Please Review: Updates to Information Security Minimum Standards (MSSEI)

April 9, 2024

To our campus community,

Following extensive campus review, we are pleased to announce that the updated Minimum Security Standards for Electronic Information (MSSEI) was ratified on Feb. 29, 2024, effective April 1, 2024. The Information Security Office is in the process of updating its website to reflect these changes. Visit the MSSEI home page to view the revised standards.

What does this mean?

If you work with Institutional Information or manage IT infrastructure or IT services, regardless of location or ownership, you must follow these standards. Compliance with the requirements designated as “high” priority should be met by April 1, 2025. 

What types of devices are included in these security standards?

These standards apply to individual devices that store or access Institutional Information, IT infrastructure, and IT services. Examples include laptops, desktop computers, remote work systems that store or access Institutional Information, servers, network appliances, life-safety systems, web and database applications, and cloud-based applications.

What are the requirements?

The MSSEI includes both foundational elements that govern its use, and specific, risk-based security requirements. More sensitive systems and data have more requirements; less sensitive ones have fewer requirements. A “requirement finder” will be developed to assist people with identifying relevant requirements.

Requirements fall into the following broad categories:

  • Foundational elements, such as implementation timeline, exceptions, required usage, documentation, and updates
  • Security Planning
  • Compliance with the Minimum Security Standards for Network Devices (MSSND) 
  • Information Security Training
  • Asset Management
  • Access Control
  • Encryption
  • Physical and Environmental Security
  • Change Management
  • Monitoring, Detection, and Vulnerability Management
  • Security Audit Logging and Analysis
  • Network Security
  • System and Software Acquisition, Development, and Maintenance
  • Supplier Relationships
  • Information Security Incident Management
  • Business Continuity and Disaster Recovery

Exceptions & Contact

If you – or your department/unit – have a device or IT service that cannot meet a requirement, please submit a request for a policy exception (as described in the MSSEI). If you have any questions, please contact iso@berkeley.edu.

Thank you for your participation and feedback in this process.

Regards, 

Gabriel Gonzalez, Interim Associate Vice Chancellor for IT and Chief Information Officer

Allison Henry, Chief Information Security Officer


Related links: Electronic Information Security Policy, IS-3 | Information Security Office

This message was sent campus-wide to all faculty, staff, student employees, GSIs, and GSRs. If you are a manager who supervises UC Berkeley employees without email access, please circulate this information to all.