URP: I.19.l Information Security Risk Assessment

Tags techurp

POLICY STATEMENT

This document establishes the information security risk assessment regulations and procedures for managing risk associated with information assets, information leakage, and network vulnerabilities. These regulations and procedures proactively identify threats and vulnerabilities that could have consequences for Texas Woman's University (TWU).

 

These regulations and procedures apply to all information resources owned or operated by TWU. All users are responsible for adhering to them. Where needed or appropriate, information regarding roles, responsibilities, management commitment, and coordination among organizational entities is embedded within these procedures.

 

APPLICABILITY

TWU Students, Faculty, Staff, and Guests

 

DEFINITIONS

Risk Assessment is an objective analysis of the effectiveness of security controls that protect an organization’s assets and a determination of the probability of losses to those assets.


Vulnerability Scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses.

 

POLICY

The State of Texas has chosen to adopt the risk assessment principles established in the NIST SP 800-53 Risk Assessment (RA) control family. The following subsections outline the risk assessment standards that constitute TWU's regulations and procedures.

 

RA-1 Risk Assessment Regulations:

  1. Regulations:

TWU must develop, adopt, or adhere to, formal documented risk assessment regulations and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

 

  2. Procedures:

The Office of Technology (OOT) will maintain regulations and procedures for risk assessments that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

 

RA-2 Security Categorization:

  1. Regulations:

TWU must:

  1. Categorize information systems and the data stored within these systems, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
  2. Document the security categorization in the security plan for the information systems; and
  3. Ensure that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.

 

  2. Procedures:
    1. OOT Security Team categorizes information systems and the information they hold and obtains sign-off on the categorization from the category owner (the authorizing official or the authorizing official's designated representative) on the risk assessment form.
    2. OOT Security Team defines categories within the information security plan.
    3. OOT Security Team categorizes information systems in the information security plan.

 

RA-3 Risk Assessments:

  1. Regulations:

TWU must:

  1. Conduct an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of information systems and the data the system processes, stores, or transmits;
  2. Document risk assessment results in a risk assessment report;
  3. Review risk assessment results of critical information systems;
  4. Disseminate risk assessment results to appropriate authorizing officials; and
  5. Update the risk assessment whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

 

  2. Procedures:
    1. OOT Security Team conducts risk assessments on all new information systems.
    2. OOT Security Team documents each risk assessment using the OOT risk assessment form.
    3. OOT Security Team ensures the appropriate system/data owner(s) (i.e., authorizing officials) accept the risks noted in the risk assessment before an information system is put into production (i.e., begins to be used by the University).
    4. Each year, the OOT Security Team completes a risk assessment of critical information systems.
    5. The Information Security Officer (ISO) may ask the OOT Security Team to complete a risk assessment of any information system when the ISO deems it necessary.

RA-5 Vulnerability Scanning:

  1. Regulations:

TWU shall:

  1. Perform periodic network scans for vulnerabilities in information systems and hosted applications, and rescan when new vulnerabilities potentially affecting those systems or applications are identified and reported;
  2. Employ vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
    1. Enumerating platforms, software flaws, and improper configurations;
    2. Measuring the criticality and impact of each vulnerability;
    3. Providing checklists, remediation steps, and validation procedures;
    4. Providing departmental or role-based access to remediate respective findings; and
    5. Tracking historical vulnerability discovery and remediation efforts.
  3. Analyze vulnerability scan reports and results from security control assessments;
  4. Remediate vulnerabilities in a timely manner commensurate with the criticality and exposure of the security risk to the institution; and
  5. Ensure asset, system, or application owners coordinate with ITS staff to identify and minimize the likelihood and impact of vulnerabilities.
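The RA-5 items above say what a vulnerability-management workflow must do (identify the affected platform and flaw with standard identifiers, score criticality, keep discovery and remediation history across scans, and enforce a remediation timeframe after which an unremediated system is quarantined unless an exception has been coordinated with the ISO) without prescribing tooling. The Python below is an illustration added here; it is not TWU's policy text or tooling. The scanner output format, hostnames, CPE and CVE identifiers (synthetic, no such CVEs exist), and the remediation window per severity are assumptions marked in the code; the severity bands are the standard CVSS v3 qualitative rating scale.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# ASSUMPTION: remediation window per severity band. The policy requires only that
# remediation be "commensurate with the criticality"; these day counts are illustrative.
REMEDIATION_WINDOW_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# One finding per line in a constructed key=value format (real scanners export XML/JSON).
# The CPE 2.3 and CVE identifiers follow the real naming schemes but are synthetic.
LINE_RE = re.compile(
    r"host=(?P<host>\S+)\s+cpe=(?P<cpe>\S+)\s+cve=(?P<cve>CVE-\d{4}-\d{4,})\s+cvss=(?P<cvss>\d+(?:\.\d+)?)"
)

def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative severity rating for a base score."""
    for floor, name in ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")):
        if score >= floor:
            return name
    return "none"

@dataclass
class Finding:
    host: str
    cpe: str
    cve: str
    cvss: float
    first_seen: date
    remediated_on: Optional[date] = None

    @property
    def severity(self) -> str:
        return cvss_severity(self.cvss)

    @property
    def due(self) -> date:
        # The remediation clock starts at first discovery, not at the latest scan.
        return self.first_seen + timedelta(days=REMEDIATION_WINDOW_DAYS[self.severity])

class VulnerabilityTracker:
    """Discovery and remediation history across scans, keyed by (host, CVE)."""

    def __init__(self) -> None:
        self.findings: Dict[Tuple[str, str], Finding] = {}

    def ingest_scan(self, scan_date: date, report: str) -> None:
        seen: Set[Tuple[str, str]] = set()
        for line in report.strip().splitlines():
            m = LINE_RE.search(line)
            if not m or float(m["cvss"]) == 0.0:
                continue  # unparseable or informational-only lines are not tracked
            key = (m["host"], m["cve"])
            seen.add(key)
            f = self.findings.get(key)
            if f is None or f.remediated_on is not None:
                # New finding, or a regression of one previously closed: the clock restarts.
                self.findings[key] = Finding(m["host"], m["cpe"], m["cve"], float(m["cvss"]), scan_date)
        # Close open findings only on hosts this scan actually covered: a host absent
        # from a partial scan has not been shown to be fixed.
        scanned_hosts = {host for host, _ in seen}
        for key, f in self.findings.items():
            if f.remediated_on is None and f.host in scanned_hosts and key not in seen:
                f.remediated_on = scan_date

    def overdue(self, today: date) -> List[Finding]:
        """Open findings past their deadline, most severe first."""
        open_late = [f for f in self.findings.values() if f.remediated_on is None and today > f.due]
        return sorted(open_late, key=lambda f: (-f.cvss, f.due))

    def quarantine_candidates(self, today: date, exceptions: Set[Tuple[str, str]]) -> List[str]:
        """Hosts with an overdue finding and no (host, CVE) exception coordinated with the ISO."""
        return sorted({f.host for f in self.overdue(today) if (f.host, f.cve) not in exceptions})

# Constructed sample reports from two scans ten days apart.
SCAN_A = """
host=web01.example.edu cpe=cpe:2.3:a:example:webapp:1.0:*:*:*:*:*:*:* cve=CVE-2099-0001 cvss=9.8
host=web01.example.edu cpe=cpe:2.3:a:example:webapp:1.0:*:*:*:*:*:*:* cve=CVE-2099-0002 cvss=5.3
host=db01.example.edu cpe=cpe:2.3:a:example:dbms:4.2:*:*:*:*:*:*:* cve=CVE-2099-0003 cvss=7.5
this line is not a finding and is skipped
"""
SCAN_B = """
host=web01.example.edu cpe=cpe:2.3:a:example:webapp:1.0:*:*:*:*:*:*:* cve=CVE-2099-0002 cvss=5.3
host=db01.example.edu cpe=cpe:2.3:a:example:dbms:4.2:*:*:*:*:*:*:* cve=CVE-2099-0003 cvss=7.5
"""
TODAY = date(2024, 2, 15)  # assumed "today" for the demonstration

def build_example_tracker() -> VulnerabilityTracker:
    tracker = VulnerabilityTracker()
    tracker.ingest_scan(date(2024, 1, 10), SCAN_A)  # CVE-2099-0001 is fixed before the second scan
    tracker.ingest_scan(date(2024, 1, 20), SCAN_B)
    return tracker

if __name__ == "__main__":
    tr = build_example_tracker()
    for f in tr.overdue(TODAY):
        print(f"OVERDUE {f.severity} {f.cve} on {f.host}, due {f.due}")
    print("quarantine candidates:", tr.quarantine_candidates(TODAY, set()))
```

Run as written, the critical finding on web01 is recorded as remediated on the second scan date, the medium finding is still within its window, and the high finding on db01 is past its 30-day window, so db01 is the only quarantine candidate; adding an exception for that (host, CVE) pair empties the list, which is the "unless coordinated with the Information Security Officer" clause in the Compliance section.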

 

Compliance

Unless coordinated with the TWU Information Security Officer, unpatched or unremediated systems will be quarantined and disconnected from the TWU network after the timeframe for remediation has expired.

 

Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; termination of employment relations in the case of contractors or consultants; termination of access; legal action; termination for interns and volunteers; disciplinary review; and suspension or expulsion (in the case of a student).

 

REVIEW

The Chief Information Officer will review this Policy with recommendations forwarded through normal administrative channels to the Chancellor and President.

 

REFERENCES

Department of Information Resources Security Standards Catalog

http://publishingext.dir.texas.gov/portal/internal/resources/DocumentLibrary/Security%20Control%20Standards%20Catalog.pdf

 

FORMS AND TOOLS

N/A

 

Details

Article ID: 56380
Created: Fri 6/22/18 10:58 AM
Modified: Fri 11/20/20 11:46 AM