Implementing a System-Wide Risk Mitigation Policy (288219183)

8/20/2019 Implementing a System-Wide Risk Mitigation Policy (288219183)

http://slidepdf.com/reader/full/implementing-a-system-wide-risk-mitigation-policy-288219183 1/94

Policy IT-28 Planne

Name of Unit Enter the name of your school or department

Unit Head Enter the full name of the Dean, Director, or top executive

Type of Unit Academic

Submitted by Typically, the highest ranking IT professional will submit

Secondary contact ptional, but should be someone well!informed about IT!"#

Date of Submission

Are you a Group-leel IT Serice proider!Defned as providing any IT services to more than 1 unit, including academic units, administrative unit

If proidin" IT Serices to more t#an one unit$ please list all units for %#ic

Are any of your unit&s IT serices proided ' mana"ed by a Group-leel IT P

If yes$ %#at proider!

Please note that fnal submission o this documentation should include all

IT Planner, version 1.9.24.13

I yes, please ans!er the ollo!ing !or"sheets only or services that are managed in your una plan or the services they provide.

cer for your department

, and research centers

IT support is proided

roider!

IT services supported within the unit.

it. #e sure to veriy that your $roup%level IT Provider su&mits

* Please only include servers, devices that behave like a serve

To re&uest a scan of static I' addresses in your building(s), click here

Hard%are Type Host Name Primary (unction*

Environmental $can of IT Assets%, or devices that store any data that you suspect may be protected b

Secondary (unction Description

Indiiduals %' Priile"ed

Access

privacy laws or policies

*peratin" System *t#er IP Addresses

Serice

+riticality

Primary IP

Address

P#ysical ,ocation irtuali.ed

*t#er /ey +#aracteristics or

+omments

Data 0ncrypted at

These Columns Not e!uired or IT"#$ Co

Does t#e Serer Site#ind a Hard%are

(ire%all!

Do Antiirus Scans

Ta3e Place!

pliance. ecommended or %epartmental Trackin& o IT"'# Controls

Patc# 4ana"ement Procedures Serer Has UPS

Is Serer ac3ed Up! ac3up 4et#od'(re5uency

*6site ac3up ,ocation

*6site ac3up ,o"ical

Security +ontrols

*6site ac3up P#ysical

Security +ontrols

ac3up Testin" (re5uence

and 4et#od

*nsite ac3up ,ocation

*nsite ac3up ,o"ical

Security

*nline ac3up P#ysical

Security

*nsite ac3up Testin"

(re5uency and 4et#od

(re5uency ofac3up'1estoration ,o"s

1eie%ed

Is t#e serer bein" scanned

by a ulnerability scanner!

Is %eb application bein"

scanned by a %eb scanner!

Item No) ' Type ' Host

*2 3"2 3

**2 3*"2 3

""2 3"+2 3

/2 3#2 3

-#2 3-02 3

/02 3#12 3

02 30-2 3

*112 3

*1*2 3

*1"2 3

*1+2 3

*1-2 3*1.2 3

*1/2 3

*1#2 3

*102 3

**12 3

***2 3

**"2 3

**+2 3

**-2 3

**.2 3

**/2 3

**#2 3

**02 3

*"12 3

I you insert more ro!s, &e sure to copy ormatti

Data Analysis

7#at is t#e #i"#est classication ofdata stored on t#is item!4lick for more info

g and ormulas

7#ic# of t#e follo%in" best describes t#e#i"#est classication of data stored on t#isitem!4lick for more info

*2 3 !

"2 3 !

+2 3 !

-2 3 !

.2 3 !

/2 3 !

#2 3 !02 3 !

*12 3 !

**2 3 !

*"2 3 !

*+2 3 !

*2 3 !

*-2 3 !

*.2 3 !

*/2 3 !

*#2 3 !

*02 3 !

"12 3 !

"*2 3 !

""2 3 !

"+2 3 !

"2 3 !

"-2 3 !

".2 3 !

"/2 3 !

"#2 3 !

"02 3 !

+12 3 !

+*2 3 !

+"2 3 !

++2 3 !

+2 3 !

+-2 3 !

+.2 3 !

5ased on the 6actor Analysis of information 7isk (6AI7) model

Data+lassication

+/2 3 !

+#2 3 !

+02 3 !

12 3 !

*2 3 !

"2 3 !

+2 3 !2 3 !

-2 3 !

.2 3 !

/2 3 !

#2 3 !

02 3 !

-12 3 !

-*2 3 !

-"2 3 !

-+2 3 !

-2 3 !--2 3 !

-.2 3 !

-/2 3 !

-#2 3 !

-02 3 !

.12 3 !

.*2 3 !

."2 3 !

.+2 3 !

.2 3 !

.-2 3 !

..2 3 !

./2 3 !

.#2 3 !

.02 3 !

/12 3 !

/*2 3 !

/"2 3 !

/+2 3 !

/2 3 !

/-2 3 !/.2 3 !

//2 3 !

/#2 3 !

/02 3 !

#12 3 !

#*2 3 !

#"2 3 !

#+2 3 !

#2 3 !

#-2 3 !

#.2 3 !

#/2 3 !

##2 3 !

#02 3 !

012 3 !0*2 3 !

0"2 3 !

0+2 3 !

02 3 !

0-2 3 !

0.2 3 !

0/2 3 !

0#2 3 !

002 3 !

*112 3 !

*1*2 3 !*1"2 3 !

*1+2 3 !

*12 3 !

*1-2 3 !

*1.2 3 !

*1/2 3 !

*1#2 3 !

*102 3 !

**12 3 !

***2 3 !

**"2 3 !

**+2 3 !

**2 3 !

**-2 3 !

**.2 3 !

**/2 3 !

**#2 3 !

**02 3 !

*"12 3 !

I you insert more ro!s, &e sure to copy ormatting and ormulas

and 8I$T #11!+1

1is3 Assessment

ary threat for this service

(ull Description (feel free to use as a 4omment 9eld)T#reat 0ent(re5uency 9T0(:

(re5uency and +apacity

Describe rationalfor t#is ratin"

T#reat+apacity9T+ap:

Describe rational for t#isratin"

+ontrols 1is3 Assess

+ompensatin"+ontrol

Stren"t# 9+S: Describe controls 9clic3 to s ulnerability9uln:

,oss 0ent(re5uency9,0(:

4a"nitudeSeere <;=$===$=== --

:igh ;*,111,111 ;0,000,000

$igni9cant ;*11,111 ;000,000

<oderate ;*1,111 ;00,000

=ow ;*,111 ;0,000

>ery =ow ;1 ;000

Probable ,oss4a"nitude 9Seetable at ri"#t:

*2 3"2 3

**2 3*"2 3

""2 3"+2 3

ulnerability9uln:

,oss 0ent(re5uency 9,0(:

/2 3#2 3

-#2 3-02 3

/02 3#12 3

02 30-2 3

*112 3

*1*2 3

*1"2 3

*1+2 3

*1-2 3*1.2 3

*1/2 3

*1#2 3

*102 3

**12 3

***2 3

**"2 3

**+2 3

**-2 3

**.2 3

**/2 3

**#2 3

**02 3

*"12 3

I you insert more ro!s, &e sure to copy ormatting and ormulas

Transition 'lanning

Are you plannin" to moe t#isserice to a UITS Serice as partof your IT-28 plan!

If No$ please proide briefe>planation

7#ere do you plan to moe 9or#ae already moed: t#is item!

If Group-,eel proider$please identify %#ic# "roup

0stimated4oe Date

1esource

4o!locationIntelligent Infrastructure

?ebserve

4ollaborative $torage

7esearch $torage

7esearch 4omputing

Database Admin $ervices

$ystem Admin $ervices

Enterprise 'rint $ervicesEnterprise $44<

@roup!=evel $olution

Denition

$hare'oint, 5ox

8ot yet available8ot yet available

Any IT service that is provided to multiple units by a single IT group

'hysically re!locate servers to racks in the data center:osted server >< service (II and II!5asic)

4onsolidated :osting Environment (<icrosoft platform ! II$, 28et, 4oldfusion)

4entral web platform (=A<')

4ascase $erver solution for 4<$

76$, $DA

5ig 7ed II, uarry, <ason, 7esearch Database 4omplex, B$EDE

4omprehensive, virtualiCed hosting solutions

Denition of Terms

Hard%are Types Denition

$erver Any computer device, physical or virtu

Desktoplaptop

8etwork :? =ist only network hardware that stores

'rinter <ulti!function printercopier that, beca4amera

(unctions Denition

6ile $haring The computing device is con9gured to

'rint $haring The computing device is con9gured to

?eb $erver The computing device is serving :T<=

?eb 4ontent <gmt The computing device runs software d

Email $erver The computing device receives, stores,

Database $erver The computing device runs server!side

'atch>irus <gmt The computing device is used to distri

4ustom App (Describe) Any custom!built applications that coll>ended App (Describe) Any vended applications that collect p

Test or Dev $erver 8on!production server used for testing

Types of Data

$tudent grades

:7 records

4redit card numbers

Electronic protected health information

6inancial data

Donor info

6ederal grantcontract data

1is3 Analysis

4a"nitudeSeere <;=$===$===

:igh ;*,111,111

$igni9cant ;*11,111

<oderate ;*1,111

=ow ;*,111

Any computing device, physical or virt

T#reat 0ent (re5uency?(ow oten does the threat)knock at your door)

ery Hi"# 9H:3 G *11 timesyr

Hi"# 9H:3 5etween *1 and *11 timesyr

4oderate 94:3 5etween * and * timesyr

,o% 9,:3 5etween 2* and * timesyr

ery ,o% 9,:3 H2* times per year (less than once in *1 years)

