Details of the CPHS Data Security Assessment service

Overview

As part of the ongoing development of the Security Assessment Program at UC Berkeley, Information Security and Policy (ISP) is offering a security assessment service for researchers working with Personally Identifiable Data (PID) from California Health and Human Services Agency Data (CHHS).  The security assessment’s main objective is to ensure that researchers and staff handling PID properly understand the new set of data security requirements from state agencies and maintain a secure computing environment that meets those requirements.

For more background information on the CPHS data security requirements, please go to the CPHS Data Security Assessment service page.

Scope

The scope of the assessment is limited to the PID associated with the research project/protocol for which a Data Security Letter to the California Committee for the Protection of Human Subjects (CPHS) is required.  Any systems or persons (including researchers, contractors and subcontractors) with access to covered PID will also be assessed. PID requested in previous or future projects will not be considered covered.

Roles and Responsibilities

The following describes the key stakeholders in this assessment process and each stakeholder's role and associated responsibilities.

Research Unit Principal Investigator (PI) – The person ultimately responsible for the research data obtained from CHHS.  The person in this role must have the authority to implement changes in the systems and processes to meet security requirements.  This person will be the signatory representing the Research Unit in completing the Internal Security Agreement and Data Security Letter.

Research Unit Contact – The person who provides operational support in the assessment process, such as providing documentation on covered systems and processes and participating in interview sessions with Security Analyst(s).  The person in this role could be the same person as the Principal Investigator.

Research Unit IT Staff – In the case where the Research Unit PI and Contact do not have sufficient information on covered systems, the Research Unit IT Staff are the operational IT support staff who can provide details of the IT systems storing, transmitting and processing covered PID.

Security Analyst – ISP analyst(s) performing the security assessment.

Chief Information Security Officer (CISO) – The CISO will be the signatory representing the UC Berkeley information technology organization in “certifying” the compliance against state CPHS data security requirements, along with Research Unit Principal Investigator.

Assessment Methodology

An assessment will have activities roughly divided into the following four chronological phases:

  • Planning
  • Interview
  • Analysis
  • Reporting

While activities are generally grouped chronologically to illustrate the assessment process and provide a framework for performing the assessment, the phases may overlap as security analysts work through timing and logical conflicts to maximize efficient use of resources. To validate the security of processes and systems, Security Analyst(s) will conduct interviews with research unit stakeholders to get insight into the architecture and operational processes.  Specifically, the interview sessions will request details on how covered systems and processes comply with data security requirements.  This typically includes:

  1. providing details on how covered data flows through the various IT system components
  2. describing processes involved in handling of PID
  3. describing features and functionalities on covered systems that address data security requirements

Additional clarification may be requested in the form of internal or external (vendor) documentation as well as demonstration of processes and tools.  The objective is to acquire a sufficient level of evidence that the requirements are addressed by implemented procedures or tools.

Each phase is elaborated in more detail below to show the expected activities and the responsible parties involved in those activities.

Planning

Once the assessment request is received by ISP, the security analyst assigned to the assessment will start planning-phase activities, which include coordinating schedules, communication and resources to set up for upcoming assessment activities.

Activities | Responsible Party
Identify Research Unit Contact if not already identified.  In the case where the Research Unit PI is not available for a detailed interview or does not possess the operational knowledge of the IT system hosting PID, the Research Unit Contact will be the person who walks through the IT system(s) and processes with the Security Analyst. | Security Analyst, Research Unit Contact
Identify Research Unit PI if different from Research Unit Contact.  This person should be the person signing the Internal Security Agreement (see below). | Security Analyst, Research Unit Contact
If applicable, identify IT contact in research unit.  If there isn’t a researcher with operational knowledge of the systems hosting PID, the primary IT person supporting these systems should be contacted and made available to walk through the IT system(s) and processes with the Security Analyst. | Security Analyst, Research Unit Contact
Send kick-off email to stakeholders with (a) a general description of the assessment process and (b) interview questions and document requests to appropriate contacts | Security Analyst
Schedule interviews with the appropriate contact(s) | Security Analyst
Perform background research to look for (a) previous incidents involving in-scope systems and (b) previous assessments involving in-scope systems | Security Analyst

Interview

During the Interview phase, Security Analyst(s) and Research Unit Contact will collaboratively review the IT environment in which PID will be hosted.  An in-depth discussion on the data security requirements and how the requirements are addressed in existing systems and processes will also take place, along with gathering an initial set of evidence to demonstrate compliance.

