ISO Services questions
Common questions about The Information Security Office service offerings
- How do I register P4 workstations as Protected Data Applications in Socreg?
- How is the rVPN monitoring different from being on campus?
- What traffic is blocked by the rVPN?
- Should the Restricted VPN (rVPN) be used full time?
- How does the rVPN monitoring differ from that of the normal VPN?
- How is the rVPN different from the regular VPN service?
- Who is eligible for the Restricted VPN (rVPN) service?
- What do I do if I've disclosed or shared data that was protected?
- What should I do after my CalNet gets unlocked?
- Where can I get detailed questions answered regarding the new IS-3?
- How can I get help from IT on Windows 7 End of Life?
- What can I do to prepare for an OS upgrade?
- How do I request a security exception for Win 7 EOL?
- What happens if I am running a Windows 7 computer after Jan. 14, 2020?
- How do I upgrade my computer to a new operating system?
- What should I do to prepare for Red Hat Enterprise Linux 7 end of life?
- How do I request a security exception for RHEL7 EOL?
- Who has been involved in approving EDR?
- I am an employee performing work functions on my personal computer. Can I install EDR?
- Can I request an exception from EDR?
- What can I do to protect my privacy?
- What data is analyzed by the EDR software?
- How can I tell if EDR has been installed on my machine?
- What does EDR software do?
- How do I know if my machine is managed?
- When will EDR be deployed to my computer?
- What is the difference between Trellix and FireEye?
- Who do I contact for help with Endpoint Detection & Response (EDR)?
Application Security Testing Program (ASTP) questions
- My application received a Pass grade. Does this mean my application is certified for UC P4 data?
- What if I cannot meet the remediation due dates presented to me in the final report?
- Based on my data, I have external regulatory requirements like PCI, HIPAA, or CPHS. Does an ASTP assessment cover me for those requirements?
- How often am I required to have an assessment against my application?
Nessus Network Vulnerability Scanning questions
Socreg - Asset Registration Portal questions
- How Do I Update My Socreg Profile Settings?
- How are Protected Data Applications and Systems monitored?
- How are security notices routed?
- Does the application support IPv6?
- Why can’t two Security Contacts share the same subnet? We both have IP addresses on the subnet.
- What is the process if another Security Contact is non-responsive when I want to claim or transfer something immediately?
- What are the types of email generated by Socreg? Can I opt out from receiving any/all of them?
- I've received an "IP address to transfer" message.
Vendor Security Assessment Program questions
Frequently asked questions concerning the ISP Vendor Security Assessment Program (VSAP).
- What is a "3rd-party service provider"?
- What is the purpose of the Vendor Security Assessment Program?
- Who needs to be involved in a vendor security assessment?
- Are vendor services available that have already been approved?
- I have UC P2/3 data, what do I do?
- The contract has already been signed, what do I do?
- The Data Security & Privacy Appendix was not included in the vendor contract, what do I do?
- How do I get started?
- How long will a VSA take using Venminder?
- Will there be additional information or documents I need to provide when requesting a VSA?
- The Vendor is requiring a Non-Disclosure Agreement (NDA) in order to release security documentation. Who should sign the NDA?
- What should I do with the Venminder report and ISO guidance letter after an assessment is completed?
- Can I ask for another Vendor Security Assessment for a Vendor that previously received a “Not Recommended” rating?
- What are the responsibilities and expectations for Units and Vendors during the VSA process?
ISO Services answers
Please see Instructions for Registering P4 Workstations in Socreg for step-by-step instructions.
The degree of monitoring on campus varies depending on the location of the system. For most users the only traffic that is inspected for signs of compromise is traffic that goes off of the campus network or is directed at systems protected by our firewalls. For people on networks protected by a firewall there is additional monitoring at the firewall location.
When it comes to the Restricted VPN the monitoring occurs for almost every packet that leaves the systems connected to the VPN.
