Applications/Data To Include in Survey (include applications that meet one or more of the following criteria)

Transcription

1 Objective of Survey The purpose of this survey is to identify and understand 1) the nature of critical and sensitive campus-wide applications and/or data, 2) where the data is located, 3) how the data is protected, and 4) how the data is transferred between systems. Applications or data that serve others outside your own department are considered campus-wide applications. Criteria for criticality and sensitivity are explained below. Data gathering will be conducted in phases. For this first phase, the survey does not apply to: Research data Instructional data (web sites, course management systems, etc.) Infrastructure services such as DHCP servers, network switches, etc. Software deployment and security applications such as SMS, patch management, etc. Applications/Data To Include in Survey (include applications that meet one or more of the following criteria) Criticality Application whose failure to function correctly and on schedule could result in a business failure by UCLA and/or unit to perform mission-critical functions; a significant loss of funds to UCLA and/or unit; or significant liability or other legal exposure to UCLA and/or unit. Application performs an important function but UCLA and/or unit could continue operations for some designated (but not extended) period of time without the function and there is time for recovery should the function not perform correctly on schedule. Sensitivity Application contains personal data - information that identifies or describes an individual, including but not limited to, his or her name, social security number, driver s license number or California ID Card number, health information, and financial matters such as bank account number or credit or debit card account number. Application contains limited-access data data whose unauthorized access, modification or loss could seriously or adversely affect the University s reputation, operations, and assets; adversely affect a partner (e.g. a business or agency working with the University); or adversely affect the public. Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 1 of 10

2 Cross-system Dependencies Application feeds data to campus wide systems. Application stores (locally) data drawn from campus wide systems. Contact If you have questions on whether or not this survey applies to your application, please call or write to us: Esther Woo-Benjamin (project coordinator) Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 2 of 10

3 Questions about person responding to survey A. Name of Respondent: B. School/Department: C. address: D. Date: Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 3 of 10

4 Questions about applications or data Please complete a separate survey form for each distinct application and/or data. If the answers to the Example section in the Preventive Measures and Controls category (see page 4) are exactly the same for multiple applications, then fill out just one questionnaire. For questions E through K, list the applications, referencing each with numbers (1, 2, 3, etc.). You may want to read through the entire survey before attempting to answer all of the questions to determine if you ll need to fill out just one or multiple questionnaires. E. Name of application or data: F. Functional description of application or data: G. Major users of application or data: H. Other applications that depend on this application or data: I. This application feeds data to what campus wide systems? J. This application draws data from what campus wide systems? K. Location of equipment that houses the application or data: Building: Room No. Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 4 of 10

5 L. How is data protected? On the following pages, in the Y/N column, answer Y (Yes) or N (No) to the corresponding Example statement. Provide additional details in the Comments/Details column where appropriate. Do not answer questions in the Preventive Measures and Controls column. Physical Security (BFB IS-3 1 Section VII) security measures for controlling access to electronic information resources through physical means, including disaster controls, physical access controls, and procedural controls over financial instruments (e.g. check stock). Preventive Measures and Controls Example Y/N Comments/Details Disaster Controls 1. Do you have appropriate measures for the prevention, detection, early warning of, and/or recovery from emergency situations such as, earthquake, fire, water leakage or flooding, disruption or disturbance of power, air conditioning failure, and/or other environmental conditions exceeding equipment limitations? 2. Are there disaster recovery and emergency procedures implemented that address a disaster or any other interruption that render normal processing unavailable for an unacceptable period of time? a. There is a fire suppression system. b. There is a UPS. If yes, how long can power be maintained? c. There are redundant network connections. d. There is adequate HVAC. e. There are single points of failure. If yes, please describe. There are automated systems for monitoring applications to be sure they are available. f. There is a power backup generator. g. Other Please describe. a. There is a Disaster Recovery Plan. b. Plan is included in the campus Disaster Recovery Plan. c. Plan is tested on a regular basis. How often? d. Specific personnel are assigned responsibility for responding in emergency situations. e. Procedures are in place to enable team members to communicate with each other and with management during an emergency. f. There is systems documentation for performing recovery. g. There are provisions for running applications at an alternate ( hot ) site. h. There are provisions for equivalent alternate processing (e.g. manual). What is the unacceptable outage time/functionality that would constitute an emergency? Please describe. Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 5 of 10

6 Preventive Measures and Controls Example Y/N Comments/Details Physical Access Controls 3. Do you have controls for limiting physical access to the facility that house the application(s)? a. There are combination/key locks. b. There are badge/biometric readers. c. There are sign in/out logs. d. There are dedicated on-site If yes, what hours? (e.g. 24 x 7 x 365) personnel. e. There are non-breakable windows. Indicate if no windows. f. Room is not accessible from outside Tiles are locked or not able to be opened. via ceiling tiles. g. Room is not accessible from outside via raised floor. h. Other Please describe. Procedural Controls 4. Do you have controls over sensitive documents, or any other financial instruments? a. There are controls over sensitive documents. b. Physical inventories of equipment are maintained in accordance with BFB Bus-29 2, Management and Control of University Equipment. c. There are controls preventing restricted data from being transferred and stored on separate portable equipment such as laptops. d. There are maintenance records documenting repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks. Please describe. Please describe. Please describe. Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 6 of 10

