Purpose
This document establishes a process for assessing information systems for risks to systems and data, and for documenting and communicating those risks to university leadership so that decisions can be made regarding the treatment or acceptance of those risks. The security and privacy of Protected Data will be a primary focus of risk assessments.
It specifies the details of the information systems standards referred to by the following policies:
- 8000 Information Technology Resource Use
- 8020 Enterprise Servers and Storage
- 8030 Desktop, Laptop, and Tablet PC Computing Standards
- 8050 Software Patch Management
- 8060 Information Privacy and Data Security
Scope
To ensure the security of its data and systems, Boise State requires thorough risk assessments from all third-party service providers and cloud-based services it contracts with. These assessments are not only mandated by some regulations but are also crucial whenever new systems are implemented or significant changes occur that could impact security controls. This proactive approach helps Boise State identify and mitigate potential risks before they become security incidents.
Standards
Leveraging the NIST Risk Management Framework, Boise State University prioritizes four key areas to address the most common vulnerabilities identified through risk assessments:
- Configuration Management: By implementing pre-hardened system profiles from the outset, the university minimizes the risk of unnecessary services and configurations being deployed.
- Log Monitoring: Regular log review is a core security practice. Boise State emphasizes the importance of auditing logs to proactively detect and address potential system and security issues.
- Access Management: A recurring theme in risk assessments is account lifecycle management. The university highlights the importance of routinely reviewing accounts and access privileges to ensure appropriate control.
- Patch Management: Regular application and system patching is a cornerstone of the university’s information security program. This proactive approach helps mitigate financial, reputational, and regulatory risks associated with unpatched vulnerabilities.
Risk Assessment Steps
Step 1: Categorize
Categorize the information system and the information and data processed, stored, and transmitted by that system based on likelihood and impact to individuals and the university if the information is subject to a breach or unauthorized disclosure.
All information systems that create, process, store, or transmit Restricted or Confidential data must be assessed for risk to the university that results from threats to the integrity, availability and confidentiality of the data.
The following criteria should be used for categorization:
Likelihood Ranking Criteria:
1 (Negligible or Rare) | 2 (Low or Unlikely) | 3 (Medium or Possible) | 4 (High or Likely) | 5 (Extreme or Highly Likely) |
---|---|---|---|---|
Risk is very unlikely to occur here; not addressed in trade journals | Risk is unlikely to occur here; infrequently mentioned in trade journals | Risk occasionally occurs here; occasionally mentioned in trade journals | Risk frequently occurs here; regularly reported in trade journals | Risk routinely occurs here; constantly reported in trade journals |
No known occurrence of risk at other organizations | Risk is known to have occurred at another organization | Risk is occasionally occurring at other organizations | Risk is frequently occurring at other organizations | Risk is routinely occurring at other organizations |
Risk is continuously and thoroughly mitigated | High risk mitigation plans in place; well exercised scenario and stress testing performed | Moderate risk mitigation plans in place; scenario and stress testing performed | Minimal risk mitigation plans in place; some scenario planning for key strategic risks | No current risk mitigation plans; no scenario plans performed |
Risk addressed through normal and routine operations | High organizational and local processes in place to address risk | Moderate organizational and local process in place to address risk | Minimal organizational or local processes in place to address risk | No organizational or local processes to address risk |
Redundant contingency and management plans longstanding and sustainable | Contingency and management plans refined and well exercised | Most contingency and management plans in place; moderate exercises performed | Some contingency or management plans in place; limited exercise performed | No contingency or management plans in place |
Impact Ranking Criteria:
1 (Incidental Localized or No Impact) | 2 (Minor Localized Impact) | 3 (Moderate Organizational Impact) | 4 (Major or High Organizational Impact) | 5 (Extreme or Catastrophic Organizational Impact) |
---|---|---|---|---|
No or negligible effect on students or workforce | Localized and slight negative effect on students or workforce | Negative effect on wellbeing of a large number of students or workforce | Negative effect on wellbeing of a significant number of students or workforce | Negative effect on wellbeing of majority of students or workforce |
