������һ��

Effective: 08/08/2022
Last Revised: 08/08/2022
Responsible ������һ�� Administrator: Assistant Vice President, IT Security Services
Responsible ������һ�� Office: Information Technology Services
Standard Contact: IT Security Services, security@nebraska.edu

Standard Contents

1. Purpose
2. Scope
3. Standard Statement
4. Situational Awareness Requirements
   4.1 Threat Intelligence
   
5. Standards and Procedures
6. Compliance
7. Related Information
8. Approvals and Revision History

1. Purpose

The purpose of the Situational Awareness Standard is to define the organization’s requirements for enforcing effective threat intelligence gathering and review practices. This standard serves as a statement of objectives for the protection of information assets against emerging and identified cyber security threats.

(Return to top)

2. Scope

This standard shall apply to all The ������һ�� of Nebraska (“The ������һ��”) technology assets. Any information not specifically identified as the property of other parties, that is transmitted or stored on Information Systems (including email, messages, and files) shall be considered the property of The ������һ�� and to which this standard applies. All users (employees, contractors, vendors, or others) of Information Systems are responsible for adhering to this standard.

(Return to top)

3. Standard Statement

It is the intention of this standard is to establish a threat intelligence capability throughout The ������һ�� to help the organization implement security best practices regarding the collection, review, and communication of security threat intelligence to enhance security posture and preparedness. Deviations from the requirements defined herein in the form of exceptions must be approved in advance and in writing by the Chief Information Security Officer (“CISO”) as defined in ITS Policy Exception Standard. The following subsections outline the Situational Awareness Standard.

(Return to top)

4. Situational Awareness Requirements

4.1 Threat Intelligence

4.1.1 Threat Intelligence Feeds

The ������һ�� must subscribe to industry and threat information provider feeds to gain access to information surrounding emerging and experienced security threats, alerts, advisories, directives, and attacks throughout the industry.

4.1.2 Threat Intelligence Review

Cyber security threat information feeds must be reviewed by ������һ�� information security staff to identify threats that are relevant and potentially harmful to ������һ�� assets. If a threat is deemed critical or of high risk, that threat must be communicated to appropriate stakeholders to determine risk treatment and drive program objectives.

4.1.3 Threat Classification

Threat actors and threat methods should be classified depending on their likelihood to impact the organization. Example threat actors include cyber criminals, privileged insiders, nation states, etc. Example threat vectors include accidental misconfiguration, malicious vulnerability exploit, etc. Threats should be classified based on their ability to impact the confidentiality, integrity or availability of ������һ�� assets of business value (such as data stores or systems supporting critical processes). Threats should be inventoried and regularly reviewed for relevance. The Governance, Risk and Compliance team, with coordination from the ITS Security Services team, are responsible for maintaining an up-to-date threat inventory.

A threat event is when a threat has the potential to cause harm to an asset (i.e., a cyber criminal attempt to exploit a vulnerability). Controls in place may increase the organization’s resilience to various threats.

Threats should be classified according to the following:

(Return to top)

5. Standards and Procedures

Standards and procedures specific to this policy are to be documented and maintained by the individual affiliates throughout the ������һ�� system.

(Return to top)

6. Compliance

Compliance Measurement

The ������һ�� of Nebraska IT Security Services team will verify compliance to this Standard through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the Standard owner.

Exceptions

Any exception to the Standard must be documented and formally approved by the CISO. Standard exceptions must describe:

• The nature of the exception
• A reasonable explanation for why the Standard exception is required
• Any risks created by the Standard exception
• Risk mitigation plan and duration of the exception
• Evidence of approval following established Exception Standard

Non-Compliance

Failure to comply with ������һ�� IT standards may result in sanctions relating to the individual's use of IT resources or other appropriate sanctions according to policies applicable to ������һ�� faculty and staff or student conduct.

(Return to top)

7. Related Information

The following is a listing of related Policies, Executive Memoranda, Standards, Controls, and Procedures.

• NIST 800-53
• NIST 800-171
• NU Executive Memorandum 16
• NU Executive Memorandum 26
• NU Executive Memorandum 41
• NU Executive Memorandum 42
• ������һ��-Wide Policies & Guidelines - /offices-policies/policies
• ITS-00 Information Technology Definitions and Roles
• ITS Knowledge Base -  

(Return to top)

8. Approvals and Revision History

Approval of this Standard:

• Authored by: Richard Haugerud, IT CISO (08/08/2022)
• Approved by: Bret Blackman, IT CIO (08/08/2022)

Revision history of this Standard:

• Version 1.0 - 08/08/2022 - Initial Standard Published

(Return to top)