SECURITY ASSESSEMENT & AUTHORIZATION GUIDE

Transcription

1 2017 SECURITY ASSESSEMENT & AUTHORIZATION GUIDE UTC IT0131-G UTC Information Technology Michael Dinkins, CISO 4/28/2017

2 CONTENTS 1. SCOPE PRINCIPLES REVISIONS OBJECTIVE POLICY APPLICABILITY RESPONSIBILITIES IT SECURITY OFFICE

3 1. Scope This Guide applies to all users of and information technology (IT) resources owned, operated, or provided by the University of Tennessee at Chattanooga. Users includes but is not limited to students, faculty, staff, contractors, agents, representatives, and visitors accessing, using, or handling the University s information technology resources. Information transmitted or stored on University IT resources is the property of the University unless it is specifically identified as the property of other parties. 2. Principles This document is a University of Tennessee at Chattanooga-specific Guide based on University policy. Each User of UTC resources is required to be familiar and comply with University policies, and acceptance is assumed if the User accesses, uses, or handles UTC information technology resources. The Associate Vice Chancellor and Chief Information Officer (AVC/CIO) is responsible for information technology and security at the University of Tennessee Chattanooga. The AVC/CIO is the Position of Authority (POA) for Information Technology at UTC. 3. Revisions Date Action Name 4/14/2017 Version 1.0 Michael Dinkins 4. Objective This document provides guidance for developing, maintaining and documenting a Security Assessment & Authorization program for UTC s business-critical information systems. 5. Policy This guide is a supplement to published University of Tennessee Policy IT0131, Security Assessment & Authorization. Click here for more information. This policy requires UTC to develop or adopt and adhere to a formal, documented program that addresses: 2

4 Security Assessment Plan Documentation of System Interconnections Plan of Action & Milestones Continuous Monitoring 6. Applicability A formal Security Assessment & Authorization program must be applied to the following functional systems/subsystem organizations: Banner Banner Banner MISSION-ESSENTIAL SYSTEMS System Subsystem Owner Administrator Contact Enterprise Services (Non-Banner) Banner Services Systems applications Banner Services Systems database Banner Services Systems servers Data Center Banner Systems Support Services Enterprise Applications & Data Center Enterprise Applications & Data Center Enterprise Applications & Data Center Director, Banner Systems Support Services Banner Systems DBA Executive Director, Enterprise Applications & Data Center Deputy CIO Infrastructure Network Infrastructure Deputy CIO Infrastructure Telecomm Infrastructure Deputy CIO Moderate-categorized Departments registered with Office of CIO 7. Responsibilities ROLE RESPONSIBILITY Department Head Department Head Associate Vice- Chancellor & CIO (AV/CIO) As Position of Authority (POA), the AVC/CIO has overall responsibility of the Security Assessment & Authorization program at UTC. The AVC/CIO Technology Advisory Team ensures: 1) The Security Assessment & Authorization program is developed, documented, and disseminated in accordance with University policy. 2) The Program is reviewed and updated annually. 3

5 Chief Information Security Officer 3) Critical business systems and mission-essential functions are identified for inclusion in the Security Assessment & Authorization program. The CISO is responsible for overseeing the implementation of the UTC Security Assessment & Authorization program. The CISO and IT Security Team consults and assists system owners to ensure: Subsystem Owner / Administrator (or assignee) 1) An effective, system-specific Security Assessment & Authorization program is established in applicable organizations. 2) System Interconnections are authorized, documented and an annual review/updates of systems interconnections is performed. 3) A Plan of Action and Milestones is developed and updates maintained, and remedial actions are taken to correct system deficiencies. 4) A program of continuous monitoring of critical systems is implemented that documents: a) Criteria and metrics for monitoring. b) Periodic assessment of monitoring criteria. c) Response to monitoring results, and d) Monitoring and reporting of system status. System Owner or department head of each system/subsystem must develop processes and procedures that ensure: 1) A system-specific Security Assessment plan is developed, documented, and maintained that: a) Describes the scope of assessment; b) Produces a security assessment report and provides the results of the assessment to the Position of Authority. c) Prescribes an annual assessment cycle. 2) An annual review is performed to verify System Interconnections and Interconnection Security Agreements are current, authorized, and documented. A review must include verification/documentation of a process for interconnection change management. 3) A Plan of Action and Milestones is developed, updated, and documented and remedial actions are performed to correct system deficiencies noted during assessments and continuous monitoring activities. 4) A continuous monitoring program is implemented, and includes: a) Criteria and metrics for monitoring; b) Periodic assessment of monitoring criteria; c) Monitoring and reporting of system status; d) Response to monitoring results. 4

6 8. IT Security Office Michael Dinkins, CISSP Chief Information Security Officer (423) Larry Prince IT Security Analyst (423)