
This risk self-assessment survey is based on the Center for Internet Security (CIS) Controls, which are a recommended

set of ac
ways to thwart the most pervasive attacks. The CIS Controls are a relatively short list of high-priority, highly effective defensiv
every enterprise seeking to improve their cyber defense. Prioritization is a key benefit to the CIS Controls. They were designed
defenses, direct their scarce resources on actions with immediate and high-value payoff, and then focus their attention and re
or mission. (While Controls 1 through 7 are essential to success and should be considered among the very first things to be do
implement controls accordingly.)
Instructions:
1. Access the Risk Assessment Survey
2. Complete Step #1 under the name of the participating units
3. Complete the risk assessment contained in Step #2
For each “Yes” answer, include a statement in the Current Status column that explains how the unit meets the criteria
For each "No" or "Partial" answer, it is critical that the unit prepares a risk mitigation strategy. Broadly, there are four potentia
mitigation strategies with a short reason for choosing a particular response in the Mitigation Plan column:

Avoid | change plans to circumvent the problem

Control/Mitigate/Modify/Reduce | reduce threat impact or likelihood (or both) through intermediate steps

Accept/Retain | assume the chance of the negative impact to the unit or university; or

Transfer/Share | outsource risk or a portion of the risk to a third party or parties that can manage the outcome; this is done fi
operationally through outsourcing an activity

For each “Does Not Apply” answer, include a statement in the Current Status column that explains why the control does not a
4. Upon completion, submit an encrypted copy of the risk assessment only to risk@fsu.edu (do not include copies of inventory
Step 1: Please complete the section below, then complete Step 2 - Risk Assessment.

Unit Name:
Completion Date:
Primary person responsible for completing this survey:
Secondary Contact(s):
Information Security Manager(s) (ISM):
Unit Privacy Coordinator(s) (UPC):

Risk Self-Assessment Survey - Confidential
Step 2 - Risk Assessment. For each Critical Security Control below, the Question, Background, and Why This Control Is Critical columns of the survey are reproduced, followed by the unit's Answer (Yes / No / Partial / Does Not Apply), Current Status, and Mitigation Plan entries.

Basic Controls
1: Inventory and Control of Data Sets
Question: Does the unit maintain an inventory of the data sets it stores, transmits, processes, or creates including classification of such data sets (Protected, Private, Public)?
Background: The Information Security and Privacy Office (ISPO) provides an Excel spreadsheet to perform this process if the unit does not already have this information recorded. The unit must understand the data sets it is responsible for safeguarding to ensure proper security and privacy controls are in place to protect these assets. The ISMs/UPCs should interview faculty and staff to develop and maintain the list. At a minimum, the unit should inventory the types of data sets such as HR, Student Data, Intellectual Property (exams, class presentations), and Research Data the unit holds as part of its normal business process. Units with dedicated resources should create a system to onboard data sets in a real-time inventory list.
Why This Control Is Critical: Data sets must be actively managed to ensure proper physical and cyber controls are in coordination with the classification level assigned to the information. Units that fail to inventory and classify the types of information they process face a daunting task of confirming controls are properly deployed to safeguard information. In addition, this increases the risk of failing to implement controls to meet legal or contractual safeguarding requirements. In the worst case, the lack of data set management leads to problems maintaining the Confidentiality, Integrity, and Availability of unit information.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

2: Inventory and Control of Hardware Assets
Question: Does the unit actively inventory and track FSU-owned hardware devices (Examples include PCs, laptops, servers, tablets, phones, switches, routers, security appliances)?
Background: The unit may also have inventory spreadsheets prepared or use applications to record/poll this information digitally. It is important to understand the computing assets the unit is responsible for to ensure proper controls and security patch updates are being applied to protect unit information.
Why This Control Is Critical: Unit Information Security Managers or Service Providers need the ability to inventory computing devices attaching to the unit's assigned network subnets to ensure the devices are managed with updated security and privacy controls. The inability to inventory unit computing devices or the internal implementation of Shadow IT not managed by unit IT managers or a 3rd party greatly increases the risk that devices attaching to unit networks contain security/privacy vulnerabilities. Units allowing employees/students/vendors to Bring Their Own Device (BYOD) may not be able to inventory these devices as they attach to their networks, but should have network controls implemented to reduce the risks these unmanaged devices present.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

