Departmental Security Contact Policy Draft

DRAFT: The Information Security Office is currently updating the Departmental Security Contact Policy. The current Policy is available and still in effect during campus review.

I. Purpose / Policy Statement

This Policy establishes responsibilities of Departments and Security Contacts in order to ensure that the UC Berkeley Information Security Office (ISO) is able to contact departments in the event of a security incident. The ability to quickly contact responsible personnel and have them take appropriate action is critical in mitigating the negative effects of an incident. 

II. Scope of This Policy

This Policy applies to all Campus Departments and Security Contacts as defined below.

III. Background

When the Information Security Office becomes aware of an IT security incident that threatens Campus IT Resources or the Internet, a timely response is critical. ISO must be able to quickly contact responsible personnel and have them take appropriate action and/or pass the information on to the appropriate support personnel to mitigate the negative effects of the incident. 

In cases where an incident poses a potentially serious threat to Campus IT Resources or the Internet, ISO will immediately block the offending device(s) from network access and contact the affected Unit. 

ISO refers to a registry of network assets and associated contact information for this communication. 

IV. Key Definitions and Glossary

  1. Department: The word "department", as used within this Policy, includes various types of organizational entities on the Berkeley Campus, for example: an academic department, administrative department, or organized research unit. Departments must be associated with a Campus org node that rolls up to a Unit as defined under Campus Information Security Policies.
  2. Security Contact: A Security Contact is a group of individuals who have been designated to receive and respond to security notices from UC Berkeley’s Information Security Office (ISO) for their department or for a specific set of IT Resources. Like Departments, Security Contacts must be associated with a Campus org node that rolls up to a Unit. They are accountable to their Unit Information Security Lead(s).
  3. Definitions of other Key Terms used in this policy are included in UC Berkeley’s Information Security Policy Glossary. 

V. Requirements and Responsibilities

    1. Each Campus Department with IT Resources must:
      1. Establish a Security Contact for the UC Berkeley Information Security Office (ISO) to contact in the event of a security incident. 
        • Security Contacts must include responsible personnel able to take appropriate action to mitigate the negative effects of an incident. Security Contact members need to have some familiarity with the computers in their department and be able to determine who a responsible technical person is; it is not necessary for the Security Contact members to have extensive security expertise.
        • Each Security Contact must have an email address that reaches multiple people so that security incidents involving a department or group's IT Resources receive prompt attention. This can be accomplished by using a CalNet SPA, bConnected List, group email address, or any other type of email address that is monitored by, and reliably reaches, more than one person.
        • Large organizational Units, such as schools or colleges, may choose to consolidate their Security Contact function under a single contact. In all cases, the designated Security Contact must be able to identify responsible administrators for every registered asset.
      2. Create their Security Contact(s) in ISO's Security Contact and Asset Registration Portal ("Asset Registration Portal"). See Related Documents and Policies and Getting Help below.
      3. Review each Security Contact's email address (used for security notices) at least annually to ensure it is correct and is monitored by more than one person.
    2. Security Contact members must:
      1. Maintain registration of IT Resources for which they are responsible, in ISO's Asset Registration Portal (Cloud Accounts, Subnets, IP addresses, devices, offsite hostnames, Protected Data applications, etc.) – see Getting Help below;
        • Ensure new assets are registered to the Security Contact as they come online and obsolete assets are de-registered when they are decommissioned;
        • Ensure Protected Data computers, systems, and applications are registered as Protected Data Applications as required under the MSSEI;
        • Review and update Security Contact membership and asset registrations for correctness/completeness at least annually.
      2. Respond to security notices from ISO. This includes:
        • Ensuring that the appropriate personnel take timely action to address the vulnerability or compromise in response to each security notice;
        • Escalating the incident to an appropriate departmental authority if action is not taken;
        • Replying to ISO promptly when receiving a security notice, and reporting the resolution of each incident to security@berkeley.edu.
      3. Actively monitor the UCB-Security mailing list.

    3. Unit Information Security Leads are responsible for ensuring that the above activities happen within their area of responsibility.

VI. Consequences of Violations

Violations of this Policy may result in devices being blocked from network access without prior notice, due either to the lack of an appropriate contact or contact information or to delays in responding to security notices from the Information Security Office. Violations may also lead to costs to the Department and Unit resulting from unaddressed security issues.

VII. Related Documents and Policies

Policies and Procedures

Procedures for Blocking Network Access

Roles and Responsibilities Policy

Documentation and Instructions

Socreg - Asset Management Portal:

See the Socreg Documentation page [1] for the following resources and more:

  • General instructions for using Socreg, ISO’s Asset Registration Portal - under "Basic Socreg Functions & Use Cases".
  • How to establish a new Security Contact or update an existing one.
  • Instructions for registering network assets including cloud accounts, subnets, IP addresses, devices, offsite hostnames, and Protected Data applications.
  • Frequently asked questions (FAQ)

CalNet SPAs:

CalNet SPAs (Special Purpose Accounts) are CalNet IDs that can be shared by multiple people for collaborative purposes, and are one of the recommended options for Security Contacts. See CalNet's SPA page for information and instructions on setting up a SPA account for a Security Contact to receive security notices.

VIII. Getting Help

Departments that receive IT support from another Unit or department, such as IT Client Services or another centralized group, can reach out to their IT Service Provider for assistance. 


For general assistance, please contact the Information Security Office at security@berkeley.edu

-----------

[1] Please note: On Mar. 1, 2022 ISO’s Asset Registration Portal converted from netreg.berkeley.edu to socreg.berkeley.edu. Learn more at: https://security.berkeley.edu/services/socreg-asset-registration-portal

Email iso@berkeley.edu for questions on the draft or to provide feedback.