Assessment, Authorization, and Monitoring Standard

Description

The university develops, disseminates, and periodically reviews/updates formal, documented procedures to facilitate the implementation of the Information Security Program (ISP). The Chief Information Security Officer (CISO) is responsible for reporting to Senior Leadership and the Board of Trustees the status of the Program.

Scope

This policy applies to everyone who accesses University data or information resources.

Security Requirements

NIST 800-171 references the following security requirements within the Security Assessment family:

  • Periodically assess the security controls in organizational systems to determine if the controls are effective in their application [3.12.1].

  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems [3.12.2].

  • Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls [3.12.3].

  • Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems [3.12.4].

Other compliance requirements:

  • FERPA

  • HIPAA

  • GLBA/Red Flags Rule

  • CMMC

  • Data Use Agreements (DUA) Implementation

Implementation

Control Assessments

A periodic review of the university’s Information Security Program will be performed, based on risk management decisions, by Internal Audit or other independent individual(s) to evaluate the effectiveness and completeness of security controls in protecting the vital interests of the University. This review will include both centralized (LTS managed) and decentralized (non-LTS) systems.

Information Exchange

Sensitive data shared between internal or external systems must be authorized by the appropriate Data Steward responsible for that data. Approval shall be documented through MOU, SLA, ticketing system or other vehicle which notes the approver, any conditions, duration and the sensitive data elements to be shared. Changes shall also require documented approval.

Continuous Monitoring

Develop an ongoing assessment of Information Security Program effectiveness:

  1. Develop and maintain metrics providing insight into the state of confidentiality, integrity and availability of critical information resources and systems.

  2. Benchmark the security program against peer institutions and industry best practices and norms.

  3. Assess security controls and information at a frequency sufficient to support risk-based decisions.

Reporting will be made available to information system owners, data stewards, the Vice Provost of Library and Technology Services, Senior Leadership and the Board of Trustees.

Authorization

The university authorizes information systems before they are put into production or when significant changes are made. When sensitive or regulated data is used by these systems, approval by the Office of Information Security will be required.

Penetration Testing

The purpose of penetration testing is to validate that the security controls are performing as designed. Control gaps that are identified during the process must be remediated.

Independent

Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems.

Independent penetration tests shall be conducted:

  1. As required by law, regulation or agreement.

  2. As required to maintain compliance or certification.

  3. Prior to implementing systems which the CISO identifies as significantly increasing the risk to the University.

  4. At minimum, annually.

Results of penetration tests shall be reported by the CISO to the Board of Trustees through Internal Audit.

Internal (Red Team)

Red team exercises extend the objectives of penetration testing by examining the security and privacy posture of organizations and the capability to implement effective cyber defenses.

Red team exercises shall be conducted at minimum annually:

  1. Establish a Red team and a Red team leader.

  2. Maintain documentation of Red team procedures and protocols.

  3. Conduct one red team exercise per year, authorized by the CISO.

Results of red team exercises shall be reported to the CISO.

Plan of Action and Milestones

The ISP is designed to meet the security and compliance requirements of the University for the purpose of maintaining the appropriate level of risk. Deficiencies in the security, privacy and compliance controls will be officially documented within the risk register. The risk register will guide decisions to improve and implement appropriate controls which will be formally documented with actionable deadlines and milestones.

Related

Detail associated standards and guidance.

Definitions

Sensitive Data - Class I and, in certain situations, Class II data.

Data Steward - Data Stewards are designated senior University officials who have planning and policy-level responsibilities for data in their functional areas. Data Stewards are responsible for recommending policies and establishing procedures and guidelines concerning the accuracy, privacy, and integrity of the data subsets for which they are responsible.

Revision History

Date          | Version | Description       | Approval
--------------|---------|-------------------|-----------------
Apr 21, 2020  | 1.0     | Original Document | Draft
May 15, 2020  | 1.0.1   | Modifications     | Draft
Nov 18, 2020  | 1.1     | Modifications     | Ready for review
Apr 1, 2021   | 1.1     | Approved CISO     | Approved