  2. The Remote Registry service must be enabled on the target or the credentials used by Nessus must have the permissions necessary to start the remote registry service and be configured appropriately.
  3. File & Printer Sharing must be enabled on the system to be scanned.
  4. An SMB account must be used that has local administrator rights on the target. A non-administrator account can do some limited scanning; however, a large number of checks will not run without these rights. According to Tenable, the company behind Nessus, in Windows 7 it is necessary to use the Administrator account, not just an account in the Administrators group. ISO is currently in the process of testing this and looking for potential workarounds.
  5. Ports 139 (TCP) and 445 (TCP) must be open between the Nessus scanner and the computer to be scanned. Information on what IP block to open in the firewalls can be found here: What is the source network for security scans conducted by Information Security and Policy?
  6. Ensure that no Windows security policies are in place that blocks access to these services. Two common problems are the SEP configurations that block off the scanners even after the scanners is authenticated and a network access model that sets network access to "Guest only" permissions (see below for information on changing this).
  7. The default administrative shares (i.e. IPC$, ADMIN$, C$) must be enabled (AutoShareServer = 1). Since these are enabled by default and can cause other issues if disabled, this is rarely a problem.

To check if a system has a "Guest only" sharing and security model go to the Control Panel, open "Administrative Tools," and then "Local Security Policy". In that window go to Local Policies --> Security Options --> Network access: Sharing and security model for local accounts. On some Windows installations, this is set to "Guest only - local users authenticate as Guest" by default. If this is the setting on your box, you will need to change it to "Classic - local users authenticate as themselves".

PLEASE NOTE: Some of the settings above may, in some environments, actually decrease the security of a system. If this is the case, once the credentialed scan is performed, it is advisable to return the system to its previous state.

Socreg - Asset Registration Portal answers

How Do I Update My Socreg Profile Settings?

To change your profile settings in Socreg, log in and click your name in the top bar and then click ‘Settings’.  Current options are:

  • Receive Release Email - this toggles whether or not you would like to receive the Socreg release notifications.

Note: This setting is different than the ‘Receive FYI messages’ setting.  FYI messages are set per unit Security Contact and are FYI messages about the Security contact and its assets.

How are Protected Data Applications and Systems monitored?

The Information Security Office (ISO) takes privacy issues very seriously and we use the same approach for balancing security and privacy for Protected Data hosts as for all hosts on campus. Monitoring of systems occurs through two methods, monitoring of network traffic crossing the campus border and vulnerability scanning of hosts on the campus network. The methods used to do this are similar for all hosts on the campus network.

The enhanced services for Protected Data hosts are:

  • More frequent scanning 

  • A greater range of intrusion detection signatures are used

  • Elevated responses to alerts by ISO staff 

  • Longer retention of network data for future analysis if a breach is confirmed -- this can help to confirm if an attacker was able to access the Protected Data during a breach incident.

How are security notices routed?

Security notices are routed based on the registration information in Socreg.

For example, if an IP address has a registered Security Contact, the security notice is sent to that Security Contact, but if there is no specific IP address registration, then the notice is sent to the Security Contact that registered the subnet that contains the IP Address. Notices will also be sent to:

  • The registrant Security Contact’s Service Provider, if any.

  • The registrant Security Contact’s Departmental / Parent Security Contact, if any.

  • Any Security Contacts that have 'CC' status for the IP address.

  • The Device registrant if the IP Address is a DHCP IP address.  

Does the application support IPv6?

Yes, Socreg supports IPv6.

Why can’t two Security Contacts share the same subnet? We both have IP addresses on the subnet.

Overlap is not allowed in Socreg. If two departments share a subnet, the department who claims the most IP addresses for that subnet will get the entire subnet. The other department will get individual IP addresses.

Additionally, one Security Contact will register and be primarily responsible for an IP address, although other Security Contacts may also receive security notices for that IP address.  

For complicated situations, e.g., where two different groups are responsible for systems on a subnet, a Security Contact created just for that shared responsibility might be the best solution.

What is the process if another Security Contact is non-responsive when I want to claim or transfer something immediately?

Contact the Information Security Office at:

What are the types of email generated by Socreg? Can I opt out from receiving any/all of them?

There are three types of email generated by Socreg:

  1. FYI emails: These emails are rolled up into a single digest which is sent once per week. Users can opt-out of receiving the digest by setting "Receive FYI digest" to “off”. However, at least one member of the Security Contact should continue to receive them.  Some FYI emails are sent immediately, for example when a PD Application or one of its components is modified.

