MSSEI Self Assessment Plan Application Name Data Classification Protection Level 1 Resource Proprietor (Functional Owner) Application Coordinator Department/Unit Name Table of Contents 1. Project / System Overview 2 2. Target Audience 2 3. Architecture Model 2 4. Data Flow Description 2 5. Support Model 2 6. Meeting MSSEI Requirements 3 Appendix A – Hardware inventory 19 Appendix B – Software Inventory 19 Template Revision History Date 4/23 5/14 UC Berkeley Author Leon Wong Leon Wong Description Version 1 Updated with to match administrative changes to MSSEI Page 1 of 19 1. Project / System Overview Describe the overall application / system purpose, the data classification level given by IT Policy, as well as the sensitive data elements that qualifies the application at specified data protection level. 2. Target Audience Describe the users who will use and be affected by the application. 3. Architecture Model Attach a high-level diagram of data flow and data storage, including all the interconnected system names and interfaces. 4. Data Flow Description Provide description of data movement and data storage depicted in the architecture model. Please include brief description of how each component in the architecture model is being secured. 5. Support Model Please list any support and development staff that have elevated privileges in the application or its underlying systems, including their roles and responsibilities in supporting/developing this application. In the responsibilities column, please make note if a role is temporary. Examples of temporary roles may include short-term contractors or support staff that will lose their elevated access to application in the near future (3 – 6 months). Elevated privileges in this case may mean permissions to change application configuration, bulk access to covered data, etc. Name UC Berkeley Role Application Responsibilities Email Address Page 2 of 19 6. Meeting MSSEI Requirements The Minimum Security Standards for Electronic Information (MSSEI) define the minimum set of confidentiality controls required for Electronic Information as well as the device types for which these controls are applicable. For each MSSEI standard (1.1 – 17.1), describe how compliance with the standard are achieved for the device types listed with existing tools and practices. If a standard is a future requirement (+) on a device, indicate how the standard will be met or document the considerations for not meeting the control. Device type definitions, and detailed descriptions of each control with links to implementation guidelines are available at: security.berkeley.edu/mssei. Assessment questions are provided here as prompts, with the caveat that they are subject to change. They are not intended to be comprehensive and may not be applicable for all systems. If compliant controls are not yet implemented, describe any future plans or proposal to meet applicable standard, and use “Progress” column to indicate whether implementation status of the security standard is “Not Started”, “In Progress”, “Fully Implemented”. MSSEI 1.1 Removal of non-required covered data Progress: What do you do with systems or storage media that are being replaced or otherwise decommissioned and have handled covered data? Do you have a documented process for securely deleting covered data from decommissioned devices? What tools do you use to securely delete covered data? Institutional Devices: Privileged Access Devices: MSSEI 1.2 Covered system inventory Progress: Is there a documented inventory of devices used in the covered system? Do you have a list of devices that are used to support covered system? See Appendix at the end of the document for a device inventory template. Is there a documented process to update inventory list as the devices and covered system are updated (e.g. changes in business function, specification) Institutional Devices: UC Berkeley Page 3 of 19 Privileged Access Devices: MSSEI 1.3 Covered system registration Progress: Is a security contact assigned in Security Contacts application and maintained for each IP address? Are covered devices registered in RDM? Covered devices may include privileged devices such as system admin workstations that are used to access institutional devices. Institutional Devices: Privileged Access Devices (Future Requirement): MSSEI 1.4 Annual renewal Progress: Do you have a written procedure that assigns the responsibility to an individual to annually review your RDM registration and Security Contacts? Is it apart of their responsibilities to verify all information provided is accurate and up to date? Be sure to provide the name of the individual responsible. Institutional Devices: Privileged Access Devices: MSSEI 2.1 Managed software inventory Progress: Do you have an inventory of all installed software on all Privileged Access and Institutional devices? Does this inventory include software title, version and patch level? Do you have a list of authorized software which is necessary to meet business needs for Privileged Access and Institutional devices? Is there an documented inventory process by which the Resource Custodian is UC Berkeley Page 4 of 19 notified when unauthorized software packages are discovered on Privileged Access and Institutional devices? Is there a written procedure to periodically review and who is assigned that responsibility to approve of a maintained software list? Institutional Devices: Privileged Access Devices (Future Requirement): MSSEI 3.1 Secure device configuration Progress: Are your devices built, configured, and deployed with a recognized security configuration benchmark? (e.g. RedHat KickStart, custom build scripts, hardening checklists) Does a process exist to regularly check device configurations and notify the Resource Custodian of any