The Minimum Security Standards for Networked Devices (MSSND) apply to all devices that connect to the campus electronic communications network or use a berkeley.edu origin address in their electronic communication. These devices include computers, printers, gaming consoles and other networked appliances.
The Minimum Security Standards for Electronic Information (MSSEI) define the minimum set of confidentiality controls for systems handling Protection Level 1 and Protection Level 2 data as defined in the Berkeley Data Classification Standard.
Resource Proprietors and Resource Custodians who believe their environments require configurations that do not comply with the Minimum Security Standards or whose environments do not currently comply with Minimum Security Standards must request an exception using the form below. An exception is required for each control that is not met. (Multiple devices can be covered by a single request, but each request can only cover one control, e.g., a request for an exception to control 2.1: Managed software inventory may list multiple servers, but a separate request is required if those servers are also not in compliance with control 3.1: Secure device configurations).
Exception requests are evaluated by Information Security and Policy (ISP) for risk and mitigating factors. ISP may grant a temporary exception while working with the requester to establish a timeline for compliance and implementation of interim mitigating controls, or may approve an exemption for atypical systems with appropriate alternative controls.
Non-compliant systems that pose significant risk to campus resources may face removal from the campus network and/or other take-down action. Unapproved requests or expired exceptions may be escalated by ISP, the Resource Proprietor or the Resource Custodian to the IT Policy Office (firstname.lastname@example.org) for review. IT Policy will coordinate an IT and/or functional stakeholder review and response. Unresolved compliance issues will be further escalated to the IT Leadership Group, and/or other campus IT Governance and campus enterprise risk bodies, as appropriate.
If you have questions about the Minimum Security Standards or the exception process, please email email@example.com.
Use the following form to submit an exception request: