Corrective Action Plan Guide for the 2009 IT Decentralized Risk Assessment

The following information is offered to assist individual units in planning corrective actions in response to the 2009 IT Decentralized Risk Assessment. For further information, please refer to the Corrective Action Planning presentation.

Question numbers refer to the numbers in the original risk assessment survey.

1. Does your Auditable Unit follow a university-wide formal written information security policy (in addition to ACD 125)?
Addressed by university-wide training.
ASU has a formal written information security policy which applies to all units. The security policy is available online. Awareness of this issue is raised in ASU's mandatory information security awareness training for faculty and staff. Auditable Units should reinforce this message either in meetings or through electronic communications.

Suggested reinforcement text: ASU's Information Security Policy establishes guidelines and standards to safeguard University information resources, ensure the integrity of institutional processes, and foster compliance with state and federal rules, regulations, and laws including HIPAA and FERPA. This policy applies University-wide. Please review the policy, available online at getprotected.asu.edu.

Contact: Information Security Office, infosec@asu.edu.

5. When someone leaves the employment of your Auditable Unit, including students, is there a procedure to immediately remove their access to all applicable file shares, servers and applications?
Addressed by university-wide training.
Access to electronic resources should be removed promptly on termination in accordance with SPP 1007 and ASU's Information Security Policy. This includes membership in Active Directory and other permissions groups, login privileges to departmental servers and Web sites, access to enterprise data and departmental file shares, and card access to buildings.

An online form is available to remove computer access for a terminating employee immediately under the following special circumstances:

  1. You must immediately remove computing services for an employee being terminated.
  2. An employee still has an active contract even though (s)he is no longer, or not currently, working (on administrative leave).

 

The form can be found at:
MyASU > My Compensation > Manage > Job and Personal Information > Terminate System Access

For normal terminations, managers should consult the HR Advisor Termination Checklist and contact UTO Computer Accounts to terminate computer services as necessary.

Awareness of this issue is raised in ASU's mandatory information security awareness training for faculty and staff.

Contact: ASU Computer Accounts Office, (480) 965-1211.
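The Active Directory portion of the access removal described above, as an added example that is not part of ASU's procedure or UTO's tooling: it disables the account, invalidates the password, records and strips every group membership (which is where file-share and application permissions usually live), and moves the object to a quarantine OU. It assumes the ActiveDirectory PowerShell module (RSAT) and rights to modify the account; the OU path and log directory are hypothetical placeholders to replace with your unit's own.

```powershell
# Added example for question 5: revoke a departing user's Active Directory access
# immediately. Not ASU's procedure; run it alongside the HR/UTO termination steps.
# Assumes the ActiveDirectory module (RSAT) and rights to modify the account.
# $DisabledOU and $LogDir below are hypothetical; substitute your unit's values.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [string]$DisabledOU = "OU=Disabled Accounts,DC=example,DC=edu",   # hypothetical
    [string]$LogDir     = "$env:ProgramData\Offboarding"               # hypothetical
)

Import-Module ActiveDirectory -ErrorAction Stop

$user  = Get-ADUser -Identity $SamAccountName -Properties MemberOf, DistinguishedName
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir "$SamAccountName-$stamp.txt"

# 1. Disable first so no new logons succeed while the rest of the cleanup runs.
Disable-ADAccount -Identity $user

# 2. Invalidate the known password so the account cannot simply be re-enabled
#    and used with the old credential (32 random bytes, base64-encoded).
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -NewPassword $newPw -Reset

# 3. Record, then remove, every group membership. The log is what you hand to
#    the auditor; it also lets you restore access if the termination is reversed.
#    The primary group (normally Domain Users) is not listed in MemberOf and stays.
$groups = @($user.MemberOf | ForEach-Object { Get-ADGroup -Identity $_ })
"Account: $($user.DistinguishedName)"   | Out-File $log
"Groups removed at ${stamp}:"           | Out-File $log -Append
foreach ($g in $groups) {
    $g.DistinguishedName | Out-File $log -Append
    Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
}

# 4. Park the object in a quarantine OU so disabled accounts are easy to review
#    and are not subject to the logon-related policies of their old OU.
Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU

Write-Host "Disabled $SamAccountName, removed $($groups.Count) group memberships; log: $log"
```

Two caveats a practitioner should keep in mind: existing sessions on servers and already-issued Kerberos tickets (valid for up to 10 hours by default) are not cut off by any of these steps, so a genuinely urgent termination also means logging the user off the machines they are signed in to; and this script covers Active Directory only, so card access, departmental servers or web sites with their own local accounts, and enterprise data access still have to be removed separately, as the checklist above says.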

 

7. Does your Auditable Unit have a network map to know how your systems and data interface with the rest of the network?
No need to address.
This question will be dropped from future risk assessments; there is no need to respond with corrective action to this concern.

 

8. Does your Auditable Unit provide users with security awareness education and training upon hire and then annually thereafter?
Addressed by university-wide training. May require departmental follow-up.
As of December 21, 2009, all new faculty and staff receive information security awareness education and training upon hire. All existing faculty and staff will be enrolled and required to complete this training in FY2010. Annual "refresher" training should be specific to units and job functions. UTO can assist in packaging subsets of its existing information security awareness training materials on request in order to assist in meeting your unit's refresher training needs.

Contact: UTOTraining@asu.edu.

 

10. Does your Auditable Unit have written incident management procedures to respond to system security breaches?
Partially addressed by university-wide training. May require departmental follow-up.
Awareness of this issue is raised in ASU's mandatory information security awareness training for faculty and staff. UTO has a written incident response standard, available online at https://getprotected.asu.edu/security-policies#standards. Units can adapt this document to develop their own procedures if desired; departmental incident response procedures should include notification of the Information Security Office by sending an email to infosec@asu.edu.

 

18. If a malicious virus attacked a local system in your Auditable Unit, along with containing the virus, how would you alert others?
Partially addressed by university-wide training. May require departmental follow-up.
A virus attack is a security incident and should be handled according to written incident response procedures. Awareness of this issue is raised in ASU's mandatory information security awareness training for faculty and staff. UTO has a written incident response standard, available online at https://getprotected.asu.edu/security-policies#standards. Units can adapt this document to develop their own procedures if desired; departmental incident response procedures should include notification of the Information Security Office by sending an email to infosec@asu.edu.

 

19. Has your Auditable Unit developed its own home grown Web-based application and has it had a security assessment in the last year?
Partially addressed by university-wide training. May require departmental follow-up.
Web applications are considered "home grown" if they are on an ASU server that is not an enterprise server. Developers of home grown applications must undergo ASU's mandatory Web security training. New applications must be scanned before they are migrated into production; existing applications are subject to random scanning. More information on this topic is available in ASU's Web Application Security Standard and Secure Web Development Standard, both available online at https://getprotected.asu.edu/security-policies. Awareness of this issue is raised in ASU's mandatory information security awareness training for faculty and staff.

Contact: Information Security Office, infosec@asu.edu.

 

21. When users log on the network, is there a set time when you're forced to change your password?
Addressed by university-wide training.
ASU is moving to a 180-day standard for password changes. ASURITE is preferred over local authentication solutions. If the latter are used for any reason, passwords should be set to expire within 180 days.

 

23. Are users in your Auditable Unit aware that they should not share their user ID and Password with another user?
Addressed by university-wide training.
Awareness of this issue is raised in ASU's mandatory information security awareness training for faculty and staff. Auditable Units should reinforce this message either in meetings or through electronic communications. 
Suggested reinforcement text: Your user IDs and passwords should never be shared with others. You are responsible for what is done using your login information, so protect it as you would protect your personal information.

 

25. Do users in your Auditable Unit either utilize a password protected screen saver set to 15 minutes or less, or do they lock (Ctrl + Alt + Delete) their workstations when unattended?
Addressed by university-wide training.
Awareness of this issue is raised in ASU's mandatory information security awareness training for faculty and staff. Auditable Units should reinforce this message either in meetings or through electronic communications.

Below are links to instructions for configuring password protected screen savers. 
Windows (workstations)
Windows (group policy)
MacOS

Suggested reinforcement text: On your desktop and/or laptop computer, use a password protected screen saver that locks the computer within 15 minutes of inactivity. This will ensure that your computer can't be used by unauthorized individuals while you're away.

 

27. Are service packs and patches for all workstations and servers kept up to date?
Partially addressed by university-wide training. May require departmental follow-up.
Servers managed by UTO are patched according to ASU's Patch Management Standard, available online at https://getprotected.asu.edu/security-policies#standards. Auditable Units that maintain their own servers must adhere to this standard as well. Where applicable, workstations should be configured to download and install service packs and patches automatically.
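A single workstation check covering questions 21, 25 and 27, added here as an example that is not an ASU or UTO tool: it reads the local password policy, the effective screen saver settings (the Group Policy key takes precedence over the user's own setting when a GPO is applied) and the Automatic Updates configuration, and reports anything that misses the thresholds this guide states (180 days, 15 minutes, automatic install). The registry locations are the standard Windows ones for this era; the parsing of `net accounts` assumes an English-language system.

```powershell
# Added example for questions 21, 25 and 27: audit one Windows workstation against
# the thresholds in this guide. Not an ASU tool. Run it as the user whose desktop
# settings you want to check (the screen saver values live under HKCU).

function Get-RegValue($Path, $Name) {
    # Returns the value, or $null when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# --- Question 21: local password expiry (only matters if local accounts are used) ---
# Assumes English output, e.g. "Maximum password age (days):   42"
$maxAgeLine = (net accounts) | Where-Object { $_ -match 'Maximum password age' }
if ($maxAgeLine -match '(\d+|Unlimited)\s*$') {
    $maxAge = $Matches[1]
    if ($maxAge -eq 'Unlimited' -or [int]$maxAge -gt 180) {
        $findings += "Local maximum password age is $maxAge; must be 180 days or less (fix: net accounts /maxpwage:180)."
    }
}

# --- Question 25: password-protected screen saver within 15 minutes (900 s) ---
$userKey   = 'HKCU:\Control Panel\Desktop'
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
function Get-EffectiveDesktopValue($Name) {
    $v = Get-RegValue $policyKey $Name          # GPO-enforced value, if any
    if ($null -eq $v) { $v = Get-RegValue $userKey $Name }
    return $v
}
$active  = Get-EffectiveDesktopValue 'ScreenSaveActive'
$secure  = Get-EffectiveDesktopValue 'ScreenSaverIsSecure'
$timeout = Get-EffectiveDesktopValue 'ScreenSaveTimeOut'
if ($active -ne '1') { $findings += 'Screen saver is not enabled.' }
if ($secure -ne '1') { $findings += 'Screen saver does not require a password on resume.' }
if (-not $timeout -or [int]$timeout -gt 900) {
    $findings += "Screen saver timeout is '$timeout' seconds; must be 900 or less."
}

# --- Question 27: Automatic Updates set to download and install ---
$auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$auLocal  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$noAuto   = Get-RegValue $auPolicy 'NoAutoUpdate'
$auOption = Get-RegValue $auPolicy 'AUOptions'
if ($null -eq $auOption) { $auOption = Get-RegValue $auLocal 'AUOptions' }
# AUOptions: 2 = notify only, 3 = download but ask before install, 4 = download and install on schedule
if ($noAuto -eq 1) {
    $findings += 'Automatic Updates are disabled by policy.'
} elseif ($auOption -ne 4) {
    $findings += "AUOptions is '$auOption'; expected 4 (automatically download and install)."
}
# Last successful install, where Windows records it (older versions keep it here).
$lastOk = Get-RegValue "$auLocal\Results\Install" 'LastSuccessTime'
if ($lastOk -and ([datetime]$lastOk) -lt (Get-Date).AddDays(-30)) {
    $findings += "Last successful update install was $lastOk (more than 30 days ago)."
}

if ($findings.Count -eq 0) {
    Write-Host "${env:COMPUTERNAME}: compliant with questions 21, 25 and 27"
} else {
    $findings | ForEach-Object { Write-Host "${env:COMPUTERNAME}: $_" }
    exit 1
}
```

The non-zero exit code makes the script usable from a login script or a remote management job that collects results across a unit; the 30-day window on the last successful install is a reasonable default, not a figure from the Patch Management Standard, so adjust it to whatever that standard requires for your systems.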

 

28. Do users within your Auditable Unit save data to their local C: drive on their desktop or laptop workstations?
Addressed by university-wide training.
End users should not save sensitive information to local drives. Awareness of this issue is raised in ASU's mandatory information security awareness training for faculty and staff. Auditable Units should reinforce this message either in meetings or through electronic communications.

As an alternative to storing data locally, UTO offers network storage that can be used as easily as a local hard drive. Data hosted on UTO network storage is backed up regularly, stored offsite, and accessible using ASURITE authentication. More information is available online at https://help.asu.edu/node/1434. Your local IT support may automatically set up this space for you; contact your local IT representative for more information on network storage in your area.

Suggested reinforcement text: Sensitive data should never be saved to personal USB devices or local disks, nor sent via email (even just to yourself). Examples of sensitive data include [types of high risk/confidential data handled in your unit]. For more information on what information is sensitive, please see ASU's Data Classification Standard and the university-wide Information Security Policy. Both are available online at getprotected.asu.edu.

 

31. Do users within your Auditable Unit send sensitive data via email?
Addressed by university-wide training.
Electronic mail is not a secure communication mechanism. Sensitive data should not be sent by electronic mail, even within the same department. Awareness of this issue is raised in ASU's mandatory information security awareness training for faculty and staff. Auditable Units should reinforce this message either in meetings or through electronic communications.

If there is a legitimate business need to send sensitive data electronically, the data must be securely encrypted.

Suggested reinforcement text: Sensitive data should never be saved to personal USB devices or local disks, nor sent via email (even just to yourself). Examples of sensitive data include [types of high risk/confidential data handled in your unit]. For more information on what information is sensitive, please see ASU's Data Classification Standard and the university-wide Information Security Policy. Both are available online at getprotected.asu.edu.

 

32. Do users in your Auditable Unit save sensitive data to USB flash drives?
Addressed by university-wide training.
Sensitive data should not be stored on portable devices, including USB flash drives. If there is a legitimate business need to carry sensitive data on a portable device, the data must be securely encrypted. Awareness of this issue is raised in ASU's mandatory information security awareness training for faculty and staff. Auditable Units should reinforce this message either in meetings or through electronic communications.

Suggested reinforcement text: Sensitive data should never be saved to personal USB devices or local disks, nor sent via email (even just to yourself). Examples of sensitive data include [types of high risk/confidential data handled in your unit]. For more information on what information is sensitive, please see ASU's Data Classification Standard and the university-wide Information Security Policy. Both are available online at getprotected.asu.edu.

 

35. What has been your experience with the UTO Technical Support help desk in the past 6 months?
Will be addressed by UTO.
Auditable Units with concerns in this area will be contacted by UTO's Care Team to investigate and resolve Help Desk concerns.

Contact: ASU Service Desk, (480) 965-6500, or email via https://help.asu.edu/contact.

 

37. Are you aware that ASU has a HOTLINE where you can anonymously report any irregularity?
Addressed by university-wide training.
Information about the HOTLINE has been included in ASU's mandatory information security awareness training for faculty and staff. A HOTLINE publicity campaign has been undertaken university-wide. All personnel should be well aware of the HOTLINE by the time of the next IT Decentralized Risk Assessment. For further information, see the HOTLINE Web site at https://uabf.asu.edu/asu_hotline.

 

47. Is backup data routinely stored at a remote offsite location?
Partially addressed by university-wide training. May require departmental follow-up.
UTO offers a centrally provided network storage solution to all units. Data hosted on UTO network storage is backed up regularly, stored offsite, and accessible using ASURITE authentication. More information is available online at https://help.asu.edu/node/1434. Any data maintained locally should be backed up regularly, and the backup media should be stored offsite. Local backup systems should conform to UTO's configuration standards for Tivoli backup/restore and disaster recovery.

Awareness of this issue is raised in ASU's mandatory information security awareness training for faculty and staff.

 

49. Do you have an IT Disaster Recovery/Business Continuity Plan or are you a part of UTO's overall Disaster Recovery/Business Continuity Plan? Is it up to date?
Partially addressed by university-wide training. May require departmental follow-up.
ASU is investigating software that will assist units in developing localized DR/BC Plans. In the interim, the following resources from Disaster Recovery Journal may be of assistance to units.

Business Continuity for the Rest of Us
DRJ Toolbox (includes links to sample plans)
Business Continuity Planning Model

Centralized systems are covered by Disaster Recovery/Business Continuity Plans within UTO. For further information on a specific centralized system, contact the UTO team supporting that system. The ASU Service Desk can refer you to the appropriate contact.

Awareness of this issue is raised in ASU's mandatory information security awareness training for faculty and staff.

Contact: ASU Service Desk, (480) 965-6500, email via https://help.asu.edu/contact, or visit https://help.asu.edu for more information.

 

64. Describe the level of the labor force relative to all the work-related responsibilities that the IT Admins are tasked to perform.
May be addressable with UTO support.
Given current budget constraints at ASU, many units have limited capacity to respond to this concern at this time. The work-related responsibilities of decentralized IT admins may be reduced in some cases by using centralized IT services rather than duplicating those services in-house. Examples include networked data storage, virtual servers, and Web hosting. In the Spring semester 2010, UTO will publish a service catalog to assist in identifying centralized IT services your unit may be able to use.

Information on virtual servers is available at http://ets.fulton.asu.edu/ets-categories/sod.
Information on Web hosting is available at https://help.asu.edu/webhost.

Contact: ASU Service Desk, (480) 965-6500, email via https://help.asu.edu/contact, or visit https://help.asu.edu for more information.

 

68. Describe the level of labor force relative to all the work-related responsibilities your Auditable Unit is tasked to perform.
Outside the scope of this guide.
Given current budget constraints at ASU, many units have limited capacity to respond to this concern at this time. Auditable Units' staffing needs and responsibilities are outside the scope of this guide.