Applications/Data To Include in Survey (include applications that meet one or more of the following criteria)


Objective of Survey

The purpose of this survey is to identify and understand 1) the nature of critical and sensitive campus-wide applications and/or data, 2) where the data is located, 3) how the data is protected, and 4) how the data is transferred between systems. Applications or data that serve others outside your own department are considered campus-wide applications. Criteria for criticality and sensitivity are explained below.

Data gathering will be conducted in phases. For this first phase, the survey does not apply to:
- Research data
- Instructional data (web sites, course management systems, etc.)
- Infrastructure services such as DHCP servers, network switches, etc.
- Software deployment and security applications such as SMS, patch management, etc.

Applications/Data To Include in Survey (include applications that meet one or more of the following criteria)

Criticality
- Application whose failure to function correctly and on schedule could result in a business failure by UCLA and/or unit to perform mission-critical functions; a significant loss of funds to UCLA and/or unit; or significant liability or other legal exposure to UCLA and/or unit.
- Application performs an important function, but UCLA and/or unit could continue operations for some designated (but not extended) period of time without the function, and there is time for recovery should the function not perform correctly on schedule.

Sensitivity
- Application contains personal data: information that identifies or describes an individual, including but not limited to his or her name, social security number, driver's license number or California ID Card number, health information, and financial matters such as bank account number or credit or debit card account number.
- Application contains limited-access data: data whose unauthorized access, modification or loss could seriously or adversely affect the University's reputation, operations, and assets; adversely affect a partner (e.g. a business or agency working with the University); or adversely affect the public.

Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P1123 12/15/04 - Page 1 of 10

Cross-system Dependencies
- Application feeds data to campus-wide systems.
- Application stores (locally) data drawn from campus-wide systems.

Contact
If you have questions on whether or not this survey applies to your application, please call or write to us: Esther Woo-Benjamin (project coordinator), 6-6522, ewoo@ucla.edu

Questions about person responding to survey
A. Name of Respondent:
B. School/Department:
C. Email address:
D. Date:

Questions about applications or data

Please complete a separate survey form for each distinct application and/or data. If the answers to the Example section in the Preventive Measures and Controls category (see page 4) are exactly the same for multiple applications, then fill out just one questionnaire. For questions E through K, list the applications, referencing each with numbers (1, 2, 3, etc.). You may want to read through the entire survey before attempting to answer all of the questions, to determine whether you'll need to fill out just one or multiple questionnaires.

E. Name of application or data:
F. Functional description of application or data:
G. Major users of application or data:
H. Other applications that depend on this application or data:
I. This application feeds data to what campus-wide systems?
J. This application draws data from what campus-wide systems?
K. Location of equipment that houses the application or data: Building: / Room No.:

L. How is data protected?

On the following pages, in the Y/N column, answer Y (Yes) or N (No) to the corresponding Example statement. Provide additional details in the Comments/Details column where appropriate. Do not answer the questions in the Preventive Measures and Controls column.

The table has four columns: Preventive Measures and Controls | Example | Y/N | Comments/Details. Below, each numbered question is a Preventive Measures and Controls entry, each lettered line is an Example statement to answer Y/N, and the prompt in parentheses is the Comments/Details request that accompanies it.

Physical Security (BFB IS-3 [1], Section VII): security measures for controlling access to electronic information resources through physical means, including disaster controls, physical access controls, and procedural controls over financial instruments (e.g. check stock).

Disaster Controls

1. Do you have appropriate measures for the prevention, detection, early warning of, and/or recovery from emergency situations such as earthquake, fire, water leakage or flooding, disruption or disturbance of power, air conditioning failure, and/or other environmental conditions exceeding equipment limitations?
   a. There is a fire suppression system.
   b. There is a UPS. (Comments/Details: If yes, how long can power be maintained?)
   c. There are redundant network connections.
   d. There is adequate HVAC.
   e. There are single points of failure. (Comments/Details: If yes, please describe.)
      There are automated systems for monitoring applications to be sure they are available.
   f. There is a power backup generator.
   g. Other. (Comments/Details: Please describe.)

2. Are there disaster recovery and emergency procedures implemented that address a disaster or any other interruption that renders normal processing unavailable for an unacceptable period of time?
   a. There is a Disaster Recovery Plan.
   b. Plan is included in the campus Disaster Recovery Plan.
   c. Plan is tested on a regular basis. (Comments/Details: How often?)
   d. Specific personnel are assigned responsibility for responding in emergency situations.
   e. Procedures are in place to enable team members to communicate with each other and with management during an emergency.
   f. There is systems documentation for performing recovery.
   g. There are provisions for running applications at an alternate ("hot") site.
   h. There are provisions for equivalent alternate processing (e.g. manual).
   (Comments/Details: What is the unacceptable outage time/functionality that would constitute an emergency? Please describe.)

Physical Access Controls

3. Do you have controls for limiting physical access to the facility that houses the application(s)?
   a. There are combination/key locks.
   b. There are badge/biometric readers.
   c. There are sign in/out logs.
   d. There are dedicated on-site personnel. (Comments/Details: If yes, what hours? e.g. 24 x 7 x 365)
   e. There are non-breakable windows. (Comments/Details: Indicate if no windows.)
   f. Room is not accessible from outside via ceiling tiles. (Comments/Details: Tiles are locked or not able to be opened.)
   g. Room is not accessible from outside via raised floor.
   h. Other. (Comments/Details: Please describe.)

