UNIVERSITY OF CALIFORNIA, SANTA CRUZ

IT SECURITY COMPLIANCE SELF-ASSESSMENT

KEY: yellow areas = Information requested
INSTRUCTIONS:

1. Start here. Complete this worksheet, filling out yellow areas.
2. Continue on and complete the Assessment Worksheet, working with both System Steward and IT Service Provider representatives.
3. Return to Janine Roeth via secure means by December 1, 2008. If you have any questions, please contact itpolicy@ucsc.edu.
4. Campus Governance has advised that System Steward representatives advise Principal Officers on key issues and develop security plans.

Description of environment being assessed:

Organization:

Contact Person:

List of systems, computers (including home computers used for university business), devices, applications, and data sources:

List roles with access, including roles with update or admin privileges:

Assessment Contributors:

Description and Classification of Information

Description of Information: Please generally describe the type of information in these systems, including what business functions are supported.

Sensitivity requirement (impact of unauthorized access or disclosure):
  High = Restricted data
  Moderate = Confidential data
  Low = Non-confidential data

If Sensitivity is High, are full Social Security Numbers stored?

If full Social Security Numbers are stored, please explain the business need or law that requires having them.

If no business need or law requires storing full Social Security Numbers, is there a plan to redact or remove them? If yes, please describe.

Availability requirement:
  Essential to the continuing operation of the University. Failure to function correctly and on schedule could result in a major failure to perform mission-critical functions, a significant loss of funds or information, or a significant liability or other legal exposure.
  Necessary to perform important functions, but operations could continue for a short period of time without those functions while normal operations are being restored.
  Deferrable while operations continue for an extended period of time without those systems or services performing correctly or on schedule.

If availability is "Essential", list key physical locations for these systems.

Confidential: Security Sensitive – Not For Public Disclosure (2008, b4674562-61d2-435f-83ea-ac3838f6e739.xls)

Assessment Worksheet columns: IS-3 Policy Requirements | Questions to Consider (reference to help with responses) | Responses | Maturity Level (see Maturity Levels tab) | Action Plan (describe any projected improvements for next year). Each entry below gives the IS-3 Policy Requirements and the Questions to Consider; the Responses, Maturity Level and Action Plan columns are left for the organization being assessed to complete.


Security Program

Identification of Information Security Officer (III.A - page 4)

IS-3 Policy Requirements:
Designate an individual to perform the function of an Information Security Officer(s) on each campus.

Questions to Consider:
CAMPUS-LEVEL IMPLEMENTATION: The Director, Client Services and Security in ITS is the designated IS-3 Information Security Officer for UCSC.

Security Plan (III.C - page 6)

IS-3 Policy Requirements:
Define/update the "security objectives" for confidentiality, integrity, and availability of information resources, describing the potential harm/security impact that failure to achieve security objectives would have on the operations, function, image/reputation, or ability to protect

Questions to Consider:
Each organization should have a security plan in place defining their resources rating/risk (restricted/confidential/essential) with the appropriate level of protection implemented depending on risk. This plan should include actions taken for mitigation appropriate to risk level. Describe your security plan and any action/security plans you create resulting from this or other security reviews.

Education & Security Awareness Training (III.E - page 24)

IS-3 Policy Requirements:
Conduct appropriate security awareness training for faculty, staff, and students.

Questions to Consider:
BACKGROUND: General and restricted data self-paced security training materials are available online (http://its.ucsc.edu/security_awareness/) and incorporated into campus new employee orientation and Staff Training & Development curriculum. Campus awareness activities occur via email and during National Cyber Security Awareness Month (October). Divisional security activities derive from central communications, local operational needs, and event-driven responses.
QUESTIONS: Describe your program to provide security information to your workforce, including the proper handling of information and how information about relevant policies and laws is distributed. Is training required for access to this system or service? If so, does it include security information, either general (e.g. ITS Top 10 List) or specific to the systems/service (e.g. restricted data reminders)? Do you include security information in response to security-related events?

