Annual Security Inventory
Background Information
 Environment Information
Please provide keywords for this environment. What constitutes an environment?
Environment Keywords e.g., Student Information System, Student Health Database, Employee Database, Active
Directory. Create new keywords by pressing the 'Enter' key.
Please describe this environment and its business purpose in this unit. Required
 Organization Information
Organization
Department Required
Data Proprietors
What constitutes a data proprietor?
Find by First, Last, or UCR NetID
 Type of Protected Data
For the environment that is described in this submission please answer the questions below concerning
Protected Information. For more information on what constitutes Personal Protected Information (PPI),
please see http://cnc.ucr.edu/security/personalinfo.html
Social Security Number Required
Yes
No
Driver’s License Number Required
Yes
No
Financial Account or Credit Card Number Required
Yes
No
Medical Information Required
Yes
No
Health Insurance Information Required
Yes
No
 Other Sensitive Personal Information
Add keywords for any other types of Personal Sensitive Information e.g., Family Financial History, Vaccination Records.
Create new keywords by pressing the 'Enter' key.
Enter personal sensitive information
Please describe the Personal Protected Information (PPI), Medical Information, or Sensitive Information that is contained
within the environment.
Include any additional information
General Environment Information
Please provide system environment information for all instances where Personal Protected Information (PPI),
Medical Information, or Sensitive Information is stored, processed, or transmitted. This information will include IP
addresses, system host names, system administrator, operating system versions, and installed software.
 Location/Physical Security
Building
Floor
Describe the physical security for this system.
Room Number
Enter physical security here
Does this environment contain laptops? Required
Yes
No
Does this environment contain embedded devices (printer, scanner, copier, etc.)? Required
Yes
No
Please describe methods used to ensure physical security of the laptops or embedded devices
Enter physical security methods here
 General Environment Information
IP Address
Hostname
Machine Type
DNS Aliases
OS
Version
Environment Inventory Notes
 Environment System Administrator
Is the environment system administrator a vendor? Required
Yes
No
System Administrator (Find By First, Last, Or NetID)
Contact Name
Contact Email
Contact Number
Patch
 Host Based Security
Do systems in this environment have host-based firewalls? Required
Yes
No
Other
Please explain. Required
What software, including version, is used for the host-based firewall?
How frequently are firewall logs reviewed? What is the most frequent incident
found in these logs?
 Administrative Access Controls
How many people have administrative rights to your environment? Required
Are logs kept of administrative access? Required
Yes
No
Are they reviewed periodically? Required
Yes
No
Please describe the logging procedure. Include log location, retention period,
frequency of review and the contact information for the person responsible
for the review. If no, please describe why and any remediation plans. Required
 Software Development Controls
Does the environment utilize change management for applications/systems
that interact with Personal Protected Information (PPI), Medical Information,
or Sensitive Information? Required
Yes
No
Please describe your change management system and procedures. If you are
using a vendor product for change management, include the product name
and version.
 Backups/Data Security
Is the data contained within the environment backed up? Required
Yes
No
Other
Please explain. Required
Please describe method for performing backups including the type of media
used.
Please describe the schedule for performing backups.
example: Mon-Thurs perform incremental backups, Friday Full/Image
backups
Are backups kept locally or sent off-site? Please describe.
Please describe the method for performing backups.
example: Remotely via Veritas NetBackup.
What is the retention period for keeping backups?
Does the system transfer or make copies of Personal Protected Information
(PPI), Medical Information, or Sensitive Information to other systems? Required
Yes
No
Do you use encryption when transferring Personal Protected Information
(PPI), Medical Information, or Sensitive Information to other systems? Required
Yes
No
Do you use encryption when storing backups of Personal Protected
Information (PPI), Medical Information, or Sensitive Information? Required
Yes
No
Describe the encryption method, algorithm, and key management.
 Network Security
Does the environment utilize a network firewall and/or intrusion detection/prevention system? Required
Yes
No
Is the administration of the network firewalls or intrusion detection/prevention systems handled by a vendor?
Yes
No
Network Security Administrator
Contact Name
Contact Email
Contact Number
What appliance or other hardware is used for network firewalls or intrusion detection/prevention systems?
How frequently are firewall logs reviewed? What is the most frequent incident found in these logs?
 Managerial Controls
Are you familiar with UCR's Procedures, Practices and Guidelines relating to U.C. Electronic Information Security Policy
(IS-3)? IS-3 Procedure  (https://cnc.ucr.edu/security/gensec.html) Required
Yes
No
Are employees hired to work with Personal Protected Information, medical information or other sensitive information
required to have background checks prior to accessing this information? Required
Yes
No
Are procedures and/or systems in place to provide timely revocation of access privileges upon termination, or when job
duties no longer require a legitimate business need for access? Required
Yes
No
Are procedures and/or systems in place to ensure proper disposition of electronic information resources upon
termination? Required
Yes
No
Are procedures in place for supervisors or other employees with responsibilities for protected data/systems to
periodically review the work of system administrators (or others, e.g. database administrators) with privileged accounts?
Required
Yes
No
Are procedures and/or systems in place to provide review and approval mechanisms to ensure only authorized
individuals are granted access to protected data and systems? Required
Yes
No
 Disaster Recovery
Do you have a disaster recovery plan for this environment? Required
Yes
No
Has this plan been tested?
Yes
No
Please describe the disaster recovery test and results.
Database/File System Information
The following section pertains to the database administration on the environment.
 Storage Type Information
Please describe the underlying technology used to store and access protected data. Examples include a relational
database (e.g. Oracle, SQL Server, MySQL, PostgreSQL, Microsoft Access), custom application/storage mechanism,
flat file database or network shares (e.g. Office documents on a central file share). Required
 Database/File System Administration
Is the administration of the database, file system or other storage mechanism described above provided by a vendor?
Required
Yes
No
Database/File System Administrator (Find By First, Last, Or NetID)
Contact Name
Contact Email
 Database/File Access Controls
How many people have access to the database/files containing Personal
Protected Information (PPI), Medical Information, or Sensitive Information
within this environment? Required
Has the Data Proprietor authorized all of the people with such access?
Required
Yes
No
Do any of the people with access use a shared password? Required
Yes
No
Are logs kept of all database/file accesses? Required
Yes
No
Please describe the logging procedure and any authentication/authorization
controls. Include log location, retention period, frequency of review and the
contact information for the person responsible for the review. Required
Contact Number