What should I do if my Vendor receives a Low (Recommended) or Medium (Recommended with Stipulations) risk rating for a Vendor Security Assessment (VSA)?
If the Vendor receives a Low (Recommended) or Medium (Recommended with Stipulations) risk rating, we recommend the following steps:...
Running Remote Desktop Protocol (RDP) open to the Internet has become a significant threat to campus, and RDP access must be secured according to the “How can I secure my remote connection” section below. The Information Security Office will notify users through our ticketing system upon detection of RDP open to the Internet.
Who is affected:
People using personally-managed or -owned computers and who have no restrictions for remote access to the campus computer they are connecting...
Security best practices, as well as campus Minimum Security Standards for Network Devices (MSSND), require the use of supported software for which the vendor will make security updates available in a timely fashion. As vendors are unable to support all previous versions of software, older programs are dropped from support and must be upgraded or removed from the network. It is especially important to be aware of your operating system “end of life”, as major upgrades often require time and planning....
You may not always know. Scams and malware that steal passwords are designed to be stealthy and go unnoticed. Passwords are most frequently compromised in one of three ways:
Being tricked into giving up your credentials at a real-looking but fraudulent website (also known as phishing)
Malware or other compromises of your device that install software designed to run in the background and steal passphrases
Re-using CalNet credentials on non-UCB websites; when those websites are hacked, all of their stored credentials are exposed
However, a couple of tell-tale signs of credential compromise are:
For evaluating cloud service providers that handle P4 data on behalf of the University, the Information Security Office offers the Vendor Security Assessment Program (VSAP). The VSAP is intended to ensure that campus third-party service providers adhere to the same baseline level of security practices required for campus systems and applications that contain protected information and are managed and maintained by internal campus resources.
The distinction here is that just because there is a contract in place with a supplier doesn't mean that it is appropriate for all use cases.
An example is our Google agreement which will meet the overwhelming majority of our needs in the e-mail/calendar space, but that is not HIPAA compliant and as such is not a good fit for use cases where Protected Health Information is in play. For assistance with IT policy questions, contact security-policy@berkeley.edu.
How do I request early termination of the CalNet or bMail accounts for an ex-employee before the end of the standard 90-day grace period?
Employees have a standard 90-day grace period after they have separated from UC Berkeley, during which they can access limited campus services, such as bMail. In rare cases, a department may want to request early termination of a former employee’s CalNet or Berkeley email (bMail) account before the end of the standard 90-day grace period.