Procedural Controls

4. Do you have controls over sensitive documents, or any other financial instruments?
   a. There are controls over sensitive documents. (Comments/Details: Please describe.)
   b. Physical inventories of equipment are maintained in accordance with BFB Bus-29 [2], Management and Control of University Equipment.
   c. There are controls preventing restricted data from being transferred and stored on separate portable equipment such as laptops. (Comments/Details: Please describe.)
   d. There are maintenance records documenting repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks. (Comments/Details: Please describe.)

Logical Security (BFB IS-3, Section VI): security measures for controlling access to electronic information resources through logical means (e.g. via software or network controls), procedural controls related to software development and change control, security of data, communications security, and reduction of risk from intrusive computer software.

Access Controls

5. Is application access controlled with proper authentication and authorization security?
   a. Access is controlled with authentication. (Comments/Details: If yes, what technology?)
   b. Access is controlled through authorization procedures. (Comments/Details: If yes, do procedures include review & approval mechanisms? Please describe.)
   c. There are mechanisms that detect, record, and generate alerts about repeated failed attempts at access.
   d. There are system logs to assist in monitoring access. (Comments/Details: Can suspicious patterns of activity be identified through these logs? If yes, is this a manual or automatic process? How often do you review these logs?)
   e. There is a formal process in place for providing access.
   f. Owner of application/data provides approval of access.

6. Is the number of system administrator userids on shared servers kept to a minimum and only provided to those personnel requiring system administration capabilities in order to perform their job duties?
   a. Privileged or superuser access is kept to a minimum.
   b. Superuser access is limited to UCLA personnel (i.e. NOT contractors).
   c. Superuser accounts are monitored to ensure they are being used for designated purposes. (Comments/Details: If yes, how often?)

Change Control

7. Do software changes conform to change management procedures established by the campus (BFB IS-10 [3], Systems Development Standards)?
   a. Only authorized personnel may implement changes to software.
   b. There are change management procedures. (Comments/Details: If yes, are these manual or automated procedures?)
   c. There are audit logs for transactions.
   d. Internal Audit or the Campus Controller is involved in development or implementation of this application.
   e. Programmers are not allowed to make application changes AND promote changes into production.
   f. Application/data owner must sign off on a change before it is promoted to production.

8. Do you provide a separate development environment and testing environment, different from the production environment?
   a. There is a separate development environment.
   b. There is a separate testing environment.

Data Security

9. Are backup copies of critical data taken?
   a. Backups are taken. (Comments/Details: How often?)
   b. Backups are stored at a secure, commercial off-campus site.
   c. Backups are stored at a secure, noncommercial off-campus site.
   d. Backup services for data comply with UC policies regarding data retention (BFB RMP-2 [4]; BFB RMP-4 [5]; BFB IS-10).

10. Does data conform to University policies and regulations related to privacy of data or information records associated with them?
   a. Data complies with Legal Requirements on Privacy of and Access to Information (BFB RMP-8) [6].
   b. Data complies with Systems Development Standards (BFB IS-10).
   c. Data complies with UC Electronic Communications Policy [7].

11. When transferring data, are access controls on the destination system commensurate with access controls on the originating system?
   a. There are procedures to ensure users are apprised of this constraint when access is originally granted.
   b. The user's signature is required to acknowledge this notification.
   c. The data is encrypted before transfer to/from destination and originating sites.
   d. Logon/password protocol is used at originating and destination sites.

Communications Security

12. Are communications access controls present to limit unauthorized access to restricted data and applications across campus communication networks?
   a. There are firewalls.
   b. There is intrusion detection.
   c. Services & ports are locked down.
   d. Scans are done for security holes.
   e. There is patch management.
   f. Encryption is used.
   g. Virus scans are done. (Comments/Details: What product/s?)
   h. Other. (Comments/Details: Please describe.)

Other

13. Is this application subject to regular UCOP or UCLA audits?
   a. This application is audited. (Comments/Details: If yes, how often and by whom?)

M. Does application or data contain personal information?

In the Y/N column, answer Y (Yes) or N (No) to the corresponding Example statement. Provide additional details in the Comments/Details column where appropriate.

14. What type(s) of personal information is contained in the data/applications?
   a. Name, address, phone. (Comments/Details: Please describe.)
   b. Date of birth.
   c. Social Security number.
   d. Driver's license # or CA ID card #.
   e. Payroll salary, title. (Comments/Details: Please describe.)
   f. Bank acct. no. or debit card acct. no. (Comments/Details: Please describe.)
   g. Credit card acct. no.
   h. Other. (Comments/Details: Please describe.)

15. What people/number of people have access to this personal information?
   a. Department HR manager. (Comments/Details: How many?)
   b. Department HR analyst. (Comments/Details: How many?)
   c. Department LAN administrators. (Comments/Details: How many?)
   d. Other (within department). (Comments/Details: Who? How many?)
   e. Other (outside department). (Comments/Details: Who? How many?)

16. What privacy statement, if any, has been written for the data/application?

Footnotes
[1] Electronic Information Security - BFB IS-3: http://www.ucop.edu/ucophome/policies/bfb/bfbis.html
[2] Management and Control of University Equipment - BFB Bus-29: http://www.ucop.edu/ucophome/policies/bfb/bus29.html
[3] Systems Development Standards - BFB IS-10: http://www.ucop.edu/ucophome/policies/bfb/is10.pdf
[4] UC Records Disposition Program & Procedures - BFB RMP-2: http://www.ucop.edu/ucophome/policies/bfb/rmp2.pdf
[5] Vital Records Protection - BFB RMP-4: http://www.ucop.edu/ucophome/policies/bfb/rmp4.html
[6] Legal Requirements on Privacy of and Access to Information - BFB RMP-8: http://www.ucop.edu/ucophome/policies/bfb/rmp8a.html
[7] UC Electronic Communications Policy: http://www.ucop.edu/ucophome/policies/ec/