Rutgers Security Posture Survey Feb 2015
The annual Rutgers University Information Security Posture Survey is a coordinated effort to measure the level of information risk across the University. It will determine if the information security policies and efforts currently in use are sufficient to address the level of risk and identify improvements, where possible.
As a result of participation in the survey, participants will receive a report that will indicate their organization's estimated level of information risk. This information will help effectively target information security efforts. Additionally, the survey results will help identify areas where a coordinated effort could help reduce risk across the University.
The University Information Security Posture Survey process will be conducted Monday, February 16th through Friday, February 27th. It is suggested that each organization’s responses be coordinated by a member of Senior Management and a member of the IT/Technical staff.
If your organization has outsourced its IT/Technical Support services to a unit within the University and/or an external vendor, please ask that provider for their answers and score them as your own.
The survey questions have been categorized into the following sections:
Introduction / Data Collection
Data Security Procedures
HR/Employee Security Procedures
Physical Security Procedures
Incident Response and Business Continuity
Account Management
Asset Management
System Operational Practices
Network Operational Practices
For each of the questions, please select the most accurate answer(s).
It is our belief that all organizations have restricted information within their operations.
If you have any questions please e-mail
Q1.1 Please indicate the organization(s) you are responding for:
Q1.2 Please estimate the size of your organization: (Employees)
Q1.3 Please estimate the size of your organization: (Student enrollments)
Q1.4 Please estimate the size of your IT organization:
Full time
Part time
Student staff
Q1.5 Please indicate ALL third party vendors/contractors whose services you utilize within your organization. (University Email, University File Storage, Shared Systems from other University Departments (TSS/MSSG, NCS), Dropbox, Amazon, Scarlet Mail, Scholarchip, LIFT, etc.)
Q1.6 Please indicate the number of servers in use by your organization:
Q1.7 Please indicate the number of networks in use by your organization:
Q1.8 Please indicate the number of firewalls in use by your organization:
Q1.9 Please indicate approximately how many applications are in use by your organization:
Q1.10 Approximately how many identities classified as restricted exist in your organization?
HIPAA
GLBA
Credit Cards
Social Security #
Data Security Procedures
For more information see:
Q2.1 How much of your organization’s information is classified, documented, and has appropriate security controls based on sensitivity and risk in accordance with University policy?
None (0)
Some (1-50%)
Most (51-99%)
All (100%)
Q2.2 How much of your organization’s information is retained and disposed of, per a documented process, in accordance with University Data Retention Schedules and disposal policy?
None
Some
Most
All
Q2.3 How often does your organization review and update its Information Security Plan?
Never
Less than once a year
Annually
Quarterly
Our organization does not have a Security Plan
Q2.4 How often does your organization perform an Information Security Risk Assessment?
Never
Less than once a year
Annually
Quarterly
Q2.5 How often does your organization perform remediation of each identified risk resulting from your Information Security Risk Assessment, per a documented strategy?
Never
Less than once a year
Annually
Quarterly
HR/Employee Security Procedures
For more information see:
Q3.1 Does your organization have a documented security role with available funds for supporting the security posture?
Yes
No
Q3.2 Compared to the University's Acceptable Use Policy, does your organization require employees to sign a more restrictive confidentiality agreement before being granted access to restricted information?
Yes
No
N/A, Our organization has no restricted information
Q3.3 How often does your organization review and update a documented list of individuals who have been granted access to restricted information?
Never
Less than once a year
Annually
Quarterly
Q3.4 In the event of a voluntary or involuntary departure of an employee from their current position, does your organization follow the University process for the collection of University owned assets (equipment & information), removal of access rights, and disabling accounts?
Yes
No
Q3.5 Does your organization prohibit the use of personal equipment for employees with access to restricted information?
Yes
No
Q3.6 Does your organization have a documented procedure for the usage of Social Media for employees?
Yes
No
Q3.7 If a third party vendor/contractor requires access to your systems containing restricted information, is that access limited and does your organization monitor their activity to ensure compliance with University Policy?
Yes
No
N/A, Our organization does not utilize third party services.
N/A, Our organization has no restricted information.
Q3.8 Does your organization work in accordance with the University Signatory Authority policy, in order to ensure proper acquisition of Business Associates Agreements or Contract Addenda as necessary when utilizing third party vendors/contractors?
