Corrective Action Plan Guide for the 2010 IT Decentralized Risk Assessment

The following information is offered to assist individual units in planning corrective actions in response to the 2010 IT Decentralized Risk Assessment. For further information, please refer to the Corrective Action Planning presentation.

Question numbers refer to the numbers in the original risk assessment survey.

 
B4. No apps access termination procedure
When someone leaves the employment of your Auditable Unit, including students, is there a procedure to immediately remove their access to all applicable file shares, servers and applications?
Addressed by university-wide training. 

Access to electronic resources should be removed promptly on termination in accordance with SPP 1007 and ASU's Information Security Policy. This includes membership in Active Directory and other permissions groups, login privileges to departmental servers and Web sites, access to enterprise data and departmental file shares, and card access to buildings. 

For normal terminations, managers should consult the HR Advisor Termination Checklist and contact UTO Computer Accounts to terminate computer services as necessary. 

An online form is available to remove computer access for a terminating employee immediately under the following special circumstances:
  1. You must immediately remove computing services for an employee being terminated.
  2. An employee still has an active contract even though (s)he is no longer, or not currently, working (on administrative leave).
The form can be found on MyASU at:
MyASU > My Employment > Manager > Job Information > Terminate System Access

Contact: ASU Computer Accounts Office, AcctsT2@asu.edu.
B5. No privilege review at regular intervals
Does a process exist to review user access rights to applications specific to the Auditable Unit at regular intervals?
Access to sensitive data should be granted on a needs basis and reviewed regularly. Data trustees and supervisors are responsible for ensuring that employees' information access is appropriate to their job duties. 

The Administrative System Access dashboard, available as a sidebar link from https://www.asu.edu/dashboard/, allows supervisors to view all centralized computing access granted to employees. The dashboard also allows data trustees to view all user access privileges to the data they oversee. 

Each department should develop a process to review rights to unit-specific applications, group memberships and permissions (including Active Directory), login privileges to departmental servers and Web sites, access to departmental file shares, and card access to buildings. An annual review of employee access privileges would be consistent with the annual review conducted by data trustees. 
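The reconciliation a unit can run for B4 and B5 together, as an added example (not an ASU or UTO tool): it compares an exported access inventory against the HR roster and flags grants held by inactive or unknown logins, plus grants not reviewed within the annual interval. The roster, grants and review dates below are constructed sample data.

```python
"""Access-review helper (added example, not ASU's or UTO's own tooling).

Reconciles a unit's access grants against the HR roster to flag:
  * grants held by people no longer active (B4: access not removed on termination)
  * grants whose last review is older than the review interval (B5: no periodic review)
All records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=365)   # annual review, as the guide suggests
AS_OF = date(2010, 6, 1)                # review date used for the sample run

@dataclass(frozen=True)
class Grant:
    user: str           # login name (constructed)
    resource: str       # file share, AD group, server login, building card ...
    last_reviewed: date

# Constructed HR roster: login -> still employed / active contract?
HR_ROSTER = {
    "jdoe": True,
    "asmith": False,    # left the unit last month
    "bchen": True,
}

# Constructed access inventory as it might be exported from AD or a share ACL.
GRANTS = [
    Grant("jdoe",   "AD:FIN-Payroll-RW",     date(2010, 3, 1)),
    Grant("asmith", "SHARE:\\\\fs1\\payroll", date(2009, 1, 15)),
    Grant("bchen",  "AD:FIN-Payroll-RW",     date(2008, 11, 2)),
    Grant("ghost",  "SERVER:web1 ssh",        date(2010, 2, 1)),  # no HR record at all
]

def orphaned_grants(grants, roster):
    """Grants whose holder is inactive or unknown to HR (B4 finding)."""
    return [g for g in grants if not roster.get(g.user, False)]

def stale_grants(grants, today, interval=REVIEW_INTERVAL):
    """Grants not reviewed within `interval` (B5 finding)."""
    return [g for g in grants if today - g.last_reviewed > interval]

def review_report(grants, roster, today):
    """Group findings by login so a supervisor can act on each person once."""
    report = {}
    for g in orphaned_grants(grants, roster):
        report.setdefault(g.user, set()).add(("remove", g.resource))
    for g in stale_grants(grants, today):
        report.setdefault(g.user, set()).add(("re-review", g.resource))
    return report

if __name__ == "__main__":
    for user, actions in sorted(review_report(GRANTS, HR_ROSTER, AS_OF).items()):
        for action, resource in sorted(actions):
            print(f"{user:8} {action:10} {resource}")
```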

Contact: PSSECTEC@asu.edu.
B6. No security awareness training provided
Do the employees of your Auditable Unit receive security awareness training upon hire and then annually thereafter?
Addressed by university-wide training. May require departmental follow-up.

As of December 21, 2009, all new faculty and staff receive online, self-paced information security awareness education and training upon hire. All existing faculty and staff are enrolled and required to complete this training. Annual online, self-paced refresher training is provided by the University Technology Office. Departments should require their staff to review the updated information provided in the annual refresher course. UTO can assist in packaging subsets of its existing information security awareness training materials on request in order to assist in meeting your unit's refresher training needs. 

Contact: UTOTraining@asu.edu.
B19. Users save data to their C: drives
Do users within your Auditable Unit save data to their local C: drive on their desktop or laptop workstations?
Partially addressed by university-wide training. May require departmental follow-up. 

End users should not save sensitive information locally unless the information is encrypted. The University recommends that sensitive information remain in secure file locations unless there is a specific business need that requires the data to be stored to local workstations, laptops or removable media. If there is a legitimate business need to store sensitive information locally, the workstation should be secured using whole disk encryption. Auditable Units should reinforce this message either in meetings or through electronic communications. 

As an alternative to storing data locally, UTO offers network storage that can be used as easily as a local hard drive. Data hosted on UTO network storage is backed up regularly, stored offsite, and accessible using ASURITE authentication. More information is available online at https://help.asu.edu/node/1434. UTO recommends configuring departmental workstations so that files are saved to the end user's personal network folder by default. 

Suggested reinforcement text: Sensitive data should not be saved to personal USB devices or local disks, nor sent via email (even just to yourself). If you must store sensitive data on your local disk for legitimate business purposes, the disk should be encrypted. Similarly, if you must transmit sensitive data electronically for legitimate purposes, the transmission should be encrypted. Examples of sensitive data include [types of high risk/confidential data handled in your unit]. For more information on what information is sensitive and what tools can be used to encrypt data in storage and transit, please see ASU's Data Classification Standard and the university-wide Information Security Policy. Both are available online at getprotected.asu.edu. 

Contact: Information Security Office, infosec@asu.edu.
B22. Sensitive data is sent/received via email
Are users within your Auditable Unit permitted to send or receive sensitive data via email?
Addressed by university-wide training. 

Electronic mail is not a secure communication mechanism. Sensitive data should not be sent by electronic mail, even within the same department. If there is a legitimate business need to send sensitive data electronically, the data must be securely encrypted. 

Auditable Units should reinforce this message either in meetings or through electronic communications. 

Suggested reinforcement text: Sensitive data should not be saved to personal USB devices or local disks, nor sent via email (even just to yourself). If you must store sensitive data on your local disk for legitimate business purposes, the disk should be encrypted. Similarly, if you must transmit sensitive data electronically for legitimate purposes, the transmission should be encrypted. Examples of sensitive data include [types of high risk/confidential data handled in your unit]. For more information on what information is sensitive and what tools can be used to encrypt data in storage and transit, please see ASU's Data Classification Standard and the university-wide Information Security Policy. Both are available online at getprotected.asu.edu. 

Contact: Information Security Office, infosec@asu.edu.
B23. No action taken to contain data leakage
Has your auditable unit taken stock of its data loss prevention requirements by understanding both the amount of access to sensitive data within the unit and the various transmission methods (email, USB devices, laptops, etc.) available to it, in order to contain data leakage?
Partially addressed in ASU Security Governance Standards. May require departmental follow-up. 

Each unit should develop a plan to conduct an inventory of sensitive data and regular audits of access privileges to that data. Where possible, sensitive data should be encrypted at rest and in transit. 

Units can use Cornell Spider to identify sensitive data on departmental equipment. Instructions are available online at https://help.asu.edu/node/2446. The following documents, available online at https://getprotected.asu.edu/governance, may assist units in defining sensitive data and determining what access activities to monitor:
  • Data Classification Standard
  • Data Owner and Trustee Standard
  • System Audit Requirements
Contact: Information Security Office, infosec@asu.edu.
B26, IT19. Digital certificates have lapsed
If your Auditable Unit does utilize digital certificates, is there an established procedure in place that records the term of the digital certificates and when they expire?
Requires departmental follow-up. 

UTO has contracted with InCommon to provide digital certificates university-wide at no cost to individual units. Certificate terms and expiration dates will be managed centrally and automatically according to an established procedure. All units are strongly encouraged to use this free centralized service immediately for new certificates and to move existing certificates to the centralized service when they expire. More information on UTO's free centralized digital certificate service is available at https://help.asu.edu/node/2358.

Contact: ASU Help Desk, (480) 965-6500.
B37, IT32. There is an extreme rate of change 
How would you describe the rate of change you're currently experiencing within the overall IT environment at ASU?
Change is inherent in the IT field; little can be done to "remedy" this condition. Departmental units may wish to address this item by standardizing hardware/software specifications, emphasizing transparency in upgrades and migrations, and/or clearly documenting established standards, guidelines, and procedures.
B43, IT37. We are understaffed for the work we do
Describe the level of the labor force relative to all the work-related responsibilities your unit is tasked to perform.
May be addressable with UTO support.

Given current budget constraints at ASU, many units have limited capacity to respond to this concern at this time. The work-related responsibilities of decentralized IT admins may be reduced in some cases by using centralized IT services rather than duplicating those services in-house. Examples include networked data storage, virtual servers, and Web hosting. 

Information on virtual servers is available at https://ets.fulton.asu.edu/ets-categories/sod.
Information on Web hosting is available at https://help.asu.edu/webhost.

Contact: ASU Help Desk, (480) 965-6500.
B49. An incident was not handled properly
For any IT security incident experienced by your Auditable Unit in the last 12 months, was it handled and resolved satisfactorily?
The Information Security Office is here to help with IT security incidents. If you have questions or concerns with any IT security events, please contact the ISO as soon as they occur or are discovered. The Information Security Office will cooperatively determine the proper course of action, classify the event as an incident, and invoke an Incident Response Team as appropriate. Information on how to respond to IT security incidents is found in the ASU Incident Response standard, available online at https://getprotected.asu.edu/governance/#standards.

Contact: Information Security Office, infosec@asu.edu.

IT13. Data is not subject to rules of retention
Does your Auditable Unit follow an information classification scheme that identifies and controls electronic data subject to the rules of data retention?

Partially addressed in ASU Security Governance Standards. May require departmental follow-up.

Units can use Cornell Spider to identify sensitive data on departmental equipment. Instructions are available online at https://help.asu.edu/node/2446. Each unit should develop plans to conduct a data inventory to address the control and retention issues. The following resources are available online at https://getprotected.asu.edu/governance/#standards:
  • Data Classification Standard
  • Data Owner and Trustee Standard
Regulations concerning student data covered under FERPA can be found online at https://students.asu.edu/policies/ferpa.
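What a Spider-style discovery pass (B23 and IT13) actually does, as an added illustration that is not Cornell Spider's code: match high-risk patterns in text, validate each candidate to cut false positives, and report only redacted values so the inventory itself does not become a new copy of the sensitive data. The file content is constructed sample text.

```python
"""Sensitive-data discovery (added example; not Cornell Spider's code).

Illustrates what a Spider-style scan does: walk text, match high-risk
patterns, and validate candidates to cut false positives before a unit
builds its data inventory.  Sample content below is constructed.
"""
import re
from typing import NamedTuple

class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    redacted: str   # only the last four digits are kept in the report

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def plausible_ssn(area, group, serial):
    """Reject ranges the SSA never issues (000/666/9xx area, 00 group, 0000 serial)."""
    a, g, s = int(area), int(group), int(serial)
    return 1 <= a <= 899 and a != 666 and g != 0 and s != 0

def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def redact(digits):
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_text(path, text):
    """Yield one Finding per validated match; values are redacted before leaving here."""
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                yield Finding(path, line_no, "SSN", redact("".join(m.groups())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                yield Finding(path, line_no, "CARD", redact(digits))

SAMPLE = """Student roster export (constructed test data)
ID 123-45-6789 enrolled fall 2009
Refund card 4111 1111 1111 1111 posted
Phone 000-12-3456 is not an SSN
Order 1234 5678 9012 3456 fails Luhn
"""

def scan_sample():
    return list(scan_text("roster.txt", SAMPLE))
```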

Contact: CRM provider group PSCCFUN.

 
IT16. We have developed our own Web apps
Has your Auditable Unit developed its own Web-based applications?

Partially addressed by university-wide training. May require departmental follow-up. 

Web applications are considered "home grown" if they are on an ASU server that is not an enterprise server. Developers of home grown applications must undergo ASU's mandatory Web security training and are encouraged to attend quarterly meetings of the Web Developers Group. More information on the group is available online at https://confluence.dmit.asu.edu/display/dg/Home.

ASU Web applications and content are governed by the Digital Strategy Board and subject to its audit checklist, available online at https://commguide.asu.edu/webauditchecklist. Developers of new applications should contact the Information Security Office for security/architecture review. More information on this topic is available in ASU's Web Application Security Standard and Secure Web Development Standard, both available online at https://getprotected.asu.edu/governance.

New applications will soon be required to register through a Web Inventory application to maintain appropriate contact information and other pertinent information about each site. 

Contact: Information Security Office, infosec@asu.edu.

 
IT17. Web apps not security assessed last year
If your Auditable Unit has its own Web-based application(s), has it undergone a security assessment in the last year?

Requires departmental follow-up.

New Web applications must be scanned before they are migrated into production; existing applications are subject to enterprise scanning. The frequency of scanning for a given application is based on its criticality. 

To request an application scan, contact sac@asu.edu. Application developers can use ASU's AppScan toolset to scan their own applications in advance of the required enterprise scan. To request access to AppScan, have your TAG representative submit a recommendation on your behalf to the Information Security Office. 

More information on this topic is available in ASU's Web Application Security Standard and Secure Web Development Standard, both available online at http://getprotected.asu.edu/governance. 

Contact: Information Security Office, infosec@asu.edu.

 
IT19, B26. Digital certificates have lapsed
If your Auditable Unit does utilize digital certificates, is there an established procedure in place that records the term of the digital certificates and when they expire?

Requires departmental follow-up. 

UTO has contracted with InCommon to provide digital certificates university-wide at no cost to individual units. Certificate terms and expiration dates will be managed centrally and automatically according to an established procedure. All units are strongly encouraged to use this free centralized service immediately for new certificates and to move existing certificates to the centralized service when they expire. More information on UTO's free centralized digital certificate service is available at https://help.asu.edu/node/2358.

Contact: ASU Help Desk, (480) 965-6500.

 
IT23. Not aware of the Hotline
Are you aware that ASU has a HOTLINE where you can anonymously report your concerns?

Addressed by university-wide training.

Information about the HOTLINE has been included in ASU's mandatory information security awareness training for faculty and staff. A HOTLINE publicity campaign has been undertaken university-wide. All personnel should be well aware of the HOTLINE by the time of the next IT Decentralized Risk Assessment. For further information, see the HOTLINE Web site at https://uabf.asu.edu/asu_hotline.

 
IT26. B/U media is not routinely stored offsite
For data stored locally by the Auditable Unit, is the backed up media routinely stored at a remote offsite location?

Partially addressed by university-wide training. May require departmental follow-up. 

UTO offers a centrally provided network storage solution to all units. Data hosted on UTO network storage is backed up regularly, stored offsite, and accessible using ASURITE authentication. More information is available online at https://help.asu.edu/node/1434. UTO recommends configuring departmental workstations so that files are saved to the end user's personal network folder by default. 

Any data maintained locally should be backed up regularly, and the backup media should be stored offsite. Local backup systems should conform to UTO's configuration standards for Tivoli backup/restore and disaster recovery. 

Contact: ASU Help Desk, (480) 965-6500.

 
IT28. There is no IT DR/BCP
Does your auditable unit have its own IT Disaster Recovery/Business Continuity Plan?

Centralized systems are covered by Disaster Recovery/Business Continuity Plans within UTO. For further information on a specific centralized system, contact the UTO team supporting that system. The ASU Help Desk can refer you to the appropriate contact. 

The following resources from Disaster Recovery Journal may be of assistance to units in developing their own Disaster Recovery/Business Continuity plans: 

  • DRJ Toolbox (includes links to sample plans)
  • Business Continuity Planning Model

Contact: ASU Help Desk, (480) 965-6500.

 
IT32, B37. There is an extreme rate of change
How would you describe the rate of change you're currently experiencing within the overall IT environment at ASU?

Change is inherent in the IT field; little can be done to "remedy" this condition. Departmental units may wish to address this item by standardizing hardware/software specifications, emphasizing transparency in upgrades and migrations, and/or clearly documenting established standards, guidelines, and procedures.

 
IT37, B43. We are understaffed for the work we do
Describe the level of the labor force relative to all the work-related responsibilities your unit is tasked to perform.

May be addressable with UTO support. 

Given current budget constraints at ASU, many units have limited capacity to respond to this concern at this time. The work-related responsibilities of decentralized IT admins may be reduced in some cases by using centralized IT services rather than duplicating those services in-house. Examples include networked data storage, virtual servers, and Web hosting. 

Information on virtual servers is available at https://ets.fulton.asu.edu/ets-categories/sod.
Information on Web hosting is available at https://help.asu.edu/webhost.

Contact: ASU Help Desk, (480) 965-6500.

 
IT42. Not aware of Incident Response Std / Have not read Incident Response Std
If your Auditable Unit experienced an IT security incident, who would you report it to first?

Partially addressed by university-wide training. May require departmental follow-up.

In accordance with ASU's Incident Response standard, available online at https://getprotected.asu.edu/governance/#standards, individuals and decentralized units are responsible for reporting IT security events to the Information Security Office as soon as they occur or are discovered. The Information Security Office will cooperatively determine the proper course of action, classify the event as an incident, and invoke an Incident Response Team as appropriate. 

Contact: Information Security Office, infosec@asu.edu.