Protected Data and Systems Inventory

What is the Protected Data and Systems Inventory?

The Protected Data and Systems Inventory (PDSI) is an inventory of high-risk assets, including data, systems and applications, that store, process or transmit P3 or P4 information or are classified as Critical IT Infrastructure. This not only includes assets on the UCI network, but also assets located at other UC campuses or in the cloud that have access to or contain UCI information.

The PDSI is typically a subset of the full inventory that a Unit may track in their environment and is used to:

• • Identify where all UCI P3/P4 information is located and generally how it is used.
  • Ensure that appropriate security controls and safeguards are in place to adequately protect systems and data according to IS-3 and UCI ISS.
  • Assist with the prioritization of our security alerting and incident response processes.

Each Unit is required to keep this inventory up to date regularly, no less than annually or when there are major changes to your environment. Please note that the PDSI inventory is not a substitute for the full inventory that Units are required to maintain per UCI ISS.

Where is the Protected Data and Systems Inventory Managed?

The PDSI is managed in the UCI security ITRM/GRC tool, OneTrust.

Annual Protected Data and Systems Inventory Update Process

While Units are strongly encouraged to keep the PDSI up to date as changes are made throughout the year, OIT Security Risk and Compliance formally initiates this process annually.

Goals include:

• • Ensuring all P3/P4 systems and data in the Unit have been identified.
  • Adding new PDSI assets that are missing or have been added during the previous year.
  • Archiving PDSI assets that are no longer being used or can be consolidated.
  • Consolidating PDSI assets from individual servers into higher-level applications or services.
  • Communicating summary reports of protected data and systems to Unit Heads for awareness.
  • Providing summary and detail reporting of protected data and systems to the CIO, CISO, CRE and other stakeholders.

This is also a good time to review all systems and data use in the Unit to ensure the P3/P4 data is still needed on these systems. As a general rule, unless law, policy, business or research needs require storing P3/P4 data, it should be eliminated to reduce overall risk. Delete P3/P4 data in a way that is consistent with the UC Records Retention Schedule and UCI Institutional Information Disposal Requirements.

If you need to collect, use and store P3 or P4 data, electronically or on paper, please inform your Unit Information Security Lead (UISL). Your UISL maintains an inventory of data resources to facilitate risk assessment and compliance with law and policy. With assistance from the OIT Security team, your UISL can help you determine the best way to protect your data. All Unit updates to the PDSI are coordinated through the UISL(s).

Quick Links

• • PDSI Current Inventory – Default View
  • PDSI Update Instructions
  • PDSI Metrics Dashboard
  • PDSI Update and Risk Assessment Report
  • PDSI Research Assets Report
  • PDSI Assets by Hosting Type Report

What is Considered an Asset?

Units are encouraged to structure their inventories as consistently as possible, taking a higher-level application or services view of an asset rather than adding each individual server or workstation to the inventory. The focus should be on complete services, applications, business processes or research projects rather than individual servers or other IT components. This not only will make subsequent tasks such as performing risk assessments much easier, but it also provides the OIT Security Team better insight into how individual systems fit together into applications and services that support UCI business, academic and research needs.

Example: An administrative department manages a campus web application (Staff Track) to store and process UCI employee data. This application consists of two web servers, an application server and three clustered database servers. Rather than list each individual server or cluster separately in the inventory, “Staff Track” should be added as the asset, briefly describing the application function and architecture and listing the various server IP addresses in the appropriate OneTrust attribute fields for the asset.

Units, such as OIT, that provide enterprise-wide infrastructure services should also pay specific attention to the IS-3 definition of Critical IT Infrastructure, as those services may fit the criteria and be considered a PDSI asset.

PDSI Classification Tips

• 1. Fits one of the examples on our Protection Levels webpage?
  2. Meets the specific IS-3 criteria for Critical IT Infrastructure? Particularly pay attention to campus enterprise commodity services.
  3. Right-size scope of asset with risk assessment and commonality in mind, and mention subcomponents in description.
  4. Does the record count meet a basic threshold or raise risk level?

Resources

• • Using ITRM/GRC tool (OneTrust)
  • PDSI Training Demo Recording
  • Classifying Institutional Information and IT Resources
  • Classification Decision Tree
  • Unit Information Security Lead List
  • Contact securityrisk@uci.edu for any questions