Minimum Security Standards for Electronic Information

UC Berkeley’s Minimum Security Standards for Electronic Information (MSSEI) define the minimum level of protection for UC Berkeley Institutional Information and IT Resources. The MSSEI represents UC Berkeley’s implementation of the security controls from UC’s systemwide Electronic Information Security Policy, IS-3.

What’s Covered Under This Standard?

The MSSEI applies to all devices used with Institutional Information, and to all IT infrastructure and services. Its requirements apply regardless of device ownership (e.g., University-owned, personal, third-party vendor, partner institution) or location (e.g., on-site, off-site, cloud).

Some Examples:

  • Individual Devices: 

    • Laptops, desktop computers, tablets, check-out equipment for use by individuals

    • Personal/home computers and devices used to work with Institutional Information

    • Lab workstations

    • Hoteling workstations

  • IT Infrastructure (physical or virtual, on premises or in the cloud):

    • Servers

    • Back-up and storage systems

    • Network appliances 

    • Bastion hosts

    • Life safety systems

  • Services:

    • Web applications

    • Database applications

    • Cloud-based applications

    • Mobile applications

What Are the Requirements?

The MSSEI includes both foundational elements that govern its use, and specific, risk-based security requirements. More sensitive systems and data have more requirements; less sensitive ones have fewer requirements. 

Foundational Elements:

The opening sections of the MSSEI (Sec I-VIII) provide the context, framing, and applicability. Foundational elements include the implementation timeline, scope, exceptions, required usage, documentation, and updates.

Security Requirements:

The specific security requirements are divided into the following categories. Summary tables are provided for each category, with details below each table. Most requirements link to additional implementation information.

  1. Security Planning

  2. MSSND Compliance

  3. Information Security Training

  4. Asset Management

  5. Access Control

  6. Encryption

  7. Physical and Environmental Security

  8. Change Management

  9. Monitoring, Detection, and Vulnerability Management

  10. Security Audit Logging and Analysis

  11. Network Security

  12. System and Software Acquisition, Development and Maintenance

  13. Supplier Relationships

  14. Information Security Incident Management

  15. Business Continuity and Disaster Recovery

Who Administers the MSSEI?

The UC Berkeley Minimum Security Standards for Electronic Information (MSSEI) are approved by the Campus Information Risk Governance Committee and issued under the authority vested in the UC Berkeley Chief Information Officer by the UC’s Electronic Information Security Policy, IS-3. Questions about the MSSEI can be directed to the Information Security Office: security-policy@berkeley.edu