As a faculty member, student, or staff member at UC Berkeley, you use different types of electronic information to carry out research, participate in your courses, do your job, or conduct your personal affairs. This complex environment of intermingled information requires correspondingly complex care. To cut through at least some of this complexity, the Campus Information Security and Privacy Committee (CISPC) has created a new policy on Minimum Security Standards for Electronic Information (MSSEI) for the Berkeley campus. This Policy will be issued shortly on a provisional basis for six months, to allow individuals time to assess their risk and meet the requirements of the Policy before it is fully enforced. The Policy will be available at http://security.berkeley.edu/MSSEI/.
The new policy describes detailed "protective measures" that are required for a specified "minimum" set of types of highly confidential electronic information. Following the six-month provisional period, penalties may be imposed for failure to comply with the MSSEI. The Policy currently focuses on highly confidential information, including Social Security Numbers, financial accounts, and credit-card numbers, as well as medical and health insurance data. At this time, the Standards include only types of information that are deemed to always be highly confidential, but additional types of electronic information that pose a risk to the University may be added over time. It is important to note that while this policy does not allow you to stop conducting risk assessments and implementing appropriate security measures for all types of electronic information, it does provide a very important "first things first" list.
It is simply not possible to identify and require specific security protection measures for every type of electronic information in every situation — especially since combinations with other types of information often change the level of sensitivity. To protect the important electronic information that you deal with, you must think diligently about what you're doing. For more information, see the University of California Management Guide for Information Security, which summarizes general requirements and links to UC Business and Finance Bulletins IS-2 Inventory, Classification, and Release of University Electronic Information [PDF] and IS-3 Electronic Information Security [PDF].
Both the list of electronic information types and the specific protective measures covered by the MSSEI policy are subject to regular review and change. Current versions of these requirements will be published and maintained on campus policy web pages, and updates will be publicized as extensively as possible. As with other campus and University policies, you are responsible for keeping your knowledge of policy terms relevant to your role on campus up to date.
Questions about the MSSEI may be addressed to
