Protected System Registration Guideline

UC Berkeley security policy mandates compliance with the Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance for the registration requirement.

Requirement

Resource Proprietors, in conjunction with Unit Information Security Leads (UISLs), must register all IT Infrastructure and Services under their jurisdiction classified at P3, P4, or A4, and Individual Devices classified at P4, in the campus asset registry system.

Description of Risk

Attackers can discover and compromise protected data on devices not authorized to store, process, or transmit such data. If data on a device is not correctly registered, it will not receive sufficient security monitoring and appropriate prioritization of response to vulnerabilities and compromises.

Recommendations

Registration of protected devices requires a two-step process to create appropriate entries in the campus data registry application (Socreg):

  1. Locate or create the Security Contact in Socreg
  2. Register Data/Application in Socreg

Protected Data Management

Resource Proprietors and UISLs should register devices in Socreg that are used to store, process and transmit sensitive data as required in the MSSEI. Information entered in Socreg should follow the guidelines below:

  • email address is current and actively monitored for security-related communication
  • data elements are accurately and completely documented
  • IP address(es) and device (host) names for protected devices are accurate and complete
    • If the device is using a dynamically allocated IP address (DHCP), please ensure the device is registered in the campus DHCP service
  • Use text fields after Machine Type and Operating System to note the version number. For example:
    • Machine Type: Local Database Server. 
    • Operating System: Windows. 

By registering in Socreg, devices are entitled to the following security services:

  • More frequent scanning -- network vulnerability scans for Socreg registered Protected Data Applications occur nightly
  • A greater range of intrusion detection signatures is reviewed, with notifications sent to the security contact
  • Elevated responses to alerts – the Information Security Office (ISO) staff are alerted immediately and will attempt to reach an administrator as soon as possible
  • Longer retention of network data for future analysis if a breach is confirmed -- this can help to confirm if a hacker was able to access the protected data during the breach incident

Security Contact

ISO refers to a database of IP addresses and associated Security Contact information in Socreg when it needs to notify contact persons of any security issues regarding a computer under their responsibility. Each department needs to establish at least one Security Contact group in Socreg for this purpose, with a primary member and one or more backups. Registrations in Socreg are also associated with a Security Contact group. Additional details on the requirements of Security Contact registration include:

  • Accurate IP address range(s) is essential to timely and effective response to security incidents in the future.
  • All security contacts for a given department should be reachable through a single email address (e.g., security@me.berkeley.edu).
  • Security contacts must respond to security incident reports from central campus security staff and pass them on to responsible departmental or third party support personnel as appropriate.
  • Security contacts need to have some familiarity with the computers in their department and be able to determine who a responsible technical person is; it is not necessary for the contact to have extensive security expertise.
  • Groups of departments may agree to share contacts for efficiency.

Security Contact members are responsible for ensuring that appropriate personnel take action in response to each security incident (including escalating the incident to an appropriate departmental authority if action is not taken) and that resolution of each incident is reported to security@berkeley.edu.

For detailed instructions on how to set up Security Contact profiles, please refer to the Socreg documentation.

Additional Resources