Identity and Access Management

IS-3 Policy Requirements:
* Control accurate identification of authorized University community members and that provides authenticated access to and use of network-based services.
* Control access by authentication and authorization mechanisms to insure that only identifiable individuals with appropriate authorization gain access to specified computing and information resources. [Identity and Access

Questions to Consider:
BACKGROUND: UCSC has an identity management system (IdM) that is based on the CruzID.
QUESTIONS: Is authentication used for access to these systems or services? Does this system or service utilize the CruzID name as part of authentication? Is the authentication system local or is it integrated with something central, e.g. kerberos or Active Directory? What is the mechanism for handling authorization, e.g., is it technically enforced within the application?

Security Program Processes

Risk Assessment, Asset Inventory & Classification (III.B - page 4)

IS-3 Policy Requirements:
* Inventory computing devices (servers, desktop computers, laptops, mobile devices, storage devices, etc.) and the characteristics of the information/data stored on or transmitted from/to those computing devices. Inventory applications and the characteristics of the data stored by or transmitted from/to those applications.
* Classify each computing device and application based on the characteristics of the associated stored data or data transmitted from/to the computing device or

Questions to Consider:
Include inventory and classification information on page 1 of this assessment. Are you taking into account all the places where your data may be stored, including desktops, reports, portable devices, etc.? Additionally, is education in place instructing people to minimize storage and transmission of restricted data, such as by deleting, redacting or de-identifying restricted data whenever possible, including from storage devices? Are people aware of Office of Record ... copies live?)

Risk Assessment (III.B)

IS-3 Policy Requirements:
* Understand and document the risks in the event of failures that may cause loss of confidentiality, integrity, or availability of information resources.
* Identify the level of security necessary for the protection of information resources.

Questions to Consider:
Include inventory and classification information on page 1 of the assessment. This assessment worksheet identifies the controls in place and the maturity level of those controls. Review security requirements based on sensitivity from the matrix: http://its.ucsc.edu/security/policies/protection_matrix.php.
QUESTIONS: What are your gaps in required security controls (based on this assessment)? Identify if the risk is low, medium or high. Determine cost-effective actions, and document

[Workforce] Administrative (III.C.1 - page 6)

IS-3 Policy Requirements:
* Control how faculty, staff, students, and other affiliates are granted access privileges to computing and information resources and how those privileges for individuals are altered or revoked. Review privileged account access.

Questions to Consider:
BACKGROUND: The Support Center handles account management related to CruzID and the Identity Management system (IdM). This includes creation, modification and termination of accounts. Validation of the CruzID is primarily through IdM, which is fed from authoritative systems.
QUESTIONS: Is there a formal authorization process for obtaining access to systems or data? Who is responsible for granting authorization? Please describe the authorization process. How about for obtaining privileged/admin access at any level, e.g. root access, superuser access, privileged application or database access, etc.? Does the Support Center have a role in account management for your system or service? Are procedures in place to ensure prompt modification or termination of access or authorization levels in response to user separation or change in role? Including for people with privileged access? Are privileged accounts and individuals with access to these accounts reviewed

IS-3 Policy Requirements:
* Conduct appropriate background checks for personnel handling information classified as "sensitive" or "to be protected."

Questions to Consider:
BACKGROUND: Campus HR procedures exist for identifying positions requiring background checks. ITS requires all staff to have background checks as a standard part of the recruitment process.
QUESTIONS: Are required background checks for employees in your organization implemented promptly upon hire or reclassification? Do you know whether other departments do the same for people who have access to your system?

IS-3 Policy Requirements:
* Take appropriate personnel/disciplinary action(s) for violations of policy/procedures.

Questions to Consider:
BACKGROUND: Campus procedures for reporting violations of law or policy/procedures include but aren't limited to the Whistleblower, Title IX, Ombudsman, Human Resources, Labor Relations, and Student Judicial Offices, campus police, and reporting to a supervisor.
QUESTION: Is management aware of campus procedures for reporting violations of law or policy/procedures? Are individuals? Does the department have any local procedures in addition to campus procedures? Are violations and

Applications Systems Management

IS-3 Policy Requirements:
* Control application systems development/maintenance through conformance with specifications in IS-10, local standards, procedures, guidelines, and conventions; conduct application vulnerability assessments as appropriate. [System & Applications Software Development (III.C.2.c.v)]

