- My application received a Pass grade. Does this mean my application is certified for Protection Level 2 data?
- What if I cannot meet the remediation due dates presented to me in the final report?
- Based on my data, I have external regulatory requirements like PCI, HIPAA, or CPHS. Does an ASTP assessment cover me for those requirements?
- How often am I required to have an assessment against my application?
No. Information Security and Policy does not "certify" applications. A Pass or Fail grade is intended to indicate whether or not an application meets the campus minimum security requirements for application security at the time at which it was assesssed.
An application security assessment is intended to find the most critical and high risk vulnerabilities; however, the assessment process is often accelerated due to time and resource constraints meaning all vulnerabilities may not be discovered in a single assessment.
Remediation due dates are generated based on the risk and the breadth of the vulnerability. Due dates can be negotiated with the Information Security and Policy team at the time of disclosure. For example, some due dates may be changed for reasons like:
- Reliance upon a vendor to implement a fix for a discovered vulnerability
- Development time
- Retirement of a vulnerable portion of an application
Ultimately, it is the responsibility of the application owner to make or coordinate best efforts to remediate and/or adequately mitigate the risks in a timely fashion.
No. ASTP assessments only measure compliance with campus minimum application security requirements. Though, it should be noted that achieving compliance with campus standards will lay a lot of ground work for meeting PCI, HIPAA, CPHS, or other external standards. The campus Minimum Security Standards for Electronic Information (MSSEI) is based off the SANS Top 20 Critical Controls, so there is some overlap with external standards.
Currently, applications handling PL2 data should plan for an application security assessment once every two years. However, scheduling will depend on available resources and other factors such as how drastically an application has changed since the prior assessment.