Scope and Objective: Please accurately complete the questionnaire below. Sections A through E assess the risk sensitivity of the resource under the administrative domain of the business owner. Risk sensitivity is defined as the relative measure of a resource's tolerance for risk exposure, similar to an evaluation of its importance or criticality to the campus organization, independent of any particular threat or vulnerability. Every resource is distinct within each campus IT department; therefore, it is imperative to understand the risk exposure of each asset, resource, and application.
Sample
Resource Name:
Resource Type:
Business Owner:
Information Security Office Contact:
Web Applications: A web application developed in-house by a campus developer, or hosted by a 3rd party provider.
Users and Administrators: A catch-all resource category that includes all desktops, workstations, and mobile computing devices, in addition to any user or administrator who utilizes these computers.
A. General Information
1. Please select which groups of individuals have access to your information resource:
University Students
Employees
Partners
External Clients
Outsourcers
Regulators
Government Agencies
Vendors
Other Campus Entity
2.1 Please enter the date of the most recent penetration test:
2.2 Who performed the most recent penetration test?
2.3 Please briefly describe any outstanding security issues:
B. Information Sensitivity
3. Please specify the client data used or collected (select all that apply):
4. Please specify the employee data used or collected (select all that apply):
5. Please specify the type of campus (internal information) data used or collected (select all that apply):
6. Please specify the type of third-party data used or collected (select all that apply):
7. Does the information resource use or process any other confidential or restricted information?
Yes
If yes, please specify:
No
8. Does the information resource administer, use, or grant access to sensitive data (or privileges) on other systems?
Yes
No
8.1 Please describe how this application administers access to sensitive data on other systems or grants access to sensitive data:
< $10,000
$10,000 to $49,999
$50,000 to $499,999
$500,000 to $1,000,000
> $1,000,000
10. Could mishandled information damage the organization by resulting in faulty business transactions,
loss of money, or jail time?
Yes
No
10.1 If information was compromised by an unauthorized outside party, select the resulting level of potential damage:
Criminal Prosecution
< $500,000
$500,000 to $999,999
$1,000,000 to $4,999,999
$5,000,000 to $9,999,999
> $10,000,000
C. Regulatory Requirements
11.1 Please select the regulatory requirements that are applicable (select all that apply):
12. Are there any other requirements (for example, contractual) that mandate information security controls for confidentiality, integrity, or availability?
Yes
No
12.1 Please provide any detail on other requirements that may be applicable for the information resource:
D. Business Requirements
13. Please rate the overall confidentiality needs (the consequences of unauthorized disclosure or compromise of data stored, processed, or transmitted by the resource) of the information resource:
High
Moderate
Low
14. Please rate the overall integrity needs (the consequences of corruption or unauthorized modification/destruction of data stored, processed, or transmitted by the resource) of the information resource:
High
Moderate
Low
15. Please rate the overall availability needs (the consequences of loss or disruption of access to data the resource stores, processes, or transmits) of the information resource to non-Campus users:
High
Moderate
Low
N/A
16. Please rate the overall availability needs (the consequences of loss or disruption of access to data the resource stores, processes, or transmits) of the information resource to Campus users:
High
Moderate
Low
N/A
17. Please rate the overall reputational damage to the organization if it were known to the user community or industry that the information resource had been breached or defaced in some manner:
High
Moderate
Low
E. Definitions
Use the following definitions for Low, Moderate, and High ratings in this questionnaire:
Rating: Definition
Low: A compromise would be limited and generally acceptable for the organization, resulting in minimal monetary, productivity, or reputational losses. There would be only minimal impact on normal operations and/or business activity.
F. Servers
Scope and Objective: Please accurately complete the following questions on server security controls. This section is important in order for the Information Security Office to understand potential risk exposure areas for campus systems. Servers are defined as a group of systems storing, processing, or transmitting sensitive information, grouped in a similar location (DMZ, internal network) or hosting a similar application or information. This category includes any network infrastructure (routers, firewalls, switches) supporting the servers.
18. Have you completed the Resource Inventory Worksheet for any system that is storing, processing, or transmitting level 1 information?
If yes, please list date:
19. For servers not hosted in SJSU data centers, are any servers under your control storing level 1 sensitive information?
If yes, please list server IP address, hostname, and location below:
20. Is an ISO approved patching application used and configured to run every 30 days on all servers?
22. Are all software and files downloaded from non-SJSU servers screened with virus detection, malware, or content filtering prior to being executed?
24. Are server resources hosting sensitive information placed on separate VLANs with firewall filtering? In other words, no servers hosting sensitive information are placed in the same network segment or VLAN that DMZ or less sensitive hosts are placed into?
24.3 Do firewall policy rules enforce the principle of least privilege for controlling access to the servers? In other words, only ports that require a business need are allowed, and all other port access is dropped or blocked?
