2013 Business Risk Profile

If you have any questions, contact the Information Security Office at 621-UISO (8476), or email us at 2013 UA Information Security Business Risk Profile [email protected]. Instructions: In the normal course of doing business, organizations regularly make certain technical and business decisions that could introduce security risks that need to be mitigated. This section - the Business Risk Profile - helps identify which of those risks your unit faces and provides a baseline against which to compare the measure of Defense-in-Depth (DiD). These questions cover areas of analysis about how your unit operates. The furthest column to the right provides you with sources that can assist you in answering these questions, such as relevant Information Security policies, standards, procedures and guidelines. PROFILE QUESTIONS ANSWERS GUIDANCE/SOURCES College Name o

o Specify your own value:

If you have selected “specify your own value,” please use the field above to enter the College Name. Is this risk assessment being completed at the College Select “Department” if the assessment or Department level? will include several departments, but not an entire college or high-level administrative unit (i.e., President’s Division, Business Affairs Division). Department Name o NOTE: These are sorted in alphabetical order by Department Name. The o Specify your own value: Department Number is included after the Department Name.

If you are completing the assessment at the college level, please If you are filling out the survey for more select Specify your own value and indicate this in the above field. than one department, please select one of the departments here, and then use You may also use the above field if your department name is not the additional space in “Additional found in the dropdown menu. Department Names to which this assessment pertains:” to list the remaining departments covered with this questionnaire. Additional Department Names to which this assessment pertains:

1 | P a g e 2013 Business Risk Profile PROFILE QUESTIONS ANSWERS GUIDANCE/SOURCES ISL/ISM Name o (Name can be found at http://www.security.arizona.edu/inform o Specify your own value: ation-security-liaisons#find)

If you have selected “specify your own value,” please use the field above to enter the Information Security Liaison or Manager for your department. A. Basic Information A1 Number of desktops and laptops in use at your unit: .

A2 Number of servers in use at your unit: .

A3 Number of employees associated with this risk Note: If you are filling out this . assessment (i.e., # in unit, # for units for which you are assessment for more than one completing this particular risk assessment): department, please choose the item that includes a count of all employees for these units combined.

2 | P a g e 2013 Business Risk Profile PROFILE QUESTIONS ANSWERS GUIDANCE/SOURCES A4 Choose the option that best describes your unit's Education . major functions. Select no more than two. IT Services If you select “specify your own value,” please use the Research field below to explain your selection. Financial Services Manufacturing Legal Services Communications & Marketing Retail Specify your own value:

Select Specify your own value and use the space above to describe the unit function. B. Infrastructure Security B1 Who is your Internet Service Provider? o . Please select “specify your own value” and use the space provided to indicate provider name.

Please select Specify your own value and use the space provided to indicate provider name. B2 Do you allow remote access to your network or NOTE: IT Support is defined as full or . internal systems for IT support (i.e., external vendors, part-time employees, external vendors, business partners, or other third parties in other units or other third parties who provide or organizations)? If you answered yes to B2, please answer B2.1. Otherwise, support for units. proceed to B3. i.e., using some form of remote desktop protocol into your network or system

3 | P a g e 2013 Business Risk Profile PROFILE QUESTIONS ANSWERS GUIDANCE/SOURCES B2 Who do you allow to remotely access your External Third Parties .1 network or internal systems? Please select all Departmental IT Staff that apply. UITS Specify your own value:

If you select Specify your own value, please use the field above to list those who have remote access. B3 Does your unit offer external network services (i.e., . web, email)?

B4 Does your unit host application services, such as a External third parties include non- . portal or a Web site, for external third parties? employee students, vendors, business partners, customers or other third parties in other units or organizations. B5 Does your unit use the same IT resources to support i.e., housing a web application on the . both external applications and internal services? same platform as active directory server.

B6 Does your unit allow employees to deploy non- . production systems, such as personal Web servers or computers housing "pet projects," on the general university network? B7 Are mobile devices used in your unit? Mobile devices in scope include, but are . not limited to:  Smartphones (i.e., iPhone, Android, If you answered yes to B7, please answer B7.1 and B7.2. Blackberry) Otherwise, please proceed to B8.  Personal Digital Assistants (i.e., Palm, iPod Touch)  Tablets (i.e., iPad, Samsung Galaxy, Kindle) The question applies to all mobile devices used to process, store, or transmit University data by University Employees or University-Related Persons in the performance of their duties, regardless of device ownership.

