Northeastern University Security Assessment Standard
Related Policy: Northeastern University Information Security Policy
Responsible Office: Office of Information Security (OIS)
Purpose and Scope
Northeastern University is committed to securing its data and providing clear and concise guidance on protecting the many information technology (IT) systems we use. Given the widespread use and diversity of the types of IT systems employed within Northeastern University, it is paramount that a technology-agnostic set of standards is in place and uniformly applied across all IT systems.
This standard establishes the minimum security assessment criteria to carry out and meet the intent of the directives within Northeastern University’s Information Security Policy. This standard applies to all organizations (e.g., academic entities, entities other than Colleges and Departments, legally separate but wholly owned entities) of Northeastern University.
IT systems are considered in the scope of this standard if they utilize any of the following: Northeastern’s Network, ITS troubleshooting or administration, OIS incident response or investigation, or a Northeastern Microsoft account (e.g., @northeastern.edu).
Security Assessment Overview
This domain focuses on Security Assessment (CA). Security assessment involves the testing and/or evaluation of the security controls implemented for information technology (IT) systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. This domain also focuses on the continuous monitoring of security controls to maintain ongoing awareness of security vulnerabilities and threats to support organizational risk management decisions.
Roles and Responsibilities
The following high-level functional roles support the security assessment processes for IT systems. In some cases, there may be more than one functional role associated with a specific process or task; similarly, more than one person may perform some roles. The following describe the roles and responsibilities associated with security assessment within the Northeastern University environment.
Chief Information Security Officer (CISO): Individual responsible for the overall Northeastern University information security program.
System Administrator: An organization or individual responsible for setting up and maintaining an IT system, appliance, or specific IT system elements. This role revolves around hands-on management of the IT system and is usually more technical in nature than the System Owner. System Administrators are also responsible for implementing approved secure baseline configurations, incorporating secure configuration settings for IT products, and conducting or assisting with configuration monitoring activities as needed.
Depending on the size of the IT system, these responsibilities can be split across multiple skill-based domains listed below. These domains can be managed by separate teams across Northeastern University depending on the skills necessary to carry out the listed responsibilities.
- Infrastructure: manages any servers that are not aligned to a specific skill-based domain listed below.
- Network: manages all hardware and IT systems related to managing network communications.
- Security: manages all IT systems that ensure and confirm the security of the environment (e.g., Sentinel, Defender, Tenable, Azure, Intune, Windows Cloud PC).
- Desktop: manages the physical workstations and the software installed on them.
- Identity: manages IT systems that control identity-based access, like Entra ID.
System Owner: An individual or organization responsible for the development, procurement, integration, modification, operation, and maintenance, and/or final disposition of an IT system.
Security Assessor: The individual, group, or organization responsible for conducting a security control assessment at the direction of the System Owner.
Standard
This standard is scoped primarily around a subset of the National Institute of Standards and Technology (NIST) 800-171 controls to protect the confidentiality, integrity, and availability of information. The related NIST controls have been tagged (e.g., 3.12.1) in the text below to identify where each listed responsibility inherits its requirements from.
As the security assessment capability is matured over time, additional controls may be considered to augment confidentiality and address the availability and integrity of information. Additionally, when implementing the criterion of this document, organizations may choose to implement stricter criteria; however, the criterion cannot be lessened without formal exception by the Northeastern University Chief Information Security Officer (CISO) as described in the Compliance section of this standard.
System Security Plan
(3.12.4) The System Owner is responsible for developing a System Security Plan (SSP) for the relevant in-scope IT systems within the defined assessment boundary (e.g., Northeastern University environment). The SSP must contain sufficient information to describe the current security posture and must be updated and reviewed by the System Owner annually, or when changes are made which impact the security posture. Specifically, the SSP must contain the components identified in Table 1.
Table 1. SSP Components
SSP Component | Description |
---|---|
Assessment Boundary | Description of the assessment boundary within an organization |
System Boundary | High-level description of the components within the Northeastern University system boundary. Typically, the system boundary includes all components (e.g., network devices, servers, web applications, virtual machines) of a system supporting the processing, storing, and transmitting sensitive |
Operating Environment | Description of the physical (e.g., data center) and logical (e.g., cloud) environment in which the in-scope system processes, stores, and transmits data |
System Interconnections | Description of interconnected systems and/or networks which provide inputs to, or receive information from, the in-scope system including allowed interfaces (e.g., APIs) and network protocols (e.g., TLS) |
Roles and Responsibilities | Description of the roles and responsibilities for key personnel (e.g., system owner, data owner) supporting the in-scope system |
System Users | User types (e.g., end users, privileged users, administrators) that access and administer the in-scope system |
Approved Security Requirements | Security requirements (e.g., applicable laws) intended to be met by the in-scope system via security controls |
Security Control Implementation | Description of how the approved security requirements are implemented and the current status (e.g., In Place, Partially in Place) |
Security Control Assessment
(3.12.1) At the direction of the System Owner, the Security Assessor is responsible for assessing the security controls of the in-scope system annually, or when changes are made which impact the system’s security posture, to identify security control weaknesses.
