What is the purpose of the Vendor Security Assessment Program?

The Vendor Security Assessment Program is intended to ensure that service providers who handle UC P4 data on behalf of the University meet campus security policy requirements. This is achieved in two ways:

By evaluating the vendor's security controls in comparison to campus policy. Ensuring that the UCOP Data Security & Privacy Appendix is included in the vendor contract to...

The contract has already been signed, what do I do?

My unit is contracting with a 3rd-party service provider for the handling of campus protected data. The contract has already been signed, should I still engage with ISO for a vendor security assessment?

Although there is less bargaining power with the service provider to address security concerns after the contract has already been signed, it is still a good idea to perform a vendor security assessment for service providers who are handling UC P3 or P4 data:

If the overall risk level is acceptable, the unit is assured that the vendor meets campus policy for the protection of...

Are vendor services available that have already been approved?

Are vendor services available to campus that have already been approved for UC P2/3 or UC P4 data?

There are several 3rd-party vendor services that are readily available to campus that have been approved for UC P2/P3 or UC P4 data. Campus units that adopt these 3rd-party services for the purpose of storing and sharing covered data can be assured that these vendors meet campus policy requirements.

Campus units that utilize these services for the handling of protected data should keep in mind that careful configuration and management of these applications is required to meet campus policy standards.

UC P4...

I have UC P2/3 data, what do I do?

My unit is contracting with a 3rd-party service provider to host campus UC P2/3 classified data. How can the vendor be assessed to meet campus security policies in the absence of ISO resources?

Units can ensure that 3rd-party service providers meet the campus data security policy requirements for the handling of UC P2/3 data through the following actions:

Be sure to include the UCOP Data Security & Privacy Appendix, required for all UC contracts involving 3rd-party access to protected data, without edits, in the service provider contract. This ensures baseline...

Can I self-register Dynamic DNS hostnames?

Yes. Security Contacts can assign a Dynamic DNS (DDNS) hostname to a device when using Dynamic IP addressing (DDNS is not available for devices registered with a Fixed IP address assignment). Please review the "Register Devices" page in the NetReg documentation for details.

Note: Dynamic DNS hostnames will be reviewed by the campus DNS Administrator and changed if inappropriate.

What email address should I use for my security contact?

The email address should reach multiple people via a listserv, group address, or, ideally, a CalNet SPA account so that security incidents involving a department or group's IT Resources receive prompt attention. CalNet SPAs (Special Purpose Accounts) are CalNet IDs that can be shared by multiple users for collaborative purposes, and are recommended for this purpose.


How to Respond to Campus Blocking RDP Open to Internet Ticket


Running Remote Desktop Protocols (RDP) open to the Internet has become a significant threat to campus and RDP access must be secured according to the “How can I secure my remote connection” section below. The Information Security Office will notify users through our ticketing system upon detection of RDP open to the Internet.

Who is affected:

People using personally-managed or -owned computers and who have no restrictions for remote access to the campus computer they are connecting...

What do I do if I believe my system has been infected by Ransomware?

Signs your system may have been infected by Ransomware:

Your web browser or desktop is locked with a message about how to pay to unlock your system and/or your file directories contain a "ransom note" file that is usually a .txt file All of your files have a new file extension appended to the filenames Examples of Ransomware file extensions: .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA...

How would I know if my CalNet credentials were compromised?

You may not always know. Scams and malware that steal passwords are designed to be stealthy and unnoticed. Passwords are most frequently compromised one of three ways: Being tricked to giving up your credentials at a real-looking but scam website (AKA Phishing) Malware or other compromises of your device which installs software designed to run in the background and steal passphrases Re-using CalNet credentials for non-UCB websites, and the non-UCB websites are hacked and all credentials exposed

However, a couple of tell-tale signs of credential compromise are:

Your colleagues and...

How do I request early disabling of CalNet ID or Berkeley email (bMail) accounts?

How do I request early termination of the CalNet or bMail accounts for an ex-employee before the end of the standard 90-day grace period?

Employees have a standard 90-day grace period after they have separated from UC Berkeley, during which they can access limited campus services, such as bMail. In rare cases, a department may want to request early termination of a former employee’s CalNet or Berkeley email (bMail) account before the end of the standard 90-day grace period.

Departments can contact itpolicy@berkeley.edu to discuss how to...