Information Resource Risk Assessment Guideline Syracuse University – Information Technology and Services Information Security Guideline – G0102 1.0 Scope This document covers all information technology assets that store, transmit or process SU data. 2.0 Purpose The purpose of this document is to provide a consistent approach for evaluating the risk presented by a particular IT asset not being compliant with an external requirement, SU policy, ITS standard or guideline, or lack of mitigation of an identified vulnerability. It then goes on to define the various signatures and notifications required for granting an exception to a compliance requirement or vulnerability remediation based on the level of risk. 3.0 Guideline In order to assess the risk presented by a particular system, the following items must be quantified. 1. Data Classification Score: Determined by the highest classification of data that is stored or processed on the system in question as per the Syracuse University Information Security Standard. 2. Data Exposure Score: Determined by evaluating the level of data exposure as a result of technical controls around the asset such as firewalls and ACLs. 3. Admin Control Score: Determined by evaluating the administrative control of the asset. Once these three components are identified, the asset’s Threat Exposure Score can be calculated using the below equation: Threat Exposure Score = Data Classification Score * (Data Exposure Score + Admin Control Score) The Threat Exposure Score is then compared against a qualified Vulnerability Score as follows: High, Medium or Low as provided by the weekly InfoSec vulnerability scans. (Scores labelled “critical” are considered “high” for this process) High for any external requirement, SU policy, or ITS standard or guideline that an exception is being sought for. A value of High, Medium or Low to be determined by the ISO in conjunction with the school or unit seeking the exception if the other scoring methods do not make practical sense. The comparison of the Threat Exposure Score against the Vulnerability Score will then provide a qualified Risk Score of HIGH, MEDIUM, or LOW. Based on the Risk Score, the school or unit seeking an SU Information Technology Security Guideline G0102 – Information Resource Risk Assessment Page 1 exception needs to seek and obtain the following approvals, and file those approvals with the Information Security Office. (Note: We need to develop a form and a process for “filing” these – Chris C.) RISK SCORE = LOW: Unit’s IT Director RISK SCORE = MEDIUM: Unit’s IT Director, DDD RISK SCORE = HIGH: Unit’s IT Director, DDD, ISO RISK SCORE = CRITICAL: Unit’s IT Director, DDD, ISO, CIO 3.1 Quantifying Data Classification Score A risk assessment is not complete without a process of identification of information in the information systems to be protected. Based on the type of data as defined by the Syracuse University Information Security Standard, the Data Classification Score is as follows:Type of Data Data Classification Score Confidential or federally funded research data 4 Enterprise 2 Public 1 3.2 Quantifying Data Exposure Score Risk evaluations must also include an assessment of how much risk each asset faces due to the exposure/availability of the information. We have classified assets based on their availability as follows to determine the Data Exposure Score: Asset Availability Data Exposure Score External /Internet Service Provided available to large number of users 4 External/ Internet Available 3 Internal Campus Available/To small number of user 2 Firewalled/Exposure Limited with other means like 2Factor authentication etc. 1 3.3 Quantifying Admin Control Score Control risk is the risk of errors or irregularities, in the underlying transactions/process that will not be prevented, detected and/or corrected by teams managing the assets. Based on current distribution of the assets, the following categories are used to determine the Admin Control Score: SU Information Technology Security Guideline G0102 – Information Resource Risk Assessment Page 2 Asset Control Admin Control Score Staff/Faculty/ Student Managed 3 Staff/Faculty/Student Managed with oversight from ITS/DSP Admin 2 ITS/DSP Managed 1 4.0 Risk Analysis Based on the Threat Exposure Score described above, we have identified overall risk associated with each information asset on our campus to be anywhere from a 2 to 28 ranking from a low risk to a high risk asset. This is the inherent risk carried by all information assets depending on their usability, availability and management. Typically having identified assets, assigned values, and ascertained threats, the next step is to determine what vulnerabilities exist. During this analysis, the assets themselves should not play a major role in the ranking process. However the combined effect of vulnerability in the assets coupled with asset threat rank should allow for risk review. Below we have created a risk approval matrix based on current insights in vulnerability and asset threat categorization. Vulnerability Score Vulnerability T h r e a t E x p o s u r e Low Medium High LOW RISK LOW RISK MEDIUM RISK IT Director Approval IT Director Approval DDD and IT Director approval Medium (612) LOW RISK MEDIUM RISK HIGH RISK IT Director Approval DDD and IT Director approval ISO, DDD and IT Director Approval High (16-28) MEDIUM RISK HIGH RISK CRITICAL RISK DDD and IT Director approval ISO, DDD and IT Director Approval CIO, ISO, DDD and IT Director Approval Threat Low (2-5) In summary the threat and risk assessment process is not a means to an end and an integral part of the overall life cycle of the infrastructure. SU Information Technology Security Guideline G0102 – Information Resource Risk Assessment Page 3 This is a continual process that will be reviewed regularly to ensure the protection mechanisms, which are currently in place still meet the required objectives. The assessment is meant to adequately address the security requirements of the organization in terms of integrity, availability and confidentiality. 5.0 Referred Documents, Web Pages and Contact Information Item Location/Info Standard: Syracuse University Information Security Standard Contact: Director of Information Security Document Info Version: Effective Date: Date of Last Review Date of Next Mandatory Review http://its.syr.edu/infosec/docs/standards/ITSecuritystandard.pdf Christopher Croad [email protected] 1.0 Dec 01, 2014 Nov 20,2014 November 20, 2015 SU Information Technology Security Guideline G0102 – Information Resource Risk Assessment Page 4
© Copyright 2024