Information Security Review for Projects Questionnaire

Introduction
As part of any significant Information Technology Project, it is very important to identify and incorporate
information security requirements at the early planning stage. In doing so, the risk of new security and
compliance problems being introduced into the University environment is greatly reduced. It also
minimizes the risk of project schedule delays and cost overruns when security requirements must be
retrofitted into systems and/or contractual agreements late in the process.
The purpose of this questionnaire is to:
• facilitate identification of security requirements for a given Information Technology Project; and
• help minimize risks associated with planned outsourcing of Mission Critical IT services.
This questionnaire is intended for an Information Technology Project (as defined in the Definitions
Section) that will:
• involve (e.g., create, obtain, transmit, maintain, use, process, store or dispose) institutional data
classified as Highly Sensitive; or
• acquire ongoing vendor IT services (e.g., application software hosting, hardware/software
infrastructure, data storage facilities, staffing, etc.) considered Mission Critical by the project
sponsor.
The questionnaire consists of six sections as follows:
1. Identify sensitivity of data the project involves
2. Describe plans, if any, for use of vendor IT services
3. Describe planned user access methods
4. Describe planned data input/output processes
5. Describe plans for data storage and destruction
6. Review Institutional Data Protection Standards
Directions for Use
1. Joint completion of the questionnaire by the Project Manager and Project Sponsor, with the Project
Manager taking the lead, is recommended.
2. The questionnaire should be completed during the project planning phase when most, if not all,
requested information is known. (See UVa’s IT Project Management Methodology Overview for
activities that typically occur during the project planning phase.) Reviewing UVa’s Institutional
Data Protection Standards prior to completion is recommended.
3. The Project Manager should:
a. submit the completed questionnaire and any additional project information he/she believes
would be helpful, e.g., project charter, to it-policy@virginia.edu;
b. copy the Project Sponsor on the submission; and
c. retain a copy with other project documentation.
Information Security Review For Projects Questionnaire
Version 1.0 April 2013
Page 1 of 7
4. The Information Security, Policy, and Records Management Office will review the questionnaire and
provide the Project Manager and Project Sponsor with any recommendations it has regarding
security and records management measures and/or additional consultation steps.
Definitions
Authentication – The process of verifying the identity of a user. Examples include but are not limited
to use of: user ID/password, hardware token, NetBadge, Enhanced NetBadge.
Authorization – The process of establishing a user’s rights or privileges to access the
software/hardware/data associated with the project.
Encryption – The process of converting data to a form that is incomprehensible, except by the
authorized recipient (human or machine). Data may be encrypted during transmission and/or in
storage. Examples include but are not limited to use of: VPNs (transmission encryption) and
TrueCrypt (storage encryption).
Highly Sensitive Data – Institutional data classified as “Highly Sensitive” include personal
information that can lead to identity theft if exposed and health information that reveals an
individual’s health condition and/or history of health services use. Refer to university policy for
examples.
Information Technology Project – A project having as its primary purpose the creation of a unique
information technology product or service. Consistent with the University Information Technology
Project Management Policy, research projects, research initiatives and instructional programs are
not included in the scope of this definition.
Mission Critical – As a general rule, an asset is critical when its disclosure, modification, destruction,
or misuse will cause harmful consequences to the department’s — or the University’s — goals and
mission, or will provide an undesired and unintended benefit to someone. See Section B. Step 1: IT
Mission Impact Analysis of the University’s Information Technology Security Risk Management
Program for further definition and guidance.
Information Security Review For Projects Questionnaire
Project Name:
Project Manager Name:
Project Sponsor Name:
Date of Questionnaire Submission: 01/02/2013
SECTION 1: IDENTIFY SENSITIVITY OF DATA THAT THE PROJECT INVOLVES
Purpose
This section identifies the sensitivity level of data that the project involves. This information is
needed to determine baseline data security requirements that must be addressed during the
project.
1.1. The project involves: (check all that apply)
The first name or first initial and last name in combination with and linked to any one or more
of the following data elements about an individual:
• Social Security number
• Driver’s license number or state identification card number issued in lieu of a driver’s
license number
• Passport number; or
• Financial account number, or credit card or debit card number.
Information that, if exposed, can reveal an individual’s mental or physical condition and/or
history of health services use (refer to university policy for examples).
Other personally identifiable data the project sponsor considers Highly Sensitive. If checked,
describe here:
If any box above is checked, explain why the involvement of this Highly Sensitive Data is essential to
the system/service to be delivered by the project:
SECTION 2: DESCRIBE PLANS, IF ANY, FOR USE OF VENDOR IT SERVICES
Purpose
This section describes the intent, if any, to acquire ongoing vendor IT services (e.g., application
software hosting, hardware/software infrastructure, data storage facilities, staffing, etc.)
considered Mission Critical by the project sponsor. This information is needed to determine
security requirements that should be considered when evaluating vendor services and negotiating
vendor contracts.