  2. Notices about Access or Asset Requests.  Others may submit a request in Socreg for:

  • Membership within a Security Contact

  • New Group Security Contact

Or an asset:

  • IP Address

  • CC IP Address

  • Device

  • PD Application

Notifications are sent when the request is made and will repeat weekly until either approved or denied in Socreg.  

  1. Notices to "outside" entities (i.e., ISO ticketing system, DNS Administrator, or IT Policy): These are initiated by Socreg backend processes or sometimes by Socreg users and are copied to the Security Contact’s membership.For example, when a request is made for a new Department Security Contact, the request will go to ISO and we will conduct an intake process before creating the Department Security Contact.

I've received an "IP address to transfer" message.
Here we explain what it means and what you need to do.

You've received the message because Socreg has encountered a mismatch between the security contact that claimed an IP address (individually or by subnet) and the security contact that registered a subdomain.

(Note: In Socreg the assignment of a subdomain enables the transfer of IP address responsibility to the right party, but does not assign security contact responsibility).

For example, if security contact A registers a subdomain and another security contact B claims subnet a.b.c.0/24 and there is a set of hostnames defined in DNS:




security contact A and B will each get a message suggesting that the IP addresses be transferred from B to A.

Either security contact can initiate the transfer: Security contact A can 'request to take'; B can 'request to give'.

If the other party agrees and approves the transfer then B ends up with the subnet and A has 3 individual IP records out of that subnet because of its subdomain registration.

Remember: Socreg does not automatically make the transfer because there may be alternate solutions to resolve the discrepancy.  In the above example, security contact A could relinquish the IP addresses, or have their DNS hostname changed to something not in the xyz subdomain.

You are receiving this "IP address to transfer" message so that you can choose the best solution.

Vendor Security Assessment Program answers

What is a "3rd-party service provider"?
What is a "vendor" or a "3rd-party service provider"?

A "vendor" or "3rd-party service provider" is an entity (e.g., a person or a company), separate from the University, that offers something for sale.  The typical types of vendor services that require an ISO vendor security assessment are technologies used to store, process, and/or transport protected data on behalf of the University, such as:

  • Software as a Service (SaaS) providers - companies that provide hosted application services (e.g., Google bmail)
  • Infrastructure as a Service (IaaS) providers - companies that provide hosted data storage or processing services (e.g., Amazon AWS)

These types of vendors are required to meet the same campus policy standards for the protection of protected data that is required for applications and services that are managed by internal campus IT resources.

What is the purpose of the Vendor Security Assessment Program?

The Vendor Security Assessment Program is intended to ensure that service providers who handle UC P4 data on behalf of the University meet campus security policy requirements.  This is achieved in two ways:

  • By evaluating the vendor's security controls in comparison to campus policy.
  • Ensuring that the UCOP Data Security & Privacy Appendix is included in the vendor contract to provide baseline protection for the University in the event of a data breach.
Who needs to be involved in a vendor security assessment?

The roles that are typically involved in participating with a vendor security assessment include the following:

Resource Owner or Proprietor Campus unit representative who has overall responsibility for the application (e.g., budgeting and resource allocation).
Implementation Project Manager Unit member responsible for the roll-out of the application or service, including (but not limited to) vendor selection, contract specifications, configuration, process-flow design, personnel training, etc.
UC Buyer Representative in the UC Procurement department responsible for the vendor contract negotiation.
Vendor Representative Staff member of the service provider responsible for completing the Vendor Security Assessment Questionnaire.  Ideally, this person is affiliated with the IT department and is knowledgable regarding the vendor's security framework.  Often times, the person in this role is a Sales or Customer Support Representative who facilitates communication between the vendor's IT staff and the ISO Assessor.
ISO Assessor A member of the ISO analysts team assigned as the primary assessor responsible for the engagement with the unit.
Are vendor services available that have already been approved?
Are vendor services available to campus that have already been approved for UC P2/3 or UC P4 data?

There are several 3rd-party vendor services that are readily available to campus that have been approved for UC P2/P3 or UC P4 data.  Campus units that adopt these 3rd-party services for the purpose of storing and sharing covered data can be assured that these vendors meet campus policy requirements.

Campus units that utilize these services for the handling of protected data should keep in mind that careful configuration and management of these applications is required to meet campus policy standards.

 UC P4 Approved Services

  • CalShare, a web-based document management and collaboration system utilizing Microsoft SharePoint. 
  • The Imagine document imaging and workflow service is a campus service with the core purpose to provide automated workflows and document management and storage and can be integrated with other campus systems if needed. 

