Interviewee(s): Interviewer(s): A-1 Information Security Budget 0 ...

U. T. System Information Security Program Index (ISPI) Assessment Form (Effective 12/04/2009)

CONFIDENTIAL INFORMATIONThe information contained in this document is confidential. Access to and release of this information is restricted by law.

Institution: Date:

Interviewee(s):

Interviewer(s):

A-1 Information Security Budget

0 - No information security budget exists and no funds are made available for purchase of security tools and services.2 - The information security budget process is unknown to the ISO/CISO and funding continuously proves inadequate to meet program needs.

If information security budget is part of the general IT budget and competes against IT budget initiatives for funding:5 - Funding for the fiscal year is inadequate to meet basic security program needs.7 - Funding for the fiscal year is adequate to maintain baseline operations but not sufficient to allow for acquisition of needed new tools / services.8 - Funding for the fiscal year is adequate to maintain baseline operations and to allow for acquisition of needed new tools / services.9 - Funding consistently (for past 2 fiscal years at a minimum) is adequate to maintain baseline operations and allow for acquisition of needed new tools /

services.

If information security has a separate budget under authority of the ISO/CISO but competes against IT initiatives for funding: 5.5 - Funding for the fiscal year is inadequate to meet basic security program needs.7.5 - Funding for the fiscal year is adequate to maintain baseline operations but not sufficient to allow for acquisition of needed new tools / services.8.5 - Funding for the fiscal year is adequate to maintain baseline operations and to allow for acquisition of needed new tools / services.9.5 - Funding consistently (for past 2 fiscal years at a minimum) is adequate to maintain baseline operations and allow for acquisition of needed new tools /

services.

If information security has a separate budget under authority of the ISO/CISO and funding requests do not compete directly against IT initiatives. They are considered outside and apart from IT funding requests. 5.75 - Funding for the fiscal year is inadequate to meet basic security program needs. 7.75 - Funding for the fiscal year is adequate to maintain baseline operations but not sufficient to allow for acquisition of needed new tools / services.8.75 - Funding for the fiscal year is adequate to maintain baseline operations and to allow for acquisition of needed new tools / services.9.75 - Funding consistently (for past 2 fiscal years at a minimum) is adequate to maintain baseline operations and allow for acquisition of needed new tools /

services.

10 - All information security needs and initiatives are fully funded year after year (for past 3 fiscal years at a minimum).

Score: Documentation/Comments:

1



Institution: Date:

A-2 Staffing - Information Security Staff Level:

(Note: This refers only to staff who is a direct report to the ISO.)

0 - The institution has no designated ISO/CISO. This applies also if the position exists but is unfilled and there is no formally appointed Interim ISO/CISO..5 - Ratio of ISO staff to people (faculty, students & staff) < 1:160001 - Ratio of ISO staff to people ≥ 1 to 160001.5 - Ratio of ISO staff to people ≥ 1 to 150002 - Ratio of ISO staff to people ≥ 1 to 140002.5 - Ratio of ISO staff to people ≥ 1 to 130003 - Ratio of ISO staff to people ≥ 1 to 120003.5 - Ratio of ISO staff to people ≥ 1 to 110004 - Ratio of ISO staff to people ≥ 1 to 100004.5 - Ratio of ISO staff to people ≥ 1 to 90005 - Ratio of ISO staff to people ≥ 1 to 80005.5 - Ratio of ISO staff to people ≥ 1 to 70006 - Ratio of ISO staff to people ≥ 1 to 60006 - If an institution has only one staff member dedicated to Information Security, a score is capped at 6 despite ratio of ISO to people. 6.5 - Ratio of ISO staff to people ≥ 1 to 50007 - Ratio of ISO staff to people ≥ 1 to 40007.5 - Ratio of ISO staff to people ≥ 1 to 30008 - Ratio of ISO staff to people ≥ 1 to 20008.5 - Ratio of ISO staff to people ≥ 1 to 1500 9 - Ratio of ISO staff to people ≥ 1 to 10009.5 - Ratio of ISO staff to people ≥ 1 to 50010 - ISO/CISO of the institution attests that no additional staff is needed and that sufficient staff exists to perform all information security tasks (planning, assessing, monitoring, training, deployment, mitigation, forensics etc.) with a high degree of effectiveness.


2



Institution: Date:

A-3 Staffing - Information Security Team Expertise:

Skill Area

Following is a list knowledge/skill areas typically needed within an organization's information security function. Viewing the Information Security organization holistically, assess the organization’s possession of, or ready access to the following:

(Multiply each Item Score by the Weight percentage to obtain the score for that row. Sum these for Total Score.)

