Next. CDS 2015 Survey Module 7 Information Security Survey Errata

Similar documents
Next. CDS 2015 Survey Module 7 Information Security Survey Errata

Top Ten Technology Risks Facing Colleges and Universities

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Attachment A. Identification of Risks/Cybersecurity Governance

HIPAA Compliance Evaluation Report

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Client Security Risk Assessment Questionnaire

The Protection Mission a constant endeavor

John Essner, CISO Office of Information Technology State of New Jersey

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

OCIE CYBERSECURITY INITIATIVE

POSTAL REGULATORY COMMISSION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SYSTEMS. Revised: August 2013

SECURITY. Risk & Compliance Services

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Information Security Policy

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Security Program

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

INFORMATION SECURITY Humboldt State University

INFORMATION SECURITY California Maritime Academy

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Altius IT Policy Collection Compliance and Standards Matrix

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

Security Controls What Works. Southside Virginia Community College: Security Awareness

R345, Information Technology Resource Security 1

Virginia Commonwealth University School of Medicine Information Security Standard

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

IT Security in Higher Education Survey Questionnaire

Information Technology Security Review April 16, 2012

NSERC SSHRC AUDIT OF IT SECURITY Corporate Internal Audit Division

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

INFORMATION TECHNOLOGY SECURITY STANDARDS

State of Oregon. State of Oregon 1

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP

IT Help Desk Management Survey Questionnaire January 2007

Microsoft s Compliance Framework for Online Services

ISO Controls and Objectives

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

I. EXECUTIVE SUMMARY. Date: June 30, Sabina Sitaru, Chief Innovation Officer, Metro Hartford Innovation Services

UF IT Risk Assessment Standard

Intel Enhanced Data Security Assessment Form

Information Shield Solution Matrix for CIP Security Standards

VA Office of Inspector General

Utica College. Information Security Plan

STATE OF NEW JERSEY Security Controls Assessment Checklist

Supplier Security Assessment Questionnaire

Certified Information Systems Auditor (CISA)

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

Client Update SEC Releases Updated Cybersecurity Examination Guidelines

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

Security Awareness Training Policy

Standard Operating Procedure Information Security Compliance Requirements under the cabig Program

Network Security Assessment

Information Security for the Rest of Us

Information Security Policy Manual

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Data Security Incident Response Plan. [Insert Organization Name]

Data Management Policies. Sage ERP Online

Information Security Program CHARTER

Big Data, Big Risk, Big Rewards. Hussein Syed

Defending Against Data Beaches: Internal Controls for Cybersecurity

VMware vcloud Air HIPAA Matrix

Chapter 1 The Principles of Auditing 1

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Information Security Program Management Standard

Central Agency for Information Technology

Report on CAP Cybersecurity November 5, 2015

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

Information Security: A Perspective for Higher Education

Newcastle University Information Security Procedures Version 3

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

Guide for the Role and Responsibilities of an Information Security Officer Within State Government

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

Boston Public Schools. Guidelines for Implementation of Acceptable Use Policy for Digital Information, Communication, and. Technology Resources

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Transcription:

CDS 2015 Survey Survey Errata This module includes questions about the IT security organization, staffing, policies, and practices related to information technology security. This is an optional module. In responding to the survey questions in this module, unless specified otherwise, please enter data that describe your IT environment during the prior fiscal year (FY 2014-2015). Prior fiscal year is defined as the most recent fiscal year ending before July 1, 2015. NOTES: Unless otherwise specified, all questions in this survey request data for the prior fiscal year. Throughout the survey, "central IT" refers to the centralized information technology services and support organization reporting to the highest-ranking information technology administrator/officer in the institution. For CDS participants from central offices of multicampus systems and community college districts, "institution" refers to the central office only, not the entire multicampus entity. For all other participants, Institution refers to the individual college or university (typically referred to as a campus). Please refer to the CDS glossary for definitions of other terms in the survey. Q1 Information Security Service Delivery Q2-4 Information Security Staff Q5 Information Security Maturity Q6 Information Security Technology Deployment Q7 Information Security Standards/Frameworks Q8-9 Information Security Risk Assessment Q10-11 Information Security Training Q12 Information Security Metrics Q13-14 Multi-institutional Collaborations and Federations Q15-16 Supplemental Information Q17-20 Module Feedback 2015 EDUCAUSE. Reproduction by permission only. This is Module 7 of the EDUCAUSE Core Data Service Annual Survey. Colleges and universities use the CDS benchmarking service to inform their IT strategic planning and management. Learn more on the Core Data Service website. 1 Next

