This page is currently under review and is being updated by the Information Security Office. If you have questions, contact us at security.berkeley.edu. See the draft of the Campus Information Technology Security Policy here.
In order to fulfill its mission of teaching, research and public service, the campus is committed to providing a secure yet open network that protects the integrity and confidentiality of information while maintaining its accessibility.
Each member of the campus community is responsible for the security and protection of electronic information resources over which he or she has control. Resources to be protected include networks, computers, software, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise. Activities outsourced to off-campus entities must comply with the same security requirements as in-house activities.
Responsibilities range in scope from security controls administration for a large system to the protection of one's own access password. A particular individual often has more than one role.
Administrative Officials (individuals with administrative responsibility for campus organizational units [e.g., control unit heads, deans, department chairs, principal investigators, directors, or managers] or individuals having functional ownership of data) must:
- identify the electronic information resources within areas under their control;
- define the purpose and function of the resources and ensure that requisite education and documentation are provided to the campus as needed;
- establish acceptable levels of security risk for resources by assessing factors such as:
- how sensitive the data is, such as research data or information protected by law or policy,
- the level of criticality or overall importance to the continuing operation of the campus as a whole, individual departments, research projects, or other essential activities;
- how negatively the operations of one or more units would be affected by unavailability or reduced availability of the resources,
- how likely it is that a resource could be used as a platform for inappropriate acts towards other entities,
- limits of available technology, programmatic needs, cost, and staff support;
- for systems in support of University business administration, ensure compliance with relevant provisions of BFB IS-3 "Electronic Information Security";
- ensure that requisite security measures are implemented for the resources;
Providers (individuals who design, manage, and operate campus electronic information resources, e.g. project managers, system designers, application programmers, or system administrators) must:
- become knowledgeable regarding relevant security requirements and guidelines;
- analyze potential threats and the feasibility of various security measures in order to provide recommendations to Administrative Officials;
- implement security measures that mitigate threats, consistent with the level of acceptable risk established by administrative officials;
- establish procedures to ensure that privileged accounts are kept to a minimum and that privileged users comply with privileged access agreements;
- for systems in support of University business administration, establish procedures to implement relevant provisions of BFB IS-3;
- communicate the purpose and appropriate use for the resources under their control (See "Guidelines for Administering Appropriate Use of Campus Computing and Network Services").
Users (individuals who access and use campus electronic information resources) must:
- become knowledgeable about relevant security requirements and guidelines;
- protect the resources under their control, such as access passwords, computers, and data they download.
Other entities with important campus electronic information resource security responsibilities include Departmental Security Contacts, the campus Information Security Office (ISO) (http://security.berkeley.edu), the Campus Information Security and Privacy Committee (CISPC) (http://security.berkeley.edu/CISPC), and the campus Chief Information Officer (CIO) (http://technology.berkeley.edu).
Insufficient security measures at any level may cause resources to be damaged, stolen, or become a liability to the campus. Therefore, responsive actions may be taken. For example, if a situation is deemed serious enough, computer(s) posing a threat will be blocked from network access. (The campus "Guidelines and Procedures for Blocking Network Access" specify how the decision to block is made and the procedures involved.)
Computers must have the most recently available and appropriate software security patches, commensurate with the identified level of acceptable risk. For example, installations that allow unrestricted access to resources must be configured with extra care to minimize security risks.
Adequate authentication and authorization functions must be provided, commensurate with appropriate use and the acceptable level of risk.
Attention must be given not only to large systems but also to smaller computers which, if compromised, could constitute a threat to campus or off-campus resources, including computers maintained for a small group or for an individual's own use.
Appropriate controls must be employed to protect physical access to resources, commensurate with the identified level of acceptable risk. These may range in scope and complexity from extensive security installations to protect a room or facility where server machines are located, to simple measures taken to protect a User's display screen.
Applications must be designed and computers must be used so as to protect the privacy and confidentiality of the various types of electronic data they process, in accordance with applicable laws and policies.
Users who are authorized to obtain data must ensure that it is protected to the extent required by law or policy after they obtain it. For example, when sensitive data is transferred from a well-secured mainframe system to a User's location, adequate security measures must be in place at the destination computer to protect this "downstream data".
Technical staff assigned to ensure the proper functioning and security of University electronic information resources and services are not permitted to search the contents of electronic communications or related transactional information except as provided for in the University of California (UC) Electronic Communications Policy. For example, any scanning of network traffic to detect intrusive activities must follow established campus guidelines or organizational procedures to ensure compliance with laws and policies protecting the privacy of the information.
Campus departments, units, or groups should establish security guidelines, standards, or procedures that refine the provisions of this Policy for specific activities under their purview, in conformance with this Policy and other applicable policies and laws.
Policies that apply to all campus electronic information resource security include, but are not limited to, the UC Electronic Communications Policy and the campus Computer Use Policy. Electronic information resources used in support of University business administration must comply with the provisions of BFB IS-3 and its companion "Implementing IS-3 Electronic Information Security." Federal and state laws prohibit theft or abuse of computers and other electronic resources.
The following activities are specifically prohibited under this Policy:
- interfering with, tampering with, or disrupting resources;
- intentionally transmitting any computer viruses, worms, or other malicious software;
- attempting to access, accessing, or exploiting resources you are not authorized to access;
- knowingly enabling inappropriate levels of access or exploitation of resources by others;
- downloading sensitive or confidential electronic information/data to computers that are not adequately configured to protect it from unauthorized access;
- disclosing any electronic information/data you do not have a right to disclose.
In addition to any possible legal sanctions, violators of this Policy may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to Berkeley Campus policies, collective bargaining agreements, codes of conduct, or other instrument governing the individual’s relationship with the University. Recourse to such actions shall be as provided for under the provisions of those instruments.
Questions about this Policy or other campus electronic information resource policies may be directed to the IT Policy Services unit: email@example.com.
Questions about network security requirements may be directed to the campus Information Security Office (ISO): firstname.lastname@example.org.
Report network security incidents to: email@example.com.
For reports about general computer use violations see Responding to Inappropriate Use of Computing and Network Resources.