Information Security Risk Management Policy

Policy Statement

The purpose of this policy is to establish the process – and define the major activities – for the timely identification, prioritization, analysis, and management of risks to MassArt’s information, Technology infrastructure, and services.

Assigned Roles

Role | Assigned Responsibilities
Information Security Officer (ISO)*
  • Promote awareness and monitor compliance with this policy.
  • Review this policy annually and ensure that it meets all regulatory obligations.
  • Oversee information security risk and compliance assessments.
  • Oversee vulnerability management, audit logging and monitoring, and third-party risk management activities.
Chief Information Officer (Deputy CIO)
  • Approve contracts with third parties who will access MassArt information, Technology services, or Technology assets.
Technology Staff
  • Approve contracts with third parties who will access MassArt information, Technology services, or Technology assets.
CIO’s Leadership team
  • Provide organizational inputs for risk assessment activities.

Rules, Responsibilities, and Prohibitions

Information Security Risk Assessment

The ISO will conduct an information security risk assessment in accordance with industry best practices and to ensure compliance with state or federal regulations, or industry requirements.** The assessment will consider MassArt asset criticality, known threats and vulnerabilities, adverse event impact and likelihood (using industry-standard data), and any other known factors that could affect the confidentiality, functionality, or integrity of MassArt Technology resources, information, services, and assets.

Regulatory Compliance Assessments

The ISO will conduct discrete regulatory compliance “gap assessments” to assess the organization’s compliance with MA CMR 201, and other relevant compliance obligations at the institution’s discretion, on a schedule and at a frequency in compliance with state and federal regulations, and industry requirements.

Vulnerability Detection and Remediation

The Deputy CIO will ensure that structured activities to detect and remediate vulnerabilities within the Technology resources and infrastructure are conducted on an ongoing basis. These activities will use reputable outside sources for security vulnerability information. Risk rankings will be assigned to vulnerabilities, either using the vendor-supplied rankings or a MassArt schema. Vulnerabilities will be remediated in a timely fashion appropriate to the vulnerability severity and the criticality of the affected asset or service. Vulnerability management activities include:

  • External Vulnerability Scanning: Public-facing MassArt systems and network ingress points will be scanned at least quarterly and after any major Technology infrastructure change. Quarterly external vulnerability scans will be run by an Approved Scanning Vendor (ASV) approved by the Payment Card Industry (PCI) Council for the cardholder data environment if credit card payments are processed, transmitted, or stored at MassArt. Rescanning is required following remediation of any non-compliant items identified during scans.
  • Internal Vulnerability Scanning: All internal systems, major applications, and major network components will be scanned at least quarterly and after any major Technology infrastructure change using an industry-standard tool. Rescanning is required following remediation of any non-compliant items identified during scans.
  • Penetration testing: External and internal penetration testing will be performed at least annually and also after any significant Technology infrastructure change. Penetration testing will include network-layer, system-layer, and application-layer penetration tests, use an industry-accepted methodology, and meet all applicable regulatory requirements for penetration testing, such as PCI.
  • Patching: Security patches will be applied in a timely fashion to all major Technology assets owned or managed by MassArt. Critical-severity security patches will be applied within seven (7) days and high-severity patches within thirty (30) days.

Audit Monitoring

The Director of Enterprise Applications and Integration and the Deputy CIO shall determine, based on risk, regulatory requirements, organizational needs, and in consultation with the ISO, the enterprise systems, services*** and infrastructure that require audit logging to be enabled. If a Security Information Event Monitor (SIEM) has been deployed in a production mode, then all critical Technology assets will send their security events to the SIEM in real time. Additionally, it will be determined (based on threat information available and ongoing risk assessment activities) which assets require continuous auditing and monitoring and which assets require periodic monitoring in response to specific threats or adverse events.

Third-party Risk Management

Third-party access to MassArt data must be approved in writing by the corresponding MassArt Data Custodian. Similarly, third-party access of Technology resources must be approved by the Director of Enterprise Applications and Integration or the Deputy CIO and be based on a formal contract approved by the CIO. The contract must contain all security requirements and assigned responsibilities to ensure that there is no misunderstanding between MassArt and the third party.

Related Policies and Procedures

Document Name | Publisher

Enforcement of Policy Violations

Failure to comply with this policy, intentionally or unintentionally, may result in one or more of the following: 

  • Termination, without notice, of access privileges to information and technology resources.
  • Disciplinary action, up to and including termination of employment.
  • Civil or criminal penalties as provided by law.

Review and Revision History

Date | Name and Title | Annual Review or Revision Summary
02-05-2021 | Bryce Cunningham, Information Security Officer | First draft
08-01-2023 | Patrick O'Connor, Chief Information Officer / Assistant Vice President, Technology | Final Draft Approved
01-29-2025 | Patrick O'Connor, Chief Information Officer / Assistant Vice President, Technology | Updated Branding, Reviewed

Policy Owner: Information Security Officer
Applicability: Assigned Roles
CIS Critical Security Controls (CSC):

  • CSC 4 - Continuous Vulnerability Assessment and Remediation
  • CSC 6 - Maintenance, Monitoring, and Analysis of Audit Logs

Approved by: Patrick O’Connor, Chief Information Officer / Assistant Vice President, Technology
Approved on: 08-01-2023

*As of 01-29-2025, ISO duties and responsibilities are currently being performed by the Deputy CIO.
**E.g., PCI-DSS compliance.
***In some instances, vendors delivering technology resources using any *-as-a-service model–e.g., software-as-a-service (SaaS), platform-as-a-service (PaaS), etc.–may conduct their own security assessments and monitoring provided it is consistent with industry best practices, and in compliance with state or federal regulations, or industry requirements.