Item Score10 - Very Strong8.5 - Solid7.5 - Adequate/Average6 - Weak 3 - Very Weak 2 - Unknown0 - None

Weight(multiplier)

TotalScore

1. Strategy Development and Communication: The knowledge and skills needed to create and articulate a vision for the Information Security function, effectively communicate the vision to achieve buy-in from management, stake holders, and others, and help motivate workers to work towards building a more secure institution

.077

2. Relationship Building: The skill of building relationships with personnel across the institution and to work cooperatively with other departments to achieve goals of the Information Security function and the institution. .077

3. Risk Assessment and Management: Skills needed to coordinate risk assessment processes and convert results into inputs for program prioritization decisions. .077

4. Planning and Budgeting: Ability to identify needs, create policies, reports and action plans, build and advocate for budget. .0775. Systems Administration: Ability to understand device configuration and identify weaknesses. .0776. Network Administration: Knowledge of various network devices, their functions, and vulnerabilities, and ability to analyze log information from such devices. .077

7. Contract Management: Understanding of contract provisions and operational practices needed to safeguard University data accessed, used, or stored by business partners. .077

8. Technical Monitoring: Ability to review output from various information security appliances or tools, determine whether anomalies exist that warrant follow-up by the ISO and determine appropriate actions. .077

9. Applications Security: Understanding of application vulnerabilities, secure coding practices, and skill to use application assessment tools to remediate code. .077

10. Forensics: Ability to examine the contents of a computing device and log information in order to determine what actions may have been performed on the device. .077

11. Project Management: The ability to work with stakeholders to deploy information security applications effectively, and consult on project implementations .077

12. Incident Management: The ability to coordinate the range of activities required to investigate an incident in a way that meets University, State, and Federal requirements and allows timely resumption of services to allow the institution to meet its missions. .077

13. Disaster Recovery/Business Continuity Planning: The ability to coordinate the integration of the disaster recovery planning process for information resources with the business continuity planning and business impact analysis process .077

TOTAL:


3



Institution: Date:

A-4 Resources – Availability of Information Security Tools, Appliances, Software & Services

The purpose of this item is to determine the extent to which needed security tools and services are available. NOTE: This is NOT a measure of actual deployment or use of each tool or service, but of ownership or access to each of the tools or services. For each tool/service, determine the percentage of need that can be covered by the institution’s ownership or level of access to the tool/service. Divide that percentage by 10 to obtain the Item Score. Multiply each Item Score by the Weight multiplier to obtain the total score for that row. Sum these for the Total Score.

Item Score

0 – 10 for each item. Percent of coverage divided by 10.

Weight(multiplier

)

Total Score

Example: If the institution owns a sufficient number of licenses to encrypt only 75% of laptops that need to be encrypted: Convert 75% to 75 then divide by 10 to obtain the Item score of 7.5. Multiply this by the multiplier to get Total Score for that row.Laptop Encryption Solution that is verifiable. (Provides ability to prove encryption status of a lost computer.)

7.5 .083 .62

1. Anti-Virus / Anti-Malware Solution .083

2. Server, Workstation, and Laptop Configuration Management Solution .083

3. Patch Management Solution .083

4. Intrusion Detection and/or Intrusion Prevention Solution .083

5. Vulnerability Scanning Solution .083

6. Penetration Testing Solution .083

7. Laptop Encryption Solution that is verifiable. (Provides ability to prove encryption status of a lost computer.) .083

8. Email Encryption Solution .083

9. Confidential Data Discovery Tool for at rest (examples: SENF, Identity Finder) .083

10. Confidential Data Discovery Tool for data in motion (examples: CISCO email gateway, UT System IDS) .083

11. Application Scanning Solution .083

12. Centralized log management tool for consolidation and analysis of log data. .083

TOTAL:

4



Institution: Date:


A-5 Basic Network Security Characteristics

For each statement below that is True for the institution, place a score of 10 in the Item Score column next to that item. If the statement is false, place a score of 0 in the Item Score column next to that item. Item scores between 0 and 10 can be used to denote partial implementations. Multiply each Item Score by the Weight percentage to obtain the score for that row. Sum these for the Total Score.

Item Score

Weight(multiplier)

Total

Example: For illustration let’s assume that only ½ or 50% of an institutions devices that should be behind a firewall are actually behind the firewall: 50% would translate to a item scored of 5 (rather than 10): Firewall Protection: All devices that should be behind firewall are behind a firewall.

5 .125 .625

1. Firewall Protection: All devices that should be protected by firewall are protected by such. .125

2. Public DMZ: DMZs are appropriately used to isolate all devices needing to be isolated. .125

3. Network Segmentation / VLANs: All network traffic is appropriately segmented either physically or logically to reduce scope of exposures.

.125

4. Network Address Translation (NAT): NAT is used where needed to reduce visibility of internal devices from external users.

.125

5. DNS Configuration: DNS is configured to separate internal and external zones. .125

6. VPN /Terminal Services: VPN and/or Terminal Services are used to provide remote access and restrict such access to authorized parties.

