|Policy Category||Policy No. & Title||Policy Owner||Effective Date||Revision Number||Revision Eff. Date||Review Cycle|
|Information Governance, Security & Technology||Security Assessment of Information Systems and Technology Resources||VP of Information Security||July 15, 2021||N/A||N/A||Bi-Annually|
The purpose of this policy is to establish information security standards for Security Assessment processes relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.
Scope and Applicability
This policy applies to all University Information Systems and Information Technology Resources. Information System Stewards are responsible for adhering to this policy.
Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.
Authorized User: A User who has been granted authorization to access electronic Information Resources and is current in their privileges.
Contractor: A person or a company that undertakes a contract to provide materials or labor to perform a service.
Controlled Unclassified Information (CUI): A categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is (i) pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and (ii) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. CUI includes Personally Identifiable Information (PII).
Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.
Information System: Inter-related components of Information Technology Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Information System Steward: A UMGC staff member or other individual providing services to the University who is responsible for the development, procurement, compliance, and/or final disposition of an Information System.
Information Technology Resource: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by UMGC directly or by a third party under a contract with UMGC which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and UMGC's network via a physical or wireless connection, regardless of the ownership of the Information Technology Resource connected to the network.
Plan of Action and Milestone (POA&M): A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.
Security Assessment: The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.
System Security Plan: Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.
User: A University community member, including but not limited to, staff, faculty, students, alumni, and individuals working on behalf of the University, including third party vendors, Contractors, consultants, volunteers, and other individuals who may have a need to access, use or control University Data.
Information System Stewards or their designee should ensure the adherence to the University's Security Assessment Policy to include:
System Security Plans (SSPs) should be documented and updated, on an annual basis or when there is a significant change to the system that could impact the Confidentiality, Integrity, and/or Availability of the system, to describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
At a minimum, a System Security Plan (SSP) must include the following:
A list of key personnel and roles responsible for each Information System.
A high-level description of the primary function of each Information System.
A list of the common types of user roles and their associated permissions.
A description of the type of data (e.g., CUI) that each Information System processes.
A network diagram, including a written description of the network.
A list of associated software and hardware.
A list of the security practices that must be implemented to ensure the necessary security for each Information System.
A description of how these necessary security practices have been, or are planned to be, implemented.
A Security Assessment of the Steward's system(s) must be performed at least annually, or when there is a significant change that could impact the Confidentiality, Integrity, and/or Availability of the system, to determine whether the controls are effective. The information gathered and evidence produced by a Security Assessment must include:
Documented assessment results.
Identification of potential problems or shortfalls in the organization's security and risk management programs.
Identification of security weaknesses and deficiencies in its systems and in the environments in which those systems operate.
The ability to prioritize risk mitigation decisions and activities.
A Plan of Action & Milestones (POA&M) must be documented and designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
Security controls should be monitored on an ongoing basis to ensure their continued effectiveness. A plan for monitoring and assessing the state of security controls on a recurring basis, more frequently than the annual assessments, must be developed.
Exceptions to this policy should be submitted to the VP of Information Security for review and approval. If an exception is requested, a compensating control or safeguard should be documented and approved.
Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the VP of Information Security as soon as practicable.
Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.
This policy is effective as of the date set forth above.