(3.12.2) The Security Assessor is responsible for formally documenting any identified security control weaknesses and planned remediation actions in a Plan of Actions & Milestones (POA&M) document. The POA&M must be reviewed by the Security Assessor monthly to ensure all gaps are tracked for remediation. To allow for effective tracking of remediation actions, the POA&M must include the components identified in Table 2.
Table 2. POA&M Components
POA&M Component | Description |
---|---|
POA&M ID | A unique identifier used to reference the POA&M item |
Control Reference | The security control against which the security weakness was identified |
Weakness | Description of the security weakness identified against a security control |
Severity | A ranking (e.g., low, moderate, high) used to assist in prioritizing POA&M items |
Affected Component(s) | The component (e.g., application, database, server) where the weakness resides |
Corrective Action | Planned mitigations to close the security weakness |
Point of Contact | The individual responsible for addressing the POA&M item |
Milestone Date | Interim accomplishment milestone dates |
Planned Completion | Target date for POA&M item completion |
Status | State of POA&M item (e.g., open, in progress, closed) |
(3.12.3) The System Owner is responsible for ensuring the continued monitoring of the security controls of the in-scope system. Continuous monitoring activities may include both near-real-time (e.g., SIEM reports, firewall reports) and periodic (e.g., monthly, bi-annually) assessments (e.g., vulnerability assessments, penetration tests) of specific controls. The System Owner is also responsible for reviewing the relevant continuous monitoring outputs (e.g., security dashboard reports) to determine security control effectiveness. Any discovered security control deficiencies must be added to the POA&M by the System Owner for prioritization and remediation.
Definitions
The following definitions have been derived from industry standard definitions provided by the National Institute of Standards and Technology (NIST) Computer Security Resource Center Glossary and, where appropriate, tailored for Northeastern University’s IT environment.
Approved Security Requirements: System requirements that have security relevance and have been approved by the System Owner. System security requirements define the protection capabilities provided by the system, the performance and behavioral characteristics exhibited by the system, and the evidence used to determine that the system security requirements have been satisfied.
Assessment Boundary: The scope of (assessment objects included in) an organization’s implementation to which assessment of objects is applied. Typically, assessment boundary includes an entire network to its outside perimeter.
Continuous Monitoring: Maintaining ongoing awareness to support organizational risk decisions. See information security continuous monitoring, risk monitoring, and status monitoring.
Operating Environment: The physical surroundings in which an information system processes, stores, and transmits information.
Plan of Actions & Milestones (POA&M): A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.
Risk: The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Security Assessment: The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Security Control: A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.
Security Control Implementation: The current state (e.g., In Place, Partially In Place) of a security control prescribed for an information system or an organization.
Security Requirement: Requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.
System Boundary: All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected.
System Description: Explains the function or purpose of the system and related information processes.
System Environment: The unique technical and operating characteristics of an IT system and its associated environment, including the hardware, software, firmware, communications capability, organization, and physical location.
System Interconnection: The direct connection of two or more information systems for the purpose of sharing data and other information resources.
System Owner: Person or organization having responsibility for the development, procurement, integration, modification, operation, and maintenance, and/or final disposition of an information system.
System Security Plan (SSP): Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.
Compliance
This standard complies with the directives defined in the Northeastern University Information Security Policy. The university recognizes that on rare occasions there might be compelling reasons to consider allowing an organization to operate outside of the criterion defined in this standard, as derived from the Northeastern University Information Security Policy. To facilitate this consideration the System Owner must submit a petition for a risk-based policy exception in writing, including supporting rationale, and forward it to the Northeastern University CISO for review and approval. All approved risk-based policy exceptions must be formally documented by the Northeastern University CISO and indicate the exception duration (e.g., temporary, long-term). The Northeastern University CISO is responsible for disseminating and communicating all risk-based exception approvals and rescissions to the relevant stakeholders in a timely manner.
Change and Review Log
Date | Description | Version | Editor |
---|---|---|---|
01/13/2025 | Initial draft for Stakeholder Review | 0.1 | Kwaku Danquah |
1/24/2025 | Manager review before stakeholder review | 0.2 | Brad Wing |
9/3/2025 | Final draft approved by CISO | 1.0 | Brad Wing |
Appendix A. Security Assessment Standard Summary
The table below summarizes the minimum criteria for enabling security assessment capabilities within the Northeastern University IT system environment.