3: Inventory and Control of Software Assets
Question: Does the unit actively inventory and track unit software it is responsible for managing (excludes enterprise applications such as OMNI modules, Campus Solutions modules, Concur, Office 365, or Canvas unless your unit is responsible for managing one or more of these enterprise applications)?
Background: The unit may also have manually created spreadsheets or use automated applications to poll computing devices to discover and record this information. The inventory is limited to the software assets the unit has developed internally or has licensed as off-the-shelf software. Units answering "Yes" will have functional automated or manual software inventory programs deployed and whitelisting software or device configurations to restrict the addition of unauthorized software.
Why This Control Is Critical: Attackers look for vulnerable versions of software that can be remotely exploited. They can distribute hostile web pages, media files and other content, or use zero-day exploits that take advantage of unknown vulnerabilities. Therefore, proper knowledge of what software has been deployed in the unit is essential to properly manage software for data security and privacy updates. In addition, utilizing whitelisting technologies allows IT managers to restrict the use of unauthorized software to reduce risks to the unit of unsupported software opening vulnerabilities into unit networks and computing devices.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

4: Continuous Vulnerability Management
Question: Does the unit use InsightVM or another vulnerability scanning application to conduct monthly credentialed vulnerability scans of computing devices (operating systems and applications) and ensure critical vendor security patches are applied to devices in a timely manner?
Background: ISPO provides units access to the InsightVM vulnerability scanning tool to accomplish this task. Local unit IT staff should conduct credentialed monthly scans of unit assigned subnets and remediate vulnerabilities based on timelines established in the Vulnerability Management Program. Note: ITS provides a supplemental service to automate patching of non-Microsoft applications (Adobe, Java, etc.) that are not part of the base Microsoft patching services. Otherwise, the units must have a local solution for third-party patching.
Why This Control Is Critical: A vulnerability is a weakness or flaw found in software that can be exploited by attackers. As soon as researchers report new vulnerabilities, a race starts among all relevant parties: attackers strive to exploit the vulnerability for an attack, vendors deploy patches or updates, and defenders start performing risk assessments or regression testing. Attackers have access to the same information as everyone else, and can take advantage of gaps between the appearance of new knowledge and remediation. By promptly performing remediation on vulnerabilities found, the local unit IT staff is thereby reducing the unit's cyber security risk.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

5: Controlled Use of Administrative Privileges
Question: Does the unit have processes and tools used to track and control the use, assignment, and configuration of administrative accounts with elevated privileges on computers, networks, and applications?
Background: Units answering "Yes" will have a formal/auditable process to track and monitor privileged account activities or have deployed a tool to automate this process. Outsourced Applications: Responsibility for outsourced applications should be contractually provided by the vendor.
Why This Control Is Critical: The misuse of administrative privileges is a primary method for attackers to gain unauthorized access inside an enterprise. To gain administrative credentials, attackers use phishing techniques, crack or guess the password for an administrative user, or elevate the privileges of a normal user account into an administrative account. If organizations do not have resources to monitor privileged account activities in their IT environments, it is easier for attackers to gain full control of their systems.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

6: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Question: Does the unit have computing device hardening guidelines to configure mobile devices, laptops, servers, and workstations?
Background: Unit IT should utilize device hardening guidelines to ensure non-essential services are disabled to reduce the potential attack surface area of PCs, Macs, laptops, network devices, and tablets when deploying devices to users. Units answering "Yes" will have a formal process in place to only deploy hardened devices (PCs, Macs, Laptops, Servers, Network Devices). Outsourced Applications: Hardening guidelines are specified in the university's IT Security and Privacy Terms and Conditions.
Why This Control Is Critical: Manufacturers and resellers design the default configurations of operating systems and applications for ease of deployment and use, not strong security. Open services and ports, as well as default accounts or passwords, can be exploitable in their default state, so units must develop configuration settings with good security properties.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

7: Maintenance, Monitoring and Analysis of Audit Logs
Question: Does the unit collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack?
Background: All computing devices are generally capable of generating log information including logon activity, file access, and services auditing. Enterprise services: ITS provides Internet/Network access for all university affiliates on-campus, including: wired high-speed Ethernet, dormitory network access (RESNet), campus-wide wireless (see Related Services), and educational connections on Florida Lambda Rail (FLR) and National Lambda Rail (NLR). This access is audited and monitored by ITS staff. Units with Local IT Support: Units supporting their desktops and servers locally should have the ability to collect, manage, and analyze log data. Outsourced Services: Units with outsourced services should ensure the vendor is auditing and monitoring contracted services. The university's IT Security and Privacy Terms and Conditions includes this provision.
Why This Control Is Critical: Lack of security logging and analysis enables attackers to hide their location and activities in the network. Even if the victim organization knows which systems have been compromised, without complete logging records, it will be difficult for them to understand what an attacker has done so far and respond effectively to the security incident.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

Foundational Controls
8: Email and Web Browser Protections
Question: Does the unit have procedures in place to ensure web browsers and email clients are fully patched?
Background: Enterprise Email Services: The enterprise Office 365 service has a security infrastructure gateway in place allowing the unit to answer "yes" to this question. Unit Email Servers: Those units running local email servers or contracted email services will have to analyze these services to determine if appropriate antimalware and phishing screening protection features are active. Web Browser: The unit is responsible for managing web browser security patches especially if it uses browsers other than Explorer, Firefox, or Edge.
Why This Control Is Critical: Web browsers and email clients are very common points of entry for hackers because of their high technical complexity and flexibility. They can create content and spoof users into taking actions that can introduce malicious code and lead to loss of valuable data.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

9: Malware Defenses
Question: Does the unit install antimalware applications on computing devices to control the installation, spread, and execution of malicious code at multiple points in the enterprise?
Background: Local unit IT staff should have antivirus/antimalware running on PCs/Laptops and Windows OS based servers. Macs, Linux servers, and tablets should be hardened or use internal firewall features to protect data processing assets.
Why This Control Is Critical: Modern malware can be fast-moving and fast-changing, and it can enter through any number of points. Therefore, malware defenses must be able to operate in this dynamic environment through large-scale automation, updating and integration with processes like incident response.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

10: Limitation and Control of Network Ports, Protocols, and Services
Question: Does the unit manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize points of access to hackers/attackers?
Background: This question extends the requirements of Critical Control 6 and the hardening of devices by: 1) Reviewing the open ports, protocols, and services running on each computing or network device to ensure they are necessary for the business functionality of the device. Any unnecessary ports, protocols, or services are disabled after the review process. 2) Using firewalls on the network or host-based firewalls in the computing devices to close unnecessary ports, protocols, or services. 3) Putting all servers running critical services such as DNS, file servers, mail, web, and database servers behind a firewall.
Why This Control Is Critical: Attackers search for remotely accessible network services that are vulnerable for exploitation. Common examples include poorly configured web servers, mail servers, and file and print services, as well as domain name system (DNS) servers that are installed by default on a variety of devices. Therefore, it is critical to make sure that only ports, protocols, and services with a validated business need are running on each system.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

11: Data Recovery Capabilities
Question: Are processes and tools used to properly back up critical information with a tested procedure to meet the business processes of the unit?
Background: Units will have conducted a review of local applications and data sets. The review will determine if a formal backup and recovery strategy is appropriate to maintain business continuity in the event of a service disruption. Units answering "Yes" will have a backup and recovery process which is tested at least annually to ensure it functions as intended. Canvas, OMNI, and Campus Solutions modules are the responsibility of the respective application/module owners for enterprise backup and recovery operations. Outsourced applications backup requirements are covered in the university's IT Security and Privacy Terms and Conditions. Units not processing any critical applications or data sets requiring a backup and recovery strategy will answer this question "N/A". Units answering "No" will not have conducted an assessment of their applications or data sets to determine if a backup and recovery strategy is required.
Why This Control Is Critical: Attackers often make significant unauthorized changes to data, device or application/database configurations and software if they are able to breach security/privacy controls. Failure to support a reliable backup and recovery program makes it difficult for units to recover from such an attack.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

12: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Question: Does the unit establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a configuration management and change control process?
Background: Formal and auditable configuration procedures should be able to log any security or access configuration changes to network devices. This includes periodic reviews of network and security device configurations to validate controls.
Why This Control Is Critical: Just as with operating systems and applications (see Critical Security Control 4), the default configurations for network infrastructure devices are geared for ease of deployment, not security. Attackers exploit these configuration flaws to gain access to networks or use a compromised machine to pose as a trusted system.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

13: Boundary Defense
Question: Does the unit: 1) Use automated tools such as an Intrusion Prevention System (IPS) to block the unauthorized flow of information between the unit's internal network and known malicious IP addresses; 2) Internally support or have contracted with a vendor to provide a Security Information Event Management (SIEM) security appliance/service to monitor unit network communications for anomalous activity; and 3) Require two-factor authentication for all remote access (non-FSU network) to unit internal systems hosting protected information?
Background: Units answering "Yes" to this control will 1) Have deployed an IPS on its connection to the university's core network; 2) Support a SIEM either as a local service or as a vendor supported service; 3) Have implemented a two-factor authentication service for all connections from non-unit networks to devices within the unit's network space hosting or processing protected information.
Why This Control Is Critical: Attackers focus on exploiting systems that they can reach across the Internet, including workstation and laptop computers that pull content from the Internet through network boundaries. Threats such as organized crime groups and nation-states use configuration and architectural weaknesses found on perimeter systems, network devices, and Internet-accessing client machines to gain initial access into an organization. Then, unauthorized users will leverage these compromised devices to pivot deeper inside the boundary to steal or change information or to set up a persistent presence for later attacks against internal hosts.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

14: Data Protection
Question: Has the unit: 1) Deployed hard drive or file encryption to identified systems holding protected data including mobile storage devices; 2) Implemented network or host-based Data Loss Prevention (DLP) solutions; and 3) Utilized a data discovery tool to scan servers, mapped drives, and user devices for protected information?
Background: Compliant units will have 1) Deployed either file or full disk encryption to devices storing protected information; 2) Implemented host or network DLP solution(s); 3) Scanned computing devices for the storage of protected data including mapped or community drives.
Why This Control Is Critical: While many data leaks are deliberate theft, other instances of data loss or damage are the result of poor security practices or human errors. To minimize these risks, organizations need to implement automated solutions that can help detect data exfiltration and mitigate the effects of data compromise. In addition, encryption of protected data at rest adds a layer of control. Finally, using a data discovery tool automates the task of finding where users are storing protected information.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

15: Controlled Access Based on Least Privilege
Question: Has the unit: 1) Restricted network access to protected information to allow only users who have a business need for accessing these systems; 2) Deployed "Certificates" to encrypt all communications of protected information over local network or Internet connections; 3) Deployed Virtual Local Area Networks (VLANs) or Virtual Routing and Forwarding (VRF) to restrict access to unit network segments hosting protected information?
Background: Units answering "Yes" will 1) Have granted user access on a need to know or business need and review these permissions periodically to validate these permissions are still valid; 2) Deployed "Certificates" to encrypt communications between authorized users and resources; 3) Have segmented their network by either implementing VLANs or VRFs based on the classification level of the information stored or processed within the unit's subnets.
Why This Control Is Critical: Some organizations do not carefully identify, separate, and deploy controls to protect their most critical assets from less sensitive data, and users have access to more sensitive data than they need to do their jobs. As a result, it is easier for a malicious insider — or an attacker or malware that takes over their account — to steal important information or disrupt operations.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

16: Wireless Access Control
Question: Has the unit: 1) Educated users to only conduct university transactions involving information classified as "Protected" over encrypted wireless connections on campus or when accessing non-university wireless connections? 2) Periodically used a wireless discovery tool to ensure unauthorized wireless access points are not connected to unit assigned subnets?
Background: Units answering "Yes" will: 1) Have training sessions with users to ensure they only use encrypted wireless connections to process information classified as "Protected." 2) Utilize a wireless discovery tool to walk through unit facilities to discover the possible connection of unauthorized wireless access points. Specifically, administrators should ensure users or unauthorized individuals have not connected a consumer-grade wireless access point to extend connections to unit network assets.
Why This Control Is Critical: Wireless devices are a convenient vector for attackers to maintain long-term access into the IT environment, since they do not require direct physical connection. In addition, non-FSU wireless access used by employees as they travel can expose "Protected" information if the transmission of this information is not encrypted in transit over the host access points.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

Organizational Controls
17: Implement a Security Awareness and Training Program
Question: Does the unit have a functional training program in place to ensure users and those positions supporting unit technologies are educated on current security and privacy topics/strategies to protect unit resources?
Background: By policy, the unit should have a training schedule for both users and systems administrators. ISPO provides resources to assist in completing this task on a yearly basis. Both the UPC and ISM should review any special training that might be needed to fulfill contractual or legislated requirements specific to the unit.
Why This Control Is Critical: It is tempting to think of cyber defense as primarily a technical challenge. However, employee actions are also critical to the success of a security program. Attackers often use the human factor to plan exploitations, for example, by carefully crafting phishing messages that look like normal emails, or working within the time window of patching or log review.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

