Overview
UC Berkeley's Minimum Security Standards for Electronic Information (MSSEI) are essential security controls for managing campus data securely. This service evaluates System Security Plans (SSPs) for P4, P3, and A4 IT Infrastructure and Services to ensure they comply with MSSEI. The Information Security Office's Assessments Team reviews SSPs for MSSEI compliance and provides assessment reports with the results. Service Providers benefit from identification of security control deficiencies that need remediation, and regular assessments boost customer confidence that minimum security standards are met and institutional data is protected.
Requirements
- SSPs for P3, P4, and A4 IT Infrastructure and Services must be submitted to and reviewed by the Information Security Office upon creation and at least every three years.
- MSSEI compliance documentation should be reviewed at least annually and updated in response to changes.
- Units and Service Providers are responsible for knowing if more frequent reviews are needed; for example, to meet external compliance requirements or due to changes in technology affecting security controls.
How to Get Started
- Confirm Data Classification: Identify the data types processed, stored, and transmitted by the system and classify data according to the Data and IT Resource Classification Standard.
- Complete a System Security Plan (SSP): Document the security controls in place (or planned) to meet each MSSEI control requirement in the SSP template. See Additional Resources below for P4 and P3 SSP templates.
- Submit SSP: Once completed, submit the SSP to ISO using the MSSEI Assessment Service Request Form.
- Assess SSP: A security analyst from the Assessments Team will review the SSP to evaluate how well the implemented security controls meet MSSEI requirements.
- Prepare Assessment Report: A security analyst will provide you with a report with any findings and recommendations for remediation.
- Conduct Remediation Actions: Implement necessary remediation actions to address the findings in the assessment report.
- Update SSP: Document the implemented remediation in the SSP and update it regularly in response to changes.
- Reassess SSP: Submit the SSP for reassessment at least every three years.
Additional Resources
- System Security Plan Templates
  - P4 System Security Plan (link creates a copy)
  - P3 System Security Plan (link creates a copy)
- Examples of Filled-Out SSP Sections (Coming Soon)