
Data Protection Self Assessment Worksheet Instructions

The Data Protection Self Assessment Worksheet is a tool for measuring compliance with the Guidelines for Data Protection published by the Information Security Office. The Guidelines for Data Protection were published to support the University's Information Security Policy; their purpose is to define baseline security controls for protecting Institutional Data. This tool is intended for self evaluation. The Information Security Office can assist with a self assessment by request. Please send email to iso@andrew.cmu.edu if you'd like assistance with evaluating your security controls. The following are some general instructions and guidance on using this tool.

Scoping a Self-Assessment

Before starting this self-assessment, you should determine the scope of what you are assessing. There are a variety of options when determining scope. One option is to conduct a self-assessment of a particular data set (e.g. financial data). This will require a thorough understanding of how that data is stored, processed and transmitted and should provide the most comprehensive view into what risks exist to institutional data. A simplified alternative would be to focus on a specific server or set of servers. Depending on the situation, this may not provide a comprehensive view into existing risks. In a situation where one server hosts multiple applications, it may be appropriate to scope the assessment to a particular application. Data classification may also play a role in scoping a self-assessment. For example, it may be appropriate to assess Restricted data separately from Private data. Data stewards and data custodians should jointly discuss the various alternatives and determine the best strategy given their own unique circumstances.

Data Classification

Once the scope of the assessment is determined, the data classification should be noted. Setting the appropriate data classification in cell I7 of the Controls worksheet will then populate the Rating column appropriately. If you would like more information on data classification, see the Guidelines for Data Classification published by the Information Security Office.

Completing the Self-Assessment

When completing the self-assessment, respond to each control with either Yes, No or Not Applicable. A drop-down menu should appear when you select a cell in the Response column. The following are some additional instructions based on what response you give:

Yes: If you answer Yes to a control, briefly describe the control in the Description of Controls column. If supplemental documentation exists that explains the control in more detail, provide a reference to the document(s).

No: If you answer No to a control, briefly describe any supplemental controls you have in place that would mitigate this risk. For example, if you are storing Restricted data on removable electronic storage media and you are unable to encrypt that data (see EN-3), describe what other controls/processes are in place to control and monitor access to this media. Next, explain any plans for remediating this risk in the Remediation Plan / Other Comments column. For example, if you have a project planned to evaluate a backup tape encryption solution, reference the project. Where available, timeline information should be provided. If no remediation plan exists, this should be documented.

Not Applicable: Depending on the scope of the assessment, one or more security controls may not be applicable. For example, if a business decision is made to not back up a particular data set, DR-5 through DR-9 may not be applicable. However, it is still important to document that a business decision was made and that appropriate individuals were involved in the decision making process. Reasoning behind a Not Applicable response should be explained in the Remediation Plan / Other Comments column.

Future Plans for this Tool


Future plans for this tool include adding functionality to facilitate an evaluation of information security roles and responsibilities as well as adding a scorecard to measure progress toward compliance. If you have additional ideas on how to make this tool more valuable, please send email to iso@andrew.cmu.edu.

Data Protection Self Assessment Worksheet Resources

The following is a list of resources referenced in the Data Protection Self Assessment Tool.

Information Security Policy
http://www.cmu.edu/iso/governance/policies/information-security.html

Information Security Roles & Responsibilities
http://www.cmu.edu/iso/governance/policies/information-security-roles.html

Guidelines for Data Classification
http://www.cmu.edu/iso/governance/guidelines/data-classification.html

Guidelines for Data Protection
http://www.cmu.edu/iso/governance/guidelines/data-protection/

Guidelines for Password Management
http://www.cmu.edu/iso/governance/guidelines/password-management.html

Send Email to the Information Security Office
iso@andrew.cmu.edu

Data Protection Self Assessment Worksheet

Instructions:
Complete the assessment information fields (Date Started, Date Completed, Completed by, Scope of Assessment and Data Classification) first. Selecting a value for 'Data Classification' will populate the Rating column with appropriate information. The Response for each control should be Yes, No or Not Applicable per the drop down menu. If the response is Yes, briefly describe the controls that are in place. If the response is No, describe any mitigating controls as well as plans for remediation of this risk. If the response is N/A, explain the reasoning for this in the Remediation Plan / Other Comments section.

Date Started:
Date Completed:
Completed by:
Scope of Assessment:
Data Classification:

ID | Control | Rating | Response (Yes, No, N/A) | Description of Controls (Include any mitigating controls) | Remediation Plan / Other Comments (If appropriate)

Application Security
AS-1 Application development includes reviews for security vulnerabilities throughout the development lifecycle
AS-2 Application change control procedures are documented and followed
AS-3 Controls are in place to protect the integrity of application code
AS-4 Application validates and restricts input, allowing only those data types that are known to be correct
AS-5 Application executes proper error handling so that error messages do not reveal potentially harmful information to unauthorized users (e.g. detailed system information, database structures, etc.)
AS-6 Default and/or vendor supplied credentials are changed or disabled prior to implementation in a staging or production environment
AS-7 Functionality that allows the bypass of security controls is removed or disabled prior to implementation in a staging or production environment
AS-8 Application sessions are uniquely associated with an individual or system
AS-9 Session identifiers are generated in a manner that makes them difficult to guess
AS-10 Session identifiers are regenerated following a change in the access profile of a user or system
AS-11 Active sessions timeout after a period of inactivity
AS-12 Applications are periodically tested for security vulnerabilities (e.g. vulnerability scanning, penetration testing, etc.)
AS-13 Application security patches are deployed in a timely manner
AS-14 Successful attempts to access an application are logged
AS-15 Failed attempts to access an application are logged
AS-16 Attempts to execute an administrative command are logged
AS-17 Changes in access to an application are logged (e.g. adding, modifying or revoking access)
AS-18 Application logs are reviewed on a periodic basis for security events
AS-19 Application logs are protected against tampering
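
The session controls AS-8 through AS-11 are easiest to assess against concrete code. The following is an added example written for this worksheet, not code from the original page or from the Information Security Office: a small in-memory session store in which every identifier is bound to a principal (AS-8), drawn from the operating system CSPRNG (AS-9), replaced whenever the access profile changes (AS-10) and expired after a period of inactivity (AS-11). The class name, the 15-minute idle timeout and the 32-byte token length are assumptions chosen for illustration; the injectable clock exists only so the timeout can be exercised without waiting.

```python
"""Session handling that meets AS-8 through AS-11.

Added example for this worksheet; it is not code from the original page and
the class, constants and idle timeout are assumptions made for illustration.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed policy value for AS-11
TOKEN_BYTES = 32                 # 256 bits of CSPRNG output per identifier (AS-9)


@dataclass
class Session:
    principal: str               # AS-8: the individual or system the session belongs to
    roles: FrozenSet[str]        # access profile the identifier was issued for (AS-10)
    last_seen: float             # clock reading of the last authenticated use (AS-11)


class SessionStore:
    """In-memory store; a real deployment would back this with a server-side cache."""

    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 idle_timeout: float = IDLE_TIMEOUT_SECONDS) -> None:
        self._clock = clock
        self._idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}

    def create(self, principal: str, roles: Iterable[str]) -> str:
        # AS-9: the identifier is random, never derived from user data, a counter or the time.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = Session(principal, frozenset(roles), self._clock())
        return token

    def lookup(self, token: str) -> Optional[Session]:
        """Return the live session for token, or None if unknown or idle too long (AS-11)."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > self._idle_timeout:
            del self._sessions[token]      # expired sessions are dropped, not merely hidden
            return None
        sess.last_seen = now
        return sess

    def change_access_profile(self, token: str, new_roles: Iterable[str]) -> Optional[str]:
        """AS-10: retire the current identifier and issue a fresh one for the new profile."""
        sess = self.lookup(token)
        if sess is None:
            return None
        del self._sessions[token]
        return self.create(sess.principal, new_roles)

    def revoke(self, token: str) -> bool:
        """Explicit logout; returns True if a session was removed."""
        return self._sessions.pop(token, None) is not None


if __name__ == "__main__":
    store = SessionStore()
    t = store.create("alice", ["user"])
    t2 = store.change_access_profile(t, ["user", "admin"])
    print("old token still valid?", store.lookup(t) is not None)   # False
    print("new token valid?", store.lookup(t2) is not None)         # True
```

When answering AS-10, the point to check is that the old identifier stops working the moment privileges change (login, role grant, password change), as `change_access_profile` does above; an application that only adds roles to the existing session leaves a fixated or stolen identifier valid with its new privileges.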
Business Continuity and Disaster Planning
DR-1 A disaster recovery plan is documented
DR-2 Disaster recovery plans are periodically tested
DR-3 A backup and recovery strategy for Institutional Data is documented
DR-4 Backup and recovery procedures are formally documented and followed
DR-5 Backup and recovery procedures are periodically tested

DR-6 Backup copies of data are accurately inventoried
DR-7 Content and physical location of removable backup media is tracked
DR-8 Removable backup media is periodically validated
DR-9 Backup copies of data are stored in a secondary location that is not in close proximity to the primary location (e.g. secondary datacenter, third-party storage site, etc.)

Electronic Access Controls
EA-1 Electronic access to Institutional Data and/or Information Systems is uniquely associated with an individual or system
EA-2 Electronic access to Institutional Data and/or Information Systems is authenticated
EA-3 Electronic access to Institutional Data and/or Information Systems is authenticated using multi-factor authentication
EA-4 Electronic access to Institutional Data and/or Information Systems that traverses the Internet is authenticated using multi-factor authentication
EA-5 Electronic access to Institutional Data and/or Information Systems is reauthenticated after a period of inactivity
EA-6 Where username and password authentication is employed, passwords are managed according to the Guidelines for Password Management
EA-7 Electronic access to Institutional Data and/or Information Systems is authorized by a Data Steward or a delegate prior to provisioning
EA-8 Electronic access to Institutional Data and/or Information Systems is authorized based on a business need
EA-9 Electronic access to Institutional Data and/or Information Systems is based on the principle of least privilege
EA-10 Electronic access to Institutional Data is reviewed and reauthorized by a Data Steward or a delegate on a periodic basis
EA-11 Electronic access is promptly revoked when it is no longer necessary to perform authorized job responsibilities
EA-12 Successful attempts to access Institutional Data in electronic form are logged
EA-13 Failed attempts to access Institutional Data in electronic form are logged
EA-14 Changes in access to Institutional Data in electronic form are logged
EA-15 Electronic access logs are reviewed on a periodic basis for security events
EA-16 Electronic access logs are protected against tampering
Encryption and Key Management
EN-1 Institutional Data transmitted over a network connection is encrypted
EN-2 Institutional Data stored on Electronic Media is encrypted
EN-3 Institutional Data stored on removable Electronic Media is encrypted
EN-4 Data stored on a mobile computing device is encrypted
EN-5 Remote administration of an Information System is performed over an encrypted network connection
EN-6 Industry accepted algorithms are used where encryption and/or digital signing are employed
EN-7 Key sizes of 128-bits or greater are used where symmetric key encryption is employed
EN-8 Key sizes of 1024-bit or greater are used where asymmetric key encryption is employed
EN-9 Keys are changed periodically where encryption is employed
EN-10 Keys are revoked and/or deleted when they are no longer needed to perform a business function
Information System Security
IS-1 Controls are deployed to protect against unauthorized connections to services (e.g. firewalls, proxies, access control lists, etc.)
IS-2 Controls are deployed to protect against malicious code execution (e.g. antivirus, antispyware, etc.)
IS-3 Controls deployed to protect against malicious code execution are kept up to date (e.g. software version, signatures, etc.)
IS-4 Host-based intrusion detection and/or prevention software is deployed and monitored
IS-5 Local accounts that are not being utilized are disabled or removed
IS-6 Default or vendor supplied credentials (e.g. username and password) are changed prior to implementation
IS-7 Services that are not being utilized are disabled or removed
IS-8 Applications that are not being utilized are removed
IS-9 Auto-run for removable electronic storage media (e.g. CDs, DVDs, USB drives, etc.) and network drives is disabled
IS-10 Active sessions are locked after a period of inactivity
IS-11 Native security mechanisms are enabled to protect against buffer overflows and other memory based attacks (e.g. address space layout randomization, executable space protection, etc.)
IS-12 Procedures for monitoring for new security vulnerabilities are documented and followed
IS-13 Operating system and software security patches are deployed in a timely manner
IS-14 Mitigating controls are deployed for known security vulnerabilities in situations where a vendor security patch is not available
IS-15 System is periodically tested for security vulnerabilities (e.g. vulnerability scanning, penetration testing, etc.)
IS-16 Successful attempts to access Information Systems are logged
IS-17 Failed attempts to access Information Systems are logged
IS-18 Attempts to execute an administrative command are logged
IS-19 Changes in access to an Information System are logged
IS-20 Changes to critical system files (e.g. configuration files, executables, etc.) are logged
IS-21 Process accounting is enabled, where available
IS-22 System logs are reviewed on a periodic basis for security events
IS-23 System logs are protected against tampering
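
The logging controls recur in three sections: logs are kept (AS-14 to AS-17, EA-12 to EA-14, IS-16 to IS-20), reviewed periodically for security events (AS-18, EA-15, IS-22) and protected against tampering (AS-19, EA-16, IS-23). The following is an added example written for this worksheet, not code from the original page or from the Information Security Office, that serves all three groups: each record is tagged with an HMAC over its own content and the previous record's tag, so editing, reordering or deleting a record is detected when the chain is re-verified, and a small review routine flags repeated failed logins and administrative commands. The key, the event names and the sample records are constructed for illustration and are not real log data.

```python
"""Tamper-evident log chain plus a periodic security review.

Added example for this worksheet (not code from the original page).  The
key, event names and sample records are constructed for illustration.
"""
import hashlib
import hmac
import json
from collections import Counter
from typing import Dict, List, Tuple

GENESIS_TAG = "0" * 64
# Assumption: the reviewer, not the logging host, holds this key; a host that can
# rewrite its own log and re-sign it would defeat the check.
REVIEW_KEY = b"constructed-demo-key-replace-in-practice"


def _body(record: dict) -> str:
    """Canonical serialisation of the record without its chain fields."""
    return json.dumps({k: v for k, v in record.items() if k not in ("prev", "tag")},
                      sort_keys=True, separators=(",", ":"))


def append_record(chain: List[dict], key: bytes, record: dict) -> dict:
    """Append record; its tag is an HMAC over the previous tag and the record body."""
    prev = chain[-1]["tag"] if chain else GENESIS_TAG
    tag = hmac.new(key, (prev + _body(record)).encode(), hashlib.sha256).hexdigest()
    entry = {**record, "prev": prev, "tag": tag}
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict], key: bytes) -> Tuple[bool, int]:
    """Return (True, -1) if intact, else (False, index of the first record that fails)."""
    prev = GENESIS_TAG
    for i, entry in enumerate(chain):
        expected = hmac.new(key, (prev + _body(entry)).encode(), hashlib.sha256).hexdigest()
        if entry.get("prev") != prev or not hmac.compare_digest(entry.get("tag", ""), expected):
            return False, i
        prev = entry["tag"]
    return True, -1


def review(chain: List[dict], failed_threshold: int = 3) -> Dict[str, list]:
    """Periodic review: accounts at or above the failed-login threshold and every admin command."""
    failures = Counter(e["user"] for e in chain if e["event"] == "login_failed")
    return {
        "repeated_failures": sorted(u for u, n in failures.items() if n >= failed_threshold),
        "admin_commands": [e for e in chain if e["event"] == "admin_command"],
    }


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:01Z", "user": "alice", "event": "login_ok"},
    {"ts": "2024-03-01T08:02:10Z", "user": "mallory", "event": "login_failed"},
    {"ts": "2024-03-01T08:02:14Z", "user": "mallory", "event": "login_failed"},
    {"ts": "2024-03-01T08:02:19Z", "user": "mallory", "event": "login_failed"},
    {"ts": "2024-03-01T09:15:00Z", "user": "bob", "event": "admin_command",
     "cmd": "grant_role reviewer carol"},
    {"ts": "2024-03-01T09:40:33Z", "user": "alice", "event": "login_failed"},
    {"ts": "2024-03-01T09:40:50Z", "user": "alice", "event": "login_ok"},
]


def build_sample_chain(key: bytes = REVIEW_KEY) -> List[dict]:
    chain: List[dict] = []
    for event in SAMPLE_EVENTS:
        append_record(chain, key, event)
    return chain


def tampered_in_place(key: bytes = REVIEW_KEY) -> Tuple[bool, int]:
    """An attacker rewrites a failed login as a success; verification stops at that record."""
    chain = build_sample_chain(key)
    chain[2]["event"] = "login_ok"
    return verify_chain(chain, key)


def tampered_by_deletion(key: bytes = REVIEW_KEY) -> Tuple[bool, int]:
    """Removing a record breaks the prev link of the record that followed it."""
    chain = build_sample_chain(key)
    del chain[1]
    return verify_chain(chain, key)


if __name__ == "__main__":
    intact = build_sample_chain()
    print("intact chain:", verify_chain(intact, REVIEW_KEY))
    print("review:", review(intact)["repeated_failures"])
    print("edited record:", tampered_in_place())
    print("deleted record:", tampered_by_deletion())
```

One caveat worth recording in the Description of Controls column: a chain like this detects edits and deletions in the middle of the log, but truncating the newest records leaves a shorter chain that still verifies. To close that gap, the latest tag has to be anchored somewhere the host cannot rewrite, for example forwarded to a central log collector or written to append-only storage, which is the usual practical answer to AS-19, EA-16 and IS-23.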

Media Sanitization and Disposal
ME-1 Electronic Media is sanitized prior to reuse
ME-2 Electronic Media is destroyed prior to disposal
ME-3 Paper-based and/or written Media is destroyed prior to disposal
Network Security
NS-1 Networks that transmit Institutional Data are segmented according to access profile
NS-2 Access to a network that transmits Institutional Data is authenticated
NS-3 Controls are in place to prevent unauthorized inbound access to a network that transmits Institutional Data (e.g. firewalls, proxies, access control lists, etc.)
NS-4 Controls are in place to prevent unauthorized outbound access from a network that transmits Institutional Data (e.g. firewalls, proxies, access control lists, etc.)
NS-5 Changes to network access controls follow a documented change procedure
NS-6 Network access controls are reviewed on a periodic basis for appropriateness
NS-7 Controls are in place to protect the integrity of Institutional Data transmitted over a network connection
NS-8 Network based intrusion detection and/or prevention technology is deployed and monitored
NS-9 Network devices are configured to protect against network-based attacks
NS-10 Successful attempts to establish a network connection are logged
NS-11 Failed attempts to establish a network connection are logged
Physical Security
PS-1 Physical access to Institutional Data and/or Information Systems is authorized by an appropriate Data Steward or a delegate prior to provisioning
PS-2 Physical access to information systems that store, process or transmit Institutional Data is secured in a manner that prevents unauthorized access
PS-3 Physical access to Institutional Data in written or paper form is secured in a manner that prevents unauthorized access
PS-4 Procedures for obtaining physical access to datacenter facilities are formally documented and followed
PS-5 Physical access to datacenter facilities is logged and monitored
PS-6 Physical access to datacenter facilities is reviewed and reauthorized by a Data Steward or delegate on a periodic basis
PS-7 Physical access to datacenter facilities is promptly revoked when it is no longer necessary to perform authorized job responsibilities