Protected Data Applications

Please note: If you are connecting to socreg.berkeley.edu from OFF CAMPUS you must first connect to the campus VPN to access the portal.

Security Contacts can register Protected Data (PD) Applications or systems that handle, store, or transmit institutional data restricted by laws and policies. This registration information is used to provide enhanced monitoring to the components within the PD Application and, in the case of a security incident, the registration information will serve as an inventory of what components may be involved. It is appropriate to register the same component in more than one PD Application if it is used that way. Read How are PD applications monitored? for more information.

Security Contacts are required  to register PD Applications, including their components. They are also required to review the registration information at least annually for completeness and correctness. 

Registration for applications or information systems with a Protected Data classification of P2 and higher is required. See the Berkeley Data Classification Standard to understand your application's classification level.

Registration for applications or information systems with an Availability Level (AL) classification of A3 and higher is highly recommended. See Classification of Availability Levels for summary definitions and key examples of each level.

Terms

Term

Definition

PD Application

Any IT system (application, service, collection of devices, etc.) that stores, transmits, or otherwise handles institutional data classified as UC P2 or higher as defined by the Berkeley Data Classification Standard

PD Services

Shared IT services provided to multiple Campus units. Typically, these are Berkeley IT-managed services or other centralized IT services broadly available to Campus. PD Services can be components of PD Applications. Each PD Service is managed by its own Security Contact and can be a part of multiple PD Applications.

Subnets

Subnets are blocks of IP Address space and can be components of a PD Application.

IP Addresses

IP Addresses are network addresses and can be components of a PD Application.

Offsite Hostnames

Offsite Hostnames are Fully Qualified Domain Names (FQDN) in the Internet’s Domain Name Service (DNS).  Offsite hostnames are within the ‘Berkeley.EDU’ domain but resolve to a non-Berkeley IP Address. Offsite Hostnames can be components of a PD Application.

Devices 

Devices are specified by Ethernet MAC Address, which are unique identifiers tied to a network interface of a particular device. Devices can be components of a PD Application.

Security Contact

The Security Contact that registered the components used within a PD Application.  See <link>. 

PD Application Owner

A PD Application Owner is the Security Contact that maintains the registration of a PD Application.

PD Application Attributes

A description of each field and expected input is shown below:

Form Field

Expected Input

Example

PD Application Name

A human readable, friendly name for your PD Application.

My Web App

Description

A brief description of your PD Application, its function, and types of data handled. Include any common names/acronyms of the application.

The My UC P3 Web App (MPWA) stores student and staff Social Security Numbers for the purposes of enrollment.

Data Protection Level

Select the appropriate Data Protection Level for your PD Application according to the Berkeley Data Classification Standard

P3

Data Protection Level Approved

Whether ISO has reviewed and approved the Data Protection Level. (Field designated by ISO)

Availability Level

Impact on Business operations if the application or system goes down.

A3

Availability Level Approved

Whether ISO has reviewed and approved the Availability Level. (Field designated by ISO)

Application URLs

A list of URLs or Windows file share URLs used to access or identify your application or system.

https://mpwa.berkeley.edu\\mpwa.berkeley.edu\P3_File_Share

Record Quantity

Approximate number of data records stored, transmitted, or handled by your application.

> 5000

Link to Review Document

If a review has been completed by ISO, a link will be available here. (Field designated by ISO)

https://docs.google.com/def4

PD Application Components

PD Applications are made up of Cloud Accounts, Cloud Services, bIT Services, Subnets, IP Addresses, Subdomains, Offsite hostnames, and Devices. 

Each of the above components can be registered to any Security Contact, not just the PD Application Owner. This model is designed to accommodate PD Applications consisting of multiple components managed by different groups or individuals.

For some components, you must choose a Scope:

Institutional Device

Use this Scope for servers, credential stores, and other large data stores of Protected Data.

Privileged Access Device

Use this Scope for devices where credentials are entered in order to gain privileged access (root, Administrator, database admin, etc.) to Institutional Devices handling Protected Data. Usually this Scope is specified for administrative endpoints or management devices.


Please contact socreg@berkeley.edu for any questions or additional support.