Infrastructure Questionnaire Information Security Risk Assessment: Infrastructure General Information- Owner(s)/ Sponsor Questionnaire Owner Name * Title * Contact Number * Email * Data Owner Name * Contact Number * Email * Data Custodian Name * Contact Number * Email * Sponsor / Business Owner Use "Add" button below if there is more than one. Name * Contact Number * Email * Add Remove Infrastructure Information What is the type of implementation? * New Replacement If “Replacement” will the new system retain the previous systems controls (network, filesystem, procedures, firewall, CIS Benchmarks…….)? Please explain below * Provide a brief description of the service purpose and functionality. The infrastructure may consist of various components to perform a service function * Please list assets that will make up this functionality and are to be included in this assessment * Will any physical or logical modification(s) to existing Washington University hardware / software infrastructure be required? If so, describe the modification(s) and why they are required. * (Example: addition or change of firewall rules) What Classification of data will the system / component(s) receive, store, process and transmit? * Protected Confidential Public Visit https://informationsecurity.wustl.edu/resources/information-security-solutions/data-classification for information on data classification. Specify Type (check all that apply) * Protected Health Information (ePHI) Nuclear Regulatory Commission (NRC) PII FISMA FDA PART 11 CUI PCI FERPA Financial Legal Documents Intellectual Property e-identified research data All of the above OtherOther What does the infrastructure component(s) do in regard to this data? Check all that apply * Receive Store Process Transmits Who will be using the infrastructure?: * Staff Clinical Users Patients OtherOther Will access be granted to external user(s)? * Yes No If yes, please explain below. * Do the servers have antivirus protection? * Yes No If yes, who is the vendor? * If yes, what is the product? * Is any of the infrastructure provided by a cloud service? * Yes No If yes, which of the following is it? * IaaS PaaS SaaS How is this service used to support the infrastructure? Please explain below * Infrastructure Access Management Information How will the administrator accounts be provisioned? * Please provide any documentation that may exist Drop a file here or click to upload Choose File Maximum upload size: 51.2MB Is access to the infrastructure provided through a secure access gateway architecture or other centralized access mechanism? * Yes No Have roles been defined to access the infrastructure? * Yes No If yes, please list below. * What access rights are given to the roles? Please explain below * Who has access to operate / manage the Infrastructure? Please explain below * (examples: physical server(s), network fabric, backend storage, etc.) Will user access additions and modifications be requested through an established/existing WashU process (e.g., service catalog)? * Yes No If no, please briefly describe the process below * Audit and Logging Information Will audit logging be enabled for specific activity and events? * Yes No If yes, briefly describe available audit functions and events, timestamp and identify those enabled below * If no, explain why * Will audit logs be able to be exported? * Yes No If yes, briefly describe available export options below (e.g., txt, csv, pdf, syslog) * If no, explain why * Will audit logs be retained for at least 90 days? * Yes No If no, indicate the actual period of time for which logs will be retained below * Have procedures for monitoring or reviewing audit logs on a regular basis been formally documented? * Yes No If yes, please provide a copy of the procedure documentation as a supplement to the completed assessment * Drop a file here or click to upload Choose File Maximum upload size: 51.2MB Infrastructure Management Information Has system been hardened per Center for Internet Security Benchmarks or Vendor OS system recommendations for secure operations? * Yes No If yes, who performs scanning? * How often will scanning be performed? * Who is responsible for providing and applying patches and updates? Please explain below * At what frequency and schedule are patches and updates applied? Please explain below * Does your department / school / organization have a Disaster Recovery Plan that describes how the application and data will be recovered in the event of an emergency? * Yes No Have you shared the Disaster Recovery plan with WashU? * Yes No If no, please provide where it is located * Is a process in place to notify WashU of alerts or potential security breach issues? * Yes No If yes, please explain the process * If no, explain why * Will changes (patches and updates) follow established WashU Change Management Procedures, which include identifying all devices in the CMDB (Change Management Database)? * Yes No Data Protection Information Will data in transit be encrypted? * Yes No If yes, indicate the encryption method used and how this is to be done below * If no, explain why * Will data at rest be encrypted? * Yes No If yes, indicate the encryption method used and how this is to be done below * If no, explain why * Will back-up operations be able to run concurrently with the operation of the application? * Yes No What is the backup strategy and frequency?: * Full Backups Differential Backups Incremental Backups Enter Frequency * How long are backups retained? * Instructions: Provide a graphic representation of the application architecture and data flow. Be as specific as possible and include physical locations, logical locations, IP Addresses, Operating Systems / versions, system interconnections, key incoming and outgoing data flows, security controls in place (ex. Encryption). You may attach a single hybrid diagram or multiple specific diagrams to summarize the architecture and key data flows. Architecture Diagram Drop a file here or click to upload Choose File Maximum upload size: 51.2MB reCAPTCHA If you are human, leave this field blank. Submit