UC P2/P3 Approved Services

Please visit the bConnected website to learn more about the MSSEI protection level ratings for each of these products:

I have UC P2/3 data, what do I do?
My unit is contracting with a 3rd-party service provider to host campus UC P2/3 classified data. How can the vendor be assessed to meet campus security policies in the absence of ISO resources?

Units can ensure that 3rd-party service providers meet the campus data security policy requirements for the handling of UC P2/3 data through the following actions:

  • Be sure to include the UCOP Data Security & Privacy Appendix, required for all UC contracts involving 3rd-party access to protected data, without edits, in the service provider contract.  This ensures baseline protection for the University in the event of a data breach, including:
    • Service provider compliance with applicable laws (e.g., FERPA, HIPAA), regulations and campus policy.
    • Requirements for a vendor information security plan and breach reporting process.
    • Adequate cyber-insurance to cover the cost of investigating and responding to a breach.
  • Notify the service provider that by signing off on the Data Security & Privacy Appendix, they are obligated to abide by campus policy, including adherence to the requirements of the UC Berkeley Minimum Security Standard for Electronic Information (MSSEI) policy for the protection of UC P2/3 data.
The contract has already been signed, what do I do?
My unit is contracting with a 3rd-party service provider for the handling of campus protected data. The contract has already been signed, should I still engage with ISO for a vendor security assessment?

Although there is less bargaining power with the service provider to address security concerns after the contract has already been signed, it is still a good idea to perform a vendor security assessment for service providers who are handling UC P3 or P4 data:

  • If the overall risk level is acceptable, the unit is assured that the vendor meets campus policy for the protection of UC P3 or P4 data.
  • If the overall risk level is High or Critical, it may be necessary to postpone or suspend the service until these issues have been addressed.

Vendors may be more inclined to participate in a security assessment after the contract has been signed, but before the service has been initiated - as billing often does not begin until services have started. 

For VSAP reports with an overall acceptable risk rating, any medium-level risk findings identified in the report should be discussed with the vendor during the next contract renewal period.

The Data Security & Privacy Appendix was not included in the vendor contract, what do I do?
The contract with the 3rd-party service provider has already been signed and the UCOP Data Security & Privacy Appendix was not included. How will this affect the vendor security assessment?

For all UC contracts involving third-party access to covered data, the University of California Office of the President (UCOP) requires the inclusion of the Data Security and Privacy Appendix.  The appendix establishes baseline protection for the University in the event of a data breach.  Campus units that engage with service providers to handle covered data must ensure the appendix is included in new contracts without edits.

For VSAP engagements that have been initiated after the contract has been approved, and the UCOP appendix has been omitted, the final assessment report will include contract-related risk findings.  These findings are generally of a Critical risk nature, e.g.:

  • No guarantee of service provider compliance with applicable laws (e.g., FERPA, HIPAA) or campus policies for the protection of covered data.
  • The absence of requirements for a vendor information security plan and breach reporting process.
  • Inadequate cyber-insurance to cover the cost of investigating and responding to a breach.

In these cases, the unit may be required to suspend the use of the service until the contract issues have been resolved with the vendor.

How do I get started?
What do I need to do to initiate a vendor security assessment with the Information Security Office?

To request a Vendor Security Assessment Program evaluation for a PL2 system that is vendor managed, review the Details of the Vendor Security Assessment Program and then send an email to

Please include the following information:

  • Name of the unit requesting VSAP service
  • Project Lead contact information
  • UC Provisioning Representative contact information (if applicable)
  • Name of third-party vendor/product/service
  • Service description
  • List of protected data elements that are known to be processed, stored, or transmitted by the service provider (see the UC Data Classification Standard for details)
  • Estimated number of records containing PL2 data
How long will a VSA take using Venminder?

A typical VSA takes 4 to 6 weeks to complete starting from the date the Vendor has provided all the information requested. Please plan accordingly.

Will there be additional information or documents I need to provide when requesting a VSA?

Yes, the Requester will be responsible for providing the following information when requesting a VSA:

  • Vendor primary point of contact (name, title, phone number, and email address)

  • Vendor name and product/service being purchased

  • A description of the Vendor product/service and how it will be used on campus

  • A completed UC Appendix DS Exhibit 1 form

Additionally, the following security documents will speed up the assessment process:

  • SOC 2 Type II report

    • If available, include the Vendor’s SOC 2 Type II report. NOTE: Venminder will need the Vendor’s own report and not the report of the Vendor’s hosting provider such as AWS, Azure, GCP, etc.

  • PCI DSS compliance documentation for Vendors that accept payment card data on behalf of UC.

    • Please include the vendor’s PCI DSS Self-Assessment Questionnaire (SAQ), Attestation of Compliance (AOC), and any other supporting policies or PCI compliance documentation.

