Trusted Service Providers (TSPs) and/or IT Technical Owners are required to complete Risk Assessments (also known as Controls Assessments) if - and when - Information Assurance (IA:MM) vulnerability scans identify failed IT security controls, a major service architectural change occurs, an IT security incident is reported, or whenever required by regulation or law.
That means that if a vulnerability was not successfully fixed (e.g., the patch did not work, a vendor upgrade is pending but not yet available, etc.), TSPs must work with IA Analysts to assess the risk of keeping a vulnerable system connected to Michigan Medicine IT resources. Assessments are prioritized by criticality: any system meeting the criteria for mission critical systems or applications, and all information systems that create, process, store, or transmit sensitive university data classified as Restricted or High* as defined by the U-M Data Classification Levels, take priority.
*Data classified as Moderate or Low will be prioritized and assessed accordingly.
Attention:
IT system or service owners must submit a Risk Decision Request (RDR) if they wish to keep vulnerable assets connected to Michigan Medicine IT resources. If a system/service's vulnerability is not resolved within the required timeframe - and an RDR is not submitted accordingly - that system/service can be disconnected from the Michigan Medicine network.
- How do I locate and manage my Risk (Controls) Assessments?
- What is a "Mission Critical" system/service?
- When are scheduled Controls Assessments due?
Controls Assessment Attestations
Vulnerable IT systems/services granted authorization to remain connected to Michigan Medicine resources usually do so under a signed agreement, or attestation, that the vulnerability will eventually be remediated. Controls Assessment Attestations are required to document the future remediation plan, timeframes, etc. agreed between the IT system/service owner and IA.