SYSTEMS ASSET MANAGEMENT POLICY

Similar documents
existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Using Metrics to Gain Management Support for Cyber Security Initiatives

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

INFORMATION ASSURANCE DIRECTORATE

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events

CONTINUOUS VIGILANCE POLICY

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix

Streamlined FISMA Compliance For Hosted Information Systems

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Four Deadly Traps of Using Frameworks NIST Examples

SAC PA Security Frameworks - FISMA and NIST

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

Continuous Monitoring Strategy & Guide

NIST Special Publication

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

Handbook Webinar

Information Technology Security Plan (ITSP)

Rev.1 Solution Brief

SECURITY PLAN CREATION GUIDE

Tinker & The Primes 2017 Innovating Together

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)

DoD Guidance for Reviewing System Security Plans and the NIST SP Security Requirements Not Yet Implemented This guidance was developed to

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls

NIST SP , Revision 1 CNSS Instruction 1253

The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP states:

INFORMATION ASSURANCE DIRECTORATE

Framework for Improving Critical Infrastructure Cybersecurity

Employee Security Awareness Training Program

ACHIEVING COMPLIANCE WITH NIST SP REV. 4:

MICROSOFT (MS) WINDOWS DEFENDER ANTIVIRUS SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW. Version 1, Release 4 27 APRIL 2018

Framework for Improving Critical Infrastructure Cybersecurity

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

Security Management Models And Practices Feb 5, 2008

The Honest Advantage

INFORMATION ASSURANCE DIRECTORATE

K12 Cybersecurity Roadmap

ROADMAP TO DFARS COMPLIANCE

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

Cybersecurity Risk Management

MINIMUM SECURITY CONTROLS SUMMARY

NIST Special Publication

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

Information Security Policy

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

INFORMATION ASSURANCE DIRECTORATE

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Standard: Risk Assessment Program

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

Compliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations

NW NATURAL CYBER SECURITY 2016.JUNE.16

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Cybersecurity Challenges

TEL2813/IS2621 Security Management

Carbon Black PCI Compliance Mapping Checklist

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

Fiscal Year 2013 Federal Information Security Management Act Report

DATABASE SECURITY REQUIREMENTS GUIDE (SRG) TECHNOLOGY OVERVIEW. Version 2, Release October Developed by DISA for the DoD

Media Protection Program

READ ME for the Agency ATO Review Template

TEL2813/IS2820 Security Management

Building Secure Systems

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

Web Hosting: Mason Home Page Server (Jiju) Service Level Agreement 2012

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

FedRAMP Training - Continuous Monitoring (ConMon) Overview

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

DETAILED POLICY STATEMENT

CloudCheckr NIST Matrix

Outline. Why protect CUI? Current Practices. Information Security Reform. Implementation. Understanding the CUI Program. Impacts to National Security

Cyber Security Standards Developments

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

01.0 Policy Responsibilities and Oversight

Red Flags/Identity Theft Prevention Policy: Purpose

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Integrating Information Security Protections In Supplier Agreements: Guidance for Business and Technology Counsel

Ensuring System Protection throughout the Operational Lifecycle

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

DFARS Cyber Rule Considerations For Contractors In 2018

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Cybersecurity & Privacy Enhancements

Special Publication

Cyber Security Program

Updates to the NIST Cybersecurity Framework

MIS Week 9 Host Hardening

New Guidance on Privacy Controls for the Federal Government

ISACA Arizona May 2016 Chapter Meeting

Executive Order 13556

Designing and Building a Cybersecurity Program

Transcription:

SYSTEMS ASSET MANAGEMENT POLICY Policy: Asset Management Policy Owner: CIO Change Management Original Implementation Date: 7/1/2017 Effective Date: 7/1/2017 Revision Date: Approved By: NIST Cyber Security Framework (CSF) NIST SP 800-53 Security Controls NIST SP 800-171 Protecting Controlled Unclassified Information Center for Internet Security Critical Security Control Payment Card Industry Data Security Standard (PCI DSS) v3.2 Executive Staff Crosswalk ID.AM AC-4, AC-20, CM-8, CP-2, PS-7, PL-8, PM-11, RA-2, CA-3, CA-9, SA-9, SA-14 3.4.1, 3.4.2 CSC 1, CSC 2 Procedure Mapping PURPOSE To provide Pomona College with guidance in identifying and gaining an understanding of the components of the institution that make up its information security system and thereby enable Pomona College to manage cybersecurity risk to systems, assets, data, and capabilities. POLICY In order for Pomona College leadership to make informed, business-driven decisions regarding computing assets, they must first know what assets exist, and the status of those assets. This information provides Pomona College visibility into license utilization, software support costs, unauthorized devices, vulnerabilities, threats, and compliance posture. IT assets include items such as servers, desktops, laptops, and network devices, as well as software, applications, programs and logical processes. Pomona College data, students, faculty, staff, devices, systems, and facilities that enable the organization to achieve educational, business, and operational purposes are identified and managed. The management of these assets is consistent with their relative importance to Pomona College educational, business, and operational objectives as well as Pomona College s overall risk strategy.