Yes
No
N/A, Our organization does not utilize third party services.
Physical Security Procedures
For more information see:
Q4.1 Does your organization have a documented process for granting access to physical locations, with limited access, containing processing equipment such as routers, servers, and switches?
Yes
No
N/A, Our organization does not maintain any information processing equipment.
Q4.2 How much of your organization’s systems and equipment located in publicly accessible areas such as labs, classrooms, offices and libraries, are physically secured?
None
Some
Most
All
Q4.3 Does your organization have a method to detect and document authorized and unauthorized access to physical locations housing systems which contain restricted information?
Yes
No
N/A, Our organization has no restricted information.
Q4.4 Does your organization follow the University Policy for the secure destruction and documentation of physical records containing restricted information, such as but not limited to paper, photographic records, x-rays, and molds?
Yes
No
N/A, Our organization has no restricted information.
N/A, Our organization does not keep physical records containing restricted information.
Q4.5 Does your organization follow the University Policy for the secure destruction and documentation of retired storage media containing restricted information, such as but not limited to USB, CD, DVD, Hard Drives, Copiers, Printers, Fax Machines, and Tapes?
Yes
No
N/A, Our organization has no restricted information.
Incident Response and Business Continuity
For more information see:
Q5.1 How often does your organization review and update its Incident Response Plan?
Never
Less than once a year
Annually
Quarterly
Our organization does not have an Incident Response Plan.
Q5.2 How often does your organization review and test its plan for Breach Handling?
Never
Less than once a year
Annually
Quarterly
Our organization does not have a plan for Breach Handling.
Q5.3 How often does your organization review, update and communicate to staff its procedure for reporting equipment thefts and/or losses?
Never
Less than once a year
Annually
Quarterly
Our organization does not have a procedure for reporting equipment thefts and/or losses.
Q5.4 How often does your organization review, update and communicate to staff its procedure for reporting information thefts and/or losses?
Never
Less than once a year
Annually
Quarterly
Our organization does not have a procedure for reporting information thefts and/or losses.
Q5.5 How often does your organization review and update its plan for Business Continuity? (Continuity of staff, space, budget, communications, computing resources and applications, etc.)
Never
Less than once a year
Annually
Quarterly
Our organization does not have a plan for Business Continuity.
Q5.6 How often does your organization review and test its Disaster Recovery Plan? (Recovery of equipment, data connectivity, phone connectivity, backup retrieval, etc.)
Never
Less than once a year
Annually
Quarterly
Our organization does not have a Disaster Recovery Plan.
Account Management
For more information see:
Q6.1 For systems and devices not utilizing Rutgers Central Authentication (CAS and/or LDAP), does your organization employ Strong Password Complexity with annual change requirements for local and/or managed accounts?
Yes
No
N/A, Our organization only uses CAS and/or LDAP for account authentication.
Q6.2 How often does your organization audit all local and managed accounts, which may be used on all servers, workstations, laptops and/or devices? Managed accounts may be stored in Active Directory, organizational LDAP, etc.
Never
Less than once a year
Annually
Quarterly
Q6.3 How often does your organization audit all local and centrally managed accounts which have been granted Administrative privileges?
Never
Less than once a year
Annually
Quarterly
N/A, Our organization has no restricted information.
Q6.4 If your organization utilizes a securely managed Remote Access Service for accessing restricted information, such as Citrix, VPN, etc., how often do you audit accounts with access to this service?
Never
Less than once a year
Annually
Quarterly
N/A, Our organization has no restricted information.
N/A, Our organization does not utilize a securely managed Remote Access Service.
Asset Management
For more information see:
Q7.1 How often does your organization review and update a documented inventory of servers, workstations, laptops and/or devices owned by the organization, including asset name and serial number? (Examples: Kace, Altiris, LANDesk, Excel Spreadsheet, Racktables, etc.)
Never
Less than once a year
Annually
Quarterly
Our organization does not have a documented inventory of hardware.
Q7.2 How often does your organization review and update a documented inventory of the software and product licenses currently in use? (Ex: Kace, Altiris, LANDesk, Excel Spreadsheet, etc.)
Never
Less than once a year
Annually
Quarterly
Our organization does not have a documented inventory of software.
