Boise State University Information Security Risk Assessment Standard

Purpose

This document is to establish a process for assessing information systems for risks to systems and data; documenting and communicating those risks to university leadership to make decisions regarding the treatment or acceptance of those risks. The security and privacy of Protected Data will be a primary focus of risk assessments.

It specifies the details of the information systems standards as referred to by policies:

Scope

To ensure the security of its data and systems, Boise State requires thorough risk assessments from all third-party service providers and cloud-based services it contracts with. These assessments are not only mandated by some regulations but are also crucial whenever new systems are implemented or significant changes occur that could impact security controls. This proactive approach helps Boise State identify and mitigate potential risks before they become security incidents.

Standards

Leveraging the NIST Risk Management Framework, Boise State University prioritizes four key areas to address the most common vulnerabilities identified through risk assessments:

Configuration Management: By implementing pre-hardened system profiles from the outset, the university minimizes the risk of unnecessary services and configurations being deployed.
Log Monitoring: Regular log review is a core security practice. Boise State emphasizes the importance of auditing logs to proactively detect and address potential system and security issues.
Access Management: A recurring theme in risk assessments is account lifecycle management. The university highlights the importance of routinely reviewing accounts and access privileges to ensure appropriate control.
Patch Management: Regular application and system patching is a cornerstone of the university’s information security program. This proactive approach helps mitigate financial, reputational, and regulatory risks associated with unpatched vulnerabilities.

Risk Assessment Steps

Step 1: Categorize

Categorize the information system and the information and data processed, stored, and transmitted by that system based on likelihood and impact to individuals and the university if the information is subject to a breach or unauthorized disclosure.

All information systems that create, process, store, or transmit Restricted or Confidential data must be assessed for risk to the university that results from threats to the integrity, availability and confidentiality of the data.

The following criteria should be used for categorization:

Likelihood Ranking Criteria:

1 (Negligible or Rare)	2 (Low or Unlikely)	3 (Medium or Possible)	4 (High or Likely)	5 (Extreme or Highly Likely)
Risk is very unlikely to occur here; not addressed in trade journals	Risk is unlikely to occur here; infrequently mentioned in trade journals	Risk occasionally occurs here; occasionally mentioned in trade journals	Risk frequently occurs here; regularly reported in trade journals	Risk routinely occurs here; constantly reported in trade journals
No known occurrence of risk at other organizations	Risk is known to have occurred at another organization	Risk is occasionally occurring at other organizations	Risk is frequently occurring at other organizations	Risk is routinely occurring at other organizations
Risk is continuously and thoroughly mitigated	High risk mitigation plans in place; well exercised scenario and stress testing performed	Moderate risk mitigation plans in place; scenario and stress testing performed	Minimal risk mitigation plans in place; some scenario planning for key strategic risks	No current risk mitigation plans; no scenario plans performed
Risk addressed through normal and routine operations	High organizational and local processes in place to address risk	Moderate organizational and local process in place to address risk	Minimal organizational or local processes in place to address risk	No organizational or local processes to address risk
Redundant contingency and management plans longstanding and sustainable	Contingency and management plans refined and well exercised	Most contingency and management plans in place; moderate exercises performed	Some contingency or management plans in place; limited exercise performed	No contingency or management plans in place

Impact Ranking Criteria:

1 (Incidental Localized or No Impact)	2 (Minor Localized Impact)	3 (Moderate Organizational Impact)	4 (Major or High Organizational Impact)	5 (Extreme or Catastrophic Organizational Impact)
No or negligible effect on students or workforce	Localized and slight negative effect on students or workforce	Negative effect on wellbeing of a large number of students or workforce	Negative effect on wellbeing of a significant number of students or workforce	Negative effect on wellbeing of majority of students or workforce
No potential harm to students, employees or third parties	No harm to students, employees or third parties	Moderate harm to students, workforce, or third parties	Serious harm to students, employees, or third parties resulting in the serious injury of death of an individual	Significant harm to students, employees or third parties resulting in multiple deaths
No reputational harm or embarrassment; no media interest	Local and minor reputational embarrassment; insignificant media coverage	Short-term harm to reputation; national media or extensive local media coverage	Significant negative impact to reputation; significant negative media coverage	Organization’s reputation will be permanently harmed; extensive negative media coverage
Financial loss < $1M	Financial loss ($1M to 10M)	Financial loss ($11M to $25M)	Financial loss ($25M to 100M); significant negative impact to market share	Financial loss (in excess of $100M); game-changing loss of market share
No regulatory non-compliance	Minor regulatory non-compliance with no regulatory reporting requirements	Moderate regulatory non-compliance; reporting to regulators requiring immediate corrective actions	Significant regulatory non-compliance; reporting to regulators requiring major project or corrective action	Extreme regulatory non-compliance, fines, litigation, incarceration of leadership
No impact to operations or staff morale	Minimal and localized effect on operations and staff morale, or	Noticeable disruption to operations; widespread staff morale problems and high turnover	Long-term negative impact on operations; high turnover of senior managers and experienced staff	Normal operations will not be possible; multiple senior leaders leave the organization
No impact to strategic or local goals	No impact to strategic goals	Moderate negative impact to strategic goals	Significant negative impact to strategic goals	Strategic goals will not be obtained

Risk Score:

Likelihood	1 – Incidental Impact	2 – Minor Impact	3 – Moderate Impact	4 – Major Impact	5 – Catastrophic Impact
5 – Extreme	MEDIUM 8	HIGH 16	HIGH 18	SEVERE 23	SEVERE 25
4 – Likely	MEDIUM 7	MEDIUM 10	HIGH 17	HIGH 20	SEVERE 24
3 – Possible	LOW 3	MEDIUM 9	MEDIUM 12	HIGH 19	HIGH 22
2 – Unlikely	LOW 2	LOW 5	MEDIUM 11	MEDIUM 14	HIGH 21
1 – Negligible	LOW 1	LOW 4	LOW 6	MEDIUM 13	MEDIUM 15

Step 2: Select

Select an initial set of baseline security controls based on the data classification levels described in Information Privacy and Data Security (Policy 8060).

Step 3: Assess

Assess the extent to which security controls are correctly implemented, operating as intended, and producing the desired outcome.

The core elements of a risk assessment include:

Scope of assessment
Current state of security control implementation
Documentation of identified threats, vulnerabilities, and risks associated with the system
Mitigation recommendations to reduce risks and threat potential to the system.

Risk assessments for systems or applications that create, store, process, or transmit Restricted or Confidential data are required to be conducted by OIT staff under the following circumstances:

After a major architectural change to the service, and
Soon after a serious security incident is reported
When required by regulation or law.

Step 4: Implement

Implement the appropriate risk-reducing controls as identified by the risk assessment process.

This plan requires the assessed area to review all security control recommendations and either: a) agree to mitigate as stated; or b) propose alternative or revision to specific control recommendation(s).

Components of risk treatment plans include:

Description of security mitigation recommendation
Primary staff responsibility for each recommendation
Estimated financial costs, time and staffing resources to carry out identified mitigation recommendations, including estimated start and completion dates
Metrics to evaluate progress and success
Exception requirements if security controls cannot be implemented

Step 5: Evaluate

Evaluate that an identified but unmitigated risk is acceptable. Risks are quantitatively and qualitatively expressed as Severe, High, Medium, Low and Very Low.

In general, Boise State departments and individuals may not unilaterally accept information security and compliance risks that result in the greater university’s vulnerability to cyber risks. Specifically:

Residual high and severe risks identified in risk assessments but not mitigated in an established timeframe may only be accepted on behalf of the university by department leadership with the acknowledgement of the Chief Information Security Officer.
Approval authority may be delegated if documented in writing, but ultimate responsibility for risk acceptance on behalf of the university cannot be delegated.

Step 6: Monitor and Follow-Up

CISO will follow-up with departments on an ongoing basis to ensure and track progress of open risk treatment plans.

References

Non-Compliance and Exceptions

A Request for IT Security Policy/Standards Exception, along with a plan for risk assessment and management, can be submitted via Help Desk Self Service. Non-compliance with these standards may result in revocation of access, notification of supervisors, and reporting to the Office of Internal Audit and Institutional Compliance.

Updates

Created: November 2024

Last Update: November 2024

Next Review: February 2025