7 Logical Security (BFB IS-3 Section VI) security measures for controlling access to electronic information resources through logical means (e.g. via software or network controls), procedural controls related to software development and change control, security of data, communications security, and reduction of risk from intrusive computer software. Preventive Measures and Controls Example Y/N Comments/Details Access Controls 5. Is application access controlled with proper authentication and authorization security? 6. Are the number of system administrator userids on shared servers kept to a minimum and only provided to those personnel requiring system administration capabilities in order to perform their job duties? a. Access is controlled with authentication. b. Access is controlled through authorization procedures. c. There are mechanisms that detect, record, and generate alerts about repeated failed attempts at access. d. There are system logs to assist in monitoring access. e. There is a formal process in place for providing access. f. Owner of application/data provides approval of access. a. Privileged or superuser access is kept to a minimum. b. Superuser access is limited to UCLA personnel (i.e. NOT contractors) c. Superuser accounts are monitored to ensure they are being used for designated purposes. If yes, what technology? If yes, do procedures include review & approval mechanisms? Please describe. Can suspicious patterns of activity be identified through these logs? If yes, is this a manual or automatic process? How often do you review these logs? If yes, how often? Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 7 of 10

8 Preventive Measures and Controls Example Y/N Comments/Details Change Control 7. Do software changes conform to change management procedures established by the campus (BFB IS-10 3, Systems Development Standards)? 8. Do you provide a separate development environment and testing environment a. Only authorized personnel may implement changes to software. b. There are change management procedures. c. There are audit logs for transactions. d. Internal Audit or the Campus Controller is involved in development or implementation of this application. e. Programmers are not allowed to make application changes AND promote changes into production. f. Application/data owner must sign off on change before it is promoted to production. a. There is a separate development environment. different from the production environment? b. There is a separate testing environment. If yes, are these manual or automated procedures? Data Security 9. Are backup copies of critical data taken? a. Backups are taken. How often? b. Backups are stored at a secure, commercial off-campus site. c. Backups are stored at a secure, noncommercial off-campus site. d. Back up services for data complies with UC policies regarding data retention (BFB RMP-2 4 ; BFB RMP- 4 5 ; BFB IS-10). Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 8 of 10

9 Preventive Measures and Controls Example Y/N Comments/Details 10. Does data conform to University policies and regulations related to privacy of data or information records associated with them? a. Data complies with Legal Requirements on Privacy of and Access to Information (BFB RMP- 8) 6. b. Data complies with Systems Development Standards (BFB IS- 10). 11. When transferring data, are access controls on the destination system commensurate with access controls on the originating system? c. Data complies with UC Electronic Communications Policy 7. a. There are procedures to ensure users are apprised of this constraint when access is originally granted. b. The user s signature is required to acknowledge this notification. c. The data is encrypted before transfer to/from destination and originating sites. d. Logon/password protocol is used at originating and destination sites. Communications Security 12. Are communications access controls present to limit unauthorized access to restricted data and applications across campus communication networks? Other 13. Is this application subject to regular UCOP or UCLA audits? a. There are firewalls. b. There is intrusion detection. c. Service & ports are locked down. d. Scans are done for security holes. e. There is patch management. f. Encryption is used. g. Virus Scans are done. What product/s? h. Other Please describe. a. This application is audited. If yes, how often and by whom? Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 9 of 10

10 M. Does application or data contain personal information? In the Y/N column, answer Y (Yes) or N (No) to the corresponding Example statement. Provide additional details in the Comments/Details column where appropriate. 14. What type(s) of personal information is contained in the data/applications? 15. What people/number of people have access to this personal information? 16. What privacy statement, if any, has been written for the data/application? Example Y/N Comments/Details a. Name, address, phone Please describe. b. Date of birth c. Social Security number d. Driver s license # or CA ID card # e. Payroll salary, title Please describe. f. Bank acct. no. or debit card acct. no. Please describe. g. Credit card acct. no. h. Other Please describe. a. Department HR manager How many? b. Department HR analyst How many? c. Department LAN administrators How many? d. Other (within department) Who? How many? e. Other (outside department) Who? How many? 1 Electronic Information Security BFB IS-3: 2 Management and Control of University Equipment - BFB Bus-29: 3 Systems Development Standards - BFB IS-10: 4 UC Records Disposition Program & Procedures - BFB RMP-2: 5 Vital Records Protection BFB RMP-4: 6 Legal Requirements on Privacy of and Access to Information - BFB RMP-8: 7 UC Electronic Communications Policy: Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 10 of 10