Traffic from this service is blocked if it is going to or coming from a list of IP addresses, hostnames and URLs the security department believes are involved in malicious activity. These lists are derived from both our own monitoring and from reputable third party sources. Additionally, traffic that is detected as malicious, where the severity of the activity is set as a medium (or higher) level by Palo Alto networks (our VPN and firewall vendor), is also blocked.
Because of the increased monitoring, most users will only want to use the Restricted VPN for access to the systems that host the restricted data. Beyond that, it is probably preferable to use the normal VPN.
The normal VPN has only minimal traffic monitoring beyond information about logins. In comparison, the Restricted VPN monitors all traffic as it exits the VPN and employs the vulnerability, anti-spyware, AV, file monitoring, and threat detection and blocking features of the Palo Alto firewalls.
The regular VPN service is intended to allow members of the campus community to access campus resources without having to be physically present on the campus. The Restricted VPN is meant to not only allow people remote access to the network, but to also enforce stricter security controls including blocking some traffic, logging all network traffic, detecting signs of unusual activity to or from the clients and using security profiles to block any malicious or vulnerability related traffic that has a rating of medium severity or higher.
As part of its monitoring service, information about the security of the host system (information like the OS, malware protections, disk encryption, and missing patches) is also monitored and recorded. As the service evolves this information will also be used to further restrict access to the network.
Individuals who access and control a large quantity of restricted data or key IT infrastructure as part of their normal business activity may be eligible for this service. Individuals who use the data are not necessarily eligible. This service is for those with a high level of access to bulk quantities of this data. Additionally, researchers working in heavily targeted areas may be eligible for this service.
To confirm eligibility, please contact rvpn@berkeley.edu with a description of the types and quantities of data you are accessing, and where it is stored.
First off, what is a disclosure?
It's the intentional or unintentional release of protected or private/confidential information to an untrusted environment or to unauthorized individuals.
Process for reporting a disclosure
- Remove the disclosed information as soon as possible
- Immediately report the incident to the Information Security Office
- Notify your supervisor
Now that your CalNet account has been unlocked, you must reset your passphrase as follows:
-
Select "Forgot my CalNet ID / Passphrase"
-
Enter your Student, Employee, or Affiliate ID NUMBER, or recovery email address
-
Confirm that you are not a robot by selecting all of the applicable images
-
Once you receive the email to reset your passphrase, enter your Student, Employee, or Affiliate ID number again to set a new passphrase
Because your exposed CalNet passphrase puts the security of your personal data at risk, you must also complete each of the following tasks after you reset your passphrase.
-
If you are a UC Berkeley employee, confirm that no changes have been made to your Direct Deposit account. From a safe and malware-free computer, access the Direct Deposit link from https://ucpath.berkeley.edu/ or call Payroll (510-642-1336).
-
Confirm that your email is not being redirected to any account you do not recognize via unauthorized email forwarding, and make sure there are no filters you did not create (e.g. send all <my bank emails> to my Trash folder.
-
How to forward emails from bMail account: https://support.google.com/mail/answer/10957?hl=en
-
How to use filters in bMail: https://support.google.com/mail/answer/6579?hl=en
-
Review bMail account logs and sign out of active sessions
-
Log into your bMail account
-
In the very lower right corner, under "Last account activity" click the "Details" link
-
This will show the last few connections to your account; review for unknown logins
-
On the same page, click the large gray button "Sign out of all other web sessions"
-
Re-secure your Recovery Email Address by changing the password. The recovery email address is a non-"berkeley.edu" email address attached to your CalNet account. Resetting the password on this account helps ensure that it is also not compromised.
-
Recreate your bConnected Google Key. If you had a Google key set, it has been scrambled. Create a new one using the Manage My Keys application: https://idc.berkeley.edu/mmk/ or contact bConnected support: bconnected@berkeley.edu or 510-664-9000 press 1 and follow the prompts.
