Frequently Asked Questions - ISP Services

Common questions about Information Security and Policy's service offerings

My application received a Pass grade. Does this mean my application is certified for Protection Level 2 data?

No. Information Security and Policy does not "certify" applications. A Pass or Fail grade is intended to indicate whether or not an application meets the campus minimum security requirements for application security at the time at which it was assesssed. 

An application security assessment is intended to find the most critical and high risk vulnerabilities; however, the assessment process is often accelerated due to time and resource constraints meaning all vulnerabilities may not be discovered in a single assessment.

What if I cannot meet the remediation due dates presented to me in the final report?

Remediation due dates are generated based on the risk and the breadth of the vulnerability. Due dates can be negotiated with the Information Security and Policy team at the time of disclosure. For example, some due dates may be changed for reasons like:

  • Reliance upon a vendor to implement a fix for a discovered vulnerability
  • Development time
  • Retirement of a vulnerable portion of an application

Ultimately, it is the responsibility of the application owner to make or coordinate best efforts to remediate and/or adequately mitigate the risks in a timely fashion.

Based on my data, I have external regulatory requirements like PCI, HIPAA, or CPHS. Does an ASTP assessment cover me for those requirements?

No. ASTP assessments only measure compliance with campus minimum application security requirements. Though, it should be noted that achieving compliance with campus standards will lay a lot of ground work for meeting PCI, HIPAA, CPHS, or other external standards. The campus Minimum Security Standards for Electronic Information (MSSEI) is based off the SANS Top 20 Critical Controls, so there is some overlap with external standards.

How often am I required to have an assessment against my application?

Currently, applications handling PL2 data should plan for an application security assessment once every two years. However, scheduling will depend on available resources and other factors such as how drastically an application has changed since the prior assessment.

What is the source network for security scans conducted by Information Security and Policy?

All Information Security and Policy (ISP) scanning is initiated from the following subnet:

128.32.30.64/27

Scanning will be initiated only from IP addresses with DNS hostnames in the "security.berkeley.edu" subdomain. All ISP scanners have hostnames that reflect their role, such as "sns-campus-scanner-1.security.berkeley.edu".

If you detect scanning activity and are unsure if an ISP scanner is the source, please contact security@berkeley.edu for verification.

How do I run a credentialed Nessus scan of a Windows computer?

Credentialed scans are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check looking for problems that can not be seen from the network. Examples of the sorts of checks that a credentialed scan can do includes checks to see if the system is running insecure versions of Adobe Acrobat or Java or if there are poor security permissions governing a service. Information Security and Policy (ISP) runs Nessus scanners that are capable of running these credentialed scans; however, without accounts on the local machines, we are unable to use this functionality. With this in mind, ISP will create accounts on one of the Nessus scanners for departmental security administrators to do their own credentialed scans. In order to use the ISP scanners to perform a credentialed scan of a Windows system, the following settings are required by Nessus:

  1. The Windows Management Instrumentation (WMI) service must be enabled on the target.
  2. The Remote Registry service must be enabled on the target or the credentials used by Nessus must have the permissions necessary to start the remote registry service and be configured appropriately.
  3. File & Printer Sharing must be enabled on the system to be scanned.
  4. An SMB account must be used that has local administrator rights on the target. A non-administrator account can do some limited scanning; however, a large number of checks will not run without these rights. According to Tenable, the company behind Nessus, in Windows 7 it is necessary to use the Administrator account, not just an account in the Administrators group. ISP is currently in the process of testing this and looking for potential workarounds.
  5. Ports 139 (TCP) and 445 (TCP) must be open between the Nessus scanner and the computer to be scanned. Information on the what IP block to open in the firewalls can be found here: What is the source network for security scans conducted by Information Security and Policy?
  6. Ensure that no Windows security policies are in place that block access to these services. Two common problems are the SEP configurations that block off the scanners even after the scanners is authenticated and a network access model that sets network access to "Guest only" permissions (see below for information on changing this).
  7. The default administrative shares (i.e. IPC$, ADMIN$, C$) must be enabled (AutoShareServer = 1). Since these are enabled by default and can cause other issues if disabled, this is rarely a problem.


To check if a system has a "Guest only" sharing and security model go to the Control Panel, open "Administrative Tools," and then "Local Security Policy". In that window go to Local Policies --> Security Options --> Network access: Sharing and security model for local accounts. On some Windows installations, this is set to "Guest only - local users authenticate as Guest" by default. If this is the setting on your box, you will need to change it to "Classic - local users authenticate as themselves".

PLEASE NOTE: Some of the settings above may, in some environments, actually decrease the security of a system. If this is the case, once the credentialed scan is performed, it is advisable to return the system to its previous state.

