U. T. System Information Security Program Index (ISPI) Assessment Form (Effective 12/04/2009)


21 Nov 2013


CONFIDENTIAL INFORMATION

The information contained in this document is confidential. Access to and release of this information is restricted by law.

Institution:

Date:


Interviewee(s):



Interviewer(s):



A-1 Information Security Budget

0 - No information security budget exists and no funds are made available for purchase of security tools and services.

2 - The information security budget process is unknown to the ISO/CISO and funding continuously proves inadequate to meet program needs.

If the information security budget is part of the general IT budget and competes against IT budget initiatives for funding:

5 - Funding for the fiscal year is inadequate to meet basic security program needs.

7 - Funding for the fiscal year is adequate to maintain baseline operations but not sufficient to allow for acquisition of needed new tools / services.

8 - Funding for the fiscal year is adequate to maintain baseline operations and to allow for acquisition of needed new tools / services.

9 - Funding consistently (for past 2 fiscal years at a minimum) is adequate to maintain baseline operations and allow for acquisition of needed new tools / services.

If information security has a separate budget under authority of the ISO/CISO but competes against IT initiatives for funding:

5.5 - Funding for the fiscal year is inadequate to meet basic security program needs.

7.5 - Funding for the fiscal year is adequate to maintain baseline operations but not sufficient to allow for acquisition of needed new tools / services.

8.5 - Funding for the fiscal year is adequate to maintain baseline operations and to allow for acquisition of needed new tools / services.

9.5 - Funding consistently (for past 2 fiscal years at a minimum) is adequate to maintain baseline operations and allow for acquisition of needed new tools / services.

If information security has a separate budget under authority of the ISO/CISO and funding requests do not compete directly against IT initiatives (they are considered outside and apart from IT funding requests):

5.75 - Funding for the fiscal year is inadequate to meet basic security program needs.

7.75 - Funding for the fiscal year is adequate to maintain baseline operations but not sufficient to allow for acquisition of needed new tools / services.

8.75 - Funding for the fiscal year is adequate to maintain baseline operations and to allow for acquisition of needed new tools / services.

9.75 - Funding consistently (for past 2 fiscal years at a minimum) is adequate to maintain baseline operations and allow for acquisition of needed new tools / services.

10 - All information security needs and initiatives are fully funded year after year (for past 3 fiscal years at a minimum).


Score:



Documentation/Comments:






A-2 Staffing - Information Security Staff Level:

(Note: This refers only to staff who are direct reports to the ISO.)

0 - The institution has no designated ISO/CISO. This applies also if the position exists but is unfilled and there is no formally appointed Interim ISO/CISO.

.5 - Ratio of ISO staff to people (faculty, students & staff) < 1:16000

1 - Ratio of ISO staff to people ≥ 1 to 16000

1.5 - Ratio of ISO staff to people ≥ 1 to 15000

2 - Ratio of ISO staff to people ≥ 1 to 14000

2.5 - Ratio of ISO staff to people ≥ 1 to 13000

3 - Ratio of ISO staff to people ≥ 1 to 12000

3.5 - Ratio of ISO staff to people ≥ 1 to 11000

4 - Ratio of ISO staff to people ≥ 1 to 10000

4.5 - Ratio of ISO staff to people ≥ 1 to 9000

5 - Ratio of ISO staff to people ≥ 1 to 8000

5.5 - Ratio of ISO staff to people ≥ 1 to 7000

6 - Ratio of ISO staff to people ≥ 1 to 6000

6 - If an institution has only one staff member dedicated to Information Security, the score is capped at 6 regardless of the ratio of ISO staff to people.

6.5 - Ratio of ISO staff to people ≥ 1 to 5000

7 - Ratio of ISO staff to people ≥ 1 to 4000

7.5 - Ratio of ISO staff to people ≥ 1 to 3000

8 - Ratio of ISO staff to people ≥ 1 to 2000

8.5 - Ratio of ISO staff to people ≥ 1 to 1500

9 - Ratio of ISO staff to people ≥ 1 to 1000

9.5 - Ratio of ISO staff to people ≥ 1 to 500

10 - The ISO/CISO of the institution attests that no additional staff is needed and that sufficient staff exists to perform all information security tasks (planning, assessing, monitoring, training, deployment, mitigation, forensics etc.) with a high degree of effectiveness.


Score:



Documentation/Comments:






A-3 Staffing - Information Security Team Expertise:

Following is a list of knowledge/skill areas typically needed within an organization's information security function. Viewing the Information Security organization holistically, assess the organization's possession of, or ready access to, the following:

(Multiply each Item Score by the Weight percentage to obtain the score for that row. Sum these for the Total Score.)

Item Score scale:

10 - Very Strong

8.5 - Solid

7.5 - Adequate / Average

6 - Weak

3 - Very Weak

2 - Unknown

0 - None

Columns: Skill Area | Item Score | Weight (multiplier) | Total Score

1. Strategy Development and Communication: The knowledge and skills needed to create and articulate a vision for the Information Security function, effectively communicate the vision to achieve buy-in from management, stakeholders, and others, and help motivate workers to work towards building a more secure institution. (Weight .077)

2. Relationship Building: The skill of building relationships with personnel across the institution and to work cooperatively with other departments to achieve goals of the Information Security function and the institution. (Weight .077)

3. Risk Assessment and Management: Skills needed to coordinate risk assessment processes and convert results into inputs for program prioritization decisions. (Weight .077)

4. Planning and Budgeting: Ability to identify needs, create policies, reports and action plans, build and advocate for budget. (Weight .077)

5. Systems Administration: Ability to understand device configuration and identify weaknesses. (Weight .077)

6. Network Administration: Knowledge of various network devices, their functions, and vulnerabilities, and ability to analyze log information from such devices. (Weight .077)

7. Contract Management: Understanding of contract provisions and operational practices needed to safeguard University data accessed, used, or stored by business partners. (Weight .077)

8. Technical Monitoring: Ability to review output from various information security appliances or tools, determine whether anomalies exist that warrant follow-up by the ISO and determine appropriate actions. (Weight .077)

9. Applications Security: Understanding of application vulnerabilities, secure coding practices, and skill to use application assessment tools to remediate code. (Weight .077)

10. Forensics: Ability to examine the contents of a computing device and log information in order to determine what actions may have been performed on the device. (Weight .077)

11. Project Management: The ability to work with stakeholders to deploy information security applications effectively, and consult on project implementations. (Weight .077)

12. Incident Management: The ability to coordinate the range of activities required to investigate an incident in a way that meets University, State, and Federal requirements and allows timely resumption of services to allow the institution to meet its missions. (Weight .077)

13. Disaster Recovery/Business Continuity Planning: The ability to coordinate the integration of the disaster recovery planning process for information resources with the business continuity planning and business impact analysis process. (Weight .077)

TOTAL:



Score:



Documentation/Comments:





A-4 Resources

Availability of Information Security Tools, Appliances, Software & Services

The purpose of this item is to determine the extent to which needed security tools and services are available.

NOTE: This is NOT a measure of actual deployment or use of each tool or service, but of ownership of or access to each of the tools or services.

For each tool/service, determine the percentage of need that can be covered by the institution's ownership or level of access to the tool/service. Divide that percentage by 10 to obtain the Item Score. Multiply each Item Score by the Weight multiplier to obtain the total score for that row. Sum these for the Total Score.

Columns: Item Score (0 to 10 for each item: percent of coverage divided by 10) | Weight (multiplier) | Total Score

Example: If the institution owns a sufficient number of licenses to encrypt only 75% of laptops that need to be encrypted: convert 75% to 75, then divide by 10 to obtain the Item Score of 7.5. Multiply this by the multiplier to get the Total Score for that row.

    Laptop Encryption Solution that is verifiable. (Provides ability to prove encryption status of a lost computer.) | Item Score 7.5 | Weight .083 | Total Score .62

1. Anti-Virus / Anti-Malware Solution (Weight .083)

2. Server, Workstation, and Laptop Configuration Management Solution (Weight .083)

3. Patch Management Solution (Weight .083)

4. Intrusion Detection and/or Intrusion Prevention Solution (Weight .083)

5. Vulnerability Scanning Solution (Weight .083)

6. Penetration Testing Solution (Weight .083)

7. Laptop Encryption Solution that is verifiable. (Provides ability to prove encryption status of a lost computer.) (Weight .083)

8. Email Encryption Solution (Weight .083)

9. Confidential Data Discovery Tool for data at rest (examples: SENF, Identity Finder) (Weight .083)

10. Confidential Data Discovery Tool for data in motion (examples: CISCO email gateway, UT System IDS) (Weight .083)

11. Application Scanning Solution (Weight .083)

12. Centralized log management tool for consolidation and analysis of log data. (Weight .083)

TOTAL:



Score:



Documentation/Comments:






A-5 Basic Network Security Characteristics

For each statement below that is True for the institution, place a score of 10 in the Item Score column next to that item. If the statement is false, place a score of 0 in the Item Score column next to that item. Item scores between 0 and 10 can be used to denote partial implementations. Multiply each Item Score by the Weight percentage to obtain the score for that row. Sum these for the Total Score.

Columns: Item Score | Weight (multiplier) | Total

Example: For illustration, let's assume that only ½ or 50% of an institution's devices that should be behind a firewall are actually behind the firewall: 50% would translate to an item score of 5 (rather than 10):

    Firewall Protection: All devices that should be behind a firewall are behind a firewall. | Item Score 5 | Weight .125 | Total .625

1. Firewall Protection: All devices that should be protected by a firewall are protected by such. (Weight .125)

2. Public DMZ: DMZs are appropriately used to isolate all devices needing to be isolated. (Weight .125)

3. Network Segmentation / VLANs: All network traffic is appropriately segmented either physically or logically to reduce the scope of exposures. (Weight .125)

4. Network Address Translation (NAT): NAT is used where needed to reduce visibility of internal devices from external users. (Weight .125)

5. DNS Configuration: DNS is configured to separate internal and external zones. (Weight .125)

6. VPN / Terminal Services: VPN and/or Terminal Services are used to provide remote access and restrict such access to authorized parties. (Weight .125)

7. Network Access Control (NAC): NAC is used to verify compliance with institutional security requirements prior to allowing any remote devices to establish connectivity to the network. (Weight .125)

8. Wireless Network Protections: The wireless network has appropriate controls to ensure all traffic is encrypted and access to the network is restricted to authorized parties. (Weight .125)

TOTAL:







Score:



Documentation/Comments:




A-6 ISA Program and Training

0 - No ISA program has been established and no ISAs have been appointed.

3 - Some ISAs have been appointed.

5 - Departmental ISAs have been appointed.

6 - Departmental ISAs have been appointed and have met.

6.5 - Departmental ISAs have met at least once per semester.

7 - Departmental ISAs have met and are meeting quarterly.

8 - Departmental ISAs have met and are meeting on a quarterly basis and are becoming appropriately trained.

9 - The ISA Program meets requirements for level 8 and ISA meetings are used for input into the program in addition to information dissemination.

10 - The ISA Program meets requirements for level 9 and ISAs are actively engaged in all ISA responsibilities identified in UTS-165:

• Implements and complies with all information technology policies and procedures relating to assigned systems.

• Assists Owners in performing annual information security risk assessment for Mission Critical Resources.

• Reports general computing and Security Incidents to the Entity ISO.

• Assists, as a member of the ISA Work Group, the ISO in developing, implementing, and monitoring the Information Security Program.

• Establishes reporting guidance, metrics, and timelines for the ISOs to monitor effectiveness of security strategies implemented in both central and decentralized areas.

• Reports at least annually to the ISO about the status and effectiveness of information resources security controls.

Note: After obtaining the Preliminary Score using the above criteria, modify the score based on the breadth of the ISA program. Do the following:

• Determine how many ISAs your institution should have (either based on departments, systems, or other criteria).

• Determine how many ISAs the institution actually has and determine what percentage this is of the total.

• Multiply this percentage by the score you had from above to obtain the "FINAL" score for the item.

Example: Assume the score from above is 9. Let's assume that the institution should have 25 ISAs, but only 20 have been appointed: 20 / 25 x 100 = 80%. 80% of 9 = 7.2, resulting in a Final Score of 7.2 for this item.


Score:



Documentation/Comments:






A-7 Internal Communication Flows

Rate the degree to which each of the following statements is true on a 1 to 10 scale. If it is 100% true score 10, if it is totally false score 0. If it is true 75% of the time or for 75% of situations score 7.5, etc.

Score is capped at 9.5, unless the ISO asserts that communications in the organization are optimal for ensuring effectiveness of the ISO Office in securing the institution's data.

Columns: Item Score (0 to 10 based on degree) | Weight (multiplier) | Total Score

1. The institution has an incident response policy. (If yes, Item Score is 10; if no, 0.) (Weight .1)

2. The institution's incident response policy identifies procedures, responsibilities, and communication chains to use during critical information security incidents. (Weight .1)

3. What percent of employees have received training in who to contact in the event of an information security incident? (example: 55% = Item Score of 5.5) (Weight .1)

4. The ISO has ready access to all information sources (logs, configurations, firewall rules, IDS/IPS output etc.) required to understand the security posture of the organization and to effectively perform the ISO function. (Weight .1)

5. The ISO is involved in all discussions of new systems or system changes that may impact the information security state of the institution. (Weight .1)

6. The ISO is included in the purchase process to ensure that purchased or outsourced systems are appropriately vetted for information security. (Weight .1)

7. Operational units inform the ISO of security breaches in a timely manner. (Weight .1)

8. Feedback loops are defined and consistently used to ensure assignments relating to security are completed. (Weight .1)

9. Executive management is informed in a timely way when significant security incidents occur. (Weight .1)

10. The Office of Police and the ISO inform each other when a stolen device or other incident (or crime) occurs that impacts information security. (Weight .1)

TOTAL:



Score:



Documentation/Comments:







A-8 Data Classification, Assignment of Ownership, and Owner Responsibilities

0 - The institution has not established a data classification policy and schema.

4 - A data classification policy and schema has been established, but Owners have not been identified.

6 - A data classification policy and schema has been established, and Owners have been identified.

7 - Criteria for 6 have been met and Owners are actively engaged in one of the following Owner duties as required by UTS 165:

• Owners classify the data for the systems for which they are responsible.

• Owners (or their delegates) grant access to the information systems for which they are responsible.

• Owners ensure that data for which they are responsible are appropriately backed up.

• Owners of Mission Critical Systems designate individuals to serve as Information Security Administrator (ISA) to implement security controls and report incidents to the ISO as necessary.

• Owners (or their delegates) perform annual information security risk assessment.

7.5 - Owners are actively engaged in two of the above noted Owner duties.

8 - Owners are actively engaged in three of the above noted Owner duties.

9 - Owners are actively engaged in four of the above noted Owner duties.

9.5 - Owners are actively engaged in all five of the above noted Owner duties.

10 - Criteria for 9.5 have been met AND Owners have received training in Owner responsibilities.

Note: If Owners have received training in their Owner responsibilities, add .5 points to the score obtained above. Score cannot exceed 10.


Score:



Documentation/Comments:






B-1 Server Configuration Management

0 - No configuration management solution is in place for servers.

.5 - No solution is in place, but one is being planned for deployment.

1 - A configuration management solution is in place, but the number of servers is generally unknown (not known within a tolerance of 5%).

If a configuration management solution (as described below) is in place and the number of institutional servers is generally known (within a 5% tolerance):

What percent of the institution's servers (including both physical and virtual servers) are managed by a configuration management system that has the capability to allow a server administrator to change server administrator passwords remotely and to allow server administrators AND the ISO/CISO the ability to know server configurations and patch status remotely without intervention of another party? Convert this percent to a number on a 0 to 10 scale (ex: 92% = 9.2).


Score:



Documentation/Comments:






B-2 Desktop/Laptop Configuration Management

0 - No configuration management solution is in place for desktops/laptops.

.5 - No solution is in place, but one is being planned for deployment.

1 - A configuration management solution is in place, but the number of desktops/laptops is generally unknown (not known within a tolerance of 5%).

If a configuration management solution (as described below) is in place and the number of institutional desktops/laptops is generally known (within a 5% tolerance):

What percent of the institution's desktops/laptops (including both physical and virtual servers) are managed by a configuration management system that has the capability to allow the responsible administrator(s) to change desktop/laptop administrator passwords remotely and to allow the responsible administrator(s) AND the ISO/CISO the ability to know desktop/laptop configurations and patch status remotely without intervention of another party? Convert this percent to a number on a 0 to 10 scale (ex: 53% = 5.3).



Score:



Documentation/Comments:






B-3 Malware Avoidance (anti-virus and/or anti-malware) Software

0 - No anti-malware software is in place.

.5 - No solution is in place, but one is being planned for deployment.

1 - An anti-malware system (or systems) is in place, but the number of devices running such software is generally unknown.

What percent of institutional devices are known, by way of automated reporting immediately accessible to the ISO/CISO, to be running anti-virus and/or anti-malware software? Convert this percent to a number on a 0 to 10 scale (ex: 88% = 8.8).



Score:



Documentation/Comments:






B-4 Network Monitoring / IDS-IPS

0 - No network IDS/IPS systems are in place.

.5 - No solution is in place, but one is being planned for deployment.

2 - IDS/IPS systems are in place but no staff person is assigned the task of daily monitoring of the system.

Assuming a staff person is assigned the task of monitoring the IDS/IPS, determine the score using the following procedure:

• What percent of network traffic entering the institution from the Internet is examined by an IDS or IPS system? Convert this percent to a number on a 0 to 10 scale (ex: 100% = 10).

• What percent of traffic traversing the internal network is examined by an IDS or IPS system? Convert this percent to a number on a 0 to 10 scale (ex: 65% = 6.5).

• Add these numbers and divide by 2 (ex: (10 + 6.5)/2 = 8.25).


Score:



Documentation/Comments:






B-5 Vulnerability Assessment Practices

(Note: This item is not referring to 3rd party Penetration Testing. This is vulnerability testing that is assumed to be performed by the institution itself to identify internal vulnerabilities. However, the institution may use a 3rd party to perform this function.)

0 - The institution does not perform periodic vulnerability scans.

3 - It has been more than a year since the institution's last comprehensive vulnerability scan.

4 - Vulnerability scans are performed, but needed remediation is not consistently performed. Note: regularity of vulnerability scanning is irrelevant if needed remediation is not performed.

If vulnerability scans are performed at least annually:

5 - Vulnerability scans are performed at least annually, but results are not available to the ISO/CISO.

7 - Vulnerability scans are performed at least annually and results are available to the ISO/CISO. Needed remediation is performed.

7.5 - Vulnerability scans are performed at least annually in authenticated mode and results are available to the CISO. Needed remediation is performed.

If vulnerability scans are performed at least quarterly:

5.5 - Vulnerability scans are performed at least quarterly, but results are not available to the ISO/CISO.

8 - Vulnerability scans are performed at least quarterly and results are available to the ISO/CISO. Needed remediation is performed.

8.5 - Vulnerability scans are performed at least quarterly in authenticated mode and results are available to the CISO. Needed remediation is performed.

If vulnerability scans are performed at least monthly:

6 - Vulnerability scans are performed at least monthly, but results are not available to the ISO/CISO.

9 - Vulnerability scans are performed at least monthly and results are available to the ISO/CISO. Needed remediation is performed.

9.5 - Vulnerability scans are performed at least monthly in authenticated mode and results are available to the CISO. Needed remediation is performed.

10 - Vulnerability scans of the complete institution computing environment are made continuously; results are available to the ISO/CISO. The ISO/CISO verifies that needed remediation is performed.


Score:



Documentation/Comments:






B-6 3rd Party Penetration Testing

The purpose of this index item is to answer the question, "Does the institution have a valid and viable strategy in place for performing 3rd party penetration tests to challenge the effectiveness of the institution's perimeter controls?"

Scoring Criteria:

0 - The Institution has not performed a 3rd Party Penetration Test.

3 - It has been more than 24 months since the institution's last 3rd Party Penetration Test.

5 - It has been more than 16 months since the institution's last 3rd Party Penetration Test.

6 - The Institution has performed a 3rd Party Penetration Test within the past 16 months, but the results have not been made available to the ISO/CISO, or have been made available but have not been reviewed, prioritized, and weaknesses remediated.

7 - The Institution performs annual 3rd Party Penetration Tests and results are made available to the ISO/CISO. Security weaknesses are reviewed, prioritized for correction and corrected as needed.

8 - The Institution performs quarterly 3rd Party Penetration Tests and results are made available to the ISO/CISO. Security weaknesses are reviewed, prioritized for correction and corrected as needed.

9 - The Institution performs monthly 3rd Party Penetration Tests and results are made available to the ISO/CISO. Security weaknesses are reviewed, prioritized for correction and corrected as needed.

10 - The criteria for 9 are met, and the institution has been performing 3rd party penetration testing that is broad in scope for a period of 5 years or longer.

Note about Scope: The usefulness and effectiveness of a 3rd party penetration test is reduced if it is not comprehensive in scope. Take from .5 up to 2 points off the score if the 3rd party penetration test excludes IP ranges that include mission critical systems known to contain confidential information.


Score:



Documentation/Comments:






B-7 Encryption

Encryption of Laptops

0 - The institution has not deployed a laptop encryption solution.

.5 - No solution is in place, but one is being planned for deployment.

4 - An encryption solution is in place, but the institution is not able to determine the number of laptops that require encryption or how many of the target group have been encrypted.

If the institution has established a policy that ALL laptops are to be encrypted:

• Determine the number of laptops that require encryption based on the institution's encryption policy. (Ex: Owned laptops = 180, so 180 require encryption.)

• Determine the percent of these that have been encrypted and convert to a number in the range 0 to 10. (ex: 145 of 180 = 80.5% for a score of 8.05)

If the institution has established a policy that only those laptops containing confidential data must be encrypted:

• Determine the number of laptops that require encryption based on the institution's encryption policy. (ex: 85 of 180 laptops require encryption)

• Determine the percent of these that are encrypted and convert to a number in the range 0 to 10. (ex: 72 of the 85 are encrypted = 84.7% = 8.47)

• Multiply that number by .9 for a final score. (ex: .9 x 8.47 = 7.62)

NOTE: Add 1 point to the score if the implemented solution is an enterprise solution that allows the institution to VERIFY that a lost computer was using whole disk encryption and that the data was in fact encrypted. Score cannot exceed 10.
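The B-7 procedure above as runnable code, added here as a worked example and not part of the form: it reproduces the form's fixed scores, the .9 multiplier for a confidential-data-only policy, the +1 bonus for a verifiable enterprise solution and the cap at 10. The `LaptopEncryptionAssessment` type and its field names are this example's own constructions; intermediate values are truncated rather than rounded because that is what reproduces the form's worked numbers (145 of 180 = 8.05, 72 of 85 = 8.47, .9 x 8.47 = 7.62).

```python
"""Scorer for ISPI item B-7 (Encryption of Laptops).

Added example, not the form's own code.  The dataclass layout is a
constructed assumption; the scores, multiplier, bonus and cap are the form's.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from typing import Optional

# The two encryption policies the form distinguishes.
ALL_LAPTOPS = "all"                      # policy: every institution-owned laptop is encrypted
CONFIDENTIAL_ONLY = "confidential_only"  # policy: only laptops holding confidential data


@dataclass(frozen=True)
class LaptopEncryptionAssessment:
    """Facts an assessor collects for B-7 (constructed field layout, not the form's)."""
    solution_deployed: bool                              # a laptop encryption solution is in place
    planned: bool = False                                # nothing deployed yet, deployment is planned
    policy: str = ALL_LAPTOPS
    laptops_requiring_encryption: Optional[int] = None   # None: institution cannot determine
    laptops_encrypted: Optional[int] = None              # None: institution cannot determine
    verifiable_enterprise_solution: bool = False         # can prove a lost laptop's disk was encrypted


def truncate(value: float, places: int) -> float:
    """Truncate toward zero to `places` decimals, as the form's worked examples do.

    The tiny epsilon absorbs float noise such as 0.9 * 8.47 evaluating to 7.62299999...
    """
    factor = 10 ** places
    return math.floor(value * factor + 1e-7) / factor


def coverage_item_score(encrypted: int, required: int) -> float:
    """Form step: percent of the target group that is encrypted, on a 0 to 10 scale.

    145 of 180 -> 8.05; 72 of 85 -> 8.47.
    """
    if required <= 0:
        raise ValueError("target group must contain at least one laptop")
    if not 0 <= encrypted <= required:
        raise ValueError("encrypted count must lie between 0 and the target group size")
    return truncate(encrypted / required * 10, 2)


def score_laptop_encryption(a: LaptopEncryptionAssessment) -> float:
    """Return the B-7 score (0 to 10) for one assessment."""
    # Fixed scores for the situations the form lists before its procedure.
    if not a.solution_deployed:
        return 0.5 if a.planned else 0.0
    if a.laptops_requiring_encryption is None or a.laptops_encrypted is None:
        score = 4.0   # solution in place, but target group or its coverage is unknown
    else:
        score = coverage_item_score(a.laptops_encrypted, a.laptops_requiring_encryption)
        if a.policy == CONFIDENTIAL_ONLY:
            # Narrower policy: the form multiplies the coverage score by .9.
            score = truncate(score * 0.9, 2)
        elif a.policy != ALL_LAPTOPS:
            raise ValueError(f"unknown encryption policy: {a.policy!r}")
    # NOTE on the form: +1 if the deployed solution can VERIFY that a lost
    # laptop's disk was encrypted; the total can never exceed 10.  Applied to
    # every deployed solution, including the "counts unknown" case (an assumption).
    if a.verifiable_enterprise_solution:
        score = truncate(min(score + 1.0, 10.0), 2)
    return score


if __name__ == "__main__":
    # The form's own worked examples, re-run through the scorer.
    all_policy = LaptopEncryptionAssessment(
        solution_deployed=True, policy=ALL_LAPTOPS,
        laptops_requiring_encryption=180, laptops_encrypted=145)
    confidential = LaptopEncryptionAssessment(
        solution_deployed=True, policy=CONFIDENTIAL_ONLY,
        laptops_requiring_encryption=85, laptops_encrypted=72)
    print(score_laptop_encryption(all_policy))     # 8.05
    print(score_laptop_encryption(confidential))   # 7.62
```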


Score:



Documentation/Comments:






B-8 Email Encryption Support

Obtain an INITIAL SCORE based on the following scale:

0 - The institution provides no email encryption solution that can be used by faculty and staff for encrypting any file type that may be sent via email.

5 - The only means of sending encrypted email is through use of application-based password protection (i.e. Word, Excel etc.).

7 - The institution makes available a web-based or other solution that allows SOME employees to send encrypted email to any outside email address.

8 - The institution makes available a web-based or other solution that allows ALL employees to send encrypted email to any outside email address.

9 - The institution meets the requirements for 8 or higher AND provides a means for sending encrypted email internally.

_____________________

Add up to 1 point to the INITIAL SCORE based on the following criteria:

• Add ½ point if the institution makes digital certificates available so faculty and staff can encrypt email being sent to others who also use digital certificates.

• Add ½ point if the institution uses TLS to automatically encrypt all email going to most business partners. (This requires pre-arrangements with business partners so that it is known that email is being transmitted via TLS.)



Score:



Documentation/Comments:






B-9 Confidential Data Search, Discovery, Removal for data at rest


0 - The institution has not established a strategy to discover and remove unneeded confidential data on either servers or user desktops and laptops.

.5 - No solution is in place, but is being planned for deployment.

1 - The institution has established a strategy of identifying and removing unneeded confidential data on servers.

1 - The institution has established a strategy of identifying and removing unneeded confidential data on user desktops and laptops.

2 - The institution has established a strategy of identifying and removing unneeded confidential data on servers and also user desktops and laptops.


If strategies exist for servers and/or user desktops and laptops (i.e. the score based on the above criteria is 1 or 2) use the following table for scoring:

Item | Item Score | Weight (multiplier) | Total Score

Determine the percent of servers that have been scanned for discovery and removal of unneeded confidential data within the past year. Convert that percent into a number in the range of 0-10. (ex: 75% would equal 7.5) | 0 | .5 | 0

Determine the percent of desktop/laptops that have been scanned for discovery and removal of confidential data within the past year. Convert that percent into a number in the range of 0-10. (ex: 40% would equal 4) | 0 | .5 | 0

Determine the row score by multiplying the Item score by the multiplier. Sum the two row scores to obtain a Total score.
Note: If the institution meets the criteria for obtaining a score based on the two rows above but the Total score results in a score of less than 2, then the Total score should be raised to 2.


TOTAL: 0


Score:



Documentation/Comments:






B-10 Confidential Data Discovery for data in motion


0 - The institution has not deployed technology to filter network traffic to identify confidential data being transmitted in the clear.

.5 - No solution is in place, but is being planned for deployment.

7 - Outbound traffic exiting via the institution’s primary Internet connection is scanned for unencrypted confidential information such as SSNs and credit card numbers, and violators are alerted that a policy violation has occurred.

7.5 - The criteria for 7 are met, plus scanning of internal traffic for exposed SSNs and credit card numbers is similarly performed.

8 - Outbound traffic exiting via the institution’s primary Internet connection is scanned for unencrypted confidential information such as SSNs and credit card numbers; data found to be in violation is blocked (or is automatically encrypted and forwarded on for delivery).

8.5 - The criteria for 8 are met, plus scanning of internal traffic for exposed SSNs and credit card numbers is similarly performed.

9 - All outbound traffic is scanned for unencrypted confidential information such as SSNs and credit card numbers; data found to be in violation is blocked.

9.5 - The criteria for 8 are met, plus scanning of internal traffic for exposed SSNs and credit card numbers is similarly performed.

10 - The criteria for 9.5 are met and additional controls are in place to prevent or enforce encryption on downloads of information to mobile media such as USB drives.


Score:



Documentation/Comments:






B-11 Web Applications Scanning


0 - The institution has no solution in place to scan applications for security coding weaknesses.

.5 - No solution is in place, but is being planned for deployment.

4 - The institution has an application scanning solution/service that is available for use but no policy in place that dictates when applications are to be scanned.

5 - Criteria for 4 are met, but despite the lack of a policy, some application scanning is being performed on an ad hoc basis.

6.5 - The institution has an application scanning solution in place and a policy that defines criteria for determining which applications to scan and criteria that would trigger a need to scan an application.

7 - Criteria for 6.5 are met, the scanning policy requires scanning of all outwardly facing systems that hold or manipulate confidential data, and scanning is taking place according to policy.

8 - The institution has established a prioritization of applications for scanning and is scanning applications based on that priority.

9 - The institution has scanned all mission critical applications and those containing confidential data at least once.

9.5 - The institution has scanned all mission critical applications and those containing confidential data at least once and has an established program for requiring additional scans as part of the application change control process.

10 - All applications have been scanned, and are subject to subsequent scans as a result of the institution’s application change control process requirements for such.


Score:



Documentation/Comments:






B-12 Identity Management Practices


0 - The institution has not agreed to abide by The University of Texas System Federation identity management practices (i.e. is not a member of the Federation).

3 - The institution has signed on to be a member of The University of Texas System Federation and to abide by federation practices.

7 - Each person associated with the institution is assigned a permanent unique identifier (that is not the person’s SSN), and is assigned a digital credential (username and password) that the person uses to authenticate his or her identity.

8 - Each user is vetted in-person as required by The University of Texas System Federation processes as described in the Membership Operating Practices document prior to being granted access to information resources other than those made available to the public.

10 - The institution has passed a formal Audit of its Membership Operating Practices.


Score:



Documentation/Comments:






B-13 Account and Access Control Policies and Practices


For each of the statements below that is True for the institution, place a score of 10 in the Item Score column next to that item. If the statement is false, place a score of 0 in the Item Score column next to that item. Partial credit can be given by assigning a value of 1-9 based on the percent to which the statements are true.

Item | Item Score | Weight (multiplier) | Total Score

1. The institution has an Access Control policy. | | .1 |

2. Processes are in place to ensure that network accounts are established only for authorized individuals. | | .1 |

3. Users accessing non-public University resources and services must sign/acknowledge an acceptable use statement prior to being granted access to network resources. | | .1 |

4. Logon ID and password are required for an individual to gain access to the institution’s network. | | .1 |

5. Logon ID and password are required for an individual to gain access to non-public resources on the network. | | .1 |

6. Processes are in place to ensure that network accounts are revoked when a person’s association with the institution ends or role changes within the institution. | | .1 |

7. Reviews are performed at least annually to ensure that no network accounts continue to exist for employees or others who are no longer associated with the University in a capacity that would warrant their having an account. | | .1 |

8. Two factor (or stronger) access controls are required of individuals who hold positions that require administrator rights. | | .1 |

9. Access to resources is based on minimum “need to know.” | | .1 |

10. Application owners (or designees) determine who has access to information resources within the owner’s scope of authority. | | .1 |


TOTAL:



Score:



Documentation/Comments:






B-14 User Training Execution


What percent of employees and other associates have taken Information Security training within the past year? Convert this percent to a number on a 0-10 scale: (ex: 96% = 9.6)



Score:



Documentation/Comments:






B-15 Purchasing/Outsourcing Security Review Practices


0 - The institution has no process for contract review to ensure that information security issues are appropriately addressed in the purchasing and contracting process.

5 - On an ad hoc basis, some contracts and other purchases are routed to the ISO/CISO for review and recommendation.

7 - The institution includes information security language in all contracts that involve use or storage of University information resources.

7.5 - Criteria for 7 are met and the institution has a process in place to review existing contracts for possible revision if needed security language is not in place.

8 - Criteria for 7.5 are met and the institution has a process in place to help ensure that purchases involving new information systems or services that involve storage, transfer, or access to confidential University data are routed to the ISO/CISO for review and recommendation.

9 - Criteria for 8 are met, and the institution’s Information Security Office has authority to require that a purchaser formally acknowledge acceptance of risk if a decision is made to make a purchase that the ISO has advised against because of poor information security practices of the vendor.

10 - Criteria for 9 are met, and the ISO/CISO has authority to stop purchase of software and/or services, unless overridden by signature of an Executive Officer.


Score:



Documentation/Comments:






C-1 Risk Assessments



Primary focus and weight is placed on completion of annual risk assessments for Mission Critical systems and systems containing confidential University data. However, it is also important that completed risk assessments be used to help establish program priorities and to perform risk assessments for systems not considered to be of high risk. The scoring methodology gives weighted consideration to each of these criteria.

Item | Item Score | Weight (multiplier) | Total

Mission Critical Systems and Systems containing Confidential University Information: Determine the percent of Mission Critical systems and systems containing Confidential University Data that have undergone a risk assessment within the past 12 months. Express this as a number between 0-10. Ex: 68% = 6.8 | | .8 |

Lower Risk Systems: Determine the percent of Low Risk systems that have undergone a risk assessment within the past 12 months. Express this as a number between 0-10. Ex: 45% = 4.5 | | .2 |


SUB-TOTAL:


If completed risk assessments were considered and used to establish priorities for the current year’s Action, Monitoring, and Training Plan, ADD 1 to the sub-total to obtain the final score. | +1

If completed risk assessments were NOT considered and used to establish priorities for the current year’s Action, Monitoring, and Training Plan, SUBTRACT 1 from the sub-total to obtain the final score. | -1


Note: Score cannot exceed 10.

FINAL SCORE:




Score:



Documentation/Comments:






C-2 Annual Report to President which includes the Security Program Document (Action, Training, and Monitoring Plans)


0 - The institution has not submitted a Report to the President for the current fiscal year.

3 - The submitted Report to the President does not meet the defined minimum content requirements.

5 - The submitted Report to the President contains the required minimum content but does not meet the format requirements that allow activities contained in quarterly reports to be associated with Program strategies.

6 - Report has been submitted but content provides little insight into the accomplishments of the previous year’s program or barriers that may be hampering efforts to secure the institution.

7 - The submitted Report to the President is properly formatted and contains required content but does not demonstrate comprehensiveness in terms of adequately informing the President about the program, or in terms of what is included in the Action, Training, and/or Monitoring Plans.

8 - The submitted Report to the President meets the formatting and content requirements and demonstrates that Program Elements have been considered and prioritized and that Risk Assessment results were used to develop items contained in the Action, Training, and Monitoring plans.

9 - Meets the criteria required for 8 plus the included Monitoring plan is comprehensive and addresses monitoring of physical and administrative controls in addition to technical controls. The Program must be signed by the President.

10 - Meets the criteria for 9 plus demonstrates comprehensiveness in all plans: Action Plan, Training Plan, and Monitoring Plan. The Action Plan indicates that Program Elements, Risk Assessments, Audits, and Quarterly & Annual Reports data were considered in determining strategies for the coming fiscal year.


Score:



Documentation/Comments:







C-3 Quarterly and Annual Metrics Reports to UT System


0 - The institution has not submitted all quarterly and annual reports.

5 - Reports are submitted, but fail to provide adequate information about activities to determine the status and viability of the Information Security Program.

7 - Reports are submitted and provide a minimum amount of information, but are lacking in detail needed to provide good understanding of program strengths and weaknesses.

8 - Submitted reports provide sufficient content and detail to understand program activities completed within the timeframe of the reports plus issues, strengths, and weaknesses.

9 - Submitted reports meet the criteria for 8 plus provide comprehensive information about Monitoring Plan activities including activities relating to monitoring of physical and administrative controls, as well as technical controls.

10 - Meets the criteria for 9 on a consistent sustained basis.


Score:



Documentation/Comments:






C-4 Incident Reporting to UT System


Note: For context, “reporting” refers to submission of a formal typed report using the UT System Online Incident Reporting tool.


0 - Significant incidents are not reported to UT System.

2 - Significant incidents are often not reported to UT System.

5 - Significant incidents are reported to UT System, but not in a timely manner (i.e. not soon enough to protect Chancellor and Board members from learning of incidents from 3rd parties prior to being alerted through University channels).

6 - Incidents are reported to UT System, but they are not being reported through use of the online tool and as a result do not appear in the archive database.

7 - No formal reports have been made because no significant incidents have occurred.

7.5 - Initial reporting of significant events occurs but updates and closeout are not consistently performed.

8 - Incidents are reported and follow-up/closeouts are performed appropriately.

9 - Criteria for 8 are met plus UT System reporting is incorporated into the institution’s Incident Response Plan.

10 - Criteria for 9 are met. Incident reports flow to UT System as a matter of course.


Score:



Documentation/Comments:






C-5 TAC 202 Compliance



Data source for scoring of this item is from the Annual Compliance Assessment spreadsheet.

Convert the TAC 202 scores (for Central IT and Decentralized Departments) from a 5 point scale to a 10 point scale by multiplying each by 2.

Then average the two scores to obtain the final score.

__________________


Note 1: The above process weights Central IT and Decentralized IT equally. If an institution is highly centralized or is highly decentralized, it is acceptable to change the weighting ratio from 50/50 to one that reflects the reality of an institution’s circumstances. For example if an institution is 80% centralized, then the Central IT score can be multiplied by .8 and the decentralized score multiplied by .2. These products would then be summed to obtain the final score.

Note 2: If no TAC 202 information is known, because the Annual Compliance Assessment has not been submitted and no appropriate Audit has occurred, the score will be defaulted to “4” on the 0-10 scale, because it is generally known (through previous TAC 202 audits and other TAC 202 compliance activities) that UT institutions are meeting many of the TAC 202 compliance requirements.


Score:



Documentation/Comments:







C-6 PCI-DSS Compliance


1 - The institution has not submitted an Annual Metrics spreadsheet which provides information about PCI-DSS requirements.


If the Annual Metrics spreadsheet has been submitted to UT System, use the following process to obtain the score for this item:

Average the two PCI-DSS scores (central IT and decentralized departments) from the Annual Metrics spreadsheet and multiply this average by two to convert from a 5 point to a 10 point scale. This provides a PRELIMINARY SCORE.


If the institution has only Level 4 merchants (i.e. no single merchant has over 20,000 transactions annually):

Level 4 merchants must comply with PCI-DSS requirements. However, they are not required to follow the PCI-DSS VALIDATION procedures, but are encouraged to do so. Points are added to an institution’s PRELIMINARY SCORE for voluntarily following these procedures.

Add up to 1 point to the PRELIMINARY SCORE for voluntary completion of Annual Self-Assessment Questionnaires (SAQ): Add .1 points to the score for each 10% of the Level 4 merchants that have completed the annual SAQ.

Also, add up to 1 point to the PRELIMINARY SCORE for voluntary completion of quarterly scans of merchant PCI network environments: Add .1 points for each 10% of the LEVEL 4 merchants who have performed the quarterly scans.

This results in the institution’s FINAL SCORE for this item. Note: FINAL SCORE cannot exceed 10.


____________________________________________________________________________________________


If the institution has one or more Level 1, 2, or 3 merchants (a merchant processing at least 20,000 transactions annually):

Note: Level 1, 2, & 3 merchants must adhere to PCI-DSS requirements AND to VALIDATION requirements.

Has each of these merchants completed the required annual Self-Assessment Questionnaire, completed the required Quarterly scans, and completed the required Attestation of Compliance Form?

If “NO”: the FINAL SCORE is “6” or the current value of the PRELIMINARY SCORE as previously calculated, whichever is lower.

If “YES”: Points are added based on voluntary compliance of the institution’s Level 4 merchants with the PCI-DSS VALIDATION procedures.

Add up to 1 point to the PRELIMINARY SCORE for voluntary completion of Annual Self-Assessment Questionnaires (SAQ): Add .1 points to the score for each 10% of the Level 4 merchants that have completed the annual SAQ.

Also, add up to 1 point to the PRELIMINARY SCORE for voluntary completion of quarterly scans of merchant PCI network environments: Add .1 points for each 10% of the LEVEL 4 merchants who complete the quarterly scans.

This results in the institution’s FINAL SCORE for this item. Note: FINAL SCORE cannot exceed 10.
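The C-6 scoring procedure above, worked through as an added Python example that is not part of the ISPI form; the PciInputs field names, the reading of "each 10% of the Level 4 merchants" as whole 10% steps, and all sample values are assumptions made here.

```python
"""Added example (not part of the ISPI form): scorer for item C-6, PCI-DSS
Compliance, following the branches the form describes. Field names, the
whole-10%-step reading of the voluntary bonus, and sample values are assumed."""
from dataclasses import dataclass


@dataclass
class PciInputs:
    metrics_submitted: bool            # Annual Metrics spreadsheet sent to UT System?
    central_it_score: float = 0.0      # PCI-DSS score, central IT, 5-point scale
    decentralized_score: float = 0.0   # PCI-DSS score, decentralized departments, 5-point scale
    level4_merchants: int = 0          # number of Level 4 merchants
    level4_saq_done: int = 0           # Level 4 merchants that completed the annual SAQ
    level4_scans_done: int = 0         # Level 4 merchants that performed the quarterly scans
    has_level1_to_3: bool = False      # one or more Level 1, 2, or 3 merchants?
    level1_to_3_validated: bool = True # every one of them did SAQ, quarterly scans and AoC


def voluntary_bonus(done: int, total: int) -> float:
    """.1 point per each 10% of Level 4 merchants that did the voluntary step, max 1 point.
    Assumption: only whole 10% steps count (7 of 12 = 58% -> 5 steps -> .5)."""
    if total <= 0:
        return 0.0
    steps = done * 10 // total
    return min(steps, 10) / 10.0


def preliminary_score(inp: PciInputs) -> float:
    """Average the two 5-point scores, then multiply by two for the 10-point scale."""
    return (inp.central_it_score + inp.decentralized_score) / 2 * 2


def pci_dss_score(inp: PciInputs) -> float:
    """FINAL SCORE for item C-6 per the form's branches; capped at 10."""
    if not inp.metrics_submitted:
        return 1.0                         # no Annual Metrics spreadsheet -> score of 1
    prelim = preliminary_score(inp)
    if inp.has_level1_to_3 and not inp.level1_to_3_validated:
        # Mandatory validation not completed: 6 or the preliminary score, whichever is lower
        return min(6.0, prelim)
    # Only Level 4 merchants, or Level 1-3 merchants fully validated: add voluntary points
    bonus = (voluntary_bonus(inp.level4_saq_done, inp.level4_merchants)
             + voluntary_bonus(inp.level4_scans_done, inp.level4_merchants))
    return round(min(10.0, prelim + bonus), 2)


if __name__ == "__main__":
    # Constructed sample: 3.5 and 4.0 on the 5-point scale, 12 Level 4 merchants,
    # 7 completed the SAQ and all 12 ran the quarterly scans, no Level 1-3 merchants.
    sample = PciInputs(True, 3.5, 4.0, level4_merchants=12,
                       level4_saq_done=7, level4_scans_done=12)
    print("preliminary:", preliminary_score(sample))   # 7.5
    print("final:", pci_dss_score(sample))             # 7.5 + .5 + 1.0 = 9.0
```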


Score:



Documentation/Comments:





C-7 HIPAA Compliance


NA - The institution is not subject to HIPAA regulations.

1 - The institution has not submitted an Annual Metrics spreadsheet which provides information about HIPAA requirements.


Data source for scoring of this item is from the Annual Compliance Assessment spreadsheet.


A score for HIPAA compliance is determined only for those institutions that are subject to HIPAA. The score is determined through use of the same Annual Compliance Assessment tool that is used to assess TAC 202 compliance. The methodology will be as described in C-5 above, except some adjustment may be needed because HIPAA may not apply to all departments within an institution. For this reason, the initial score will be established from the compliance spreadsheet, but may then be adjusted up or down based on discussion with the institutional CISO to focus on only the specific departments that HIPAA pertains to. The reasons for any adjustments will be documented.


Score:



Documentation/Comments: