Filetype Excel XLSX | Posted on 07 Jul 2022 | 3 years ago
Authentication
digital resources
198x Filetype XLSX File size 2.81 MB Source: admin.sc.gov
Sheet 1: Cover
| FOR THE STATE OF SOUTH CAROLINA INTERNAL USE ONLY (VERSION 1.0) | ||||||
| State of South Carolina Information Security Enterprise Risk Assessment Framework: Self-Assessment Tool Last Update On: October 2013 |
||||||
| Table of Contents | ||||||
| 1. Instructions | ||||||
| 2. Information Security Domains | ||||||
| 3. Security Framework | ||||||
| 4. Risk Dashboard | ||||||
| 5.1 Governance | ||||||
| 5.2 IT Risk Strategy | ||||||
| 5.3 IT Risk Management | ||||||
| 5.4 Asset Management | ||||||
| 5.5 Data Protection & Privacy | ||||||
| 5.6 Change Management | ||||||
| 5.7 IS Acquisition, Development & Maintenance | ||||||
| 5.8 Security Operations | ||||||
| 5.9 Threat & Vulnerability Management | ||||||
| 5.10 HR Security & Training | ||||||
| 5.11 Identity Access Management | ||||||
| 5.12 Business Continuity Management | ||||||
| 5.13 Physical Security | ||||||
| 5.14 Communication Strategy | ||||||
| 5.15 IT Compliance | ||||||
| 6. Reference | ||||||
| Document Management | ||||||
| Version | Updated by | Date modified | Change description | |||
| Version 1.0 | 10/29/2013 | Initial draft | ||||
| Document Overview | ||||||
| This information security self-assessment tool provides an information security risk assessment framework for the State of South Carolina by integrating control requirements and guidelines from National Institute of Standards and Technology (NIST) 800-53 Rev. 3, Internal Revenue Service (IRS) Publication 1075, Health Insurance Portability and Accountability Act (HIPAA) Security Section, Payment Card Industry Data Security Standards (PCI DSS) v2.0, Computer Security Act of 1987 – Public Law 100-235 (H.R. 145), The Children’s Online Privacy Protection Rule of 2000 (COPPA), Gramm-Leach-Bliley Act of 1999 (GLBA) into one common information security framework. | ||||||
| All Rights Reserved This tool is intended solely for the information and internal use of State of South Carolina and is not intended to be and should not be used by any other person or entity. No other person or entity is entitled to rely, in any manner, or for any purpose, on this tool. |
||||||
| FOR THE STATE OF SOUTH CAROLINA INTERNAL USE ONLY (VERSION 1.0) | ||||
| State of South Carolina Information Security Enterprise Risk Assessment Framework: Self-Assessment Tool |
||||
| Instructions | ||||
| State of South Carolina Self-Assessment Tool Instructions | ||||
| Instructions | ||||
| Please click on the embedded document for instructions on how to use the self-assessment tool |
||||
| All Rights Reserved This tool is intended solely for the information and internal use of State of South Carolina and is not intended to be and should not be used by any other person or entity. No other person or entity is entitled to rely, in any manner, or for any purpose, on this tool. |
||||
| FOR THE STATE OF SOUTH CAROLINA INTERNAL USE ONLY (VERSION 1.0) | ||||
| State of South Carolina Information Security Enterprise Risk Assessment Framework: Self-Assessment Tool |
||||
| Information Security Domains | ||||
| Component | Domain | Sub-Domain | ||
| Risk Governance | Governance | Information Security Program Planning | ||
| Security Organization (Roles and Responsibilities) | ||||
| Security Policy and Procedures | ||||
| Risk Strategy | IT Risk Strategy | Security Enterprise Architecture | ||
| Security Performance and Metrics | ||||
| Third Party Risk Management | ||||
| Risk Assessment | IT Risk Management | Risk Assessment (Assessing Risks) | ||
| Risk Acceptance Process (Treating Risks) | ||||
| Control Activities | Asset Management | System Inventory | ||
| Data Privacy & Protection | Data Authorization | |||
| Data Classification | ||||
| Data Disposal/Removable Media | ||||
| Data Integrity | ||||
| Data Management Policies and Procedures | ||||
| Data Transportation | ||||
| Data Storage | ||||
| Encryption | ||||
| Record Management/Retention | ||||
| Change Management | Configuration Management Process | |||
| Change Management Process | ||||
| Unauthorized Changes | ||||
| IS Acquisition, Development & Maintenance | System Development Lifecycle (SDLC) | |||
| System Acquisition | ||||
| System Development | ||||
| Maintenance | ||||
| System Planning and Acceptance | ||||
| Release Management | ||||
| Security Operations | Audit Logs | |||
| Information Security Events | ||||
| Network Protection | ||||
| Network Access Control | ||||
| Network Standards | ||||
| Mobile Security | ||||
| Protection Against Malicious and Mobile Code | ||||
| Threat & Vulnerability Management | Incident Management | |||
| Forensics | ||||
| Patch Management | ||||
| Vulnerability Management | ||||
| HR IT Security & Training | HR Compliance | |||
| HR Security | ||||
| Security Awareness Training | ||||
| Training Curriculum | ||||
| Identity Access Management | Access Control | |||
| Access Segmentation | ||||
| Authentication | ||||
| Emergency Access | ||||
| Identity Management | ||||
| Operating System Security | ||||
| User Access Review | ||||
| Business Continuity Management | Contingency Planning | |||
| Disaster Recovery | ||||
| Data Backup | ||||
| Physical & Environmental Security | Physical Access Controls | |||
| Environmental Security | ||||
| Removing Equipment | ||||
| Information & Communication | Communications Strategy | Policy Communication | ||
| Reporting Communications | ||||
| Monitoring & Reporting | IT Compliance | Compliance with Requirements | ||
| Information System Audit Considerations | ||||
| Review/Monitoring/Response Program | ||||
| All Rights Reserved This tool is intended solely for the information and internal use of State of South Carolina and is not intended to be and should not be used by any other person or entity. No other person or entity is entitled to rely, in any manner, or for any purpose, on this tool. |
||||
no reviews yet
Please Login to review.
