I have UC P2/3 (formerly UCB PL1) data, what do I do?

My unit is contracting with a 3rd-party service provider to host campus UC P2/3 (formerly UCB PL1) classified data. How can the vendor be assessed to meet campus security policies in the absence of ISO resources?

Units can ensure that 3rd-party service providers meet the campus data security policy requirements for the handling of UC P2/3 (formerly UCB PL1) data through the following actions:

The Data Security & Privacy Appendix was not included in the vendor contract, what do I do?

The contract with the 3rd-party service provider has already been signed and the UCOP Data Security & Privacy Appendix was not included. How will this affect the vendor security assessment?

For all UC contracts involving third-party access to covered data, the University of California Office of the President (UCOP) requires the inclusion of the Data Security and Privacy Appendix.  The appendix establishes baseline protection for the University in the event of a data breach.  Campus units that engage with service providers to handle covered data must ensure the appendix is included in new contracts without edits.

Who needs to be involved in a vendor security assessment?

The roles that are typically involved in participating with a vendor security assessment include the following:

Security contact X and my security contact used to both claim subnet A. Why can't we still do that?

Overlap is not allowed in NetReg. If two departments share a subnet, during the data conversion the department who claims the most IP addresses for that subnet will get the entire subnet. The other department will get individual IP addresses.

Additionally, one SC will own and be primarily responsible for an IP address, although other SCs may be provided shared notification.

What are Service Provider Security Contacts and how do they work?

Service Provider Security Contacts (SCs) are a special purpose security contact.  As a service provider, they don't have registered network assets, but they are flagged within NetReg as providing support for another SC.  For example, the Service Provider SC might register devices for the Client SC. Service Provider SCs have "device-based" privileges with the Client SC; they can create, edit and delete devices from the Client SC.

How are security notices routed?

Security notices are routed based upon the most specific registration information available in NetReg.

For example, if an IP address has a registered security contact, the security notice is sent to that contact. If there is no specific IP address registration then the notice is sent to the security contact that claimed the subnet. Notices will also be sent to:

  • the registrant contact role's service provider, if any;
  • its departmental / parent contact role, if any;
  • and any contact roles that have 'CC SC' status for the IP address.
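As an added illustration of the routing rule described above (example code, not NetReg's own), here is a small Python lookup over constructed sample registrations. It assumes that the subnet claimant is treated as the registrant when no IP-level registration exists, and that the most specific claimed subnet wins if claimed subnets nest.

```python
import ipaddress

# Constructed sample registration data in a NetReg-like shape (not real campus data).
IP_REGISTRATIONS = {"10.0.1.25": "sc-lab-a"}         # IP address -> registrant SC
SUBNET_CLAIMS = {"10.0.1.0/24": "sc-dept-x"}          # claimed subnet -> claiming SC
SERVICE_PROVIDER = {"sc-lab-a": "sc-itsp"}            # SC -> its Service Provider SC
PARENT_CONTACT = {"sc-lab-a": "sc-dept-x"}            # SC -> departmental / parent SC
CC_SC = {"10.0.1.25": {"sc-audit"}}                   # IP address -> SCs with 'CC SC' status


def registrant_for(ip):
    """Most specific registration wins: IP registrant first, then the subnet claimant."""
    if ip in IP_REGISTRATIONS:
        return IP_REGISTRATIONS[ip]
    addr = ipaddress.ip_address(ip)
    best = None
    # Assumption: if nested subnets are claimed, the longest prefix (most specific) wins.
    for cidr, sc in SUBNET_CLAIMS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sc)
    return best[1] if best else None


def notice_recipients(ip):
    """Return the set of SCs that a security notice for this IP address is routed to."""
    recipients = set()
    registrant = registrant_for(ip)
    if registrant is not None:
        recipients.add(registrant)
        # Fan out to the registrant's service provider and parent contact, if any.
        if registrant in SERVICE_PROVIDER:
            recipients.add(SERVICE_PROVIDER[registrant])
        if registrant in PARENT_CONTACT:
            recipients.add(PARENT_CONTACT[registrant])
    # CC SC status is attached to the IP address itself, not to the registrant.
    recipients |= CC_SC.get(ip, set())
    return recipients


if __name__ == "__main__":
    for sample in ("10.0.1.25", "10.0.1.77", "10.9.9.9"):
        print(sample, "->", sorted(notice_recipients(sample)))
```

An IP with its own registration fans out to its registrant, service provider, parent and CC SCs; an unregistered IP inside a claimed subnet goes only to the claimant; an IP in no claimed subnet has nowhere to route.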

What are the privileges for members in a security contact?

There are four privilege levels for any member of a security contact:

  • View-only: can view registration information.

  • Device: can make changes to Device registrations.

  • IP Information: can claim subnets, request IP addresses, and register subdomains and offsite hostnames. Can register RD Applications. Can also make changes to Device registrations.

What are Group Security Contacts used for?

A Group Security Contact (GSC) is created by a Department Security Contact (DSC) when a separation of responsibilities is needed. Each DSC will have an orgnode set, and the GSC will be associated with the department via its parent, the DSC.

Is this service suitable for me?

Yes, if: 

  • Your service contains printers and workstations only.
  • You don't have any custom rules.
  • You don't have technical staff who can configure your firewall rules. 
  • Your security needs are not extensive. 

No, if: 

  • Your subnet(s) host servers and services used outside the firewall.

  • You host sensitive data.

  • You have regulatory or contractual obligations to safeguard data that resides on your network.

Can I make customizations to the shared firewall rules?

No. Customizations are not made for individual departments. However, it is an evolving service and changes will be made if necessary to support the general needs of campus workstation computing.