Overview
As part of UC Berkeley’s implementation of UC Electronic Information Security Policy BFB-IS-3 (IS-3), each Unit will be responsible for annually reviewing and updating a high-level IS-3 Unit Self-Assessment. The assessment and resulting report are designed to identify areas of risk to help focus a Unit’s security activities for the following year.
The value of the Unit Self-Assessment comes from the process of completing it, which identifies strengths and areas for improvement with respect to high-level IS-3 requirements.
A typical initial IS-3 Unit Self-Assessment evaluation takes approximately ten weeks. Subsequent assessments will be more streamlined.
Isora GRC Resources
ISO is using Isora GRC (an information security risk assessment application) to facilitate the self-assessment and to gauge the maturity level of the security program for each Unit. The Unit Self-Assessment User Guide provides additional information on ISORA and the Unit Self-Assessment Process.
Roles & Responsibilities
The campus roles that typically participate in a IS-3 Unit Assessment include the following:
Unit Head |
The Unit Head appoints the Security Lead (who will be responsible for the completion of the assessment). The Unit Head does not need to interact with the assessment directly, however they may if they want to. The Unit Head will review and sign off on the final report from the Information Security Office (ISO). |
Security Lead |
The Security Lead coordinates the completion of the Unit Assessment. The Security Lead can have varying levels of involvement with the actual filling out of the questionnaire. The Security Lead can either gather information and complete the assessment themselves or delegate portions or all of the assessment to other individuals. |
Assessment Manager |
Assessment Managers are individuals who work with the Security Lead to complete the assessment in the questionnaire tool itself (ISORA). They are typically subject matter experts identified by the Security Lead. |
ISO Analyst |
A member of the ISO Assessments Team assigned as the primary analyst responsible for the engagement with the Unit. The analyst will work with the Security Lead, review the Unit Self-Assessment, and write the final report with recommendations. |
Preparation
Identify Subject Matter Expert(s)
Before a Unit Self-Assessment is started, ISO will ask the Security Lead to identify any people who may need to be involved to help answer the survey questions. These are typically subject matter experts and may include:
- HR professionals
- System administrators
- Managers or other experts who are familiar with the types of data and procedures the Unit uses
- ITCS, if used for technical support, can be engaged in this process by opening a ticket with the Subject line: IS-3 Assistance
To prepare for the Unit Self-Assessment:
- Review your Unit's information security metrics through Socreg. (User Guide)
- Review your Unit’s assets, registrations, and Security Contacts through Socreg. (User Guide)
- Identify the information and IT resources the Unit uses and is responsible for and the classification levels for each.
- Any changes or modifications to the Unit’s assets, registrations, and Security Contacts are made in Socreg.
- Note: Socreg only contains IT resources that have been registered. IT resources may exist that were never registered.
- Ask other managers or IT support for assets you may not be aware of.
Process
Responsible Party | Activities | Estimated Time Required |
Security Lead and/or Assessment Manager(s) |
Complete the Self-Assessment using the Isora GRC survey tool. (ISORA Self-Assessment User Guide) |
4-6 weeks |
ISO Analyst |
ISO will schedule a check-in meeting to discuss any questions about completing the Unit Self-Assessment with the Security Lead or Assessment Manager(s). |
Within 4 weeks of the start date |
ISO |
Once the Unit Self-Assessment is complete, the ISO Assessment Team analysts will review it and prepare a final report with an Overall Report Rating and a recommendation of 3-5 specific risk areas to focus on over the next year. |
2-4 weeks |
Security Lead and Unit Head |
The Security Lead has a conversation with the Unit Head to share the final report(s) and recommendations. The Unit Head reviews the final report and signs an IS-3 Acknowledgement letter. |
2 weeks |
Support
For support or questions about the IS-3 Unit Assessment, email uisl-help@berkeley.edu
For Units supported by ITCS, assistance for IS-3 can be requested by opening a ticket with the Subject line: IS-3 Assistance
Units interested in detailed information about IS-3 controls; roles and responsibilities; and implementation tools from the UC Systemwide Policy Office can contact ISO at is-3@berkeley.edu to request access to the systemwide materials.