Risk & Security Assessment
Overview
This updated standard is to help align existing IT practices around Risk and Security Assessment to the requirements in NIST 800-171 (RA/SA | 3.11.x/3.12.x) as well as industry best practices. This document does not give full coverage of 3.11.x or 3.12.x controls within 171 due to existing limitations and other requirements that are specific to CUI.
What is in this document:
- Risk assessment requirements
- Vulnerability scan requirements
- Remediation requirements
What is NOT in this document:
- Types of risk assessments that occur
- Dates of risk assessments
- Scope of risk assessments
Policy Reference
APM 30.11 University Data Classification and Standards
APM 30.12 Acceptable Use of Technology Resources
APM 30.14 Cyber Incident Reporting and Response
Purpose
This Risk Assessment standard supports APM 30.11 University Data Classification and Standards, and other relevant university policies.
Scope
These Standards are the minimum baseline for all managed and unmanaged systems that access, store or process University of Idaho data (see APM 30.14 C-6) or using University of Idaho technology resources (see APM 30.12 C-1) at the Low, Moderate or High risk levels (see APM 30.11) not otherwise covered by an approved system security plan.
Standards
To ensure risk assessments identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity to the university, risk assessments must occur regularly under the direction of OIT Security with all required stakeholders.
- Risk assessments are scheduled to occur annually based on calendar year unless otherwise scheduled.
- Risks shall be categorized by severity level calculated by impact and likelihood.
- Risk assessments shall evaluate the security of university data and systems based on their data classification under APM 30.11, including the adequacy of the existing controls.
- Risks must be reported to data owner, CIO and appropriate entities.
- OIT security may scan systems using the following methods at any time at the discretion of OIT Security:
- Agent-based scanning
- Network scanning
- Application vulnerability scanning
- Systems and applications are scanned weekly, or more frequently.
- System and applications scans occur when significant new vulnerabilities are discovered at the discretion of OIT Security.
- Any and all systems connected to university-managed networks are subject to unauthenticated network scanning.
To ensure risks and vulnerabilities discovered are resolved:
- OIT Security will determine if remediation is required.
- Risks that require remediation will be tracked via ticket with system owner.
- Risks that require remediation must be resolved within a timeframe defined by OIT Security.
- Risks that cannot be resolved within a timeframe defined by OIT Security must have mitigating controls approved by OIT Security until the risk or vulnerability can be resolved.
- Standard timeframes, unless otherwise specified by OIT Security, are:
- For high-risk issues: 4 hours
- For medium-risk issues: 1 business day
- For low-risk issues: 10 business days
- Risks that cannot be resolved must have mitigating controls approved by OIT Security that are reviewed annually.
- Systems with unresolved vulnerabilities or risks may be taken offline at the discretion of the CSIRT.
- CSIRT must make a best effort to communicate systems being taken offline to system owner and users.
- Penetration tests are scheduled to occur at least annually based on the calendar year unless otherwise scheduled.
- Penetration test results must be included in the annual risk assessment.
A vendor security assessment (VSA) must be completed by the OIT Security prior to purchase of resources from, usage of services provided by or sharing of university data with third parties. To complete the assessment:
- Vendors must provide a HECVAT completed within the last 12 months upon request.
- Vendors must provide a SOC type 2 report and bridge letter.
- Vendors determined to be of significant risk, at discretion of OIT Security and/or U of I data steward, may be required to provide updated documentation periodically (no more than annually, except in case of a breach or incident) during the term of contract.
- Alternative reports or certification may be accepted or required at the discretion of OIT Security.
- Risks identified by the assessment must be addressed through mitigation, resolution or acceptance by the data owner.
Other References
1. NIST SP800-171r2 (February 2020)
2. NIST SP800-53r5 (September 2020)
3. Gramm-Leach-Bliley Act STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION (May 2002)
4. CMMC Glossary (December 2021)
Definitions
1. Risk
“A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.” (NIST SP 800-171)
2. Vulnerability
“Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.” (CMMC Glossary)
3. Risk Assessment
“The process of identifying risks to organizational operations including mission, functions, image, reputation, organizational assets, individuals, other organizations and the Nation, resulting from the operation of a system.” (NIST SP 800-171)
4. Penetration test
“A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of a system.” (NIST SP 800-53)
Standard Owner
U of I Office of Information Technology (OIT) is responsible for the content and management of these standards.
To request an exception to this standard.
Contact: oit-security@uidaho.edu
Revision History
3/1/2024 — Minor updates
- Minor formatting/wording/reference changes.
6/23/2023 — Original standard
- Full re-write to align with NIST 800-171r2