IT Security Risk Management Change History

See below for a list of revisions to the Risk Management Program Document.


ITS-RM Change History
Summary of changes between v. 1.0 (05/07/04) and v. 2.0 (08/17/04)
Updated tools
In addition to the imposing 75 pp. Word and PDF versions of the ITS-RM packet, an HTML version suitable for browsing through the different aspects of the program, reviewing resources and focusing on smaller pieces of the process is now available
In addition to the full packet, there is now a shorter “reports” document in Word and PDF formats that contains just the templates that need to be filled out, providing a convenient “deliverables” document
Added many new links and resource pointers
Made the question sets easier to use, adding signposting and rolling headers, and reorganizing questions to flow better
Combined the GLBA and FERPA risk assessment question supplements since the overlap between them was so strong, individually labelling questions applying to only one standard
The IT Mission Continuity plan is completely new (adapted from an HS/CS document), is less complicated, and is integrated into the main document rather than being a separate file
Other changes
The statement on executive support was completely redone to reflect the program’s progress through the executive management and policy processes
There is more explicit focus on defining “critical assets” in terms of each department’s mission, reflected in the addition of several questions to Table 1: Critical Asset Criteria
In addition to other language changes, “remediation plan” has been renamed “security plan,” with the intent of emphasizing that the program isn’t about what’s broken, but rather about improving security by documenting what’s already being done and analyzing on an on-going basis what improvements can be made with finite resources
Added language about the need for a small number of Medical Center (Agency 209) departments responsible for systems identified in Appendix C to substitute the RiskWatch assessment tool administered by HS/CS for the ITS-RM HIPAA question set
Full list of changes between v. 1.0 (05/07/04) and v. 2.0 (08/17/04), in page order
General
changed all instances of “HSCS” to “HS/CS” to reflect their standard usage; “Health Systems Computing Services” to “Health System...”
in the introduction to each template, added boilerplate: “(A copy of this template, as well as all the other templates required to complete your department’s report on the ITS-RM process, is available in Word format here <link> and Adobe PDF format here <link>.)”
changed all instances of “remedial” to “corrective”; “remediation plan” to “security plan”; “remedying” to “mitigating”
made all references to the need to repeat the ITS-RM process “at least every three years or...” consistently be followed by “when there are significant changes to departmental IT assets or risk environment.”
added links everywhere text says “see x” (about half were unlinked in v. 1.0)
put links to glossary items where appropriate throughout text
tried to render URLs consistently
URLs within a paragraph bracketed < >
URLs on own line, unbracketed
added mailto links to all email addresses
Table of Contents page: added “This is version 2.0 of the University of Virginia Information Technology Security Risk Management (ITS-RM) Program materials. Both a summary and complete list of changes since version 1.0 (05/07/2004) are available at <http://www.itc.virginia.edu/security/riskmanagement/pages/history.html>. All materials ©2004 by the Rector and Visitors of the University of Virginia.”
Section I.
retitled “Executive Support and Policy Statement”
the entire page was completely redone to reflect the program’s progress through the executive management and policy processes
Section II.A.
added “and tools” to “departments with the information and tools they need”
changed “Chemistry department” to “Physics Department” (Rick Marshall noted the error)
Section III.A.
changed “Weight the threat” to “Assign weight to each threat” in text and chart
changed “see Appendix A for a sample departmental analysis and report. This example does not necessarily cover all the issues facing your department, but it is intended as an example of the type of response expected.” to “see Appendix A for sample responses to these steps. These examples do not necessarily cover all the issues facing your department, but they are intended as examples of the type and level of response expected.”
in Chart 1 moved far left and far right items toward the middle slightly
added “Additional resources for general technology planning, including a list of best practices for U.Va. departments, are available at <http://www.itc.virginia.edu/dcs/dpo/>.”
numbered questions in Mission Impact Analysis Questions
added “infrastructure and” to question 3: “What IT hardware infrastructure and assets are critical to the performance of those key functions?”
Section III.B. Step 1
Table 1
Changed “The asset is required to support central University business functions.” to “The asset is required to provide central University business and support functions.”
changed “The asset is required to provide IT services to multiple University departments or to other institutions or agencies.” to “The asset is required to provide services on which multiple University departments or other institutions or agencies depend.” in order to generalize the statement to all services (not just IT), and focus on the receiving departments’ dependence on the providing department
added new row “The asset is required to support a vice-presidentially designated critical function area.”
added new row: “The asset is required to perform other functions essential to a department’s mission”
new paragraph: As you can see from Table 1, for purposes of this process the definition of “critical” goes well beyond the medical sense of “life and death.” Based on your mission, what functions do you perform with safety or legal ramifications? What do you do that is important to the University as a whole or to other departments? What’s important for your department to get its job done? What failure don’t you want to end up on a vice-president’s desk?
Section III.C. Step 2
“Three sets of templates and examples are included to assist in this process:” changed to “Three sets of templates and/or tools are included to assist in this process:”
“2.3 Security plan development (template and example)” changed to “2.3 Security plan development (template)”
Section III.C. Step 2.1
Intro: changed “Weight the threat” to “Assign weight to each threat” in text and chart
“Below are four sets of questions to help you assess risk and associated security practices in your department: a general risk assessment, a HIPAA supplement, a GLBA supplement and a FERPA supplement.” changed to “Below are three sets of questions to help you assess risk and associated security practices in your department: a general risk assessment, a HIPAA supplement, and a combined GLBA and FERPA supplement.”
added: “Medical Center (Agency 209) departments responsible for systems identified in this policy must substitute the RiskWatch assessment tool administered by HSCS for the ITS-RM question sets provided in this section. Other Medical Center (Agency 209) departments have the option of using either the RiskWatch tool or the ITS-RM question sets that follow. For additional information on the RiskWatch tool, contact Jay Early <jee@virginia.edu>. All Agency 207 (Academic Division) and 246 (College at Wise) departments should use the ITS-RM question sets.”
reference to COV Security Standard in footnote now has Internet link to document
added signposting letters to categories within question sets, and numbered questions within categories; added “rolling headers” to the top of each page of the question set
General questions
Physical security: added links to information on
desktop and laptop anti-theft options
signs a machine has been hacked
Account/Password management
reordered questions in this section to group related items better and improve “flow”
added sentence within parentheses: “Does the department disallow shared accounts? (For email, use mailing lists rather than shared accounts if multiple people need to review the same messages; for file servers, use group memberships rather than generic accounts.) If not, is use of shared accounts audited frequently?”
added “Does the department have a policy on keeping passwords confidential? (See Responsible Computing Handbook <link> and Oracle User Responsibility Acknowledgement and Agreement <link>.)”
added: “Does the department securely escrow passwords for accounts that may need to be accessed in the absence of their normal administrator or in an emergency situation? (A short overview of and rationale for password escrow is available here <link>.)”
added “except” clause to: “Does the department require that passwords not be written down or shared, except for purposes of escrow?”
changed: “Does the department disallow dial-in access to office computers or servers?” to “Does the department disallow modems attached to servers and desktops that can receive calls?”
Virus: changed “Does the department remind users to scan after each update?” to “Does the department remind users to scan regularly in addition to updating?”
Backup: removed “Does the department prohibit the use of e-mail folders for document storage?” The original purpose of this question is unclear, but it may be related to document retention issues (attachments may replace previous paper copies and be more valuable than the email content to which they are connected); I may need to add this back if further investigation indicates it is necessary
Confidentiality of data: added link to data removal policy/procedures
HIPAA questions
added “Medical Center (Agency 209) departments responsible for systems identified in this policy must substitute the RiskWatch assessment tool administered by HSCS for the ITS-RM question sets provided in this section. Other Medical Center (Agency 209) departments have the option of using either the RiskWatch tool or the ITS-RM question sets that follow. For additional information on the RiskWatch tool, contact Jay Early <jee@virginia.edu>. All Agency 207 (Academic Division) and 246 (College at Wise) departments should use the ITS-RM question sets.”
