NEWS: UC Berkeley’s Minimum Security Standards for Electronic Information Workgroup Wins the Gold IT Security Award at the 2025 UC Tech Awards

Overview 

UC Berkeley’s Minimum Security Standards for Electronic Information (MSSEI) Workgroup was a cross-campus group of IT professionals that worked collaboratively for nearly two years to incorporate the security controls from UC BFB IS-3 (IS-3) and its standards into Berkeley’s MSSEI for campus implementation.  

This was a complex project that required balancing systemwide policy with operational realities, campus values, risk tolerance, and alignment with industry best practices. Success required dedication, perseverance, each individual’s unique expertise, consultation and engagement with campus and systemwide subject matter experts, and a shared commitment to developing actionable, achievable requirements. The resulting standards have helped to mature information security policy and IT risk management for the entire campus and have also benefited other UC Locations.  

The Challenge 

When the UC systemwide Electronic Information Security Policy (UC Business and Finance Bulletin IS-3) was updated in late 2018, UC Berkeley’s Minimum Security Standards were also rapidly approaching the need for an update. Given the robust and well-socialized nature of Berkeley’s information security policy framework, it made sense to incorporate relevant requirements from IS-3 into our local standards to create a comprehensive set of campus security standards that would also serve as our location-specific implementation of IS-3 and its related standards. 

UC Berkeley’s MSSEI, in particular, define the minimum level of protection for campus Institutional Information and IT Resources. Their initial development took years, including significant effort to obtain campus buy-in. The Information Security Office knew that in order for this major update to succeed, a broad, cross-campus collaboration with representation and input from all campus constituencies would be needed. The MSSEI Workgroup was assembled to accomplish this goal. 

The Approach 

Julie Goldstein, UC Berkeley, on behalf of the Minimum Security Standards Workgroup.

The MSSEI Workgroup was a cross-campus team of IT subject matter experts charged under the authority of the Information Security Office to develop an updated version of the MSSEI that was suitable for campus review. Specific goals included: 

  • Maintaining the MSSEI’s risk-based model, which aligned with IS-3’s Risk Treatment Plan approach 
  • Evaluating existing MSSEI requirements and all IS-3 requirements (including the related standards) for inclusion, modification, or non-inclusion 
  • Developing updated requirements that were current, relevant, and actionable in order to manage risk 
  • Ensuring that the updated requirements were consistent with industry standards, reflected operational realities, and aligned with UC Berkeley’s values and risk tolerance 

Success criteria were based on the following two outcomes, both of which were achieved:

  • Developing a proposed draft that addressed all of the elements listed above 
  • Approval of the updated MSSEI by the campus Information Risk Governance Committee, following broad campus review 

In order to accomplish its charge, the MSSEI workgroup reviewed all 350+ requirements from IS-3 and the related UC Standards, as well as all then-existing MSSEI requirements. They analyzed and clarified the intent of each requirement and its relevance for UC Berkeley, often in consultation with additional campus and systemwide subject matter experts, and identified the elements that should be included in the campus minimum security standards. The workgroup was committed to developing a standard that would address key information security risks at UC Berkeley and result in risk reduction, as opposed to taking a simpler “checkbox” approach to information security.  

This was a significant, nearly two-year-long effort requiring dedication, perseverance, collaboration, and the unique expertise of every single workgroup member – both from their own perspective and representing the interests of their campus constituencies. The bulk of the MSSEI Workgroup’s work took place from February 2021 through January 2023. Following an extensive campus review process, the updated MSSEI was approved by the campus Information Risk Governance Committee in February 2024. The success of the MSSEI Workgroup’s efforts and approach was evidenced by broad acceptance of the updated MSSEI during campus review.

UC Berkeley’s MSSEI Workgroup worked collaboratively for nearly two years to analyze each security control from UC BFB IS-3 and the related standards – approximately 350 controls in total – and determine how to incorporate them into Berkeley’s MSSEI. Challenges included clarifying the intent of many of the systemwide requirements and balancing systemwide policy with operational concerns, campus values, risk tolerance, and alignment with industry best practices.  

This complex project required each workgroup member’s unique expertise, both from their own perspective and representing the interests of their campus constituencies. This regularly involved working together creatively to dissect requirements and reconcile differing perspectives, needs, and operational realities in order for the workgroup to accomplish its goals. It also required extensive consultation with campus and systemwide subject matter experts. In addition, the workgroup actively sought out points of view that were not represented among their membership in order to ensure broad input and representation. This increased the project’s complexity but also helped to ensure its success.  