-
Review your CalNet 2-Step devices to make sure no changes have been made. Log in to mycalnet.berkeley.edu, click on Manage 2-Step Verification, perform a 2nd 2-Step to see the Device Control Panel, and review your devices, there. See: https://calnetweb.berkeley.edu/calnet-2-step
Units interested in detailed information about IS-3 controls; roles and responsibilities; and implementation tools from the UC Systemwide Policy Office can contact ISO at security@berkeley.edu to request access to the systemwide materials.
Please fill out this request form only if you have not already been in contact with campus IT professionals (either through your department or IT Client Services) regarding the upgrade of your current Windows 7 computer, purchase of a new computer, or security exception application.
- Begin by backing up your files. You can do this to a local device or move your data from the computer to servers or cloud-based platforms. Please note that location is dependent on the protection level of the data you have: UC P1 and UC P2/P3 data can be stored on Google Drive and Box. UC P4 data may only be stored on Calshare
- Confirm that any software (outside of the standard MS Office, Chrome, Adobe Acrobat) is compatible with Windows 10 and that you have the installation files and activation keys needed
- Go to: https://software.berkeley.edu/microsoft-os and download your desired operating system.
Exceptions are allowed only if the system cannot be upgraded and depending on the data classification level and the amount of data of that type. Submit your security exception request by November 1, 2019, to allow time to implement mitigations needed before End of Life.
If you are running Windows 7 you are unsupported and out of compliance with campus policy.
What happens next:
- Feb. 1, 2020 - ISO notifies Windows 7 systems users to disconnect from the campus network
- Mar. 1, 2020 - ISO blocks Windows 7 devices seen on the campus network
Please note: In the event that a Windows 7 exploit is released before Mar. 1, ISO reserves the right to immediately block any vulnerable device per the Blocking Network Access Policy.
Exceptions
Exceptions are allowed only if the system cannot be upgraded and depending on the data classification level and the amount of data of that type. Learn more about security exceptions at our Exception Process for Windows 7 End of Life (EOL) page.
If the computer is managed by ITCS: Submit a ticket: https://sharedservices.berkeley.edu/it/(link is external)
If the computer is managed by your department IT: Submit a ticket directly to them
If you do not have campus IT support you can download the software here: https://software.berkeley.edu(link is external)
Is it a personal computer? Yes, then you can download the software here: https://software.berkeley.edu
-
Upgrade to a supported operating system. Red Hat Enterprise Linux (RHEL) subscriptions are available for departments who have a large number of systems and wish to migrate to RHEL8 or RHEL9 and manage their own RHN organization instance. Software download location and links to installation instructions will be provided with delivery of access keys. Contact unix-tickets@berkeley.edu(link sends e-mail)(link sends e-mail) to request access.
-
Remove or retire the system.
Exceptions will only be approved if there is a valid reason why the system cannot be upgraded and remediation steps such as obtaining extended support, EDR clients, and network firewalls have been put in place (these are just examples and not an exhaustive list). Submit a security exception as early as possible, to allow time to implement mitigations needed before End of Life. More information on exception requests here
Berkeley prioritizes privacy and data protection for individuals with Endpoint Detection and Response (EDR) software installed on university-owned computers and servers. Campus EDR is not intended for installation on personally owned devices.
The Campus Privacy Office and the Information Risk Governance Committee (IRGC) are currently reviewing our EDR program. The IRGC provides the campus framework for institutional governance of information risk under campus and systemwide privacy policies, including the Electronic Communications Policy.
- See our detailed EDR Service article for more information.
We are only installing the EDR software on campus-owned machines. Additionally, we strongly encourage staff to utilize Berkeley-owned and managed machines because IT staff will be better able to support those devices and configurations.
Most campus users are required to use EDR. Before requesting an exception, please review the exception requirements and process
Although the UC Electronic Communications Policy allows for the incidental personal use of University electronic resources, and use of EDR-collected information is limited to what is required for analysis and remediation of security incidents, you may feel that you do not want your personal online activity included in EDR data collection that security analysts could review. We recommend conducting such personal online activity on a device not owned or managed by the University.