.125

7. Network Access Control (NAC): NAC is used to verify compliance with institutional security requirements prior to allowing any remote devices to establish connectivity to the network.

.125

8. Wireless Network Protections: Wireless network has appropriate controls to ensure all traffic is encrypted and access to the network is restricted to authorized parties.

.125

TOTAL:

5



Institution: Date:


A-6 ISA Program and Training

0 - No ISA program has been established and no ISAs have been appointed.3 - Some ISAs have been appointed.5 - Departmental ISAs have been appointed.6 - Departmental ISA have been appointed and have met. 6.5 - Departmental ISA have met at least once per semester. 7 - Departmental ISA’s have met and are meeting quarterly.8 - Departmental ISA’s have met and are meeting on a quarterly basis and are becoming appropriately trained.9 - The ISA Program meets requirements for level 8 and ISA meetings are used for input into the program in addition to information dissemination.10 - The ISA Program meets requirements for level 9 and ISAs are actively engaged in all ISA responsibilities identified in UTS-165.

Implements and complies with all information technology policies and procedures relating to assigned systems. Assists Owners in performing annual information security risk assessment for Mission Critical Resources. Reports general computing and Security Incidents to the Entity ISO. Assists, as a member of the ISA Work Group, the ISO in developing, implementing, and monitoring the Information Security Program. Establishes reporting guidance, metrics, and timelines for the ISOs to monitor effectiveness of security strategies implemented in both central and decentralized areas. Reports at least annually to the ISO about the status and effectiveness of information resources security controls

Note: After obtaining the Preliminary Score using the above criteria, modify the score based on breadth of ISA program. Do the following: Determine how many ISA’s your institution should have. (either based on departments, systems, or other criteria.)Determine how man y ISA’s the institution actually has and determine what percentage this is of the total. Multiply this percentage by the score you had from above to obtain the “FINAL” score for the item

Example, Assume the score from above is 9. Let’s assume that the institution should have 25 ISAs, but only 20 have been appointed: 20 /25 X 100 = 80%. 80% of 9 = 7.2 resulting in a Final Score of 7.2 for this item.

6



Institution: Date:


7



Institution: Date:

A-7 Internal Communication Flows

Rate the degree to which each of the following statements is true on a 1 to 10 scale. If it is 100% true score 10, if it is totally false score 0. If it is true 75% of the time or for 75% of situations score 7.5 etc. Score is capped at 9.5, unless the ISO asserts that communications in the organization are optimal for ensuring effectiveness of the ISO Office in securing the institution’s data.

Item Score0 to 10

based on degree

Weight(multiplier

)

Total Score

1. The institution has an incident response policy. (If yes, Item score is = 10, If no = 0) .12. The institution’s incident response policy identifies procedures, responsibilities, and communication chains to use

during critical information security incidents. .1

3. What percent of employees have received training in who to contact in event of an information security incident. (example 55% = Item score of 5.5)

.1

4. The ISO has ready access to all information sources (logs, configurations, firewall rules, IDS/IPS output etc.) required to understand the security posture of the organization and to effectively perform the ISO function.

.1

5. The ISO is involved in all discussions of new systems or system changes that may impact the information security state of the institution.

.1

6. The ISO is included in the purchase process to ensure that purchased or outsourced systems are appropriately vetted for information security

.1

7. Operational units inform the ISO of security breaches in a timely manner. .1

8. Feedback loops are defined and consistently used to ensure assignments relating to security are completed. .1

9. Executive management is informed in a timely way when significant security incidents occur. .110. The Office of Police and the ISO inform each other when a stolen device or other incident (or crime) occurs that

impacts information security..1

TOTAL:


8



Institution: Date:

A-8 Data Classification, Assignment of Ownership, and Owner Responsibilities

0 - The institution has not established a data classification policy and schema. 4 - A data classification policy and schema has been established, but Owners have not been identified.6 - A data classification policy and schema has been established, and Owners have been identified.7 - Criteria for 6 have been met and Owners are actively engaged in one of the following Owner duties as required by UTS 165.

Owners classify the data for the systems for which they are responsible. Owners (or their delegates) grant access to the information systems for which they are responsible. Owners ensure that data for which they are responsible are appropriately backed up. Owners of Mission Critical Systems designate individuals to serve as Information Security Administrator (ISA) to implement security controls and report

incidents to the ISO as necessary. Owners (or their delegates) perform annual information security risk assessment.

7.5 - Owners are actively engaged in two of the above noted Owner duties.8 - Owners are actively engaged in three of the above noted Owner duties.9 - Owners are actively engaged in four of the above noted Owner duties.9.5 - Owners are actively engaged in all five of the above noted Owner duties.10 - Criteria for 9.5 have been met AND Owners have received training in Owner responsibilities.

Note: If Owners have received training in their Owner responsibilities add .5 points to the score obtained above. Score cannot exceed 10.


