
NIST Low Application Assessment Questions

Completed as part of Annual TAMU Risk Assessment of IT Resources

NIST Low Application Questions Required for Annual SPECTRIM Submissions


Allowed Answers
Implemented: fully compliant with the requirement.
Partially Implemented: not fully compliant. If you use this answer, you must specify in the Notes column how you intend to become fully/more compliant in the coming year, or you can request that the dean accept the risk of not being compliant; for the latter, include reasons. #10 of the template provides an example of this.
Not Implemented: not compliant at all. If you use this answer, you must specify in the Notes column how you intend to become fully/more compliant in the coming year, or you can request that the dean accept the risk of not being compliant; for the latter, include reasons.
Unknown: do not know if the system is compliant. You are unlikely to use this answer if assessing systems in your possession; if you do, be sure to explain in the Notes section.
Not Applicable: e.g., if the requirement relates to confidential data, but no confidential data is kept on the system.
Access Control
Q#  Specific Control  Assessment Question Text  Answer*  Response / Notes
1  NIST-R0002-AC-02  Are there processes in place to ensure access provided to users (e.g., the role provided to a user for an application, or privileged access provided to an IT administrator, etc.) aligns with business requirements and/or access control policy?

2  NIST-R0003-AC-03.02  Are information systems (applications, operating systems, network devices, databases, etc.) configured and access enforcement mechanisms employed per approved policy to provide protection from unauthorized access by malicious users, software or systems?

3  NIST-R0007-AC-07  Have you implemented procedures and controls to lock user access to information resources after a defined number of unsuccessful login attempts?

4  NIST-R0008-AC-08  Do organizational or departmental information systems display an approved system use notification message or banner before granting access to the information system?

Audit and Accountability
Q#  Specific Control  Assessment Question Text  Answer  Notes
5  NIST-R0020-AU-01  Is there a process in place to monitor compliance to security policies and requirements on a scheduled basis (e.g., audits and assessments of controls, vulnerability assessments, etc.)?

6  NIST-R0021-AU-02  Do you monitor the use of information systems, maintain security-related system logs, and retain logs in accordance with the organization's records retention schedules?

7  NIST-R0022-AU-03.01  Does the information system produce audit records that contain sufficient information and, at a minimum, establish: a. the type of event that occurred; b. the date and time the event occurred; c. where the event occurred (specific system, etc.); d. the source of the event; e. outcome (success or failure) of the event; and f. the identity of any user or subject associated with the event?

8  NIST-R0023-AU-04.01  Do you monitor the storage capacity of your logging servers to prevent data over-writing?

9  NIST-R0024-AU-05  Do you log all user access to confidential data (e.g., card holder data, ePHI, PII) and enable audit trails to uniquely log each user's activities?

10  NIST-R0025-AU-06  Are information system audit records reviewed and analyzed on a daily basis for indications of inappropriate or unusual activity, findings reported to designated organizational officials, and corrective action plans implemented for identified issues? [e.g., logs from different systems are correlated in order to effectively detect potential security issues; specific use cases for alerts have been defined in order to identify critical security events; knowledgeable resources exist and are responsible for responding to alerts; such process is tied to the incident response process]

11  NIST-R0027-AU-08  Is the information system configured to use internal system clocks to generate time stamps for audit records? [Note: The ability to accurately monitor timestamps from logs could affect the incident response process.]

12  NIST-R0028-AU-09.01  Is access to log data directories adequately controlled?

13  NIST-R0029-AU-11.01  Are audit records retained to provide support for after-the-fact investigations of security incidents in accordance with regulatory requirements and organizational records retention requirements?
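The six audit-record elements of question 7 (AU-03.01) are the kind of thing a daily review (question 10) can check mechanically. The Python below is an added example, not part of the TAMU template: it scans a constructed JSON-lines audit log and reports which records fail to establish each element; the JSON field names mapped to elements a-f are assumptions about one possible log format.

```python
import json

# Elements (a)-(f) from question 7 (AU-03.01) -> ASSUMED field names in a
# JSON-lines audit log; these names are an assumption, not a TAMU standard.
REQUIRED_FIELDS = {
    "a. type of event": "event_type",
    "b. date and time": "timestamp",
    "c. where the event occurred": "host",
    "d. source of the event": "source",
    "e. outcome (success or failure)": "outcome",
    "f. identity of user or subject": "user",
}

# Constructed sample log: records 1 and 4 are complete, record 2 lacks the
# outcome and the user, record 3 has an empty host field.
SAMPLE_LOG = """\
{"event_type": "login", "timestamp": "2024-03-01T08:15:02Z", "host": "app01", "source": "10.0.0.5", "outcome": "success", "user": "jdoe"}
{"event_type": "login", "timestamp": "2024-03-01T08:15:40Z", "host": "app01", "source": "10.0.0.9"}
{"event_type": "file_read", "timestamp": "2024-03-01T08:16:11Z", "host": "", "source": "app01", "outcome": "success", "user": "svc_report"}
{"event_type": "login", "timestamp": "2024-03-01T08:17:00Z", "host": "app01", "source": "10.0.0.9", "outcome": "failure", "user": "jdoe"}
"""

def missing_elements(record: dict) -> list:
    """Return the question-7 elements a record lacks (field absent or empty)."""
    return [label for label, field in REQUIRED_FIELDS.items()
            if not record.get(field)]

def audit_log_gaps(log_text: str) -> dict:
    """Map 1-based record number -> missing elements, for deficient records only.
    A line that is not valid JSON establishes nothing, so it is reported as
    missing all six elements."""
    gaps = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            gaps[lineno] = list(REQUIRED_FIELDS)
            continue
        missing = missing_elements(record)
        if missing:
            gaps[lineno] = missing
    return gaps

if __name__ == "__main__":
    # Prints nothing when every record satisfies the requirement.
    for lineno, missing in sorted(audit_log_gaps(SAMPLE_LOG).items()):
        print(f"record {lineno}: missing {', '.join(missing)}")
```

Run against a real export, the non-empty result is the evidence a reviewer would attach to a "Partially Implemented" answer for question 7.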

Configuration Management
Q#  Specific Control  Assessment Question Text  Answer  Notes

14  NIST-R0040-CM-04.01  Are changes to information systems (including those related to procedures, processes, system and service parameters) logged, assessed and authorized prior to implementation and reviewed against planned outcomes following implementation (including impact from an information security perspective)?

15  NIST-R0042-CM-06  Do you have processes in place to monitor and control changes to the baseline configuration settings of information systems in accordance with organizational policies and procedures?

16  NIST-R0174-CM-10  Do you have processes in place to monitor software usage in accordance with contractual agreements (e.g., abiding by copyright laws, license agreements, etc.)?

Contingency Planning
Q#  Specific Control  Assessment Question Text  Answer  Notes
17  NIST-R0048-CP-03  Do you train personnel in their contingency roles and responsibilities with respect to the information system and provide refresher training?

18  NIST-R0049-CP-04  Are Disaster Recovery Plans tested, reassessed and maintained regularly to ensure that they are up to date and effective?

19  NIST-R0053-CP-09  Do you back up user-level and system-level information, system documentation, and security-related documentation consistent with recovery objectives and protect the confidentiality and integrity of backups?

20  NIST-R0054-CP-10.01  Does the recovery strategy and its implementation include considerations for fault tolerance and redundant architecture for minimizing risk of information system downtime [taking into account risk tolerance and importance of the system based on business requirements]?

Identification and Authorization
Q#  Specific Control  Assessment Question Text  Answer  Notes
21  NIST-R0056-IA-02a  Is the information system configured to uniquely identify and authenticate information system users (or processes acting on behalf of users, e.g., service and system accounts)?

22  NIST-R0056-IA-02b  Are strong authentication controls (e.g., two-factor authentication and proper encryption of credentials) in place for administrative type access to information system(s)?

23  NIST-R0059-IA-05.01  Have you established, documented, and implemented administrative procedures to manage information system authenticators such as passwords, key fobs, certificates, etc., for users and information systems, and ensure user identity when issuing or resetting them? [e.g., establishing and implementing administrative procedures for initial authenticator distribution; changing default content of authenticators upon information system installation, etc., as per organization requirement]

24  NIST-R0059-IA-05.02  Are information system authenticators configured in a manner to reduce the risk of "bad actors" guessing passwords, brute forcing, and/or replaying authenticated sessions? [e.g., if passwords are used, are passwords configured with a reasonable minimum password length with complexity requirements, periodic expiration, encrypted, etc.]

25  NIST-R0060-IA-06.01  Are information system authentication mechanism(s) configured in a manner to reduce the risk of malicious users intercepting authentication information (e.g., passwords), brute forcing, and/or replaying authenticated sessions?

See Computer Configuration.doc

Maintenance
Q#  Specific Control  Assessment Question Text  Answer  Notes
26  NIST-R0074-MA-04  Do you have documented and implemented policies and practices to control security exposure from organizational vendors who provide remote support or maintenance to information system(s), through: i) enabling strong identification and authentication; ii) limiting to ports, services, and access levels needed for business purpose; iii) having appropriate logging enabled for monitoring vendor actions; and iv) termination of sessions and network connections when remote maintenance is completed?

Media Protection
Q#  Specific Control  Assessment Question Text  Answer  Notes
27  NIST-R0078-MP-02.01  Do you have administrative, physical, and technical controls in place to manage access to media containing confidential information?

Planning
Q#  Specific Control  Assessment Question Text  Answer  Notes
28  NIST-R0102-PL-02  Do you develop and maintain an information security plan for the information system(s) that includes, but is not limited to: i) description of the system environment and business processes; ii) interfaces and data flow; iii) system classification based on type of information and business process supported; iv) security controls designed, configured, and implemented? [Note: these may be maintained in an asset register that has details of the information system]

Program Management
Q#  Specific Control  Assessment Question Text  Answer  Notes
29  NIST-R0100-PM-12.01  Do you have documented policies and implementation plans on insider threat programs to respond to malicious incidents?

Risk Assessment
Q#  Specific Control  Assessment Question Text  Answer  Notes
30  NIST-R0126-RA-02.01  Do you have a documented data classification policy or standard that guides data owners on data categorization, and associated security requirements of information systems where such information is maintained?

31  NIST-R0126-RA-02.02  If yes, are information systems categorized according to the data classification policy or standard?

32  NIST-R0126-RA-02.03  If yes, are information system security plans aligned with the classification of the information system?

Security Assessment and Authorization
Q#  Specific Control  Assessment Question Text  Answer  Notes
33  NIST-R0033-CA-03  Do you have requirements defined, and perform monitoring of those requirements, for systems that connect to other systems outside of your immediate control?

34  NIST-R0035-CA-06.01  Do you follow a defined process for approving new information systems for production use based upon approval from appropriate stakeholders, including information security (e.g., approval from the ISO)?

35  NIST-R0035-CA-06.02  For existing systems, does the department require appropriate approvals from relevant stakeholders, including information security (e.g., approval from the ISO), when major changes are made to information systems and/or related processes?

36  NIST-R0036-CA-07  Have you implemented a continuous monitoring program that includes configuration management, ongoing security control assessments, and reporting on the information system and its constituent components?

System and Services Acquisition
Q#  Specific Control  Assessment Question Text  Answer  Notes

37  NIST-R0130-SA-02  Do you have an explicit line entry for incorporating information security resource requirements for planning and implementing information systems?

38  NIST-R0132-SA-04  Do you have policies and supporting processes to ensure that information system contracts, based on risk level, account for: i) information security risk assessment; ii) security functional requirements / specifications; iii) security-related documentation requirements; and iv) developmental and evaluation-related assurance requirements?

39  NIST-R0133-SA-05  Do you have effective processes in place to ensure that appropriate levels of information and training about information systems exist to configure and manage systems securely (e.g., vendor documentation on default accounts and secure configuration specs, administration processes, technical training, etc.)?

System and Communications Protections
Q#  Specific Control  Assessment Question Text  Answer  Notes
40  NIST-R0155-SC-20  Have you implemented the DNS service in a manner that supports cryptographically signed responses and validates DNS results to reduce the risk of traffic diversion through DNS spoofing, cache poisoning, etc.? [Note: examples of proper security include separation of external and internal DNS, validating DNS results, etc.]

System and Information Integrity
Q#  Specific Control  Assessment Question Text  Answer  Notes

41  NIST-R0161-SI-02  Do you have policies and supporting processes for timely identification and implementation of patches to applicable information systems (e.g., operating systems, applications, databases, etc.) based on risk?

42  NIST-R0163-SI-04  1) Do you have effective tools and processes in place to proactively detect and respond to security threats/events, through: i) effectively placed and configured intrusion-detection system(s) and/or intrusion-prevention system(s) to guard against or monitor for malicious network traffic at the perimeter; ii) effective placement and use of monitoring tools with configured applicable use cases to detect potential events relevant to the information system (e.g., DLP, SIEM, NetFlow, etc.); iii) effective monitoring processes (e.g., alerts from IDS/IPS) for taking timely actions; iv) defined processes (e.g., playbooks) that guide the responders to take the appropriate level of action?

Other Texas A&M Requirements
Q#  Specific Control  Assessment Question Text  Answer  Notes

43  ITCC-RA-2 2.3  1) Where feasible, all data files are to be scanned on an annual basis to determine if those files contain SSNs. 2) If SSNs are found or known to be present in a file, they are to be removed or appropriate risk mitigation measures applied (for example encryption, but not limited to encryption) if their continued presence is required. 3) All SSNs that are to be retained and stored are to be reported to, and approved by, the Associate Vice President for Information Technology & Chief Information Officer. The reporting and approval process will be in the manner indicated for SSN exception requests at SSN Exception Requests.