- The first column, “Northeastern University Practice ID”, identifies the related Northeastern University practice ID as defined in NIST SP 800-171.
- The second column, “Northeastern University Practice Statement”, includes the Northeastern University practices required to be met for that control.
- The third column, “Derived Requirement”, provides a description of the requirement derived from the high-level Northeastern University practice statement. Derived requirements were developed from analysis of the intent of the practice and the logical components required to satisfy the practice. In some instances, a Northeastern University practice statement may be derived into several requirements that must be addressed to satisfy the Northeastern University practice.
- The final column, “Northeastern University IT System Environment Criteria”, defines the minimum criteria (e.g., configurations, actions, responsibilities, practices) which the university will implement to satisfy the related Northeastern University practice.
Northeastern University Practice ID | Northeastern University Practice Statement | Derived Requirement | Northeastern University IT System Environment Criteria (NU Practice Implementation) |
---|---|---|---|
3.12.4 | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. | SSP: Development/Maintenance | The System Owner is responsible for: • Developing a System Security Plan (SSP) for the relevant in-scope IT systems within the defined assessment boundary (e.g., NU environment). • Ensuring the SSP contains sufficient information to describe the current security posture. • Updating and reviewing the SSP annually, or when changes are made which impact the security posture. |
| | | SSP: Assessment Boundary | Description of the assessment boundary within an organization. |
| | | SSP: System Boundary | High-level description of the components within the NU system boundary. Typically, the system boundary includes all components (e.g., network devices, servers, web applications, virtual machines) of a system supporting the processing, storing, and transmitting sensitive. |
| | | SSP: System Description | General business purpose and technical/functional description of the in-scope system. |
| | | SSP: Operating Environment | Description of the physical (e.g., data center) and logical (e.g., cloud) environment in which the in-scope system processes, stores, and transmits data. |
| | | SSP: System Interconnections | Description of interconnected systems and/or networks which provide inputs to, or receive information from, the in-scope system, including allowed interfaces (e.g., APIs) and network protocols (e.g., TLS). |
| | | SSP: Roles and Responsibilities | Description of the roles and responsibilities for key personnel (e.g., system owner, data owner) supporting the in-scope system. |
| | | SSP: System Users | User types (e.g., end users, privileged users, administrators) that access and administer the in-scope system. |
| | | SSP: Approved Security Requirements | Security requirements (e.g., applicable laws) intended to be met by the in-scope system via security controls. |
| | | SSP: Security Control Implementation | Description of how the approved security requirements are implemented and the current status (e.g., In Place, Partially in Place). |
3.12.1 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Security Control Assessment | At the direction of the System Owner, the Security Assessor is responsible for: • Assessing the security controls of the in-scope system annually, or when changes are made which impact the system’s security posture, to identify security control weaknesses. |
3.12.2 | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | POA&M: Development/Maintenance | The Security Assessor is responsible for: • Formally documenting any identified security control weaknesses and planned remediation actions in a Plan of Actions & Milestones (POA&M) document. • Reviewing the POA&M monthly to ensure all gaps are tracked for remediation. |
| | | POA&M: ID | A unique identifier used to reference the POA&M item. |
| | | POA&M: Control Reference | The security control against which the security weakness was identified. |
| | | POA&M: Weakness | Description of the security weakness identified against a security control. |
| | | POA&M: Severity | A ranking (e.g., low, moderate, high) used to assist in prioritizing POA&M items. |
| | | POA&M: Affected Component(s) | The component (e.g., application, database, server) where the weakness resides. |
| | | POA&M: Corrective Action | Planned mitigations to close the security weakness. |
| | | POA&M: Point of Contact | The individual responsible for addressing the POA&M item. |
| | | POA&M: Milestone Date | Interim accomplishment milestone dates. |
| | | POA&M: Planned Completion | Target date for POA&M item completion. |
| | | POA&M: Status | State of the POA&M item (e.g., open, in progress, closed). |
3.12.3 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Continuous Monitoring | The System Owner is responsible for: • Ensuring the continued monitoring of the security controls of the in-scope system. Continuous monitoring activities may include both near-real-time (e.g., SIEM reports, firewall reports) and periodic (e.g., monthly, bi-annually) assessments (e.g., vulnerability assessments, penetration tests) of specific controls. • Reviewing the relevant continuous monitoring outputs (e.g., security dashboard reports) to determine security control effectiveness. • Adding any discovered security control deficiencies to the POA&M for prioritization and remediation. |
Appendix B. Security Assessment References
The following references are common industry standards used to carry out the security assessment criteria defined within this standard.
- National Institute of Standards and Technology (NIST) Special Publication 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf
- NIST Special Publication 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf