[Micronet] MSSEI Campus Comment Response


[Micronet] MSSEI Campus Comment Response

Lisa Ho
Dear Micronet,

We received valuable input from many of you during the Jan/Feb campus comment period for the Minimum Security Standards for Electronic Information (MSSEI).  The MSSEI revision now under consideration by the Compliance and Enterprise Risk Committee (CERC) bears improvements inspired by your input.

The page linked below summarizes and responds to that input:

        https://security.berkeley.edu/content/mssei-2013-campus-comment-response

(Please note that some of the responses refer to MSSEI guidelines as a resource for additional information.  Leon Wong has just done a fantastic job of finishing a complete set of MSSEI guidelines (Thanks Leon!), however, his focus was on Protection Level 2 data and the controls already approved and effective this July 2013.  Guidelines specific to Protection Level 1 data and controls newly proposed in MSSEI-2013 will be addressed in future revisions of the guidelines.)

The Micronet community is key to MSSEI implementation, so to continue the multi-way discussion, I encourage you to join the Micronet session this Wednesday, April 24 at 10:30 in 150 University Hall. 

We want to hear:

- What control is going to impact you the most?
- What is difficult to implement? What implementation barriers do you face?
- What parts are unclear?
- What campus services would be helpful for achieving compliance?
- What’s unclear about responsibilities?
- What control are you happy is finally in policy?
- and whatever else is an MSSEI "hot topic" for you.

Hope to see you Wednesday!

Lisa
--

Lisa Ho
IT Policy Manager
University of California, Berkeley
510.642.2422

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

Re: [Micronet] MSSEI Campus Comment Response

Rune Stromsness
On 22-Apr-13 12:48, Lisa Carol Ho wrote:

> Dear Micronet,
>
> We received valuable input from many of you during the Jan/Feb campus
> comment period for the Minimum Security Standards for Electronic
> Information (MSSEI).  The MSSEI revision now under consideration by the
> Compliance and Enterprise Risk Committee (CERC) bears improvements
> inspired by your input.
>
> The page linked below summarizes and responds to that input:
>
>        
> https://security.berkeley.edu/content/mssei-2013-campus-comment-response
>
> (Please note that some of the responses refer to MSSEI guidelines as a
> resource for additional information.  Leon Wong has just done a
> fantastic job of finishing a complete set of MSSEI guidelines (Thanks
> Leon!), however, his focus was on Protection Level 2 data and the
> controls already approved and effective this July 2013.  Guidelines
> specific to Protection Level 1 data and controls newly proposed in
> MSSEI-2013 will be addressed in future revisions of the guidelines.)
>
> The Micronet community is key to MSSEI implementation, so to continue
> the multi-way discussion, I encourage you to join the Micronet session
> this Wednesday, April 24 at 10:30 in 150 University Hall.
>
> We want to hear:
>
> - What control is going to impact you the most?
> - What is difficult to implement? What implementation barriers do you face?
> - What parts are unclear?
> - What campus services would be helpful for achieving compliance?
> - What’s unclear about responsibilities?
> - What control are you happy is finally in policy?
> - and whatever else is an MSSEI "hot topic" for you.
I am the on-call senior network engineer this week, and it looks like
that will keep me from attending the meeting today.

While I'm generally pretty pleased with the new policies and guidelines,
I still believe that the requirements for Protection Level 1 systems are
too onerous.  Since Protection Level 1 data includes, among other
things, anything covered by FERPA that isn't directory information, it
includes data used by virtually every faculty and staff member on campus.

That means that the requirements for that level apply to virtually every
personally-owned or institutionally-owned device used by faculty or
staff to do their work from home or on campus.

The requirements as currently written seem to say that all network
communication of that data has to be encrypted (except for printing) and
that that data can't be put into email unless it is encrypted.  That
seems to me to then mean that all of a sudden the way everyone on campus
uses email will be considered a violation of policy.  And would seem to
say that the use of industry-standard file server or backup technology
like SMB, AFS, NFS, and Time Machine backups in any department or
research group is suddenly a violation of policy.  Also that any little
departmental server out there has to be on a "secure" subnet that
doesn't have any jacks in classrooms or conference rooms or other space
that isn't physically secure.

While I would love to get the campus to a place where all data transfers
over the network are encrypted and email is signed and encrypted
regularly, I don't see that as being reasonable in the next 2 years.  So
I believe that it shouldn't be required by policy at this point --
anything that we require in policy should be reasonable for people to
comply with.


(Note that I still completely support requiring encryption on the wire
in _absolutely_ _every_ case for Protection Level 2 data -- instead of
being on virtually every system on campus that data should be very rare,
and more extensive efforts to protect such data on that very small
number of systems are more than justified.)


Rune



> Hope to see you Wednesday!
>
> Lisa
> --
>
> Lisa Ho
> IT Policy Manager
> University of California, Berkeley
> 510.642.2422
