UC Berkeley security policy mandates compliance with the Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance to assist with meeting requirement 1.2, Registration Review.
Requirement
Resource Proprietors and Custodians must review and update these registrations at least annually and at the time of any changes that affect registration information.
Description of Risk
Attackers can discover and compromise covered data on devices that are not authorized to store, process, or transmit such data. If the data on a device is not correctly registered, that device will not receive sufficient security monitoring, and responses to its vulnerabilities and compromises will not be appropriately prioritized.
Recommendations
Because information systems evolve, undocumented changes to covered devices can render this control ineffective in meeting its operational goals. Over time, covered devices may be updated to align their functions with changing institutional and business initiatives. Such changes can, directly or indirectly, alter the risk profile of covered devices and the applicability of campus security standards. It is therefore critical that Resource Proprietors and Resource Custodians establish a process to review registered systems and data elements, so that registrations accurately reflect the current system environment and the associated security services are applied to the appropriate devices. The registration review should be planned and executed annually, and the results of each annual review should be documented to include:
- Decisions made during the review (e.g., approval or rejection of changes, reverting the system to its previous state, or confirming that no changes were made)
- Name and authority of the decision maker for the review
- Date and time of the review
In addition to the annual review, registration review must also be integrated into any existing change management process so that significant changes to a system trigger a review. Significant system changes may include:
- Major version upgrades*
- Changes to business processes supported by the application, such that covered data are added, updated, or removed on covered devices
- Personnel changes that require updates to the Security Contact or Socreg contact
* Major version upgrades typically introduce a large number of new or enhanced functions to the system, relative to other upgrades.