4 | P a g e 2013 Business Risk Profile PROFILE QUESTIONS ANSWERS GUIDANCE/SOURCES B7 # of Unit-owned or University-owned devices: .1

B7 # of personally-owned devices used for .2 University business (including those devices for which the employee receives a stipend):

B8 Is your virtual local area network (VLAN) or subnet o . under a higher level virtual router forwarding (VRF), such as Multiprotocol Label Switching (MPLS)? o Specify your own value:

If N/A, please use the specify your own value field to explain why the control does not apply C. Application Security C1 Does your unit develop applications (software)? . C2 Does your unit allow software developers to connect . remotely to development resources or remotely develop application code? If you answered yes to C2, please answer C2.1. Otherwise, proceed to C3.

5 | P a g e 2013 Business Risk Profile PROFILE QUESTIONS ANSWERS GUIDANCE/SOURCES C2.1 Are these software developers internal or external resources (i.e., third party vendors)?

Please use the specify your own value field to indicate other software development resources. C3. Does your unit develop and market software products for external third parties (including other university units) or a broad market? C4. Does your unit allow developers to run development or test systems in remote or unprotected locations (as opposed to remotely accessing systems)? C5. For service offerings, do you rely o i.e., web pages, PCI hosted-order pages on third-party software developers for any of the following?

If N/A, please use the space below Specify your own value to explain why this does not apply.

6 | P a g e 2013 Business Risk Profile PROFILE QUESTIONS ANSWERS GUIDANCE/SOURCES C6. Do any of your unit applications Sensitive data is defined in the Data Classification Standard (IS- process sensitive data or S302). information critical to your operations? Information critical to the daily operation of your unit should also be considered sensitive data. C7. Does your unit make its critical Critical applications are those that are needed in order for the unit applications available through to conduct business. network-based connections? C8. Does your unit use down- Note: This would also include in-house legacy software that is no version or legacy software longer supported by the developer. (software that is no longer supported by the vendor )? C9. Does your unit acquire software from a reputable vendor or source? C10. Do you have applications that are housed on unit servers?

D. Operations Security D1. How are information technology Within Department or resources managed within your College unit? UITS Check all that apply. External Third Parties Unmanaged Specify your own value:

If Other, please use the space below Specify your own value to describe. D2. Does your LAN connect to third- LAN=subnet party LAN(s)? This question is directed at your unit's portion of the network, not the entire university network.

7 | P a g e 2013 Business Risk Profile PROFILE QUESTIONS ANSWERS GUIDANCE/SOURCES D3. Does your unit provide services, such as storage or electronic distribution of data, to entities external to your unit? If you answered yes, please answer D3.1. Otherwise, proceed to question D4. D3.1 Are these services provided in the same environment as your unit's services? D4. Has your unit gone through a "rip and replace" change of any major technology component/application in the last six months? D5. Does your unit rely on data In this situation, consider data feeds from outside your unit. For feeds or processed data example, if you rely on data or provide data to another University received from third parties? unit, you would answer yes to this question. D6. Would an incident that affected applications or infrastructure, such as a site outage or a hardware or application failure, If you answered yes to D6, significantly impact your unit's please answer D6.1. Otherwise, ability to conduct business (i.e., proceed to D7. revenue or mission-critical outcomes)? D6.1 What level of impact would the o Critical: Cannot pause. outage cause? Necessary to life, health, security High: Failure will lead to imminent and very serious consequences o Specify your own value: Medium: Can endure a pause, but only for a short time. Must be recovered by sometime If Other, please use the space sooner than 30 days. under Specify your own value to Low: Important, but we can describe. function without this system for more than 30 days.

8 | P a g e 2013 Business Risk Profile PROFILE QUESTIONS ANSWERS GUIDANCE/SOURCES D7. Does your unit store sensitive or Data Classification Standard (IS-S302) critical data?

