8/20/2019 Implementing a System-Wide Risk Mitigation Policy (288226470) http://slidepdf.com/reader/full/implementing-a-system-wide-risk-mitigation-policy-288226470

IT Required Practices (Description)

Authentication
- Admin accounts not used for day-to-day activities
- Users are not allowed to run systems as administrators
- Employ strong authentication requirements
- Secure management of passwords
- All mobile devices require at least a 4-digit PIN

Backups
- All institutional data are backed-up; tests of backups routinely conducted
- Maintain off-site backups

Documentation
- Data stored or shared with third party is appropriately documented
- Data stored or shared with third party is approved by Data Stewards
- Up-to-date risk mitigation plan
- Business Continuity Plan up-to-date
- Disaster Recovery Plan formally tested
- Inventory of IT assets, with data classifications, and data analysis
- Written incident response procedure
- DRP maintained and routinely updated
- Formally assign roles of security and privacy

Physical infrastructure/hardware
- Offsite backups with critical data properly secured
- Server room environmental controls are sufficient
- Server room physical controls are sufficient
- Procedure for equipment decommissioning (i.e. hard drive-wiping, shredding)

Scans and log monitoring
- Regular (at least monthly) vulnerability scans on all servers
- System logs regularly reviewed
- System logs archived securely, and for the appropriate duration
- Identity Finder scans routinely occurring on servers
- Identity Finder scans routinely occurring on workstations

Patch management, software, system builds
- Routine and consistent procedures for patch management
- Servers on supported operating systems
- Run systems with only necessary software, services and port openings
- Identify and patch third-party software on systems
- Mobile devices on IU's network secured and managed
- Maintain updated OS builds for efficient recovery

Firewall, antivirus, encryption, network
- All servers behind physical firewall
- Admin accounts not shared among individuals - unique admin accounts/passwords for each
- Provide access to IU systems and services only to those authorized to access such services
- All servers on private IPs (unless documented operational necessity)
- All printers on private IPs
- Disable or secure remote access

Certifications / training / handling of sensitive data
- Hire technicians with the expertise necessary to maintain systems and hardware
- Identify types of data in your unit
- All employees participate in security/privacy awareness (HIPAA/FERPA certs)
- PCI DSS compliance training/awareness for appropriate personnel
- Subscribe to vendor advisory services
- Sensitive data managed on secure systems, by appropriate procedures and personnel
- Training procedures in place for appropriate use and access to electronic information
- Keep abreast of IU security advisories, policy, and best practice updates through Protect IU
- For users, identify appropriate server locations of data extracted or derived from central sources
IT-07, section 1 The university does not condone censorship, routine inspection of electronic files, the monitoring of network ac
IT-07, section 2 Stored electronic files and voice and data network communications may not be accessed by someone o
IT-07, section 2.1 the person to whom the account in which the information has been stored is assig
IT-07, section 2.2 the person from whom the communication originated, or to whom the communica
IT-07, section 2.3 the person to whom the device containing the stored electronic files has been ass
IT-07, section 3 A technician may access specific information technology resources and electronic information in certain
IT-07, section 4 All other requirements and actions outlined in policy IT-07, including notification, preservation of electronic inf
  provisions.

Policy IT-12 Requirements
For a computer system to be managed securely, functional unit management must:
IT-12, section 1.1 Fully understand the sensitivity of the function or operation being supported by the system and the data being
IT-12, section 1.2 Hire technicians with the expertise necessary to appropriately maintain the hardware, operating systems, syst
  which they are assigned.
IT-12, section 1.3 Ensure that technicians understand their responsibilities and the consequences of poorly managed systems (c
  sensitive data, potential legal liability for the department and Indiana University, possible loss of Federal and o
IT-12, section 1.4 Provide necessary initial and refresher training to technicians as hardware or software components are revised
IT-12, section 1.5 Ensure that assignments and job plans account for time required for systematic and periodic audit and mainte

