
UF IT Security Risk Assessment Standard

September 14, 2006

Who Should Read This

At a minimum, this document should be read by all unit administration and IT workers.  A robust risk assessment includes evaluation by all sectors of an organization, so it is recommended that other relevant faculty, staff, and students also participate in risk assessment.

Purpose

Risk assessments are conducted to bring sense, order, and boundaries to the mitigation strategies needed to protect the mission, operation, and reputation of the University of Florida.  They inform the judgments of decision makers about how risks should be managed.

Definitions

Standard

The Level 2 Unit Information Security Administrator (ISA) must ensure that IT risk assessments are performed for their unit.  The purpose is to determine a protection level commensurate with resource value and exposure to threats.  Units may document their own comprehensive risk assessment process that approximates the “Risk Assessment Guidelines” <link>.  A comprehensive risk assessment must be done at least once every five years.  

The resulting risk mitigation strategy report must be provided to the UF Information Security Manager (ISM).  The report must be protected from unauthorized access.  The report to the ISM need not be comprehensive, but it must cover at least the top 5 critical risks.  For each risk:

  1. Identify asset
  2. Identify contacts and contact information
    1. ISM
    2. ISA
    3. Data Principal
    4. Data Custodian
  3. Identify vulnerability
  4. List threats with the potential to exploit the vulnerability, including their likelihood and impact
  5. Describe actions and resources needed to mitigate or accept risk
    1. Responsible party name, title, phone and email
    2. Scheduled date of completion

Progress on the risk mitigation strategy must be reported to the UF ISM annually.  An example report can be found at <link>.

The UF ISM must incorporate Level 2 Unit risk mitigation strategy reports into a university-wide risk framework that must be formally acknowledged by the UF ISA and university administration.  The framework must include risk factors and vulnerabilities, approved mitigation measures and resources, and accepted and assumed accountability for residual risk.

References

[1] Security Self-Assessment Guide for Information Technology Systems, http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf

[2] OCTAVE, http://www.cert.org/octave/

[3] An Overview of Threat and Risk Assessment, http://www.sans.org/rr/whitepapers/auditing/76.php

[4] An Introduction to Information Risk Assessment, http://www.sans.org/rr/whitepapers/auditing/1204.php

[5] CACI Computer Security Threats, http://www.caci.com/business/ia/threats.html

Risk Assessment Guidelines

October 26, 2006

These guidelines are intended to be comprehensive.  Especially for the first risk assessment, it may not be practical for some units to rigidly follow these guidelines.  Consider the following suggestions to help your unit prioritize and determine what is most meaningful to include in its risk assessment process.

  1. Resist the urge to be too comprehensive on the first assessment.
  2. Aggregate resources into similar groups and assess the group rather than individual resources.  For example, rather than assess each workstation, aggregate similar workstations into a group and assess them as a group.
  3. Avoid straying from the process.  Resist mission creep.
  4. Focus on most critical assets.
    1. Those used for Restricted and Sensitive data.
    2. Those critical to the mission and function of the unit.
    3. Those not easily replaced.
  5. Focus on most probable threats.
  6. Balance mitigation strategy with risk, cost and usability.  Keep it doable.

The typical risk assessment includes:

Suggested Risk Assessment Steps

Below are suggested steps for a comprehensive risk assessment.  There is no such thing as perfect IT security.  IT security is an ongoing process of improvement.  Also, security must be balanced with cost and usability.  Your unit will be best served by a candid risk assessment process.  Avoid answering questions as if this were a job performance evaluation.

  1. With assistance from unit administration, create and convene a risk assessment team.  Suggested members include:
    1. ISA
    2. ISM
    3. IT workers
    4. Faculty
    5. Staff
    6. Students
    7. Representative from the Office of Audit and Compliance Review
    8. Representative from the UF IT Security Team
    9. Representative from the Office of General Counsel
    10. Representative from Computing and Networking Services, Infrastructure Group
    11. Representative from Computing and Networking Services, Network Services
    12. Representative from Property Management
    13. Representative from Environmental Health and Safety
    14. External IT security consultant
  2. Establish the risk assessment schedule of one to three months.  Avoid taking longer than three months since assessment data may change.
  3. Understand unit infrastructure and reliance on IT
    1. Maps and diagrams of physical and logical structure
    2. Organizational charts
    3. Unit policies
    4. Complete Reliance on IT Questionnaire.
  4. Identify critical assets.  An asset is any intellectual or physical entity deemed important to doing or continuing business.
    1. What types of assets should be considered, inventoried and documented?
      1. Information
      2. Processes
      3. Systems
      4. Human Resources
      5. Software
      6. Hardware
      7. Other assets
    2. What assets are important to the unit?
      1. Consider processes as assets.  Follow the information flow throughout the process
      2. Which assets will cause a large adverse impact on the unit if they are disclosed to unauthorized people?
      3. Which assets will cause a large adverse impact on the unit if they are modified without authorization?
      4. Which assets will cause a large adverse impact on the unit if they are lost or destroyed?
      5. Which assets will cause a large adverse impact on the unit if access to them is interrupted?
      6. Which assets are difficult to replace?
      7. Which assets are costly to replace?
      8. What legal requirements impact the unit?
      9. How will the unit’s reputation be impacted?
      10. Consider central administrative systems
      11. Reference crises at other units or institutions
    3. Are there dependencies critical to function of identified assets?
    4. Examples of critical assets
      1. Student data systems and processes
      2. Medical data systems and processes
      3. Financial data systems and processes
      4. Human Resources systems and processes
      5. Critical enterprise systems
      6. Donor systems and processes
      7. Systems under contract and used for collaboration
      8. Certain intellectual property
  5. Evaluate asset criticality.
    1. Considerations to determine security requirements.
      1. Is the asset proprietary? Does it contain personal information? Should it be inaccessible to anyone who is not authorized to see it? If the answer to any of these questions is yes, what is the specific confidentiality requirement?
      2. Are authenticity, accuracy, and completeness important for the critical asset? If yes, what is the specific integrity requirement?
      3. Is accessibility of the asset important? If yes, what is the specific availability requirement?  What needs to be done to protect against service interruption?  What needs to be done to protect against data loss?
      4. Is the asset costly or otherwise difficult to replace?
      5. Is the asset mission critical?  Is it necessary for the proper function of the unit?
      6. Are there contracts or other legal requirements of this asset?
      7. Are there any other security-related requirements that are important to the asset? What are they?
    2. Using the following worksheets determine criticality for assets that are restricted, sensitive, mission critical, costly or difficult to replace.
      1. Data Risk Assessment Worksheet
      2. Software Risk Assessment Worksheet
      3. Host Risk Assessment Worksheet
      4. Network Risk Assessment Worksheet
      5. Physical and Environmental Risk Assessment Worksheet
      6. Training and Awareness Risk Assessment Worksheet
    3. Create a criticality profile
      1. From the worksheet responses, select all highly critical values.
      2. Prioritize list by sorting assets according to criticality responses
  6. Identify vulnerabilities.  A self-scan interface is available on the UF Infosec web site at https://infosec.ufl.edu/cgi-bin/newscan/.  Customized scans and penetration testing may also be requested from the UF IT Security Team by sending email to ufirt@ufl.edu.
    1. Enumerate vulnerabilities using scan software.
      1. Port scans
      2. Vulnerability scans
        1. Sort results in order of risk
      3. Vulnerability patterns
    2. Perform penetration testing
  7. Identify current asset protection measures.
    1. What is currently being done to protect assets?  Consider the following
      1. Confidentiality
      2. Integrity
      3. Availability
      4. Criticality to mission
      5. Contracts or other legal concerns
      6. Policy requirements
    2. Using the following worksheets, evaluate the extent to which protection measures exist (implemented, needed, or not applicable) for assets that are restricted, sensitive, mission critical, costly or difficult to replace.
      1. Data Risk Assessment Worksheet
      2. Software Risk Assessment Worksheet
      3. Host Risk Assessment Worksheet
      4. Network Risk Assessment Worksheet
      5. Physical and Environmental Risk Assessment Worksheet
      6. Training and Awareness Risk Assessment Worksheet
      7. IT Continuance of Operations Risk Assessment Worksheet
      8. Incident Response Risk Assessment Worksheet
      9. Meta Risk Assessment Worksheet
    3. Create the protection measure profile.
      1. From the worksheet responses, compile a list of needed protection measures.
      2. Prioritize needed protection measures by sorting in order of deficiency according to worksheet responses.
      3. For each protection measure, record whether it is documented in policy.
      4. For each protection measure, record whether it is documented in procedures.
      5. For each protection measure, record whether it is tested and reviewed.
      6. For each protection measure, record whether it is implemented.
  8. Evaluate threats (potentially undesirable events).
    1. Considerations for assessing threats
      1. reputation/customer confidence
      2. safety/health issues
      3. fines/legal penalties
      4. financial impact
      5. productivity
      6. historical data such as incident response reports from UFIRT.
    2. Using the following worksheets, evaluate the threat impact and likelihood (high, low, or none) for assets that are restricted, sensitive, mission critical, costly or difficult to replace.
      1. Data Risk Assessment Worksheet
      2. Software Risk Assessment Worksheet
      3. Host Risk Assessment Worksheet
      4. Network Risk Assessment Worksheet
      5. Physical and Environmental Risk Assessment Worksheet
      6. Training and Awareness Risk Assessment Worksheet
      7. IT Continuance of Operations Risk Assessment Worksheet
    3. Create threat profile
      1. Create a list of all high impact and high likelihood threats
      2. Prioritize threats by sorting in order of impact and likelihood according to worksheet responses.
  9. Evaluate risk
    1. Considerations
      1. Which are the most critical assets?  Select a few of the most critical assets to create the criticality profile.
      2. What are the missing protection measures?  Select a few of the most needed protection measures to create the protection measures profile.
      3. What are the highest risk vulnerabilities?  Select a few of the highest risk vulnerabilities to create the vulnerability profile.
      4. Which threats would cause the largest impact?  Select a few of the highest impact threats to create the threat profile.
      5. Which threats are most likely to impact the unit?  Select a few threats that are most likely to occur to create the threat profile.
      6. What is the risk from dependent assets?
    2. Summarize the risk based on the profile priorities identified in the considerations above (9.1).
    3. Evaluate overall improvement needed.
      1. Effective
      2. Needs improvement
  10. Develop mitigation strategy
    1. Consider the following.
      1. What can be done to improve the way in which security issues are integrated with the unit’s business strategy?
      2. What funding level is appropriate to support the unit’s security needs?  What solution is most cost effective?
      3. How will the strategy impact usability?
      4. Is insurance needed to mitigate risks? [6]
      5. Is unit administration willing to assume responsibility for some risks?
    2. What measures could be used to verify that this mitigation plan works and is effective?
  11. Prepare strategy document for upper management that includes the following.
    1. Introductory summary
    2. The Risk Profile consists of the following lists, prioritized in order of importance.
      1. Criticality.
      2. Needed protection measures.
      3. High risk vulnerabilities.
      4. High impact threats.
      5. High probability threats.
    3. Resources needed to implement strategy.
      1. Financial
      2. Staff
      3. Software
      4. Hardware
      5. Space
      6. Other
    4. Mitigation recommendations
      1. Enumerate risks for which no mitigation is planned.  Provide justification.
      2. Prioritized list of recommendations.
      3. For each recommendation, estimate cost for staff, hardware, software or other resources.
      4. Identify performance metrics that can be used to evaluate the effectiveness of each recommendation.
      5. An implementation schedule for each recommendation.
  12. Review strategy with upper management and the UF ISM
    1. What refinements, modifications, additions, or deletions must be made to the protection strategy?
    2. What will the unit do to build on the results of this evaluation?
    3. What else will management do to ensure that the unit improves its information security?
    4. What can management do to support this security improvement initiative?
    5. What are management’s plans for ongoing security evaluation activities?
  13. Implement strategy
    1. Allocate the staff and financial resources needed to implement the final strategy.
    2. Establish progress evaluation schedule.
    3. Evaluate what might improve the process in the next risk assessment.
  14. Evaluate strategy effectiveness and report progress to UF ISM on an annual basis.
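Steps 8 through 11 above reduce to a small amount of bookkeeping: score each threat as impact times likelihood on the worksheets' high/low/none scale, sort, and write out the fields the Standard requires for the top 5 risks.  The following is an added example of that bookkeeping, not part of the UF standard, its worksheets, or any UF tool; the asset names, contacts, dates and findings in it are constructed for illustration.

```python
"""Minimal risk register: scores worksheet-style responses, ranks them, and
renders the per-risk fields the Standard requires (asset, contacts,
vulnerability, threat with likelihood/impact, action, responsible party, date).
Added example; all data below is constructed, not real UF systems or findings."""
from dataclasses import dataclass, field

# Ordinal scale used by the worksheets: high / low / none.
LEVEL = {"high": 2, "low": 1, "none": 0}


@dataclass
class Risk:
    asset: str
    vulnerability: str
    threat: str
    impact: str          # "high", "low" or "none"
    likelihood: str      # "high", "low" or "none"
    action: str          # what will be done, or "Accept: <justification>"
    responsible: str     # name, title, phone and email of the responsible party
    due: str             # scheduled completion date
    contacts: dict = field(default_factory=dict)  # ISM, ISA, Data Principal, Data Custodian

    def __post_init__(self):
        # Reject values outside the worksheet scale instead of silently mis-scoring them.
        for name, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if value.lower() not in LEVEL:
                raise ValueError(f"{name} must be one of {sorted(LEVEL)}, got {value!r}")
        self.impact = self.impact.lower()
        self.likelihood = self.likelihood.lower()

    def score(self) -> int:
        """Impact x likelihood on the ordinal scale; 'none' on either side zeroes the risk."""
        return LEVEL[self.impact] * LEVEL[self.likelihood]


def top_risks(register, n=5):
    """Return the n highest-scoring risks.  Ties are broken by impact (a high-impact,
    low-likelihood event outranks the reverse), then by asset name for a stable order."""
    ranked = sorted(register, key=lambda r: (-r.score(), -LEVEL[r.impact], r.asset))
    return ranked[:n]


def report(register, n=5):
    """Render the fields the Standard asks for on each of the top n risks."""
    lines = []
    for i, r in enumerate(top_risks(register, n), start=1):
        lines.append(f"{i}. Asset: {r.asset} (score {r.score()})")
        for role in ("ISM", "ISA", "Data Principal", "Data Custodian"):
            lines.append(f"   {role}: {r.contacts.get(role, 'TBD')}")
        lines.append(f"   Vulnerability: {r.vulnerability}")
        lines.append(f"   Threat: {r.threat} (impact {r.impact}, likelihood {r.likelihood})")
        lines.append(f"   Action: {r.action}")
        lines.append(f"   Responsible: {r.responsible}; due {r.due}")
    return "\n".join(lines)


# Constructed sample register (hypothetical contacts, assets and findings).
CONTACTS = {"ISM": "ism@example.edu", "ISA": "isa@example.edu",
            "Data Principal": "principal@example.edu", "Data Custodian": "custodian@example.edu"}

SAMPLE_REGISTER = [
    Risk("Student records database", "Unpatched database service reachable from the campus network",
         "Remote exploitation leading to disclosure of restricted data",
         "high", "high", "Patch and restrict access to the application subnet",
         "A. Admin, DBA, 555-0100, a.admin@example.edu", "2007-01-15", CONTACTS),
    Risk("Departmental file server", "No off-site backups",
         "Hardware failure destroying unit research data",
         "high", "low", "Add nightly off-site backup and test restores quarterly",
         "B. Ops, Sysadmin, 555-0101, b.ops@example.edu", "2007-02-01", CONTACTS),
    Risk("Lab workstations (aggregated)", "Shared local administrator password",
         "Malware spreading between workstations",
         "low", "high", "Unique local admin credentials; enforce screen lock",
         "C. Desk, Desktop Support, 555-0102, c.desk@example.edu", "2007-01-30", CONTACTS),
    Risk("Public web server", "Directory listing enabled on a static content directory",
         "Disclosure of non-sensitive files",
         "low", "low", "Accept: content is already public; disable listing at next maintenance",
         "B. Ops, Sysadmin, 555-0101, b.ops@example.edu", "2007-03-01", CONTACTS),
    Risk("Printer fleet", "Default SNMP community string",
         "Reconfiguration of print queues",
         "none", "high", "Accept: no restricted data passes through these devices",
         "C. Desk, Desktop Support, 555-0102, c.desk@example.edu", "n/a", CONTACTS),
]

if __name__ == "__main__":
    print(report(SAMPLE_REGISTER, n=5))
```

Accepted risks stay in the register with their justification rather than being dropped, which is what step 11.4.1 asks for; the tie-break on impact is a design choice (two "2" scores are not equal in practice) and a unit can substitute its own ordering without changing the report format.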

References

[1] Security Self-Assessment Guide for Information Technology Systems, http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf

[2] OCTAVE, http://www.cert.org/octave/

[3] An Overview of Threat and Risk Assessment, http://www.sans.org/rr/whitepapers/auditing/76.php

[4] An Introduction to Information Risk Assessment, http://www.sans.org/rr/whitepapers/auditing/1204.php

[5] CACI Computer Security Threats, http://www.caci.com/business/ia/threats.html

[6] UF Environmental Health and Safety, Risk Management, Insurance, http://www.ehs.ufl.edu/RiskMgmt/insure2.htm

[7] Educause risk assessment framework, http://www.educause.edu/LibraryDetailPage/666?ID=CSD4380

[8] Educause Information Security Governance Assessment Tool for Higher Education, http://www.educause.edu/ir/library/pdf/SEC0421.pdf

[9] Educause Effective Practices and Solutions in Security, http://www.educause.edu/EffectivePracticesandSolutionsinSecurity/1246
