The MSSEI Assessment Service is a service for assessing compliance with campus data security policies that is required for all systems and applications that handle data classified as Protection Level 4. The service is provided for IT Resource Managers who maintain protected data systems on behalf of the campus. The assessment is managed by a member of the Information Security Office (ISO) Assessments team.
The purpose of the MSSEI Assessment Service is to identify gaps in meeting campus security policy requirements for P4 data applications. As an outcome of the service, ISO will provide a report listing recommended actions to reduce the security risk to protected data.
Below is a diagram showing an overview of the process:
Self Assessment Process
|Confirm Data Classification||Complete Self Assessment Plan||Submit Self Assessment Plan||Meet with ISO||Remediate Findings||Update Self Assessment Plan|
ISO Assessment Process
|Receive Self Assessment Plan||Confirm Scope of Engagement||Interview Stakeholders||Security Analysis||Write report||Debrief|
The first step in the MSSEI assessment process is to complete and submit an MSSEI Self Assessment Plan (SAP). The completion of the SAP is a prerequisite for the assessment.
The purpose of the SAP is to gather information about the application and to describe the security controls in place (or planned) to meet each MSSEI control requirement. The SAP is a tool for accurately capturing how security processes and procedures are currently implemented (or will be). IT Resource Managers are responsible for the completion and submission of MSSEI self assessment plans for P4 data applications.*
Refer to the MSSEI SAP Step-by-Step Guide for detailed information about how to complete and submit an MSSEI self assessment plan. If you need help completing a MSSEI SAP, you may create a ServiceNow ticket by emailing firstname.lastname@example.org.
* While it's not required to submit a self assessment plan to ISO for P2 or P3 (formally UCB PL1) data applications, Resource Proprietors are required to meet MSSEI requirements for these systems per campus policy. ISO recommends using the SAP P2/P3 template to document security controls and demonstrate compliance with campus security policies.
There are 3 steps to the ISO MSSEI assessment process:
Initial review of the SAP to confirm completeness
Meetings and interviews with the application team to review the contents of the SAP
Final ISO report documenting gaps or risks that have been identified during the assessment, along with a list of recommendations for addressing these risks
Once an MSSEI SAP has been submitted, an IT Security Analyst will be assigned to the assessment and respond to confirm that the SAP has been received. The analyst may ask for additional clarification and will confirm that the SAP is complete before taking further action.
To speed up the process and avoid confusion, the ISO analyst will work with one main contact person to coordinate and pull in additional staff resources when needed (this is the Point of Contact identified in the SAP). The Point of Contact will be asked to assemble members of the “application team”, technical experts who are responsible for all or part of the infrastructure and processes supporting the application.
Meetings and Interviews
During the initial kick-off meeting, ISO will review the SAP application overview with the application team to determine the scope of the assessment engagement (e.g., large-scale enterprise system vs. simpler application system). Based upon the scope of the engagement, ISO will propose a timeline for completion of the assessment. Large-scale applications will often entail multiple meetings to cover all MSSEI requirements, over several weeks.
The IT security analyst will work together with the Point of Contact to schedule meetings and identify the necessary staff resources to participate.
Once the interviews have been completed and the ISO analyst has collected all of the application system details supporting the implementation of the MSSEI requirements, the analyst will prepare an assessment report to be delivered to the application stake-holders.
The report will include:
Gaps identified in the planning or implementation of security control requirements
An assessment of the risk related to each of these gaps (e.g, high, medium, or low risk)
Recommendations for actions to mitigate security risk findings
Depending upon the severity of the risk, the report will include a recommended timeline for remediation. Once the risks identified in the report have been resolved, the SAP should be updated to reflect the new implementation progress status.
To get started with an MSSEI assessment, follow the links below to start filling out the SAP for your application.
- MSSEI Self Assessment Plan (SAP) Step-by-Step Guide
- Download MSSEI Self Assessment Plan Templates:
- Submit Your MSSEI Self Assessment Plan (form requires CalNet login)