Questions to Consider:
QUESTIONS: Describe the process used to develop/deploy new application(s) from inception (requirements, function, funding), to development (coding standards, application security, authentication/authorization), and deployment (workflow, management approval, alpha/beta testing and pilot, release). Does application development and maintenance conform to the specifications of UC BFB IS-10, Systems Development and Maintenance Standards? Does application development take into account business decisions about how restricted or confidential information should be collected, stored, shared, and managed? Are application vulnerability assessments performed? Is appropriate separation of duties in place? Is data in test, training and development systems protected according to its classification, including

IS-3 Policy Requirements:
* Control production application software modification through change management procedures for major systems. - [Change Management (III.C.2.e)]

Questions to Consider:
BACKGROUND: ITS has adopted a divisional change management process for outage communications and maintenance window guidelines.
QUESTIONS: Explain procedures used to manage and document changes. Include any method in place to provide history of changes. Are change management procedures in place where restricted data is involved and for essential systems? Are changes tested and backout plans developed? Is

Risk Mitigation Measures (III.C.3.a - page 20)

IS-3 Policy Requirements:
Protect resources in the event of emergencies.

Questions to Consider:
BACKGROUND: If the system or service is in the ITS Data Center, this information is provided by the ITS Core Tech Operations group. The Data Center has regular data backups and mitigations for infrastructure failures, including power, fire, flooding.
QUESTIONS: Where is this system or service housed, including backups? If not in the ITS Data Center, or for any portions not in the Data Center, describe what is in place for the prevention, detection, early warning of, and recovery from emergency conditions. For example, are there locks, is there UPS or generator back-up power, is there fire suppression? Are procedures in place to protect restricted data during emergencies when focus may be elsewhere? Are there regular

Incident Response Planning & Notification Procedures (III.D - page 21)

IS-3 Policy Requirements:
Maintain incident response and notification processes.

Questions to Consider:
BACKGROUND: The campus has an implementation plan for protection of electronic restricted data (http://its.ucsc.edu/security/policies/ucsc_breach_guideline.php) and data security incidents are to be reported to help@ucsc.edu.
QUESTIONS: Is everyone aware of campus procedures for reporting and responding to potential security incidents? Do additional departmental procedures exist, and if so, are

Third Party Agreements (III.F - page 28)

IS-3 Policy Requirements:
Ensure that contracts with external entities include data security language.

Questions to Consider:
BACKGROUND: Purchasing has adopted the use of the Appendix DS for all vendor contracts using a PO, with additional HIPAA BAA or PCI-DSS language for new agreements when they are informed it is needed.
QUESTIONS: Did Purchasing or Business Contracts review/execute all contracts and POs with vendors that have access to the systems or data? Was additional language, e.g. for HIPAA or PCI, required? Were any of these contracts or POs executed before 2006? If so, they may need to be reviewed for appropriate language. Is a non-UCSC party managing a web site for you that collects sensitive data, such as SSN, credit card info, or other PII or restricted data? If so, was this approved through the appropriate campus

Security Controls

Access Controls (III.C.2.b - page 11): Control passwords and sessions to minimize risk of unauthorized access to restricted computing and information resources

IS-3 Policy Requirements:
* Control passwords through password management conventions and vulnerability assessment procedures. - [Passwords and other authentication credentials (III.C.2.b.i)]

Questions to Consider:
BACKGROUND: UCSC has a password policy. The associated standards are available at http://its.ucsc.edu/security/policies/password.php
QUESTIONS: Do passwords comply with UCSC password strength and security requirements? Is the password policy technically enforced by your system or service? If not, describe any limitations that prevent this and additional mitigations to compensate. Are passwords tested for strength? Are there any expiration or password aging policies? Do individuals have unique access

IS-3 Policy Requirements:
* Control access to working sessions through session timeout mechanisms. - [Session protection (III.C.2.b.ii)]

Questions to Consider:
QUESTIONS: Is there a session timeout for the application, including for administrators? Are users encouraged to implement screensaver locks at the desktop? Are desktops configured to automatically lock or go to screensaver after a period of

IS-3 Policy Requirements:
* Control privileged account access through defined procedures for providing privileged accounts and reviewing activity under privileged account. - [Privileged access (III.C.2.b.iii)]

Questions to Consider:
QUESTIONS: See "[Workforce] Administrative," above for the process for obtaining privileged access/accounts. Is privileged access and activity logged? Are logs reviewed periodically? Are they reviewed in response to potential security events? Do individuals have unique access credentials for privileged access?

