Controls Self Assessment

The UCIT Office of Information Security (OIS) has created an Information Security Controlled Self Assessment (CSA) tool. A CSA is a powerful tool because it sets an expectation of adherence to industry best practices and policies.

This tool is intended for use within a college or business department. It asks the people directly involved in a business activity to determine whether the data protection processes in place are effective, and it helps internal staff evaluate informal or subjective controls in 62 information security areas (see the example below). It is meant to be a self-assessment that you use to “rate” yourself on the standard CMM maturity scale, with 0 being low (non-existent) and 5 being high (optimizing). The intent is that you conduct the CSA annually and seek continual improvement each year in the areas of immaturity it reveals.

From an information security perspective, CSAs help you determine whether your organization is meeting its data protection objectives. Key advantages of implementing a CSA program include earlier detection of risk and the development of action plans that safeguard organizational data against significant business risk. We have taken an information security Integrated Process Approach when designing this CSA template and have incorporated a blend of ITIL (IT Infrastructure Library/ISO 2000), COBIT (ISACA’s Control Objectives for IT) and ISO 17799:270001 (International Standards Organization) processes and standards into it.

Goals of the CSA

  • Reduce or eliminate costly and ineffective controls while stimulating thought about valuable alternatives
  • Pinpoint data protection risk areas while developing adequate control measures
  • Evaluate the data protection control standards already in place
  • Emphasize management and IT staff responsibility for developing and monitoring effective internal control systems
  • Enable clear communication of the results to others so that there is a better understanding of the risks associated with departmental data


CSA Document Downloads

  • Self Assessment Spreadsheet – The CSA template that you use to grade yourself in each of the assessment areas
  • Score Rollup Tool – Takes multiple Self Assessment Spreadsheets from various departments or organizations and produces an overall average maturity score for each department or organization that has completed an assessment
  • Score Rollup Tool Instructions – Directions on how to use the Rollup spreadsheet to obtain an executive overview of your department’s or college’s overall Information Security maturity level


Example

Download and open the Self Assessment Spreadsheet above; below we walk through one of the CSA questions as an example. (The bullet items below the picture only illustrate how to fill in the columns. The example entries are not to be taken as facts: UC does offer Security Awareness programs.)

The spreadsheet columns, shown here with the first question of the template (in this example only the answer has been filled in; the remaining columns are blank):

  • Question Number: 1
  • Question (Control Objective) Business Staff: Are you and members of your department aware of information security policies and have you been provided with any type of awareness training or ongoing communications?
  • Question Number: 1
  • Question (Control Objective) IT Staff: Has an information security policy framework been developed including who is responsible for development, review, and approval of policies?
  • Answer Yes/No/Not Applicable: NA
  • Describe Existing Key Security Controls Supporting this Question: (blank)
  • Describe Key Weaknesses Relative to this Question: (blank)
  • Describe any Current Projects Relative to this: (blank)
  • Current Maturity Rating: (blank)

The template can be used by a business person or an IT person (each question is written in both “languages”).

  • The first three columns in the spreadsheet ask a question in business and in IT language
  • The next column is a short, straightforward answer to the question. It is to be filled in with Yes, No, Somewhat or Not Applicable
  • The next column should contain a short description of the processes or tool solutions that exist to ensure that the practice referenced by the question is followed by departmental employees (e.g. an annual web presentation on OIS policies and mandatory attendance at one of the OIS brown bag seminars each year)
  • The next column should contain a short description of weaknesses in meeting this objective (e.g. no security awareness training has been developed and provided to staff members, no resources available to enforce adherence to OIS policies, etc.)
  • The next column should contain a short description of any active projects you are working on that will raise the department’s maturity level in this area
  • The last column is where you grade yourself (yes, it is subjective!) on your maturity level for this item; descriptions of the maturity levels can be found under the FAQ tab in the spreadsheet
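The following Python script is an added illustration of the rollup described on this page (the Score Rollup Tool averaging departmental maturity ratings and the annual search for areas of immaturity); it is not the OIS spreadsheet or Rollup Tool, and the code is not from UC. It assumes each department exports its CSA rows as CSV using the column headings from the template; the department names and rows are constructed, and the choices to exclude Not Applicable and ungraded questions from the average and to flag anything rated below level 2 are assumptions for the example.

```python
"""Roll up Controls Self Assessment (CSA) maturity ratings.

Added example, not the OIS tool. Assumes departments export their CSA
rows as CSV with the column headings used in the template.
"""
import csv
import io
from statistics import mean

MIN_RATING, MAX_RATING = 0, 5          # CMM scale: 0 non-existent .. 5 optimizing
NOT_APPLICABLE = {"na", "n/a", "not applicable"}

# Constructed sample exports (not real departmental data). Only the columns
# the rollup needs are included; the real template has 62 questions.
SAMPLE_EXPORTS = {
    "College A": """Question Number,Answer Yes/No/Not Applicable,Current Maturity Rating
1,Yes,3
2,Somewhat,2
3,No,1
4,NA,
""",
    "Dept B": """Question Number,Answer Yes/No/Not Applicable,Current Maturity Rating
1,No,0
2,Yes,4
3,Yes,5
4,Yes,
""",
}


def parse_export(text):
    """Return {question_number: (answer, rating or None)} for one export.

    A blank rating stays None (question not yet graded). A rating outside
    the 0-5 scale raises, so a typo such as 15 cannot inflate the average.
    """
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        qnum = int(row["Question Number"])
        raw = row["Current Maturity Rating"].strip()
        rating = None
        if raw:
            rating = int(raw)
            if not MIN_RATING <= rating <= MAX_RATING:
                raise ValueError(f"question {qnum}: rating {rating} outside "
                                 f"{MIN_RATING}-{MAX_RATING}")
        rows[qnum] = (row["Answer Yes/No/Not Applicable"].strip(), rating)
    return rows


def _applicable(answer):
    return answer.lower() not in NOT_APPLICABLE


def department_score(rows):
    """Average maturity over graded, applicable questions.

    Assumption: Not Applicable and ungraded questions are left out of the
    average rather than counted as 0. Returns (average, graded_count,
    list of applicable-but-ungraded question numbers).
    """
    graded = [r for a, r in rows.values() if _applicable(a) and r is not None]
    ungraded = [q for q, (a, r) in rows.items() if _applicable(a) and r is None]
    avg = round(mean(graded), 2) if graded else None
    return avg, len(graded), ungraded


def rollup(exports):
    """Executive overview: {department: (average, graded_count, ungraded)}."""
    return {name: department_score(parse_export(text)) for name, text in exports.items()}


def immature_areas(rows, threshold=2):
    """Question numbers rated below `threshold`: candidates for next year's action plan."""
    return sorted(q for q, (a, r) in rows.items()
                  if _applicable(a) and r is not None and r < threshold)


if __name__ == "__main__":
    for dept, (avg, n, ungraded) in rollup(SAMPLE_EXPORTS).items():
        print(f"{dept}: average maturity {avg} over {n} questions; ungraded: {ungraded}")
    for dept, text in SAMPLE_EXPORTS.items():
        print(f"{dept} areas below level 2: {immature_areas(parse_export(text))}")
```

Excluding ungraded questions rather than scoring them 0 keeps an incomplete spreadsheet from dragging a department's average down; the returned list of ungraded question numbers makes the gap visible instead of hiding it inside the score.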



  • University of Cincinnati Information Security
  • 132/134 University Hall
  • 51 Goodman Drive
  • Cincinnati, OH 45221