9



Institution: Date:

B-1 Server Configuration Management 0 – No configuration management solution is in place for servers. .5 – No solution is in place, but is being planned for deployment.1 – A configuration management solution is in place, but the number of servers is generally unknown (not known within a tolerance of 5%)

If a configuration management solution (as described below) is in place and the number of institutional servers is generally known (within a 5% tolerance): What percent of the institution’s servers (including both physical and virtual servers) are managed by a configuration management system that has the capability to allow a server administrator to change server administrator passwords remotely and to allow server administrators AND the ISO/CISO the ability to know server configurations and patch status remotely without intervention of another party. Convert this percent to a number on a 0 – 10 scale: (ex: 92% = 9.2).


10



Institution: Date:

B-2 Desktop/Laptop Configuration Management

0 – No configuration management solution is in place for desktops/laptops. .5 – No solution is in place, but is being planned for deployment.1 – A configuration management solution is in place, but the number of desktops/laptops is generally unknown (not known within a tolerance of 5%)

If a configuration management solution (as described below) is in place and the number of institutional desktops/laptops is generally known (within a 5% tolerance): What percent of the institution’s desktops/laptops (including both physical and virtual servers) are managed by a configuration management system that has the capability to allow the responsible administrator(s) to change desktop/laptop administrator passwords remotely and to allow the responsible administrator(s) AND the ISO/CISO the ability to know desktop/laptop configurations and patch status remotely without intervention of another party. Convert this percent to a number on a 0 – 10 scale: (ex: 53% = 5.3)


11



Institution: Date:

B-3 Malware Avoidance (anti-virus and/or anti-malware) Software

0 – No anti-malware software is in place..5 – No solution is in place, but is being planned for deployment.1 – An anti-malware, system(s) is in place, but the number of devices running such software is generally unknown.

What percent of institutional devices are known, by way of automated reporting immediately accessible to the ISO/CISO, to be running anti-virus and/or anti-malware software? Convert this percent to a number on a 0 – 10 scale: (ex: 88% = 8.8)


12



Institution: Date:

B-4 Network Monitoring / IDS-IPS 0 – No network IDS/IPS systems are in place..5 – No solution is in place, but is being planned for deployment.2 – IDS/IPS Systems are in place but no staff person is assigned the task of daily monitoring of the system.

Assuming a staff person is assigned the task of monitoring the IDS/IPS, determine score using the following procedure:What percent of network traffic entering the institution from the Internet is examined by an IDS or IPS System?Convert this percent to a number on a 0 – 10 scale: (ex: 100% = 10)

What percent of traffic traversing the internal network is examined by an IDS or IPS System?Convert this percent to a number on a 0 – 10 scale (ex: 65% = 6.5)

Add these numbers and divide by 2: (ex: (10 + 6.5)/2 = 8.25)


13



Institution: Date:

B-5 Vulnerability Assessment Practices

(Note: This item is not referring to 3rd party Penetration Testing. This is vulnerability testing that is assumed to be performed by the institution itself to identify internal vulnerabilities. However, the institution may use a 3rd party to perform this function.)

0 - The institution does not perform periodic vulnerability scans. 3 - It has been more than a year since the institution’s last comprehensive vulnerability scan. 4 - Vulnerability scans are performed, but needed remediation is not consistently performed. Note: regularity of vulnerability is irrelevant if needed remediation is

not performed.

If vulnerability scans are performed at least annually:5 - Vulnerability scans are performed at least annually, but results are not available to the ISO/CISO.7 - Vulnerability scans are performed at least annually and results are available to the ISO/CISO. Needed remediation is performed.7.5 - Vulnerability scans are performed at least annually in authenticated mode and results are available to CISO. Needed remediation is performed.

If vulnerability scans are performed at least quarterly:5.5 - Vulnerability scans are performed at least quarterly, but results are not available to the ISO/CISO.8 - Vulnerability scans are performed at least quarterly and results are available to the ISO/CISO. Needed remediation is performed.8.5 - Vulnerability scans are performed at least quarterly in authenticated mode and results are available to CISO. Needed remediation is performed.

If vulnerability scans are performed at least monthly:6 - Vulnerability scans are performed at least monthly, but results are not available to the ISO/CISO.9 - Vulnerability scans are performed at least monthly and results are available to the ISO/CISO. Needed remediation is performed.9.5 - Vulnerability scans are performed at least monthly in authenticated mode and results are available to CISO. Needed remediation is performed.

10 - Vulnerability scans of the complete institution computing environment are made continuously; results are available to the ISO/CISO. ISO/CISO verifies that needed remediation is performed.


14



Institution: Date:

B-6 3rd Party Penetration Testing

The purpose of this index item is to answer the question, “Does the institution have a valid and viable strategy in place for performing 3rd part penetration tests to challenge the effectiveness of the institution’s perimeter controls?”

