Implementing a System-Wide Risk Mitigation Policy (288219183)

8/20/2019 Implementing a System-Wide Risk Mitigation Policy (288219183)

http://slidepdf.com/reader/full/implementing-a-system-wide-risk-mitigation-policy-288219183 1/94

Policy IT-28 Planne

Name of Unit Enter the name of your school or department

Unit Head Enter the full name of the Dean, Director, or top executive

Type of Unit Academic

Submitted by Typically, the highest ranking IT professional will submit

Secondary contact ptional, but should be someone well!informed about IT!"#

Date of Submission

Are you a Group-leel IT Serice proider!Defned as providing any IT services to more than 1 unit, including academic units, administrative unit

If proidin" IT Serices to more t#an one unit$ please list all units for %#ic

Are any of your unit&s IT serices proided ' mana"ed by a Group-leel IT P

If yes$ %#at proider!

Please note that fnal submission o this documentation should include all

IT Planner, version 1.9.24.13

I yes, please ans!er the ollo!ing !or"sheets only or services that are managed in your una plan or the services they provide.



cer for your department

, and research centers

IT support is proided

roider!

IT services supported within the unit.

it. #e sure to veriy that your $roup%level IT Provider su&mits



* Please only include servers, devices that behave like a serve

To re&uest a scan of static I' addresses in your building(s), click here

Hard%are Type Host Name Primary (unction*

"

+

-

.

/

#

0

*1

**

*"

*+

*

*-

*.

*/

*#

*0

"1

"*""

"+

"

"-

".

"/

"#

"0

+1

+*

+"

++

+

+-

+.

+/

+#

+0

1

Item

No)



*

"

+

-

.

/#

0

-1

-*

-"

-+

-

--

-.

-/

-#-0

.1

.*

."

.+

.

.-

..

./

.#

.0

/1

/*

/"

/+

/

/-

/.

//

/#

/0#1

#*

#"

#+

#

#-

#.

#/



Environmental $can of IT Assets%, or devices that store any data that you suspect may be protected b

Secondary (unction Description

Indiiduals %' Priile"ed

Access



privacy laws or policies

*peratin" System *t#er IP Addresses

Serice

+riticality

Primary IP

Address



P#ysical ,ocation irtuali.ed



*t#er /ey +#aracteristics or

+omments

Data 0ncrypted at

1est



These Columns Not e!uired or IT"#$ Co

Does t#e Serer Site#ind a Hard%are

(ire%all!

Do Antiirus Scans

Ta3e Place!



pliance. ecommended or %epartmental Trackin& o IT"'# Controls

Patc# 4ana"ement Procedures Serer Has UPS



Is Serer ac3ed Up! ac3up 4et#od'(re5uency



*6site ac3up ,ocation

*6site ac3up ,o"ical

Security +ontrols



*6site ac3up P#ysical

Security +ontrols

ac3up Testin" (re5uence

and 4et#od



*nsite ac3up ,ocation

*nsite ac3up ,o"ical

Security



*nline ac3up P#ysical

Security

*nsite ac3up Testin"

(re5uency and 4et#od



(re5uency ofac3up'1estoration ,o"s

1eie%ed

Is t#e serer bein" scanned

by a ulnerability scanner!



Is %eb application bein"

scanned by a %eb scanner!