For a computer system to be managed securely, functional unit technicians must:
IT-12, section 2.1 Fully understand the sensitivity of the function or operation being supported by the system and the da
IT-12, section 2.2 Not choose operating systems that are known as being difficult to maintain and secure.
IT-12, section 2.3 Use technical tools to take an image of any freshly installed operating systems in order to speed recov
IT-12, section 2.4 Remove or disable unneeded services and software, especially those that are network-accessible.
IT-12, section 2.5 Log activities on the system:
IT-12, section 2.5.1 1. Successful user logins, including the location from which the logins originated
IT-12, section 2.5.2 2. Unsuccessful login attempts, including the location from which the attempts o
IT-12, section 2.5.3 3. Unsuccessful file access attempts, and
IT-12, section 2.5.4 4. Successful file accesses for files and databases containing sensitive informatio
IT-12, section 2.6 Disable or secure remote access from system-to-system (e.g., rlogin).
IT-12, section 2.7 Proactively seek out and apply vendor-supplied fixes necessary to repair security vulnerabilities, within
  high-risk, with 48 hours for medium-risk, and within 72 hours for low-risk).
IT-12, section 2.8 Encrypt stored sensitive data where possible to minimize disclosure if the system is compromised.
IT-12, section 2.9 Encrypt sensitive data being transmitted to-and-from the system where possible to ensure the data is
IT-12, section 2.10 Deploy encrypted communications methods (e.g., Secure Shell) for user access to the system and for a
IT-12, section 2.11 Technically limit access to local network addresses where possible (e.g., TCP Wrappers) given the functi
IT-12, section 2.12 Scan computers for security vulnerabilities using available technical tools:
IT-12, section 2.12.1 1. regularly, at least every 30 days to ensure new vulnerabilities are identified promp
IT-12, section 2.12.2 2. immediately after installation/configuration of a new system is completed,
IT-12, section 2.12.3 3. immediately after introduction of a new operating system or an upgrade to a curre
IT-12, section 2.12.4 4. immediately after installation or upgrade of networking or other system software.
IT-12, section 2.13 Install and maintain anti-virus software on operating systems for which Indiana University has licensed
IT-12, section 2.14 Subscribe to vendor and other advisory services applicable to the operating environment being mainta
IT-12, section 2.15 Periodically visit the web site of the UISO to view current bulletins or to obtain recent security guides a
IT-12, section 2.16 Provide access to only those persons who are otherwise eligible to use Indiana University technology re
  is allowed.
IT-12, section 2.17 Limit access to needed services to only authorized persons.

The language used here is taken directly from each policy. Not all of the text of each policy is included here - only the
The numbering scheme in the left column is provided to help map items in the previous worksheet to specific parts of
  organization and numbering in the actual policy, and in some cases it does not.
Use of mobile devices to access, store, or manipulate critical information requires: Written approv
  Board confirming a critical business need, and Encrypting the information on the device and in tra

IT-26, section 1 Within one year of the adoption of this policy, all IU administrative and auxiliary units' administ
  information technology environment will perform an initial, comprehensive evaluation of their i
IT-26, section 1a Determine what unit-level information technology systems and services are candidates for use
IT-26, section 1b Develop a plan for policy compliance with target dates agreed to by the unit head or delegate
IT-26, section 1c Prepare a formal risk assessment and risk mitigation plan to be discussed and approved jointly
IT-26, section 1d Establish and maintain appropriate capacity and expertise for risk mitigation, IU policy complia
IT-26, section 1e Identify any unit level information technology systems and services within an academic unit fo
  are not practicable for use of UITS services
IT-26, section 2 Formal reviews will be updated every two years

Policy Standard DM-01-S Requirements
DM-01-S, section 2.a To the extent possible, data stewards will work together to define a single set of procedures fo
  documenting these common data access request procedures.
DM-01-S, section 2.b Access to institutional data that is consistent with the data's classification will be granted to all
DM-01-S, section 2.c Except as specified elsewhere in this standard, all institutional data will be classified as univers
  appointees will have access to these data, without restriction or prior authorization, for use in
  (ex. assent to Institutional Data Acceptable use agreement, etc.). These data are designated u
  general public.
DM-01-S, section 2.d Where appropriate, data stewards may identify institutional data elements or views which have
  will be designated as public data.
DM-01-S, section 2.e Where necessary, data stewards may specify some data elements as critical or restricted. Criti
  individual authorization prior to access, or to which only limited access may be granted. Data c
  require such access. Designation of data as critical or restricted will include specific reference t
  restriction.
DM-01-S, section 2.f Direct access to university file servers hosting critical or restricted institutional data must be b
  these servers from off-campus must connect in a secure manner, such as through the universi
DM-01-S, section 2.g A data view does not necessarily inherit the restriction characteristics of the data elements wh
  data elements can result in a view which contains otherwise restricted data elements being de
DM-01-S, section 2.h The access privileges of users who change positions or separate from the university must be u
DM-01-S, section 2.i Each data steward will be individually responsible for documenting data access procedures that
DM-01-S, section 8.a The data steward, in consultation with other university offices as appropriate, is responsible fo
  official data storage location of valid codes and values for each data element. The data stewar
  historical data for each data element.
DM-01-S, section 8.b Institutional data may be stored on any of many diverse computing hardware platforms, provid
  system.
DM-01-S, section 8.c Data element names, formats, and codes must be consistent across all applications which use
DM-01-S, section 8.d The University Information Policy Office will assist in determining data storage location and arc
DM-01-S, section 8.e Critical or Restricted data must never be stored on individual user workstations, or mobile dev
  without prior formal written approval and appropriate technical safeguards (see IT-12 Policy, IT
  executive officer of the unit and confirm a critical business need for such storage. Critical or Re
  department or central servers.
DM-01-S, section 8.f Departments are expected to identify, for their users, appropriate server locations for storage
DM-01-S, section 8.g Critical data must not be collected, or extracted from central systems and stored on departme
  of the office involved.
DM-01-S, section 8.h So that standards for survey research and FERPA requirements for non-directory student reco
  that responses are not associated with personally identifiable information (i.e. names, SSNs, e
  placed in different directories and with different naming conventions to obscure the connection
DM-01-S, section 8.i A student may file a directory exclusion to prevent disclosure of public information. For this rea
  daily.
DM-01-S, section 11.a Institutional data must be maintained within professionally administrated systems in complian
DM-01-S, section 11.b If institutional data are stored on any component of the university information system, that sy
  assigned to it a system administrator whose responsibilities include generally accepted system
  authorization systems, backup, recovery, and system restart procedures, data archiving, capac
DM-02, section 3.1.1 completion of a data security questionnaire [provide link]
DM-02, section 3.1.2 review by the University Information Security Office (UISO), and other parties as
DM-02, section 3.1.3 approval by the Data Steward responsible for the institutional information involve
DM-02, section 3.2 Seek advice from the appropriate Data Steward(s) and, as appropriate, Legal Counsel; there m
  documentation in disclosing information with third parties.
DM-02, section 4 It is recognized that in some cases the university is required to share information in compliance with ap
  party's willingness to address risks raised by University's security review, and/or enter into an agreeme
  situations, the law requiring disclosing, the security concerns raised, and the response of the third party

