FAQ

How do I request early disabling of CalNet ID or Berkeley email (bMail) accounts?

How do I request early termination of the CalNet or bMail accounts for an ex-employee before the end of the standard 90-day grace period?

Employees have a standard 90-day grace period after they have separated from UC Berkeley, during which they can access limited campus services, such as bMail. In rare cases, a department may want to request early termination of a former employee’s CalNet or Berkeley email (bMail) account before the end of the standard 90-day grace period.

What is a "3rd-party service provider"?

What is a "vendor" or a "3rd-party service provider"?

A "vendor" or "3rd-party service provider" is an entity (e.g., a person or a company), separate from the University, that offers something for sale.  The typical types of vendor services that require an ISO vendor security assessment are technologies used to store, process, and/or transport protected data on behalf of the University, such as:

Are vendor services available that have already been approved?

Are vendor services available to campus that have already been approved for UC P2/3 (formerly UCB PL1) or UC P4 (formerly UCB PL2) data?


There are several 3rd-party vendor services that are readily available to campus that have been approved for UC P2/P3 (formerly UCB PL1) or UC P4 (formerly UCB PL2) data.  Campus units that adopt these 3rd-party services for the purpose of storing and sharing covered data can be assured that these vendors meet campus policy requirements.

Can I use the shared firewall service if I store sensitive or protected data?

No. 

How are Protected Data applications and systems monitored?

The Information Security Office (ISO) takes privacy issues very seriously, and we use the same approach for balancing security and privacy for protected data hosts as for all hosts on campus. Monitoring of systems occurs through two methods, monitoring of network traffic crossing the campus border and vulnerability scanning of hosts on the campus network. The methods used to do this are similar for all hosts on the campus network.

The enhanced services for protected data hosts are:

Who is responsible for my data?

By engaging with a service provider, you have the responsibility as the Resource Proprietor for ensuring compliance with laws, regulations and policies, including standards (UC Business Finance Bulletin IS-2 and IS-3).

What is the purpose of the Vendor Security Assessment Program?

The Vendor Security Assessment Program is intended to ensure that service providers who handle UC P4 (formerly UCB PL2) data on behalf of the University meet campus security policy requirements.  This is achieved in two ways:

The contract has already been signed, what do I do?

My unit is contracting with a 3rd-party service provider for the handling of campus protected data. The contract has already been signed, should I still engage with ISO for a vendor security assessment?


Although there is less bargaining power with the service provider to address security concerns after the contract has already been signed, it is still a good idea to perform a vendor security assessment for service providers who are handling UC P3 or P4 (formerly UCB PL2+) data:

I have UC P2/3 (formerly UCB PL1) data, what do I do?

My unit is contracting with a 3rd-party service provider to host campus UC P2/3 (formerly UCB PL1) classified data. How can the vendor be assessed to meet campus security policies in the absence of ISO resources?


Units can ensure that 3rd-party service providers meet the campus data security policy requirements for the handling of UC P2/3 (formerly UCB PL1) data through the following actions:

The Data Security & Privacy Appendix was not included in the vendor contract, what do I do?

The contract with the 3rd-party service provider has already been signed and the UCOP Data Security & Privacy Appendix was not included. How will this affect the vendor security assessment?

For all UC contracts involving third-party access to covered data, the University of California Office of the President (UCOP) requires the inclusion of the Data Security and Privacy Appendix.  The appendix establishes baseline protection for the University in the event of a data breach.  Campus units that engage with service providers to handle covered data must ensure the appendix is included in new contracts without edits.