University of California, Berkeley

Meeting system-wide cybersecurity compliance.

The University of California (UC) is the world’s leading public research university system, with ten campuses, five medical centers, three national labs, and a network of agricultural and natural resource centers. The first campus of the UC system, the University of California, Berkeley (UC Berkeley), was established in 1868 and currently has 14 colleges and schools offering over 350 degree programs to some 31,000 undergraduate and 12,000 graduate students.

The challenge

In late 2018, the University of California Office of the President (UCOP) released the updated and revised Electronic Information Security Policy (IS-3). The policy applies to all UC locations and primarily focuses on risk management, shifting information security risk responsibility to individual units, including vendor risk.

The Information Security Office (ISO) at UC Berkeley needed to figure out a process to help units meet the compliance requirements to comply with the new policy standards.

They needed a centralized and automated solution that would allow them to conduct a custom survey based on ISO 27001, assign permissions to unit risk owners, conduct vendor risk assessments, and roll up data into insightful risk reports and dashboards.

The solution

The UC Berkeley ISO chose Isora GRC from SaltyCloud to help them meet campus-wide compliance with the IS-3.

• The questionnaire builder allowed them to design custom questionnaires complete with custom answer choices, question weighting, survey logic, and help text.
• The assessment engine allowed them to assign role-based permissions to risk owners, including heads and information security leads, and launch and manage surveys across dozens of individual units.
• The inventory manager allowed them to keep track of vendor assessments, products, and details.
• The API allowed them to quickly upload information, like organizational structure, people, roles, questionnaires, and export assessment data for deeper analysis.

The outcome

Since deploying Isora GRC from SaltyCloud in 2020, the UC Berkeley ISO has seen several positive outcomes:

• Provided invaluable insights into critical risks across individual units and the entire campus.
• Helped measure and track unit-level and campus-wide risk improvements year-over-year.
• Allowed them to streamline and automate their vendor risk management process.
• Made it possible to build a culture of risk assessment across the campus.
• Saved hundreds of valuable FTE hours.