Step 1: IT Mission Impact Analysis
- Determine your department’s critical assets (hardware, software, information, people) based on Table 1 below and your department’s mission
Step 2: IT Risk Assessment
- Assess departmental security practices against audit, state and federal standards
- Map your department’s assets from Step 1 to the threat scenarios provided (and others that your department identifies)
- Assign a weight to each threat to your assets based on the likelihood of its occurring in your environment and the impact it would have on the affected asset if it did
- Prioritize the threats you face
- Map these threats back to response strategies provided (and others your department develops)
- Create (or update if you already have one) your department’s security plan for mitigating or accepting the identified risks
- Take into account previously implemented strategies and existing plans – use (and document) effort and analysis that you have already produced
- Document your key decisions and justifications
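The weighting, prioritization and decision-recording bullets of Step 2 can be kept honest with a small risk register. The following is an added example written for this page, not part of the ITS-RM guidance or of any U.Va. tool; the 1-to-5 scales, the acceptance threshold, and the assets, threat scenarios and strategies are constructed illustrations, and a department would substitute its own from Table 1 and the threat scenarios provided.

```python
"""Minimal risk register for ITS-RM Steps 1 and 2 (added example)."""
from dataclasses import dataclass

# Ordinal scales. Assumption: the guidance prescribes no scale, so 1..5 is
# used for likelihood, impact and asset criticality alike.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risks scoring at or above this must be mitigated; lower ones may be accepted,
# but only with a documented justification (Step 2, last bullet). Assumed value.
ACCEPT_THRESHOLD = 30


@dataclass(frozen=True)
class Asset:
    name: str
    category: str      # hardware, software, information or people (Table 1)
    criticality: int   # 1..5 from the Step 1 mission impact analysis


@dataclass(frozen=True)
class Threat:
    scenario: str
    likelihood: str    # key into LIKELIHOOD
    impact: str        # key into IMPACT


@dataclass
class RiskEntry:
    asset: Asset
    threat: Threat
    score: int
    decision: str       # "mitigate" or "accept"
    strategy: str       # chosen response strategy; empty if none yet
    justification: str  # required whenever the risk is accepted


def risk_score(asset: Asset, threat: Threat) -> int:
    """Weight = likelihood x impact, scaled by how critical the asset is."""
    return LIKELIHOOD[threat.likelihood] * IMPACT[threat.impact] * asset.criticality


def build_register(assets, threats, exposure, strategies, acceptances):
    """Map each asset to the scenarios that apply to it and score each pair.

    exposure:    {asset name: [scenario, ...]}         (the Step 2 mapping)
    strategies:  {scenario: response strategy}
    acceptances: {(asset name, scenario): justification} for accepted risks
    """
    by_name = {a.name: a for a in assets}
    by_scenario = {t.scenario: t for t in threats}
    register = []
    for asset_name, scenarios in exposure.items():
        asset = by_name[asset_name]
        for scenario in scenarios:
            threat = by_scenario[scenario]
            score = risk_score(asset, threat)
            key = (asset_name, scenario)
            if score < ACCEPT_THRESHOLD and key in acceptances:
                register.append(RiskEntry(asset, threat, score, "accept", "", acceptances[key]))
            else:  # above threshold: acceptance is not an option, a strategy is required
                register.append(RiskEntry(asset, threat, score, "mitigate",
                                          strategies.get(scenario, ""), ""))
    return register


def prioritize(register):
    """Highest-weighted risks first; ties broken deterministically by name."""
    return sorted(register, key=lambda e: (-e.score, e.asset.name, e.threat.scenario))


def audit(register):
    """Gaps that would leave the security plan incomplete."""
    problems = []
    for e in register:
        if e.decision == "mitigate" and not e.strategy:
            problems.append(f"no response strategy for {e.asset.name} / {e.threat.scenario}")
        if e.decision == "accept" and not e.justification:
            problems.append(f"accepted without justification: {e.asset.name} / {e.threat.scenario}")
    return problems


# Constructed sample input; not drawn from the ITS-RM page.
ASSETS = [Asset("Grants database", "information", 5),
          Asset("Department file server", "hardware", 4),
          Asset("Lab workstation", "hardware", 2)]
THREATS = [Threat("Ransomware encrypts departmental data", "possible", "severe"),
           Threat("Hardware failure", "likely", "moderate"),
           Threat("Phished credentials used to read data", "likely", "major")]
EXPOSURE = {"Grants database": ["Ransomware encrypts departmental data",
                                "Phished credentials used to read data"],
            "Department file server": ["Ransomware encrypts departmental data", "Hardware failure"],
            "Lab workstation": ["Hardware failure"]}
STRATEGIES = {"Ransomware encrypts departmental data": "offline backups, restore tested quarterly",
              "Hardware failure": "vendor support contract plus spare hardware"}
              # no strategy recorded yet for the phishing scenario: audit() flags it
ACCEPTANCES = {("Lab workstation", "Hardware failure"): "spares on hand; holds no unique data"}


def sample_plan():
    register = prioritize(build_register(ASSETS, THREATS, EXPOSURE, STRATEGIES, ACCEPTANCES))
    return register, audit(register)


if __name__ == "__main__":
    register, problems = sample_plan()
    for e in register:
        print(f"{e.score:3d}  {e.decision:8s}  {e.asset.name} / {e.threat.scenario}")
    for p in problems:
        print("GAP:", p)
```

Run as a script it prints the prioritized list (the grants database under phished credentials ranks first at 80) and one gap, because the highest-ranked risk has no response strategy recorded; the accepted workstation risk passes because its justification is written down. The threshold forbids silently "accepting" a high-scoring risk, which is the behaviour that makes the documented decisions reviewable in Step 4.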
Step 3: IT Mission Continuity Planning
- Create (or update) a response plan for your department to use in the event that critical IT assets are lost, unavailable, corrupted or disclosed
- Test your plan
Step 4: Evaluation and Reassessment
- Repeat Steps 1-3 every three years or when there are significant changes to departmental IT assets or risk environment
- Review the success of your prior analysis, testing and any responses made, whether they were corrective, preventative or post-incident
- Incorporate responses to any intervening changes (new operating system, critical applications or data, or state or federal standards)
See section F. below for the reporting requirements of this process, and see Appendix A for sample responses to these steps. These examples do not necessarily cover all the issues facing your department, but they are intended as examples of the type and level of response expected. The time necessary to complete the ITS-RM process will vary with the size of the department, the breadth of its mission and the complexity of its IT infrastructure. Departments should establish internal deadlines for the completion of each step of the process in order to ensure steady progress.
Make liberal use of copy/paste as you move from step to step, and utilize any previous work your department has done in security planning and disaster recovery. This process should build on what you have already done rather than causing you to redo work.
Additional resources for departmental managers regarding IT security are available at <http://www.itc.virginia.edu/security/manager.phtml>. Additional resources for general technology planning, including a list of best practices for U.Va. departments, are available at <http://www.itc.virginia.edu/dcs/dpo/>.