ISO will no longer ask for the statement of work, contract/agreement, or the Vendor’s security plan.

The Vendor is requiring a Non-Disclosure Agreement (NDA) in order to release security documentation. Who should sign the NDA?

The Requester is responsible for signing any Non-Disclosure Agreements with the Vendor and informing ISO which documents are under NDA. 

Inform the ISO Assessments Team on the corresponding ServiceNow ticket for your VSA request if the Vendor is asking that ISO or Venminder sign the NDA.

What should I do with the Venminder report and ISO guidance letter after an assessment is completed?

Once a VSA is complete, ISO recommends reviewing the guidance letter and the Venminder report with your Unit Information Security Lead (UISL) to decide on the appropriate course of action for responding to the findings identified in the Venminder report. The ISO guidance letter in particular will provide information regarding what type of response the Unit requires per campus security policy.

What are my responsibilities as a Requester with the changes to the VSA service?

Venminder will make best efforts to gather all the required security documentation needed for an assessment directly from the Vendor contact that you provide.The Requester should be prepared to coordinate with the Vendor to ensure ISO and Venminder have all information required to complete the VSA and to respond to questions that arise during the VSA. The Requester should be knowledgeable regarding the Vendor’s service and the Unit’s use case.

ISO Security Notices answers

Why did I get a Compromised Host / Possibly Compromised System notice and what should I do?

Did you receive an email from with Compromised Host / Possibly Compromised System in the Subject line?

Please see our Respond to a Security Notice page for detailed information and instructions on how to respond.

Why did I get a Vulnerability Detected notice and what should I do?

Did you receive an email from with Vulnerability Detected in the Subject line?

Please see our Respond to a Security Notice page for detailed information and instructions on how to respond.

Why did I get a Credential Exposure notice and what should I do?

Did you receive an email from with Credential Exposure in the Subject line?

Please see our Respond to a Security Notice page for detailed information and instructions on how to respond.

How to Respond to Campus Blocking RDP Open to Internet Ticket


Running Remote Desktop Protocols (RDP) open to the Internet has become a significant threat to campus and RDP access must be secured according to the “How can I secure my remote connection” section below. The Information Security Office will notify users through our ticketing system upon detection of RDP open to the Internet. 

Who is affected:

  • People using personally-managed or -owned computers and who have no restrictions for remote access to the campus computer they are connecting to.

Who is not affected:

  • People using a university-managed Windows machine. How to tell if you have a managed machine

  • People using restricted access/secure connection protocols for connecting to virtual computers in the data center.

  • Sys Admins who have already configured MFA, Firewall restrictions, or other access security should not receive alerts.

How can I secure my remote connection:

Users running RDP open to the Internet will be notified through our ticketing system and will be given a window of time to do one of the following:

Additional Resources:

Campus VPN IP ranges:

How to secure RDP for Admin:

How to configure Microsoft Remote Desktop Connection for Mac:

If you have questions on this process change, please contact: 

If you need assistance with the Gateway Services contact:

Search for Sources

Congratulations on searching for "sources" in the search box. This is the best way to find content on our site.


                                                       - All your base are belong to us

I received a Security Notice saying my operating system is unsupported. How do I know if my operating system is supported?

Security best practices, as well as campus
Minimum Security Standards for Network Devices (MSSND), require the use of supported software for which the vendor will make security updates available in a timely fashion. As vendors are unable to support all previous versions of software, older programs are dropped from support and must be upgraded or removed from the network. It is especially important to be aware of your operating system “end of life”, as major upgrades often require time and planning.


Microsoft publishes current lifecycle information for Windows operating systems. If your version of Windows is past the date for extended support, or not listed, your operating system is not supported and you must retire the system or upgrade to a supported version of Windows. When planning for department equipment purchases and upgrades, be aware of any upcoming “end of life” dates for your version of Windows.

Mac OS X

While Apple does not officially acknowledge the end of support for Mac OS X operating systems, past experience shows that security updates addressing critical vulnerabilities are only released for the current and one previous version of Mac OS X. When Apple releases security updates for Mac OS X, operating systems with vulnerabilities that are not patched by Apple will be considered unsupported.

Mac OS X users should plan on upgrading their operating systems regularly as Apple releases new versions. We recommend updating to either the latest version, or one previous version, no more than 90 days after a new version is released.

