果冻传媒麻豆社

果冻传媒麻豆社 - I Banner
A student works at a computer

SlateConnect

U of I's web-based retention and advising tool provides an efficient way to guide and support students on their road to graduation.

Risk & Security Assessment

Overview

This updated standard is to help align existing IT practices around Risk and Security Assessment to the requirements in NIST 800-171 (RA/SA | 3.11.x/3.12.x) as well as industry best practices. This document does not give full coverage of 3.11.x or 3.12.x controls within 171 due to existing limitations and other requirements that are specific to CUI.

What is in this document:

  • Risk assessment requirements
  • Vulnerability scan requirements
  • Remediation requirements

What is NOT in this document:

  • Types of risk assessments that occur
  • Dates of risk assessments
  • Scope of risk assessments

Policy Reference

APM 30.11 University Data Classification and Standards

APM 30.12 Acceptable Use of Technology Resources

APM 30.14 Cyber Incident Reporting and Response

Purpose

This Risk Assessment standard supports APM 30.11 University Data Classification and Standards, and other relevant university policies.

Scope

These Standards are the minimum baseline for all managed and unmanaged systems that access, store or process 果冻传媒麻豆社 data (see APM 30.14 C-6) or using 果冻传媒麻豆社 technology resources (see APM 30.12 C-1) at the Low, Moderate or High risk levels (see APM 30.11) not otherwise covered by an approved system security plan.

Standards

To ensure risk assessments identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity to the university, risk assessments must occur regularly under the direction of OIT Security with all required stakeholders.

  1. Risk assessments are scheduled to occur annually based on calendar year unless otherwise scheduled.
  2. Risks shall be categorized by severity level calculated by impact and likelihood.
  3. Risk assessments shall evaluate the security of university data and systems based on their data classification under APM 30.11, including the adequacy of the existing controls.
  4. Risks must be reported to data owner, CIO and appropriate entities.

  1. OIT security may scan systems using the following methods at any time at the discretion of OIT Security:
    1. Agent-based scanning
    2. Network scanning
    3. Application vulnerability scanning
  2. Systems and applications are scanned weekly, or more frequently.
  3. System and applications scans occur when significant new vulnerabilities are discovered at the discretion of OIT Security.
  4. Any and all systems connected to university-managed networks are subject to unauthenticated network scanning.

To ensure risks and vulnerabilities discovered are resolved:

  1. OIT Security will determine if remediation is required.
  2. Risks that require remediation will be tracked via ticket with system owner.
  3. Risks that require remediation must be resolved within a timeframe defined by OIT Security.
    1. Risks that cannot be resolved within a timeframe defined by OIT Security must have mitigating controls approved by OIT Security until the risk or vulnerability can be resolved.
    2. Standard timeframes, unless otherwise specified by OIT Security, are:
      1. For high-risk issues: 4 hours
      2. For medium-risk issues: 1 business day
      3. For low-risk issues: 10 business days
    3. Risks that cannot be resolved must have mitigating controls approved by OIT Security that are reviewed annually.
    4. Systems with unresolved vulnerabilities or risks may be taken offline at the discretion of the CSIRT.
      1. CSIRT must make a best effort to communicate systems being taken offline to system owner and users.

  1. Penetration tests are scheduled to occur at least annually based on the calendar year unless otherwise scheduled.
  2. Penetration test results must be included in the annual risk assessment.

A vendor security assessment (VSA) must be completed by the OIT Security prior to purchase of resources from, usage of services provided by or sharing of university data with third parties. To complete the assessment:

  1. Vendors must provide a HECVAT completed within the last 12 months upon request.
  2. Vendors must provide a SOC type 2 report and bridge letter.
    1. Vendors determined to be of significant risk, at discretion of OIT Security and/or U of I data steward, may be required to provide updated documentation periodically (no more than annually, except in case of a breach or incident) during the term of contract.
    2. Alternative reports or certification may be accepted or required at the discretion of OIT Security.
  3. Risks identified by the assessment must be addressed through mitigation, resolution or acceptance by the data owner.

Other References

1.  (February 2020)

2.  (September 2020)

3.  (May 2002)

4.  (December 2021)

Definitions

1. Risk

“A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.” (NIST SP 800-171)

2. Vulnerability

“Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.” (CMMC Glossary)

3. Risk Assessment

“The process of identifying risks to organizational operations including mission, functions, image, reputation, organizational assets, individuals, other organizations and the Nation, resulting from the operation of a system.” (NIST SP 800-171)

4. Penetration test

“A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of a system.” (NIST SP 800-53)

Standard Owner

U of I Office of Information Technology (OIT) is responsible for the content and management of these standards.

.

Contact: oit-security@uidaho.edu

Revision History

3/1/2024 — Minor updates

  • Minor formatting/wording/reference changes.

6/23/2023 — Original standard

  • Full re-write to align with NIST 800-171r2

Physical Address:

Teaching Learning Center Room 128

Office Hours:

Monday - Friday
8 a.m. to 5 p.m.

Summer Hours:

Monday - Friday
7:30 a.m. to 4:30p.m.

Phone: 208-885-4357 (HELP)

Email: support@uidaho.edu