PHYSICAL ASSET INVENTORY Pomona College maintains an inventory of physical system components that: Accurately reflect the Pomona College system Includes all physical components within the authorization boundary of the Pomona College system Is at a level of detail necessary for appropriate tracking and status reporting of assets Includes hardware inventory specifications (e.g. manufacturer, device type, model, serial number, physical location), component owners, machine names, and network addresses The inventory of physical devices is updated whenever: Physical system components are installed Physical system components are removed The system is updated Pomona College employs automated mechanisms to detect the presence of unauthorized hardware within its system. Whenever unauthorized hardware is detected, network access is disabled and Pomona College Information Technology Services (ITS) is notified. Pomona College verifies that all components within the authorization boundary of the Pomona College system are not duplicated in other system component inventories. Pomona College periodically reviews and updates the Physical Asset Inventory. SOFTWARE ASSET INVENTORY Pomona College maintains an inventory of logical system components that: Accurately reflect the Pomona College system Includes all software components within the authorization boundary of the Pomona College system Is at a level of detail necessary for appropriate tracking and status reporting of assets Includes items such as software license number and component owners The inventory of software is updated whenever: Logical system components are installed Logical system components are removed The system is updated Pomona College employs automated mechanisms to detect the presence of unauthorized software and firmware within its system: Whenever unauthorized logical components are detected the component is isolated and Pomona College Information Technology Services (ITS) is notified Pomona College verifies that all components within the authorization boundary of the Pomona College system are not duplicated in other system component inventories. Pomona College periodically reviews and updates the Software Asset Inventory.

ORGANIZATIONAL DATAFLOW MAPPING Pomona College maintains and authorizes internal connections of components to the system. Pomona College documents the internal connection characteristics, security requirements, and nature of the information communicated. INFORMATION SECURITY ARCHITECTURE Pomona College: Maintains an information security architecture for the Pomona College system that: Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of Pomona College information Describes how the information security architecture is integrated into and supports the enterprise architecture Describes any information security assumptions about, and dependencies on, external services Reviews and updates the information security architecture annually to reflect updates in the enterprise architecture Ensures that planned information security architecture changes are reflected in the security plan and Pomona College procurements and acquisitions Pomona College s security architecture uses a defense-in-depth approach that: Allocates appropriate security safeguards to Pomona College assets; and Ensures that allocated security safeguards operate in a coordinated and mutually reinforcing manner EXTERNAL SYSTEMS External systems utilized by Pomona College are identified and catalogued. Pomona College authorizes connections from its system to other systems through the use of Interconnection Security Agreements The documentation for each interconnection includes: Interface characteristics Security requirements The nature of the information communicated Pomona College reviews and updates its Interconnection Security Agreements annually, or upon a significant change to the Pomona College system or to the external systems. Pomona College requires that providers of external system services comply with its information security requirements, and employ the necessary controls to comply with applicable state and federal law. Pomona College monitors external system service providers security control compliance on an ongoing basis. Pomona College requires external system services to identify the functions, ports, protocols, and other services required for the use of such services. Pomona College establishes terms and conditions with approved external systems allowing authorized faculty, staff, or students to access these external systems, and to process, store or transmit Pomona College-controlled information using approved external systems.

Pomona College employs a permit-by-exception policy for allowing Pomona College system components to connect to external systems. Pomona College permits authorized individuals to use external systems to access the Pomona College system or to process, store, or transmit Pomona College information only when: Pomona College verifies the implementation of required security controls on the external system as specified by Pomona College policy; or Pomona College retains approved system connections or processing agreements with the thirdparty hosting the external system. Pomona College restricts the use of Pomona College-controlled portable devices by authorized individuals on external systems. SECURITY CATEGORIZATION Pomona College: Categorizes information, the system, and its components in accordance with applicable laws, regulations, policies, and guidance Documents the security categorization results, and their supporting rationale, in the Pomona College information security plan Ensures that the Security Official reviews and approves of security categorization decisions. Pomona College s security categorization schema follows a three-tier methodology: Public Unauthorized use, disclosure, alteration, or destruction of Public information will result in little or no risk to Pomona College. Proprietary Unauthorized use, disclosure, alteration, or destruction of Proprietary information could result in moderate risk to Pomona College. By default, all institutional data that is not explicitly categorized as Confidential or Public is treated as Proprietary. Confidential - Unauthorized use, disclosure, alteration, or destruction of Confidential information could result in significant risk to Pomona College. Examples of Confidential information include but are not limited to Controlled Unclassified Information (CUI) 1. RESOURCE PRIORITIZATION Pomona College assets and resources, including but not limited to hardware, devices, data, and software, are prioritized based on their categorization, criticality, and business value. Critical assets are identified by Pomona College so that additional safeguards and countermeasures are employed to help ensure that Pomona College mission functions can continue during contingency operations. A criticality analysis is a key tenant of risk management and informs the prioritization of protection activities for Pomona College. ASSET ROLES AND RESPONSIBILITIES 1 Controlled Unclassified Information - https://www.archives.gov/cui/registry/category-list

Pomona College establishes asset management roles and responsibilities for faculty, staff, and thirdparty stakeholders, including (but not limited to) vendors, suppliers, customers, and partners.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback