A Security Contact is a group of authorized members who register IT Resources and receive security notices involving those resources.
The email address for a Security Contact should reach multiple people so that security incidents receive prompt attention. This can be accomplished by using a CalNet SPA, listserv, bConnected List, group email address, or any other type of email address that is monitored by, and reliably reaches, more than one person.
One significant advantage of Socreg is its different types of Security Contacts: Department, Group, Individual, Service Provider, and Client. These types allow the application to support the different ways IT is managed within departments and groups, and to correctly route security notices to the responsible party.
Department Security Contact
The Department Security Contact is the Security Contact whose members respond to security notices, including routing as necessary, for a University organization or department. By definition, they are associated with an Org node in the organizational tree. Only Department Security Contacts can have child Security Contacts (i.e., Group Security Contacts).
The initial creation of a Department Security Contact requires review by the Information Security Office (ISO).
Group Security Contact
Group Security Contacts are created by Department Security Contacts when a separation of responsibility is necessary. Group Security Contacts will not have an Org node set but will have a Department Security Contact “parent”.
Both Group Security Contacts and Department Security Contacts have the same functionality within Socreg: they can claim, request, and transfer IP address entities. They have membership, receive and respond to security notices, and can register devices for use with the Campus DHCP service. Group Security Contacts do not have an Org node, but must have a parent Department Security Contact so that security incident reporting can ‘roll up’ to Org nodes within the organizational tree. Group Security Contacts themselves cannot have children so as to avoid the situation where Group Security Contacts link to each other but not to a parent Department Security Contact.
Group Security Contacts can be created for a variety of reasons:
Separating devices into sets that receive (or do not receive) IT support from a Service Provider Security Contact (see below).
Creating sets of members for the purpose of providing service, as described above, i.e., a Group Security Contact acting as a Service Provider.
When the response to security incidents is the responsibility of different groups, e.g., a research lab within a department.
Note: It is not necessary to use Group Security Contacts to provide or receive support from another Security Contact, but it may make it more convenient.
When someone in a Department Security Contact creates a Group Security Contact, they will be added as the first member and can then add additional members. The Group Security Contact is authorized by the Department Security Contact to register devices and Protected Data Applications, claim IP addresses, and so on. A person can be a member in both the Department and Group Security Contacts. In addition, notices sent to the Group Security Contact can also be sent to the parent Department Security Contact. This configuration option is set by the parent Department Security Contact.
Currently, there is no restriction on how many Department Security Contacts can exist at a given Org node in the organizational tree. However, to maintain accountability and strong authorization processes, it is highly recommended that as few Department Security Contacts as possible exist at an Org node. The use of Group Security Contacts to separate areas of responsibility within a department is preferred to using multiple Department Security Contacts.
Department and Group Security Contacts are collectively known as Unit Security Contacts.
Privilege Levels for Security Contact Members
Security Contact members can have one of the following privilege levels: View-only, Device, IP Information, and Admin.
Members with ‘View-only’ privilege level can view registered assets, but cannot alter them.
Members with ‘Device’ privilege level can add or edit Device registrations.
Members with ‘IP Information’ privilege level can add or edit Device registrations AND add or edit any IP address information: Subnets, IP Addresses, Subdomains, Offsite Hostnames, CC IP Addresses, PD Applications and Services.
Members with ‘Admin’ privilege level can add or edit Devices, IP information AND Security Contact information (Name, Email address, Membership).
Individual Security Contacts
Each user of Socreg can request membership in other Security Contacts or request creation of a Group Security Contact within a Department Security Contact. Users can register personally owned devices for use with the campus DHCP service, and they can request approval for a new Offsite hostname. However, part of the approval process will be determining which Unit Security Contact should be the home of the Offsite hostname.
Service Provider Security Contact
The Service Provider Security Contact provides IT management for another Security Contact, or ‘Client’. As part of providing service, they may need to update information belonging to the Client Security Contact (e.g., the Service Provider might register devices for the Client). Service Providers can be a Group or Department. For example, a Security Contact may have some devices that are managed by another party (e.g., an IT group in another department or IT Client Services).
Notifications about security events (compromises, vulnerabilities, etc.) will go to members of both the Service Provider and Client Security Contacts. Security reports will show incidents belonging to both the Service Provider and Client Security Contacts, in their respective parent departments.
Client Security Contact
The Client Security Contact is the customer of a Service Provider and can be a Group or Department Security Contact. The Client Security Contact selects the Service Provider from a list within Socreg. Before selecting a Service Provider, be sure to contact them first to go through their onboarding process.
Service Providers and Privilege Level within a Client Security Contact
Service Providers may be granted the following privilege level functionality within a Client Security Contact:
Members with ‘Device’ privilege level can add or edit Device registrations for Client Security Contacts.
Members with ‘IP Information’ privilege level can add or edit Device registrations AND add or edit any IP address information for Client Security Contacts.
Regardless of the member’s privilege level within the Service Provider Security Contact, Service Providers cannot modify Security Contact information for their clients.
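The rules above (Department contacts sit on an Org node, Group contacts need a Department parent and cannot have children, the four privilege levels, notice forwarding, and the cap on what a Service Provider may change inside a Client) are easy to get subtly wrong when a team builds its own inventory or ticket-routing glue around Socreg. The following Python model is an added example written for this page; it is not Socreg's own code, and the class and function names (SecurityContact, Privilege, can_edit, notice_recipients, org_node_for) and the sample contacts and addresses are constructed for illustration. One assumption not stated on the page is also labelled in the code: a Service Provider member's effective privilege in a Client is the lower of their own level in the provider contact and the level the Client granted.

```python
"""Model of the Socreg Security Contact rules described on this page.

Added illustration, not Socreg's own code. All names and sample data are
assumptions chosen for the example; the rules encoded come from the page.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Privilege(IntEnum):
    """Member privilege levels, ordered so a higher level includes the lower ones."""
    VIEW_ONLY = 0
    DEVICE = 1
    IP_INFORMATION = 2
    ADMIN = 3


# Kinds of data a member may change, grouped the way the page groups them.
DEVICE_DATA = "device"    # Device registrations
IP_DATA = "ip"            # Subnets, IP addresses, subdomains, offsite hostnames, ...
CONTACT_DATA = "contact"  # Security Contact name, email address, membership

REQUIRED_PRIVILEGE = {
    DEVICE_DATA: Privilege.DEVICE,
    IP_DATA: Privilege.IP_INFORMATION,
    CONTACT_DATA: Privilege.ADMIN,
}

# A Service Provider can never modify Security Contact information for a client,
# so the highest level a client may grant is IP Information.
SERVICE_PROVIDER_CEILING = Privilege.IP_INFORMATION


@dataclass
class SecurityContact:
    name: str
    kind: str                                    # "department" or "group"
    email: str                                   # should reach more than one person
    org_node: Optional[str] = None               # only Department contacts have one
    parent: Optional["SecurityContact"] = None   # only Group contacts have one
    members: dict = field(default_factory=dict)  # user -> Privilege
    service_provider: Optional["SecurityContact"] = None
    sp_privilege: Privilege = Privilege.DEVICE   # level granted to the provider
    forward_to_parent: bool = False              # set by the parent Department

    def __post_init__(self):
        # Structural rules: Departments have an Org node and no parent; Groups have a
        # Department parent and no Org node. Requiring a Department parent is what
        # stops Groups from having children of their own.
        if self.kind == "department":
            if self.org_node is None or self.parent is not None:
                raise ValueError("Department contacts need an Org node and no parent")
        elif self.kind == "group":
            if self.parent is None or self.parent.kind != "department":
                raise ValueError("Group contacts need a Department parent")
            if self.org_node is not None:
                raise ValueError("Group contacts do not have an Org node")
        else:
            raise ValueError(f"unknown contact kind {self.kind!r}")
        if self.sp_privilege > SERVICE_PROVIDER_CEILING:
            raise ValueError("Service Providers cannot be granted Admin in a client")


def can_edit(user: str, contact: SecurityContact, data_kind: str) -> bool:
    """True if `user` may add or edit `data_kind` within `contact`."""
    needed = REQUIRED_PRIVILEGE[data_kind]
    if user in contact.members:
        return contact.members[user] >= needed
    sp = contact.service_provider
    if sp is not None and user in sp.members:
        # Assumption (not stated on the page): a provider member acts with the
        # lower of their own level and the level the client granted, capped so
        # contact information is never editable by a provider.
        effective = min(sp.members[user], contact.sp_privilege, SERVICE_PROVIDER_CEILING)
        return effective >= needed
    return False


def notice_recipients(contact: SecurityContact) -> set:
    """Addresses that receive a security notice about one of `contact`'s assets."""
    recipients = {contact.email}
    if contact.service_provider is not None:       # provider and client both notified
        recipients.add(contact.service_provider.email)
    if contact.kind == "group" and contact.forward_to_parent:
        recipients.add(contact.parent.email)       # optional roll-up to the Department
    return recipients


def org_node_for(contact: SecurityContact) -> str:
    """Org node that incident reporting for `contact` rolls up to."""
    return contact.org_node if contact.kind == "department" else contact.parent.org_node


# Constructed sample contacts (not real campus units or addresses).
dept = SecurityContact("Example Dept IT", "department", "exdept-sec@example.edu",
                       org_node="EXDPT", members={"alice": Privilege.ADMIN})
provider = SecurityContact("Example IT Client Services", "department",
                           "exitcs-sec@example.edu", org_node="EXITCS",
                           members={"carol": Privilege.ADMIN, "dave": Privilege.DEVICE})
lab = SecurityContact("Example Lab", "group", "exlab-sec@example.edu", parent=dept,
                      members={"bob": Privilege.DEVICE}, service_provider=provider,
                      sp_privilege=Privilege.IP_INFORMATION, forward_to_parent=True)

if __name__ == "__main__":
    print(can_edit("bob", lab, DEVICE_DATA), can_edit("bob", lab, IP_DATA))      # True False
    print(can_edit("carol", lab, IP_DATA), can_edit("carol", lab, CONTACT_DATA))  # True False
    print(sorted(notice_recipients(lab)), org_node_for(lab))
```

The checks worth keeping in mind when wiring something like this into a real workflow: a Service Provider admin (carol) can edit the lab's IP information but still cannot touch its membership, a Department admin (alice) has no implicit rights in a child Group unless added as a member, and an attempt to hang a Group under another Group, or to grant a provider Admin, is rejected at construction rather than discovered later in an audit.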