Specifications include, but are not limited to:

Assessment Objectives

The objective of the assessment is to provide a comprehensive evaluation of the effectiveness of cybersecurity processes, policies, procedures, governance, and other relevant controls. This assessment should objectively measure the effectiveness of the information security and risk management programs in addressing institutional, state, and federal security and privacy compliance requirements.

• Provide management with an accurate assessment of the cybersecurity policies and procedures to measure operational effectiveness
• Identify security and privacy control concerns or issues that could affect the confidentiality, integrity, and/or availability of University data or services due to weaknesses in security controls
• Evaluate the effectiveness of response and recovery programs

Industry Standards and Frameworks

The assessment should support established, industry-standard assessment frameworks and guidelines. NKU uses a hybrid approach to security control selection. As of March 2020, NKU subscribes to relevant controls from:

• FERPA
• PCI-DSS 3.2.1
• GLBA, Safeguards Rule
• GDPR
• HIPAA
• NIST Cyber Security Framework 1.1
• CIS CSC 20 Security Controls
• NIST SP800-53r4
• NIST SP800-171r1
• NIST Risk Management Framework (RMF)

Assessment Report Content

The assessment should address and document the following requirements:

• A summary of the assessment and approach, denoting the industry standards or frameworks used
• Identify potential problems or shortcomings in the information security and risk policies, standards, governance, training, and other critical administrative controls
• Identify security and data privacy issues or weaknesses in information systems and/or their operating environment. This shall include the network and other key infrastructure
• Identify application security and privacy issues
• Identify third-party vendor / services hosting security and privacy issues
• Identify potential insider threats and risks
• Identify the ability to detect, prevent, and respond to intrusions, attacks, and other system or network issues
• Provide a mapping of findings to relevant industry standards where applicable (NIST CSF, FERPA, HIPAA, PCI-DSS, and GLBA standards)
• Provide prioritized business impact and risk findings with a list of observations/artifacts, gap analysis, recommendations, and remediations