FAS Internal Application Survey

Objectives

1. Identify the risk level for each application (LOW, MEDIUM, HIGH)

2. Identify the risk factors for each application (e.g. the application does not lock users out after 25 minutes of inactivity)

3. Provide guidance on remediation of risks found (e.g. change the timeout to 25 minutes unless there is a business need to extend the time, in which case submit a security exception)

How We Get There

During the March 2018 FAS DSCP Meeting, a plan was made to use the Inherent Risk Survey Tool (by IT Security) on all FAS applications outside of enterprise IT to create our risk profile. The Inherent Risk Survey Tool is the first step in a two-step process which culminates with the satisfactory resolution of any risks identified by the FAS Application Checklist. The Inherent Risk Survey Tool assigns ratings for applications based on the questions in the survey regarding data classification, user types, number of users and records, and architecture. This is a simple 6-question survey.

The FAS Application Checklist is a deeper dive into an application. This checklist has been designed to efficiently analyze risk based on the data a system or application manages, to comply with regulatory requirements, to prioritize full risk assessment efforts, and to ensure that the right people are making informed decisions about risk and risk management. When the FAS Application Checklist is completed, security staff review it to determine where remediation could strengthen the application's security and lower its risk level. Security staff then work with the department using the application to resolve any problems. The Inherent Risk Survey Tool informs the security staff's remediation planning and ensures that problems are addressed as required by the specific risk levels.