[Project Name] Planning: Security and Risk Plan Instruction This document is used to define the technology-related risks and security needs associated with NUIT projects. This document outlines the process by which risk and security needs are assessed and includes a sample Risk Analysis Questionnaire. The data collected with the attached questionnaire will provide insight to the project manager and project team as to the level of involvement Information Security will have on the project. Specifically, this will raise security awareness within project team and avoid the need for Information Security staff from attending all project meetings and reading detailed project documentation. Procedure As soon as the project enters the planning phase the Risk Analysis Questionnaire should be completed. The questionnaire is included as page 2 of this planning document. Completing the Questionnaire Effective use of the questionnaire presumes a comprehensive understanding of the value of the systems and information being assessed. When determining the value, consider any laws, regulations, policies or standards that establish specific requirements for integrity, confidentiality, authenticity, and non-repudiation of data and information in the system. Confidentiality – The information requires protection from unauthorized disclosure. Integrity – The information must be protected from unauthorized, unanticipated, or unintentional modification. This includes, but is not limited to: Availability – The information technology resource (system or data) must be available on a timely basis to meet mission requirements or to avoid substantial losses. Availability also includes ensuring that resources are used only for intended purposes. Consider the information processed by the system and the need for protective measures. Reference the Business Impact Analysis Workshop document for recovery time frames. Data Analysis Send completed questionnaire to the Information Security Office BEFORE creating the project plan. Date Printed: 3/22/2016 File Name: Document1 Page 1 of 3 NUIT Confidential Document Tracking Date Date Printed: 3/22/2016 File Name: Document1 Action Taken By Whom Page 2 of 3 NUIT Confidential Technology Risk Analysis Questionnaire Project Number and Title: Responder: Date: QUESTION Is the project requesting a modification to established information security policies or standards? (Implication: 1. Any change in the information security controls must be reviewed for impact across the enterprise). If “YES”, provide details. Does this project cut across multiple lines of business in a new or unique manner for which no approved security requirements or design models exist? (Implications: One business unit cannot put another at risk without both parties knowing it and allowing it to occur.) If “YES”, provide details. 2. Does this project include applications and information with regulatory compliance significance (or other contractual conditions that must be formally complied with) in a new or unique manner for which no approved 3. security requirements or design models exist? (Implication: Noncompliance with regulations and contractual commitments can incur penalties.) If “YES”, provide details. Does this project have privacy implications because of the use of customer or internal personnel information? (Implication: Protecting personal information of customers and employees is mandated by many laws, rules, and 4. regulations. Not complying with such requirements could result in punitive damages being applied to the enterprise and lawsuits form affected parties.) If “YES”, provide details. Is there new technology involved, never before used by the organization? (Implication: New technology can introduce new information security risk into the enterprise. Identifying that risk must be done early in the project to provide time to research mitigating controls or delay the project.) If “YES”, provide details. 5. Does this project include third-party service providers conducting business on behalf of the organization? (Implication: The use of third-party service providers can introduce new information security risk into the enterprise and into the overall business process. That risk must be identified early in the project to provide time 6. to assess the other party’s information security processes and mitigating controls, introduce contractual requirements such as acceptance of liability in the event of a security breach introduced through either party, research and implement additional mitigating controls on all sides, or delay the project.) If “YES”, provide details. Will this project involve a major change to the IT infrastructure? (Implication: A change to the established infrastructure could mean a change in the information security architecture and implementations. Changes to processes, procedures and mitigating controls might be required because of the infrastructure change.) If “YES”, provide details. 7. Will there be a need to modify established identity and access management processes and infrastructure? (Implication: Business process changes often indicate changes to the access control infrastructure. Not applying such changes can put the enterprise at risk of unauthorized access.) If “YES”, provide details. 8. Will this project have an impact on current business continuity, disaster recovery processes and infrastructure? (Implication: Changes in business and IT processes and infrastructure often make established business 9. continuity and disaster recovery plans out of date. Not applying changes to the enterprise’s recovery plans and infrastructure puts the enterprise at risk in the event of an interruption in the normal business process.) If “YES”, provide details. Please send completed questionnaires to the Information Security Office. YES NO