>ery =ow ;1

1esource Denition

4o!location

Intelligent Infrastructure

4:E?ebserve

4ollaborative $torage $hare'oint, 5ox

7esearch $torage

7esearch 4omputing

Database Admin $ervices

$ystem Admin $ervices

Enterprise 'rint $ervices 8ot yet available

Enterprise $44< 8ot yet available

@roup!=evel $olution Any IT service that is provided to multi

'hysically re!locate servers to racks in

:osted server >< service (II and II!5asi

4onsolidated :osting Environment (<i4entral web platform (=A<')

4ascase $erver solution for 4<$

76$, $DA

5ig 7ed II, uarry, <ason, 7esearch Da

4omprehensive, virtualiCed hosting sol

al, running a server operati

data, such as an ID$ or pro

use it stores data, poses so

share 9les with one or mor

share access to one or mor

9les andor actively listeni

signed for end user to ma

and forwards electronic m

database systems, such a

ute manage security patc

ct personal data via a webrsonal data via a web form

and development

Denition or 4ore Info ,

;0,000,000

;000,000

;00,000

;0,000

al, running a desktop oper

4lick for more info

T#reat +apacity? I the

ery Hi"# 9H:3 'robable

Hi"# 9H:3 'robable impact

4oderate 94:3 'robable i

,o% 9,:3 'robable impact

ery ,o% 9,:3 'robable i

ple units by a single IT grou

the data center

rosoft platform ! II$, 28et,

tabase 4omplex, B$EDE

utions

g system

y server

e risk2 <ost printers probably dont need to be inventoried

other computing devices

printers, either physically attached or across the network

g on ports #1, +, #1#1, or other common web server ports

age and update web content

il and acts as a host for end users to access their Inboxes

<$ $=, racle, etc2

hes andor anti!virus software pattern 9les

form, or that provide mission!critical services to your unit, or that provide mission!critical services to your unit

ting system AND hosting resources that other computers can access across the net

hreat happens, how bad is it likely to be+ontrol Sdoin& to

impact of threat is in the top " when compared to other threats

of threat is in the top *. when compared to other threats

pact of threat is of average capacity

f threat is in the bottom *. when compared to other threats

pact of threat is in the bottom " when compared to other threats

'our estimate o magnitude may eel li"e a !ild guess, &ut try tothin" a&out the !orst%case scenario. I a mission%critical system!as do!n or several !ee"s !hile you re&uilt it (due to any reason),!hat !ould it cost your unit in terms o lost productivity* +osttuition* +ost revenue* +ost grant opportunities* +oss o trust andreputation* In an academic unit, sliding do!n several positions innational ran"in s has a tan i&le cost in terms o enrollment and the

attraction o top talent.

oldfusion)

ork (e2g2, Facting like a serverF)

ren"t#? +hat are yourotect this asset

Implementing a System-Wide Risk Mitigation Policy (288219183)

Documents

Transcript of Implementing a System-Wide Risk Mitigation Policy (288219183)

Implementing Financial Assurance for Mitigation Project Success

Implementing Financial Assurance for Mitigation Project ... · Implementing financial assurances for mitigation project success can be challenging and place demands on regulators

Implementing Secure Converged Wide Area Networksios.ipmanager.ir/r/Ebook/Cisco.Implementing.Secure.Converged.Wide... · Implementing Secure Converged Wide Area ... Inc. Implementing

Formulating and Implementing Sector-wide Approaches in ...

implementing access control lists for threat mitigation

Section 6. Mitigation Strategies - Dutchess County · FEMA Mitigation Planning How-To Guide #3, Identifying Mitigation Actions and Implementing ... county and local mitigation and

2021: Implementing the Hybrid Hospital-Wide Readmission ...

California Eelgrass Mitigation Policy and Implementing ...

Implementing a Hospital-Wide Policy Management System

(NASA J.harben P.reese) Implementing Strategies for Risk Mitigation (NCSLI-2011)

Implementing Secure Converged Wide Area Networks (ISCW)

Guidance for designing and implementing Sector-Wide ...

Implementing Microsoft Enhanced Mitigation Experience ...

An Approach for Implementing Mitigation Measures to ... · long linear projects like pipelines due to the wide variety of slopes, soils, community types and precipitation zones that

Implementing Local Climate Change Adaptation and Mitigation … › files › 11427574 › climate_04... · climate Comment Implementing Local Climate Change Adaptation and Mitigation

Implementing System-Wide Risk Stratification Approaches

Implementing a Government-wide Monitoring and Evaluation ...

Module 14: Implementing School-wide PBS

Cummins Saves $4.1 Million by Implementing Enterprise- wide ISO 50001 ... · Cummins Takes SEP Enterprise-wide Approach Cummins Saves $4.1 Million by Implementing Enterprise-wide

Implementing Cisco ASR 9000 vDDoS Mitigation