Systems and Application Security (III.C.2.c - page 14)

IS-3 Policy Requirements:
* Control systems-level access through review of personnel assignments for appropriate classification, security responsibilities, and separation of duties. [Systems Personnel (III.C.2.c.i)]

Questions to Consider:
BACKGROUND: Central systems and applications are supported by ITS employees with IT-related classifications.
QUESTIONS: Do job descriptions for individuals who provide application and system support accurately reflect their duties and access to restricted data or systems? Are individuals who provide IT-related services trained and knowledgeable in these areas of responsibility? Do defined procedures exist for reviewing personnel assignments for appropriate classification, security

IS-3 Policy Requirements:
* Backup systems supporting essential activities; encrypt data where required to secure backup data. - [Back Up and Retention (III.C.2.c.ii)]

Questions to Consider:
BACKGROUND: If the system or service is in the ITS Data Center, this information is provided by the ITS Core Tech Operations group. The Data Center has regular data backups.
QUESTIONS: Are backups containing restricted data stored securely and/or encrypted? For all systems, including those in the Data Center, is recovery of data tested? Is data integrity/user functionality ensured/verified upon recovery or restore? Is a retention and disposition schedule in place for backups? Also see "Risk Mitigation

IS-3 Policy Requirements:
* Protect computing and information resources from malicious software (e.g., viruses, worms, Trojans, spyware, etc.) - [System Protection (III.C.2.c.iii)]

Questions to Consider:
BACKGROUND: For systems in the ITS Data Center, firewalls provide a level of protection against malicious software.
QUESTIONS: Is anti-virus and anti-spyware installed, running, and logging? Are they current and up-to-date? How is this verified? For systems not in the ITS Data Center, is a firewall in place?

IS-3 Policy Requirements:
* Maintain currency of operating systems and application systems software. - [Patch Management (III.C.2.c.iv)]

Questions to Consider:
QUESTIONS: Describe the patching process, including frequency, whether it is a manual or automatic process, and verification. Is there a testing or backout procedure? What is the process for severe or critical updates?

Audit Logs (III.C.2.f - page 17)




     Confidential: Security Sensitive – Not For Public Disclosure                                           Page 7 of 13                             2008, b4674562-61d2-435f-83ea-ac3838f6e739.xls
UNIVERSITY OF CALIFORNIA, SANTA CRUZ
IT SECURITY COMPLIANCE SELF-ASSESSMENT


IS - 3 Policy Requirements Questions to Consider
                                                                                                 Responses                  Maturity Level                        Action Plan
                                        Reference to help with responses                                                                                          Describe any projected
                                                                                                                            See Maturity Levels tab               improvements for next year
Monitor for attempted/actual            QUESTIONS: Are available logs enabled at the
unauthorized access through review      OS, application/database, and workstation level?
                                        Including logs of privileged access and activities?
of access and audit logs.               Are procedures in place to proactively review logs
                                        or is review event-driven, such as in the case of
                                        problems or potential security incidents?
Encryption (III.C.2.g - page 18)
Control risk of unauthorized access to "sensitive"/"restricted" data by use of encryption.
    QUESTIONS: Describe encryption methods or mitigating controls: Are passwords or other authentication tokens encrypted in transit and in storage? Is restricted data encrypted during transmission, including printing? Is stored restricted data encrypted? How about database tables or columns with restricted data elements? Is restricted data on backups, portable devices and media encrypted or otherwise protected? Are encryption keys secure? Are encryption keys managed to ensure availability of essential data?

