Issue/Question
What methodology is used to identify an application as high risk?
Environment
- Malware defenses
- Web browser and email protections
- DNS security
- EDR
Cause
Need to ensure the availability and reliability of University IT resources and services
Resolution
High-Risk Application Identification
Objective: The university is committed to safeguarding its information assets and ensuring the confidentiality, integrity, and availability of data. To achieve this, the university IT security policy identifies high-risk applications based on the CIS (Center for Internet Security) Security Controls framework.
Definition of High-Risk Application: High-risk applications are defined as software or services that pose a significant security threat to the university's IT infrastructure, data, or users. These applications typically exhibit characteristics such as known vulnerabilities, inadequate security controls, or a high potential for exploitation by malicious actors.
Criteria for Identifying High-Risk Applications: The university IT department will assess applications against the following CIS Security Controls to determine their risk level:
- Inventory and Control of Hardware Assets:
  - Applications that are installed on unauthorized or unmanaged hardware devices.
  - Applications that lack proper documentation and tracking of hardware dependencies.
- Inventory and Control of Software Assets:
  - Applications that are not regularly patched or updated to address known vulnerabilities.
  - Software that is no longer supported by its vendor or has reached end-of-life status, leaving it prone to security risks.
- Continuous Vulnerability Management:
  - Applications with a history of security incidents or exploitation.
  - Applications that are not regularly scanned for vulnerabilities or that have critical unpatched vulnerabilities.
- Controlled Use of Administrative Privileges:
  - Applications that require excessive or unnecessary administrative privileges for operation.
  - Applications with weak access controls that allow unauthorized users to gain administrative access.
- Secure Configuration for Hardware and Software:
  - Applications whose default configurations pose security risks.
  - Applications with misconfigured security settings that expose sensitive data or resources.
- Maintenance, Monitoring, and Analysis of Audit Logs:
  - Applications that do not generate or retain adequate audit logs for security monitoring.
  - Applications with insufficient logging capabilities to detect and investigate security incidents.
Response to High-Risk Applications: Upon identification of a high-risk application, the university IT department will take appropriate action, which may include:
- Conducting a risk assessment to determine the impact and likelihood of exploitation.
- Implementing mitigating controls to reduce the risk associated with the application, which can include blocking controls.
- Considering alternatives or replacements for the high-risk application.
- Communicating with relevant stakeholders to ensure awareness and compliance with security measures.
Policy Compliance: All university staff, faculty, students, and third-party vendors are required to adhere to this policy. Failure to comply may result in disciplinary action, including but not limited to access restrictions or termination of services.
Policy Review: This policy will be reviewed and updated periodically to reflect changes in technology, security threats, or regulatory requirements. This policy provides a framework for identifying and managing high-risk applications within the university's IT environment, aligning with the principles of the CIS Security Controls for effective cybersecurity governance.
Please contact the Service Desk if you need further assistance.