Documentation: reordered questions for better flow across page break
Combined GLBA and FERPA supplements since overlap was so strong, individually labelling questions referring to only one standard
FERPA question: replaced “data” with “which” in last clause: “Knowing which student data may be released without permission and which may not”
replace “student data” and “customer data” with “protected data” as appropriate; refer to “customers and/or students” as appropriate
Section III.C. Step 2.2
changed “and a way to hone in on he most vital ones” to “and a way to hone in on the most vital ones”
changed “identifying which strategies are already in place and which need to be implemented.” to “identifying which strategies are already in place, which ones need to be implemented and which ones are either unnecessary or unjustifiable.”
Threat, Attack, Vulnerability Scenarios
added rolling headers to the grid
In “Identified Strategies” column, changed all instances of “Have central IT group manage or host services” to “Have ITC (HS/CS) manage or host services Win <link> | Unix <link>”
1.C.
added link to Unix server administration in “Identified Strategies”
added resource links to
ITC Help Desk’s list of known applications that cause poor network & computing performance; focused on most common problems, with links to sites with more comprehensive information
HS/CS’s software support policy, incl. list of unauthorized applications
2.A. “Affect” to “Effect”
2.B. Data loss: added “• Data recovery costs per drive; first 3 found via Google 7/27/04 with price; most said “call for estimate”: • $99 + $129/hr. • $500 to $4000 • $625-875”
3.B. fixed broken link on “security training”: http://www.itc.virginia.edu/security/admin.phtml
Section III.C. Step 2.3
changed “Use the template below to document your decisions regarding the countermeasures you are already taking, those you will implement going forward and those you have chosen to leave undone” to
“Use the template below to document your decisions regarding:

1. Countermeasures you are already taking
2. Countermeasures you will implement going forward
3. Countermeasures you have identified but decided not to implement”
to bring attention to the three parts and focus on the activity involved in #3
Template: changed “mitigation steps identified but left undone” to “mitigation steps you identified but decided not to implement.”; added “not implementing:” category to “Mitigation strategies” column
Template: added running header
deleted “Security Plan Example
An example is not available in the initial version of this documentation. An updated version is expected at the program Web site by summer 2004.
http://www.itc.virginia.edu/security/riskmanagement/”
Section III.D.
ellipsed references to “business” in the security standard quotation
reference to COV Security Standard in footnote now has Internet link to document
added “Note: The costs associated with mission continuity preparedness can be significant, and they increase dramatically the more rapid the recovery that is required. Such efforts do benefit from economies of scale, however, allowing larger organizations to put measures in place that would be cost-prohibitive for smaller ones. Having ITC or HS/CS host services or servers for your department can pay for itself when continuity preparedness costs are factored in, even in cases where the financial case is marginal based simply on day-to-day operational costs.”
added running header to question set
added signposting to categories with alphas, numbered questions within category
added parenthetical statement: “A. Interim Manual Process Components (aka Downtime Procedures)”
removed “See example IT Mission Continuity Plan template.” references in question set
added the last two sentences: “See CIMP for official University notification procedures. (Those in the Health System should route notification through HS/CS.) All contacts with the public regarding the incident should be routed through University Relations (Media Relations in the Health System).”
added “8. Does the department securely escrow passwords for accounts that may need to be accessed in the absence of their normal administrator or in an emergency situation?”
added second sentence: “10. Do you have recovery plans for each service to be restored (specific, complete, up-to-date)? Do they include a list identifying all system, application and data file systems that must be recovered for each system?”
added “(Off-site rotation involves periodically and systematically moving backup media to a physically and environmentally secure facility at a significant distance from the asset being backed up.)” to the offsite backup rotation question
added parenthetical statement and deleted bracketed word: “Are installations and changes to those critical [physical] configurations governed by a formal change management process? (This will vary from simple chronological logging of changes to assist in troubleshooting or back out, to a multilevel review involving significant testing for more complex and highly critical systems.)”
deleted “(It is available as a separate document at <http://www.itc.virginia.edu/security/riskmanagement/IT_mission_cont_ex.doc>.)”
replaced “See the IT Mission Continuity Plan template for an example.” with “Based on your answers to the Mission Continuity Questions and the steps outlined in the checklists, create (or update) your IT Mission Continuity Plan using the template below.”