Q7.3 How often does your organization review the security event logs of systems containing restricted information?
Never
Monthly
Weekly
Daily
N/A, Our organization has no restricted information.
Q7.4 Does your organization utilize a tool to scan for restricted data, such as SSNs and credit card numbers? (Example: Identity Finder, Spider, SENF)
Yes
No
Q7.5 How much of your restricted information is identified, monitored, and secured using Data Loss Prevention software?
None
Some
Most
All
Our organization does not use Data Loss Prevention Software.
N/A, Our organization has no restricted information.
Q7.6 Does your organization annually review and update any documented configuration standard to ‘harden’ all systems housing or processing restricted information? These systems include servers, workstations and laptops. Examples: Center for Internet Security, NIST, SANS, etc.
Yes
No
N/A, Our organization has no restricted information.
Q7.7 On how many systems containing restricted information does your organization prohibit the use of unmanaged and/or personal storage media? (USB devices, Flash/Pen drives, external hard drives, etc.)
None
Some
Most
All
N/A, Our organization has no restricted information.
Q7.8 Does your organization use Mobile Device Management Controls for University issued/owned mobile devices accessing restricted information?
Yes
No
N/A, Our organization has no restricted information.
N/A, Our organization does not issue mobile devices.
Q7.9 Does your organization have Mobile Device Management Controls to manage Personally Owned devices used for University business?
Yes
No
Q7.10 If your organization has Mobile Device Management Controls, please specify which of the following features are utilized to manage mobile devices containing and/or accessing restricted information? (Select all that apply)
Anti-virus
Encryption
Sandboxing
Strong Passwords
Limited password attempts
Auto lock timeout
Connectivity timeout
Remote Locate
Remote Lock
Remote Wipe
N/A, Our organization does not have restricted information.
Our organization does not have Mobile Device Management Controls.
System Operational Practices
For more information see:
Q8.1 Does your organization utilize a Change Control Process to manage and document significant infrastructure changes?
Yes
No
Q8.2 How many of your organization's servers, workstations, laptops and devices are protected by anti-virus software? (Examples: Rutgers Anti-virus Delivery System, Norton, McAfee, etc.)
None
Some
Most
All
Q8.3 How many of your organization's servers, workstations, laptops and devices are scanned for vulnerabilities, and remediated as necessary?
None
Some
Most
All
Q8.4 How many of your organization's public-facing web applications are scanned for vulnerabilities, and remediated as necessary? (Scanning Examples: AlienVault, Greenbone, Kali Linux; Testing Examples: Attack Proxy)
None
Some
Most
All
N/A, Our organization does not have public-facing web applications/servers.
Q8.5 How much of your organization’s software, including operating systems, is currently supported? (e.g., not End-of-Life)
None
Some
Most
All
Q8.6 How many of your organization’s systems are kept up-to-date with vendor-issued patches?
None
Some
Most
All
Q8.7 Does your organization have a documented remediation plan for systems and/or software that are past End-of-Life?
Yes
No
Q8.8 How many of your organization’s backups are encrypted?
None
Some
Most
All
Our organization does not perform backups.
Q8.9 How much of your organization’s backup information is stored in a location separate from the live data repository?
None
Some
Most
All
Our organization does not perform backups.
Network Operational Practices
For more information see:
Q9.1 How much of your organization’s restricted information is encrypted in network transit?
None
Some
Most
All
N/A, Our organization does not have restricted information.
Q9.2 How much of your organization’s restricted information is encrypted in transit via email?
None
Some
Most
All
N/A, Our organization does not have restricted information.
Q9.3 How much of your organization’s restricted information is encrypted in transit via text messaging?
None
Some
Most
All
N/A, Our organization does not have restricted information.
Q9.4 How much of your organization’s restricted information is protected by a firewall?
None
Some
Most
All
N/A, Our organization has no restricted information.
Q9.5 How many of your organization’s public-facing web servers and/or application servers are protected by data separation, such as but not limited to keeping any database servers supporting those services on a private network/VLAN, or behind a firewall?
None
Some
Most
All
N/A, Our organization does not have public-facing web applications/servers.
Q9.6 Are your organization’s network(s) and server(s) monitored for intrusion attempts?
Yes
No