Unit Self-Assessment and Isora GRC

Overview

As part of UC Berkeley’s implementation of UC Electronic Information Security Policy BFB-IS-3 (IS-3), each Unit will be responsible for annually reviewing and updating a high-level IS-3 Unit Self-Assessment. The assessment and resulting report are designed to identify areas of risk to help focus a Unit’s security activities for the following year. 

The value of the Unit Self-Assessment comes from the process of completing it, which identifies strengths and areas for improvement with respect to high-level IS-3 requirements. 

A typical initial IS-3 Unit Self-Assessment evaluation takes approximately ten weeks. Subsequent assessments will be more streamlined.

Isora GRC Resources

ISO is using Isora GRC (an information security risk assessment application) to facilitate the self-assessment and to gauge the maturity level of the security program for each Unit. The Unit Self-Assessment User Guide provides additional information on ISORA and the Unit Self-Assessment Process.

Roles & Responsibilities

The campus roles that typically participate in an IS-3 Unit Assessment include the following:

Unit Head

The Unit Head appoints the Security Lead, who is responsible for the completion of the assessment. The Unit Head does not need to interact with the assessment directly, but may do so if they wish. The Unit Head reviews and signs off on the final report from the Information Security Office (ISO).

Security Lead 

The Security Lead coordinates the completion of the Unit Assessment. The Security Lead can have varying levels of involvement with the actual filling out of the questionnaire. The Security Lead can either gather information and complete the assessment themselves or delegate portions or all of the assessment to other individuals. 

Assessment Manager 

Assessment Managers are individuals who work with the Security Lead to complete the assessment in the questionnaire tool itself (ISORA). They are typically subject matter experts identified by the Security Lead.

ISO Analyst

A member of the ISO Assessments Team assigned as the primary analyst responsible for the engagement with the Unit. The analyst will work with the Security Lead, review the Unit Self-Assessment, and write the final report with recommendations. 

Preparation  

Identify Subject Matter Expert(s)

Before a Unit Self-Assessment is started, ISO will ask the Security Lead to identify any people who may need to be involved to help answer the survey questions. These are typically subject matter experts and may include:

  • HR professionals
  • System administrators
  • Managers or other experts who are familiar with the types of data and procedures the Unit uses
  • ITCS, if used for technical support, can be engaged in this process by opening a ticket with the Subject line: IS-3 Assistance

To prepare for the Unit Self-Assessment:

  • Review your Unit's information security metrics through Socreg. (User Guide)
  • Review your Unit's assets, registrations, and Security Contacts through Socreg. (User Guide)
  • Identify the information and IT resources the Unit uses and is responsible for, and the classification level of each.
  • Make any changes or modifications to the Unit's assets, registrations, and Security Contacts in Socreg.
  • Note: Socreg only contains IT resources that have been registered. IT resources may exist that were never registered.
    • Ask other managers or IT support about assets you may not be aware of.

Process

Each step below lists the responsible party, the activity, and the estimated time required.

  • Security Lead and/or Assessment Manager(s)
    • Activity: Complete the Self-Assessment using the Isora GRC survey tool. (ISORA Self-Assessment User Guide)
    • Estimated time required: 4-6 weeks

  • ISO Analyst
    • Activity: ISO will schedule a check-in meeting with the Security Lead or Assessment Manager(s) to discuss any questions about completing the Unit Self-Assessment.
    • Estimated time required: within 4 weeks of the start date

  • ISO
    • Activity: Once the Unit Self-Assessment is complete, the ISO Assessment Team analysts review it and prepare a final report with an Overall Report Rating and a recommendation of 3-5 specific risk areas to focus on over the next year.
    • Estimated time required: 2-4 weeks

  • Security Lead and Unit Head
    • Activity: The Security Lead meets with the Unit Head to share the final report(s) and recommendations. The Unit Head reviews the final report and signs an IS-3 Acknowledgement letter.
    • Estimated time required: 2 weeks

Support

For support or questions about the IS-3 Unit Assessment, email uisl-help@berkeley.edu.

For Units supported by ITCS, assistance with IS-3 can be requested by opening a ticket with the Subject line: IS-3 Assistance.

Units interested in detailed information about IS-3 controls, roles and responsibilities, and implementation tools from the UC Systemwide Policy Office can contact ISO at is-3@berkeley.edu to request access to the systemwide materials.