UMGC Policy X-1.16 Security Assessment of Information Systems and Technology Resources

Purpose

The purpose of this policy is to establish information security standards for Security Assessment processes relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.

Scope and Applicability

This policy applies to all University Information Systems and Information Technology Resources. Information System Stewards are responsible for adhering to this policy.

Definitions

Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.

1. Authorized User:  A User who has been granted authorization to access electronic Information Resources and is current in their privileges.
2. Contractor: A person or a company that undertakes a contract to provide materials or labor to perform a service.
3. Controlled Unclassified Information (CUI): US Federal Government or Contractor created information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
4. Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.
5. Information System: Inter-related components of Information Technology Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
6. Information System Steward: A UMGC staff member or other individual providing services to the University who is responsible for the development, procurement, compliance, and/or final disposition of an Information System.
7. Information Technology Resource: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by UMGC directly or by a third party under a contract with UMGC which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and UMGC's network via a physical or wireless connection, regardless of the ownership of the Information Technology Resource connected to the network.
8. Plan of Action and Milestone (POA&M): A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.
9. Security Assessment: The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.
10. System Security Plan (SSP): Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.
11. User: A member of the University community, including but not limited to Staff and Faculty, and other individuals performing services on behalf of University, including Contractors, volunteers and other individuals who may have a need to access, use or control University Data.

Security Assessment

Information System Stewards or their designee should ensure the adherence to the University's Security Assessment Policy to include:

1. SSPs should be documented and updated to describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems on an annual basis or when there is a significant change to the system that could impact the Confidentiality, Integrity, and/or Availability of the system.

   At a minimum an SSP must include the following:

   1. A list of key personnel and roles responsible for each Information System.
   2. A high-level description of the primary and function for each Information System.
   3. A list of the common types of user roles and their associated permissions
   4. A description of the type of data (e.g., CUI) that each Information System processes.
   5. A network diagram, including a written description of the network.
   6. A list of associated software and hardware.
   7. A list of the security practices that must be implemented to ensure the necessary security for each Information System.
   8. Describe how you have, or plan to, implement these necessary security practices.
      
2. A Security Assessment must be performed for their system(s) to determine if the controls are effective at least annually or when there is a significant change that could impact Confidentiality, Integrity, and/or Availability of the system. The Information gathered, and evidence produced by a Security Assessment must include:
   1. Documented assessment results.
   2. Identify potential problems or shortfalls in the organization's security and risk management programs.
   3. Identify security weaknesses and deficiencies in its systems and in the environments in which those systems operate.
   4. Ability to prioritize risk mitigation decisions and activities.
3. A POA&M must be documented and designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
4. Security controls should be monitored on an ongoing basis to ensure the continued effectiveness of the controls. A plan for monitoring and assessing the state of security controls on a recurring basis must be developed that occurs more frequently than the annual assessments.

Exceptions

Exceptions to this policy should be submitted to the Sr. Director, Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.

1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the Sr. Director, Information Security as soon as practicable.
2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

1. USM IT Security Standards, v.5, dated July 2022
2. NIST SP 800-171r2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”, dated February 2020
3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, dated December 2021

1. UMGC Policy X-1.02 Data Classification
2. UMGC Policy X-1.04 Information Security
3. UMGC Policy X-1.05 Information Security Awareness and Training
4. UMGC Policy X-1.06 Information Security Incident Response
5. UMGC Policy X-1.12 Acceptable Use
6. UMGC Policy X-1.19A Account Management (UMGC Learner Community)
7. UMGC Policy X-1.19B Account Management (UMGC Workforce)
8. UMGC Policy X-1.21 System and Communication Protection
9. UMGC Policy X-1.22 System and Information Integrity