A list of current security updates can be found on the Apple Support site:

Other Operating Systems

Check with your vendor to confirm whether or not your version is still under support and receiving security updates for known vulnerabilities. Operating system vendors often publish lifecycle information to assist customers with upgrade planning:

MSSND Exception Requests

If your operating system is not currently supported, and you cannot immediately upgrade to a supported release, you must request a policy exception to keep the machine connected to the campus network. Your request should include details such as:

  • Why you cannot upgrade your current unsupported operating system
  • Timeframe for upgrading or retiring the system
  • Full inventory of software running on the system
  • Expected use of the system including all network use
  • Firewall rules and other security controls mitigating the risk

Cloud Services answers

Having identified a service with attractive functionality, how do I find out whether there are similar services available or in use on campus?

The best campus resource for this the IST Service catalog. Additionally, the IST Procurement department may be able to assist you in finding services that have already been purchased on behalf of the campus.

How do I determine if there is an existing contract in place with the supplier?

Contact the UCB Procurement Office directly to find out whether an existing contract is in place with a service provider:

How do I know if my intended use of service is in compliance with University policies?

The distinction here is that just because there is a contract in place with a supplier doesn't mean that it is appropriate for all use cases.

An example is our Google agreement which will meet the overwhelming majority of our needs in the e-mail/calendar space, but that is not HIPAA compliant and as such is not a good fit for use cases where Protected Health Information is in play. For assistance with IT policy questions, contact

Who is responsible for my data?

By engaging with a service provider, you have the responsibility as the Resource Proprietor for ensuring compliance with laws, regulations and policies, including standards (UC Business Finance Bulletin IS-2 and IS-3).

For example, if notice-triggering data is involved, the service (whether on or off campus) must meet the protective measures defined in the campus Minimum Security Standard for Electronic Information.

Information that is subject to state or federal regulations will have use and disclosure restrictions that must be maintained.  Student records are protected by FERPA regulations.  Medical records are protected by HIPAA, FERPA, and state laws.

The Resource Proprietor, in consultation with the Resource Custodian, is responsible for determining the level of risk (subject to law, regulation, and policy) and ensuring the implementation of appropriate security controls to address that risk.  This puts responsibility for evaluation of the service's security controls (e.g., hardening, patching and monitoring) in the hands of the Resource Proprietor. Although not directly applicable to services outside of the campus network, the campus Minimum Security Standard for Networked Devices provides a useful set of baseline security requirements.

Where do I find additional Information about Cloud Services?

For evaluating cloud service providers that handle P4 data on behalf of the University, the Information Security Office offers the Vendor Security Assessment Program (VSAP).  The VSAP is intended to ensure that campus third-party service providers adhere to the same baseline level of security practices required for campus systems and applications that contain protected information and are managed and maintained by internal campus resources.

To request a VSAP evaluation for a P4 system that is vendor managed, review the Details of the Vendor Security Assessment Program and then send an email request to (link sends e-mail).

If there are particular services or types of services that you believe would add significant value, please contact David Willson (

For questions concerning IT policy, contact

For all other questions, contact

Copyright & File Sharing answers

How do I respond to copyright infringement allegations?

1.  As a "takedown notice" under the DMCA:

See The Digital Millennium Copyright Act (DMCA) and Related Resources

2.  As a legal action taken by the copyright holder’s legal representative, e.g. an Early Settlement Offer or a Subpoena:

Campus legal counsel cannot represent individuals in matters of alleged copyright infringements.  Students may seek information from the Student Legal Services office, employees will need to obtain their own personal legal counsel.

General information:

Where can I download files legally?

EDUCAUSE maintains a list of legitimate download services.

Phishing answers

What is Phishing?

Phishing is a type of attack carried out in order to steal information or money. Phishing attacks can occur through email, phone calls, texts, instant messaging, or social media. Attackers are after your personal information: usernames, passwords, credit card information, Social Security numbers. However, they are also after intellectual property, research data, and institutional informationPhishing scams can have several goals, including:

  • Stealing from victims - modifying direct deposit information, draining bank accounts.
  • Performing identity theft - running up charges on credit cards, opening new accounts.
  • Purchasing items - buying gift cards, tricking victims into working on their behalf.
  • Getting victims to act - clicking on malicious links, installing malware on their devices.
How can I identify a Phishing scam?

The first rule to remember is to never give out any personal information in an email.  No institution, bank or otherwise, will ever ask for this information via email.  It may not always be easy to tell whether an email or website is legitimate and phishing emails are using social engineering tactics to make create sophisticated scams.

  • In the body of an email, you might see questions asking you to “verify” or “update your account” or “failure to update your records will result in account suspension.” It is usually safe to assume that no credible organization to which you have provided your information will ever ask you to re-enter it, so do not fall for this trap.
  • Any email that asks for your personal or sensitive information should be seriously scoured and not trusted. Even if the email has official logos or text or even links to a legitimate website, it could easily be fraudulent. Never give out your personal information.
Why is understanding the risk of Phishing important?

