Berkeley Data Authorization Process

1. Berkeley Data Authorization Process MATCHING DATA with IT SERVICES CISPC, April 19, 2012 Lisa Ho, IT Policy Manager, Berkeley Privacy & Policy Office

2. Berkeley Data Authorization Process The Questions What is restricted and notice-triggering data? From Resource Proprietors (functional owners):  What service providers (on or off-campus) are appropriate for my data/system? From Resource Custodians who provide/manage IT services:  What kind of data is under my custodianship What security controls are required? Can I host restricted/notice-triggering data? From End Users: Where can I store my restricted data?

3. Berkeley Data Authorization Process The Answers • Classify campus data  • Definitions and process • Secure campus data • Authorize data use • Approve services (on and off campus) for a data class • Develop an information bank • Publish approved services • Reduce duplication of work • Respond to the Business Finance Bulletin IS-2 • Classify, inventory, and define appropriate security controls for institutional data

4. Berkeley Data Authorization Process What is the process? A: General System Inventory B: Protected Data Screen C: Data Privacy Questionnaire D: Privacy Impact Assessment E: Data Classification F: Baseline Risk Questionnaire G: Information Risk Assessment H: Resource Proprietor Approval A: General System Inventory B: Protected Data? Yes More Review No H: Resource Proprietor Approval Data Authorization Issued https://security.berkeley.edu/content/data-authorization-process-draft

5. High-level Rollout Plan • Pilot • Off-site hosting • Systems in the spotlight • Expand to other systems • Eventually align with campus OE initiatives Berkeley Data Authorization Process