Executive Summary

The free exchange of information is a key tenet of higher education. However, sensitive information must be protected, as its compromise could cause harm to the university or to individuals. UC Berkeley experiences thousands of network attacks every second, and a single successful compromise can cost the university hundreds of thousands of dollars. In the last 5 years, several such incidents at Berkeley have received national press coverage, illustrating the need to improve IT security at UC Berkeley. But the decentralized nature of the university makes it difficult to ensure security awareness across campus, let alone to ensure effective security measures on those resources that contain sensitive information. The UC Berkeley office of the CIO has limited visibility into what information systems exist within the units on campus and what measures are being taken to protect them.

Most IT resources on campus are managed by academic units or individuals. People may be unaware of all the security requirements for the systems they manage or use. Specific safeguards to protect sensitive information may be mandated by law, regulation, or policy. The mandates that apply in a particular situation may be determined by the context under which the data was initially collected as well as by the inherent nature of the data itself. It is not easy for unit technical staff to find guidance. The specific requirements, known as controls, are spread across UC and campus policies. Different policies may use differing terminology for the same role or control. Within the policies, controls are described at a very high level, leaving the concrete steps up to the interpretation of the reader. There is no single source of requirements, recommended practices, or appropriate campus resources that can assist with compliance.

These issues are addressed by the ITS a BeAR security plan generator, a proof-of-concept web-based system that walks those responsible for an IT resource through discovering and documenting the security controls needed. It asks questions about the system and generates a security plan at the end. It generates a list of appropriate controls based on the user's answers, helps users understand policy terminology, and gives guidance on how to implement controls. The generated security plan provides a concrete list of requirements that the unit can use to understand its security posture and justify security expenditures to decision makers. Similarly, it provides visibility to the campus CIO into the nature of the IT resource, identifies who fulfills key roles, and records what security measures are in place or are planned.

The heart of ITS a BeAR is a catalog of controls distilled from an analysis of key university-wide and campus policies. Each catalog item identifies the conditions that mandate it, and may include recommended practices and campus resources. The ITS a BeAR decision logic uses the catalog to auto-generate the list of controls and create a security plan using our proposed standard format. The catalog, decision logic, and security plan template will be provided to the UC Berkeley office of the CIO so that future use of our methodology is not dependent on a production implementation of our proof of concept.
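To make the catalog-plus-decision-logic design concrete, the following is an added illustrative example, not the ITS a BeAR code or its actual catalog. It assumes a catalog in which each control carries the answer conditions that mandate it (any listed value for a question satisfies that question; every listed question must be satisfied), and shows how questionnaire answers select controls and are rendered into a plain-text plan. The control identifiers, questions, policy labels and guidance strings are constructed for the example.

```python
"""Illustrative catalog-driven control selection (added example, not ITS a BeAR's code).

Each Control records the conditions that mandate it: a mapping from a
questionnaire key to the set of answers that trigger it. An empty mapping
means the control always applies. All keys must be satisfied; within a key,
any listed answer suffices. Answers may be single strings or sets of strings.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Tuple, Union

Answer = Union[str, Iterable[str]]


@dataclass(frozen=True)
class Control:
    ident: str                      # constructed identifier, not a real policy number
    title: str
    conditions: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    sources: Tuple[str, ...] = ()   # constructed policy labels
    guidance: str = ""              # recommended practice / campus resource text


# Constructed sample catalog. Labels in parentheses are placeholders, not real policies.
CATALOG: Tuple[Control, ...] = (
    Control("CTL-1", "Name a system owner and a security contact",
            {}, ("(campus IT policy)",),
            "Record who fills each role in the plan and keep it current."),
    Control("CTL-2", "Encrypt sensitive data at rest",
            {"data_sensitivity": frozenset({"sensitive"})}, ("(UC data protection policy)",),
            "Use full-disk or database-level encryption; document key custody."),
    Control("CTL-3", "Restrict inbound network access to trusted sources",
            {"network_exposure": frozenset({"internet"})}, ("(campus minimum security standard)",),
            "Place the service behind a host or network firewall with an allow-list."),
    Control("CTL-4", "Retain audit logs and review them regularly",
            {"data_sensitivity": frozenset({"sensitive"}),
             "network_exposure": frozenset({"internet", "campus"})},
            ("(UC data protection policy)", "(campus logging standard)"),
            "Forward logs to a central collector so that review does not depend on the host."),
    Control("CTL-5", "Obtain approval before storing payment card data",
            {"data_types": frozenset({"payment_card"})}, ("(PCI handling requirement)",),
            "Contact the campus payment-card program before collecting card numbers."),
)


def _as_set(value: Answer) -> FrozenSet[str]:
    """Normalise a single answer or a collection of answers to a frozenset."""
    if isinstance(value, str):
        return frozenset({value})
    return frozenset(value)


def applies(control: Control, answers: Dict[str, Answer]) -> bool:
    """True when every conditioned question has at least one triggering answer."""
    for key, triggers in control.conditions.items():
        given = _as_set(answers.get(key, ()))
        if not (given & triggers):
            return False
    return True


def select_controls(answers: Dict[str, Answer],
                    catalog: Tuple[Control, ...] = CATALOG) -> List[Control]:
    """Decision logic: walk the catalog and keep the controls the answers mandate."""
    return [c for c in catalog if applies(c, answers)]


def render_plan(system_name: str, answers: Dict[str, Answer],
                catalog: Tuple[Control, ...] = CATALOG) -> str:
    """Render a plain-text security plan listing each mandated control, its
    mandating source and implementation guidance (constructed plan format)."""
    lines = [f"Security plan for: {system_name}", "Questionnaire answers:"]
    for key in sorted(answers):
        lines.append(f"  {key}: {', '.join(sorted(_as_set(answers[key])))}")
    lines.append("Required controls:")
    for c in select_controls(answers, catalog):
        lines.append(f"  [{c.ident}] {c.title}")
        lines.append(f"      mandated by: {'; '.join(c.sources)}")
        if c.guidance:
            lines.append(f"      guidance: {c.guidance}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed answers for an internet-facing system holding sensitive records.
    sample = {"data_sensitivity": "sensitive",
              "network_exposure": "internet",
              "data_types": {"student_records"}}
    print(render_plan("example-records-server", sample))
```

Because the conditions live in the catalog rather than in the code, updating a policy means editing one catalog entry, which is the property that lets the catalog and decision logic be handed over independently of any particular implementation.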