��������

Purpose

The purpose of this policy is to establish information security standards for Security Assessment processes relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.

Scope and Applicability

This policy applies to all University Information Systems and Information Technology Resources. Information System Stewards are responsible for adhering to this policy.

Definitions

Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

Security Assessment

Information System Stewards or their designee should ensure the adherence to the University's Security Assessment Policy to include:

1. SSPs should be documented and updated to describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems on an annual basis or when there is a significant change to the system that could impact the Confidentiality, Integrity, and/or Availability of the system.

   At a minimum an SSP must include the following:

   1. A list of key personnel and roles responsible for each Information System.
   2. A high-level description of the primary and function for each Information System.
   3. A list of the common types of user roles and their associated permissions
   4. A description of the type of data (e.g., CUI) that each Information System processes.
   5. A network diagram, including a written description of the network.
   6. A list of associated software and hardware.
   7. A list of the security practices that must be implemented to ensure the necessary security for each Information System.
   8. Describe how you have, or plan to, implement these necessary security practices.
      
2. A Security Assessment must be performed for their system(s) to determine if the controls are effective at least annually or when there is a significant change that could impact Confidentiality, Integrity, and/or Availability of the system. The Information gathered, and evidence produced by a Security Assessment must include:
   1. Documented assessment results.
   2. Identify potential problems or shortfalls in the organization's security and risk management programs.
   3. Identify security weaknesses and deficiencies in its systems and in the environments in which those systems operate.
   4. Ability to prioritize risk mitigation decisions and activities.
3. A POA&M must be documented and designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
4. Security controls should be monitored on an ongoing basis to ensure the continued effectiveness of the controls. A plan for monitoring and assessing the state of security controls on a recurring basis must be developed that occurs more frequently than the annual assessments.

Exceptions

Exceptions to this policy should be submitted to the Sr. Director, Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.

1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the Sr. Director, Information Security as soon as practicable.
2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

1. USM IT Security Standards, v.5, dated July 2022
2. NIST SP 800-171r2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”, dated February 2020
3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, dated December 2021

1. UMGC Policy X-1.02 Data Classification
2. UMGC Policy X-1.04 Information Security
3. UMGC Policy X-1.05 Information Security Awareness and Training
4. UMGC Policy X-1.06 Information Security Incident Response
5. UMGC Policy X-1.12 Acceptable Use
6. UMGC Policy X-1.19A Account Management (UMGC Learner Community)
7. UMGC Policy X-1.19B Account Management (UMGC Workforce)
8. UMGC Policy X-1.21 System and Communication Protection
9. UMGC Policy X-1.22 System and Information Integrity