Procedure for Risk Mitigation of Unsupportable Networked Computers or Devices
This procedure defines the risk mitigation process to be used when a vulnerable networked computer or system is identified for which there is no best practice resolution. The procedure includes options for reducing the risk of the loss of confidentiality, integrity or availability of Rice data and services.
Procedure Description: This procedure is a step-by-step process designed to provide support staff with guidelines and practices to achieve <Whatever is being accomplished>. The procedure is maintained for standardization and repetition of the process.
| Date | Modification Type | Modified by | Approved by |
|---|---|---|---|
| 1/12/2018 | Initial Draft | Barry Ribbeck | |
Operating Standards: <This section is used to define the who, what, when, and why. The step by step process defines the how>
Occasionally, computing devices or systems are identified on the Rice network that are integrated into research experimental equipment, data acquisition equipment, or legacy building controls and that pose a risk to Rice University research data, operations, reputation, network and systems. These are generally unsupportable devices that have exceeded their life cycle but are still considered useful for research, administrative or academic purposes. They may be unfunded, or there may not be a viable upgrade path.
This procedure outlines the methods, mechanisms and process by which the risks associated with these systems can be identified, reduced to an acceptable level, transferred or accepted by a higher authority.
Step by Step process:
Special Note: It is important to understand that without a true evaluation and quick action, the risks to Rice are undefined, and in most cases the risks are assumed to be negligible. Without objective data, the risks should be classified as HIGH until proven otherwise in order to minimize the potential risks of a loss of integrity, confidentiality and accessibility.
1. Identification: The systems in question will be identified by vulnerability scans conducted by or on behalf of OIT. The owner, steward or entity in possession of the system will be identified to form a working partnership to address the risk.
   - If no responsible party can be identified, the system will be evaluated for function and the risk of removal from the network.
   - If the risk of removal is acceptable, the device will be removed from the network and its MAC address blocked from access.
   - If the device is determined to serve no purpose, it should be allocated for decommissioning and disposal following disposal guidelines.
2. Classification: The system in question will be Risk Classified to determine the impact and probability of loss of confidentiality, integrity and accessibility.
3. Evaluation: The system in question will be evaluated for its purpose, access needs on the network, protocol support and integration requirements in order to assess its functional needs.
4. Remediation Planning: A remediation plan will be drafted to reduce risks associated with the current state of the system by limiting access to required systems and services, reducing services to only those needed for reasonable functionality and implementing segregation from Rice resources and network where applicable.
   - If any identified risks cannot be mitigated acceptably, escalate the risk to the CISO and department chair for discussion.
   - If an acceptable plan cannot be developed, escalate the risk to the CISO and department chair for discussion.
5. Testing: Once an acceptable plan has been developed, a testing process should be implemented with the goal of maintaining reasonable functionality.
   - If the test succeeds, move to step 6.
   - If the test fails, fall back to step 3, evaluate the identified problem and repeat the planning and testing phases until success is achieved.
6. A scan of the system/device should be initiated to validate the remediation steps taken to reduce the risk profile.
7. Document the final results and initiate a reasonable time frame strategy for the removal of the system. Be sure to identify the risk state at the end of the process. If any parameters change, the process should be reviewed to ensure that risk is not elevated beyond the accepted level.