UMBC Security Risk - Division of Information Technology

UMBC Security Risk Assessment

Last Modified:
09-16-2011 Michael Carlin
11-07-2012 Laura (adding Titanium (Counseling Services) to chart, process start RL2)
11-13-12 LB/WF update - include 'data' in RLs and eventually add link to revised policy
1/15/2013 Laura - SATrans replaced by BSGTrans, AD in proc, indiv risk doc being worked on. Added Table of contents and link for data use guideline.
1/16 and 1/17/2013 LB/WF update to fit in conjunction with Sensitive Info Policy rewrite and Data Use Doc so all 3 gel.
4/9/2013 - Note: UMBC X-01.00.07 UMBC Policy on Definition of Sensitive Information is the current active policy from the policy site... our new draft; this will need to be changed once it's gone through the policy process.
4/23/13 - LB changed document title to match doc name per Mike. Will check where we link it in.
7/2/2013 - Jack/Mike/LB discussed, Jack signed off. Note: UMBC X-01.00.07 UMBC Policy on Definition of Sensitive Information is the current active policy from the policy site... not our new draft; this will need to be changed once it's gone through the policy process.
8/26/2013 - LB added Spotlight Monitoring to the table.
10/14/2013 - LB added link to RL 2,3 quarterly scanning and vulnerability mitigation process.
10/30/2013 - LB changing link to our Draft policy for cohesiveness. UMBC X-01.00.07 UMBC Policy on Definition of Sensitive Information is the current active policy that this will be replacing.
8/21/2014 - L fixing link to point to policies site for X-01.00.07.
9/2/2014 - added backup server (in progress), adjusted link for department risk, requested final sign off from CISO.
3/27/2015 - Todd confirmed SEVIS is now gone and functionality has been moved within PeopleSoft (Dave); removed entry.

Management Review:
9-16-2011 Michael Carlin
7-02-2013 Jack Suess
5-13-2015 Mark Cather (CISO)

Note: Not all documents below are open to the public; to request access/information please send your request to DoIT-AudComp@umbc.edu
Contents
Background
Risk Level Designation
UMBC Department Risk Evaluation
Risk Mitigation Strategy for Level 2 and 3 Applications and Services
UMBC Systems, Services and Applications Inventory
Table 1

Background

This document explains UMBC's IT risk management process and self-assessment. It includes an inventory of the systems, services and applications included in the self-assessment, the factors considered in ranking the risk and security profile of each, and the risk mitigation strategy for each system, service or application depending on its categorization. The document was originally prepared in response to item II, section 2 of the IT Security Program Standard of the USM Guidelines in Response To The State IT Security Policy (October 2009 Version 1.6), which requires USM institutions to formalize their IT risk management process by identifying critical systems and performing risk self-assessments.

Within UMBC, the Division of Information Technology (DoIT) is responsible for the security of the school's business critical and/or sensitive systems and applications, and for complying with USM IT security guidelines. DoIT has consistently implemented and enforced a variety of technical, procedural, and managerial security controls for UMBC's systems, services and applications by relying upon formal and informal risk assessments coupled with ongoing adoption of contemporary best practices from other USM institutions and from the IT industry.

This risk self-assessment documents management decisions concerning which UMBC systems, services and applications are critical and/or sensitive, the known or perceived risk to those systems, services or applications, and the strategies DoIT employs to mitigate that risk. Each year, or as new hardware or software versions are installed, DoIT reviews the risk analysis for each UMBC infrastructure system.

Risk Level Designation

UMBC designates a security risk level for each of its infrastructure computing systems, services and applications based on the sensitivity level of the data maintained or processed by the system or application. The following security risk levels are used when ranking each system, service, or application:

Level 3 - Highest risk data, systems, applications or services that have externally mandated IT compliance requirements, such as those containing information covered by HIPAA or PCI. Failure to comply with the externally mandated IT security requirements would result in serious financial, legal, or reputational harm to individuals or to the university.

Level 2 - Critical data, systems, applications or services related to or supporting the commitment or management of UMBC funds, and those containing confidential information (e.g. name, SSN, or other combination of personal identifiers) which if compromised could be used to facilitate identity theft.

Level 1 - Business essential data, applications or services that support academic instruction, research data, or general communications and do not contain confidential information. At the discretion of the Audit Committee, certain important Level 1 systems may be designated for an annual system risk assessment, which is reviewed annually to determine whether the system is categorized at the correct risk level.

Level 0 - Other data (e.g. public directory information), systems, applications or services that support individual workstations, personal web pages, IT utilities (e.g. printing), etc., where there is little institutional security risk associated with the system.

See UMBC Sensitive Information Policy X-1.00.07 and UMBC Data Use Guidelines for additional information.

UMBC Department Risk Evaluation

Based on discussions with the Office of Legislative Auditors (OLA) in 2008, and reinforced by our own risk assessment, a few UMBC departments were initially classified as "higher risk" due to the nature of the work those departments perform. These departments have extensive access to financial information, such as electronic funds transfer, confidential personal information, or credit card information. The OLA highlighted the risks associated with Finance and Human Resources as part of its financial audit. As part of our risk review we expanded the list to include additional departments that have a business need to handle confidential data. See UMBC Department Risk Evaluation for additional information on our current process.

Risk Mitigation Strategy for Level 2 and 3 Applications and Services

As part of the risk management process, each system, service or application identified as a Level 2 or higher risk is required to fill out a security risk document using the template below. These documents are designed to identify the risks associated with the system, service, or application and the security controls we have put in place. These security controls may be system administration, application-level, network-level, database-level, or other approaches. The form is developed using Google Apps for Education and can be updated by DoIT staff members as needed.

Template for Individual Risk Assessment Document
Link to Individual Risk Assessment Documentation

See also our Risk Level 2 and 3 Quarterly Scanning and Vulnerability Mitigation Procedure for additional information.

UMBC Systems, Services and Applications Inventory
The following table contains UMBC's inventory of systems, services, and applications, followed by the assigned security risk level. Note: For UMBC-hosted 3rd party applications or vendor-supported systems, UMBC has limited risk management/remediation capability.

Table 1 Systems, Services, and Applications
Columns: System; Risk Level 3 / 2 / 1 / 0 (the per-system risk level marks are not recoverable from this copy and are omitted)

CS Gold (Campus Card)
Micros (Campus Card)
Lenel

Hosted Applications
Point and Click (Health Services)
Hilltop Institute (not managed by DoIT)
Titanium (Counseling Services)

Business and Academic Applications
Peoplesoft Apps.
    Finance
    Human Resources
    Student Administration (Staff and faculty access)
    Student Administration (Student access)
Blackboard
R25
RT
Peoplesoft Document Imaging (Imagenow)
REX (iStrategy)
BSGTrans
Spotlight Monitoring

Services
Active Directory File Service
IDMS (includes Kerberos, LDAP)
Backup Server
Cryptolocker
myUMBC
UNIX GL Infrastructure (AFS and associated infrastructure)
Microsoft Active Directory
Microsoft Infrastructure (authentication, network printers, and file sharing)
Email (Webmail and Google)
Research Computing
Licensed software
USM Services
AOK Library Services (Operated at UMCP)
VPN
Network Security Monitoring
Wireless Access (public and secured)
Internet Access