Scoring Criteria:0 - The Institution has not performed a 3rd Party Penetration Test3 - It has been more than 24 months since the institution’s last 3rd Party Penetration Test.5 - It has been more than 16 months since the institution’s last 3rd Party Penetration Test. 6 - The Institution has performed a 3rd Party Penetration Test within the past 16 months, but the results have not been made available to the ISO/CISO, or have

been made available, but they have not been reviewed, prioritized, and weaknesses remediated.7 - The Institution performs annual 3rd Party Penetration Tests and results are made available to the ISO/CISO. Security weaknesses are reviewed, prioritized for

correction and corrected as needed.8 - The Institution performs quarterly 3rd Party Penetration Tests and results are made available to the ISO/CISO. Security weaknesses are reviewed, prioritized for

correction and corrected as needed.9 - The Institution performs monthly 3rd Party Penetration Tests and results are made available to the ISO/CISO. Security weaknesses are reviewed, prioritized for

correction and corrected as needed.10 - The criteria for 9 are met, and the institution has been performing 3rd party penetration that is broad in scope for a period of 5 years or longer.

Note about Scope: The usefulness and effectiveness of a 3rd party penetration test is reduced if it is not comprehensive in scope. Take from .5 up to 2 points off the score if the 3rd party penetration test excludes IP ranges that include mission critical systems known to contain confidential information.


15



Institution: Date:

B-7 Encryption – Encryption of Laptops

0 – The institution has not deployed a laptop encryption solution..5 – No solution is in place, but is being planned for deployment.4 – An encryption solution is in place, but the institution is not able to determine the number of laptops that require encryption or how many of the target group has

been encrypted.

If the institution has established a policy that ALL laptops are to be encrypted:Determine the number of laptops that require encryption based on the institution’s encryption policy. (Ex: Owned laptops = 180 so 180 require encryption.) Determine the percent of these that have been encrypted and convert to a number in the range 0 - 10. (ex: 145 of 180 = 80.5% for a score of: 8.05) If the institution has established a policy that only those laptops containing confidential data must be encrypted?Determine the number of laptops that require encryption based on the institution’s encryption policy. (ex: 85 of 180 laptops require encryption) Determine the percent of these that are encrypted and convert to a number in the range 0 - 10. (ex: 72 of the 85 are encrypted = 84.7% = 8.47)Multiply that number by .9 for a final score: (ex: .9 X 8.47 = 7.62)

NOTE: Add 1 point to the score if the implemented solution is an enterprise solution that allows the institution to VERIFY that a lost computer was using whole disk encryption and that the data was in fact encrypted. Score cannot exceed 10.


16



Institution: Date:

B-8 Email Encryption Support

Obtain an INITIAL SCORE based on the following scale:0 - The institution provides no email encryption solution that can be used by faculty and staff for encrypting any file type that may be sent via email. 5 - The only means of sending encrypted email is through use of application based password protection (i.e. Word, Excel etc.) 7 - The institution makes available a web-based or other solution that allows SOME employees to send encrypted email to any outside email address.8 - The institution makes available a web-based or other solution that allows ALL employees to send encrypted email to any outside email address.9 - The institution meets the requirements for 8 or higher AND provides a means for sending encrypted email internally. _____________________

Add up to 1 point to the INITIAL SCORE based on the following criteria:

Add ½ point if the institution makes digital certificates available so faculty and staff can encrypt email being sent to others who also use digital certificates.Add ½ point if the institution uses TLS to automatically encrypt all email going to most business partners. (This requires pre-arrangements with business partners so that it is known that email is being transmitted via TLS.)


17



Institution: Date:

B-9 Confidential Data Search, Discovery, Removal – for data at rest

0 – The institution has not established a strategy to discover and remove unneeded confidential data on either servers or user desktops and laptops..5 – No solution is in place, but is being planned for deployment.1 – The institution has established a strategy of identifying and removing unneeded confidential data on servers.1 – The institution has established a strategy of identifying and removing unneeded confidential data on user desktops and laptops. 2 – The institution has established a strategy of identifying and removing unneeded confidential data on servers and also user desktops and laptops.

If strategies exist for servers and or user desktops and laptops (i.e. the score based on the above criteria is 1 or 2) use the following table for scoring:

Item ScoreWeight

(multiplier)

Total Score

Determine the percent of servers that have been scanned for discovery and removal of unneeded confidential data within the past year. Convert that percent into a number in the range of 0 – 10. (ex: 75% would equal 7.5)

0 .5 0

Determine the percent of desktop/laptops that have been scanned for discovery and removal of confidential data within the past year. Convert that percent into a number in the range of 0 – 10) (ex: 40% would equal 4)

0 .5 0

Determine the row score by multiplying the Item score by the multiplier) Sum the two row scores to obtain a Total score. Note: If the institution meets the criteria for obtain a score based on the two rows above but the Total score results in a score of less than 2, then the Total score should be raised to 2.

