Completed as part of Annual TAMU Risk Assessment of IT Resources
NIST Low Application Questions Required for Annual SPECTRIM Submissions

Allowed Answers

Implemented: fully compliant with the requirement.

Partially Implemented: not fully compliant. If you use this answer, you must specify in the Notes column how you intend to become fully or more compliant in the coming year. Alternatively, you can request that the dean accept the risk of not being compliant; for the latter, include your reasons. #10 of the template provides an example of this.

Not Implemented: not compliant at all. If you use this answer, you must specify in the Notes column how you intend to become fully or more compliant in the coming year. Alternatively, you can request that the dean accept the risk of not being compliant; for the latter, include your reasons.

Unknown: you do not know if the system is compliant. You are unlikely to use this answer if you are assessing systems in your possession; if you do, be sure to explain in the Notes section.

Not Applicable: e.g., if the requirement relates to confidential data, but no confidential data is kept on the system.

Each question below is recorded with the following columns: Q#, Specific Control, Assessment Question Text, Answer, Response / Notes.

Access Control

Q1  NIST-R0002-AC-02
    Are there processes in place to ensure that access provided to users (e.g., the role provided to a user for an application, or privileged access provided to an IT administrator, etc.) aligns with business requirements and/or access control policy?
Q2  NIST-R0003-AC-03.02
    Are information systems (applications, operating systems, network devices, databases, etc.) configured, and access enforcement mechanisms employed, per approved policy to provide protection from unauthorized access by malicious users, software or systems?

Q3  NIST-R0007-AC-07
    Have you implemented procedures and controls to lock user access to information resources after a defined number of unsuccessful login attempts?

Q4  NIST-R0008-AC-08
    Do organizational or departmental information systems display an approved system use notification message or banner before granting access to the information system?
Audit and Accountability

Q5  NIST-R0020-AU-01
    Is there a process in place to monitor compliance with security policies and requirements on a scheduled basis (e.g., audits and assessments of controls, vulnerability assessments, etc.)?

Q6  NIST-R0021-AU-02
    Do you monitor the use of information systems, maintain security-related system logs, and retain logs in accordance with the organization's records retention schedules?

Q7  NIST-R0022-AU-03.01
    Does the information system produce audit records that contain sufficient information and, at a minimum, establish:
    a. the type of event that occurred;
    b. the date and time the event occurred;
    c. where the event occurred (specific system, etc.);
    d. the source of the event;
    e. the outcome (success or failure) of the event; and
    f. the identity of any user or subject associated with the event?

Q8  NIST-R0023-AU-04.01
    Do you monitor the storage capacity of your logging servers to prevent data over-writing?

Q9  NIST-R0024-AU-05
    Do you log all user access to confidential data (e.g., cardholder data, ePHI, PII) and enable audit trails to uniquely log each user's activities?

Q10 NIST-R0025-AU-06
    Are information system audit records reviewed and analyzed on a daily basis for indications of inappropriate or unusual activity, findings reported to designated organizational officials, and corrective action plans implemented for identified issues? [e.g., logs from different systems are correlated in order to effectively detect potential security issues; specific use cases for alerts have been defined in order to identify critical security events; knowledgeable resources exist and are responsible for responding to alerts; such a process is tied to the incident response process]

Q11 NIST-R0027-AU-08
    Is the information system configured to use internal system clocks to generate time stamps for audit records? [Note: The ability to accurately monitor timestamps from logs could affect the incident response process.]

Q12 NIST-R0028-AU-09.01
    Is access to log data directories adequately controlled?

Q13 NIST-R0029-AU-11.01
    Are audit records retained to provide support for after-the-fact investigations of security incidents in accordance with regulatory requirements and organizational records retention requirements?
Configuration Management

Q14 NIST-R0040-CM-04.01
    Are changes to information systems (including those related to procedures, processes, system and service parameters) logged, assessed and authorized prior to implementation, and reviewed against planned outcomes following implementation (including impact from an information security perspective)?

Q15 NIST-R0042-CM-06
    Do you have processes in place to monitor and control changes to the baseline configuration settings of information systems in accordance with organizational policies and procedures?

Q16 NIST-R0174-CM-10
    Do you have processes in place to monitor software usage in accordance with contractual agreements (e.g., abiding by copyright laws, license agreements, etc.)?
Contingency Planning

Q17 NIST-R0048-CP-03
    Do you train personnel in their contingency roles and responsibilities with respect to the information system and provide refresher training?

Q18 NIST-R0049-CP-04
    Are Disaster Recovery Plans tested, reassessed and maintained regularly to ensure that they are up to date and effective?

Q19 NIST-R0053-CP-09
    Do you back up user-level and system-level information, system documentation, and security-related documentation consistent with recovery objectives, and protect the confidentiality and integrity of backups?

Q20 NIST-R0054-CP-10.01
    Does the recovery strategy and its implementation include considerations for fault tolerance and redundant architecture for minimizing the risk of information system downtime [taking into account risk tolerance and the importance of the system based on business requirements]?
Identification and Authorization

Q21 NIST-R0056-IA-02a
    Is the information system configured to uniquely identify and authenticate information system users (or processes acting on behalf of users, e.g., service and system accounts)?

Q22 NIST-R0056-IA-02b
    Are strong authentication controls (e.g., two-factor authentication and proper encryption of credentials) in place for administrative-type access to information system(s)?