Q1 Information Security Service Delivery Q1 Information Security Service Delivery 1. Which organizational units were responsible for the following information security practices in your institution? a. Information security compliance b. Information security risk management c. Monitoring d. Incident management e. Training and awareness f. Information security policy development g. Network security h. Identity management i. Data security j. Data privacy k. Security software procurement l. Configuration management m. Other (select organizational unit here; describe other practice below) Other security practice Q2-4 Information Security Staff Q2 4 Information Security Staff Primarily central IT Primarily central IT Primarily central IT Shared between central IT and other admin or Shared between central IT and other admin or Shared between central IT and other admin or Primarily other admin or Primarily other admin or Primarily other admin or Primarily system or district office Primarily system or district office Primarily system or district office Primarily outsourced Primarily outsourced Primarily outsourced CDS 2015 Survey ${m://lastname} Survey Errata No unit responsible No unit responsible No unit responsible 2

2. In the prior fiscal year, what was the title of the highest-ranking person with primary responsibility for information security across your institution? NOTE: This person may not have reported within the central IT organization. CIO or equivalent serves in this role Chief information security officer Chief IT security officer Information security officer IT security officer Executive director, information security Executive director, IT security 100% 80 99% 60 79% 40 59% 20 39% 10 19% Less than 10% Director, information security Director, IT security Manager, information security Manager, IT security Network manager Network administrator 3. What percentage of full time did this person devote to information security? 4. To whom did this person report? (Check all that apply.) Board of trustees/regents President/chancellor Provost/chief academic officer Chief administrative officer Chief financial officer Q5 Information Security Maturity Q5 Information Security Maturity Director of internal audit Highest-ranking IT administrator/officer (e.g., CIO) in central IT First-line director in central IT Second-line manager in central IT 3

5. Please characterize each of the following items as it relates to the state of information security at your institution as of June 30, 2015, using the following scale (optional): 1. Absent/ad hoc: We don t currently have this capability, or we address it in an improvised, irregular way. 2. Repeatable: We have an established capability, but our practices are mostly informal. 3. Defined: We have a standardized capability and have documented procedures and/or responsibilities related to it. 4. Managed: We manage this capability to achieve predictable results on the basis of reliably measured performance indicators. 5. Optimized: Besides measuring performance, we regularly reassess the way we deliver this capability, in order to improve practices and manage risks. NOTE: This section is best completed by your institution's chief information security officer, director of IT security, or other individual familiar with the institutional information security technology environment. 1. ORGANIZATION 1.1) We have an individual with institution-wide information security responsibility and authority written in their job description, or equivalent. Note: This may be the CIO, CISO, CSO, or other. 1.2) Duties are sufficiently segregated to ensure unintentional or unauthorized modification of information is detected. 1.3) Individuals (staff, faculty, students, third parties) interacting with institutional systems receive information security awareness training. 1.4) We participate in local or national security groups (e.g., REN-ISAC, EDUCAUSE, InfraGard, Information Systems Security Association, etc.). 1.5) We monitor and promptly respond to patch releases, security bulletins, and vulnerability reports. 1.6) Incident-handling procedures include the definition of roles and responsibilities. 1.7) Our incident response staff are aware of legal or compliance requirements surrounding evidence collection. 1.8) We maintain relationships with local law enforcement authorities. 2. POLICY 2.1) We have an information security policy that has been approved by institutional leadership. 2.2) We have an Acceptable Use Policy that defines misuse of institutional IT resources and data. 2.3) We maintain security configuration standards for information systems and applications. 2.4) We have usage guidance established for mobile computing devices (regardless of ownership) that store, process, or transmit institutional data. 2.5) Our policies indicate when encryption should be used (e.g., at rest, in transit, with sensitive or confidential data, on certain types of devices, etc.). 3. DATA SECURITY AND DATA MANAGEMENT PROCESSES 3.1) We have a process for identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of records containing sensitive information. 3.2) We identify critical information assets and the functions that rely on them. 3.3) We classify data to indicate the appropriate levels of information security. 3.4) We have standards for isolating sensitive data to protect it from unauthorized access and tampering. 3.5) We have procedures and technologies in place to protect sensitive data from unauthorized access and tampering. 3.6) We have a records management or data governance policy that addresses the life cycle of paper records. 3.7) We have a records management or data governance policy that addresses the life cycle of electronic records. 3.8) Our data backup process is consistent with the availability requirements of our organization. 3.9) We routinely test our data backup restore procedures. 3.10) We have a business continuity plan for information technology that has been reviewed and approved by senior staff or the board of trustees. 3.11) We have a business continuity plan for information technology that is periodically tested. 4. ACCESS CONTROL PROCESSES 4.1) We have access control procedures to authorize and revoke access rights to information systems. 4.2) We have access control procedures to authorize and revoke access rights to physical assets (e.g., buildings). 4.3) We have procedures to regularly review users' access to ensure only needed privileges are applied. Absent/ ad hoc Repeatable Defined Managed Optimized 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 4