changes? What follow-up actions are planned when unplanned configuration changes are detected? For example, is there an email send to Resource Custodian listing configuration changes? Once an unplanned change is detected, will Resource Custodians create a ticket in a ticket tracking system to track the issue? Institutional Devices: Privileged Access Devices (Future Requirement): MSSEI 4.1 Continuous vulnerability assessment and remediation Progress: Have you verified that all Privileged Access and institutional devices allow the ISP scanners? What is the process to ensure covered devices have been scanned within the last week (5 business days)? If you do not allow ISP scanners, what is your documented process for continuous scans? Institutional Devices: UC Berkeley Page 5 of 19 Privileged Access Devices (Future Requirement): MSSEI 4.2 Authenticated scan Progress: Do you have a process in place to perform authenticated scan on covered devices? (Secunia for PC, Nessus departmental scanner for Unix/Macs) How are vulnerabilities remediated after they are identified in the authenticated scan? NOT Required. MSSEI 4.3 Intrusion detection Progress: Are your covered devices on the campus network to take advantage of centrally provided IDS service? Are the covered devices registered properly per MSSEI system registration requirement (1.2)? Institutional Devices (Future Requirement): Privileged Access Devices (Future Requirement): MSSEI 5.1 Device physical security Progress: Where are your institutional devices physically located? If not at Warren data center, o how is access to that room controlled (key, keycard, etc.)? o Do you have a documented process for adding or removing people granting/denying access to institutional device? o Do you have an audit trail of who entered and left your data center? What's your process to generate and review the list of personnel who have physical access to your institutional devices? (Including warren) Institutional Devices (Future Requirement): UC Berkeley Page 6 of 19 MSSEI 6.1 Secure coding training Progress: What coding training has been taken by developers of covered applications? Please highlight components of training specific to developing secure code. What is your training plan for your developers? How are you identifying developers that should go to training? What is the process to review training progress? NOT Required MSSEI 6.2 Code review Progress: Do you have documented code review process? How are staff identified to participate? Does all code go through the process? What Software Development Life Cycle(SDLC) methodologies were used to develop application? What security requirements are incorporated into SDLC? NOT Required MSSEI 6.3 Application security testing Progress: Have you contacted the Application Security Testing Program (ASTP) to schedule an assessment? If you've received an ASTP assessment, what was the grade given to your system from that assessment? If assessment was done by 3rd party, please describe the assessment methodology and results of that assessment. NOT Required MSSEI 6.4 Commercial software assessment Progress: What security requirements were included in the vendor review process? UC Berkeley Page 7 of 19 NOT Required MSSEI 7.1 No "institutional" devices on mobile/wireless devices Progress: Do any institutional systems have wireless network interface installed? If installed a) is it Enabled?; b) do you have a document process to ensure it is always disabled? Institutional Devices (Future Requirement): MSSEI 8.1 Privacy and Security training Progress: What privacy & security training are required for users in these following groups? o Resource Proprietors o Resource Custodians (Application Developers & Infrastructure Administrators) o End Users How are training requirements communicated to listed group of users? Institutional Devices (Future Requirement): MSSEI 9.1 Unique passphrases Progress: How are users made aware that they must use unique and significantly different passphrases for each separate account under their control? Is this documented process? How are users made aware that they cannot reuse passphrases for personal/consumer accounts? Institutional Devices: Privileged Access Devices: UC Berkeley Page 8 of 19 MSSEI 9.2 Separation of accounts Progress: How are user accounts tied to institutional identities? Does each user account, including administrative accounts, in the application and underlying systems correspond to an individual? For accounts that are required to be shared due to application/system constraints and/or institutional requirement, what's the process to inventory these shared accounts along with description? What's the process to disable built-in administrator accounts and instead assigned a administrative function to individuals? When working with databases, is each application given a unique login account? Are password changed in different environments, for example, is the production database passwords different from development? Institutional Devices: Privileged Access Devices: MSSEI 9.3 Separation of system resources Progress: Are web servers and database only hosting systems of like data protection level, for example, are all databases hosting only PL2 data on server 1 and only PL1 data on server 2? Are you DB servers segmented from other services? How are your databases separated? Do your DB servers run multiple services? If so, which services? Are all critical services, such as, file server, database, operate on separate host machines or virtual machines? Institutional Devices: MSSEI 10.1 Use of admin accounts only on secure devices Progress: How are administrative accounts used to perform privileged operations? Please include in the description the various devices that are required to perform the privileged operations. E.g. if