UPPS 04.01.11 - Risk Management of Information Resources
Risk Management of Information Resources
UPPS No. 04.01.11
Issue No. 2
Effective Date: 4/30/2021
Next Review Date: 9/01/2023 (E2Y)
Sr. Reviewer: Chief Information Security Officer
Texas State University is committed to the management of security risks posed to information resources.
This policy establishes the basis for management of security risks posed to information resources, including risk assessment, risk mitigation, and common configuration requirements across most information resources and information resource systems.
The frameworks outlined in this policy are not intended to be the sole source of configuration requirements, as technical requirements for individual information resources will be dependent on the value of the resource, context surrounding the resource’s implementation and use, and current trends and best practices.
This document also outlines individual role types (i.e., user, owner, custodian, privileged) and typical responsibilities associated with each type of role.
Data gathering and system evaluation requirements pertaining to the acquisition of information resources that will handle sensitive or confidential information are outlined in this document. These requirements are not intended to be used in lieu of other asset selection procurement procedures, including UPPS No. 05.02.06, Acquisition of Information Technology Products and Services. Rather, these requirements provide additional information pertaining to proactive risk mitigation measures that function within the overall procurement process for such information resources.
INFORMATION ASSET MANAGEMENT PROCEDURES
As stated in Section 01.02 of UPPS No. 04.01.01, Security of Texas State Information Resources, Texas State University’s information resources are strategic and vital assets that must be available when needed and protected commensurate to their value. In this policy, the university has identified specific actions required to achieve these objectives. The university has also articulated the owner, custodian, user, and privileged roles to clearly distinguish the parties responsible and accountable for taking those actions, in consultation with the Information Resources Manager (IRM) and Chief Information Security Officer (CISO).
The university (and consequently the state of Texas) is the legal owner of all the university’s information resources. As a practical matter, the university delegates specific ownership responsibilities to those with day-to-day oversight of the information resource. For example, ownership is split for departmental file shares hosted on Technology Resources servers in the data center. The shared directories and their logical contents are owned by the department, and the host computer and related disk storage are owned by Technology Resources.
Owners have been designated for information resources based upon the general subject matter of the data. For example, Human Resources and Faculty and Academic Resources are the designated owners of staff and faculty employee information, respectively (see the Data Ownership Guide on the Information Security website for more information).
Ownership responsibility for certain information resources, including network, hardware, and software, is assigned to the party accountable for the resource, as documented in the university’s inventory, procurement, and licensing records. Owners generally occupy director- or higher-level positions that grant oversight of operations within a given area or institutional function (see UPPS No. 04.01.01, Security of Texas State Information Resources, Section 03.04). In other cases, the principal investigator for a research grant may be contractually designated as the information owner.
In consultation with the IRM and CISO, owners are specifically responsible for:
keeping abreast of laws and policies related to the information resources they own and classifying these resources according to their need for security protection (see Section 02.08);
determining the value of, authorizing user access to, and establishing procedures for authorized disclosure of their information resources;
specifying data control requirements for their information resources and conveying those requirements to co-owners, custodians, and users;
specifying appropriate controls, based on risk assessment, to protect their information resources from unauthorized use, modification, deletion, or disclosure;
selecting and assigning custody of information resources, in consultation with the CISO or appropriate Information Technology (IT) division staff, to custodians capable of implementing the necessary security controls and procedures;
contractually binding non-university custodians to implement and comply with their specified security controls and procedures;
confirming the implementation of and compliance with the specified controls by the custodians;
reviewing and maintaining access authorization lists based on documented security risk management decisions; this includes reviewing the access authorization lists for their resources to ensure that authorization is promptly revoked from those whose roles no longer justify the specified access (see TAC 202.72 (1)). Authorization lists reviewed should be comprehensive and include all components of the information resource (e.g., system, application, and database accounts); and
reviewing access authorization lists, which shall be conducted on a recurring basis (at least annually). The frequency of review shall be determined by the information owner in consultation with the CISO (or designee), and based on risk assessment methodology. The review must be documented, reviewed, and approved by appropriate owner management. Records necessary to support the reviews shall be maintained and should not contain confidential or sensitive information.
In consultation with the IRM and CISO, custodians provide information asset services to both owners and users. A custodian may be a person (such as a departmental system support specialist), a team or department (such as Technology Resources), or an authorized third-party provider of information resource management services (such as a website or application hosting firm).
Regardless of how the role is filled, custodians are expected to:
assist the owner in identifying cost-effective controls, along with monitoring techniques and procedures for detecting and reporting control failures or violations;
implement the controls and monitoring techniques and procedures specified by the owner and as specified by university policies, procedures, and standards;
provide and monitor the viability of physical and procedural safeguards for the information resources in accordance with the Information Security program;
provide appropriate information security training to employees; and
ensure information is recoverable in accordance with risk management decisions (see TAC 202.72 (2)).
The user role is the default role possessed by all users of Texas State information resources. Users of information resources shall use those resources for defined purposes that are consistent with their institutional responsibilities and always in compliance with established controls. Users must comply with the university’s published security policies and procedures, as well as with security bulletins and alerts that Information Security or other IT units issue in response to specific risks or threats. The use of Texas State information resources implies that the user has knowledge of and agrees to comply with the university’s policies governing such use (see TAC 202.72 (3)).
Employee users are responsible for ensuring the privacy and security of the information they access in the normal course of their work. Employees are also responsible for the security of any terminal, workstation, printer, or similar electronic device utilized in the normal course of their work. Employees are authorized to use only those resources and materials that are appropriate, necessary, and consistent with their job functions and must not violate or compromise the privacy or security of any data or systems accessible via the university’s information resources (see UPPS No. 04.01.07, Appropriate Use of Information Resources, for additional information about acceptable and prohibited uses of Texas State’s information resources).
Except as provided in Sections 02.05 and 02.06, users may not attempt to violate the security or privacy of the university’s information resources. The attempted violation of information security or privacy is grounds for revocation of computer access privileges, suspension or discharge of employees, suspension or expulsion of students, and prosecution to the full extent of the law.
Users are responsible for the security of any computer account (e.g., NetID or username) issued to them and are accountable for any activity that takes place under their account. Users who discover or suspect that the security of their account has been compromised must immediately change their password and report the incident to the Information Technology Assistance Center (ITAC) for initial investigation. ITAC shall escalate the incident to Information Security if the compromise may increase the risk to other university information resources (see UPPS No. 04.01.10, Information Security Incident Management). Any suspected or attempted violation of system security should be reported immediately to ITAC at 512.245.4822, firstname.lastname@example.org; or Information Security at 512.245.4225, email@example.com.
By virtue of their job duties (e.g., the review and monitoring activities described in Section 02.06), designated employees may require and may be entrusted with elevated access privileges to specified information resources. These employees normally function in custodial or security-related roles with respect to the specified information resources. Users entrusted with elevated access privileges shall:
use those privileges solely for the purpose intended by the information resource owner; and
access, disclose, and discuss the information only to the extent required to perform the job duty for which the privileges were granted.
Review and Monitoring
Texas State’s information resources are subject to review, monitoring, and disclosure as provided in Section 06 of UPPS No. 04.01.02, Information Resources Identity and Access Management. Consequently, users should not expect privacy in their use of Texas State’s information resources (see NIST 800-53 AC-8, AR-4).
When confidential information from another university or state agency is received by Texas State in connection with the transaction of official business, Texas State shall maintain the confidentiality of the information in accordance with the conditions imposed by the providing agency or university.
Prior to releasing, publishing, or disclosing any university information, the designated university owner of the information, in consultation with the IRM and CISO, shall classify the information as public, sensitive, or confidential, according to its need for confidentiality. Moreover, the information resource’s owner should ensure that disclosure controls and procedures are implemented and followed to afford the degree of protection required by the assigned classification. Information shall be assigned one of the following three classifications:
Public (Level 1) information is by its very nature designed to be shared broadly, without restriction, at the complete discretion of the owner. It may or may not have been explicitly designated as public. Public information may be freely disseminated without potential harm to the university, individuals, or affiliates. From the perspective of confidentiality, public information may be disclosed or published by any person at any time.
Examples of public information include: advertising and marketing literature, degree program descriptions, course offerings and schedules, campus maps, job postings, press releases, descriptions of university products and services, and certain types of unrestricted directory information, as specified by the Family Educational Rights and Privacy Act of 1974 (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA).
Sensitive (Level 2) information can be difficult to classify as it often presents attributes of both public and confidential information. Sensitive information may be deemed “public” in the sense that, under certain circumstances, disclosure may be required under provisions of the Texas Public Information Act (TPIA). However, the disclosure of sensitive information also requires assurances that its release is both controlled and lawful. Sensitive information is often intended for use within a specific workgroup, department, or group of individuals with a legitimate need to know. Likewise, access to sensitive information may be controlled by identity authentication and authorization measures (e.g., NetID and password). Unauthorized disclosure of sensitive information could adversely impact the university, individuals, or affiliates.
Examples of sensitive information include: some employee records (such as performance appraisals, home address, home telephone number, and personal email addresses), departmental policies and procedures that might reveal otherwise protected information, the contents of email, voice mail, instant messages and memos, unpublished research, information covered by non-disclosure agreements, and donor information.
Generally speaking, sensitive information should not be published or disclosed to the public except by the university’s designated owner of the information in accordance with the owner’s established practices, or after consultation with The Texas State University System (TSUS) associate general counsel (see the Data Ownership Guide on the Information Security website for more information).
Confidential (Level 3) information is defined by TAC 202 to be “information that must be protected from unauthorized disclosure or public release based on state or federal law or other legal agreement,” such as the TPIA and FERPA.
Confidential information is generally intended for a very specific purpose and shall not be disclosed to anyone without a demonstrated need to know, even within a workgroup or department. Disclosure of confidential information is generally regulated by specific legal statutes (e.g., TPIA, FERPA, HIPAA), contract agreements, published opinions by the Office of the Attorney General of Texas, and the TSUS Rules and Regulations. Unauthorized disclosure of this information could have a serious, adverse impact on the university, individuals, or affiliates, and presents the most serious risk of harm if improperly disclosed.
Examples of confidential information include: student education records, as defined under FERPA, personally-identifiable medical records, passport information, crime victim information, library transactions (e.g., circulation records), court-sealed records, and access control credentials (e.g., PINs, passwords, and multi-factor authentication devices). Confidential information also includes any of the following when combined with other personally-identifying information: social security number, driver’s license number, date of birth, payment cardholder information, or financial account information.
Confidential information must not be disclosed to the public under any circumstances other than those specifically authorized by law. Any such disclosure should be immediately reported to the Information Security Office for incident mitigation and investigation (see UPPS No. 04.01.10, Information Security Incident Management). Requests for such information received from persons with a questionable need to know should be directed to the TSUS associate general counsel.
Standards for Handling Sensitive and Confidential Information
Because of the harm that can result from improper disclosure, sensitive and confidential university information shall be afforded the following special protections by owners, custodians, and users:
A person’s social security number, driver’s license number, or other widely-used government-issued identification number shall not be captured, stored, or used as a person identifier unless such use is required by an external, governmental, or regulatory system that is authorized for use at the university. The Texas State ID number or NetID should be used in lieu of such prohibited identifiers in situations where personal names or other identifiers do not assure uniqueness. Where use of such numbers is required, owners, custodians, and users shall store these numbers in encrypted form or using other compensating controls with the advice and authorization of the CISO (or designee).
Payment cardholder data (e.g., the primary account number or the magnetic stripe contents together with any one of: cardholder name, expiration date, or the service code) shall not be stored on any device for longer than is necessary to authorize a transaction using that information.
Confidential information must not be transmitted electronically over a public network (e.g., the internet) in unencrypted form. Either the information itself must be encrypted prior to transmission or an encrypted connection must be established and maintained for the duration of the transmission. Authorized encrypted connection examples include the university’s implementations of Virtual Private Network (VPN), Transport Layer Security (TLS), and Secure Shell (SSH).
Confidential information shall not be stored on portable devices or media such as notebook or tablet computers, smart phones, USB drives, CDs, DVDs, tape cartridges, etc. If such storage is required, the confidential information must be protected by encryption or by other compensating controls with the advice and authorization of the CISO (or designee).
Confidential information must not be accessed from remote locations in an unauthorized manner. Examples of authorized remote access solutions include the university’s implementations of VPN, TLS, and SSH. Contact ITAC for up-to-date information about authorized remote access solutions and the acceptability of other options.
Confidential information shall not be stored on personally-owned devices or media. If such storage is required, the confidential information must be protected by encryption or by other compensating controls with the advice and authorization of the CISO (or designee).
Confidential information shall not be stored on any devices external to the campus network except as provided under contract with an authorized information resource service provider that is contractually bound to properly protect the information (see UPPS No. 04.01.01, Security of Texas State Information Resources, Section 03.06).
Confidential or sensitive information shall be retained only as long as the information is needed to conduct university business. It is the responsibility of owners, custodians, and employee users to perform periodic reviews to ensure confidential and sensitive information stored on university information resources (e.g., desktops, laptops, portable drives, and servers) is removed when no longer needed. IT provides data-loss-prevention software to assist in the identification, encryption, or removal of confidential and sensitive information on all university workstations.
Encryption requirements for information storage and transmission, as well as for portable devices, removable media, and encryption key management, shall be based on documented risk management decisions. Contact ITAC for up-to-date information about university-supported encryption solutions.
All computing devices that do not have an approved exemption are required to employ whole-disk encryption, regardless of their intended use or the data stored on them, to protect against inadvertent data disclosure. Refer to the Computer Encryption Program website for information on computer encryption best practices.
ITAC, in consultation with the CISO (or designee), will provide and support whole-disk encryption for all university workstations. Departments that do not have a technical support person can request assistance from ITAC with installing encryption software on their computers. It is the responsibility of each workstation owner and the associated department head to ensure that systems under their custodianship are encrypted.
There may be instances in which a device, or group of devices, may need to be exempted from the encryption standard (e.g., a computer lab that is imaged on a regular basis). In these cases, a formal encryption exception request form must be submitted for approval. Department computing resources that need to be exempted from encryption or have encryption configured should direct requests to firstname.lastname@example.org. The CISO (or designee) will review and authorize exemption requests. Approved exemptions are valid for 365 days. Owners may appeal denied exemption requests to the vice president for IT, whose decision is final.
Confidential information shall not be shared, exposed, or transmitted via any peer-to-peer (P2P) file sharing mechanism prior to completion of a comprehensive risk assessment, including penetration testing, of the proposed P2P file sharing mechanism by Information Security.
These restrictions apply regardless of the user’s location and include transmissions over any network accessible to the user, including in-home networks.
Transfer, Disposal, or Destruction of Information Assets
The sale, transfer, or disposal of old, obsolete, damaged, nonfunctional, or otherwise unneeded electronic devices and media pose information risks for the university. These risks are related primarily to the contents of storage media within these devices, which may expose sensitive or confidential information, licensed and non-transferable software, copyrighted intellectual property, or other protected information. Modern computer forensic techniques may allow for the recovery of data even after it has been moved, deleted, wiped, or otherwise logically removed from a storage device.
Under Texas Government Code §2054.130, state agencies and institutions of higher education are required to permanently remove data from data processing equipment before disposing of or otherwise transferring the equipment to an entity that is not a state agency or other agent of the state. The Texas Department of Information Resources (DIR) recommends that "state agencies shall assess whether to remove data from any associated storage device. Electronic state records shall be destroyed in accordance with §441.185, Government Code" (see NIST 800-53 MP-7).
Owners, custodians, and users shall contact ITAC for media sanitization assistance prior to transferring ownership or otherwise disposing of any magnetic media (e.g., hard disk drives, USB drives, backup tape cartridges, DVDs, CDs, etc.) or any devices containing such media (e.g., computers, laptops, PDAs, tablets and smart phones, printers, copiers, etc.). ITAC will securely sanitize or destroy the media, at its sole discretion, and maintain appropriate records of the action taken (see UPPS No. 05.01.02, University Surplus Property (Equipment and Consumable Supplies), for additional information regarding proper disposal procedures).
Owners, custodians, and users shall not repurpose or reassign any electronic device or electronic media contained within a device without first fully sanitizing the media using a tool sanctioned by the CISO (or designee). Reformatting the media does not constitute, by itself, a satisfactory sanitization process.
COMMUNICATIONS AND OPERATIONS MANAGEMENT PROCEDURES
Network resources used to exchange sensitive or confidential information shall protect the confidentiality of the information for the duration of the session. Controls shall be implemented commensurate with the highest risk. Transmission encryption technologies (e.g., VPN, TLS, HTTPS, SSH, IPSEC, etc.) shall be employed to accomplish this objective (see NIST 800-53 SC-8).
For on-campus wireless network access, Technology Resources shall establish and maintain a WPA2-AES encrypted (or equivalent or superior) wireless network for use on the university campus.
To facilitate security of the campus network, owners, custodians, and users of information resources shall adhere to the provisions of UPPS No. 04.01.05, Network Use Policy.
Owners of distributed information resources within the campus network shall prescribe sufficient controls to ensure that access to those resources is restricted to authorized users and uses only. Examples of such resources include network equipment rooms, data closets, and the equipment contained within them. Controls shall restrict access to the resources based upon user identification and authentication (e.g., password, smartcard or token), physical access controls, or a combination thereof (see TAC 202.70 and NIST 800-53 PE).
ACCESS CONTROL PROCEDURES
Prior to obtaining access to the Texas State network, any device connected to that network, any service provided via that network, or any application hosted on that network, individuals must authenticate themselves as authorized users of the network, service, device, or application. This requirement may be waived in situations where a formal risk assessment has determined that access to the resource does not require individual user identification, authorization, or accountability.
A university-assigned network identifier (e.g., NetID or Texas State ID number) and its corresponding “secret” (e.g., a password, PIN, smartcard, or token) shall be used to accomplish the authentication. Based upon security risk assessment, information resources that contain sensitive or confidential information may require the use of multi-factor authentication where one factor is provided by a device separate from the computing device gaining access. The network identifier shall be unique to an individual in all cases except for authorized “service” accounts that must be accessible to a team of custodians charged with supporting a breadth of resources (see NIST 800-53 AC).
Based upon security risk assessment, owners and custodians shall implement and maintain audit trails and transaction logs as necessary to provide accountability on a per-account basis for changes to mission critical information, hardware, software, and automated security or access rules (see NIST 800-53 AC).
Self-service systems must incorporate security procedures and controls to ensure data integrity and protection of sensitive or confidential information. Self-service systems must authenticate the identity of individuals that use the systems to retrieve, create, or modify sensitive or confidential information about them (see NIST 800-53 AC).
To the extent practicable, all initial login and authentication screens should clearly and prominently display the following user advisory: “Use of computer and network facilities owned or operated by Texas State University requires prior authorization. Unauthorized access is prohibited. Usage may be subject to security testing and monitoring, and affords no privacy guarantees or expectations except as otherwise provided by applicable privacy laws. Abuse is subject to criminal prosecution. Use of these facilities implies agreement to comply with the policies of Texas State University” (see NIST 800-53 AC).
A user’s NetID shall be deactivated whenever the user’s affiliation with the university no longer qualifies the user to possess an active NetID. See UPPS No. 04.01.02, Information Resources Identity and Access Management, Section 04.02 e., for specifics regarding the deactivation of employee accounts upon separation from service (see NIST 800-53 AC).
Sensitive and confidential information shall be accessible only to personnel with authorization from the information owner on a strict need-to-know basis in the performance of their assigned duties. Such information shall be disclosed only by the information owner, as described in the Data Ownership Guide on the Information Security website (see NIST 800-53 AC-6).
All Texas State information resources that employ passwords for authenticating user identities shall be configured to comply with the sets of standards below (see NIST 800-53 IA):
General Requirements – the following criteria apply to all instances where passwords are used for authentication:
passwords must be case-sensitive;
passwords must not be re-used following password resets within the same system or service;
password history shall be enforced to the system’s maximum available setting;
authentication systems must utilize one-way encryption and, once assigned, the password must not be retrievable by anyone. Thus, when a password is lost or forgotten, the existing password will not be retrieved and instead a new password will be assigned or set by the user;
password change logs shall be maintained by custodians who issue passwords. The log entries should reflect the date and time of the password change and the username associated with the changed password, but neither the new nor the old password;
passwords must be changed if compromised;
authentication systems must support user-initiated, self-service reset processes OR upon creation of user account, a temporary password must be delivered in a confidential manner and be reset upon first log on by the account owner;
passwords shall be changeable by their owners at will;
passwords should be unique (i.e., a user must not set their NetID password to the same password as their personal email address);
passwords should not be set to credentials obtained from previous, known breaches, commonly used passwords, dictionary words, repetitive or sequential characters (e.g., “aaaaaaaa” or “abcd1234”), or context-specific words (including the name of the service, user’s name, or derivatives thereof);
information resource owners and custodians may require more frequent password changes based upon risk assessment results; and
authentication systems must support the use of special characters in passwords (see NIST SP 800-63B, Section A.3).
In addition to the requirements outlined in Section 04.06, authentication systems must also incorporate one of the following standards:
Modern Authentication System Standards – It is the expectation that new information resources will use modern authentication standards and will support multi-factor authentication.
passwords must be at least 15 characters in length (though complex passwords and passphrases are strongly encouraged); and
services should support multi-factor authentication.
Legacy Authentication System Standards:
passwords must be at least eight characters in length (though longer passwords and passphrases are strongly encouraged);
passwords must include at least one character from at least three of the following four character sets:
uppercase characters (A, B, C … Z);
lowercase characters (a, b, c … z);
numeric characters (0, 1, 2 … 9);
special characters or symbols (e.g., #, $, %, ^, &, -); and
passwords must be changed at least annually.
In the event that an information resource is incapable of enforcing all requirements for passwords as specified in Sections 04.06 and 04.07, alternative mitigating security controls shall be implemented in place of these requirements with approval from the CISO (or designee).
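To make the General, Modern, and Legacy password requirements above concrete, here is an added example checker written for this page (it is not Texas State code): it assumes a four-character threshold for "repetitive" and "sequential" runs, derives context-specific words from the username and service name, uses a constructed five-entry stand-in for the breach/common-password list, and keeps password history as salted PBKDF2 hashes so that no stored password is retrievable.

```python
"""
Password-standard checker for the General (04.06) and Modern/Legacy (04.07)
requirements quoted above.  Added example, not Texas State code.  The run
threshold, the derivation of "context-specific" words and the sample breach
list are assumptions.
"""
import hashlib
import os
import re

# Constructed stand-in for "credentials obtained from previous, known breaches"
# and "commonly used passwords"; a real deployment would load a full list.
BLOCKLIST = {"password", "password1", "welcome1", "qwerty123", "letmein"}

MIN_LENGTH = {"modern": 15, "legacy": 8}   # lengths stated in Section 04.07
RUN_LENGTH = 4            # assumption: 4+ identical/consecutive characters is a run
PBKDF2_ROUNDS = 100_000   # one-way storage: the password itself is never kept


def has_repeat_run(pw, n=RUN_LENGTH):
    """True for runs of one repeated character such as 'aaaa'."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run >= n:
            return True
    return False


def has_sequential_run(pw, n=RUN_LENGTH):
    """True for ascending or descending runs such as 'abcd', '1234' or 'DCBA'
    (compared case-insensitively)."""
    low = pw.lower()
    for step in (1, -1):
        run = 1
        for prev, cur in zip(low, low[1:]):
            run = run + 1 if ord(cur) - ord(prev) == step else 1
            if run >= n:
                return True
    return False


def context_words(username, service):
    """Words the password must not contain: the service name, the user's name
    and simple derivatives (assumption: alphabetic fragments of 3+ letters and
    their reversals, matched case-insensitively)."""
    words = set()
    for source in (username, service):
        for frag in re.split(r"[^A-Za-z]+", source):
            if len(frag) >= 3:
                words.add(frag.lower())
                words.add(frag.lower()[::-1])
    return words


def character_classes(pw):
    """Number of the four Legacy character classes present in the password."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),   # special characters or symbols
    ])


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only the (salt, digest) pair is stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(pw, history):
    """history is a list of (salt, digest) pairs produced by hash_password."""
    return any(
        hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS) == digest
        for salt, digest in history
    )


def check_password(pw, username, service, mode="modern", history=()):
    """Return the list of violated requirements; an empty list means accepted."""
    if mode not in MIN_LENGTH:
        raise ValueError("mode must be 'modern' or 'legacy'")
    problems = []
    if len(pw) < MIN_LENGTH[mode]:
        problems.append(f"shorter than {MIN_LENGTH[mode]} characters ({mode} standard)")
    if mode == "legacy" and character_classes(pw) < 3:
        problems.append("fewer than three of the four character classes (legacy standard)")
    if pw.lower() in BLOCKLIST:
        problems.append("matches a breached or commonly used password")
    if has_repeat_run(pw):
        problems.append("contains repetitive characters")
    if has_sequential_run(pw):
        problems.append("contains sequential characters")
    hits = sorted(w for w in context_words(username, service) if w in pw.lower())
    if hits:
        problems.append("contains context-specific word(s): " + ", ".join(hits))
    if in_history(pw, history):
        problems.append("re-uses a previous password for this account")
    return problems


if __name__ == "__main__":
    old = [hash_password("CorrectHorse!Battery9")]   # constructed prior password
    for candidate in ("CorrectHorse!Battery9", "abcd1234",
                      "Bobcat-NetID-2021!!", "Purple-Giraffe-Sings-7"):
        result = check_password(candidate, "jane.doe", "Texas State NetID", history=old)
        print(candidate, "->", result or "accepted")
```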
Information resources that contain, access, or transfer sensitive or confidential information shall require authentication of user identity prior to granting access to the applications (see TAC 202.70 and NIST 800-53 AC). Owners of such information resources are responsible for mandating and ensuring fulfillment of this requirement.
To the extent practicable, all information systems that require users to authenticate their identities should be configured to leverage Single-Sign On (SSO) systems maintained by the Division of IT.
To the extent practicable, all information systems that require users to authenticate their identities should be configured to leverage Multi-Factor Authentication (MFA) systems maintained by the Division of IT.
INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND MAINTENANCE PROCEDURES
In addition to requirements outlined in UPPS No. 05.02.06, Acquisition of Information Technology Products and Services, many IT products and services to be used by the university must undergo review by the Information Security Office prior to acquisition.
Assessment of internet-connected information resources that handle sensitive or confidential information:
Any information resource that is to be connected to or accessed via the internet or mobile devices and will process, store, or otherwise transmit confidential information or is determined to present significant potential risk to university information resources will be subject to additional scrutiny and background information gathering requirements by the Information Security Office in order to better assure the confidentiality, integrity, and availability of Texas State’s information.
Prior to procurement, development, deployment, or use of such information resources, the following information must be submitted in a timely fashion to the Information Security Office (see Texas Government Code §2054.517). This process must be completed before such information resources will be authorized for procurement, use, proofs of concept, demonstrations, or exposure to sensitive or confidential information.
1) System Architecture of the Website, Service, or System – Architectural information should include, at minimum, interconnections with third parties, data transport methods, data flow diagrams, and the physical location of repositories or data centers in which privileged university information shall be stored.
2) Documentation of Available Controls – Systems to be hosted solely by the university must make available documentation outlining the security controls and posture of the proposed system. At a minimum, this must include information about available authentication mechanisms for the information system and information about user, administrator, and third-party access to information that will be handled by the system.
3) A Higher-Education-Industry Standard Self-Assessment of the Vendor’s and Product’s Security Posture – This self-assessment report shall include, at minimum, the information required in items 1) and 2), an explanation of the vendor’s overall posture, and appropriate contact details for vendor technical personnel. The preferred self-assessment report is the Higher Education Cloud Vendor Assessment Tool (HECVAT), provided by EDUCAUSE. Other reports that may be suitable substitutes for the HECVAT include SOC 1 or SOC 2 reports. At the CISO’s (or designee’s) discretion, additional, supplemental information from the vendor may be necessary.
4) A Report of a Recent Penetration and Vulnerability Test Conducted by a Qualified Third Party – The penetration and vulnerability report must be the result of a recent assessment conducted by a third party. The third party that produces the report must be reasonably qualified to assess the vendor or service provider with which the university plans to do business. The vendor or service provider must also provide information about its plans to remedy any significant findings outlined within the third party’s report. In instances where a product is to be hosted solely by the university, the Information Security Office shall conduct appropriate levels of testing instead.
Exemptions to this requirement as it pertains to new (unassessed) information resources handling confidential information shall not be granted under any circumstance (see Texas Government Code §2054.517).
Following submission of this information and other data as required in the above section, a review of the information shall be conducted by the CISO (or designee).
Prior to renewal or reimplementation of existing systems that have not undergone this process, the above-outlined information should be gathered, and appropriate CISO-led evaluative measures shall be taken at the discretion of the CISO (or designee).
At the discretion of the CISO (or designee), renewals and continued use of “grandfathered” systems that have been determined to present low levels of risk may be approved, contingent on the completion of a formal evaluation.
Test functions shall be kept either physically or logically separate from production functions. Copies of production data shall not be used for testing unless all personnel involved in testing are authorized access to the production data or all confidential information has been removed from the test copy (see NIST 800-53 SC).
Appropriate information security and audit controls shall be incorporated into new systems. Each phase of systems acquisition or development shall incorporate corresponding development or assurances of security controls. The movement of system components through various life cycle phases shall be tracked, and, more specifically, the movement of any software component into production shall be logged (see NIST 800-53 SA).
After a new system has been placed into production, all program changes shall be authorized and accepted by the system owner (or designee) prior to implementation (see NIST 800-53 SA). The system owner’s authorizations to make changes and acceptances of those changes shall be documented and maintained.
To the extent practicable, the principles of separation of duties and least privilege shall be applied to the system development, acquisition, and production life cycle. For example, the developer or maintainer of a component should not also have the ability to place the component into production.
Modifications to production data by custodians or developers shall be authorized in advance by the system owner. If advance authorization is not possible in a real or perceived emergency, the owner shall be notified as soon as possible after the fact and the notification documented. The notification log entry shall contain the notification date and time, a description of the data modified, the justification for the modification, and the identities of the owner and the custodian.
Owners and custodians will ensure that new and modified web applications are compliant with Technology Resources’ web application development standards prior to their production deployment.
RISK ASSESSMENT PROCEDURES
Risk assessment is a vehicle for systematically identifying and evaluating the vulnerabilities of and threats to an information resource. Risk assessment is an essential component of any security and risk management program. Absolute security, which would assure protection against all threats, is unachievable. Risk assessment provides a framework for weighing losses that might occur in the absence of an effective security control against the costs of implementing the control. Risk management is intended to ensure that reasonable measures are employed to protect against the most probable and impactful threats.
Owners and their designated custodians shall complete risk assessments as provided by the CISO (or designee), most often occurring annually or biennially, depending on the classification of data or the information resource. The scope of this assessment may include departmentally-administered information resources that store, process, or access information. The assessment must include a classification of each information resource according to its need for security protection (e.g., the need to maintain confidentiality, integrity, and availability) (see Section 02.08).
The assessment should also identify reasonable, foreseeable, internal, and external risks to the security, confidentiality, integrity, and availability of those resources. Owners and custodians should assess the sufficiency of safeguards in place to control these risks and take mitigating measures to protect the resources from unacceptable risks. They should also document their acceptance of residual risk (i.e., the exposure remaining after implementing appropriate protective measures, if any). The risk assessment should include consideration of employee training and management, information systems architecture and processes, business continuity planning and prevention, and detection and response to intrusion and attack. The assessment results shall be documented in a written report, protected from unauthorized disclosure, modification, or destruction, and retained until superseded by a subsequent documented assessment, plus one year (see TAC 202.73).
Owners may opt to commission additional risk assessments as necessary. For example, the Student Health Center may commission a third party to conduct a risk assessment pertaining to HIPAA compliance in addition to annual, CISO-led assessments. Third-party risk assessors are subject to evaluation by the CISO (or designee).
The CISO (or designee) shall periodically (at least annually) complete or commission a risk assessment of the information resources considered essential to the university’s critical mission and functions and shall recommend to the owners and custodians of these resources appropriate risk mitigation measures, technical controls, and procedural safeguards. The assessment may incorporate self-assessment questionnaires, vulnerability scans, scans for confidential information, and penetration testing. Findings and recommendations shall be provided to the owners and custodians of the information assets.
The CISO (or designee) shall periodically (at least annually) report on the status and effectiveness of security controls and residual institutional risks to information resources (see TAC 202.71(a)). This report shall be presented to the president and President’s Cabinet.
REVIEWERS OF THIS UPPS
Reviewers of this UPPS include the following:
Position – Date
Chief Information Security Officer – Sept 1 E2Y
Associate Vice President for Technology Resources – Sept 1 E2Y
Vice President for Information Technology and Chair, Campus Information Resource Advisory Council – Sept 1 E2Y
This UPPS has been approved by the following individuals in their official capacities and represents Texas State policy and procedure from the date of this document until superseded.
Chief Information Security Officer; senior reviewer of this UPPS
Vice President for Information Technology