TOTAL: 0


18



Institution: Date:

B-10 Confidential Data Discovery for data in motion

0 - The institution has not deployed technology to filter network traffic to identify confidential data being transmitted in the clear..5 – No solution is in place, but is being planned for deployment.7 - Outbound traffic exiting via the institution’s primary Internet connection is scanned for unencrypted confidential information such as SSNs and credit card

numbers, and violators are alerted that a policy violation has occurred. 7.5 - The criteria for 7 are met, plus scanning of internal traffic for exposed SSNs and credit card numbers is similarly performed. 8 - Outbound traffic exiting via the institution’s primary Internet connection is scanned for unencrypted confidential information such as SSNs and credit card

numbers; data found to be in violation is blocked (or is automatically encrypted and forwarded on for delivery)..8.5 - The criteria for 8 are met, plus scanning of internal traffic for exposed SSNs and credit card numbers is similarly performed. 9 - All outbound traffic is scanned for unencrypted confidential information such as SSNs and credit card numbers; data found to be in violation is blocked.9.5 - The criteria for 8 are met, plus scanning of internal traffic for exposed SSNs and credit card numbers is similarly performed. 10 - The criteria for 9.5 are met and additional controls are in place to prevent or enforce encryption on downloads of information to mobile media such as USB

drives.


19



Institution: Date:

B-11 Web Applications Scanning

0 – The institution has no solution in place to scan applications for security coding weaknesses..5 – No solution is in place, but is being planned for deployment.4 – The institution has an application scanning solution/service that is available for use but no policy in place that dictates when applications are be scanned. 5 – Criteria for 4 are met, but despite the lack of a policy, some application scanning is being performed on an ad hoc basis.6.5 – The institution has an application scanning solution in place and a policy that defines criteria for determining which applications to scan and criteria that would

trigger a need to scan an application.7 – Criteria for 6.5 is met, the scanning policy requires scanning of all outwardly facing systems that hold or manipulate confidential data, and scanning is taking

place according to policy.8 – The institution has established a prioritization of applications for scanning and is scanning applications based on that priority.9 – The institution has scanned all mission critical applications and those containing confidential data at least once.9.5 – The institution has scanned all mission critical applications and those containing confidential data at least once and has an established program for requiring

additional scans as part of the application change control process.10 – All applications have been scanned, and are subject to subsequent scans as result of the institution’s application change control process requirements for such.


20



Institution: Date:

B-12 Identity Management Practices

0 - The institution has not agreed to abide by The University of Texas System Federation identity management practices. (i.e. is not a member of the Federation) 3 - The institution has signed on to be a member of The University of Texas System Federation and to abide by federation practices.7 - Each person associated with the institution is assigned a permanent unique identifier (that is not the person’s SSN), and is assigned a digital credential

(username and password) that the person uses to authenticate his or her identity.8 - Each user is vetted in-person as required by The University of Texas System Federation processes as described in the Membership Operating Practices

document prior to being granted access to information resources other than those made available to the public.10 - The institution has passed a formal Audit of its Membership Operating Practices


21



Institution: Date:

B-13 Account and Access Control Policies and Practices

For each of the statements below that is True for the institution, place a score of 10 in the Item Score column next to that item. If the statement is false, place a score of 0 in the Item Score column next to that item. Partial credit can be given by assigning a value of 1 – 9 based on percent to which the statements are true.

Item Score

Weight(multiplier)

Total Score

1. The institution has an Access Control policy. .1

2. Processes are in place to ensure that network accounts are established only for authorized individuals. .1

3. Users accessing non-public University resources and services must sign/acknowledge and acceptable use statement prior to being granted access to network resources.

.1

4. Logon ID and password are required for an individual to gain access to the institution’s network. .1

5. Logon ID and password are required for an individual to gain access to non-public resources on the network. .1

6. Processes are in place to ensure that network accounts are revoked when a person’s association with the institution ends or role changes within the institution.

.1

7. Reviews are performed at least annually to ensure that no network accounts continue to exist for employees or others who are no longer associated with the University in a capacity that would warrant their having an account.

.1

8. Two factor (or stronger) access controls are required of individuals who hold positions that require administrator rights. .1

9. Access to resources is based on minimum “need to know.” .1

10. Application owners (or designees) determine who has access to information resources within the owner’s scope of authority. .1

TOTAL:


22



Institution: Date:

B-14 User Training Execution

What percent of employees and other associates have taken Information Security training within the past year? Convert this percent to a number on a 0 – 10 scale: (ex: 96% = 9.6)


23



Institution: Date:

B-15 Purchasing/Outsourcing Security Review Practices

0 - The institution has no process for contract review to ensure that information security issues are appropriately addressed in the purchasing and contracting process.

