Component Types

There are three types of assessable components in SPECTRIM (Application, Location, and Network) that make up a Risk Assessable Unit (RAU). Each component is a separate record from its related assessment in SPECTRIM (see Image 1). Some components can be created in SPECTRIM without requiring an assessment. The three component assessments have different question sets, although some questions are shared across them. The number of questions in an assessment is determined by the type of component and the NIST questionnaire type (low, moderate, high, and their detailed variants), as shown in Table 1. The NIST low questionnaire type is only required for FY 2017.

Image 1: SPECTRIM Components and Assessments


Table 1: Number of questions per NIST Questionnaire Type

NIST Questionnaire Type   Application   Location   Network
Low                                42         35        38
Moderate                           60         51        57
High                              100        101       107
Detailed Low                      148        101       137
Detailed Moderate                 220        171       220
Detailed High                     260        221       270

When an Assessment is Required

1. Application

Groupings of information resources (e.g. workstations, laptops, mobile devices, servers, NAS, SAN, hypervisors, software applications, etc.) that do not fall into either the Network or the Location components. The information resources within an Application should have a similar security profile.

Application Assessment – required for all unit-managed information resources.

2. Location (Facilities)

Locations are buildings and data centers. If a data center is located in a building that is used for other purposes (e.g. the Teague data center), then the data center and the building are considered different locations in SPECTRIM. By definition, data centers have redundant power feeds, an independently controlled environment, and a fire suppression system.

Location Assessment – required only for Locations designated as data centers that a unit maintains.

3. Network

Networking equipment and related resources (switches, routers, hubs, etc.) that make up a physical network.

If a unit manages a physical network separate from the College Station campus network, that unit must create a Network in SPECTRIM. For the majority of units at the College Station campus, simply linking to the campus network (TAMU Network-711-) in SPECTRIM is sufficient.

Network Assessment – required if a unit manages a physical network separate from the College Station campus network.

A Network Assessment is NOT required in the following situations, i.e. if a unit:

    1. Only utilizes the College Station campus network (TAMU Network-711-) for public networking. Texas A&M IT assesses the College Station campus network.

    2. Manages address space (e.g. Infoblox, NIM, DHCP) on the College Station campus network.

    3. Runs patch cables between information resources and College Station campus networking equipment.

    4. Operates an independent physical or virtual (e.g. software networking, VLANs, etc.) network for private communication between information resources. These networks are to be considered part of an Application representing the information resources connected.