Boise State University Information Security Risk Assessment Standard

Purpose

This document establishes a process for assessing information systems for risks to systems and data, and for documenting and communicating those risks to university leadership so that leadership can make decisions regarding the treatment or acceptance of those risks. The security and privacy of Protected Data will be a primary focus of risk assessments.

It specifies the details of the information systems standards referred to by the following policies:

Scope

To ensure the security of its data and systems, Boise State requires thorough risk assessments from all third-party service providers and cloud-based services it contracts with. These assessments are not only mandated by some regulations but are also crucial whenever new systems are implemented or significant changes occur that could impact security controls. This proactive approach helps Boise State identify and mitigate potential risks before they become security incidents.

Standards

Leveraging the NIST Risk Management Framework, Boise State University prioritizes four key areas to address the most common vulnerabilities identified through risk assessments: 

  • Configuration Management: By implementing pre-hardened system profiles from the outset, the university minimizes the risk of unnecessary services and configurations being deployed.
  • Log Monitoring: Regular log review is a core security practice. Boise State emphasizes the importance of auditing logs to proactively detect and address potential system and security issues.
  • Access Management: A recurring theme in risk assessments is account lifecycle management. The university highlights the importance of routinely reviewing accounts and access privileges to ensure appropriate control.
  • Patch Management: Regular application and system patching is a cornerstone of the university’s information security program. This proactive approach helps mitigate financial, reputational, and regulatory risks associated with unpatched vulnerabilities.

Risk Assessment Steps

Step 1: Categorize

Categorize the information system and the information and data processed, stored, and transmitted by that system based on likelihood and impact to individuals and the university if the information is subject to a breach or unauthorized disclosure.

All information systems that create, process, store, or transmit Restricted or Confidential data must be assessed for risk to the university that results from threats to the integrity, availability and confidentiality of the data.

The following criteria should be used for categorization:

Likelihood Ranking Criteria:

1 (Negligible or Rare)

  • Risk is very unlikely to occur here; not addressed in trade journals
  • No known occurrence of risk at other organizations
  • Risk is continuously and thoroughly mitigated
  • Risk addressed through normal and routine operations
  • Redundant contingency and management plans longstanding and sustainable

2 (Low or Unlikely)

  • Risk is unlikely to occur here; infrequently mentioned in trade journals
  • Risk is known to have occurred at another organization
  • High risk mitigation plans in place; well exercised scenario and stress testing performed
  • High organizational and local processes in place to address risk
  • Contingency and management plans refined and well exercised

3 (Medium or Possible)

  • Risk occasionally occurs here; occasionally mentioned in trade journals
  • Risk is occasionally occurring at other organizations
  • Moderate risk mitigation plans in place; scenario and stress testing performed
  • Moderate organizational and local processes in place to address risk
  • Most contingency and management plans in place; moderate exercises performed

4 (High or Likely)

  • Risk frequently occurs here; regularly reported in trade journals
  • Risk is frequently occurring at other organizations
  • Minimal risk mitigation plans in place; some scenario planning for key strategic risks
  • Minimal organizational or local processes in place to address risk
  • Some contingency or management plans in place; limited exercise performed

5 (Extreme or Highly Likely)

  • Risk routinely occurs here; constantly reported in trade journals
  • Risk is routinely occurring at other organizations
  • No current risk mitigation plans; no scenario plans performed
  • No organizational or local processes to address risk
  • No contingency or management plans in place

Impact Ranking Criteria:

1 (Incidental Localized or No Impact)

  • No or negligible effect on students or workforce
  • No potential harm to students, employees or third parties
  • No reputational harm or embarrassment; no media interest
  • Financial loss < $1M
  • No regulatory non-compliance
  • No impact to operations or staff morale
  • No impact to strategic or local goals

2 (Minor Localized Impact)

  • Localized and slight negative effect on students or workforce
  • No harm to students, employees or third parties
  • Local and minor reputational embarrassment; insignificant media coverage
  • Financial loss ($1M to $10M)
  • Minor regulatory non-compliance with no regulatory reporting requirements
  • Minimal and localized effect on operations and staff morale
  • No impact to strategic goals

3 (Moderate Organizational Impact)

  • Negative effect on wellbeing of a large number of students or workforce
  • Moderate harm to students, workforce, or third parties
  • Short-term harm to reputation; national media or extensive local media coverage
  • Financial loss ($11M to $25M)
  • Moderate regulatory non-compliance; reporting to regulators requiring immediate corrective actions
  • Noticeable disruption to operations; widespread staff morale problems and high turnover
  • Moderate negative impact to strategic goals

4 (Major or High Organizational Impact)

  • Negative effect on wellbeing of a significant number of students or workforce
  • Serious harm to students, employees, or third parties resulting in the serious injury or death of an individual
  • Significant negative impact to reputation; significant negative media coverage
  • Financial loss ($25M to $100M); significant negative impact to market share
  • Significant regulatory non-compliance; reporting to regulators requiring major project or corrective action
  • Long-term negative impact on operations; high turnover of senior managers and experienced staff
  • Significant negative impact to strategic goals

5 (Extreme or Catastrophic Organizational Impact)

  • Negative effect on wellbeing of majority of students or workforce
  • Significant harm to students, employees or third parties resulting in multiple deaths
  • Organization’s reputation will be permanently harmed; extensive negative media coverage
  • Financial loss (in excess of $100M); game-changing loss of market share
  • Extreme regulatory non-compliance, fines, litigation, incarceration of leadership
  • Normal operations will not be possible; multiple senior leaders leave the organization
  • Strategic goals will not be obtained

Step 2: Select

Select an initial set of baseline security controls based on the data classification levels described in Information Privacy and Data Security (Policy 8060).

Step 3: Assess

Assess the extent to which security controls are correctly implemented, operating as intended, and producing the desired outcome.

The core elements of a risk assessment include:

  • Scope of assessment
  • Current state of security control implementation
  • Documentation of identified threats, vulnerabilities, and risks associated with the system
  • Mitigation recommendations to reduce risks and threat potential to the system.

Risk assessments for systems or applications that create, store, process, or transmit Restricted or Confidential data are required to be conducted by OIT staff under the following circumstances:

  • After a major architectural change to the service
  • Soon after a serious security incident is reported
  • When required by regulation or law

Step 4: Implement

Implement the appropriate risk-reducing controls as identified by the risk assessment process.

This plan requires the assessed area to review all security control recommendations and either: a) agree to mitigate as stated; or b) propose an alternative to, or a revision of, specific control recommendation(s).

Components of risk treatment plans include:

  • Description of security mitigation recommendation
  • Primary staff responsibility for each recommendation
  • Estimated financial costs, time and staffing resources to carry out identified mitigation recommendations, including estimated start and completion dates
  • Metrics to evaluate progress and success
  • Exception requirements if security controls cannot be implemented

Step 5: Evaluate

Evaluate whether an identified but unmitigated risk is acceptable. Risks are quantitatively and qualitatively expressed as Severe, High, Medium, Low and Very Low.

In general, Boise State departments and individuals may not unilaterally accept information security and compliance risks that result in the greater university’s vulnerability to cyber risks. Specifically:

  • Residual high and severe risks identified in risk assessments but not mitigated in an established timeframe may only be accepted on behalf of the university by department leadership with the acknowledgement of the Chief Information Security Officer.
  • Approval authority may be delegated if documented in writing, but ultimate responsibility for risk acceptance on behalf of the university cannot be delegated.

Step 6: Monitor and Follow-Up

The CISO will follow up with departments on an ongoing basis to ensure and track the progress of open risk treatment plans.

References

Non-Compliance and Exceptions

A Request for IT Security Policy/Standards Exception, along with a plan for risk assessment and management, can be submitted via Help Desk Self Service. Non-compliance with these standards may result in revocation of access, notification of supervisors, and reporting to the Office of Internal Audit and Institutional Compliance.

Updates

Created: November 2024

Last Update: November 2024

Next Review: February 2025