16. Number of IT employees whose primary job responsibilities are information security-related, and their job title(s):

17. Number of IT employees whose secondary job responsibilities are information security-related, and their job title(s):

18. Number of employees whose job responsibilities include the development of information security plans, and their job title(s) (e.g., information security director):

19. Number of employees whose job responsibilities include the development of information security policies, and their job title(s):

20. Number of employees whose job responsibilities include incident monitoring and response, and their job title(s):

21. Number of employees whose job responsibilities include the development and management of security awareness programs, and their job title(s):

22. Does your institution have an Information Security Strategic Plan? If so,
    a. What year was it first developed?
    b. When was it last updated?
    c. What is the URL?

23. Does your university have an Information Security Policy? If so,
    a. What year was it first developed?
    b. When was it last updated?
    c. What is the URL?

24. Does your university have an Information Security website? If so,

25. Does your university have an Information Security task force, committee, working group, etc.? If so,
    a. When was it started, and is it active today?
    b. If the group has a URL, what is it?

26. Does your university offer information security (academic or continuing education) degrees, certificate programs, or coursework? If so,

27. Has an information security audit/assessment been conducted at your institution? If so,
    a. When?
    b. Was this audit/assessment completed by the BOR?
    c. Was this audit/assessment completed by internal auditors at your institution?
    d. Was this audit/assessment completed by an external source? If so, who conducted the audit?

28. If your university has not conducted an information security audit/assessment, are there plans to do so? When?

29. Does your institution have an Incident Response Team or program?

30. Is your institution a member of FIRST or any other professional information security organizations?

31. How many staff members at your institution attend formal information security conferences, training programs, and seminars each year?

32. Is your institution using UIDs other than SSNs to identify students?

33. Has your institution classified its critical servers or data, i.e., established guidelines that address access to and authorization for mission-critical servers and that prioritize them?

34. Does your institution display system entry banners or warnings when users log in?

35. Does your institution require users to use encrypted methods of authentication, data transmission, and remote access (SSH, SSL, VPN, RADIUS, Kerberos, etc.)? If so,

36. Which antivirus product does your institution distribute, provide, or recommend to campus users?

37. What percentage of your computer users install and maintain antivirus software on their university systems?

38. Do you require, either through standards or policies, that users install and maintain antivirus software?

39. Do you require, either through standards or policies, that campus dormitory residents install and maintain antivirus software on their systems that are connected to your network (i.e., that have an IP address in your institution's address space)?

40. Which personal firewall products, if any, are distributed or recommended to campus users?

41. What percentage of your computer users install personal firewalls?

42. Does your institution require, either through standards or policies, that computer users install a personal firewall?

43. Does your university require, either through standards or policies, that campus dormitory residents install a personal firewall?

44. Does your university, either through standards or policies, restrict dormitory students from operating web, FTP, or mail servers in their dorm rooms?

45. Does your university, either through standards or policies, specify the minimum information security requirements for connecting a host to the network, and clearly define what will be done in the event of noncompliance with these standards?

46. Does your university have firewalls installed as "perimeter protection" devices? If so,
    a. Briefly describe your firewall architecture, placement, etc.
    b. Which vendor/firewall do you use?

47. Does your university employ access control lists on routing devices to restrict or deny access?

48. Does your university employ bandwidth restrictions, or control or restrict the use of file-sharing applications?

49. Does your university have distributed firewalls protecting servers? If so,
    a. Which vendors/firewalls do you use?

50. Does your university have an intrusion detection system deployed on your network? If so,
    a. Which vendor/NIDS do you use?

51. Does your university have a host-based intrusion detection system or integrity monitoring system installed (examples are ISS System Scanner and Tripwire)? If so,
    a. Which vendor/product do you use?

52. Does your university have a system security vulnerability assessment product? If so,
    a. Which vendor/product do you use?

53. Does your university have a database vulnerability assessment product? If so,
    a. Which vendor/product do you use?

54. Has your university deployed an automated system that can monitor and respond to attacks and intrusions on your network? If so,

55. How does your university recognize or know when a compromise of any system on campus has occurred?

56. How does your university recognize or know when a compromise of a critical system has occurred?

57. Can your university provide statistical/historical data on the number of attacks and intrusions, successful or unsuccessful, that occurred in the previous six months to a year?

58. Can your university provide qualitative data for the previous six months to a year on the types of intrusions, the identification of attackers (internal and external), and the steps taken to respond to and resolve security incidents?

59. Estimate how long it took your university to contain and isolate all infected systems and eradicate each of the following three recent Internet worms, which affected universities worldwide (if one is still a problem, say so):
    a. Code Red worm, version 1:
    b. Code Red worm, version 2:
    c. Nimda/Code Blue:

60. What are your top three security issues?