
San Jose State University

Information Security Office

Questionnaire: Risk Assessment Resource Profile & Technical Controls

Scope and Objective: Please accurately complete the questionnaire below. Sections A through E assess
the risk sensitivity of the resource under the administrative domain of the business owner. Risk
sensitivity is defined as the relative measurement of a resource's tolerance for risk exposure, similar to
an evaluation of its importance or criticality to the campus organization, independent of any particular
threat or vulnerability. Every resource is distinct within each campus IT department; therefore, it is
imperative to understand the risk exposure of different assets, resources, and applications.

Resource Name:
Resource Type:
Business Owner:
Information Security Office Contact:

Resource Type Definitions:


Servers: A group of systems storing, processing, or transmitting sensitive information grouped in a
similar location (DMZ, Internal network) or hosting a similar application or information. This category
includes any network infrastructure (routers, firewalls, switches) supporting the servers.

Web Applications: A web application developed in-house by a campus developer, or hosted by a 3rd
party provider.

Users and Administrators: A catch-all resource category to include all desktops, workstations, and
mobile computing devices, in addition to any user or administrator who utilizes these computers.

A. General Information

1. Please select which groups of individuals have access to your information resource:
University Students
Employees
Partners
External Clients
Outsourcers
Regulators
Government Agencies
Vendors
Other Campus Entity

2. Has a penetration test been performed on the application?

Yes
No

2.1 Please enter the date of the most recent penetration test:
2.2 Who performed the most recent penetration test?
2.3 Please briefly describe any outstanding security issues:

B. Information Sensitivity

3. Please specify the client data used or collected (select all that apply):

Client Data Contains Data Value (Yes/No)


Financial institution account information
Credit card information
International identifying number (for example, social security)
Home address
Home or cell phone
Medical information
Birth date
Personal private information (for example, mother's first/middle/maiden name, city of birth, first
school)
Cultural information (racial or ethnic origin, political opinion, religion, trade union membership,
sexual preference, criminal record)

4. Please specify the employee data used or collected (select all that apply):

Employee Data Contains Data Value (Yes/No)


Birth date
Credit card information
Cultural information (racial or ethnic origin, political opinion,
religion, trade union membership, sexual preference, criminal
record)
Dependents or beneficiaries
Financial institution deposit information
Hire date
Home address
Home or cell phone
International identifying number (for example, Social Security)
Marital status
Medical Information
Performance reviews/evaluations
Personal private information (for example, mother's
first/middle/maiden name, city of birth, first school)
Salary/compensation information

5. Please specify the type of campus (internal information) data used or collected (select all that apply):

Campus Data Contains Data Value (Yes/No)


FERPA Restricted Information
Public academic research
Private (proprietary) academic research
Client Lists
Financial forecasts
Legal documents/contracts
Merger or acquisition plans
Strategic plans

6. Please specify the type of third-party data used or collected (select all that apply):

Third-Party Data Contains Data Value (Yes/No)


Intellectual property
Licensed software in internally developed applications
Subject to Non-Disclosure Agreement (NDA)

7. Does the information resource use or process any other confidential or restricted information?
Yes
If yes, please specify:
No

8. Does the information resource administer, use, or grant access to sensitive data (or privileges) on other
systems?
Yes
No

8.1 Please describe how this application administers access to sensitive data on other systems
or grants access to sensitive data:

9. Does the information resource process any financial transactions?


Yes
No

9.1 If the information resource initiates or accepts financial transactions (non-customer
transactions, internal to the organization only), please specify approximately how much
money is processed:

< $10,000
$10,000 to $49,999
$50,000 to $499,999
$500,000 to $1,000,000
> $1,000,000

10. Could mishandled information damage the organization by resulting in faulty business transactions,
loss of money, or jail time?
Yes
No

10.1 If information was compromised by an unauthorized outside party, select the resulting
level of potential damage:
Criminal Prosecution
< $500,000
$500,000 to $999,999
$1,000,000 to $4,999,999
$5,000,000 to $9,999,999
> $10,000,000

C. Regulatory Requirements

11. Is the information resource subject to any regulatory requirements?


Yes
No

11.1 Please select the regulatory requirements that are applicable (select all that apply):

Family Educational Rights and Privacy Act (FERPA)


Payment Card Industry Data Security Standard (PCI DSS)
Health Insurance Portability and Accountability Act (HIPAA)
Federal Financial Institutions Examination Council (FFIEC)
Gramm-Leach-Bliley Act (GLBA)
Office of Foreign Assets Control (OFAC)
Other, please specify:

12. Are there any other requirements (for example, contractual) that mandate information security
controls for confidentiality, integrity, or availability?
Yes
No

12.1 Please provide any detail on other requirements that may be applicable for the
information resource:

D. Business Requirements

13. Please rate the overall confidentiality needs (the consequences of unauthorized disclosure or
compromise of data stored, processed, or transmitted by the resource) of the information resource:

High
Moderate
Low

14. Please rate the overall integrity needs (the consequences of corruption or unauthorized
modification/destruction of data stored, processed, or transmitted by the resource) of the information
resource:

High
Moderate
Low

15. Please rate the overall availability needs (the consequences of loss or disruption of access to
data the resource stores, processes, or transmits) of the information resource to non-campus users:

High
Moderate
Low
N/A

16. Please rate the overall availability needs (the consequences of loss or disruption of access to
data the resource stores, processes, or transmits) of the information resource to campus users:

High
Moderate
Low
N/A

17. Please rate the overall reputational damage to the organization if it was known to the user
community or industry that the information resource has been breached or defaced in some manner:

High
Moderate
Low

E. Definitions
Use the following definitions for Low, Moderate, and High ratings in this questionnaire:

Rating      Definition

Low         A compromise would be limited and generally acceptable for the organization, resulting in
            minimal monetary, productivity, or reputational losses. There would be only minimal impact
            on normal operations and/or business activity.

Moderate    A compromise would be marginally acceptable for the organization, resulting in certain
            monetary, productivity, or reputational losses. Normal operations and/or business activity
            would be noticeably impaired, including the potential for breaches of contractual obligations.

High        A compromise would be unacceptable for the organization, resulting in significant monetary,
            productivity, or reputational losses. The ability to continue normal operations and/or
            business activity would be greatly impaired, potentially resulting in noncompliance with
            legal or regulatory requirements and/or loss of public confidence in the organization.

F. Servers

Scope and Objective: Please accurately complete the following questions on server security controls.
This section is important in order for the Information Security Office to understand potential risk
exposure areas for campus systems. Servers are defined as a group of systems storing, processing, or
transmitting sensitive information grouped in a similar location (DMZ, Internal network) or hosting a
similar application or information. This category includes any network infrastructure (routers, firewalls,
switches) supporting the servers.

18. Have you completed the Resource Inventory Worksheet for any system that is
storing, processing, or transmitting level 1 information?
If yes, please list date:

19. For servers not hosted in SJSU data centers, are any servers under your control
storing level 1 sensitive information?
If yes, please list server IP address, hostname, and location below:

20. Is an ISO approved patching application used and configured to run every 30 days on all servers?

21. Do server administrators install software downloaded from the Internet?

22. Are all software and files downloaded from non-SJSU servers screened with virus detection,
malware detection, or content filtering prior to being executed?

23. Is an antivirus program running on all servers?

24. Are server resources hosting sensitive information placed on separate VLANs
with firewall filtering? In other words, no servers hosting sensitive information are
placed in the same network segment or VLAN that DMZ or less sensitive hosts are
placed into?

24.1 Is port access allowed to servers from the public Internet?
If yes, please list server and ports:

24.2 Is port access allowed to servers from other campus networks?


If yes, please list server and ports:

24.3 Do firewall policy rules enforce the principle of least privilege for
controlling access to the servers? In other words, are only ports with a
documented business need allowed, with all other port access dropped or
blocked?

Please list date this was verified and verification procedure:

25. Have the servers been verified or reviewed against the Data Center Security
Standard?
If yes, please list date this was verified:

26. Is event monitoring enabled for security relevant events?

26.1 Are security events retained for the required retention period, by
mirroring to a separate logging server?

26.2 Are security events monitored and analyzed on a daily basis?

26.3 Does the implemented security event logging solution detect and
alert on security events within 24 hours?
26.4 Have the systems been reviewed to be following the Event
Monitoring Security standard?
If yes, please list date verified:

27. Are server Administrator permissions reviewed by the business owner or
delegate on a periodic basis?

28. Are administrative privileges for networked devices controlled and tracked for
their assignment and use using a procedure or tool?

29. Is a device tracking inventory control system in place to track all hardware on
the network so that only authorized devices are given access, and unmanaged
devices are found and prevented from gaining access?

30. Is a change control system in place for tracking and managing any changes to
routers, firewalls, and switches?

31. With networked devices, is a system in place to manage (track, control, and
correct) the ongoing operational use of ports, protocols, and services?

32. Are ACLs enforced on the servers to prevent unauthorized copying or writing of
sensitive information?

33. Can the servers detect all attempts to access files on local systems or network
file shares with the appropriate privilege?

G. Web Applications
Scope and Objective: Please accurately complete the following risk questionnaire questions on campus
web applications. This information will help determine specific risk exposure concerns for the
information security program. A web application is developed in-house by a campus developer, or
hosted by a 3rd party provider.

34. Have you completed the Resource Inventory Worksheet for any web application
storing, processing, or transmitting level 1 information?

35. Is your web application resource hosted by a third party?

35.1 If it is hosted by a third party, have you completed the Cloud
Security Questionnaire and has it been approved by the Information
Security Office?
If yes, please list date approved:

35.2 Is there language in the agreement with the third party that covers
FERPA confidentiality?

35.3 Is there language in the agreement with the third party that covers
HIPAA Business Associate requirements?

35.4 Is there language in the agreement with the third party that covers
PCI DSS?

36. Has the web application undergone a web application security assessment?

If yes, please list date:

37. If the web application is developed in-house: Have the developers undergone
SDLC security training, including OWASP Top 10 web application vulnerabilities for
secure coding practices?
If yes, please list date:

38. Does the web application use forms-based authentication of user credentials,
with different authorization levels for different users?

39. Does the web application serve dynamic content using a backend database
connection?

40. Is the web application protected with a firewall and located in a DMZ?

41. Do firewall policy rules enforce the principle of least privilege for controlling
access to the web applications? In other words, are only ports with a documented
business need allowed, with all other port access dropped or blocked?
Please list the date this was verified, and the verification procedure.

42. Please list the ports that are allowed through the firewall to access the web
application, for each source network where the users (or malicious 3rd parties) are
connecting from:

Connecting from the public Internet:
Ports allowed to access web application:

Connecting from other campus networks:
Ports allowed to access web application:
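The verification procedure asked for in 24.3, 41, and 42 can be partly automated. The following is an added example and is not part of the questionnaire or of any SJSU tool: it parses a constructed firewall rule export, classifies each rule's source as public Internet or campus, lists the services each source class can reach (question 42), and flags allow rules that exceed an approved-port matrix or use wildcard services (24.3 and 41). The rule format, the campus address ranges (10.0.0.0/8 and 172.16.0.0/12), the approved ports, and the host 10.10.1.20 are all assumptions made for this example.

```python
"""Added example (not part of the SJSU questionnaire): audit a firewall rule
export for the least-privilege property asked about in questions 24.3 and 41,
and produce the per-source-network port list asked for in question 42.

Constructed assumptions: the rule export format, the campus address ranges
and the approved-port matrix below are all made up for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed: address ranges treated as "other campus networks".
# Anything else, including a source of 'any', is treated as the public Internet.
CAMPUS_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("172.16.0.0/12")]

# Constructed: services with a documented business need, per source class.
APPROVED = {
    "public": {("tcp", 443)},
    "campus": {("tcp", 443), ("tcp", 22)},
}

# Constructed rule export, one rule per line: action src dst proto dport
SAMPLE_RULES = """\
allow any            10.10.1.20 tcp 443
allow any            10.10.1.20 tcp 80
allow 10.20.0.0/16   10.10.1.20 tcp 22
allow 172.16.5.0/24  10.10.1.20 any any
allow 203.0.113.0/24 10.10.1.20 tcp 3389
deny  any            any        any any
"""


def source_class(src):
    """Classify a rule's source as 'campus' or 'public' (the two source networks of Q42)."""
    if src == "any":
        return "public"
    net = ipaddress.ip_network(src, strict=False)
    return "campus" if any(net.subnet_of(c) for c in CAMPUS_NETWORKS) else "public"


def parse_rules(text):
    """Parse the constructed five-column export into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        action, src, dst, proto, dport = line.split()
        rules.append({"action": action, "src": src, "dst": dst,
                      "proto": proto, "dport": dport})
    return rules


def audit(rules):
    """Return (exposed, violations).

    exposed maps each source class to the services it can reach (Q42).
    violations lists allow rules broader than the approved matrix: wildcard
    services, or ports with no business need for that source class (Q24.3, Q41).
    """
    exposed = defaultdict(set)
    violations = []
    for r in rules:
        if r["action"] != "allow":
            continue
        cls = source_class(r["src"])
        if r["proto"] == "any" or r["dport"] == "any":
            violations.append(f"{r['src']} -> {r['dst']}: wildcard service "
                              f"(proto={r['proto']}, port={r['dport']})")
            continue
        svc = (r["proto"], int(r["dport"]))
        exposed[cls].add(svc)
        if svc not in APPROVED[cls]:
            violations.append(f"{r['src']} -> {r['dst']}: {svc[0]}/{svc[1]} "
                              f"has no approved business need for {cls} sources")
    return dict(exposed), violations


def has_default_deny(rules):
    """Least privilege also needs an explicit catch-all deny as the final rule."""
    last = rules[-1]
    return (last["action"] == "deny"
            and last["src"] == last["dst"] == "any"
            and last["proto"] == last["dport"] == "any")


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    exposed, violations = audit(rules)
    for cls in ("public", "campus"):
        ports = ", ".join(f"{p}/{n}" for p, n in sorted(exposed.get(cls, ())))
        print(f"{cls:7s} -> {ports or 'nothing'}")
    print("default deny present:", has_default_deny(rules))
    for v in violations:
        print("VIOLATION:", v)
```

Run against the real export and keep the output, with the date, as the verification record. A non-empty violation list, or a missing final catch-all deny, means the policy does not yet meet the least-privilege wording of 24.3 and 41, and the exposed map is the port list 42 asks for.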

43. Has a web application firewall been installed and properly tuned, to help
mitigate attacks against the web application?

H. Users and Administrators

Scope and Objective: Please accurately answer the risk assessment questionnaire items below for Users
and Administrators. This section includes all endpoints and users. Endpoints include workstations,
laptops, and mobile computing machines. The users include both regular users and Administrators that
have access to sensitive campus information.

44. Does the information owner or delegate assign and review permissions for user
application access to level 1 information on a periodic basis?

If yes, when was the last time permissions were reviewed?

45. Is the principle of least privilege used when assigning permissions to users for
business applications that need access to level 1 information?

46. Do your users access level 1 sensitive information?

46.1 If yes, what applications or client applications are used?

46.2 For any of these applications: do they currently store, process, or
transmit any level 1 sensitive information unencrypted?
If yes, please list application and IP address:

47. Have users received information security awareness training?
If yes, please list date:

Does awareness training include phishing education and awareness?

48. How likely are users to download and open suspicious attachments or click on
suspicious links sent via email from 3rd parties?

1 Not likely
2
3 Somewhat likely
4
5 Very likely

49. Beyond workstations, laptops, and mobile computing devices: Are there any
servers (for example, file servers) under your control that store level 1 data
unencrypted?

If yes, please list exceptions below, including IP address and hostname:

50. Is level 1 information stored on workstation (including laptops and mobile
computing devices) hard drives encrypted?

51. Is level 1 information stored on removable media (USB, CD/DVD) encrypted?

52. For any machines decrypting level 1 information: Do these machines follow
the patching standard of running an ISO-approved patching application every 30 days?

53. For any machines decrypting level 1 information: Are these machines running
an ISO approved antivirus application?

54. Is any level 1 information stored on cloud-based storage services such as
Google Drive or Dropbox?

55. Is personal email used to transmit level 1 or FERPA information?

56. From the Internet, are any inbound connections allowed directly through the
firewall into any workstation, laptop, or mobile computing machines under your
control?
If yes, please list exceptions, including IP address and ports allowed:

57. From other campus networks, are any networks allowed through the firewall
to access services on your machines?
If yes, please list the source networks and ports allowed to access your machines:

58. Do any users run a patching application other than the ISO-approved one?

59. Do any users run an antivirus application other than the ISO-approved one?

60. Are any endpoints running an Operating System that is not supported by the
vendor, such as Windows XP?
If yes, please list exceptions, including hostname and IP address:
61. Have the critical workstations and laptops been screened for vulnerabilities
using a vulnerability scanner?
If yes, please list date:

62. Has a random sampling of the laptops or workstations been screened for the
existence of stored level 1 data that is unencrypted?

If yes, please list date and verification procedure:
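Question 62 asks whether sampled laptops or workstations have been screened for unencrypted level 1 data. The following is an added example, not part of the questionnaire or of any SJSU tool: it searches file contents for two level 1 data types named in Section B, Social Security numbers and payment card numbers, applies a Luhn check to cut false positives on card-like digit runs, and reports redacted findings suitable for the verification record. The detection patterns, the file name and the sample file contents are constructed for the example; the campus data classification standard, not this script, defines what counts as level 1, and a real run would walk the sampled machines' file systems rather than one embedded string.

```python
"""Added example (not part of the SJSU questionnaire): screen sampled file
contents for stored, unencrypted level 1 data, the check question 62 asks
about, using two data types listed in Section B: Social Security numbers
and payment card numbers.

Constructed assumptions: the patterns and SAMPLE_FILE below are made up for
illustration; the campus classification standard defines "level 1".
"""
import re

# SSN in 3-2-4 form. Area 000, 666 and 9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample file: one real-format SSN, one Luhn-valid test card
# number, and decoys (a phone number and a 16-digit run that fails Luhn).
SAMPLE_FILE = """\
Student intake notes (exported 2019-03-04)
Phone: 408-924-1000
SSN: 123-45-6789
Card on file: 4111 1111 1111 1111
Ticket ref: 1234 5678 9012 3456
"""


def luhn_ok(digits):
    """Luhn check-digit validation; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_level1(text):
    """Return {'ssn': [...], 'card': [...]} with the level 1 values found in text."""
    hits = {"ssn": SSN_RE.findall(text), "card": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits["card"].append(digits)
    return hits


def redact(value):
    """Keep only the last four characters so the report itself is not level 1 data."""
    return "*" * (len(value) - 4) + value[-4:]


def report(name, text):
    """One line per finding for the Q62 verification record: file, type, redacted value."""
    hits = find_level1(text)
    return [f"{name}: {kind} {redact(v)}" for kind, vals in hits.items() for v in vals]


if __name__ == "__main__":
    for line in report("intake_notes.txt", SAMPLE_FILE):
        print(line)
```

The Luhn check is what keeps ticket numbers and other long digit runs out of the report; SSNs have no check digit, so the issuance-range exclusions in the pattern are the only filter there and a human should confirm each hit before it is recorded as an exception under 49 or 50.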

63. Do users log in with administrative credentials on workstations or laptops?
If yes, please list exception reason:

64. Is Administrative privilege granted by business owners with the principle of
least privilege?

65. Do users install software downloaded from the Internet?
If yes, please list exception reason:

66. Do users adhere to the ISO password policy, including:

All passwords adhere to this standard for length and complexity:

If password is 8 - 16 characters long:
* It cannot contain spaces
* It needs to contain at least one lowercase letter
* It needs to contain at least one uppercase letter
* It needs to contain at least one number
* It needs to be uniquely different from previous passwords
If password is 17 - 28 characters long:
* No character restrictions
* It needs to be uniquely different from previous passwords

All campus user passwords expire after 180 days, and are reset in
accordance with the password standard?

The initial distribution of passwords, password lockout, and password
reset follows the ISO password standard?
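The length and complexity rules quoted in question 66 can be checked mechanically. The following is an added example, not part of the questionnaire or of the ISO password standard: it implements the two length tiers and the no-reuse rule exactly as listed above. Two assumptions are made for illustration: "uniquely different" is read as "not identical to any earlier password", and the history is passed in as a plaintext list; a real system compares against stored hashes.

```python
"""Added example (not part of the SJSU questionnaire): check a candidate
password against the length and complexity tiers quoted in question 66.

Constructed assumptions: previous passwords are supplied as a list, and
"uniquely different" is interpreted as "not identical to any earlier
password". A production system would compare against stored hashes.
"""
import re
from typing import Sequence

MIN_LEN, LONG_TIER, MAX_LEN = 8, 17, 28


def check_password(candidate: str, previous: Sequence[str] = ()) -> list:
    """Return the list of Q66 rules the candidate violates (empty list means it passes)."""
    problems = []
    n = len(candidate)
    if n < MIN_LEN or n > MAX_LEN:
        # Outside both tiers; the other rules do not apply.
        return [f"length {n} is outside {MIN_LEN}-{MAX_LEN} characters"]
    if n < LONG_TIER:
        # 8-16 characters: the complexity tier applies.
        if " " in candidate:
            problems.append("contains a space")
        if not re.search(r"[a-z]", candidate):
            problems.append("no lowercase letter")
        if not re.search(r"[A-Z]", candidate):
            problems.append("no uppercase letter")
        if not re.search(r"[0-9]", candidate):
            problems.append("no number")
    # 17-28 characters: no character restrictions; only the reuse rule applies.
    if candidate in previous:
        problems.append("identical to a previous password")
    return problems


def is_compliant(candidate, previous=()):
    """Convenience wrapper: True when check_password() finds no violations."""
    return not check_password(candidate, previous)


if __name__ == "__main__":
    # Constructed samples covering each branch of the standard.
    for pw in ["Abcdefg1", "Abc defg1", "abcdefgh",
               "correct horse battery staple", "short1A"]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
    print(check_password("Abcdefg1", previous=["Abcdefg1"]))
```

Note the tier boundary: a 16-character password with a space fails, while the same phrase padded to 17 characters passes, which is exactly what the standard as written says; whether that is the intended behaviour is a question for the ISO, not for the checker.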

67. For endpoints: Is a device tracking inventory control system in place to track all
hardware on the network so that only authorized devices are given access, and
unmanaged devices are found and prevented from gaining access?

68. Is an inventory control system in place to actively manage all software on the
network so that only authorized software is installed and can execute, and
unmanaged software is discovered and prevented from installation or execution?

69. Is the security of the wireless network, access points, and wireless clients
adhering to the Airwave Security standard for strong access control and encryption,
including:

69.1 Rogue access points are either disallowed or immediately detected?

69.2 Rogue wireless devices can be detected?

69.3 All wireless traffic leverages AES encryption used with at least WPA2
protection?

69.4 All wireless networks use authentication protocols such as EAP-TLS?

70. Is a Data Loss Prevention solution in place to prevent data exfiltration of
sensitive level 1 information?

71. Has an incident response infrastructure, program, or process been developed
so that information owners and administrators can respond to security incidents
with the help of ISO?
Risk Assessment Process Flow (7 Step Process)

Step 1: Resource Profiling (describe the resource and rate risk sensitivity)
Step 2: Risk Assessment (identify and rate threats, vulnerabilities, and risks)
Step 3: Risk Evaluation (decision to accept, avoid, transfer, or mitigate risk)
Step 4: Document (document risk decisions including exceptions and mitigation plans)
Step 5: Risk Mitigation (implement mitigation plan with specified controls)
Step 6: Validation (test the controls to ensure the actual risk exposure matches the desired levels)
Step 7: Monitoring & Audit (continually track changes to the system that may affect the risk profile and perform regular audits)

Sample resource profiles shown in the process flow figure:
Resource types: Servers; Web Applications; Users and Administrators
Business owners: AVP Human Resources; AVP Business and Finance
Example resources: DMZ servers in Data Center 1 hosting FERPA; DMZ servers in Data Center 2 hosting FERPA; Student self-service web app for student records; Faculty web app for grades