Q23 NIST-R0059-IA-05.01
    Have you established, documented, and implemented administrative procedures to manage information system authenticators such as passwords, key fobs, certificates, etc., for users and information systems, and to ensure user identity when issuing or resetting them? [e.g., establishing and implementing administrative procedures for initial authenticator distribution; changing the default content of authenticators upon information system installation, etc., as per organization requirement]

Q24 NIST-R0059-IA-05.02
    Are information system authenticators configured in a manner that reduces the risk of "bad actors" guessing passwords, brute forcing, and/or replaying authenticated sessions? [e.g., if passwords are used, are passwords configured with a reasonable minimum password length, complexity requirements, periodic expiration, encryption, etc.]

Q25 NIST-R0060-IA-06.01
    Are information system authentication mechanism(s) configured in a manner that reduces the risk of malicious users intercepting authentication information (e.g., passwords), brute forcing, and/or replaying authenticated sessions?
    Notes: See Computer Configuration.doc
Maintenance

Q26 NIST-R0074-MA-04
    Do you have documented and implemented policies and practices to control security exposure from organizational vendors who provide remote support or maintenance to information system(s), through: i) enabling strong identification and authentication; ii) limiting access to the ports, services, and access levels needed for the business purpose; iii) having appropriate logging enabled for monitoring vendor actions; and iv) termination of sessions and network connections when remote maintenance is completed?
Media Protection

Q27 NIST-R0078-MP-02.01
    Do you have administrative, physical, and technical controls in place to manage access to media containing confidential information?
Planning

Q28 NIST-R0102-PL-02
    Do you develop and maintain an information security plan for the information system(s) that includes, but is not limited to: i) a description of the system environment and business processes; ii) interfaces and data flow; iii) system classification based on the type of information and business process supported; iv) security controls designed, configured, and implemented? [Note: these may be maintained in an asset register that has details of the information system]
Program Management

Q29 NIST-R0100-PM-12.01
    Do you have documented policies and implementation plans on insider threat programs to respond to malicious incidents?
Risk Assessment

Q30 NIST-R0126-RA-02.01
    Do you have a documented data classification policy or standard that guides data owners on data categorization, and the associated security requirements of information systems where such information is maintained?

Q31 NIST-R0126-RA-02.02
    If yes, are information systems categorized according to the data classification policy or standard?

Q32 NIST-R0126-RA-02.03
    If yes, are information system security plans aligned with the classification of the information system?
Security Assessment and Authorization

Q33 NIST-R0033-CA-03
    Do you have requirements defined, and perform monitoring of those requirements, for systems that connect to other systems outside of your immediate control?

Q34 NIST-R0035-CA-06.01
    Do you follow a defined process for approving new information systems for production use based upon approval from appropriate stakeholders, including information security (e.g., approval from the ISO)?

Q35 NIST-R0035-CA-06.02
    For existing systems, does the department require appropriate approvals from relevant stakeholders, including information security (e.g., approval from the ISO), when major changes are made to information systems and/or related processes?

Q36 NIST-R0036-CA-07
    Have you implemented a continuous monitoring program that includes configuration management, ongoing security control assessments, and reporting on the information system and its constituent components?
System and Services Acquisition

Q37 NIST-R0130-SA-02
    Do you have an explicit line entry for incorporating information security resource requirements for planning and implementing information systems?

Q38 NIST-R0132-SA-04
    Do you have policies and supporting processes to ensure that information system contracts, based on risk level, account for: i) information security risk assessment; ii) security functional requirements / specifications; iii) security-related documentation requirements; and iv) developmental and evaluation-related assurance requirements?

Q39 NIST-R0133-SA-05
    Do you have effective processes in place to ensure that appropriate levels of information and training about information systems exist to configure and manage systems securely (e.g., vendor documentation on default accounts and secure configuration specs, administration processes, technical training, etc.)?
System and Communications Protections

Q40 NIST-R0155-SC-20
    Have you implemented the DNS service in a manner that supports cryptographically signed responses and validates DNS results to reduce the risk of traffic diversion through DNS spoofing, cache poisoning, etc.? [Note: examples of proper security include separation of external and internal DNS, validating DNS results, etc.]
System and Information Integrity

Q41 NIST-R0161-SI-02
    Do you have policies and supporting processes for timely identification and implementation of patches to applicable information systems (e.g., operating systems, applications, databases, etc.) based on risk?

Q42 NIST-R0163-SI-04
    Do you have effective tools and processes in place to proactively detect and respond to security threats/events, through: i) effectively placed and configured intrusion-detection system(s) and/or intrusion-prevention system(s) to guard against or monitor for malicious network traffic at the perimeter; ii) effective placement and use of monitoring tools with configured applicable use cases to detect potential events relevant to the information system (e.g., DLP, SIEM, Netflow, etc.); iii) effective monitoring processes (e.g., alerts from IDS/IPS) for taking timely actions; iv) defined processes (e.g., playbooks) that guide the responders to take the appropriate level of action?
Other Texas A&M Requirements

Q43 (no NIST control ID listed)
    1) Where feasible, all data files are to be scanned on an annual basis to determine if those files contain SSNs.
    2) If SSNs are found or known to be present in a file, they are to be removed or appropriate risk mitigation measures applied (for example encryption, but not limited to encryption) if their continued presence is required.
    3) All SSNs that are to be retained and stored are to be reported to, and approved by, the Associate Vice President for Information Technology & Chief Information Officer. The reporting and approval process will be in the manner indicated for SSN ITCC-RA-2 2.3 exception requests at SSN Exception Requests.