MSSEI Assessment Overview
Information Security and Policy (ISP) offers an assessment service following the security requirements of MSSEI to identify technical and procedural weaknesses in campus applications that store, process or transmit Protection Level 2 (PL2) and Protection Level 3 (PL3) data. As part of the MSSEI Assessment service, ISP will also develop a list of recommended actions to reduce the security risk to institutional data. Below is a diagram showing an overview of the MSSEI Assessment process activities.
The first step in the MSSEI Assessment process is for Resource Proprietors and/or Application Coordinators to complete and submit a MSSEI Self Assessment Plan (SAP). The purpose of a SAP is to gather general information about the application and to describe the security controls in place, or planned, to meet each MSSEI requirement. It is the responsibility of the Resource Proprietors to ensure the SAP accurately describes how the security procedures and tools are implemented now or will be implemented in the future. Resource Proprietors, working with an Application Coordinator who is familiar with the application and related systems, can use one of the two security plan templates (PL1, PL2+) to complete the documentation. For specific instructions on how to complete and submit the Self Assessment Plan, please refer to this step-by-step guide. Completion of the SAP is a prerequisite for the ISP assessment team to continue the assessment process.
For PL2+ applications, within 2 weeks after the SAP is submitted, a Security Analyst from ISP will respond via email to confirm that the SAP is complete and unambiguous. The Security Analyst may solicit additional clarification from the Resource Proprietor and Application Coordinator to ensure ISP has the information needed to proceed with the MSSEI assessment. Once the SAP review is done, the Security Analyst will also schedule the application for an assessment by ISP, based on the availability of the assessment team and application stakeholders.
At the start of the ISP Assessment step, Security Analysts from ISP will sit down with the Resource Proprietor and other key stakeholders to plan out the details of the assessment process, including scope and timeline. Confirming the scope may include confirming the systems to be reviewed, the systems NOT to be reviewed, the data classification, etc. Based on the scope and the availability of Security Analysts and the application team, a more definitive timeline will be developed for the entire assessment process, including dates for interviews, milestones, and debriefing.
To help speed up coordination and avoid confusion, the Security Analysts will need access to a main contact person on the application team who can coordinate and pull in technical experts when needed. This is the Application Coordinator role identified in the Self Assessment Plan. The Security Analysts may also need access to the technical experts who are responsible for all or part of the infrastructure supporting the application.
Once the planning activities are finished, Security Analysts will move on to perform the assessment activities, including interviews, evidence collection and security analysis. The results of these assessment activities will be summarized in an assessment report showing findings in areas where MSSEI requirements are not met, as well as recommendations on how to meet MSSEI requirements and better protect the institutional data at risk.
For PL1 applications, while it is not required to submit a SAP to ISP, Resource Proprietors are required to meet the MSSEI PL1 requirements per campus policy. ISP strongly recommends that Resource Proprietors and Resource Custodians use the SAP template to document the security controls in place and to record how PL1 applications are meeting their obligation to protect non-public institutional data. For applications using student data, a SAP will help to meet FERPA documentation requirements for recording any unauthorized disclosure of student education data. A well-documented SAP will also serve as a valuable resource in the event of a security incident, where a timely response may require detailed information about all relevant systems.
If Resource Proprietors or Application Coordinators have trouble understanding the MSSEI requirements for PL1 applications, please email firstname.lastname@example.org.
To get started with a MSSEI assessment, follow the links below to begin filling out the SAP for your application.
- MSSEI Self Assessment Plan (SAP) Step-by-Step Guide
- Download MSSEI Self Assessment Plan Templates:
  - PL1 SAP Template (Google Docs -> File -> Make a Copy)
  - PL2 SAP Template (Google Docs -> File -> Make a Copy)
- Submit Your MSSEI Self Assessment Plan (CalNet login required)