Note: Per UC-wide requirements, in future phases of the campus EDR project, personally-owned devices used to connect to University "trusted networks" and "enterprise systems" (to be defined by the campus) will also require EDR software.
EDR scans continuously and keeps a 10-minute record of your machine's activity, which is saved only if a security alert is triggered.
The regular scan includes:
- Network activity, such as URL data and DNS lookups
- File activity, such as downloads
- Images loaded
- System processes and registry events (applications and tasks running on the device)
When a security alert is triggered, EDR takes a copy of a second 10-minute interval, including:
- Applications running
- Web sites visited
- File activity, such as downloads
- Processes running on the machine
See our detailed EDR Service article (CalNet Authentication required) for more information.
Berkeley IT uses Trellix for our Endpoint Detection and Response software. To see if Trellix has been installed on your university machine, follow these steps based on your operating system.
Apple machines:
Search for a file called “FireEye Helper” in the applications folder
- or -
Open terminal and run:
ps aux | grep xagt
If you get a result that includes this in response to this prompt, Trellix is likely running:
/Library/FireEye/xagt/xagt.app/Contents/MacOS/xagt -M DAEMON
Windows machines:
Look for this image on your taskbar:
Linux machines:
Open terminal and run:
ps aux | grep xagt
If you get a result that includes this in response to this prompt, Trellix is likely running:
/opt/fireeye/bin/xagt -M DAEMON
Once installed, the software runs seamlessly in the background while you do your regular work. It uses real-time information and machine learning to detect, contain, and respond to threats quickly to mitigate further damage.
Specifically, EDR uses several techniques, including:
- Signature-based engine to find and block known malware (akin to traditional anti-virus and anti-malware software).
- MalwareGuard machine learning using seeded threat intelligence.
- Behavior-based analytics engine to stop advanced threats.
- Real-time discovery of Indicators of Compromise (IOC) using frontline threat intelligence.
See our detailed EDR Service article (CalNet Authentication required) for more information.
In general, you can tell if your computer is centrally managed if you see the Self Service app on your Apple machine, or the BigFix Self Service app on your Windows machine.
If your desktop or laptop computer is centrally managed by campus, EDR will automatically be installed on your machine. Beginning in October 2024, ISO will be working to roll out installation across campus for workstations.
If you wish to install EDR on your server before, please email us at endpoint-security@security.berkeley.edu
Trellix was formerly named FireEye. You may see references to FireEye on your computer after this product is installed on your machine. The screenshot below shows a popup message you may receive on your Apple machine after Trellix is installed via BigFix.
For questions or issues with this installation, email endpoint-security@security.berkeley.edu
Application Security Testing Program (ASTP) answers
No. Information Security and Policy does not "certify" applications. A Pass or Fail grade is intended to indicate whether or not an application meets the campus minimum security requirements for application security at the time at which it was assesssed.
An application security assessment is intended to find the most critical and high risk vulnerabilities; however, the assessment process is often accelerated due to time and resource constraints meaning all vulnerabilities may not be discovered in a single assessment.
Remediation due dates are generated based on the risk and the breadth of the vulnerability. Due dates can be negotiated with the Information Security Office at the time of disclosure. For example, some due dates may be changed for reasons like:
- Reliance upon a vendor to implement a fix for a discovered vulnerability
- Development time
- Retirement of a vulnerable portion of an application
Ultimately, it is the responsibility of the application owner to make or coordinate best efforts to remediate and/or adequately mitigate the risks in a timely fashion.
No. ASTP assessments only measure compliance with campus minimum application security requirements. Though, it should be noted that achieving compliance with campus standards will lay a lot of ground work for meeting PCI, HIPAA, CPHS, or other external standards. The campus Minimum Security Standards for Electronic Information (MSSEI) is based off the SANS Top 20 Critical Controls, so there is some overlap with external standards.