2.1 Will the project acquire ongoing vendor IT services (e.g., application software hosting,
hardware/software infrastructure, data storage facilities, staffing, etc.) considered Mission Critical
by the project sponsor?
Yes
No. If checked, skip to Section 3.
2.2 Briefly describe below the service(s) to be acquired, including names of desired vendor(s) if known:
2.3 The vendor service(s) will be acquired via:
Request For Proposal
Sole Source Procurement
Purchase Order
Agreement to vendor’s online license user agreement
Other. If checked, describe here:
NOTE: If the project will not involve Highly Sensitive Data (no boxes are checked in Sub-section
1.1) and will not acquire ongoing vendor IT services (“no” box checked in Sub-section 2.1), further
completion and submission of this questionnaire is NOT REQUIRED. Otherwise, proceed.
SECTION 3: DESCRIBE PLANNED USER ACCESS METHODS
Purpose
This section identifies the user population who will have access to the IT product or service to be
delivered by the project, as well as planned security access controls. This information will help
determine if additional controls are needed to reduce the risk of unauthorized or otherwise
inappropriate access to sensitive data.
3.1. What UVa organizational units and general user populations, e.g., students, will have access to the
IT product or service delivered by the project?
3.2. What entities external to the University will have access to the IT product or service?
3.3. Briefly describe the process by which Authorization of users will likely be accomplished, if known.
3.4. What means will likely be used to Authenticate system users, if known? (check all that apply)
| Authentication method | Users authorized to access only their own data | Users authorized to access data of other individuals | IT staff authorized to administer the system |
|---|---|---|---|
| User ID and Password | | | |
| NetBadge | | | |
| Enhanced NetBadge | | | |
| Hardware Token | | | |
| Other* | | | |
* If Other, describe here:
SECTION 4: DESCRIBE PLANNED DATA INPUT/OUTPUT PROCESSES
Purpose
This section describes the planned processes for entering data into and sending it out of the IT
product or service delivered by the project. This information will help determine if additional
controls are needed to reduce the risk of unauthorized data exposure or integrity compromise in
input/output processes.
4.1 Will the IT product or service collect information about individuals directly from those individuals?
Yes
No. If checked, skip to Sub-section 4.2.
What method(s) will likely be used for collecting data from the individuals? (check all that apply)
Paper form
Web form
Fax
Phone
Scanned document upload
Other. If checked, describe here:
Is any of the data to be collected from the individuals classified as Highly Sensitive Data?
Yes
No
4.2 Will UVa organizational units enter data into the IT product or service? If so, what data entry
method(s) will likely be used? (check all that apply)
End user input via Web interface
Data entry from collected hard-copy forms
File(s) transferred from other system(s)
Other. If checked, describe here:
Is any data to be entered by UVa organizational units classified as Highly Sensitive Data?
Yes
No
4.3 Will copies of data files be transmitted out of the IT product or service? If so, what transmission
method(s) will likely be used? (check all that apply)
Electronic file transfers to other information systems within UVa
Electronic file transfers to entities external to UVa
Spreadsheets/databases created by users of the IT product or service
Other. If checked, describe here:
For each method checked, briefly describe the purpose of the data file transmission:
Is any data to be transmitted classified as Highly Sensitive Data?
Yes
No
SECTION 5: DESCRIBE PLANS FOR DATA STORAGE AND DESTRUCTION
Purpose
This section describes the plans for storing and destroying data. This information will help
determine if additional controls are needed to reduce the risk of unauthorized data exposure or
integrity compromise while stored and to verify information security and records management
compliance issues are being addressed.
5.1 Where will production and test data likely be stored? (check all that apply)
On server(s) managed by Information Technology Services (ITS)
On server(s) managed by Health Systems Technology Services (HSTS)
On server(s) managed by UVa department staff
On server(s) managed by vendor
Other. If checked, describe here:
If known, provide the ITS/HSTS/UVa department server name(s) and/or storage vendor name(s)
for each location checked:
5.2 What is the planned schedule for purging production and test data from the IT product or service, if
known?
5.3 Where will copies of the IT product or service data likely be stored?
Electronic backup media stored in Information Technology Services (ITS) facility
Electronic backup media stored in Health Systems Technology Services (HSTS) facility
Electronic backup media stored in UVa department facility
Electronic backup media stored in vendor facility
Paper documents stored in UVa department facility
Paper documents stored in vendor facility
If vendor facility checked, provide vendor name if known:
5.4 What is the planned schedule for destroying copies of data, if known?
5.5 If copies of Highly Sensitive Data will be stored, will they be encrypted? (See “Encrypting Your Data” for
guidance.)
Yes
No. If checked, explain why not here:
SECTION 6: REVIEW INSTITUTIONAL DATA PROTECTION STANDARDS
Purpose
This step helps verify that the IT product or service delivered by the project will meet UVa’s
Institutional Data Protection Standards.
6.1. UVa’s Institutional Data Protection Standards specify mandatory security requirements for each
classification of data that will be used by the IT product or service. If there are any questions
concerning these standards, please indicate those here: