Frequently Asked Questions about the UCI Security Risk Assessment Questionnaire (SRAQ)
- What is the SRAQ?
- The SRAQ is a tool (a Word document with macros) that guides you through the security risk assessment process for a system, prompting you to think about and document the components, threats, countermeasures, and other key information required when assessing risk. It also provides a worksheet for risk acceptance and for action items that reduce risk. It is primarily a self-assessment tool, but it is also the basis for the information gathering required for audits and security reviews. It can also be given to a vendor during an RFP or contracting phase so they can document how they will protect your data.
- Where can I download the tool?
- What is the "LITE" version vs the regular version?
- The "LITE" version is the same document with the detailed items under each control section removed to reduce the page count. It may be used for a low or medium risk system; any high risk system should use the full version. Even for low/medium risk assessments, the detailed items help explain each control section and can answer questions people have while filling it out, even if they don't choose to address each detail.
- Responsible Parties: Who is the Proprietor, Custodian, and Information Security Coordinator?
- Information Classification: Which data elements do I need to include?
- At a minimum, include all data elements in the system that are classified as "restricted" or "sensitive" based on http://security.uci.edu/plan-classification.php. You can also include data classified as "normal" as space permits, especially if it has special availability requirements (a downtime tolerance of hours or less).
- What is the purpose of the Identify Threats section?
- This section makes you think about the specific ways an attacker could compromise your system and identify exactly what you are trying to protect the system from. Later you can tailor security safeguards to those threats rather than blindly applying generic ones of possibly little value.
- Which threats should I consider?
- Default Threats: The first five threats are generic security threats that commonly apply to systems; they are included by default.
- Custom Threats: Other threats specific to your system, or more detailed variants of the default threats that are important to highlight for your system.
- How do I properly complete the Identify Threats section?
- Check the box on the left for each threat that is relevant to your system.
- Impact: select high/medium/low to describe the impact to the campus if the threat were successfully realized.
- Likelihood: select high/medium/low to describe the likelihood of the threat being successfully realized.
- How does the Risk Level Classification work?
- A macro is run to calculate an overall risk level of the system based on the data classification, downtime tolerance, threat impact, and threat likelihood.
- What is a Control?
- "Control" is just the term used in the information security domain for any safeguard or countermeasure that reduces or eliminates the risk posed by a threat.
- Controls: What do the High/Med/Low mean in the detail columns?
- Use the column that matches the overall risk level classification of your system.
- Controls: What do the RQ/RM/OP mean in the detail columns?
- These denote whether that specific control is Required (RQ), Recommended (RM), or Optional (OP) for your system, based on the applicable risk classification column.
- What are the Action Plan and Residual Risk Acceptance sections for?
- Each Control that is Required for your risk level classification but not fully met (status "Partial" or "None") should have either an associated action item in the Action Plan section or a formal residual risk acceptance in the Residual Risk Acceptance section.
- What is "residual risk"?
- Residual risk is the risk that remains after a security control has been implemented, or after a decision not to implement it.
- Who is appropriate to be the Risk Acceptor for residual risk?
- It is important to actually name the person and make them aware of it. It should be the appropriate risk decision maker for the system; that person is usually the Proprietor / data owner, not the IT person.
- What if I don't meet all the requirements, am I being graded?
- Someone else handles (fill in the blank). Do I have to worry about it? Can I just assume they are doing it and mark the Control "Full"?
- Can I see sample diagram templates?
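As an added illustration (not part of the original FAQ, and not the macro inside the SRAQ Word document), the following Python sketch shows how the Identify Threats ratings, the risk level classification, the High/Med/Low control columns and the RQ/RM/OP markings could feed into the list of controls that need an Action Plan item or a Residual Risk Acceptance entry. The scoring matrix, the classification-to-risk mapping, the 4-hour downtime threshold and the sample threats and controls are all assumptions made for this example; the real macro's formula is not published on this page.

```python
"""Added example of an SRAQ-style risk roll-up.  The scoring rules here are
assumptions for illustration, NOT the macro shipped in the SRAQ document."""
from dataclasses import dataclass

# Ordered scale used throughout; the index doubles as a numeric score.
LEVELS = ("low", "medium", "high")

# Assumed mapping from the UCI data classification of the most sensitive
# data element to a minimum (floor) system risk level.
CLASSIFICATION_FLOOR = {"normal": "low", "sensitive": "medium", "restricted": "high"}


@dataclass
class Threat:
    name: str
    impact: str           # high / medium / low: impact to the campus if realized
    likelihood: str       # high / medium / low
    relevant: bool = True  # the checkbox on the left of the threat row


@dataclass
class Control:
    name: str
    requirement: dict     # risk level -> "RQ" | "RM" | "OP" (the H/M/L detail columns)
    status: str           # "Full" | "Partial" | "None"


def threat_risk(t: Threat) -> str:
    """Assumed 3x3 matrix: add the impact and likelihood scores (0..2 each);
    a total of 3 or 4 is high, 2 is medium, 0 or 1 is low."""
    score = LEVELS.index(t.impact) + LEVELS.index(t.likelihood)
    if score >= 3:
        return "high"
    if score == 2:
        return "medium"
    return "low"


def system_risk_level(classification: str, downtime_tolerance_hours: float,
                      threats: list) -> str:
    """Assumed rule: start from the floor set by the data classification, raise
    it to at least medium when downtime tolerance is a few hours or less, then
    raise it to the highest risk of any threat whose checkbox is ticked."""
    level = LEVELS.index(CLASSIFICATION_FLOOR[classification])
    if downtime_tolerance_hours <= 4:  # assumed threshold for "hours or less"
        level = max(level, LEVELS.index("medium"))
    for t in threats:
        if t.relevant:
            level = max(level, LEVELS.index(threat_risk(t)))
    return LEVELS[level]


def open_required_controls(controls: list, level: str) -> list:
    """Controls marked RQ in the column for `level` whose status is not Full.
    Each of these needs an Action Plan item or a Residual Risk Acceptance entry."""
    return [c.name for c in controls
            if c.requirement[level] == "RQ" and c.status != "Full"]


# Constructed sample worksheet for the example (not real UCI data).
SAMPLE_THREATS = [
    Threat("Unauthorized access via stolen credentials", impact="high", likelihood="medium"),
    Threat("Denial of service", impact="medium", likelihood="low"),
    Threat("Physical theft of server", impact="high", likelihood="high", relevant=False),
]
SAMPLE_CONTROLS = [
    Control("Multi-factor authentication for admins", {"low": "OP", "medium": "RM", "high": "RQ"}, "Partial"),
    Control("Encrypted backups", {"low": "RM", "medium": "RQ", "high": "RQ"}, "Full"),
    Control("Centralized log collection", {"low": "OP", "medium": "OP", "high": "RQ"}, "None"),
    Control("Host firewall", {"low": "OP", "medium": "RM", "high": "RM"}, "None"),
]

if __name__ == "__main__":
    lvl = system_risk_level("sensitive", 24, SAMPLE_THREATS)
    print("Overall risk level:", lvl)
    for name in open_required_controls(SAMPLE_CONTROLS, lvl):
        print("Needs action item or residual risk acceptance:", name)
```

With the constructed worksheet, the "sensitive" classification alone would give a medium system, but the high-impact, medium-likelihood credential threat raises it to high, so the high column applies and the two partially or wholly unmet RQ controls are reported; the host firewall is only RM at that level and does not need a formal entry.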