NetReg Best Practices

Registration & Incident Notification - Overview

Below is a high-level description of how information is routed across NetReg and Sock (and its sensors and scanners) to produce security incident notifications. Complete and accurate information input into the system is imperative for information security and to safeguard Protected Data.

NetReg - Asset registration

(1) A Security Contact registers in NetReg the Assets for which it is responsible. It also defines Protected Data (PD) Applications (which include its own and possibly other Unit Security Contacts’ assets).

Sock - Incident Management

(2) Sock, the Campus Incident Management System, uses the PD Application and Service registration information to:

  • (3) Initiate enhanced scanning of PD Assets 
  • (4) Set the significance of other incoming security events 
  • (5, 6) Route security incident notices back to Security Contacts 

Registration & Incident Notification - Diagram

[Figure: NetReg and Sock diagram]

Periodically Review Registrations

Things change and people move out of roles; therefore, it's important to periodically review your registrations and, specifically, to look for the following:

1. Membership

Periodically review your Security Contacts and their membership. Review registered assets (subnets, IP addresses, offsite hostnames and devices) for completeness and correctness.

To review membership of a Security Contact, click ‘View Security Contact’ from the sidebar. This will display the Name, the Org node (or Parent Security Contact), the email address of the Security Contact role, and members. 

Things to look for: 

  • Is the Security Contact email address correct? This is the email address that is used by ISO to send security notices. 
  • Is the member list correct and complete? 
  • Does at least one member have ‘Receive FYI Email?’ set to Yes? 
  • Does at least one member have Admin privilege within the Security Contact? 

2. Registered Assets 

There are two ways to review the registered assets: click on “List Network Assets” or click directly on the item in the left sidebar. 

List Network Assets 

To see a simple, abbreviated list of all your registered assets, click on the blue “List Network Assets” link in the left sidebar. This will display any items that are registered in the following categories:

  • Subnets 
  • IP Addresses 
  • Subdomains 
  • Offsite Hostnames 
  • CC IP Addresses 
  • Devices 
  • Protected Data Applications 
  • Protected Data Services 

Tip: reviewing this list is a good first step. If the list is short, this may be the only review needed for the Security Contact. Otherwise, the list can help point to which categories need a more thorough review. 

Sidebar Direct Links 

The other method is to click directly on the asset class (category) in the left sidebar. 

Use the sidebar link for each type of asset. This is particularly necessary for reviewing Subnets, Offsite Hostnames, Register Devices for DHCP Service, IP Addresses, and Protected Data Applications. 

Subnets and IP addresses 

Click the ‘Subnets’ and ‘Subnet Firewall Information’ sidebar options. 

‘Subnets’ displays a complete list of each registered subnet claimed by the Security Contact or where it has at least one registered IP address. It also displays the highest Protection Level of any asset on the subnet and whether it is protected by a firewall.

Tip: look for subnets with registered protected data but without firewall protection; these will need to be addressed. 

‘Subnet Firewall Information’ displays detailed protection level and firewall information for the subnets registered to this Security Contact, namely the highest Protection Level of any asset on the subnet and specific firewall information, such as firewall name, zone name, etc. 

Offsite Hostnames 

Click the ‘Offsite Hostname’ sidebar option. 

‘Offsite Hostname’ displays a list of any websites that your Unit hosts “offsite”. 

Things to look for: 

  • Are there offsite hostnames with a Protection Level above P1? Is that still correct?
  • Are there offsite hostnames in a requested status? If so, there is an open ticket with ISO requesting more information or confirmation. 

Subdomains 

Click the ‘Subdomain’ sidebar option. 

The subdomains page displays a list of any subdomains registered by Security Contacts. Subdomains are DNS subdivisions within Berkeley.EDU, for example security.berkeley.edu. These subdomains are usually registered to facilitate self-service DHCP registration. 

Things to look for: 

  • Is the list complete and correct? 
  • If there are obsolete subdomains that need to be removed from DNS, contact the Campus DNS Administrator at dns@berkeley.edu.

CC IP Addresses 

Click the ‘CC Security Contact IP Addresses’ sidebar option. These are IP addresses for which one Security Contact is responsible and for which another would like to be notified of any security incident because it has other assets on the same subnet. 

Things to look for: 

  • Is the list complete and correct? 

Devices 

Click the ‘Register Devices for DHCP Service’ sidebar option. 

This screen displays all devices (MAC addresses) registered to the Security Contact for DHCP service. If the Fixed DHCP IP Address is protected by a firewall it will be indicated to the right of the IP address with a ‘fire’ icon. 

Things to look for: 

  • University-owned devices should be registered to a Unit Security Contact and not to individuals. (This is particularly true if the device is part of a Protected Data Application.) 
  • Only personally-owned devices should be registered to individuals. If that is not the case, a list of MAC addresses for the personally-owned devices will need to be sent to netreg@berkeley.edu along with the name of the Security Contact the devices should be registered to. 

3. Protected Data Applications and Services

Review Applications/Services:

Security Contacts will be sent a notice annually to review PD Application or Service registrations. Security Contacts will need to log into NetReg and review the PD Application (or Service) attributes and network components and make any necessary changes or updates. If nothing needs to be changed, simply 'Edit' and 'Save' the PD Application (or Service) itself.

  • Review Protection Level(s) and record quantity

  • Review components:

    • Subnets and Offsite Hostnames should be registered to a Unit Security Contact (not an individual)

    • Devices: University-owned devices should be registered to a Unit Security Contact (not an individual)

  • A component's Unit Security Contact does not need to be the same as the Unit Security Contact that registers the PD Application. PD Applications should be registered to the Unit Security Contact that is responsible for responding to security incidents involving the components. If you aren’t sure, contact netreg@berkeley.edu.

For PD Service Owners: In addition to reviewing all of the above, review which PD Applications are consuming your PD Services.

For PD Partners: If one Security Contact's asset is used in another Security Contact's PD Application, that makes the first Security Contact a partner of the PD Application. Partners can add and remove their own components from the PD Application. Partners will be notified when their asset is included in someone else's PD Application. If a Security Contact feels that is incorrect, they can remove the component or contact netreg@berkeley.edu.

Protection Level Matching:

A component within a PD Application should have a PL number equal to or higher than the PD Application it is a component of. That is, the controls applied to a component should be better than, or equal to, the controls necessary to protect data within the PD Application. 

For example: a “Medium-Secret Application” with P3 data can consume a PD Service “Encrypted Backup Service” as long as the service is rated for P3 or above. If the service is only rated for P2, then NetReg will alert the Security Contact.

Registering Components:

All components within a PD Application should be registered. In the case of devices, they should be registered to a Unit Security Contact as opposed to an Individual.

Protected Data Applications with No Components:

Each PD Application registration includes certain attributes (name, description, protection level, record count, etc.) AND one or more network components (IP address, Subnet, Device, etc.). The first set of information is necessary to classify the PD Application appropriately. The second set is necessary to correctly identify the components within the PD Application and, more importantly, to give the Information Security Office (ISO) information on which network assets to monitor. Until you add at least one network component to the PD Application, this registration does NOT result in increased protection from ISO.
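
The checks described under Protection Level Matching, Registering Components, and Protected Data Applications with No Components can be run together over a list of registrations. The following is an added example, not NetReg code: the record layout, field names, and sample data are constructed for illustration, since the page does not show a NetReg export format.

```python
from dataclasses import dataclass, field

@dataclass
class Component:
    kind: str        # "subnet", "device", "offsite_hostname", "pd_service", ...
    name: str
    level: str       # Protection Level, e.g. "P2"
    owner_type: str  # "unit" or "individual" (hypothetical field name)

@dataclass
class PDApplication:
    name: str
    level: str
    components: list = field(default_factory=list)

# Component kinds the page says should belong to a Unit Security Contact.
UNIT_ONLY = {"subnet", "offsite_hostname", "device"}

def pl(level: str) -> int:
    """Turn 'P3' into 3 so Protection Levels can be compared."""
    return int(level.strip().upper().lstrip("P"))

def review(app: PDApplication) -> list:
    """Return one finding per rule violation for a single PD Application."""
    findings = []
    if not app.components:
        findings.append(f"{app.name}: no network components, so no increased protection from ISO")
    for c in app.components:
        if pl(c.level) < pl(app.level):
            findings.append(f"{app.name}: {c.kind} {c.name} is {c.level}, below application {app.level}")
        if c.kind in UNIT_ONLY and c.owner_type != "unit":
            findings.append(f"{app.name}: {c.kind} {c.name} is registered to an individual")
    return findings

# Constructed sample data, built around the page's own P3/P2 example.
APPS = [
    PDApplication("Medium-Secret Application", "P3", [
        Component("pd_service", "Encrypted Backup Service", "P2", "unit"),
        Component("device", "00:00:5e:00:53:01", "P3", "individual"),
        Component("subnet", "192.0.2.0/24", "P4", "unit"),
    ]),
    PDApplication("Unlinked Application", "P2"),
]

def review_all(apps=APPS) -> list:
    return [finding for app in apps for finding in review(app)]

if __name__ == "__main__":
    print("\n".join(review_all()))
```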

Making Changes & Updates 

If changes to the Security Contact’s registered assets are needed, someone in the Security Contact role with the appropriate level of access should be able to perform these updates. 

For more substantial changes, such as: 

  • A Security Contact needs to be reorganized 
  • Assets need to be moved from one Security Contact to another 
  • A Security Contact needs to be retired 
  • A Security Contact needs to be moved into a subgroup beneath a parent 

send an email to netreg@berkeley.edu describing the change needed and our office will work with you. 


Please contact netreg@berkeley.edu with any questions or for additional support.