Security and Risk Plan - Northwestern University Information

[Project Name]
Planning: Security and Risk Plan
Instruction
This document is used to define the technology-related risks and security needs associated with
NUIT projects. This document outlines the process by which risk and security needs are assessed
and includes a sample Risk Analysis Questionnaire.
The data collected with the attached questionnaire will provide insight to the project manager and
project team as to the level of involvement Information Security will have on the project.
Specifically, this will raise security awareness within the project team and avoid the need for
Information Security staff to attend all project meetings and read detailed project
documentation.
Procedure
As soon as the project enters the planning phase the Risk Analysis Questionnaire should be
completed. The questionnaire is included as page 2 of this planning document.
Completing the Questionnaire
Effective use of the questionnaire presumes a comprehensive understanding of the value of the
systems and information being assessed. When determining the value, consider any laws,
regulations, policies or standards that establish specific requirements for integrity, confidentiality,
authenticity, and non-repudiation of data and information in the system.

Confidentiality – The information requires protection from unauthorized disclosure.

Integrity – The information must be protected from unauthorized, unanticipated, or
unintentional modification. This includes, but is not limited to:

Availability – The information technology resource (system or data) must be available on a
timely basis to meet mission requirements or to avoid substantial losses. Availability also
includes ensuring that resources are used only for intended purposes.
Consider the information processed by the system and the need for protective measures. Reference
the Business Impact Analysis Workshop document for recovery time frames.
Data Analysis
Send completed questionnaire to the Information Security Office BEFORE creating the project plan.
Date Printed: 3/22/2016
File Name: Document1
Page 1 of 3
NUIT Confidential
Document Tracking
Date | Action Taken | By Whom
Technology Risk Analysis Questionnaire
Project Number and Title:
Responder:
Date:
QUESTION | YES | NO

1. Is the project requesting a modification to established information security policies or standards? (Implication:
Any change in the information security controls must be reviewed for impact across the enterprise.)
If “YES”, provide details.

2. Does this project cut across multiple lines of business in a new or unique manner for which no approved security
requirements or design models exist? (Implication: One business unit cannot put another at risk without both
parties knowing it and allowing it to occur.)
If “YES”, provide details.

3. Does this project include applications and information with regulatory compliance significance (or other
contractual conditions that must be formally complied with) in a new or unique manner for which no approved
security requirements or design models exist? (Implication: Noncompliance with regulations and contractual
commitments can incur penalties.)
If “YES”, provide details.

4. Does this project have privacy implications because of the use of customer or internal personnel information?
(Implication: Protecting personal information of customers and employees is mandated by many laws, rules, and
regulations. Not complying with such requirements could result in punitive damages being applied to the
enterprise and lawsuits from affected parties.)
If “YES”, provide details.

5. Is there new technology involved, never before used by the organization? (Implication: New technology can
introduce new information security risk into the enterprise. Identifying that risk must be done early in the project
to provide time to research mitigating controls or delay the project.)
If “YES”, provide details.

6. Does this project include third-party service providers conducting business on behalf of the organization?
(Implication: The use of third-party service providers can introduce new information security risk into the
enterprise and into the overall business process. That risk must be identified early in the project to provide time
to assess the other party’s information security processes and mitigating controls, introduce contractual
requirements such as acceptance of liability in the event of a security breach introduced through either party,
research and implement additional mitigating controls on all sides, or delay the project.)
If “YES”, provide details.

7. Will this project involve a major change to the IT infrastructure? (Implication: A change to the established
infrastructure could mean a change in the information security architecture and implementations. Changes to
processes, procedures and mitigating controls might be required because of the infrastructure change.)
If “YES”, provide details.

8. Will there be a need to modify established identity and access management processes and infrastructure?
(Implication: Business process changes often indicate changes to the access control infrastructure. Not
applying such changes can put the enterprise at risk of unauthorized access.)
If “YES”, provide details.

9. Will this project have an impact on current business continuity, disaster recovery processes and infrastructure?
(Implication: Changes in business and IT processes and infrastructure often make established business
continuity and disaster recovery plans out of date. Not applying changes to the enterprise’s recovery plans and
infrastructure puts the enterprise at risk in the event of an interruption in the normal business process.)
If “YES”, provide details.

Please send completed questionnaires to the Information Security Office.