a work laptop is used to login to a secured host before performing privileged operation, please include the work laptop in your description. Please include description the function of all devices where admin credentials are entered. What devices are being used for administrative functions? How do you identify these devices? Do you have enforcement that limit administrator functions being performed only on approved privileged devices? UC Berkeley Page 9 of 19 How are you notifying administrators of this control? Institutional Devices: Privileged Access Devices (Future Requirement): MSSEI 10.2 Admin account security Progress: What password complexity requirements are enforced for administrative accounts? Is this process documented? Where application or script require access to administrative credentials, how are the credentials stored and protected? Are administrative accounts used for high risk activities such as web browsing, email, etc.? How are you managing shared service account credentials that have elevated privileges? where administrative accounts keys can read any private key, how do you identify and manage these administrative accounts? Institutional Devices: Privileged Access Devices (Future Requirement): MSSEI 11.1 Managed hardware firewall Progress: Do you have hardware firewall or router with Access Control Lists configured to protect Institutional System devices? What type and model? What is your context name? Do you have active outbound rules? Do you have default deny rule enabled? Do you have documented justifications for each of your firewall rules? If so, what's information are required to be included in the firewall justification rules? Please describe the process in which firewall rules are added or changed, including any review or approval process. Define the responsible person for your firewall. How are changes in the firewall configuration and rules logged and traceable back to the original request (e.g. a ticketing system)? Institutional Devices: UC Berkeley Page 10 of 19 MSSEI 11.2 Protected subnets Progress: What devices reside in the same protected VLAN(s) as covered devices? Do you have an inventory of the devices connected to the protected VLAN(s)? If non-covered devices reside in the protected VLAN, please describe the system supported by these non-covered devices in terms of their associated data classification level and MSSEI compliance (Level 1 or Level 2 compliance or no compliance). Where is the network device(s) connecting the covered devices located? How is the network device(s) physically protected? Do you have any wireless access points on your PL2 private VLAN (subnet)? Institutional Devices (Future Requirement): MSSEI 12.1 Security audit logging Progress: Are you sending your logs to campus logging program? Have you reconfigured your apache, IIS, or Jboss logs to use syslog to securely transmit your logs? Do you have full audit trail for user access to cover data? If web application, are the IIS, apache logs enabled and collecting source IP address, time, date, etc.? Can you show which user has access covered data when? How are the log files protected from tampering or unauthorized access? How does your system ensure time synchronization? Institutional Devices: MSSEI 12.2 Security audit log analysis Progress: Do you have a dedicated staff to review audits daily? How are log events prioritized and reviewed? What rules or algorithms is being used to determine a log event require further investigation? Institutional Devices (Future Requirement): UC Berkeley Page 11 of 19 MSSEI 13.1 Controlled access based on need to know Progress: What is the process in place to review request for access to covered application and devices (Institutional and Privileged)? Is the process documented? Who is responsible for the review? What kind of approval requirements need to be met before requested access is granted? What procedures are in place to review access granted to covered systems? Is your system automated to remove employees' access once they are no longer employed or they have a change in job responsibility? At what frequency do you review access to your application and devices (Institutional and Privileged)? How have you implemented the principal of least privilege in your application? Institutional Devices: Privileged Access Devices: MSSEI 14.1 Account monitoring and management Progress: Are there any automated reports showing inventory of user accounts in covered systems? Are there any automated reports showing account and group level changes? Examples of account and group level changes include: o Status changes that enable or disable accounts/groups o Account access privilege updates o Account creation/deletion o Group access privilege updates o Group membership updates o Group creation/deletion What documented procedures are in place to remove stale accounts that no longer require access to covered systems? Examples of stale account may include terminated or transferred employees, old service accounts, old administrative accounts, etc. Are there expiration dates assigned to user accounts? If so, how are expiration dates determined? Are account locked after multiple failed login accounts? Institutional Devices: UC Berkeley Page 12 of 19 MSSEI 15.1 Encryption in transit Progress: Have you identified the entire flow of covered data over networks, including to and from external vendors/entities, backup systems, and redundant systems? Ensure that you have thoroughly "followed" the flow of covered data over networks. A common pitfall when identifying data flow is failing to consider external systems that receive or send covered data such as via FTP, Web Services, and other batch data processing components with network access. Do your QA or Development environments contain copies of covered