Item No) ' Type ' Host

*2 3"2 3

+2 3

2 3

-2 3

.2 3

/2 3

#2 3

02 3

*12 3

**2 3*"2 3

*+2 3

*2 3

*-2 3

*.2 3

*/2 3

*#2 3

*02 3

"12 3

"*2 3

""2 3"+2 3

"2 3

"-2 3

".2 3

"/2 3

"#2 3

"02 3

+12 3

+*2 3

+"2 3

++2 3

+2 3

+-2 3

+.2 3

+/2 3

+#2 3

+02 3

12 3



*2 3

"2 3

+2 3

2 3

-2 3

.2 3

/2 3#2 3

02 3

-12 3

-*2 3

-"2 3

-+2 3

-2 3

--2 3

-.2 3

-/2 3

-#2 3-02 3

.12 3

.*2 3

."2 3

.+2 3

.2 3

.-2 3

..2 3

./2 3

.#2 3

.02 3

/12 3

/*2 3

/"2 3

/+2 3

/2 3

/-2 3

/.2 3

//2 3

/#2 3

/02 3#12 3

#*2 3

#"2 3

#+2 3

#2 3

#-2 3

#.2 3

#/2 3



##2 3

#02 3

012 3

0*2 3

0"2 3

0+2 3

02 30-2 3

0.2 3

0/2 3

0#2 3

002 3

*112 3

*1*2 3

*1"2 3

*1+2 3

*12 3

*1-2 3*1.2 3

*1/2 3

*1#2 3

*102 3

**12 3

***2 3

**"2 3

**+2 3

**2 3

**-2 3

**.2 3

**/2 3

**#2 3

**02 3

*"12 3

I you insert more ro!s, &e sure to copy ormatti



Data Analysis

7#at is t#e #i"#est classication ofdata stored on t#is item!4lick for more info

http://datamgmt.iu.edu/classifications.shtml

http://datamgmt.iu.edu/classifications.shtml



g and ormulas



7#ic# of t#e follo%in" best describes t#e#i"#est classication of data stored on t#isitem!4lick for more info




*2 3 !

"2 3 !

+2 3 !

2 3 !

-2 3 !

.2 3 !

/2 3 !

#2 3 !02 3 !

*12 3 !

**2 3 !

*"2 3 !

*+2 3 !

*2 3 !

*-2 3 !

*.2 3 !

*/2 3 !

*#2 3 !

*02 3 !

"12 3 !

"*2 3 !

""2 3 !

"+2 3 !

"2 3 !

"-2 3 !

".2 3 !

"/2 3 !

"#2 3 !

"02 3 !

+12 3 !

+*2 3 !

+"2 3 !

++2 3 !

+2 3 !

+-2 3 !

+.2 3 !

5ased on the 6actor Analysis of information 7isk (6AI7) model

Data+lassication

http://www.riskmanagementinsight.com/media/docs/FAIR_brag.pdf

http://www.riskmanagementinsight.com/media/docs/FAIR_brag.pdf



+/2 3 !

+#2 3 !

+02 3 !

12 3 !

*2 3 !

"2 3 !

+2 3 !2 3 !

-2 3 !

.2 3 !

/2 3 !

#2 3 !

02 3 !

-12 3 !

-*2 3 !

-"2 3 !

-+2 3 !

-2 3 !--2 3 !

-.2 3 !

-/2 3 !

-#2 3 !

-02 3 !

.12 3 !

.*2 3 !

."2 3 !

.+2 3 !

.2 3 !

.-2 3 !

..2 3 !

./2 3 !

.#2 3 !

.02 3 !

/12 3 !

/*2 3 !

/"2 3 !

/+2 3 !

/2 3 !

/-2 3 !/.2 3 !

//2 3 !

/#2 3 !

/02 3 !

#12 3 !

#*2 3 !

#"2 3 !

#+2 3 !



#2 3 !

#-2 3 !

#.2 3 !

#/2 3 !

##2 3 !

#02 3 !

012 3 !0*2 3 !

0"2 3 !

0+2 3 !

02 3 !

0-2 3 !

0.2 3 !

0/2 3 !

0#2 3 !

002 3 !

*112 3 !

*1*2 3 !*1"2 3 !

*1+2 3 !

*12 3 !

*1-2 3 !

*1.2 3 !

*1/2 3 !

*1#2 3 !

*102 3 !

**12 3 !

***2 3 !

**"2 3 !

**+2 3 !

**2 3 !

**-2 3 !

**.2 3 !

**/2 3 !

**#2 3 !

**02 3 !

*"12 3 !

I you insert more ro!s, &e sure to copy ormatting and ormulas



Type

and 8I$T #11!+1

Pri

http://www.nist.gov/customcf/get_pdf.cfm?pub_id=912091

http://www.nist.gov/customcf/get_pdf.cfm?pub_id=912091



1is3 Assessment

ary threat for this service

(ull Description (feel free to use as a 4omment 9eld)T#reat 0ent(re5uency 9T0(:



(re5uency and +apacity

Describe rationalfor t#is ratin"

T#reat+apacity9T+ap:

Describe rational for t#isratin"



+ontrols 1is3 Assess

+ompensatin"+ontrol

Stren"t# 9+S: Describe controls 9clic3 to s ulnerability9uln:

,oss 0ent(re5uency9,0(:

http://policies.iu.edu/policies/categories/information-it/it/IT-12.shtml

http://policies.iu.edu/policies/categories/information-it/it/IT-12.shtml



ent

4a"nitudeSeere <;=$===$=== --

:igh ;*,111,111 ;0,000,000

$igni9cant ;*11,111 ;000,000

<oderate ;*1,111 ;00,000

=ow ;*,111 ;0,000

>ery =ow ;1 ;000

Probable ,oss4a"nitude 9Seetable at ri"#t:




*2 3"2 3

+2 3

2 3

-2 3

.2 3

/2 3

#2 3

02 3

*12 3

**2 3*"2 3

*+2 3

*2 3

*-2 3

*.2 3

*/2 3

*#2 3

*02 3

"12 3

"*2 3

""2 3"+2 3

"2 3

"-2 3

".2 3

"/2 3

"#2 3

"02 3

+12 3

+*2 3

+"2 3

++2 3

+2 3

+-2 3

+.2 3

+/2 3

+#2 3

+02 3

12 3

ulnerability9uln:

,oss 0ent(re5uency 9,0(:



*2 3

"2 3

+2 3

2 3

-2 3

.2 3

/2 3#2 3

02 3

-12 3

-*2 3

-"2 3

-+2 3

-2 3

--2 3

-.2 3

-/2 3

-#2 3-02 3

.12 3

.*2 3

."2 3

.+2 3

.2 3

.-2 3

..2 3

./2 3

.#2 3

.02 3

/12 3

/*2 3

/"2 3

/+2 3

/2 3

/-2 3

/.2 3

//2 3

/#2 3

/02 3#12 3

#*2 3

#"2 3

#+2 3

#2 3

#-2 3

#.2 3

#/2 3



##2 3

#02 3

012 3

0*2 3

0"2 3

0+2 3

02 30-2 3

0.2 3

0/2 3

0#2 3

002 3

*112 3

*1*2 3

*1"2 3

*1+2 3

*12 3

*1-2 3*1.2 3

*1/2 3

*1#2 3

*102 3

**12 3

***2 3

**"2 3

**+2 3

**2 3

**-2 3

**.2 3

**/2 3

**#2 3

**02 3

*"12 3

I you insert more ro!s, &e sure to copy ormatting and ormulas



Transition 'lanning

Are you plannin" to moe t#isserice to a UITS Serice as partof your IT-28 plan!

If No$ please proide briefe>planation



7#ere do you plan to moe 9or#ae already moed: t#is item!

If Group-,eel proider$please identify %#ic# "roup

0stimated4oe Date



1esource

4o!locationIntelligent Infrastructure

4:E

?ebserve

?4<$

4ollaborative $torage

7esearch $torage

7esearch 4omputing

Database Admin $ervices

$ystem Admin $ervices

Enterprise 'rint $ervicesEnterprise $44<

@roup!=evel $olution

ther



Denition

$hare'oint, 5ox

8ot yet available8ot yet available

Any IT service that is provided to multiple units by a single IT group

'hysically re!locate servers to racks in the data center:osted server >< service (II and II!5asic)

4onsolidated :osting Environment (<icrosoft platform ! II$, 28et, 4oldfusion)

4entral web platform (=A<')

4ascase $erver solution for 4<$

76$, $DA

5ig 7ed II, uarry, <ason, 7esearch Database 4omplex, B$EDE

4omprehensive, virtualiCed hosting solutions

4omprehensive, virtualiCed hosting solutions

http://kb.iu.edu/data/azof.html

http://ii.uits.iu.edu/

http://kb.iu.edu/data/arrt.html

http://webmaster.iu.edu/

https://wcms.iu.edu/home.php

http://kb.iu.edu/data/aroz.html

http://rt.uits.iu.edu/index.php

http://www.iu.edu/~esaweb/smart.html













Denition of Terms

Hard%are Types Denition

$erver Any computer device, physical or virtu

Desktoplaptop

8etwork :? =ist only network hardware that stores

'rinter <ulti!function printercopier that, beca4amera

(unctions Denition

6ile $haring The computing device is con9gured to

'rint $haring The computing device is con9gured to

?eb $erver The computing device is serving :T<=

?eb 4ontent <gmt The computing device runs software d

Email $erver The computing device receives, stores,

Database $erver The computing device runs server!side

'atch>irus <gmt The computing device is used to distri

4ustom App (Describe) Any custom!built applications that coll>ended App (Describe) Any vended applications that collect p