Q6 Information Security Technology Deployment Q6 Information Security Technology Deployment 6. Please describe the status of the following systems and technologies at your institution as of June 30, 2015 using the following scale: (optional) 1. No deployment. None of this technology or service is in place and no work is underway or resources committed for this technology or service. 2. Tracking. Staff are assigned, but restricted to monitoring and understanding this technology or service (much more than just reading articles). 3. Planning, piloting, and initial deployment. This technology or service is not yet available to users, however meaningful planning for deployment is underway. A plan for deployment is either in development or in place. Staff are investing significant time (multiple person-weeks of effort) and resources planning to deploy this technology or service. This includes evaluating options with an expectation of deployment within a defined timeframe. Evaluation involves at least multiple person weeks of staff time developing options, a proposal for required funding, and possibly piloting the technology or service. 4. Deployment to parts of the institution. Full, production-quality technical capability or service is in place, including ongoing maintenance, funding, etc., with potential access by selected users, but not institution-wide. 5. Deployment institution-wide. Full production-quality technical capability or service is in place, including ongoing maintenance, funding, etc., with deployment supporting potential access institution-wide. NOTES: This section is best completed by your institution's chief information security officer, director of IT security, or other individual familiar with the institutional information security technology environment. CDS 2014 responses to this question have been preloaded, however response options have changed slightly for the CDS 2015 survey. Please review responses thoroughly to ensure CDS 2015 responses align with the new response options. a. Scanning tools for private/protected information b. Data loss prevention c. Network filtering d. Network intrusion detection system e. Network intrusion prevention system f. Host based intrusion detection system g. Host based intrusion prevention system h. Network access control system i. Penetration testing tools j. Vulnerability assessment tools k. Endpoint configuration management l. Malware protection m. Endpoint encryption for sensitive data n. Secure remote access o. Secure wireless access p. Log management q. Security information and event management Q7 Information Security Standards/Frameworks Q7 Information Security Standards/Frameworks No deployment Tracking Planning, piloting, and initial deployment Deployment to parts of the institution Deployment institution-wide 1 2 3 4 5 5

7. Please describe the status of the following standards or frameworks at your institution using the following scale. CoBIT NIST 800-53/FISMA ISO 27001 AICPA Trust Services BITS Shared Assessments Other (select status here; describe below) Other standard or framework Q8-9 Information Security Risk Assessment Q8-9 Information Security Risk Assessment Central IT infrastructure Central IT systems and data Medical center systems and data Research systems and data Instructional systems and data No risk assessments have been undertaken. Internal audits External audits Planning/prioritizing institutional security work Deployed broadly Deployed sparsely In planning Experimenting/ considering Considered, not pursued No discussion to date 8. In which of these areas did your institution undertake an information security risk assessment during the prior fiscal year? (Check all that apply.) NOTE: Question 9 will appear only if your institution conducted a security assessment during the prior fiscal year. 9. For which of the following reasons were information security risk assessments conducted at your institution? (Check all that apply.) Q10-11 Information Security Training Q10-11 Information Security Training 6

