MSSEI Briefing

September 30, 2023

The Berkeley IT Information Security Office (ISO), working with a cross-campus group of IT professionals, has developed a proposed revision to the campus Minimum Security Standards for Electronic Information (MSSEI). The MSSEI defines minimum security standards for all UC Berkeley institutional information and IT resources. This update, the first substantive update since 2012, incorporates elements from UC’s systemwide Electronic Information Security Policy, IS-3, and brings the standards into alignment with current industry best practices.

The updated MSSEI has completed an internal review and is currently undergoing the initial rounds of campus review. Key highlights of the update include:

  • An iterative approach to implementation, focusing on high-priority requirements first.

  • Exceptions allowed via the current, risk-based security exception process.

  • Availability Level and a new “high-risk” designation incorporated to help manage scope.

  • UC Berkeley-specific implementation information for UC systemwide requirements and standards.

  • Summary charts, prioritizations, and “New” ✅ requirement indicators in the draft for quick reference.

What’s new?

Most existing MSSEI requirements were updated, many new ones were added, and obsolete requirements were removed. Selected new or expanded requirements:

  • security planning (Req #1) and documentation (Sec VII)

  • encryption, encryption keys, and digital certificates (Req #6)

  • access control, authentication, and privileged access (Req #5)

  • logging, including log analysis, and log retention (Req #10)

  • monitoring devices and network access (Req #9.1)

  • change management (Req #8)

  • supplier relationships (Req #13)

  • business continuity/disaster recovery (Req #15)

Some requirements, both existing and new, may need additional resources to implement:

  • asset inventory (Req #4.3)

  • encryption for sensitive data at rest (Req #6.2)

  • monitoring and detection for P3 and P4 devices, especially remote devices (Req #9.1)

  • logging (Req #10)

  • new requirements around allowed authentication mechanisms (Req #5.10)

  • web application security testing (Req #9.4)

  • segregation of P4 and high-risk P3 systems into security zones (Req #11.2)

  • backups and testing of backups (Req #15.1)

Providing Feedback

The Information Security Office (ISO) invites your comments on the proposed MSSEI update by Feb. 23, 2024:

  • Please include feedback on requirements in the draft that seem like the greatest challenges to implement.

We will incorporate the feedback received and then continue to the next phase of the campus review process.

Questions

If you have questions regarding this draft standard or the review process, or would like us to come to your team meeting for a presentation or discussion, please contact us at iso@berkeley.edu.

Related Links

  • Current MSSEI

  • Information Security Exception Process

  • Procedures for Blocking Network Access

  • UC Electronic Information Security Policy, IS-3

  • Information Security Office