Currently, applications handling UC P4 data should plan for an application security assessment once every two years. However, scheduling will depend on available resources and other factors such as how drastically an application has changed since the prior assessment.
Nessus Network Vulnerability Scanning answers
All Information Security Office network vulnerability scanning is initiated from the following network subnets:
IPv4:
- 128.32.30.64/27
IPv6:
- 2607:f140:1:14::/64
If you detect scanning activity and are unsure if an ISO scanner is the source, please contact security@berkeley.edu for verification.
Credentialed scans are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check looking for problems that can not be seen from the network. Examples of the sorts of checks that a credentialed scan can do include checks to see if the system is running insecure versions of Adobe Acrobat or Java or if there are poor security permissions governing a service. Information Security Office (ISO) runs Nessus scanners that are capable of running these credentialed scans; however, without accounts on the local machines, we are unable to use this functionality. With this in mind, ISO will create accounts on one of the Nessus scanners for departmental security administrators to do their own credentialed scans. In order to use the ISO scanners to perform a credentialed scan of a Windows system, the following settings are required by Nessus:
- The Windows Management Instrumentation (WMI) service must be enabled on the target.
- The Remote Registry service must be enabled on the target or the credentials used by Nessus must have the permissions necessary to start the remote registry service and be configured appropriately.
- File & Printer Sharing must be enabled on the system to be scanned.
- An SMB account must be used that has local administrator rights on the target. A non-administrator account can do some limited scanning; however, a large number of checks will not run without these rights. According to Tenable, the company behind Nessus, in Windows 7 it is necessary to use the Administrator account, not just an account in the Administrators group. ISO is currently in the process of testing this and looking for potential workarounds.
- Ports 139 (TCP) and 445 (TCP) must be open between the Nessus scanner and the computer to be scanned. Information on what IP block to open in the firewalls can be found here: What is the source network for security scans conducted by Information Security and Policy?
- Ensure that no Windows security policies are in place that blocks access to these services. Two common problems are the SEP configurations that block off the scanners even after the scanners is authenticated and a network access model that sets network access to "Guest only" permissions (see below for information on changing this).
- The default administrative shares (i.e. IPC$, ADMIN$, C$) must be enabled (AutoShareServer = 1). Since these are enabled by default and can cause other issues if disabled, this is rarely a problem.
To check if a system has a "Guest only" sharing and security model go to the Control Panel, open "Administrative Tools," and then "Local Security Policy". In that window go to Local Policies --> Security Options --> Network access: Sharing and security model for local accounts. On some Windows installations, this is set to "Guest only - local users authenticate as Guest" by default. If this is the setting on your box, you will need to change it to "Classic - local users authenticate as themselves".
PLEASE NOTE: Some of the settings above may, in some environments, actually decrease the security of a system. If this is the case, once the credentialed scan is performed, it is advisable to return the system to its previous state.
Socreg - Asset Registration Portal answers
To change your profile settings in Socreg, log in and click your name in the top bar and then click ‘Settings’. Current options are:
-
Receive Release Email - this toggles whether or not you would like to receive the Socreg release notifications.
Note: This setting is different than the ‘Receive FYI messages’ setting. FYI messages are set per unit Security Contact and are FYI messages about the Security contact and its assets.
The Information Security Office (ISO) takes privacy issues very seriously and we use the same approach for balancing security and privacy for Protected Data hosts as for all hosts on campus. Monitoring of systems occurs through two methods, monitoring of network traffic crossing the campus border and vulnerability scanning of hosts on the campus network. The methods used to do this are similar for all hosts on the campus network.
The enhanced services for Protected Data hosts are:
-
More frequent scanning
-
A greater range of intrusion detection signatures are used
-
Elevated responses to alerts by ISO staff
-
Longer retention of network data for future analysis if a breach is confirmed -- this can help to confirm if an attacker was able to access the Protected Data during a breach incident.