Here are the tasks to be accomplished in the Interview phase of the assessment process:

Activities | Responsible Party
Conduct physical walk-through of the environment where the IT system resides | Security Analyst, Research Contact
Develop data flow diagram if one does not already exist | Security Analyst, Research Unit Contact
Walk through interview questions (CHHS Data Security Requirements) and gather compliance evidence | Security Analyst, Research Unit Contact

Analysis

Once the interview is conducted and an initial set of evidence is gathered, Security Analyst(s) will analyze the evidence and identify any gaps where current state systems and processes do not meet the data security requirements.  Security Analyst(s) may also request additional evidence from Research Unit Contact to support the analysis.

Initial analysis results will be shared with Research Unit Contact to confirm and to allow for time to update results prior to assembling the final report (Internal Security Agreement).

Activities | Responsible Party
Fill out Data Classification and Registration Questionnaire | Research Unit Contact*
Register systems in RDM | Research Unit Contact*
Analyze current state technology and processes against specific data security requirements | Security Analyst
Identify data security requirements that are insufficiently addressed by current state systems and processes, and develop a recommended action plan to remediate deficiencies | Security Analyst
Request and gather additional evidence and documentation if necessary | Security Analyst, Research Unit Contact
Walk through initial analysis findings and action plan with Research Unit Contact | Security Analyst, Research Unit Contact

* Security Analyst will provide support where needed

Reporting

In the reporting phase, Security Analyst will compile analysis results, which are incorporated into the Internal Security Agreement for review and signature.

Activities | Responsible Party
Develop draft Internal Security Agreement incorporating an overview of the assessment process and the action plan | Security Analyst
Review draft Internal Security Agreement and perform final edits | Security Analyst, Research Unit Contact, Research Unit PI
Sign Internal Security Agreement and Data Security Letter | CIO, Research Unit PI

Time Requirements:

Research Unit

In order to complete the security assessment in a timely manner, time commitment from research staff will be needed to provide documentation on how technology and processes are implemented to satisfy security requirements. The major components of time commitment from Research Unit Contact and PI are:

  • Interview:  3 hours
  • Evidence Gathering: 3 hours
  • Follow-up questions: 2 hours
  • Report Review: 1 hour

Total Research Unit time required is approximately 9 hours.

Depending on the knowledge of Research Unit Contact, additional time may be required from the Research Unit IT Staff supporting the systems that store, transmit and process PID.

ISP

Security Analyst(s) will have the following time components:

  • Planning: 1 hour
  • Interview (2 Analysts):  3 hours per Analyst
  • Evidence Analysis (2 Analysts): 3 hours per Analyst
  • Follow-up: 2 hours
  • Report Development: 3 hours

Total Security Analyst time required is approximately 18 hours.

Outputs

Internal Security Agreement (UCB)

The purpose of the Internal Security Agreement is to document

  • Assessment process, scope and action plan.
  • Research Unit’s acknowledgement of its responsibilities to ensure compliance with California State CPHS security requirements on an ongoing basis.
  • Research Unit’s acknowledgement that action plans developed as part of the assessment will be implemented prior to decrypting and accessing data from CHHS.

Data Security Letter (California State CPHS)

The purpose of the Data Security Letter is to document

  • Research Unit PI's responsibility to safeguard the PID used (stored, transmitted or processed) for the referenced research project.
  • CIO and Research Unit’s acknowledgement that the project’s systems are in compliance with data security requirements outlined by California State CPHS.