The Impact 

The MSSEI Workgroup’s efforts have a broad, cross-campus impact. The updated MSSEI that they developed defines the minimum level of protection for campus Institutional Information and IT Resources. It applies to all components of information systems used with Institutional Information, regardless of device ownership or location. The workgroup went above and beyond to ensure that the MSSEI supported the needs and values of the campus community, reduced risk, and was achievable. 

The MSSEI Workgroup’s thoughtful, collaborative, and highly consultative approach served as a model for a successful cross-campus and cross-functional workgroup. This also had a positive impact on campus governance’s perception of IT’s responsiveness to the needs of the campus. 

Additionally, the workgroup’s in-depth analysis and collaborative process benefited all UC Locations through numerous improvements and clarifications to the UC systemwide standards that resulted from the workgroup’s feedback and consultation with the Systemwide IT Policy Director. 

The MSSEI Workgroup was primarily active from February 2021 through January 2023. Following an extensive campus review process, the updated MSSEI was approved by the campus Information Risk Governance Committee in February 2024. The success of the MSSEI Workgroup’s efforts and approach was evidenced by broad acceptance of the updated MSSEI during campus review. 

Why It Matters 

The results of the MSSEI Workgroup’s work directly and significantly advanced IT policy at UC Berkeley, helped to mature IT risk management for the entire campus, and also helped to strengthen UC systemwide IT Policy. Their work also strongly aligns with the university’s core mission: the MSSEI Workgroup developed the campus-level information security requirements that enable UC Berkeley’s students, faculty, staff, and researchers to fulfill UC’s mission of teaching, research, and public service. 

Meet the Award-Winning Team 

Team Name: UC Berkeley MSSEI Workgroup 
Award Category: IT Security 
Location: UC Berkeley 

2025 Gold IT Security Award Winners: 

  • Blaine Isbelle – Windows Operations Manager, Data & Platform Services, Berkeley IT, UC Berkeley 
  • Chad Edwards – Information Security Assessments Manager, Information Security Office, UC Berkeley 
  • Chris Hoffman – Retired, formerly IT and Operational Director, Forum for Collaborative Research, and Unit Information Security Lead, School of Public Health, UC Berkeley 
  • Danny Grieb – Data Solutions Director, Campus Applications & Data, Berkeley IT, UC Berkeley 
  • Emily Gladstone Cole – Information Security Analyst, Information Security Office, UC Berkeley 
  • Erin Hancock – Computer Systems Staff, Berkeley Marvell NanoLab at CITRIS, UC Berkeley 
  • Jake F Harwood – Senior Information Security Officer, Information Security Office, UC Berkeley 
  • Jason C. Christopher – Research Computing Architect, Service Lead, Information Security Officer, and Unit Information Security Lead, Research IT, UC Berkeley 
  • John Ives – Information Security Operations Manager, Information Security Office, UC Berkeley 
  • Julie Goldstein – Information Security Policy Program Manager, Information Security Office, UC Berkeley 
  • Mark Kraitchman – Retired/volunteer affiliation, formerly Electrical Engineering and Computer Sciences Department Operations, UC Berkeley 
  • Micah Bot-Miller – Client Technology Services Senior Manager, IT Client Services (Central IT), Berkeley IT, UC Berkeley 
  • Michael Quan – IT Client Services Collaborative Partner (College of Letters & Sciences), Berkeley IT, UC Berkeley 
  • Mike Howard – Unix Operations & Services Analyst, Data & Platform Services, Berkeley IT, UC Berkeley 
  • Mike Jones – Information Security Analyst, Information Security Office, UC Berkeley 
  • Rick Jaffe – Research Data Consultant, Research IT, UC Berkeley 

Read More 

Read the team’s complete UC Tech Awards application

Learn more about the UC Tech Awards Program

Contact 

Julie Goldstein
Information Security Policy Program Manager, Information Security Office
UC Berkeley 

[Cover image and event photo of Julie Goldstein, Emily Gladstone Cole and Mike Jones with UC CIOs Matthew Gunkel, Aisha Jackson and Molly Greek courtesy of Andrew Castro]