Guideline

Authenticated Scans Guideline

UC Berkeley security policy mandates compliance with Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance for continuous vulnerability assessment and remediation.

Requirement

Resource Custodians must implement authenticated scans for vulnerability assessment for core systems. Campus-provided scanning resources and campus-...

Security Audit Logging Guideline

Requirement

Resource Custodians must maintain, monitor, and analyze security audit logs for covered devices.

Description of Risk

Without appropriate audit logging, an attacker's activities can go unnoticed, and evidence of whether or not the attack led to a breach can be inconclusive.

Recommendations

Regular log collection is critical to understanding the nature of security incidents during an active investigation and post mortem analysis. Logs are also useful for establishing...

Guidelines for Use of Campus Network Data Reports

Campus network data reports may be sent to campus departments by Network Operations and Services (NOS) or the Information Security Office (ISO), either because operational or security issues have been observed, or when otherwise requested by the departments. This access is given on the condition that the use of the data must respect all governing laws and policies. In particular, its use must comply with the University's firmly-held principles of academic freedom and shared governance, freedom of speech, and privacy, within the context of the University's legal and other obligations....

Security Audit Log Analysis Guideline

UC Berkeley security policy mandates compliance with Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance for audit logging requirements.

Requirement

Resource Custodians must maintain, monitor, and analyze security audit logs for covered devices.

Description of Risk

Without appropriate...

Intrusion Detection Guideline

UC Berkeley security policy mandates compliance with Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance to meet continuous vulnerability assessment and remediation requirements.

Requirement

Resource Custodians must continuously monitor for signs of attack and compromise on all covered devices....

Block Auto-run on Removable Devices Guideline

UC Berkeley security policy mandates compliance with Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance to meetmalware defenses requirement.

Requirement

Resource Custodians must configure covered systems to not auto-run content from removable or remotely-mounted media.

Description of Risk

...

Managed Software Inventory Guideline

UC Berkeley security policy mandates compliance with Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance to assist with achieving requirement 2.1, Managed Software Inventory.

Requirement

Resource Custodians must manage and regularly review installed software, and install only software packages required for business...

No Unencrypted Authentication Guidelines

UC Berkeley security policy mandates that all devices connected to the UCB network comply with Minimum Security Standard for Networked Devices. The recommendations below are provided as optional guidance to assist with achieving the No Unencrypted Authentication requirement.

Requirement

All network-based authentication must be strongly encrypted.

In particular, historically insecure services...

Secure Device Configuration Guideline

UC Berkeley security policy mandates compliance with Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance to assist with achieving requirement 3.1, Secure Device Configuration.

Requirement

Resource Custodians must utilize well-managed security configurations for hardware, software, and operating systems based on an industry...

Commercial Software Assessment Guideline

UC Berkeley security policy mandates compliance with Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance for meeting application software security requirements.

Requirement

Resource Proprietors and Resource Custodians must validate that commercial software meets security criteria used by the...