D8. Does your unit allow Data Classification Standard (IS-S302) confidential or proprietary data off-site (other than at the University Services Annex data center)? D9. Do third-party infrastructure components or applications rely on access to resources within your environment? D10. Does your unit share office space with other organizations? Other organizations include other university units. D11. Does your unit have more than one physical location (buildings, campuses or cities/towns)? E. People Security E1. Indicate the approximate percentage of employees in your unit who use computers for work:

E2. Does your unit outsource Infrastructure includes all resources within your area of maintenance or ownership of responsibility, i.e., network, servers, etc. any portion of its infrastructure? E3. Do you consider your unit to be New technology= cutting-edge or bleeding-edge technology. A an early adopter of new current example of cutting-edge technology would be using technology? Microsoft Surface. If you answered yes to E3, please answer E3.1. Otherwise, proceed to E4.

9 | P a g e 2013 Business Risk Profile PROFILE QUESTIONS ANSWERS GUIDANCE/SOURCES E3.1 Does your unit select and deploy new technologies based on existing partnerships and licensing agreements? E4. Does your unit limit technology choices to technologies known by the current IT staff? E5. Has your unit recently expanded its network through reorganization or merger with other unit(s) and their existing environments? E6. Does your unit allow employees Data Classification Standard (IS-S302) to download sensitive data to their workstations? E7. Does your unit deploy new services or applications before assessing them for possible security issues? E8. Number of full-time IT support staff in your unit:

E9. Number of part-time IT support staff in your unit:

10 | P a g e 2013 Business Risk Profile PROFILE QUESTIONS ANSWERS GUIDANCE/SOURCES E10. Number of undergraduate or graduate students who serve as IT support for your unit:

E11. Do you rely on student workers in your unit for IT support?

E12. Do you have an annual budget for Information Technology in your unit? If you answered yes to E12, please answer E12.1. Otherwise, proceed to E13. E12.1 Please select a range for your annual IT budget:

E13. Are the technologists in your unit subject to high turnover or attrition? F. Compliance Areas

11 | P a g e 2013 Business Risk Profile PROFILE QUESTIONS ANSWERS GUIDANCE/SOURCES F1. Does your unit engage in any of  Lending, including receiving application information for, making the following activities? or servicing loans  Collection of delinquent loans (i.e., payments on which interest is paid; NOT deferred payment plans not charging interest)  Check cashing services  Financial or investment advisory services  Credit counseling services  Travel agency services provided in connection with financial services  Tax planning or tax preparation  Obtaining information from a consumer credit report  Career counseling services for those seeking employment in finance, accounting or auditing F2. Does your unit accept credit or debit cards in exchange for goods or services offered for sale by the unit? This question does NOT refer to P-cards used by the unit to purchase goods or services. F3. Does your unit access, process Personally identifiable information includes: or store records of personally-  The name of a student, the student's parent, or other family identifiable student members information?  A personal identifier such as a Social Security Number or student identification number  A list of personal characteristics or other information that would make the student's identity easily traceable F4. Does your unit collect Social Security Numbers and use them as identifiers (including use as a primary key or unique identifier in a database)?

12 | P a g e 2013 Business Risk Profile PROFILE QUESTIONS ANSWERS GUIDANCE/SOURCES F5. Does your unit engage in ITAR ITAR or export-controlled research may include any of the (International Traffic in Arms following: Regulations) sensitive research  Commodities and technologies that have predominant military or with export controlled use or space application information, commodities, or  Items that started out as having civil application but were later software? adapted or modified for military application  Dual-Use items that contain or use ITAR controlled articles/technology, i.e., “see through rule” F6. Does your unit use, access, For more information on Human Subjects Research, please see the disclose, or store Human Subject VPR’s webpage on Human Subjects Research and IRB Research data? (http://orcr.vpr.arizona.edu/irb).

F7. Does your unit provide a health care service (treatment, payment, or healthcare operations) that involves accessing, using, analyzing, or creating health related data? F8. Does your unit bill electronically for a health care service (directly or via a business associate agreement) using HIPAA standard transactions (codes 270, 271, 278, 835, or 837)? F9. Does your unit work in association with or provide services (treatment, payment, or healthcare operations) on behalf of a HIPAA covered entity? F10. Does your unit engage in highly competitive or research-focused activities in which intellectual property theft or espionage is a significant concern? F11. Does your unit have significant product or brand recognition?

13 | P a g e 2013 Business Risk Profile PROFILE QUESTIONS ANSWERS GUIDANCE/SOURCES Indicate the Completion Status of the Assessment:

14 | P a g e