UMGC Policy X-1.16 UMGC Policy on Security Assessment of Information Systems and Technology Resources

Policy Category: X. Information Governance, Security & Technology
Policy Owner: SVP, General Counsel, and Chief People Officer
Version Effective Date: March 28, 2023
Review Cycle: Every 2 years
Last Reviewed: January 28, 2025
Policy Contact: Information Governance

  1. Purpose

    The purpose of this Policy is to establish Information Security standards for Security Assessment processes relevant to University Information Technology Resources.

  2. Scope and Applicability

    This Policy applies to all University Information Systems and Information Technology Resources. Information System Stewards are responsible for adhering to this Policy.

  3. Definitions

    Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

  4. Security Assessment

    Information System Stewards or their designee should ensure adherence to the University's Security Assessment Policy, including the following:

    1. System Security Plans (SSPs) should be documented and updated, on an annual basis or when there is a significant change to the system that could impact the Confidentiality, Integrity, and/or Availability of the system, to describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

      At a minimum, an SSP must include the following:

      1. A list of key personnel and roles responsible for each Information System.
      2. A high-level description of the primary and function for each Information System.
      3. A list of the common types of user roles and their associated permissions.
      4. A description of the type of data (e.g., CUI) that each Information System processes.
      5. A network diagram, including a written description of the network.
      6. A list of associated software and hardware.
      7. A list of the security practices that must be implemented to ensure the necessary security for each Information System.
      8. A description of how these necessary security practices have been, or are planned to be, implemented.
    2. A Security Assessment must be performed for their system(s), at least annually or when there is a significant change that could impact Confidentiality, Integrity, and/or Availability of the system, to determine if the controls are effective. The Information gathered and evidence produced by a Security Assessment must include:
      1. Documented assessment results.
      2. Identification of potential problems or shortfalls in the organization's security and risk management programs.
      3. Identification of security weaknesses and deficiencies in its systems and in the environments in which those systems operate.
      4. Ability to prioritize risk mitigation decisions and activities.
    3. A Plan of Action and Milestone (POA&M) must be documented and designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
    4. Security controls should be monitored on an ongoing basis to ensure the continued effectiveness of the controls. A plan for monitoring and assessing the state of security controls on a recurring basis must be developed that occurs more frequently than the annual assessments.
  5. Exceptions

    Exceptions to this Policy should be submitted to Information Security for review and approval. If an exception is requested, a compensating control or safeguard should be documented and approved.

  6. Enforcement
    1. Any Employee, Contractor, or third party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify Information Security as soon as practicable.
    2. Any Employee, Contractor, or other third party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.
  7. Standards Referenced
    1. Most recent versions:
      1. USM IT Security Standards
      2. NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”
      3. Cybersecurity Maturity Model Certification (CMMC)
  8. Related Policies
    1. UMGC Policy X-1.02 Data Classification
    2. UMGC Policy X-1.04 Information Security
    3. UMGC Policy X-1.05 Information Security Awareness and Training
    4. UMGC Policy X-1.06 Information Security Incident Response
    5. UMGC Policy X-1.12 Acceptable Use
    6. UMGC Policy X-1.19A Account Management (UMGC Learner Community)
    7. UMGC Policy X-1.19B Account Management (UMGC Workforce)
    8. UMGC Policy X-1.21 System and Communication Protection
    9. UMGC Policy X-1.22 System and Information Integrity
Copyright © 2025 University of Maryland Global Campus. All Rights Reserved.