5 - On an ad hoc basis, some contracts and other purchases are routed to the ISO/CISO for review and recommendation.7 - The institution includes information security language in all contracts that involve use or storage of University information resources. 7.5 – Criteria for 7 is met and the institution has a process in place to review existing contracts for possible revision if needed security language is not in place.8 - Criteria for 7.5 is met and the institution has a process in place to help ensure that purchases involving new information systems or services that involve storage,

transfer, or access to confidential University data are routed to the ISO/CISO for review and recommendation.9 - Criteria for 8 is met, and the institution’s Information Security Office has authority to require that a purchaser formally acknowledge acceptance of risk if a

decision is made to make a purchase that the ISO has advised against because of poor information security practices of the vendor.10 - Criteria for 9 are met, and the ISO/CISO has authority to stop purchase of software and/or services, unless overridden by signature of an Executive Officer.


24



Institution: Date:

C-1 Risk Assessments

Primary focus and weight is placed on completion of annual risk assessments for Mission Critical systems and systems containing confidential University data. However, it is also important that completed risk assessments be used to help establish program priorities and to perform risk assessments for systems not considered to be of high risk. The scoring methodology gives weighted consideration to each of these criteria.

Item Score

Weight(multiplier)

Total

Mission Critical Systems and Systems containing Confidential University Information:Determine the percent of Mission Critical systems and systems containing Confidential University Data that have undergone a risk assessment within the past 12 months. Express this as a number between 0-10. Ex: 68% = 6.8

.8

Lower Risk Systems:Determine the percent of Low Risk systems that have undergone a risk assessment within the past 12 months. Express this as a number between 0-10. Ex: 45% = 4.5

.2

SUB-TOTAL:

If completed risk assessments, were considered and used to establish priorities for the current year’s Action, Monitoring, and Training Plan, ADD 1 to the sub-total to obtain the final score.

+1

If completed risk assessments, were NOT considered and used to establish priorities for the current year’s Action, Monitoring, and Training Plan, SUBTRACT 1 from the sub-total to obtain the final score.

-1

Note: Score cannot exceed 10. FINAL SCORE:


25



Institution: Date:

C-2 Annual Report to President which includes the Security Program Document (Action, Training, and Monitoring Plans)

0 - The institution has not submitted a Report to the President for the current fiscal year.3 - The submitted Report to the President does not meet the defined minimum content requirements.5 - The submitted Report to the President contains the required minimum content but does not meet the format requirements that allow activities contained in

quarterly reports to be associated with Program strategies.6 - Report has been submitted but content provides little insight into the accomplishments of the previous year’s program or barriers that may be hampering efforts

to secure the institution. 7 - The submitted Report to the President is properly formatted and contains required content but does not demonstrate comprehensiveness in terms of

adequately informing the President about the program, or in terms of what is included in the Action, Training, and/or Monitoring Plans.8 - The submitted Report to the President meets the formatting and content requirements and demonstrates that Program Elements have been considered and

prioritized and that Risk Assessment results were used to develop items contained in the Action, Training, and Monitoring plans.9 - Meets the criteria required for 8 plus the included Monitoring plan is comprehensive and addresses monitoring of physical and administrative controls in

addition to technical controls. The Program must be signed by the President. 10 - Meets the criteria for 9 plus demonstrates comprehensive in all plans – Action Plan, Training Plan, and Monitoring Plan. The Action Plan indicates that

Program Elements, Risk Assessments, Audits, and Quarterly & Annual Reports data were considered in determining strategies for the coming fiscal year.


26



Institution: Date:

C-3 Quarterly and Annual Metrics Reports to UT System

0 - The institution has not submitted all quarterly and annual reports.5 - Reports are submitted, but fail to provide adequate information about activities to determine the status and viability of the Information Security Program.7 - Reports are submitted and provide a minimum amount of information, but are lacking in detail needed to provide good understanding of program strengths and

weaknesses.8 - Submitted reports provide sufficient content and detail to understand program activities completed within the timeframe of the reports plus issues, strengths, and

weaknesses.9 - Submitted reports meet the criteria for 8 plus provide comprehensive information about Monitoring Plan activities including activities relating to monitoring of

physical and administrative controls, as well as technical controls. 10 - Meets the criteria for 9 on a consistent sustained basis.


27



Institution: Date:

C-4 Incident Reporting to UT System

Note: For context, “reporting” refers to submission of a formal typed report using the UT System Online incident Reporting tool.

0 - Significant incidents are not reported to UT System.2 - Significant incidents are often not reported to UT System.5 - Significant incidents are reported to UT System, but not in a timely manner. (i.e. not soon enough to protect Chancellor and Board members from learning of

incidents from 3rd parties prior to being alerted through University channels.6 - Incidents are reported to UT System, but they are not being reported through use of the online tool and as result do not appear in the archive database.7 - No formal reports have been made because no significant incidents have occurred.7.5- Initial reporting of significant events occurs but updates and closeout are not consistently performed. 8 - Incidents are reported and follow-up/closeouts are performed appropriately.9 - Criteria for 8 are met plus UT System reporting is incorporated into the institution’s Incidence Response Plan.10 - Criteria for 9 are met. Incident reports flow to UT System as a matter of course.


