Covered System Inventory Guideline

UC Berkeley security policy mandates compliance with the Minimum Security Standard for Electronic Information (MSSEI) for devices handling covered data. The recommendations below are provided as optional guidance to assist with achieving the Covered System Inventory requirement.

Requirements

Resource Proprietors, in conjunction with Resource Custodians, must inventory all covered data and devices within their domain.

Description of Risk

Attackers can discover and compromise covered data on devices not authorized to store, process, or transmit such data. If data on a device is not correctly inventoried, the device will not receive sufficient security safeguards or appropriate prioritization of response to vulnerabilities and compromises.

Recommendations

Attackers looking to compromise covered data often look for the weakest entry point into the system or application hosting covered data. Without a proper inventory of the critical devices making up the system or application that stores, transmits, or processes covered data, the information security safeguards that would otherwise prevent or promptly detect an attacker's activities will be implemented inconsistently or not at all.

In response, resource proprietors and custodians should develop an inventory of covered devices that includes institutional devices and privileged access devices as defined in MSSEI. The inventory should at minimum include the following information about the covered devices:

  • Host Name
  • IP address
  • Physical location
  • Name of the system administrator or administrative group responsible for maintaining the device (hardware install, OS install, configuration, etc.)
  • Operating System (and version)
  • MSSEI Device Type
  • Server Function (database, file server, web server, etc.)

A template for collecting inventory information about covered devices is included in the Appendix of the MSSEI Self Assessment Plan template for reference.

Resource proprietors and custodians should also create and document an automated or manual process to update the device inventory when significant changes are made to covered devices. Significant changes include any changes that affect the information about covered devices outlined in the bullet points above, such as an IP address change or a move to a different physical location.
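
One way to automate the update process described above, as an added example that is not part of the guideline or any UC Berkeley tooling: it checks each record for the seven listed items and compares the recorded inventory against a freshly observed snapshot to flag significant changes. The field keys, function names, and sample hosts are assumptions constructed for illustration.

```python
# Added example: the keys below are this example's own names for the seven
# items the guideline lists; all hosts and addresses are constructed.
REQUIRED_FIELDS = (
    "host_name", "ip_address", "physical_location", "administrator",
    "operating_system", "mssei_device_type", "server_function",
)

def missing_fields(record):
    """Return required fields that are absent or blank in one inventory record."""
    return [f for f in REQUIRED_FIELDS if not str(record.get(f, "")).strip()]

def significant_changes(old_inventory, new_inventory):
    """Compare two inventory snapshots keyed by host name.

    Returns (added, removed, changed): hosts only in the new snapshot, hosts
    only in the old one, and {host: {field: (old, new)}} for tracked fields.
    A renamed host shows up as one removal plus one addition.
    """
    old = {r["host_name"]: r for r in old_inventory}
    new = {r["host_name"]: r for r in new_inventory}
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    changed = {}
    for host in sorted(old.keys() & new.keys()):
        diff = {f: (old[host].get(f), new[host].get(f))
                for f in REQUIRED_FIELDS
                if old[host].get(f) != new[host].get(f)}
        if diff:
            changed[host] = diff
    return added, removed, changed

# Constructed sample data (documentation IP range, made-up hosts).
RECORDED = [
    {"host_name": "db01", "ip_address": "192.0.2.10", "physical_location": "Room 101",
     "administrator": "DBA group", "operating_system": "Ubuntu 22.04",
     "mssei_device_type": "Institutional", "server_function": "Database"},
    {"host_name": "web01", "ip_address": "192.0.2.20", "physical_location": "Room 101",
     "administrator": "Web team", "operating_system": "Ubuntu 22.04",
     "mssei_device_type": "Institutional", "server_function": "Web server"},
]
OBSERVED = [
    dict(RECORDED[0], ip_address="192.0.2.11", physical_location="Room 202"),
    {"host_name": "file01", "ip_address": "192.0.2.30", "operating_system": "",
     "server_function": "File server"},
]

if __name__ == "__main__":
    added, removed, changed = significant_changes(RECORDED, OBSERVED)
    print("new hosts:", added, "| gone:", removed, "| changed:", changed)
    for rec in OBSERVED:
        print(rec["host_name"], "missing:", missing_fields(rec))
```

A host that appears only in the observed snapshot, or a record with missing fields, is the case the Description of Risk warns about: a device that may handle covered data without being correctly inventoried.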
