Information Security Program Assessment
IS-3 Implementation Progress Report (Section III)
Describe campus action, including detail such as breadth, maturity, and effectiveness, and percentage estimates. See examples (yellow) below.
Assignment of responsibility for security (III.A)
Options include: (1) assign responsibility for IT security oversight to a person or persons, (2) create a campus-wide security team, (3) incorporate IT security as a functional area in the existing governance structure, (4) other.
Example: J Smith has been named security officer. A campus security committee called "UCITsecure", consisting of representatives from primary departments, has been formed and meets monthly.
conduct risk assessments (III.B)
Conduct risk assessments of target areas, or assist departments in conducting reviews of possible risks to their resources.
Example: Our campus has not conducted a risk assessment since Y2K. It is, however, a model we could follow. Dep't X conducted a risk assessment of financial loan information.
- inventory resources
Identify equipment, such as servers, desktop computers, laptops, and mobile devices, including the type of information/data stored on or transmitted by those resources.
Example: Our campus has a reporting tool for departments to describe their restricted information. So far we think 65% of departments have reported. We feel we know enough that we can target key areas for implementing specific measures.
- classify resources
Identify the type of information/data on specified resources and assign a classification category, for example: public; personal information subject to security breach notification; departmental financial data; protected loan information; student FERPA data.
Example: Departmental servers store restricted data; desktop computers contain personal email records.
create a security plan (III.C)
Establish the "security objectives" for the resource for confidentiality, integrity, and availability. Determine the security impact of the potential harm that failure to achieve the security objectives would have on operations, function, image/reputation, or protection of personal information.
Example: Some of our research projects require a documented security plan. Many large departments have professional IT personnel who understand the threats and vulnerabilities in their departments and recommend a set of measures to address these risks. Small departments lack professional IT resources.
Security Plan components
Administrative (III.C.1)
workforce and authorization management (III.C.1.a)
Establish procedures; review access rights of the workforce; ensure separation of duties; review privileged account access; provision and de-provision access periodically.
critical positions (III.C.1.b)
Conduct appropriate background checks for personnel recruited for critical positions, in consultation with HR.
consequences of violations (III.C.1.c)
Coordinate with HR regarding appropriate response/disciplinary action for violations of policy/procedures.
Operational/technical controls (III.C.2)
identity and access management (III.C.2.a)
Establish authorization/authentication controls to ensure that only identified, authorized individuals gain access to specified resources.
access controls (III.C.2.b)
Establish appropriate password strategies, implement session controls, and review privileged access rights.
systems and application security (III.C.2.c)
- systems personnel (III.C.2.c.i)
Review system personnel assignments for appropriate classification, security responsibility, and procedures, and ensure appropriate separation of duties.
- back up and retention (III.C.2.c.ii)
Implement routine backup of systems supporting essential activities; deploy encryption where physical protection is vulnerable.
- system protection (III.C.2.c.iii)
Deploy appropriate measures to limit access and to protect resources from malicious software, e.g., viruses, worms, Trojans, spyware, etc.
- patch management (III.C.2.c.iv)
Implement timely update of operating systems and application software.
- system and application software development (III.C.2.c.v)
Development should conform with specifications in IS-10, local standards, procedures, guidelines, and conventions; conduct privacy impact assessments as appropriate.
network security (III.C.2.d)
Establish campus minimum requirements; deploy firewalls and IDS/IPS as appropriate.
change management (III.C.2.e)
Implement change management procedures for major systems.
audit logs (III.C.2.f)
Implement log management strategies.
encryption (III.C.2.g)
Deploy encryption strategies.
Physical/environmental controls (III.C.3)
risk mitigation measures (III.C.3.a)
Establish procedures to protect resources in the event of emergencies.
physical access controls (III.C.3.b)
Control access to facilities by appropriate measures.
tracking reassignment, movement of devices, inventories (III.C.3.c)
Implement procedures to track the movement of devices.
disposition of equipment (III.C.3.d)
Implement procedures to ensure removal of data before equipment is re-deployed, recycled, or disposed of.
portable devices (III.C.3.e)
Implement controls to provide physical security for portable media.
Incident response and notification procedures (III.D)
Establish and implement an incident response plan.
Example: As required by IS-3, our campus has a published incident response plan (url); however, with the recent breach, senior executives pursued alternative processes.
education/training (III.E)
Conduct appropriate security awareness training for faculty, staff, and students.
Example: Training modules are posted on the web and all departments were notified that they should ensure that their staff and faculty complete the training.
vendor agreements
Ensure that contracts with external entities include data security language.
Example: We worked closely with IR&C strategic sourcing to include security requirements in new contracts.
Maturity descriptions
0 - Not performed
1 - Performed informally
2 - Planned and tracked
3 - Well defined
4 - Quantitatively Controlled
5 - Continuously Improving
Campus and unit management risk issues
Risk for campus as a whole
Severe risk of legal liability and/or damage to reputation.
The big picture at the campus level is missing or not understood. Senior management often doesn't understand
depth and breadth of potential risks and doesn't truly understand the business context of different campus units.
Insufficient or ineffective funding.
Absence of accountability, authority, and responsibility for consistent deployment of controls.
Management directives are not followed.
Security practices are not followed: Workforce doesn't follow recommended practices and procedures.
Workforce/student are not aware of their responsibilities.
Inefficient and ineffective security measures deployed.
Control not working as intended; wrong control.
No systematic means to learn if/when an incident may have happened; risk of ineffective/inefficient response.
Risk at the unit management level
Risk of litigation and loss of reputation; loss of business continuity.
Risk of loss of integrity, confidentiality, availability.
Management does not understand the issues or which recommendations to validate.
Units and departments do not have well defined structures and assignment of responsibility.
Workforce management risks: job descriptions are not updated to reflect responsibilities; workforce is not
adequately vetted. Authorized access is not managed adequately. Sanctions applied inconsistently.
Poor risk/threat/vulnerability assessment.
Don't know who owns the data or responsibility for the data.
Do not know where information is stored and processed. Do not know what information is held by
departments/individuals.
Have not identified systems that should have physical and environmental controls, e.g., restricted information
should not be on desktops.
Risk to data held or maintained by outside entities. Risk of litigation.
Inefficient and ineffective security measures deployed.
Directives not followed.
Lack of awareness of responsibility associated with restricted data.
Unauthorized and unauthenticated access.
Lack of logs/audit trail
Campus challenges to achieve effective security.
To what extent is(are) the "security officer(s)/committee" aware of departmental awareness of security risks and implementation of recommended controls?
How much confidence do you have that you know where restricted information is located?
How much confidence do you have that departments/individuals are aware of and comply with campus policies?
To what extent does senior management support efforts to address security?
To what extent does your campus have a governance structure that supports discussion and deployment of
recommended security measures?
Sample campus checklist for vulnerability assessment
Potential impact (mark each that applies to the vulnerability):
  C = risk of security breach / loss of confidentiality
  A = impairment of service / loss of availability
  I = risk to integrity of data or information

Vulnerability
C[ ] A[ ] I[ ]  Inadequate knowledge of where sensitive data or information is stored and how it is managed
C[ ] A[ ] I[ ]  Inadequate control over what information is acquired and/or kept by various applications
C[ ] A[ ] I[ ]  Not all computers have antivirus software and/or up-to-date virus definitions
C[ ] A[ ] I[ ]  Not all computers have integral firewall software and/or use it
C[ ] A[ ] I[ ]  No uniform patch management for all campus computers
C[ ] A[ ] I[ ]  No support for encrypted transmission of data or passwords, e.g., VPN from external locations or SSL/TLS for email
C[ ] A[ ] I[ ]  Inadequate network management tools
C[ ] A[ ] I[ ]  Inadequate network monitoring ability
C[ ] A[ ] I[ ]  No control over access to the local network
C[ ] A[ ] I[ ]  No vulnerability scanning when new connections are made to the network
C[ ] A[ ] I[ ]  Inadequate training for employees on IT in general and security in particular
C[ ] A[ ] I[ ]  Lack of robust electronic identity and access management
C[ ] A[ ] I[ ]  Inadequate use of encryption for data "at rest," particularly on mobile devices
C[ ] A[ ] I[ ]  Lack of pervasive management of logs from campus systems, including network, server, and applications
Department Information Security Checklist
Department ______________________________________________________
Columns: Description | Comments | Response (Yes / No)
Department planning
Who is assigned responsibility for information/ data security policy?
Is there a department information security program?
Has a security risk assessment been conducted? When? By whom?
If a security risk assessment has been conducted, does the security risk
assessment:
– Identify all resources that store or transmit restricted data? E.g. PDA,
servers, laptops, backup systems.
– Identify relevant threats and vulnerabilities?
Is a data inventory maintained? Who maintains the inventory? How was the
inventory compiled? How often is it updated? How is inventory validated?
– Does the department have restricted data, e.g. FERPA, HIPAA, GLB, or
SB1386 (data with SSN and names)?
Is a physical device inventory maintained? Who maintains the inventory? How was
the inventory compiled? How often is it updated? How is inventory validated?
Is an inventory maintained of software added to standard-configuration desktops?
Who maintains the inventory? How was the inventory compiled? How often is it
updated? How is inventory validated?
Who in the department is responsible for configuring devices and systems to ensure
compliance with security and connectivity standards?
Have changes been made to standard desktop configurations? What were the
changes? Who manages and tracks changes?
Incident Response Plan
Does the department have a security incident response plan?
– Who in the department is responsible for handling security incidents
and implementing remediation?
Does the security plan:
Document processes and controls needed to enhance security?
Identify department requirements to access restricted data?
Include staff training?
Include implementation strategies to protect data (see below)?
Securing Restricted Data
Are devices that store or use restricted data (including backups) physically secured?
Is encryption used for transit and storage of restricted data on devices?
Is the number of devices where restricted data is stored or used minimized?
Are network management tools, such as firewalls, IDS, vulnerability
scanning, and content scanning (spam, virus, restricted data, etc.) used?
Is access to restricted data logged?
Describe authentication and access controls.
Is data backed up routinely? How often? Where is the backup data stored? Has the
data restore been tested?
Is there a business continuity plan? Where is the business continuity data stored?
Has the plan been tested?
Security Practices
Are the following application and system security practices implemented?
· Anti-virus real-time protection is active and virus definitions are current (automatic update enabled).
· Windows/MS Office security patch management is current (automatic update enabled).
· Other software security patch management is current (automatic update enabled).
· Unneeded network ports are closed.
· Unused services are turned off.
· Secured applications, such as VPNs, SSH, and SFTP, are used for external connectivity.
· Change monitoring tools are operating (System Restore is enabled in Windows XP).
· Scanning for restricted data is done periodically.
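As an added example, not part of the original checklist or of any campus tool, the following Python script shows one way to do the periodic scan for restricted data named in the last item. It looks for Social Security numbers (the SB1386 trigger data mentioned in the data-inventory question) in text files, filters out numbers the SSA never issues to cut false positives, and masks every number in its report so the findings file does not itself become restricted data. The file extensions, the directory walk, and the sample CSV are assumptions made for the example.

```python
"""Periodic scan for restricted data (SSNs) in text files.

Added example, not part of the campus worksheet. File extensions,
sample text and the directory walk below are constructed assumptions.
"""
import os
import re
from dataclasses import dataclass
from typing import List

# nnn-nn-nnnn, with optional dash or space separators. The digit lookarounds
# stop matches inside longer digit runs such as phone numbers or account IDs.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Assumed set of text-like extensions worth scanning.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".json", ".html"}


@dataclass
class Finding:
    path: str
    line_no: int
    masked: str      # e.g. "***-**-6789": last four only
    context: str     # the line with every SSN redacted


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    and neither are group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Return one Finding per plausible SSN, checked line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if not plausible_ssn(area, group, serial):
                continue
            # Keep a little context so a reviewer can judge the hit, but
            # redact every matched number so the report stays non-restricted.
            context = SSN_RE.sub(lambda mm: f"***-**-{mm.group(3)}", line.strip())
            findings.append(Finding(path, line_no, f"***-**-{serial}", context[:120]))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory and scan each text-like file in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return findings


# Constructed sample: two real-looking SSNs, one never-issued area number,
# one never-issued 9xx number, and phone numbers that must not match.
SAMPLE = """\
name,ssn,phone
Alice Example,123-45-6789,510-555-0100
Bob Example,000-12-3456,510-555-0101
Carol Example,987654321,5105550102
Dan Example,222 33 4444,510-555-0103
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "sample.csv"):
        print(f"{f.path}:{f.line_no}: {f.masked}  {f.context}")
```

Run against a real directory with `scan_tree("/path/to/share")`; the structural filter removes obviously invalid numbers but cannot confirm that a plausible number is a real SSN, so each hit still needs a reviewer to decide whether the file holds restricted data and whether it belongs on that system at all.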
Handling incidents
Have there been instances where confidential/ restricted data was inappropriately
released? Please describe.
What actions, if any, were taken in response to the incident findings or
recommendations?
Were incident reports (initial and final) sent to IR&C?
Who were the members of the incident response team?