28



Institution: Date:

C-5 TAC 202 Compliance

Data source for scoring of this item is from the Annual Compliance Assessment spreadsheet.

Convert the TAC 202 scores (for Central IT and Decentralized Departments) from a 5 point scale to a 10 point scale by multiplying each by 2.

Then average the two scores to obtain the final score. __________________

Note 1: The above process weights Central IT and Decentralized IT equally. If an institution is highly centralized or is highly decentralized, it is acceptable to change the weighting ratio from 50/50 to one that reflects the reality of an institution’s circumstances. For example if an institution is 80% centralized, then the Central IT score can be multiplied by .8 and the decentralized score multiplied by .2. These products would then be summed to obtain the final score.

Note 2: If no TAC 202 information is known, because the Annual Compliance Assessment has not been submitted and no appropriate Audit has occurred, the score will be defaulted to “4” on the 0-10 scale, because it is generally known (through previous TAC 202 audits and other TAC 202 compliance activities) that UT institutions are meeting many of the TAC 202 compliance requirements.


29



Institution: Date:

C-6 PCI-DSS Compliance

1 - The institution has not submitted an Annual Metrics spreadsheet which provides information about PCI-DSS requirements.

If the Annual Metrics spreadsheet has been submitted to UT System use the following process to obtain the score for this item:

Average the two PCI-DSS scores (central IT and decentralized departments) from the Annual Metrics spreadsheet and multiply this average by two to convert from a 5 point to a 10 point scale. This provides a PRELIMINARY SCORE.

If the institution has only Level 4 merchants (i.e. no single merchant has over 20,000 transactions annually):Level 4 merchants must comply with PCI-DSS requirements. However, they are not required to follow the PCI-DSS VALIDATION procedures, but are encouraged to do so. Points are added to an institution’s PRELIMINARY SCORE for voluntarily following these procedures.

Add up to 1 point to the PRELIMINARY SCORE for voluntary completion of Annual Self-Assessment Questionnaires (SAQ): Add .1 points to the score for each 10% of the Level 4 merchants that have completed the annual SAQ. Also, add up to 1 point to the PRELIMINARY SCORE for voluntary completion of quarterly scans of merchant PCI network environments: Add .1 points for each 10% of the LEVEL 4 merchants who have performed the quarterly scans. This results in the institution’s FINAL SCORE for this item. Note: FINAL SCORE cannot exceed 10.

____________________________________________________________________________________________

If the institution has one or more Level 1, 2, or 3 merchants (a merchant processing at least 20,000 transactions annually): Note: Level 1, 2, & 3 merchants must adhere to PCI-DSS requirements AND to VALIDATION requirements

Has each of these merchants completed the required annual Self-Assessment Questionnaire, completed the required Quarterly scans, and completed the required Attestation of Compliance Form?

If “NO” – the FINAL SCORE is “6” or the current value of the PRELIMINARY SCORE as previously calculated, whichever is lower.

If “YES” – Points are added based on voluntary compliance of the institution’s Level 4 merchants with the PCI-DSS VALIDATION procedures. Add up to 1 point to the PRELIMINARY SCORE for voluntary completion of Annual Self-Assessment Questionnaires (SAQ): Add .1 points to the score for each 10% of the Level 4 merchants that have completed the annual SAQ. Also, add up to 1 point to the PRELIMINARY SCORE for voluntary completion of quarterly scans of merchant PCI network environments: Add .1 points for each 10% of the LEVEL 4 merchants who complete the quarterly scans. This results in the institution’s FINAL SCORE for this item. Note: FINAL SCORE cannot exceed 10.


30



Institution: Date:

C-7 HIPAA Compliance

NA - The institution is not subject to HIPAA regulations.1 - The institution has not submitted an Annual Metrics spreadsheet which provides information about HIPAA requirements.

Data source for scoring of this item is from the Annual Compliance Assessment spreadsheet. A score for HIPAA compliance is determined only for those institutions that are subject to HIPAA. The score is determined through use of the same Annual Compliance Assessment tool that is used to assess TAC 202 compliance. The methodology will be as described in C-5 above, except some adjustment may be needed because HIPAA may not apply to all departments within an institution. For this reason, the initial score will be established from the compliance spreadsheet, but may then be adjusted up or down based on discussion with the institutional CISO to focus on only the specific departments that HIPAA pertains to. The reasons for any adjustments will be documented.


31

Interviewee(s): Interviewer(s): A-1 Information Security Budget 0 ...

Documents

Transcript of Interviewee(s): Interviewer(s): A-1 Information Security Budget 0 ...