1. Description of Service
The Information Technology Division (ITD) provides Technical Risk Assessment services to agencies that wish to deploy applications, whether internal to MAGnet or internet-facing. The service uses NIST Special Publication 800-30, "Risk Management Guide for Information Technology Systems", as its primary reference framework. A written report is produced.
This report typically includes the following elements:
- Executive Summary
- Technical Architecture Description
- Threat & Vulnerability Identification
- Likelihood Determination
- Impact Analysis
- Risk Determination
- Additional Information
- Jurisdiction Statement
Support services include:
- A Service Account Manager to answer any questions or concerns regarding ITD Services.
- Services offered through our Operations Office, including Change Management and customer access to incident management via email or phone (CommonHelp)
- The online COMiT service management portal
2. Service Targets/Hours of Availability
Initial reviews will be completed within 15 business days. If a customer's submission is found to be non-compliant with Enterprise Policy, or is found to be insecure, additional time will be required. The amount of additional time depends on the complexity of the issue(s) identified and on the mitigations available.
The ITD Security Office will assist the customer in identifying viable mitigation strategies to achieve compliance.
Service availability hours are 8:30 am - 5:00 pm Monday through Friday, excluding holidays.
3. Service Reporting
The following reporting information is provided to customers as part of this service:
Report: Risk Assessment Report
Description: The breadth and depth of each report are specific to the assessment. A standard report normally includes the basic elements enumerated under "Description of Service".
Frequency: Ad hoc, specific to each Risk Assessment request.
4. Service Requests
Request: Conduct a Risk Assessment
Description: Request for assistance in assessing system risks relative to threats, vulnerabilities, controls, likelihood, and impacts.
Lead Time (Business Days)
*For new service requests only. To manage existing requests, please log into COMiT.
5. Customer Responsibilities
Customers and their business partners are expected to develop applications in conformance with Enterprise Policies and Standards, and to adhere to the stipulations of Executive Order 504 in their handling of sensitive data.
Customers also need to be familiar with the ramifications for them of MGL Chapter 93H (Security Breaches, which governs data breach notification) should a breach of their system(s) occur.
For your convenience, you may also view a detailed list of customer responsibilities.
6. Chargeback Rate Information
For more information on Chargeback, including an overview of the program as well as current and previous fiscal year rates, please visit our Chargeback Services webpage.
The costs pertaining to this service offering are currently funded out of Overhead. No additional detail is available for review.
Updated March 7, 2013
Published August 14, 2009
Created April 16, 2009: Information provided by the Security Office