University of California, Berkeley
Policy Issued: 2001 (exact date unknown)
Effective Date: 4/19/2001
Revision Date: 11/14/2022, effective 12/1/2022
Supersedes: Previous version
Next Review Date: 12/1/2027
Responsible Executive: Associate Vice Chancellor for Information Technology and Chief Information Officer
Responsible Office: Information Security Office
Contact: security-policy@berkeley.edu
Website Address for Policy: https://security.berkeley.edu/policy/departmental-security-contact-policy
I. Purpose / Policy Statement
This Policy establishes responsibilities of Departments and Information Security Contacts in order to ensure that the UC Berkeley Information Security Office (ISO) is able to contact departments in the event of a security incident. The ability to quickly contact responsible personnel and have them take appropriate action is critical in mitigating the negative effects of an incident.
II. Scope of This Policy
This Policy applies to all Campus Departments and Information Security Contacts as defined below.
III. Background
When the Information Security Office becomes aware of an IT security incident that threatens Campus IT Resources or the Internet, a timely response is critical. ISO must be able to quickly contact responsible personnel and have them take appropriate action and/or pass the information on to the appropriate support personnel to mitigate the negative effects of the incident.
In cases where an incident poses a potentially serious threat to Campus IT Resources or the Internet, ISO will immediately block the offending device(s) from network access and contact the affected Unit.
ISO refers to a registry of network assets and associated contact information for this communication.
IV. Key Definitions and Glossary
- Department: The word "department", as used within this Policy, includes various types of organizational entities on the Berkeley Campus, for example: an academic department, administrative department, or organized research unit. Departments must be associated with a Campus org node that rolls up to a Unit as defined under Campus Information Security Policies.
- Information Security Contact: An Information Security Contact is a group of individuals who have been designated to receive and respond to security notices from UC Berkeley’s Information Security Office (ISO) for their department or for a specific set of IT Resources. Like Departments, Information Security Contacts must be associated with a Campus org node that rolls up to a Unit. They are accountable to their Unit Information Security Lead(s). Information Security Contacts are known informally (and historically) as "Security Contacts".
- Definitions of other Key Terms used in this policy are included in UC Berkeley’s Information Security Policy Glossary.
V. Requirements and Responsibilities
A. Each Campus Department with IT Resources must:
  - Establish an Information Security Contact for the UC Berkeley Information Security Office (ISO) to contact in the event of a security incident.
    - Information Security Contacts must include responsible personnel able to take appropriate action to mitigate the negative effects of an incident. Information Security Contact members need to have some familiarity with the computers in their department and be able to determine who a responsible technical person is; it is not necessary for the Information Security Contact members to have extensive security expertise.
    - Each Information Security Contact must have an email address that reaches multiple people so that security incidents involving a department or group's IT Resources receive prompt attention. This can be accomplished by using a CalNet SPA, bConnected List, group email address, or any other type of email address that is monitored by, and reliably reaches, more than one person.
    - Large organizational Units, such as schools or colleges, may choose to consolidate their Information Security Contact function under a single contact. In all cases, the designated Information Security Contact must be able to identify responsible administrators for every registered asset.
  - Create their Information Security Contact(s) in ISO's Information Security Contact and Asset Registration Portal ("Asset Registration Portal"). See Related Documents and Policies and Getting Help below.
  - Promptly update Information Security Contact membership and email distribution lists when members leave in order to ensure that more than one person is included. At a minimum, departments must review each Information Security Contact's email address (used for security notices) at least annually to ensure it is correct and is monitored by more than one person.
B. Information Security Contact members must:
  - Maintain registration of IT Resources for which they are responsible, in ISO's Asset Registration Portal (Cloud Accounts, Subnets, IP addresses, devices, offsite hostnames, Protected Data applications, etc.) – see Getting Help below;
  - Ensure new assets are registered to the Information Security Contact as they come online and obsolete assets are de-registered when they are decommissioned;
  - Ensure Protected Data computers, systems, and applications are registered as Protected Data Applications as required under the MSSEI.
  - Review and update Information Security Contact membership and asset registrations for correctness/completeness at least annually;
  - Respond to security notices from ISO. This includes:
    - Ensuring that the appropriate personnel take timely action to address the vulnerability or compromise in response to each security notice;
    - Escalating the incident to an appropriate departmental authority if action is not taken;
    - Replying to ISO promptly when receiving a security notice, and reporting the resolution of each incident to security@berkeley.edu.
  - Actively monitor the UCB-Security mailing list.
C. Unit Information Security Leads are responsible for ensuring that the above activities happen within their area of responsibility.
VI. Consequences of Violations
Violations of this Policy may result in devices being blocked from network access without prior notice, due either to the lack of an appropriate contact or contact information or to delays in responding to security notices from the Information Security Office. Violations may also lead to costs to the Department and Unit resulting from unaddressed security issues.
VII. Related Documents and Policies
Policies and Procedures
Procedures for Blocking Network Access
Roles and Responsibilities Policy
Documentation and Instructions
Socreg - Asset Management Portal:
See the Socreg Documentation page [1] for the following resources and more:
- General instructions for using Socreg, ISO’s Asset Registration Portal - under "Basic Socreg Functions & Use Cases".
- How to establish a new Information Security Contact or update an existing one.
- Instructions for registering network assets including cloud accounts, subnets, IP addresses, devices, offsite hostnames, and Protected Data applications.
- Frequently asked questions (FAQ)
CalNet SPAs:
CalNet SPAs (Special Purpose Accounts) are CalNet IDs that can be shared by multiple people for collaborative purposes, and are one of the recommended options for Information Security Contacts. See CalNet's SPA page for information and instructions on setting up a SPA account for an Information Security Contact to receive security notices.
VIII. Getting Help
Departments that receive IT support from another Unit or department, such as IT Client Services or another centralized group, can reach out to their IT Service Provider for assistance.
For general assistance, please contact the Information Security Office at security@berkeley.edu.
----------
[1] Please note: On Mar. 1, 2022 ISO’s Asset Registration Portal converted from netreg.berkeley.edu to socreg.berkeley.edu. Learn more at: https://security.berkeley.edu/services/socreg-asset-registration-portal
Change Log
Administrative update 4/14/2023: Updated the term "Security Contact" to "Information Security Contact" to address ambiguity.