Division of IT: Security
Security Inspection Program
Upcoming Changes to Division of IT Security Inspection Program
In an effort to help application developers streamline the inspection process, the Division of IT has contracted with IBM to purchase licenses for Fortify Source Code Analyzer. Information about the licensing structure and yearly cost is now available.
The new security auditing requirements are dependent on the data classification level of your application. The charging structure listed below is designed to help offset the cost of purchasing the Fortify license for departments who choose to take that route.
For DCS Level 1 applications:
- No annual audit is required but one may be scheduled if necessary.
For DCS Level 2 applications:
- A security audit is recommended and may be required in certain cases. If the developer responsible for the application has purchased a license for the Fortify program and can submit their scan results to ISAM for verification, the auditing process can often be expedited.
For DCS Level 3 applications:
- An annual audit is required.
For departments that would like to conduct more in-depth scanning of their applications, the Division of IT has also purchased licenses for AppScan Enterprise. More information on the capabilities of this product and on licensing can be obtained by e-mailing isam@missouri.edu.
The Division of IT security inspection program reduces the risk of exploits to University of Missouri-Columbia systems by proactively identifying vulnerabilities found in information systems and by deploying both vendor and industry best practices in order to remove or mitigate the severity of those vulnerabilities.
The program strives to accomplish this mission in six distinct phases:
- Identification: During the identification phase, a thorough list of networks, systems and physical locations to be inspected is gathered.
- Coordination: During the coordination phase, the Division of IT security inspectors work with the client to determine the boundaries of the inspection. The goal is to minimize the impact to the client, and a key element to do so is determining what times specific locations, networks and systems should be off limits to the inspectors.
- Inspection: During the inspection phase, data is collected by the Division of IT security inspectors, either in-person or through automated means, about the physical locations, networks, and systems identified by the client.
- Evaluation: During the evaluation phase, the data is compiled by the Division of IT security inspectors. This creates a comprehensive picture of the client's security posture. This data is compared to industry and vendor best practices to accurately describe the vulnerabilities in the system.
- Recommendation: During the recommendation phase, the Division of IT security inspectors work with the client to analyze the vulnerabilities found in the evaluation phase. Inspectors offer prioritized recommendations on how best to remediate the vulnerabilities that have been found based on the client's business needs.
- Repetition: During the repetition phase, the client system is evaluated again, both to make certain that the recommendations have been adopted and to ensure that new vulnerabilities have not crept into the system. This phase is also used to determine whether the overall security posture has improved despite the ever-changing state of information security.
Program Service Levels
The Division of IT Security Inspection program currently offers four levels of service.
More Information
For more information on the Division of IT security inspection program or to schedule an audit, contact isam@missouri.edu.