Security notices are routed based on the registration information in Socreg.
For example, if an IP address has a registered Security Contact, the security notice is sent to that Security Contact, but if there is no specific IP address registration, then the notice is sent to the Security Contact that registered the subnet that contains the IP Address. Notices will also be sent to:
-
The registrant Security Contact’s Service Provider, if any.
-
The registrant Security Contact’s Departmental / Parent Security Contact, if any.
-
Any Security Contacts that have 'CC' status for the IP address.
-
The Device registrant if the IP Address is a DHCP IP address.
Yes, Socreg supports IPv6.
Overlap is not allowed in Socreg. If two departments share a subnet, the department who claims the most IP addresses for that subnet will get the entire subnet. The other department will get individual IP addresses.
Additionally, one Security Contact will register and be primarily responsible for an IP address, although other Security Contacts may also receive security notices for that IP address.
For complicated situations, e.g., where two different groups are responsible for systems on a subnet, a Security Contact created just for that shared responsibility might be the best solution.
Contact the Information Security Office at: socreg@berkeley.edu
There are three types of email generated by Socreg:
-
FYI emails: These emails are rolled up into a single digest which is sent once per week. Users can opt-out of receiving the digest by setting "Receive FYI digest" to “off”. However, at least one member of the Security Contact should continue to receive them. Some FYI emails are sent immediately, for example when a PD Application or one of its components is modified.
-
Notices about Access or Asset Requests. Others may submit a request in Socreg for:
-
Membership within a Security Contact
-
New Group Security Contact
Or an asset:
-
IP Address
-
CC IP Address
-
Device
-
PD Application
Notifications are sent when the request is made and will repeat weekly until either approved or denied in Socreg.
-
Notices to "outside" entities (i.e., ISO ticketing system, DNS Administrator, or IT Policy): These are initiated by Socreg backend processes or sometimes by Socreg users and are copied to the Security Contact’s membership.For example, when a request is made for a new Department Security Contact, the request will go to ISO and we will conduct an intake process before creating the Department Security Contact.
You've received the message because Socreg has encountered a mismatch between the security contact that claimed an IP address (individually or by subnet) and the security contact that registered a subdomain.
(Note: In Socreg the assignment of a subdomain enables the transfer of IP address responsibility to the right party, but does not assign security contact responsibility).
For example, if security contact A registers a subdomain xyz.berkeley.edu and another security contact B claims subnet a.b.c.0/24 and there is a set of hostnames defined in DNS:
a.b.c.11 h1.xyz.berkeley.edu
a.b.c.12 h2.xyz.berkeley.edu
a.b.c.13 h3.xyz.berkeley.edu
security contact A and B will each get a message suggesting that the IP addresses be transferred from B to A.
Either security contact can initiate the transfer: Security contact A can 'request to take'; B can 'request to give'.
If the other party agrees and approves the transfer then B ends up with the subnet and A has 3 individual IP records out of that subnet because of its subdomain registration.
Remember: Socreg does not automatically make the transfer because there may be alternate solutions to resolve the discrepancy. In the above example, security contact A could relinquish the IP addresses, or have their DNS hostname changed to something not in the xyz subdomain.
You are receiving this "IP address to transfer" message so that you can choose the best solution.
Vendor Security Assessment Program answers
A "vendor" or "3rd-party service provider" is an entity (e.g., a person or a company), separate from the University, that offers something for sale. The typical types of vendor services that require an ISO vendor security assessment are technologies used to store, process, and/or transport protected data on behalf of the University, such as:
- Software as a Service (SaaS) providers - companies that provide hosted application services (e.g., Google bmail)
- Infrastructure as a Service (IaaS) providers - companies that provide hosted data storage or processing services (e.g., Amazon AWS)
These types of vendors are required to meet the same campus policy standards for the protection of protected data that is required for applications and services that are managed by internal campus IT resources.
