California State CPHS Data Security Assessment

 California State CPHS Data Security Assessment

What We Do

Information Security and Policy (ISP) offers an assessment service to help the Berkeley research community comply with California State CPHS data security requirements.  ISP Security Analyst will engage research staff and/or primary IT support staff to evaluate the IT system according to State CPHS data security requirements.

Why We Do It

In early 2012, California State CPHS started to mandate a new set of data security requirements for researchers who are requesting personally identifiable data (PID) from state agencies.  In addition to 33 data security requirements, the State CPHS also require researchers to report any personally identifiable data breaches within 48 hours of the event.  

Compliance to these data security requirements requires Principal Investigators and an appropriate campus official, which was determined to be the campus Chief Information Security Officer (CISO), to certify that the applicable data security controls are implemented effectively as prescribed by the state CPHS.

The assessment will support the CISO's certification that applicable data security controls are indeed implemented effectively, which mean establishing roles and responsibilities in securing sensitive PID, as well as identifying technical measures to protect and monitor IT systems. 

The assessment process will also produce a data security letter, signed by CISO, to help the research team complete a required component of the online State CPHS application process. Without a signed data security letter, requests for PID will not be approved by CPHS. 

Who Benefits

Any researcher requesting PID from a California state agency will have to comply with this set of new data security requirements.  

See California State CPHS website for details to help understand if your project will be required to comply with new set of data security requirements.

How to Get Started

Please note that all requests for assessment must be submitted at least 6 weeks prior to the State CPHS application deadline.  If you have any questions on the process, or would like to schedule an assessment, please send an email to  
In your email request for a new assessment, please provide the following:
  1. Research Project Name
  2. Project ID Number
  3. Principal Investigator's Full Name
  4. Primary Research Contact Full Name (if different from Principal Investigator)
  5. CPHS Application Deadline Date

For a more detailed look into the assessment process and what is required to complete an assessment, please visit our  CPHS Data Security Assessment Process page.

Service Details and Additional Information

Service category