25. Have the servers been verified or reviewed against the Data Center Security Standard?
If yes, please list date this was verified:
26.1 Are security events retained for the required retention period by mirroring to a separate logging server?
26.3 Does the implemented security event logging solution detect and alert on security events within 24 hours?
26.4 Have the systems been reviewed to be following the Event Monitoring Security standard?
If yes, please list date verified:
28. Are administrative privileges for networked devices controlled and tracked for their assignment and use using a procedure or tool?
29. Is a device tracking inventory control system in place to track all hardware on the network so that only authorized devices are given access, and unmanaged devices are found and prevented from gaining access?
30. Is a change control system in place for tracking and managing any changes to routers, firewalls, and switches?
31. With networked devices, is a system in place to manage (track, control, and correct) the ongoing operational use of ports, protocols, and services?
32. Are ACLs enforced on the servers to prevent unauthorized copying or writing of sensitive information?
33. Can the servers detect all attempts to access files on local systems or network file shares with the appropriate privilege?
G. Web Applications
Scope and Objective: Please accurately complete the following risk questionnaire questions on campus web applications. This information will help determine specific risk exposure concerns for the information security program. A web application is developed in-house by a campus developer, or hosted by a 3rd party provider.
34. Have you completed the Resource Inventory Worksheet for any web application storing, processing, or transmitting level 1 information?
35.2 Is there language in the agreement with the third party that covers FERPA confidentiality?
35.3 Is there language in the agreement with the third party that covers HIPAA Business Associate requirements?
35.4 Is there language in the agreement with the third party that covers PCI DSS?
36. Has the web application undergone a web application security assessment?
37. If the web application is developed in-house: Have the developers undergone SDLC security training, including the OWASP Top 10 web application vulnerabilities, for secure coding practices?
If yes, please list date:
38. Does the web application require forms for authentication of user credentials with different authorization levels?
39. Does the web application serve dynamic content using a backend database connection?
40. Is the web application protected with a firewall and located behind a DMZ?
41. Do firewall policy rules enforce the principle of least privilege for controlling access to the web applications? In other words, only ports that require a business need are allowed, and all other port access is dropped or blocked?
Please list the date this was verified, and the verification procedure.
42. Please list the ports that are allowed through the firewall to access the web application, for each source network where the users (or malicious 3rd parties) are connecting from:
Connecting from Public Internet:
Ports allowed to access web application:
43. Has a web application firewall been installed and properly tuned to help provide threat mitigation against attacks on the web applications?
Scope and Objective: Please accurately answer the risk assessment questionnaire items below for Users and Administrators. This section includes all endpoints and users. Endpoints include workstations, laptops, and mobile computing machines. The users include both regular users and Administrators that have access to sensitive campus information.
44. Does the information owner or delegate assign and review permissions for user application access to level 1 information on a periodic basis?
45. Is the principle of least privilege used when assigning permissions to users for business applications that need access to level 1 information?
48. How likely are users to download and open suspicious attachments or click on suspicious links sent via email from 3rd parties?
1 Not likely
2
3 Somewhat likely
4
5 Very likely
49. Beyond workstations, laptops, and mobile computing devices: Are there any servers (for example, file servers) under your control that store level 1 data unencrypted?
52. For any machines decrypting level 1 information: Are these machines following the patching standard of running an ISO approved patching application every 30 days?
53. For any machines decrypting level 1 information: Are these machines running an ISO approved antivirus application?
54. Is any level 1 information stored on cloud based storage systems such as Google Drive or Dropbox?
55. Is personal email used to transmit level 1 or FERPA information?
56. From the Internet, are any inbound connections allowed directly through the firewall into any workstation, laptop, or mobile computing machines under your control?
If yes, please list exceptions, including IP address and ports allowed:
57. From other campus networks, are any other networks allowed through the firewall to access services on your machines?
If yes, please list source networks and ports allowed to access your machines:
58. Do any users run patching applications other than ISO approved?
59. Do any users run Antivirus applications other than ISO approved?
60. Are any endpoints running an Operating System that is not supported by the vendor, such as Windows XP?
If yes, please list exceptions, including hostname and IP address:
61. Have the critical workstations and laptops been screened for vulnerabilities using a vulnerability scanner?
If yes, please list date:
62. Has a random sampling of the laptops or workstations been screened for the existence of stored level 1 data that is unencrypted?
Do all campus user passwords expire after 180 days, and are they reset in accordance with the password standard?
67. For endpoints: Is a device tracking inventory control system in place to track all hardware on the network so that only authorized devices are given access, and unmanaged devices are found and prevented from gaining access?
68. Is an inventory control system in place to actively manage all software on the network so that only authorized software is installed and can execute, and unmanaged software is discovered and prevented from installation or execution?
69. Is the security of the wireless network, access points, and wireless clients adhering to the Airwave Security standard for strong access control and encryption, including:
69.3 All wireless traffic leverages AES encryption used with at least WPA2 protection?
Step 4: Document (Document risk decisions, including exceptions and mitigation plans)
Step 6: Validation (Test the controls to ensure the actual risk exposure matches the desired levels)