18: Incident Response Management
Question: Does the unit maintain a copy of the university's incident response plan and does the unit educate users on how to manage a breach of protected information and/or computing equipment using the plan?
Background: It is important to have an Incident Response program even if the unit utilizes only enterprise applications. ISPO provides a formal Incident Response Plan to fulfill the documentation requirement for general breach response. This document should be communicated to unit administrators and users to assist in executing incident response procedures correctly. Units handling credit cards, protected health information, student financial aid, and certain research data need to integrate those legal or contractual specialized breach procedures into the unit's general program.
Why This Control Is Critical: Security incidents are now a normal part of our daily life. Even large and well-funded enterprises struggle to keep up with the evolving cyber threat landscape. Sadly, in most cases, the chance of a successful cyber attack is not "if" but "when." Without an incident response plan, an organization may not discover an attack until it inflicts serious harm or be able to eradicate the attacker's presence and restore the integrity of the network and systems.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

19: Application Software Security
Question: Does the unit: 1) Only run applications or application versions that are supported by the vendor with security patches/security strategies; 2) Protect web applications with a Web Application Firewall (WAF); 3) Perform code vulnerability scans for any internally developed applications; 4) Maintain separate production and test environments to validate patch updates or to test code changes on internally supported applications?
Background: 1) Both "off the shelf" and shareware applications should be fully supported by the appropriate vendor or shareware support groups. Support exceptions are possible for unsupported software with compensating security/privacy controls. 2) Web Application Firewalls inspect all traffic flowing to protected web applications to prevent attacks on vulnerable web applications. 3) Internally developed software should be scanned for any known vulnerabilities prior to moving the software into a production environment. 4) Testing of new patch deployments and code changes to internally developed applications should always be validated in a separate test environment and not in the production environment.
Why This Control Is Critical: Attackers often take advantage of vulnerabilities in web-based applications and other software. They can inject specific exploits, including buffer overflows, SQL injection attacks, cross-site scripting and click-jacking of code, to gain control over vulnerable machines including unauthorized read/write access to "Protected" information assets.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

20: Penetration Testing
Question: Has the unit completed external (from outside of the FSU/Unit network) and internal (from within the FSU/Unit network) penetration tests against computing assets including desktops, servers, and network devices?
Background: Penetration testing utilizes computerized applications and manual methods to simulate attacks against unit computer systems and manual security/privacy controls. The resulting reports from a pen test enable units to identify vulnerabilities and attack vectors that can be used to exploit systems.
Why This Control Is Critical: Attackers can exploit the gap between good defensive intentions and their implementation, such as the time window between the announcement of a vulnerability, the availability of a vendor patch and patch installation. In a complex environment where technology is constantly evolving, organizations should periodically test their defenses to identify gaps and fix them before an attack occurs.
Answer (Yes / No / Partial / Does Not Apply):
Current Status:
Mitigation Plan:

Tools and Resources
For each Critical Security Control, the Question is repeated below, followed by the Tools & Resources available to the unit for that control.