10. Which information security training topics were mandatory for the following groups? Usage policies (AUP) Security policies Regulatory compliance (FERPA, HIPAA, PCIDSS) Self-defense (phishing, identity theft) Other (select groups here; describe training below) Other information security training Required certification for all positions Required certification for some positions We did not require certification, but prefer personnel with certification We did not require certification and have no preference We did not have information security personnel Faculty Students IT staff 11. Did your institution require certification for information security personnel? Q12 Information Security Metrics Q12 Information Security Metrics New employees Other staff 12. Which of the following information security metrics did your institution track? (Check all that apply.) Training Not applicable available but - security not mandatory training not for any group. provided NOTE: For additional background on the list of metrics below, please visit: https://benchmarks.cisecurity.org/downloads /metrics/ a. Number of applications m. Mean-time between security incidents b. Percentage of critical applications n. Mean-time to recovery c. Risk assessment coverage o. Patch policy compliance d. Security Testing coverage p. Patch management coverage e. Mean-time to complete changes q. Mean-time to patch f. Percent of changes with security review r. Vulnerability scan coverage g. Percent of changes with security exceptions s. Percent of systems without known severe vulnerabilities h. Information security budget as % of IT budget t. Mean-time to mitigate vulnerabilities i. Information security budget allocation u. Number of known vulnerability instances j. Mean-time to incident discovery v. k. Incident rate We did not track any metrics l. Percentage of incidents detected by internal controls 7

Q13-14 Multi-institutional Collaborations and Federations Q13-14 Mulit-institutional Collaborations and Federations 13. In which of these multi-institutional collaborations related to information security did your institution participate? (Check all that apply.) Higher Education Information Security Council (HEISC) EDUCAUSE Security Discussion List EDUCAUSE Policy Discussion List EDUCAUSE Identity Management Discussion List State or regional group REN-ISAC (Research and Education Network Information Sharing and Analysis Center) Public/private information sharing activities such as the U.S. FBI InfraGard program National Security Higher Education Board Internet2 Not applicable no collaborative participation 14. In which of the following federations was your institution a member, either as an identity provider, a service provider, or both? InCommon OpenID OpenID Connect Other federation Q15-16 Supplemental Information Q15 16 Supplemental Information Identity Provider Service Provider Both Identity Provider and Service Provider Neither, but considering Neither, not considering 15. Please provide, in a paragraph or two, any background information about your institution and its IT security environment that could be useful to other CDS participants who may be using your data in their benchmarking. Example: Our affiliated hospital has its own information systems, network, and IT security staff with whom we collaborate frequently. (optional) 8

16. Please provide the name and e-mail address of the person to contact regarding your institution's responses to this module of the CDS survey. (optional) Q17-20 Module Feedback Q17 20 Module Feedback 17. EDUCAUSE welcomes your feedback on this survey module. Please let us know of any technologies, innovations, or challenges important to your institution that are not addressed or are inadequately addressed in this year's survey. We'd also like to know if any questions in this module are not relevant to your institution. How else could this module of the CDS survey be improved? (optional) 18. How many people participated in preparing and completing the answers to the questions in this module? (optional) 1 2-4 5+ 19. Approximately how much time did you spend on the following? (optional) Acquiring and processing question data prior to entering data into the survey Entering data into the survey Very difficult Difficult Somewhat difficult Somewhat easy Easy Very easy Number of hours 20. How easy was it for you to complete this module? Please take into consideration the amount of time it took, the ease of gathering information needed to answer the questions, the ease of identifying people at your institution to supply the answers, the clarity of the questions, etc. (optional) 9

2015 EDUCAUSE. Reproduction by permission only. This is Module 7 of the EDUCAUSE Core Data Service Annual Survey. orm their IT strategic planning and management. Learn more on the Core Data Service website. 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information