Highlighting Changes to the Departmental Information Security Contact Policy

January 1, 2023

Overview

An update to the Departmental Information Security Contact Policy was approved by the campus Compliance & Enterprise Risk Committee (CERC) in November 2022. The Policy defines Department-level responsibilities for ensuring prompt and appropriate action in the event of an information security incident. The main purpose of the Policy remains unchanged: to ensure that ISO is able to contact the proper people in each Department and have them take appropriate action in the event of a security incident. The specific responsibilities for both Departments and Information Security Contacts have been updated and clarified, along with the definitions and resources associated with this Policy.

Summary

The table below lists the sections of the Policy on the left and summarizes the updates made in each section on the right. Additional resources are linked as needed. We wanted to display these key updates in a clear and concise way so that users may quickly see the changes that were made.

If you have questions about any of the changes, please email us at security-policy@berkeley.edu.


Section

Summary of Changes

I. Purpose

Section now called “Purpose / Policy Statement” to align with Campus policy format. Reframed as a policy statement. No new content.

II. Scope

New section to align with Campus policy format. No new content, but highlights that this policy applies to all Campus Departments and Information Security Contacts.

III. Background

Removed some narrative. Incorporated background info from other sections of the Policy. Added link to ISO’s Procedures for Blocking Network Access.

IV. Key Definitions and Glossary

  • New section. Includes existing policy-specific definition of Department.

  • Added definition of Information Security Contact.

  • Added org tree clarifications to align with Campus IS-3 implementation:

    • Departments and Information Security Contacts must be associated with a Campus org node that rolls up to a Unit.

    • Unit Information Security Lead(s) are responsible for ensuring that the activities outlined in this Policy happen for their area of responsibility.

  • Added reference to Information Security Policy Glossary for other key terms.

V. Requirements

  • Section now called “Requirements and Responsibilities”.

  • Organized section by role: (A) Campus Departments, (B) Information Security Contacts, (C) Security Leads.

  • Moved all responsibilities and requirements from other sections into this section, listed each separately, and cleaned up the language.

  • New requirements to meet current expectations not explicit in the original Policy:

    • Departments must promptly update Information Security Contact membership and email distribution lists when members leave in order to ensure that more than one person is included. At a minimum, departments must review each of their Information Security Contacts’ email addresses at least annually to ensure they are correct and are monitored by more than one person.

    • Information Security Contacts must maintain registration of IT Resources for which they are responsible in ISO’s Asset Registration Portal, Socreg. This includes registering and deregistering assets as needed; ensuring that assets are registered as Protected Data Applications where required under the MSSEI; and annually reviewing their registered assets and members.

    • Information Security Contacts must actively monitor the UCB-Security mailing list.

  • Removed the requirement for a single departmental encryption key for exchanging secure messages with central campus security personnel.

  • Provided additional information about creating an email address that reaches multiple people (required for Information Security Contacts).

  • Added that Unit Information Security Leads are responsible for ensuring that the activities outlined in this section happen within their area of responsibility. The Unit Information Security Lead role, introduced by IS-3, didn’t exist when the original Policy was written/adopted. This addition aligns with the Campus IS-3 implementation.

VI. Consequences of Violations

New section to align with Campus policy format. Reiterates that violations of this Policy may result in devices being blocked from network access. Also highlights that violations may lead to costs to the Department and Unit resulting from unaddressed security issues.

VII. Related Documents and Policies

New section to align with Campus policy format. Consolidated references from other sections into this section. Also changed NetReg references to Socreg to reflect the 3/1/2022 conversion of NetReg to Socreg.

VIII. Getting Help

New section to address early feedback. Includes information for Departments that receive IT support from another Unit or department, and how to obtain general assistance.