Test or Dev $erver 8on!production server used for testing

Types of Data

$tudent grades

:7 records

4redit card numbers

Electronic protected health information

6inancial data

Donor info

6ederal grantcontract data

1is3 Analysis

4a"nitudeSeere <;=$===$===

:igh ;*,111,111

$igni9cant ;*11,111

<oderate ;*1,111

=ow ;*,111

Any computing device, physical or virt

T#reat 0ent (re5uency?(ow oten does the threat)knock at your door)

ery Hi"# 9H:3 G *11 timesyr

Hi"# 9H:3 5etween *1 and *11 timesyr

4oderate 94:3 5etween * and * timesyr

,o% 9,:3 5etween 2* and * timesyr

ery ,o% 9,:3 H2* times per year (less than once in *1 years)



>ery =ow ;1

1esource Denition

4o!location

Intelligent Infrastructure

4:E?ebserve

?4<$

4ollaborative $torage $hare'oint, 5ox

7esearch $torage

7esearch 4omputing

Database Admin $ervices

$ystem Admin $ervices

Enterprise 'rint $ervices 8ot yet available

Enterprise $44< 8ot yet available

@roup!=evel $olution Any IT service that is provided to multi

ther

'hysically re!locate servers to racks in

:osted server >< service (II and II!5asi

4onsolidated :osting Environment (<i4entral web platform (=A<')

4ascase $erver solution for 4<$

76$, $DA

5ig 7ed II, uarry, <ason, 7esearch Da

4omprehensive, virtualiCed hosting sol

4omprehensive, virtualiCed hosting sol





















al, running a server operati

data, such as an ID$ or pro

use it stores data, poses so

share 9les with one or mor

share access to one or mor

9les andor actively listeni

signed for end user to ma

and forwards electronic m

database systems, such a

ute manage security patc

ct personal data via a webrsonal data via a web form

and development

Denition or 4ore Info ,

--

;0,000,000

;000,000

;00,000

;0,000

al, running a desktop oper

4lick for more info

4lick for more info

4lick for more info

T#reat +apacity? I the

ery Hi"# 9H:3 'robable

Hi"# 9H:3 'robable impact

4oderate 94:3 'robable i

,o% 9,:3 'robable impact

ery ,o% 9,:3 'robable i

http://treasurer.indiana.edu/pcidss/index.html

http://www.iu.edu/~vpgc/compliance/hipaa-privacy-and-security/index.shtml

http://csrc.nist.gov/groups/SMA/fisma/overview.html

http://csrc.nist.gov/groups/SMA/fisma/overview.html

http://www.iu.edu/~vpgc/compliance/hipaa-privacy-and-security/index.shtml

http://treasurer.indiana.edu/pcidss/index.html



;000

ple units by a single IT grou

the data center

c)

rosoft platform ! II$, 28et,

tabase 4omplex, B$EDE

utions

utions















g system

y server

e risk2 <ost printers probably dont need to be inventoried

other computing devices

printers, either physically attached or across the network

g on ports #1, +, #1#1, or other common web server ports

age and update web content

il and acts as a host for end users to access their Inboxes

<$ $=, racle, etc2

hes andor anti!virus software pattern 9les

form, or that provide mission!critical services to your unit, or that provide mission!critical services to your unit

in3

ting system AND hosting resources that other computers can access across the net

hreat happens, how bad is it likely to be+ontrol Sdoin& to

impact of threat is in the top " when compared to other threats

of threat is in the top *. when compared to other threats

pact of threat is of average capacity

f threat is in the bottom *. when compared to other threats

pact of threat is in the bottom " when compared to other threats

'our estimate o magnitude may eel li"e a !ild guess, &ut try tothin" a&out the !orst%case scenario. I a mission%critical system!as do!n or several !ee"s !hile you re&uilt it (due to any reason),!hat !ould it cost your unit in terms o lost productivity* +osttuition* +ost revenue* +ost grant opportunities* +oss o trust andreputation* In an academic unit, sliding do!n several positions innational ran"in s has a tan i&le cost in terms o enrollment and the



p

attraction o top talent.

oldfusion)





ork (e2g2, Facting like a serverF)

ren"t#? +hat are yourotect this asset

3

Implementing a System-Wide Risk Mitigation Policy (288219183)

Documents

Transcript of Implementing a System-Wide Risk Mitigation Policy (288219183)