What are 'read/write' vs. 'read-only' privileges for members in a contact role?

A member of a contact role can be 'read-only' within the contact role, which means he or she cannot edit anything. A 'read-write' member on the other hand, can approve or deny requests, make additions and edits to the contact role itself or any registered network assets.

What are Group Contact Roles used for?

A Group Contact Role (GCR) is created by a Department Contact Role (DCR) when a separation of responsibilities is needed.  Each DCR will have an org node set, and the GCR will be associated to the department via its parent, the DCR.

A Group Contact Role can be used to help departments separate devices into sets that receive (or do not receive) IT support from a Service Provider Contact Role (SP CR).  Additionally, when responses to security incidents is the responsibility of different groups (e.g., a research lab within a larger department, a student systems vs. an admininistrative one) a DCR can create a GCR to receive targeted notices.

What are Service Provider Contact Roles and how do they work?

Service Provider Contact Roles (CRs) are a special purpose contact role.  As a service provider, they don't have registered network assets, but they are flagged within NetReg as providing support for another CR.  For example, the Service Provider CR might register devices for the Client CR.  Service Provider CRs have "device-based" privileges with the Client CR; they can create, edit and delete devices from the Client CR.

Service Provider CRs can be grouped or departmental.  Notifications about security events (compromises, vulnerabilities, etc.) will go to members of both Service Provider and Client CRs.

How are security notices routed?

Security notices are routed based upon the most specific registration information available in NetReg.

For example, if an IP address has a registered security contact, the security notice is sent to that contact. If there is no specific IP address registration then the notice is sent to the security contact that claimed the subnet. Notices will also be sent to:

•    the registrant contact role's service provider if any
•    its departmental / parent contact role if any,
•    and any contact roles that have 'CC CR' status for the IP address

OR, if the IP addresses is for a DHCP device (in the LIPs subdomain) the security notice will go to whomever was using the address at that time (to CalNet ID).

Does the application support IPv6?
Does the application support DHCP registration?

DHCP registration was added to NetReg in Oct 2015.  For instructions on how to use NetReg to register devices for use with the Campus DHCP Service, please visit the "Register Devices" page in the NetReg documentation.

What is the process if another contact is non-responsive when I want to claim or transfer something immediately?

Contact Information Security and Policy: netreg@security.berkeley.edu

Security contact X and my security contact used to both claim subnet A. Why can't we still do that?

Overlap is not allowed in NetReg. If two departments share a subnet, during the data conversion the department who claims the most IP addresses for that subnet will get the entire subnet. The other department will get individual IP addresses.

Additionally, one CR will own and be primarily responsible for an IP address, although other CRs may be provided shared notification..

For complicated situations, e.g., where two different groups are responsible for systems on a subnet, a Contact Role created just for that shared responsibility might be the best solution.

Why can I see the name of another security contact that claims an individual IP address on some subnets but not on others?

NetReg is designed to facilitate communication between security contacts for the purpose of keeping network registration information up-to-date, without revealing private security mailing list addresses or allowing out-of-band communication between security contacts on other issues.

If you claim the entire subnet you can view the names of the security contacts that claim individual IP addresses on that subnet.  If you only claim an individual address then you cannot see the names of the other security contacts.

Can you display the email address of the other security contacts so I can contact them directly?

No.  Requests for IP addresses, CC IP Address status are handled via the request/approve/deny process.  Any other communication issue can be handled by contacting ISP.

What are the different types of email generated by NetReg? Can I opt out from receiving any/all of them?

There are three types of email generated by NetReg:

  1. FYI emails: These emails are rolled up into a single digest which is sent once per day. Users can opt out of receiving the digest by setting "Receive FYI digest" to off. However, at least one CR member should continue to receive them.
     
  2. Notices of "requests to approve or deny": These are sent within 5 minutes from when the request is made via the NetReg application, and are sent to all members in the CR. Users do not have the option to opt out of receiving these.

    There are 4 kinds of "requests to approve or deny" which users may receive:
    • Request to transfer an individual IP address. (Note: the request can be initiated by either the CR that currently claims it (request to give), or by the CR that wants it (request to take).)
    • Request for CC CR status for an IP address
    • Request for membership within a CR
    • Request to create of a group CR within a department CR
       
  3. Notices to "outside" entities (i.e., ISP RT ticketing system, Hostmaster, or IT Policy): These are initiated by NetReg backend processes or sometimes by NetReg users and are cc'd to any relevant CR's membership.

    For example, when a request is made for a new departmental CR the request will go to Information Security and Policy (ISP). ISP will conduct an intake process and will create the DCR.
I've received an "IP address to transfer" message. Can you explain what it means and what I need to do.