The Vendor Security Assessment Program is intended to ensure that service providers who handle UC P4 data on behalf of the University meet campus security policy requirements. This is achieved in two ways:
- By evaluating the vendor's security controls in comparison to campus policy.
- Ensuring that the UCOP Data Security & Privacy Appendix is included in the vendor contract to provide baseline protection for the University in the event of a data breach.
The roles that are typically involved in participating with a vendor security assessment include the following:
Resource Owner or Proprietor | Campus unit representative who has overall responsibility for the application (e.g., budgeting and resource allocation). |
Implementation Project Manager | Unit member responsible for the roll-out of the application or service, including (but not limited to) vendor selection, contract specifications, configuration, process-flow design, personnel training, etc. |
UC Buyer | Representative in the UC Procurement department responsible for the vendor contract negotiation. |
Vendor Representative | Staff member of the service provider responsible for completing the Vendor Security Assessment Questionnaire. Ideally, this person is affiliated with the IT department and is knowledgable regarding the vendor's security framework. Often times, the person in this role is a Sales or Customer Support Representative who facilitates communication between the vendor's IT staff and the ISO Assessor. |
ISO Assessor | A member of the ISO analysts team assigned as the primary assessor responsible for the engagement with the unit. |
There are several 3rd-party vendor services that are readily available to campus that have been approved for UC P2/P3 or UC P4 data. Campus units that adopt these 3rd-party services for the purpose of storing and sharing covered data can be assured that these vendors meet campus policy requirements.
Campus units that utilize these services for the handling of protected data should keep in mind that careful configuration and management of these applications is required to meet campus policy standards.
UC P4 Approved Services
- CalShare, a web-based document management and collaboration system utilizing Microsoft SharePoint.
- The Imagine document imaging and workflow service is a campus service with the core purpose to provide automated workflows and document management and storage and can be integrated with other campus systems if needed.
UC P2/P3 Approved Services
- The bConnected suite of collaboration services, including Google Apps for Education (bMail, bCal, bDrive)
- Box
- bCourses Project Sites
Please visit the bConnected website to learn more about the MSSEI protection level ratings for each of these products: https://bconnected.berkeley.edu/collaboration-services
Units can ensure that 3rd-party service providers meet the campus data security policy requirements for the handling of UC P2/3 data through the following actions:
- Be sure to include the UCOP Data Security & Privacy Appendix, required for all UC contracts involving 3rd-party access to protected data, without edits, in the service provider contract. This ensures baseline protection for the University in the event of a data breach, including:
- Service provider compliance with applicable laws (e.g., FERPA, HIPAA), regulations and campus policy.
- Requirements for a vendor information security plan and breach reporting process.
- Adequate cyber-insurance to cover the cost of investigating and responding to a breach.
- Notify the service provider that by signing off on the Data Security & Privacy Appendix, they are obligated to abide by campus policy, including adherence to the requirements of the UC Berkeley Minimum Security Standard for Electronic Information (MSSEI) policy for the protection of UC P2/3 data.
Although there is less bargaining power with the service provider to address security concerns after the contract has already been signed, it is still a good idea to perform a vendor security assessment for service providers who are handling UC P3 or P4 data:
- If the overall risk level is acceptable, the unit is assured that the vendor meets campus policy for the protection of UC P3 or P4 data.
- If the overall risk level is High or Critical, it may be necessary to postpone or suspend the service until these issues have been addressed.
Vendors may be more inclined to participate in a security assessment after the contract has been signed, but before the service has been initiated - as billing often does not begin until services have started.
For VSAP reports with an overall acceptable risk rating, any medium-level risk findings identified in the report should be discussed with the vendor during the next contract renewal period.
For all UC contracts involving third-party access to covered data, the University of California Office of the President (UCOP) requires the inclusion of the Data Security and Privacy Appendix. The appendix establishes baseline protection for the University in the event of a data breach. Campus units that engage with service providers to handle covered data must ensure the appendix is included in new contracts without edits.