COBIT 4.1 Framework, Section DS4

Copyright © 2007 by the IT Governance Institute. All rights reserved. No part of this publication may be used, copied, reproduced, modifie
  form by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written authorisation of ITGI. Reprod
  academic use only, is permitted and must include full attribution of the material's source. No other right or permission is granted with resp
The full text of the COBIT 4.1 framework can be downloaded from http://www.isaca.org/Knowledge-Center/cobit/Pages/Downloads.aspx
IT Governance Institute
3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491 Fax: +1.847.253.1443
E-mail: info@itgi.org
DM-01-S, section 2.a a. To the extent possible, data stewards will work together to define a single set of procedures for requesting permission to access institutional data, an
DM-01-S, section 2.b b. Access to institutional data that is consistent with the data's classification will be granted to all data users for all legitimate university purposes.
DM-01-S, section 2.c c. Except as specified elsewhere in this standard, all institutional data will be classified as university-internal data for use within the university. Universit
DM-01-S, section 2.d d. Where appropriate, data stewards may identify institutional data elements or views which have few access restrictions and which may be released to
DM-01-S, section 2.e e. Where necessary, data stewards may specify some data elements as critical or restricted. Critical or restricted data would include those data for whic
DM-01-S, section 2.f f. Direct access to university file servers hosting critical or restricted institutional data must be blocked from non-IU network addresses. Individuals requi
DM-01-S, section 2.g g. A data view does not necessarily inherit the restriction characteristics of the data elements which comprise it. (For example, removal of any associati
DM-01-S, section 2.h h. The access privileges of users who change positions or separate from the university must be updated in a timely manner as appropriate.
DM-01-S, section 2.i i. Each data steward will be individually responsible for documenting data access procedures that are unique to a specific information resource or set of
DM-01-S, section 8.a a. The data steward, in consultation with other university offices as appropriate, is responsible for identifying an official data storage location for each d
DM-01-S, section 8.b b. Institutional data may be stored on any of many diverse computing hardware platforms, provided such platforms are integrated components of an ov
DM-01-S, section 8.c c. Data element names, formats, and codes must be consistent across all applications which use the data and consistent with such university standards
DM-01-S, section 8.d d. The University Information Policy Office will assist in determining data storage location and archiving requirements for institutional data.
DM-01-S, section 8.e e. Critical or Restricted data must never be stored on individual user workstations, or mobile devices (i.e. laptops, smart phones, tablets, personal digita
DM-01-S, section 8.f f. Departments are expected to identify, for their users, appropriate server locations for storage of data extracted from central sources or derived throu
DM-01-S, section 8.g g. Critical data must not be collected, or extracted from central systems and stored on departmental servers unless doing so is absolutely required to m
DM-01-S, section 8.h h. So that standards for survey research and FERPA requirements for non-directory student records are met, all program evaluation and assessment dat
DM-01-S, section 8.i i. A student may file a directory exclusion to prevent disclosure of public information. For this reason, student public information must not be stored on l
DM-01-S, section 11.a a. Institutional data must be maintained within professionally administrated systems in compliance with university policies and applicable regulations.
DM-01-S, section 11.b b. If institutional data are stored on any component of the university information system, that system component must have defined a formal system ad
DM-01-S, section 11.c c. If institutional data are stored on any component of the university information system, that system component must comply with specific manageme
DM-01-S, section 11.d d. System Administrators shall ensure that adequate administrative processes and proper security safeguards are in place and enforced.
DM-01-S, section 14.a a. Data classification information and data handling procedures must be documented and communicated to all relevant audiences including: developer
DM-01-S, section 14.b b. Training to promote understanding and appropriate use of data before access to information is provided is strongly recommended.
  Training may be based on data classification.
  Training may be required based on role responsibilities.
  Training may be required based on the impact of decisions made using the data.
DM-01-S, section 14.c c. Training material should be reviewed and revised as appropriate.
DM-01-S, section 14.d d. Periodic review and renewal of individual training is strongly recommended.