Security Review Policy


POLICY:

Where appropriate, Information Security personnel will conduct risk assessments of technologies/processes that are being evaluated and/or used at Georgia State University. The purpose of these assessments is to quantify the impact and probability of potential threats and vulnerabilities. Furthermore, Information Security personnel may recommend which security controls, if any, are commensurate with the risks to which the University would be exposed.

Rationale:

Managing the security risks associated with Georgia State University's ever-changing IT infrastructure presents an enormous challenge. Although some risks can be assessed and managed locally, there are many that cannot be easily understood and/or controlled. In these situations, Information Security personnel should perform security reviews to determine the threats, the likelihood of such events taking place, and the estimated impact if they were to occur, and to recommend controls.

Standards & Procedures:

Standards:

Threats. Things that can go wrong or that can 'attack' the system. Examples might include fire, system failure, or hacking. Threats are present in every system.

Vulnerabilities. These make a system more prone to attack by a threat or make an attack more likely to have some success or impact. For example, a hacking vulnerability would be the lack of patches on a computer operating system.

Controls. These are the countermeasures for vulnerabilities. There are four types:

- Deterrent controls reduce the likelihood of a deliberate attack.

- Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact.

- Corrective controls reduce the effect of an attack.

- Detective controls discover attacks and trigger preventative or corrective controls.


Procedures:

Secure Your Workstation

Revisions:

Approval Date(s):

Reviewed by IST
Reviewed by Information Security Subcommittee
Reviewed by ISAT Senate Committee
Approved by: University Administrative Council
Approved on: November 2, 2005
Version number: 1.0.0
Effective Date: November 2, 2005

SUMMARY OF CHANGES/ADDITIONS/DELETIONS