FAQ

How are Restricted Data applications and systems monitored?

The Information Security Office (ISO) takes privacy issues very seriously, and we use the same approach for balancing security and privacy for restricted data hosts as for all hosts on campus. Systems are monitored through two methods: monitoring of network traffic crossing the campus border, and vulnerability scanning of hosts on the campus network. The methods used to do this are similar for all hosts on the campus network.

The enhanced services for restricted data hosts are:

Are vendor services available that have already been approved?

Are vendor services available to campus that have already been approved for PL1 or PL2 data?

There are several 3rd-party vendor services that are readily available to campus that have been approved for PL1 and PL2 data.  Campus units that adopt these 3rd-party services for the purpose of storing and sharing covered data can be assured that these vendors meet campus policy requirements.

Campus units that utilize these services for the handling of protected data should keep in mind that careful configuration and management of these applications is required to meet campus policy standards.

How do I request early disabling of CalNet ID or Berkeley email (bMail) accounts?

How do I request early termination of the CalNet or bMail accounts for an ex-employee before the end of the standard 90-day grace period?

Employees have a standard 90-day grace period after they have separated from UC Berkeley, during which they can access limited campus services, such as bMail. In rare cases, a department may want to request early termination of a former employee’s CalNet or Berkeley email (bMail) account before the end of the standard 90-day grace period.

What is the purpose of the Vendor Security Assessment Program?

The Vendor Security Assessment Program is intended to ensure that service providers who handle Protection Level 2 data on behalf of the University meet campus security policy requirements.  This is achieved in two ways:

The Data Security & Privacy Appendix was not included in the vendor contract, what do I do?

The contract with the 3rd-party service provider has already been signed and the UCOP Data Security & Privacy Appendix was not included. How will this affect the vendor security assessment?

For all UC contracts involving third-party access to covered data, the University of California Office of the President (UCOP) requires the inclusion of the Data Security and Privacy Appendix.  The appendix establishes baseline protection for the University in the event of a data breach.  Campus units that engage with service providers to handle covered data must ensure the appendix is included in new contracts without edits.

I have PL1 data, what do I do?

My unit is contracting with a 3rd-party service provider to host campus PL1 classified data. How can the vendor be assessed to meet campus security policies in the absence of ISO resources?

Units can ensure that 3rd-party service providers meet the campus data security policy requirements for the handling of Protection Level 1 (PL1) data through the following actions:

How would I know if my CalNet credentials were compromised?

You may not always know. Scams and malware that steal passwords are designed to be stealthy and unnoticed.
Passwords are most frequently compromised in one of three ways:
  • Being tricked into giving up your credentials at a real-looking but fake website (AKA phishing)
  • Malware or another compromise of your device that installs software designed to run in the background and steal passphrases
  • Re-using CalNet credentials on non-UCB websites that are later hacked, exposing every credential stored there

Who needs to be involved in a vendor security assessment?

The roles that are typically involved in participating with a vendor security assessment include the following:

Security contact X and my security contact used to both claim subnet A. Why can't we still do that?

Overlap is not allowed in NetReg. If two departments share a subnet, then during the data conversion the department that claims the most IP addresses in that subnet will get the entire subnet. The other department will get individual IP addresses.

Additionally, exactly one SC will own and be primarily responsible for an IP address, although other SCs may be provided shared notification.

What are Service Provider Security Contacts and how do they work?

Service Provider Security Contacts (SCs) are a special purpose security contact.  As a service provider, they don't have registered network assets, but they are flagged within NetReg as providing support for another SC.  For example, the Service Provider SC might register devices for the Client SC. Service Provider SCs have "device-based" privileges with the Client SC; they can create, edit and delete devices from the Client SC.
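The two NetReg rules above (subnet overlap resolution during data conversion, and the device-based privileges of a Service Provider SC) can be modelled in a few lines. The following is an added illustration written for this FAQ, not NetReg's own code: the claim data, SC names and the `resolve_overlap` / `authorize` functions are constructed here, and the tie-break rule, the handling of an address claimed by two non-winning departments, and the assumption that a Service Provider SC is granted nothing beyond create/edit/delete on the client's devices are assumptions the FAQ does not state.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# The only actions the FAQ grants a Service Provider SC on a Client SC's devices.
DEVICE_ACTIONS = {"create_device", "edit_device", "delete_device"}


@dataclass
class Registration:
    """One IP address: exactly one owning SC plus optional shared-notification SCs."""
    owner: str
    notify: set = field(default_factory=set)


@dataclass
class SecurityContact:
    name: str
    # Names of Client SCs this contact provides service for (empty for a normal SC).
    service_provider_for: set = field(default_factory=set)


def resolve_overlap(subnet, claims):
    """Apply the data-conversion rule to overlapping claims on one subnet.

    claims maps SC name -> set of IP strings it claimed. Returns
    (subnet_owner, {ip: Registration}); the dict holds the individual
    addresses kept by the departments that did not win the subnet.
    """
    net = ip_network(subnet)
    # Only addresses inside this subnet count towards the claim.
    inside = {sc: {ip for ip in ips if ip_address(ip) in net} for sc, ips in claims.items()}
    inside = {sc: ips for sc, ips in inside.items() if ips}
    if not inside:
        return None, {}
    # The department with the most addresses takes the whole subnet.
    # Assumption: a tie goes to the alphabetically first SC name.
    winner = max(sorted(inside), key=lambda sc: len(inside[sc]))
    registrations = {}
    for sc, ips in inside.items():
        if sc == winner:
            continue
        for ip in sorted(ips):
            reg = registrations.setdefault(ip, Registration(owner=sc))
            if reg.owner != sc:
                # Assumption: when two non-winning departments claimed the same
                # address, the first registered keeps ownership; the other is notified.
                reg.notify.add(sc)
            if ip in inside[winner]:
                # Assumption: the subnet owner gets shared notification on an
                # individually registered address it had also claimed.
                reg.notify.add(winner)
    return winner, registrations


def authorize(actor, action, device_owner):
    """Return True if `actor` may perform `action` on a device owned by `device_owner`.

    The owning SC may do anything with its own devices. A Service Provider SC
    holds only device-based privileges (create/edit/delete) on its Client SC's
    devices. Assumption: no other grant exists, so everything else is denied.
    """
    if actor.name == device_owner:
        return True
    if device_owner in actor.service_provider_for and action in DEVICE_ACTIONS:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample claims; not real campus data.
    owner, regs = resolve_overlap(
        "10.1.2.0/24",
        {"Chem": {"10.1.2.10", "10.1.2.11", "10.1.2.12"},
         "Physics": {"10.1.2.50", "10.1.2.10", "192.168.1.1"}},
    )
    print(owner, regs)
    helpdesk = SecurityContact("CentralIT", service_provider_for={"Chem"})
    print(authorize(helpdesk, "edit_device", "Chem"),
          authorize(helpdesk, "edit_device", "Physics"))
```

In the sample, Chem claims three addresses in 10.1.2.0/24 and Physics two (its 192.168.1.1 claim lies outside the subnet and is ignored), so Chem takes the subnet while Physics keeps 10.1.2.50 and 10.1.2.10 as individual registrations. The `authorize` check shows why the service-provider flag matters: the same actor is allowed to edit Chem's devices but not Physics's, and cannot perform a non-device action even for its client.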