Information Resource Risk Assessment Guideline

Information Resource Risk Assessment Guideline
Syracuse University – Information Technology and Services
Information Security Guideline – G0102
1.0 Scope
This document covers all information technology assets that store, transmit or process SU data.
2.0 Purpose
The purpose of this document is to provide a consistent approach for evaluating the risk presented by a
particular IT asset not being compliant with an external requirement, SU policy, ITS standard or guideline,
or lack of mitigation of an identified vulnerability. It then goes on to define the various signatures and
notifications required for granting an exception to a compliance requirement or vulnerability remediation
based on the level of risk.
3.0 Guideline
In order to assess the risk presented by a particular system, the following items must be quantified.
1. Data Classification Score: Determined by the highest classification of data that is stored or
processed on the system in question as per the Syracuse University Information Security
Standard.
2. Data Exposure Score: Determined by evaluating the level of data exposure as a result of
technical controls around the asset such as firewalls and ACLs.
3. Admin Control Score: Determined by evaluating the administrative control of the asset.
Once these three components are identified, the asset’s Threat Exposure Score can be calculated using
the below equation:
Threat Exposure Score = Data Classification Score * (Data Exposure Score + Admin Control Score)
The Threat Exposure Score is then compared against a qualified Vulnerability Score as follows:



High, Medium or Low as provided by the weekly InfoSec vulnerability scans. (Scores labelled
“critical” are considered “high” for this process)
High for any external requirement, SU policy, or ITS standard or guideline that an exception is
being sought for.
A value of High, Medium or Low to be determined by the ISO in conjunction with the school or
unit seeking the exception if the other scoring methods do not make practical sense.
The comparison of the Threat Exposure Score against the Vulnerability Score will then provide a
qualified Risk Score of HIGH, MEDIUM, or LOW. Based on the Risk Score, the school or unit seeking an
SU Information Technology Security Guideline G0102 – Information Resource Risk Assessment
Page 1
exception needs to seek and obtain the following approvals, and file those approvals with the
Information Security Office. (Note: We need to develop a form and a process for “filing” these – Chris
C.)




RISK SCORE = LOW: Unit’s IT Director
RISK SCORE = MEDIUM: Unit’s IT Director, DDD
RISK SCORE = HIGH: Unit’s IT Director, DDD, ISO
RISK SCORE = CRITICAL: Unit’s IT Director, DDD, ISO, CIO
3.1 Quantifying Data Classification Score
A risk assessment is not complete without a process of identification of information in the information
systems to be protected. Based on the type of data as defined by the Syracuse University Information
Security Standard, the Data Classification Score is as follows:Type of Data
Data Classification Score
Confidential or federally funded research data
4
Enterprise
2
Public
1
3.2 Quantifying Data Exposure Score
Risk evaluations must also include an assessment of how much risk each asset faces due to the
exposure/availability of the information. We have classified assets based on their availability as follows
to determine the Data Exposure Score:
Asset Availability
Data Exposure Score
External /Internet Service Provided available to large number of users
4
External/ Internet Available
3
Internal Campus Available/To small number of user
2
Firewalled/Exposure Limited with other means like 2Factor
authentication etc.
1
3.3 Quantifying Admin Control Score
Control risk is the risk of errors or irregularities, in the underlying transactions/process that will not be
prevented, detected and/or corrected by teams managing the assets. Based on current distribution of
the assets, the following categories are used to determine the Admin Control Score:
SU Information Technology Security Guideline G0102 – Information Resource Risk Assessment
Page 2
Asset Control
Admin Control Score
Staff/Faculty/ Student Managed
3
Staff/Faculty/Student Managed with oversight from ITS/DSP Admin
2
ITS/DSP Managed
1
4.0 Risk Analysis
Based on the Threat Exposure Score described above, we have identified overall risk associated with
each information asset on our campus to be anywhere from a 2 to 28 ranking from a low risk to a high
risk asset. This is the inherent risk carried by all information assets depending on their usability,
availability and management. Typically having identified assets, assigned values, and ascertained
threats, the next step is to determine what vulnerabilities exist. During this analysis, the assets
themselves should not play a major role in the ranking process. However the combined effect of
vulnerability in the assets coupled with asset threat rank should allow for risk review.
Below we have created a risk approval matrix based on current insights in vulnerability and asset threat
categorization.
Vulnerability Score
Vulnerability
T
h
r
e
a
t
E
x
p
o
s
u
r
e
Low
Medium
High
LOW RISK
LOW RISK
MEDIUM RISK
IT Director Approval
IT Director Approval
DDD and IT Director approval
Medium (612)
LOW RISK
MEDIUM RISK
HIGH RISK
IT Director Approval
DDD and IT Director
approval
ISO, DDD and IT Director
Approval
High (16-28)
MEDIUM RISK
HIGH RISK
CRITICAL RISK
DDD and IT Director
approval
ISO, DDD and IT Director
Approval
CIO, ISO, DDD and IT Director
Approval
Threat
Low (2-5)
In summary the threat and risk assessment process is not a means to an end and an integral part of the
overall life cycle of the infrastructure.
SU Information Technology Security Guideline G0102 – Information Resource Risk Assessment
Page 3
This is a continual process that will be reviewed regularly to ensure the protection mechanisms, which
are currently in place still meet the required objectives. The assessment is meant to adequately address
the security requirements of the organization in terms of integrity, availability and confidentiality.
5.0 Referred Documents, Web Pages and Contact Information
Item
Location/Info
Standard:
Syracuse University Information
Security Standard
Contact:
Director of Information Security
Document Info
Version:
Effective Date:
Date of Last Review
Date of Next Mandatory Review
http://its.syr.edu/infosec/docs/standards/ITSecuritystandard.pdf
Christopher Croad
[email protected]
1.0
Dec 01, 2014
Nov 20,2014
November 20, 2015
SU Information Technology Security Guideline G0102 – Information Resource Risk Assessment
Page 4