Integrated Information Technology Services
Vulnerability and Risk Assessment
POLICY:
Utica University will conduct periodic audits consisting of vulnerability assessments, penetration tests, network monitoring, and risk assessments against the University’s computing, networking, telephony, and information resources. The University’s Information Security Officer has been granted the authority to conduct these audits and to gain access to systems and files as needed to support those audits. In addition, the President of the University may, at his or her discretion, authorize other University personnel to conduct audits for special projects.
Audits may be conducted to:
- Assist in the risk management process
- Confirm the security of physical and virtual information systems and processes
- Ensure conformance to the University’s IITS policies and corresponding regulations (FERPA, PCI/DSS, HIPAA, GLBA, etc.)
- Ensure that information is accessible only by those individuals who should be able to access it
- Ensure that information is protected from modification by unauthorized individuals
- Ensure that system resources are available to support the mission of the University
- Identify critical assets
- Investigate possible security incidents
The execution, development, and implementation of remediation programs are the joint responsibility of campus users, departments, systems staff, and the group responsible for the systems and areas being assessed. Users are expected to cooperate fully with any risk assessment being conducted on systems for which they are held accountable. Users are further expected to work with an appointed Risk Assessment Team in the development of a remediation plan.
SCOPE:
This policy applies to all Utica University faculty, staff, and students, and covers all of Utica University’s computing, networking, telephony, and information resources.
REASON FOR POLICY:
This policy is designed to proactively identify and mitigate risks to the University’s network, comply with best practices as specified by National Institute of Standards and Technology and the Financial Accounting and Standards Board (FASB), and ensure that risk assessments are conducted efficiently and effectively.
DEFINITIONS:
Audit: A systematic evaluation designed to ensure the integrity of data and/or systems. Audits may be conducted routinely (i.e., on a designated schedule) or when there is reasonable evidence that the University’s data or networks have been compromised.
Vulnerability Assessment: As defined by the SANS (SysAdmin, Audit, Network, Security) Institute, “Vulnerabilities are the gateways by which threats are manifested.” A system compromise can occur through a weakness found in a system. A vulnerability assessment is a search for these weaknesses/exposures in order to apply a patch or fix to prevent a compromise (www.SANS.org, 2001).
Penetration Testing: Attempts to exploit vulnerabilities found during a vulnerability assessment in order to find or gain access to relevant data.
Risk Assessment: A process by which to determine what information resources exist that require protection, and to understand and document potential risks from IT security failures that may cause loss of information, confidentiality, integrity, or availability (http://policy.ucop.edu/doc/7000543/BFB-IS-3).
Risk Assessment Team: A flexible team whose members are determined by the Information Security Officer (see Resources/Questions, below) based on the task at hand.
PROCEDURE:
While IITS staff members who oversee specific areas (e.g., email, networking, etc.) are responsible for day-to-day operations, the Information Security Officer is responsible for proactively conducting audits to identify vulnerabilities, and has been granted the access required to carry out these duties. In the event of suspicious activity or as part of a vulnerability or risk assessment, or quarterly review, access may include:
- User-level and/or system-level access to any University computing, networking, telephony, or information resource
- Access to information (electronic, hardcopy, etc.) that may be produced, transmitted, or stored on Utica University equipment or premises
- Access to work areas (labs, offices, cubicles, storage areas, etc.), through the assistance of the Office of Campus Safety
- Access to interactively monitor and log traffic on Utica University networks in accordance with policies and regulatory requirements
When user interaction is required, the Information Security Officer will discuss the details of the vulnerability assessment with the individual in charge of the area in question before scheduling and deploying any assessments.
If immediate action is required, the Information Security Officer will contact University employees as appropriate.
Service Degradation and/or Interruption
Network and server performance and/or availability may be affected by network scanning. Prior notification will be made to those possibly affected by the process. Steps will be taken to reduce the impact on the performance and availability of the University’s network and ensure continuity in University operations.
Emergencies
In emergency cases or if the Information Security Officer is not available, actions may be taken by the person(s) in charge of maintaining the system in question. In some cases, this may mean taking actions without prior consultation. These actions may include rendering systems inaccessible. For example, if there is a problem with a user’s email account, the supervisor in charge of email administration will take appropriate actions to protect the integrity of the entire system.
Response Classifications
The Information Security Officer will use the following classifications to determine the necessity and timeframe for taking action:
High – Emergency procedures must be enacted immediately. Response time will be within 24 hours.
Medium – Resolution must be scheduled at the earliest possible time. Response time will be within three days.
Low – Resolution must be implemented during the next scheduled maintenance period. Response time will be within two weeks.
RESPONSIBILITY:
The Information Security Officer is responsible for the annual review of this document. IITS will ensure the proper protections are in place based on the system in question. The Information Security Officer and those designated are responsible for following the policy defined in this document.
ENFORCEMENT:
Enforcement of Utica University policies is the responsibility of the office or offices listed in the “Resources/Questions” section of each policy. The responsible office will contact the appropriate authority regarding faculty or staff members, students, vendors, or visitors who violate policies.
Utica University acknowledges that University policies may not anticipate every possible issue that may arise. The University therefore reserves the right to make reasonable and relevant decisions regarding the enforcement of this policy. All such decisions must be approved by an officer of the University (i.e., President, Provost and Vice President for Academic Affairs, Executive Vice President and Chief Advancement Officer, Vice President for Financial Affairs, or Vice President for Legal Affairs and General Counsel).
RESOURCES/QUESTIONS:
For more information, contact the Information Security Officer.
Please note that other Utica University policies may apply or be related to this policy. To search for related policies, use the Keyword Search function of the online policy manual.
Effective Date: 02/22/2013
Promulgation Date: 03/01/2013