No potential harm to students, employees or third parties | No harm to students, employees or third parties | Moderate harm to students, workforce, or third parties | Serious harm to students, employees, or third parties resulting in the serious injury or death of an individual | Significant harm to students, employees or third parties resulting in multiple deaths |
No reputational harm or embarrassment; no media interest | Local and minor reputational embarrassment; insignificant media coverage | Short-term harm to reputation; national media or extensive local media coverage | Significant negative impact to reputation; significant negative media coverage | Organization’s reputation will be permanently harmed; extensive negative media coverage |
Financial loss < $1M | Financial loss ($1M to $10M) | Financial loss ($11M to $25M) | Financial loss ($25M to $100M); significant negative impact to market share | Financial loss (in excess of $100M); game-changing loss of market share |
No regulatory non-compliance | Minor regulatory non-compliance with no regulatory reporting requirements | Moderate regulatory non-compliance; reporting to regulators requiring immediate corrective actions | Significant regulatory non-compliance; reporting to regulators requiring major project or corrective action | Extreme regulatory non-compliance, fines, litigation, incarceration of leadership |
No impact to operations or staff morale | Minimal and localized effect on operations and staff morale | Noticeable disruption to operations; widespread staff morale problems and high turnover | Long-term negative impact on operations; high turnover of senior managers and experienced staff | Normal operations will not be possible; multiple senior leaders leave the organization |
No impact to strategic or local goals | No impact to strategic goals | Moderate negative impact to strategic goals | Significant negative impact to strategic goals | Strategic goals will not be obtained |
Step 2: Select
Select an initial set of baseline security controls based on the data classification levels described in Information Privacy and Data Security (Policy 8060).
Step 3: Assess
Assess the extent to which security controls are correctly implemented, operating as intended, and producing the desired outcome.
The core elements of a risk assessment include:
- Scope of assessment
- Current state of security control implementation
- Documentation of identified threats, vulnerabilities, and risks associated with the system
- Mitigation recommendations to reduce risks and threat potential to the system
Risk assessments for systems or applications that create, store, process, or transmit Restricted or Confidential data are required to be conducted by OIT staff under the following circumstances:
- After a major architectural change to the service
- Soon after a serious security incident is reported
- When required by regulation or law
Step 4: Implement
Implement the appropriate risk-reducing controls as identified by the risk assessment process.
This plan requires the assessed area to review all security control recommendations and either: a) agree to mitigate as stated; or b) propose an alternative to, or a revision of, specific control recommendation(s).
Components of risk treatment plans include:
- Description of security mitigation recommendation
- Primary staff responsibility for each recommendation
- Estimated financial costs, time and staffing resources to carry out identified mitigation recommendations, including estimated start and completion dates
- Metrics to evaluate progress and success
- Exception requirements if security controls cannot be implemented
Step 5: Evaluate
Evaluate whether an identified but unmitigated risk is acceptable. Risks are quantitatively and qualitatively expressed as Severe, High, Medium, Low and Very Low.
In general, Boise State departments and individuals may not unilaterally accept information security and compliance risks that result in the greater university’s vulnerability to cyber risks. Specifically:
- Residual high and severe risks identified in risk assessments but not mitigated in an established timeframe may only be accepted on behalf of the university by department leadership with the acknowledgement of the Chief Information Security Officer.
- Approval authority may be delegated if documented in writing, but ultimate responsibility for risk acceptance on behalf of the university cannot be delegated.
Step 6: Monitor and Follow-Up
The CISO will follow up with departments on an ongoing basis to track the progress of open risk treatment plans and ensure they are completed.
References
- NIST Risk Management Framework
- Information Technology Guidelines
- Information Technology Standards
- Software and Accessibility Review Board
Non-Compliance and Exceptions
A Request for IT Security Policy/Standards Exception, along with a plan for risk assessment and management, can be submitted via Help Desk Self Service. Non-compliance with these standards may result in revocation of access, notification of supervisors, and reporting to the Office of Internal Audit and Institutional Compliance.
Updates
Created: November 2024
Last Update: November 2024
Next Review: February 2025