data? Ensure that your security plan includes encryption mechanisms for these common environments and not just Production systems. Have you documented the type of encryption protocols and authentication methods in use for each network transmission of covered data related to your system? Have you identified any vendor products in your system that use encryption and can you provide documentation for the protocols and mechanisms used by those products? Institutional Devices: Privileged Access Devices: MSSEI 15.2 Encryption on mobile devices and removable storage media Progress: Will covered data be stored in mobile devices and removable storage media? If so, o what encryption mechanisms are used to protect covered data on mobile devices and removable media? o How are encryption keys stored and managed? o Please describe any documented policies or procedures to physically secure mobile devices and removable storage media. o How do you keep track of removable storage media location and data owner? o What is the backup plan for covered data stored in mobile devices and removable storage media? How do you ensure that all covered data is encrypted on your backup media? If proprietary encryption algorithms are used, how have you ensured the encryption methods are "industry acceptable"? Institutional Devices: UC Berkeley Page 13 of 19 MSSEI 15.3 Secure deletion upon decommission Progress: What documented procedures are used to delete covered data when it is no longer needed? How is removable storage media storing covered data handled after it is no longer needed? How is covered system hardware handled after it is decommissioned? How is this handled in backups? What is your documented process to ensure that all backup media are securely deleted when no longer needed? Institutional Devices: Privileged Access Devices: MSSEI 15.4 Data access agreement Progress: What data access agreement is in place between end users and resource proprietor? Does the data access agreement explain the assigned data classification level and protection profile required for individual devices? Institutional Devices: MSSEI 16.1 Incident response planning Progress: Are you using ISP incident response plan template? If not, please describe the components of your incident response plan. What roles are defined and assigned in your incident response plan? Are those role definitions and assignments communicated to the stakeholders? Institutional Devices: UC Berkeley Page 14 of 19 MSSEI 16.2 Incident response plan availability Progress: How are you making your incident response plan available to members of the local incident response team? Have you documented or had incident response team members otherwise acknowledge that they have read and understood the incident response plan? Institutional Devices: MSSEI 16.3 Incident reporting training Progress: Have all End Users been made aware of the appropriate way to report an incident? Institutional Devices (Future Requirement): MSSEI 17.1 MSSND - Software Patch Updates Progress: How do you deploy patches to your covered devices, workstations, laptops, servers, etc? Do you operate any systems that have outdated security updates, outdated OS versions, oudated browser versions, etc. and/or that are not supported by their respective vendors for which security updates are not available? Institutional Devices: Privileged Access Devices: MSSEI 17.2 MSSND - Anti-malware Software Progress: Do all your systems, for which anti-malware solutions are available, have AV installed? How often are the anti-malware software and its malware definition files updated? UC Berkeley Page 15 of 19 Institutional Devices: Privileged Access Devices: MSSEI 17.3 MSSND - Host-based Firewall Software Progress: Do all your systems have host-based firewalls enabled and effectively configured? Please describe your policy and process to accomplish this. Institutional Devices: Privileged Access Devices: MSSEI 17.4 MSSND - Use of Authentication Progress: Do you ensure that all covered devices require a valid and strong password before they can be accessed and/or used? How do devices validate the user account before granting access (e.g. Active Directory, application level accounts, etc)? Institutional Devices: Privileged Access Devices: MSSEI 17.5 MSSND - Passphrase Complexity Progress: Describe your passphrase complexity policy and how you enforce it. Institutional Devices: UC Berkeley Page 16 of 19 Privileged Access Devices: MSSEI 17.6 MSSND - No Unencrypted Authentication Progress: How do you ensure that all authentication sessions are encrypted? Institutional Devices: Privileged Access Devices: MSSEI 17.7 MSSND - No Unattended Console Sessions Progress: Describe your screen/console lock policies and how they are enforced to ensure that no covered devices are left unlocked when not under direct control of the authorized user. Institutional Devices: Privileged Access Devices: MSSEI 17.8 MSSND - No Unnecessary Services Progress: How do you ensure that your covered devices do not run any unnecessary network services? Institutional Devices: Privileged Access Devices: UC Berkeley Page 17 of 19 MSSEI 17.9 MSSND - Privileged Accounts Progress: How do you ensure that holders of administrative accounts do not use those accounts for non-administrative activities, such as e-mail and web browsing? Institutional Devices: Privileged Access Devices: UC Berkeley Page 18 of 19 Appendix A – Hardware inventory Host Name IP address Virtual? Managed By OS/Software Device Type Server Type Appendix B – Software Inventory Software e.g., Windows server Oracle Eclipse JDK Gnu Privacy Guard UC Berkeley Version 2008 11g 1.6 Source www.eclipse.org www.oracle.com www.gpg.org Purpose Operating System Database Integrated Development Environment Java Libraries Encryption Too Page 19 of 19