Phishing attacks are a constant threat to campus and are becoming increasingly sophisticated. Successful Phishing attacks can:

  • Cause financial loss for victims
  • Put their personal information at risk
  • Put university data and systems at risk
All workforce members are responsible for protecting institutional data and complying with information security obligations stated in UC policy, laws, governmental regulations, contracts, external obligations, and grants.
What can I do to avoid Phishing attacks?

We encourage the UC Berkeley community to take an active role in protecting themselves against phishing attacks. Use our helpful tips in our Fight the Phish campaign to recognize and report phishing attacks.


  • If you are worried about an account, call the organization which maintains it (like your bank)
  • Check the email address—does it really match the text of the email? Does it match the legitimate email of the organization it is supposed to be tied to?
  • Check the security certificate of any website into which you are entering sensitive data. They should usually begin with https:// Some browsers will display padlock symbols in the address and status bars. Anything on a website saying it is safe can be falsified and is not verified by the browser you are using, and so shouldn’t be trusted
  • Keep your software current
  • Install antivirus software
How would I know if my CalNet credentials were compromised?
You may not always know. Scams and malware that steal passwords are designed to be stealthy and unnoticed.
Passwords are most frequently compromised one of three ways:
  • Being tricked to giving up your credentials at a real-looking but scam website (AKA Phishing)
  • Malware or other compromises of your device which installs software designed to run in the background and steal passphrases
  • Re-using CalNet credentials for non-UCB websites, and the non-UCB websites are hacked and all credentials exposed

However, a couple of tell-tale signs of credential compromise are:

  • Your colleagues and friends have received unexpected messages from your email account (spam or additional Phishing emails)
  • You suddenly cannot login with your CalNet credentials because an attacker has changed your passphrase
The best defense addresses all three main threats:
  • Know how to evaluate whether websites asking for your passphrase are legitimate. When in doubt, ask by sending an email to or contacting ITCS at 510-664-9000
  • Only use devices that are up-to-date. This means patches for all software are installed as soon as the patches become available, that the browsers are configured for maximum security, and the device otherwise meets the campus Minimum Security Standards for Networked Devices.
  • Do not reuse your CalNet passphrase for other websites

If in doubt regarding the security of your CalNet account, change your CalNet passphrase!

When changing your CalNet passphrase, be sure to do so from a machine you believe is not infected by malware or otherwise compromised. Anti-malware and antivirus scans should result in a "clean" report (no infections) for the machine you intend to use to change your CalNet passphrase from.

Additionally, if you answer yes to any of the following questions, you should also reach out to the ISO office, by emailing

  • While performing your normal duties, do you access protected data (UC P4) from the workstation for University business, including access to the data through central campus applications/services (ImageNow, PeopleSoft, HCM, Payroll/PPS, BFS, etc)?
  • Do you suspect there are University (non-personal) documents containing protected data stored on the workstation?
  • Are there file shares (also known as network drives or mapped drives) mounted on your workstation with stored protected data, whether or not you work with those files?
  • Do you use accounts on this workstation that have privileged [administrator, superuser, database owner (dbo)] access to other systems with protected data?
  • Do you store any usernames and passwords in plain-text (not encrypted) on the workstation?
  • Do you work with Research data regulated by Campus Institutional Review Boards (IRB),  California Committee for the Protection Human Subjects(CPHS), or subject to other Data Access Agreements?

Note: The Information Security Office is sometimes informed when passwords associated with UC Berkeley accounts are exposed in public forums or discovered during breach investigations. In these cases, we may test the exposed passwords to see if they are valid CalNet passphrase. If the passphrase is validated, it will be scrambled immediately and the account deactivated until the account owner is contacted to create a new passphrase. This testing is done only for validation purposes and is not used for access to the account holder's email or other electronic services.

Please see Why did I get a Credential Exposure notice and what should I do? for information on what to do if you receive an ISO Security notification for exposure of your account credentials.

Who do I contact if I think my CalNet credentials were compromised?

If you believe your CalNet credentials have been compromised, and you still have access to your account, change your password immediately.  Instructions for changing your passphrase can be found online:

  • If you are not able to access your account, contact
  • If you have received notice from CalNet that your account has been locked, email
  • To regain access to your accounts, you will need to verify your ID by showing a government-issued photo ID via Zoom or in person, so be prepared.
  • To open a ticket with CalNet, email: calnet@berkeley.eduor call 510-664-9000 (Option 1, 1). 