You've received the message because Netreg has encountered a mismatch between the security contact that claimed an IP address (individually or by subnet) and the security contact that registered a subdomain.

(Note: In Netreg the assignment of a subdomain enables the transfer of IP address responsibility to the right party, but does not assign security contact responsibility).

For example, if security contact A registers a subdomain xyz.berkeley.edu and another security contact B claims subnet a.b.c.0/24 and there is a set of hostnames defined in DNS:

a.b.c.11   h1.xyz.berkeley.edu

a.b.c.12   h2.xyz.berkeley.edu

a.b.c.13   h3.xyz.berkeley.edu

security contact A and B will each get a message suggesting that the IP addresses be transferred from B to A.

Either security contact can initiate the transfer: Security contact A can 'request to take'; B can 'request to give'.

If the other party agrees and approves the transfer then B ends up with the subnet and A has 3 individual IP records out of that subnet because of its subdomain registration.

Remember: NetReg does not automatically make the transfer because there may be alternate solutions to resolve the discrepancy.  In the above example, security contact A could relinquish the IP addresses, or have their DNS hostname changed to something not in the xyz subdomain.

You are receiving this "IP address to transfer" message so that you can choose the best solution.

Can I self-register Fixed IP address assignments?

Department and Group Security Contact roles can register devices for Fixed IP address assignment – where a device always gets the same IP on its primary subnet, but a Dynamic IP on any other subnet – provided that the contact role has a registered subnet, with available IP address space, and a registered subdomain.

For details about registering devices for Fixed IP address assignment, please review the "Register Devices" page in the NetReg documentation.

Can I self-register Dynamic DNS hostnames?

Yes.  Security Contacts can assign a Dynamic DNS (DDNS) hostname to a device when using Dynamic IP addressing (DDNS is not available for devices registered with a Fixed IP address assignment).  Please review the "Register Devices" page in the NetReg documentation for details.

Note:  Dynamic DNS hostnames will be reviewed by the campus hostmaster and changed if inappropriate.

How are Restricted Data applications and systems monitored?

Information Security and Policy (ISP) takes privacy issues very seriously, and we use the same approach for balancing security and privacy for restricted data hosts as for all hosts on campus. Monitoring of systems occurs through two methods, monitoring of network traffic crossing the campus border and vulnerability scanning of hosts on the campus network. The methods used to do this are similar for all hosts on the campus network.

The enhanced services for restricted data hosts are:

  • More frequent scanning -- network vulnerability scans for RDM registered hosts occur nightly
  • A greater range of intrusion detection signatures are reviewed with notifications sent to the security contact
  • Elevated responses to alerts – ISP staff are alerted immediately and will attempt to reach an administrator as soon as possible.
  • Longer retention of network data for future analysis if a breach is confirmed -- this can help to confirm if a hacker was able to access the restricted data during the breach incident

What is a "3rd-party service provider"?
What is a "vendor" or a "3rd-party service provider"?

A "vendor" or "3rd-party service provider" is an entity (e.g., a person or a company), separate from the University, that offers something for sale.  The typical types of vendor services that require an ISP vendor security assessment are technologies used to store, process, and/or transport covered data on behalf of the University, such as:

  • Software as a Service (SaaS) providers - companies that provide hosted application services (e.g., Google bmail)
  • Infrastructure as a Service (IaaS) providers - companies that provide hosted data storage or processing services (e.g., Amazon AWS)

These types of vendors are required to meet the same campus policy standards for the protection of covered data that is required for applications and services that are managed by internal campus IT resources.

What is the purpose of the Vendor Security Assessment Program?

The Vendor Security Assessment Program is intended to ensure that service providers who handle Protection Level 2 data on behalf of the University meet campus security policy requirements.  This is achieved in two ways:

  • By evaluating the vendor's security controls in comparison to campus policy.
  • Ensuring that the UCOP Data Security & Privacy Appendix is included in the vendor contract to provide baseline protection for the University in the event of a data breach.
Who needs to be involved in a vendor security assessment?

The roles that are typically involved in participating with a vendor security assessment include the following:

Resource Owner or Proprietor Campus unit representative who has overall responsibility for the application (e.g., budgeting and resource allocation).
Implementation Project Manager Unit member responsible for the roll-out of the application or service, including (but not limited to) vendor selection, contract specifications, configuration, process-flow design, personnel training, etc.
UC Buyer Representative in the UC Procurement department responsible for the vendor contract negotiation.
Vendor Representative Staff member of the service provider responsible for completing the Vendor Security Assessment Questionnaire.  Ideally, this person is affliated with the IT department and is knowleagable regarding the vendor's security framework.  Often times, the person in this role is a Sales or Customer Support Representative who facilitates communication between the vendor's IT staff and the ISP Assessor.
ISP Assessor A member of the ISP analysts team assigned as the primary assessor resonsible for the engagement with the unit.
Are vendor services available that have already been approved?
Are vendor services available to campus that have already been approved for PL1 or PL2 data?