Basic Controls
1: Inventory and Control of Data Sets
Question: Does the unit maintain an inventory of the data sets it stores, transmits, processes, or creates including classification of such data sets (Protected, Private, Public)?
Tools & Resources: See Inventory Spreadsheets for Datasets, Hardware, and Software; Information Classification Guidelines; What is a Dataset?
2: Inventory and Control of Hardware Assets
Question: Does the unit actively inventory and track FSU-owned hardware devices (Examples include PCs, laptops, servers, tablets, phones, switches, routers, security appliances)?
Tools & Resources: See Inventory Spreadsheets for Datasets, Hardware, and Software
3: Inventory and Control of Software Assets
Question: Does the unit actively inventory and track unit software it is responsible for managing (excludes enterprise applications such as OMNI modules, Campus Solutions modules, Concur, Office 365, or Canvas unless your unit is responsible for managing one or more of these enterprise applications)?
Tools & Resources: See Inventory Spreadsheets for Datasets, Hardware, and Software
4: Continuous Vulnerability Management
Question: Does the unit use InsightVM or another vulnerability scanning application to conduct monthly credentialed vulnerability scans of computing devices (operating systems and applications) and ensure critical vendor security patches are applied to devices in a timely manner?
Tools & Resources: Vulnerability Assessment; FSU Vulnerability Management Program - Information Technology Services; Stan
5: Controlled Use of Administrative Privileges
Question: Does the unit have processes and tools used to track and control the use, assignment, and configuration of administrative accounts with elevated privileges on computers, networks, and applications?
Tools & Resources: Supervisor Guidelines for Reviewing Employee Role Assignments
6: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Question: Does the unit have computing device hardening guidelines to configure mobile devices, laptops, servers, and workstations?
Tools & Resources: FSU Information Security Policy; FSU Information Privacy Policy; CIS Benchmarks
7: Maintenance, Monitoring and Analysis of Audit Logs
Question: Does the unit collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack?
Tools & Resources: FSU Information Security Policy; FSU Information Privacy Policy; NIST SP 800-92: Guide to Computer Security Log Management
Foundational Controls
8: Email and Web Browser Protections
Question: Does the unit have procedures in place to ensure web browsers and email clients are fully patched?
Tools & Resources: Electronic Mail Policy; ITS Email Spam and Virus Filtering Services
9: Malware Defenses
Question: Does the unit install antimalware applications on computing devices to control the installation, spread, and execution of malicious code at multiple points in the enterprise?
Tools & Resources: How can I protect my computer from viruses and malware?; Phishing
10: Limitation and Control of Network Ports, Protocols, and Services
Question: Does the unit manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize points of access to hackers/attackers?
Tools & Resources: Information Security Support Resources
11: Data Recovery Capabilities
Question: Are processes and tools used to properly back up critical information with a tested procedure to meet the business processes of the unit?
Tools & Resources: Seminole Secure - See Disaster Recovery and Continuity of Operations Plans
12: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Question: Does the unit establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a configuration management and change control process?
Tools & Resources: FSU Network Services
13: Boundary Defense
Question: Does the unit: 1) Use automated tools such as an Intrusion Prevention System (IPS) to block the unauthorized flow of information between the unit's internal network and known malicious IP addresses; 2) Internally support or have contracted with a vendor to provide a Security Information Event Management (SIEM) security appliance/service to monitor unit network communications for anomalous activity; and 3) Require two-factor authentication for all remote access (non-FSU network) to unit internal systems hosting protected information?
Tools & Resources: Information Security Support Resources
14: Data Protection
Question: Has the unit: 1) Deployed hard drive or file encryption to identified systems holding protected data including mobile storage devices; 2) Implemented network or host-based Data Loss Prevention (DLP) solutions; and 3) Utilized a data discovery tool to scan servers, mapped drives, and user devices for protected information?
Tools & Resources: Information Classification Guidelines; Information Security Support Resources
15: Controlled Access Based on Least Privilege
Question: Has the unit: 1) Restricted network access to protected information to allow only users who have a business need for accessing these systems; 2) Deployed "Certificates" to encrypt all communications of protected information over local network or Internet connections; 3) Deployed Virtual Local Area Networks (VLANs) to restrict access to unit network segments hosting protected information?
Tools & Resources: FSU Information Security Manager; FSU Unit Privacy Coordinator
16: Wireless Access Control
Question: Has the unit: 1) Educated users to only conduct university transactions involving information classified as "Protected" over encrypted wireless connections on campus or when accessing non-university wireless connections? 2) Periodically used a wireless discovery tool to ensure unauthorized wireless access points are not connected to unit assigned subnets?
Tools & Resources: FSU Wireless Data Communications Policy; FSU Campus Wi-Fi; FSU Wireless Security Guidelines 2019
Organizational Controls
17: Implement a Security Awareness and Training Program
Question: Does the unit have a functional training program in place to ensure users and those positions supporting unit technologies are educated on current security and privacy topics/strategies to protect unit resources?
Tools & Resources: ISPO - Training and Outreach; Developing a Unit Training Plan; Training Slide - Security Awareness
18: Incident Response Management
Question: Does the unit acknowledge the receipt of the university's incident response plan and does it educate users on how to manage a breach of protected information and/or computing equipment using the plan?
Tools & Resources: IT Security and Privacy Incident Response Procedures; ITS Incident Reporting and Management; ITS Incident Management
19: Application Software Security
Question: Does the unit: 1) Only run applications or application versions that are supported by the vendor with security patches/security strategies; 2) Protect web applications with a Web Application Firewall (WAF); 3) Perform code vulnerability scans for any internally developed applications; 4) Maintain separate production and test environments to validate patch updates or to test code changes on internally supported applications?
Tools & Resources: Ten Security Tips for Software Developers
20: Penetration Testing
Question: Has the unit completed external (from outside of the FSU/Unit network) and internal (from within the FSU/Unit network) penetration tests against computing assets including desktops, servers, and network devices?
Tools & Resources: What is an IT Penetration Test?