For VSAP engagements that have been initiated after the contract has been approved, and the UCOP appendix has been omitted, the final assessment report will include contract-related risk findings. These findings are generally of a Critical risk nature, e.g.:
- No guarantee of service provider compliance with applicable laws (e.g., FERPA, HIPAA) or campus policies for the protection of covered data.
- The absence of requirements for a vendor information security plan and breach reporting process.
- Inadequate cyber-insurance to cover the cost of investigating and responding to a breach.
In these cases, the unit may be required to suspend the use of the service until the contract issues have been resolved with the vendor.
To request a Vendor Security Assessment Program evaluation for a PL2 system that is vendor managed, review the Details of the Vendor Security Assessment Program and then send an email to security@berkeley.edu.
Please include the following information:
- Name of the unit requesting VSAP service
- Project Lead contact information
- UC Provisioning Representative contact information (if applicable)
- Name of third-party vendor/product/service
- Service description
- List of protected data elements that are known to be processed, stored, or transmitted by the service provider (see the UC Data Classification Standard for details)
- Estimated number of records containing PL2 data
A typical VSA takes 4 to 6 weeks to complete starting from the date the Vendor has provided all the information requested. Please plan accordingly.
Yes, the Requester will be responsible for providing the following information when requesting a VSA:
-
Vendor primary point of contact (name, title, phone number, and email address)
-
Vendor name and product/service being purchased
-
A description of the Vendor product/service and how it will be used on campus
-
A completed UC Appendix DS Exhibit 1 form
Additionally, the following security documents will speed up the assessment process:
-
If available, include the Vendor’s SOC 2 Type II report. NOTE: Venminder will need the Vendor’s own report and not the report of the Vendor’s hosting provider such as AWS, Azure, GCP, etc.
-
PCI DSS compliance documentation for Vendors that accept payment card data on behalf of UC.
-
Please include the vendor’s PCI DSS Self-Assessment Questionnaire (SAQ), Attestation of Compliance (AOC), and any other supporting policies or PCI compliance documentation.
ISO will no longer ask for the statement of work, contract/agreement, or the Vendor’s security plan.
The Requester is responsible for signing any Non-Disclosure Agreements with the Vendor and informing ISO which documents are under NDA.
Inform the ISO Assessments Team on the corresponding ServiceNow ticket for your VSA request if the Vendor is asking that ISO or Venminder sign the NDA.
Once a VSA is complete, ISO recommends reviewing the guidance letter and the Venminder report with your Unit Information Security Lead (UISL) to decide on the appropriate course of action for responding to the findings identified in the Venminder report. The ISO guidance letter in particular will provide information regarding what type of response the Unit requires per campus security policy.
Units are allowed a maximum of one (1) resubmission for Vendors that receive an overall Not Recommended rating. Prior to resubmission, significant deficiencies identified in the previous assessment must be addressed. If a Vendor receives an overall Not Recommended rating after the one (1) resubmissions, then alternative Vendors should be considered or apply for an exception.
Why is there a limit on the number of resubmissions?
-
A limit on reassessments encourages Vendors to take the necessary steps to improve their offerings before seeking another evaluation. This fosters a culture of accountability and continuous improvement, ultimately benefiting both parties.
-
Our assessment team has finite capacity. Frequent reassessments of Vendors who have previously failed can overwhelm our resources, leading to delays in evaluating other potential vendors. By setting a limit, we ensure that our team can maintain a balanced workload and continue to assess new vendors effectively.
-
Each reassessment requires considerable time and effort from both our team and the Vendor. Limiting reassessments helps streamline our operations and ensures that we can focus on Vendors who meet our expectations.
-
Reassessing a Vendor incurs costs to order assessments from Venminder. By limiting reassessments, we can better manage our budget.
Units requesting a Vendor Security Assessment (VSA) should review the following document and share it with the Vendor so that they are prepared for the VSA process.