Additionally, if you answer yes to any of the following questions, email the Information Security Office at immediately to report the compromise.

  • While performing your normal duties, do you access protected data (UC P4) from the workstation for University business, including access to the data through central campus applications/services (ImageNow, PeopleSoft, HCM, Payroll/PPS, BFS, etc)?
  • Do you suspect there are University (non-personal) documents containing protected data stored on the workstation?
  • Are there file shares (also known as network drives or mapped drives) mounted on your workstation with stored protected data, whether or not you work with those files? 
  • Do you use accounts on this workstation that have privileged [administrator, superuser, database owner (dbo)] access to other systems with protected data?
  • Do you store any usernames and passwords in plain-text (not encrypted) on the workstation?
  • Do you work with Research data regulated by Campus Institutional Review Boards (IRB), California Committee for the Protection Human Subjects(CPHS), or subject to other Data Access Agreements?
What if my personal email account, bank account, or other accounts were compromised?
  • Immediately change your passwords for any potentially compromised accounts
  • Contact your bank or financial advisor to let them know your accounts may be compromised and ask them to put a fraud alert on your accounts
  • Check your bank and financial statements and credit reports to regularly identify any false charges or suspicious activity
  • If you believe you are a victim of identity theft, please see the Federal Trade Commission's Immediate Steps to Repair Identity Theft.
How do I report a Phishing or suspicious email?

Reporting suspicious emails can dramatically reduce the duration and impact of an active phishing attack.

Using the bMail web interface:

  1. Open the message
  2. To the right of 'Reply' arrow, select 'More' (typically denoted with three vertical dots)
  3. Then 'Report phishing'

Reporting through Google allows the email to be blocked from further attacks against and may prevent others from falling victim to the attack.

If you are unable to log into bMail, forward the message to or call the ITCS Service Desk at 510-664-9000. 

Do I only need to worry about Phishing attacks via email?

No.  Phishing attacks can also occur through phone calls, texts, instant messaging, or malware on your computer which can track how you use your computer and send valuable information to identity thieves. It is important to be vigilant at all times and remain suspicious of sources that ask for your credentials and other personal information.

Privacy answers

Who owns the information you create?

As an employee of UC Berkeley, any information you create or receive during your employment that has anything to do with the business of UC or the Campus belongs to the Regents.  Whether it is information stored in your paper files, on your computer, voice messages, portable media, home laptop, or another account or device used by you,  the information is Regential property and must be created and managed according to policy.

Any personal information you may accumulate during your employment belongs to you.  You are responsible for the management of your own information.  This means at a minimum that if you move location, transfer to a new position, or separate from University employment you must take your personal information with you.  Any personal information left behind will be treated in the same manner as any tangible personal property.  It will be disposed of according to the campus procedure. 

What is FERPA?

FERPA, shorthand for the Family Educational Rights and Privacy Act, was enacted by Congress in 1974 [20 U.S.C. 1232g].   This legislation gives parents of minor students, and students who are over 18, the right to inspect, correct, amend, and control the disclosure of information in education records. It obliges educational institutions to inform parents and students of their rights and to establish policies and procedures through which their rights can be exercised. 

FERPA gives students of any age enrolled in a university or college the right to give or withhold consent for the educational institution to use or disclose personal information about them.  There are a number of exceptions to this general right. The main one is that institutions may use student information for legitimate business purposes. Requests to use or disclose UC Berkeley student information are approved by the Registrar who is the authorized data steward for all student information.

FERPA training: is external)

Can I access a former employee's email or files?

Access to former employee email or files is coordinated through the Campus Privacy Officer, Office of Ethics, Risk and Compliance Services:

How do I get approval to examine or disclose electronic communications records?

Authorization to access electronic communications, with or without consent, is coordinated through the the Campus Privacy Officer, Office of Ethics, Risk and Compliance Services:

How do I request early disabling of CalNet ID or Berkeley email (bMail) accounts?
How do I request early termination of the CalNet or bMail accounts for an ex-employee before the end of the standard 90-day grace period?

Employees have a standard 90-day grace period after they have separated from UC Berkeley, during which they can access limited campus services, such as bMail. In rare cases, a department may want to request early termination of a former employee’s CalNet or Berkeley email (bMail) account before the end of the standard 90-day grace period.

Departments can contact to discuss how to deactivate employee (including volunteer and affiliate) CalNet or bMail accounts immediately or otherwise earlier than the normal grace period. 

