High Risk Application Identification

Issue/Question

What methodology is used to identify an application as high risk?

Environment

  • Malware defenses
  • Web browser and email protections
  • DNS security
  • EDR

Cause

Need to ensure the availability and reliability of University IT resources and services.

Resolution

High-Risk Application Identification

Objective: The university is committed to safeguarding its information assets and ensuring the confidentiality, integrity, and availability of data. To achieve this, the university IT security policy identifies high-risk applications based on the CIS (Center for Internet Security) Security Controls framework.

Definition of High-Risk Application: High-risk applications are defined as software or services that pose a significant security threat to the university's IT infrastructure, data, or users. These applications typically exhibit characteristics such as known vulnerabilities, inadequate security controls, or a high potential for exploitation by malicious actors.

Criteria for Identifying High-Risk Applications: The university IT department will assess applications against the following CIS Security Controls to determine their risk level:

  1. Inventory and Control of Hardware Assets:

    • Applications that are installed on unauthorized or unmanaged hardware devices.
    • Applications that lack proper documentation and tracking of hardware dependencies.
  2. Inventory and Control of Software Assets:

    • Applications that are not regularly patched or updated to address known vulnerabilities.
    • Software that is no longer supported by its vendor or has reached end-of-life status, making it prone to security risks.
  3. Continuous Vulnerability Management:

    • Applications with a history of security incidents or exploitation.
    • Applications that are not regularly scanned for vulnerabilities or have critical unpatched vulnerabilities.
  4. Controlled Use of Administrative Privileges:

    • Applications that require excessive or unnecessary administrative privileges for operation.
    • Applications with weak access controls, allowing unauthorized users to gain administrative access.
  5. Secure Configuration for Hardware and Software:

    • Applications with default configurations that pose security risks.
    • Applications with misconfigured security settings, exposing sensitive data or resources.
  6. Maintenance, Monitoring, and Analysis of Audit Logs:

    • Applications that do not generate or maintain adequate audit logs for security monitoring.
    • Applications with insufficient logging capabilities to detect and investigate security incidents.

Response to High-Risk Applications: Upon identification of a high-risk application, the university IT department will take appropriate action, which may include:

  1. Conducting a risk assessment to determine the impact and likelihood of exploitation.
  2. Implementing mitigating controls to reduce the risk associated with the application; this can include blocking controls.
  3. Considering alternatives or replacements for the high-risk application.
  4. Communicating with relevant stakeholders to ensure awareness and compliance with security measures.

Policy Compliance: All university staff, faculty, students, and third-party vendors are required to adhere to this policy. Failure to comply may result in disciplinary action, including but not limited to access restrictions, or termination of services.

Policy Review: This policy will be reviewed and updated periodically to reflect changes in technology, security threats, or regulatory requirements. This policy provides a framework for identifying and managing high-risk applications within the university's IT environment, aligning with the principles of the CIS Security Controls for effective cybersecurity governance.

Please contact the Service Desk if you need further assistance.

ITS STAFF ONLY

  1. Direct questions following the article "Reviewing USD Security Policy Requests".