Unit Self-Assessment and Isora GRC

Overview

As part of UC Berkeley’s implementation of UC Electronic Information Security Policy BFB-IS-3 (IS-3), each Unit is responsible for completing and periodically reviewing and updating a high-level IS-3 Unit Self-Assessment. The assessment and resulting report are designed to identify areas of risk to help focus a Unit’s security activities for the following year. 

The value of the Unit Self-Assessment comes from the process of completing it, which identifies strengths and areas for improvement with respect to high-level IS-3 requirements. 

A typical initial IS-3 Unit Self-Assessment evaluation takes approximately three months. Subsequent assessments are more streamlined because they are updates; units do not start from scratch each time.

Isora GRC Resources

ISO is using Isora GRC (an information security risk assessment application) to facilitate the self-assessment and to gauge the maturity level of the security program for each Unit. The Unit Self-Assessment User Guide provides additional information on ISORA and the Unit Self-Assessment Process.

Roles & Responsibilities

The campus roles that typically participate in an IS-3 Unit Self-Assessment include the following:

Unit Head

The Unit Head appoints Security Lead(s) for their unit. The Unit Head does not need to interact with the assessment directly; however, they may if they wish. The Unit Head will review and sign off on the final report from the Information Security Office (ISO).

Security Lead 

The Security Lead coordinates the completion of the Unit Self-Assessment. The Security Lead can have varying levels of involvement with the actual filling out of the questionnaire. The Security Lead can gather information and complete the assessment themselves or delegate portions or all of the assessment to other individuals. Security Leads have an "Assessment Manager" role in Isora.

Assessment Manager 

Assessment Managers are individuals who work with the Security Lead to complete the assessment in the questionnaire tool itself (Isora GRC). They are typically subject matter experts identified by the Security Lead.

ISO Analyst

A member of the Information Security Office (ISO) Assessments Team assigned as the primary analyst responsible for working with the Unit. The analyst will work with the Security Lead, review the Unit Self-Assessment, and write the final report with recommendations. 

Preparation  

Identify Subject Matter Expert(s)

Before a Unit Self-Assessment is started, ISO will ask the Security Lead to identify any people who may need to be involved in helping answer the survey questions. These are typically subject matter experts and may include:

  • HR professionals
  • System administrators or local IT support (if any)
  • Managers or other experts who are familiar with the types of data and procedures the Unit uses
  • IT Client Services, if used for technical support, can be engaged in this process by opening a ticket with the Subject line: IS-3 Assistance

To prepare for the Unit Self-Assessment:  

  • Review and update your Unit's information security metrics through Socreg. (User Guide)
  • Review and update your Unit’s assets, registrations, and Security Contacts through Socreg. (User Guide)
  • Identify the information and IT resources the Unit uses and is responsible for, and the classification levels for each. 
    • Note: Socreg only contains IT resources that have been registered by your Unit's Security Contact members. IT resources may exist that were never registered. Ask other managers or IT support for computers and applications you may not be aware of, and work with your Unit's Security Contact members to add or update anything that is missing or incorrect in Socreg.

Process

Responsible Party | Activities | Estimated Time Required
--- | --- | ---
Security Lead | Coordinate completion of the Unit Self-Assessment using the Isora GRC survey tool. (ISORA Self-Assessment User Guide) | 6-8 weeks
Assessment Manager(s) | Assist the Security Lead in completing the Unit Self-Assessment using the Isora GRC survey tool. (ISORA Self-Assessment User Guide) | 6-8 weeks
ISO | ISO will schedule open office hours where Security Leads and Assessment Managers can drop in to discuss any questions about completing the Unit Self-Assessment. | Ongoing throughout the assessment period
ISO Analyst | Once the Unit Self-Assessment is complete, the ISO Assessments Team analysts will review it and prepare a report with 3-5 prioritized recommendations for reducing risk, for the unit to focus on over the next year. | Approximately 4 weeks from completion of the Unit Self-Assessment
Security Lead and Unit Head | The Security Lead discusses ISO's report and recommendations with the Unit Head, and together they determine the unit's information security priorities for the next year. For units completing their very first Unit Self-Assessment, the Unit Head also acknowledges a copy of the report in DocuSign. | 2 weeks

Support

For support or questions about the IS-3 Unit Self-Assessment, email uisl-help@berkeley.edu.

For Units supported by ITCS, assistance with IS-3 can be requested by opening a support ticket with the Subject line: IS-3 Assistance.

Units interested in detailed information about IS-3, including required controls, roles and responsibilities, and implementation tools can contact the Information Security Office at is3@berkeley.edu.