Minimum Security Standards
The Minimum Security Standards for Networked Devices (MSSND) apply to all devices that connect to the campus electronic communications network or use a berkeley.edu origin address in their electronic communication. These devices include computers, laptops, phones, printers, gaming consoles, lab equipment, and other networked appliances.
The Minimum Security Standards for Electronic Information (MSSEI) define the minimum set of confidentiality controls for systems handling UCB Protection Level 1 (UC P2-UC P3) and UCB Protection Level 2 (UC P4) data as defined in the Berkeley Data Classification Standard.
Exception Request Procedure
NOTE: This procedure applies to devices containing or accessing University Institutional Information. It does not generally apply to students who are not Workforce Members. Exceptions for personally owned devices that are not used for University business purposes and do not contain Institutional Information use the separate request form listed at the end of this page.
Resource Proprietors and Service Providers who believe their environments require configurations that do not comply with the Minimum Security Standards or whose environments do not currently comply with Minimum Security Standards must request an exception using the form below. This process and form are also required where campus, regulatory, legal or contract requirements related to information security cannot be met.
An exception is required for each control that is not met. Multiple devices can be covered by a single request, but each request covers only one control. For example, a request for an exception to MSSND 1: Software Patch Updates may list multiple devices, but a separate request is required if those same devices are also not in compliance with MSSND 4: Use of Authentication.
Exceptions must be approved by the Chief Information Security Officer (CISO) and a Unit Head with the level of authority that matches the risks identified. Additional approvals may also be required based on the level of risk the exception represents.
Unit risk acceptance includes acceptance of potential financial loss associated with UC's insurance deductibles. These are based on Protection Level as follows:
- $100,000 for incidents involving Institutional Information classified at UCB Protection Level 2 or 3 (UC P4)
- $40,000 - $75,000 for incidents involving Institutional Information classified at UCB Protection Level 1 (UC P2-P3)
- $20,000 for incidents involving Institutional Information classified at UCB Protection Level 0 (UC P1)
Exception requests are evaluated by the Information Security Office (ISO) for risk and mitigating factors. ISO may grant a temporary exception while working with the requester to establish a timeline for compliance and implementation of interim mitigating controls, or may approve an exemption for atypical systems with appropriate alternative controls. All exceptions will be granted for a maximum of one year. Annual review is required for renewal.
Non-compliant systems that pose significant risk to campus resources may face removal from the campus network and/or other take-down action. Unapproved requests or expired exceptions may be escalated by ISO, the Resource Proprietor, or the Service Provider to the CISO for review via email@example.com. The CISO will coordinate an IT and/or functional stakeholder review and response. Unresolved compliance issues will be further escalated to the IT Leadership Group, and/or other campus IT Governance and campus enterprise risk bodies, as appropriate.
If you have questions about the Minimum Security Standards or the exception process, please email firstname.lastname@example.org
Use the following forms to submit an information security policy exception request:
- Request Form for Resource Proprietors and Service Providers
- Request Form for Personally Owned Devices not used for University business purpose and not containing Institutional Information
Oct. 12, 2019: added version of form for personally owned devices not used for University business purposes and containing no University Institutional Information; additional questions on institutional form regarding data classification and risk identification. Exceptions must be approved by the CISO and the Unit responsible for the data/business function impacted by the exception.