Physical/Environmental Controls (III.C.3 - page 19)
* Control access to facilities by appropriate measures. - [Physical Access Controls (III.C.3.b)]
* Track movement of devices. - [Tracking Reassignment or Movement of Devices & Stock Inventories (III.C.3.c)]
* Remove data before equipment is re-deployed, recycled, or disposed. - [Disposition of Equipment (III.C.3.d)]
    BACKGROUND: If the system or service is in the ITS Data Center, this information is provided by the ITS Core Tech Operations group. Access to the Data Center is regulated by the Data Center Access Policy as well as physical security controls (i.e. locks). Movement of equipment is tracked; rack inventory is updated as needed and reviewed quarterly. Devices are stored securely pending secure destruction (ITS adopted a secure media destruction service in 2007-08); locksafes/fireproof vaults are used for media.
    QUESTIONS: Where is this system or service housed, including backups? If not in the ITS Data Center, or for any portions not in the Data Center:
      * Describe the physical security controls protecting access to the facility, systems and data, including backups and portable devices.
      * Are facility access policies in place, including procedures to verify the identity of individuals and tracking of entry and exit, including for visitors and guests?
      * Are all critical and restricted systems locked down?
* Control physical security of portable media. - [Portable & Media Devices (III.C.3.e)]
    QUESTIONS: Are portable devices and media used? If so, are procedures in place to ensure their physical security? Are laptop computers locked down? Is restricted data on portable devices and media encrypted? Is there a practice of reviewing and deleting data from portable devices when no longer needed?




    Confidential: Security Sensitive – Not For Public Disclosure                                             Page 8 of 13                             2008, b4674562-61d2-435f-83ea-ac3838f6e739.xls


Columns: IS-3 Policy Requirements | Questions to Consider (reference to help with responses) | Responses | Maturity Level (see Maturity Levels tab) | Action Plan (describe any projected improvements for next year)
Network Security (III.C.2.d - page 17) / Minimum Requirements for Network Connectivity (IV)
Control network and computing resources exposure to risk through minimum network connectivity requirements, firewalls and Intrusion Detection System/Intrusion Prevention System (IDS/IPS) as appropriate:
* Control access to networked devices through authentication measures (e.g. user name/password or better). - [Access Control Measures (IV.A.)]
    See "[Workforce] Administrative" and "Access Controls," above (all columns).
* Protect passwords or other authentication tokens while in transit through the use of encryption. - [Encrypted Authentication (IV.B.)]
    See "Encryption," above (all columns).
* Control potential security loopholes by maintaining current operating system, application software, and firmware code on all devices connected to the network. - [Patch Management Practices (IV.C.)]
    See "Systems and Application Security," above (all columns).
* Protect networked devices against malicious software. - [Malicious Software Protection (IV.D.)]
    See "Systems and Application Security," above (all columns).
* Control the use of networked devices for intended purposes by eliminating unnecessary services from devices. - [Removal of Unnecessary Services (IV.E.)]
    QUESTIONS: Are services not necessary for operation disabled, turned off or removed, including ports, relays, and default accounts?
* Control network communications to/from networked devices through host-based firewall software, as available. - [Host-based Firewall Software (IV.F.)]
    QUESTIONS: Are host-based firewalls enabled and properly configured, where available? What about network firewalls and Intrusion Detection System/Intrusion Prevention System?
* Prevent networked devices from becoming unauthorized email relays. - [Authenticated Email Relay]
    QUESTIONS: Do you run any email relays? Are they properly configured? Can this be demonstrated?
* Control access to network proxy servers through authentication. - [Authenticated Network Proxy Servers (IV.H.)]
    QUESTIONS: Do you run any network proxy servers? Is access controlled through authentication? Can this be demonstrated?




* Control access to restricted or essential services by limiting unattended/inactive sessions through session timeouts. - [Session Timeout (IV.I)]
    See "Access Controls," above (all columns).

Special Categories of Data
HIPAA Security Rule / UCSC Practices for HIPAA Security Rule Compliance
    If ePHI is present, is the department represented on the campus HIPAA Security Rule Compliance Team? Are the HIPAA Practices implemented? http://its.ucsc.edu/security/docs/hipaa_practices.pdf

Payment Card Industry Data Security Standard (PCI DSS)
    If credit card information is stored, processed or transmitted, has the campus PCI Compliance Team been informed? Is the credit card environment PCI compliant? http://its.ucsc.edu/security/policies/pci.php




Maturity Levels

0 Not Performed: Complete lack of any recognizable processes. The institution has not even recognized that there is an issue to be addressed.

1 Performed Informally: There is evidence that the institution has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.

2 Planned and Tracked: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on

3 Well Defined and Communicated: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the

4 Managed and Measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented

5 Continuously Improved: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making
Impact     Availability   SSN
High       Essential      Yes
Moderate   Necessary      No
Low        Deferrable