Applies to all information systems of any kind that store or process data used to accomplish University research, teaching and learning, or administration.
The Cybersecurity Risk Management Policy requires application of the currently approved Implementation Plan to all covered systems.
This working document is the implementation plan for the Cybersecurity Risk Management Policy. The plan will be reviewed by the community, Information Technology (IT) governance, and the IT Committee.
For each information system, the Office of Cybersecurity will maintain a separate and detailed implementation plan that is jointly developed with the System Owner, also known as a System Security Plan. The Office of Cybersecurity will assist distributed Information Technology groups with developing implementation plans tailored to their group’s needs.
The University has classified its institutional data assets into risk based categories for determining who is allowed to access institutional data and what security precautions must be taken to protect it against unauthorized access and use.
Data should be classified as Restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects. Data should be classified as Restricted if:
|Sensitive||Data should be classified as Sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects. Data should be classified as Sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals.|
|Internal||Data should be classified as Internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in risk to the University, affiliates, or research projects. By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as Internal data.|
|Public||Data should be classified as Public prior to display on web-sites or once published without access restrictions; and when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates.|
Risk is attributed to assets based on the analysis of multiple factors which influence the Availability, Integrity or Confidentiality (AIC) of the asset.
In a quasi-equation format:
[Risk (to AIC of an asset), (from a threat-vulnerability pairing)] = [the Likelihood of exploitation in a given time frame] X [the impact of such exploitation]
Incidents are categorized based on the severity of potential or actual impact to the university. The graphic below shows the color code as used in the Weekly IT Security Report provided to the University CIO and interested University leadership. Color codes are supported by a short narrative statement that summarizes the major impact of the incident.
|CRITICAL||Event in progress or significant loss of data and damage to university networks.|
|HIGH||Realized impact to the university.|
|MODERATE||Potential significant impact to the university.|
|LOW||No significant events.|
|NONE||No evidence of risk.|
Please consult the Office of Cybersecurity if a more detailed discussion is needed or for assistance in the development of a tailored impact score matrix, as well as the building of a Risk Register (not shown) from the resulting scoring.
Information systems proposed to undergo Risk Assessment are entered into the Risk Register managed by the Office of Cybersecurity. A Risk Analyst will be assigned as resources become available. Organizations desiring to accelerate the process can contact the Chief Information Security Officer for guidance and options for meeting Risk Analyst resource requirements.
With the volume of systems and networks at the University, a full implementation of the Risk Management Framework will take approximately five years to complete. Implementation will initially focus on systems handling or storing data classified as Restricted, then Sensitive. Since exposure or loss of Internal or Public data does not pose an immediate operational impact or significant financial risk, those information systems will be reviewed as resources allow.
|1||Systems with Restricted Data (PII/SSN’s, Financial Accounts, HIPAA)||2017 through 2018|
|2||Research systems where grant funding is tied to security requirements||2017 through 2019 and ongoing|
|3||New or significantly updated systems with Sensitive Data||2019 through 2020|
|4||Remaining systems with Sensitive Data||2020 through 2021 and ongoing|
|5||Systems that only handle Internal Data||2021 through 2022 and ongoing|
|6||Systems that only handle Public Data||2022 and ongoing|
Throughout the implementation period, systems of all kinds will benefit from advanced firewalls and network protections as those capabilities are further deployed. Public facing web servers will be monitored on a monthly basis for unwanted traffic, evidence of cyber-attack or potentially harmful data loss activity to ensure openly accessible data is protected.
Training on the processes, tools and use of or completion of artifacts will be provided by the Office of Cybersecurity with the details considered to be out of scope for this document. Ongoing security awareness training will be provided by the Security Education, Training and Awareness Lead and access to training tools will be widely publicized on the Office of Cybersecurity web pages (https://it.wisc.edu/about/division-of-information-technology/enterprise-information-security-services/cybersecurity/risk-management-framework).
Training for Risk Executives will be provided by the Chief Information Security Officer on an individual or group basis depending on the need and executive schedules. Training is tailored to the Risk Executive’s needs and will include the items in the Step 5 Accept Risk section, including review of RMF packages aligned with the Risk Executive areas of responsibility.
This section describes process specific activities necessary to carry out the Cybersecurity Risk Management Policy. The process steps summarized below are required by the policy. Amplification of process steps and a helpful background on the Risk Management Framework (RMF) are in Appendix A to this Implementation Plan.
The first three steps of the Risk Management Framework (RMF) prepare the information system for a certifiable risk assessment. As shown in Appendix A, an information system is categorized according to the potential impact should the availability, integrity or confidentially of the system or data be compromised, (RMF Step 1.) Security controls are selected to reduce the likelihood and impact of a compromise, (RMF Step 2.) The security controls are implemented, then tested to measure how well they are functioning, (RMF Step 3.) At this point the information system is ready for a certifiable risk assessment.
The Cybersecurity Risk Management Policy focuses on the final three steps of the RMF. The following describes the process which is mandated by the policy.
Assess Risk (RMF Step 4)
The academic / functional unit and the Office of Cybersecurity cooperatively assess the cybersecurity risk associated with a system and if needed, consultation with other experts on campus.
Certify Risk (RMF Step 5)
The University Chief Information Security Officer (CISO) signs the Risk Assessment to certify that the represented risk is accurate. The CISO may include recommended risk reduction strategies.
Accept Risk (RMF Step 5)
The risk of operating the system is accepted by the Risk Executive on behalf of The University. This is a leadership decision and should be based on the following:
Reduce Risk (RMF Step 5 and 6)
The acceptable level of risk may be constrained by legal, regulatory or contractual requirements, and is subject to review by university leadership.
If the certified level of risk is unacceptable:
Following the Risk Assessment and subsequent acceptance by the Risk Executive, information systems with vulnerability, threat and impact changes that elevate the level of risk will have to be corrected or mitigated back to the assessed level (or lower) within the following time limits:
In all cases, the Risk Register maintained by the office of Cybersecurity should be updated along with adjusting the existing risk assessment and plan of action and milestones.
Monitor Risk (RMF Step 6)
The academic / functional unit and the Office of Cybersecurity continually monitor the system to assure that the level of risk remains at or below the level accepted in C. Accept Risk.
Re-evaluate Risk (RMF Step 6)
Risk evaluation occurs throughout the system life cycle as follows:
Non-University-owned devices and services used for university business may be treated as part of a University information system, and if so, are subject to this policy. There must be policy and procedural controls in place to assure respect for property and privacy.
Questions and comments to this document can be directed to the Office of Cybersecurity at firstname.lastname@example.org.