Forms and Process:

  • For early disabling of a separated employee’s access, download the Request for Exceptional Disabling of CalNet Account form below for information and instructions. This form is intended to be used for emergency early CalNet account termination. Signed approval by an authorized departmental official is required.
  • If the account suspension is temporary and the employee may eventually return to their position, download the Request for TEMPORARY Disabling of CalNet ID or bMail Account form below for information and instructions. This action is for exceptional circumstances only and must be approved by the employee's Department, Human Resources, and Campus Counsel. 
  • A scanned image of the printed form (with signature) may be submitted by email in lieu of a hard-copy.

Ransomware answers

What is Ransomware?

Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.  Ransomware variants have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert. Typically, these alerts state that the user’s systems have been locked or that the user’s files have been encrypted. Users are told that unless a ransom is paid, access will not be restored. The ransom demanded from individuals varies greatly but is frequently $200–$400 dollars and must be paid in virtual currency, such as Bitcoin.

How does a computer become infected with Ransomware?

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access to an organization’s network.

Why is Ransomware so effective?

The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and users systems can become infected with additional malware. Ransomware displays intimidating messages similar to those below:

  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”
What is the possible impact of Ransomware?

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including

  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

What do I do to protect against Ransomware?

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.

US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:

  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum protection.
  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the targets of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine.
  • Do not follow unsolicited Web links in emails. Refer to the Phishing resources found on this website for more information.

Individuals or organizations are discouraged from paying the ransom, as this does not guarantee files will be released.  However, the FBI has advised that if Cryptolocker, Cryptowall or other sophisticated forms of ransomware are involved, the victim may not be able to get their data back without paying a ransom.

What do I do if I believe my system has been infected by Ransomware?

Signs your system may have been infected by Ransomware:

  • Your web browser or desktop is locked with a message about how to pay to unlock your system and/or your file directories contain a "ransom note" file that is usually a .txt file
  • All of your files have a new file extension appended to the filenames
    • Examples of Ransomware file extensions: .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky or 6-7 length extension consisting of random characters

Responding to a Ransomware Infection

What to do if you believe your system has been infected with ransomware

1. Disconnect From Networks

  • Unplug Ethernet cables and disable wifi or any other network adapters. 
  • Put your device in Airplane Mode
  • Turn off Wi-Fi and Bluetooth

This can aid in preventing the spread of the ransomware to shared network resources such as file shares.

2. Disconnect External Devices

Immediately disconnect:

  • USB drives or memory sticks
  • Attached phones or cameras
  • External hard drives
  • Or any other devices that could also become compromised

3. Report the Incident

It is important that incidents are reported as early as possible so that campus can limit the damage and cost of recovery.

Shared Firewall Service answers

Is this service suitable for me?

Yes, if: 

  • Your service contains printers and workstations only.
  • You don't have any custom rules.
  • You don't have technical staff who can configure your firewall rules. 
  • Your security needs are not extensive. 

No, if: 

  • Your subnet(s) hosts servers and services used outside the firewall.

  • You host sensitive data.

  • You have regulatory or contractual obligations to safeguard data that resides on your network.

  • Restricting traffic based on malicious content or destinations known to be malicious is unacceptable to the users on your subnet.

What are the benefits of using this service?
  • You don’t need to write your own firewall rules.

  • You don’t need to define security profiles.

  • Increased security using profiles that block systems from connecting to or receiving traffic from known bad addresses

  • Malicious content (spyware, attempts to exploit known vulnerabilities, etc.) will be stopped by the firewall

Are there any drawbacks to using this service?
  • This service should not be used if you store restricted data.

  • Rules and profiles in the shared firewall are not customizable.

  • The only services on the protected side of the firewall that can be accessed from the unprotected side are printing and remote desktop services. These services can only be accessed from non-Calvisitor campus addresses.

  • Campus vulnerability scanners are allowed and there will be no firewall exceptions for devices that have issues with scanning

  • Since systems using the shared firewall service are not isolated from each other,  malicious insiders may still be able to access the systems on the protected side of the firewall.

  • This service can only accommodate entire subnets. If you only want a subset of your systems to use it,  those systems must be put on a new network.

Can I use the shared firewall service if I store sensitive or protected data?

The shared firewall service is not intended for systems storing sensitive data. Depending on the circumstances, you should either use a fully customizable Departmental Firewall or the High Security Managed Firewall service.

Can I make customizations to the shared firewall rules?

No. Customizations are not made for individual departments. However, it is an evolving service and changes will be made if necessary to support the general needs of campus workstation computing.

What if I have issues or feedback about this service?

If you have comments or suggestions for the service, please email sends e-mail) or share with the bSecure Mailing list(link is external).