There are several 3rd-party vendor services that are readily available to campus that have been approved for PL1 and PL2 data.  Campus units that adopt these 3rd-party services for the purpose of storing and sharing covered data can be assured that these vendors meet campus policy requirements.

Campus units that utilize these services for the handling of protected data should keep in mind that careful configuration and management of these applications is required to meet campus policy standards.

PL2 Approved Services

  • CalShare, a web-based document management and collaboration system utilizing Microsoft SharePoint. 
  • The Imagine document imaging and workflow service is a campus service that’s core purpose is to provide automated workflows and document managment and storage and can be integrated with other campus systems if needed. 

PL1 Approved Services

Please visit the bConnected website to learn more about the MSSEI protection level ratings for each of these products:  https://bconnected.berkeley.edu/collaboration-services

I have PL1 data, what do I do?
My unit is contracting with a 3rd-party service provider to host campus PL1 classified data. How can the vendor be assessed to meet campus security policies in the absence of ISP resources?


Units can ensure that 3rd-party service providers meet the campus data security policy requirements for the handling of Protection Level 1 (PL1) data through the following actions:

  • Be sure to include the UCOP Data Security & Privacy Appendix (link is external), required for all UC contracts involving 3rd-party access to protected data, without edits, in the service provider contract.  This ensures baseline protection for the University in the event of a data breach, including:
    • Service provider compliance with applicable laws (e.g., FERPA, HIPAA), regulations and campus policy.
    • Requirements for a vendor information security plan and breach reporting process.
    • Adequate cyber-insurance to cover the cost of investigating and responding to a breach.
  • Notify the service provider that by signing-off on the Data Security & Privacy Appendix, they are obligated to abide by campus policy, including aherence with the requirements of the UC Berkeley Minimum Security Standard for Electronic Information (MSSEI) policy for the protection of PL1 data.
The contract has already been signed, what do I do?
My unit is contracting with a 3rd-party service provider for the handling of campus Protection Level 2 data. The contract has already been signed, should I still engage with ISP for a vendor security assessment?


Although there is less bargaining power with the service provider to address security concerns after the contract has already been signed, it is still a good idea to perform a vendor security assessment for service providers who are handling Protection Level 2 (PL2) data:

  • If the overall risk level is acceptable, the unit is assured that the vendor meets campus policy for the protection of PL2 data.
  • If the overall risk level is High or Critical, it may be necessary to postpone or suspend the service until these issues have been addressed.

Vendors may be more inclined to particpate in a security assessment after the contract has been signed, but before the service has been initiated - as billing often does not begin until services have started. 

For VSAP reports with an overall acceptable risk rating, any medium-level risk findings identified in the report should be discussed with the vendor during the next contract renewal period.

The Data Security & Privacy Appendix was not included in the vendor contract, what do I do?
The contract with the 3rd-party service provider has already been signed and the UCOP Data Security & Privacy Appendix was not included. How will this effect the vendor security assessment?

For all UC contracts involving third-party access to covered data, the University of California Office of the President (UCOP) requires the inclusion of the Data Security and Privacy Appendix.  The appendix establishes baseline protection for the University in the event of a data breach.  Campus units that engage with service providers to handle covered data must ensure the appendix is included in new contracts without edits.

For VSAP engagements that have been initiated after the contract has been approved, and the UCOP appendix has been ommitted, the final assessment report will include contract related risk findings.  These findings are generally of a Critical risk nature, e.g.:

  • No guarantee of service provider compliance with applicable laws (e.g., FERPA, HIPAA) or campus policies for the protection of covered data.
  • The absence of requirements for a vendor information security plan and breach reporting process.
  • Inadequate cyber-insurance to cover the cost of investigating and responding to a breach.

In these cases, the unit may be required to suspend use of the service until the contract issues have been resolved with the vendor.

How do I get started?
What do I need to do to initiate a vendor security assessment with ISP?

To request a Vendor Security Assessment Program evaluation for a PL2 system that is vendor managed, review the Details of the Vendor Security Assessment Program and then send an email to security@berkeley.edu

Please include the following information:

  • Name of unit requesting VSAP service
  • Project Lead contact information
  • UC Provisioning Representative contact information (if applicable)
  • Name of third-party vendor/product/service
  • Service description
  • List of protected data elements that are known to be processed, stored, or transmitted by the service provider (see the UC Data Classification Standard for details)
  • Estimated number of records containing PL2 data