FAQ

How are security notices routed?

Security notices are routed based on the registration information in Socreg.

For example, if an IP address has a registered Security Contact, the security notice is sent to that Security Contact, but if there is no specific IP address registration, then the notice is sent to the Security Contact that registered the subnet that contains the IP Address. Notices will also be sent to:

The registrant Security Contact’s Service Provider, if any.

The registrant Security Contact’s Departmental...

Why can’t two Security Contacts share the same subnet? We both have IP addresses on the subnet.

Overlap is not allowed in Socreg. If two departments share a subnet, the department who claims the most IP addresses for that subnet will get the entire subnet. The other department will get individual IP addresses.

Additionally, one Security Contact will register and be primarily responsible for an IP address, although other Security Contacts may also receive security notices for that IP address.

For complicated situations, e.g., where two different groups are responsible for systems on a subnet, a Security...

What are the types of email generated by Socreg? Can I opt out from receiving any/all of them?

There are three types of email generated by Socreg:

FYI emails: These emails are rolled up into a single digest which is sent once per week. Users can opt-out of receiving the digest by setting "Receive FYI digest" to “off”. However, at least one member of the Security Contact should continue to receive them. Some FYI emails are sent immediately, for example when a PD Application or one of its components is modified.

Notices about Access or Asset Requests. Others may submit a request in Socreg for:...

How are Protected Data Applications and Systems monitored?

The Information Security Office (ISO) takes privacy issues very seriously and we use the same approach for balancing security and privacy for Protected Data hosts as for all hosts on campus. Monitoring of systems occurs through two methods, monitoring of network traffic crossing the campus border and vulnerability scanning of hosts on the campus network. The methods used to do this are similar for all hosts on the campus network.

The enhanced services for Protected Data hosts are:

More frequent scanning ...

What is the purpose of the Vendor Security Assessment Program?

The Vendor Security Assessment Program is intended to ensure that service providers who handle UC P4 data on behalf of the University meet campus security policy requirements. This is achieved in two ways:

By evaluating the vendor's security controls in comparison to campus policy. Ensuring that the UCOP Data Security & Privacy Appendix is...

The Data Security & Privacy Appendix was not included in the vendor contract, what do I do?

The contract with the 3rd-party service provider has already been signed and the UCOP Data Security & Privacy Appendix was not included. How will this affect the vendor security assessment?

For all UC contracts involving third-party access to covered data, the University of California Office of the President (UCOP) requires the inclusion of the Data Security and Privacy Appendix. The appendix establishes baseline protection for the University in the event of a data breach. Campus units that engage with service providers to handle covered data must ensure the appendix is included in new contracts without edits.

For VSAP engagements that...

Can I self-register Fixed IP address assignments?

Department and Group Security Contacts can register devices for Fixed IP address assignment – where a device always gets the same IP on its primary subnet, but a Dynamic IP on any other subnet – provided that the Security Contact has a registered subnet, with an available IP address space, and a registered subdomain.

For details about registering devices for Fixed IP address assignment, please review the "Devices" page in the Socreg...

What email address should I use for my Security Contact?

A Security Contact has one email address that is used to receive security notices. The email address should reach multiple people either via a listserv, group address, or, ideally, a CalNet Special Purpose Account so that security incidents involving a department or group's IT Resources receive prompt attention. SPAs are CalNet IDs that can be shared by multiple users for collaborative purposes and are recommended for this purpose. See ...