Component Types

There are three types of assessable components in SPECTRIM (i.e. Application, Location, Network) that make up a Risk Assessable Unit (RAU). Each component is a separate record from its related assessment in SPECTRIM (see Image 1). Some components can be created in SPECTRIM without requiring an assessment. The three component assessments do have different question sets, but some of the questions are the same across the different assessments. The number of questions in an assessment is determined by the type of component and the NIST questionnaire type (e.g. low, moderate, high, etc.) as shown in Table 1. The NIST low questionnaire type is only required for FY 2018.

Image 1: SPECTRIM Components and Assessments

Table 1: Number of questions per NIST Questionnaire Type

| NIST Questionnaire Type | Application | Location | Network |
|-------------------------|-------------|----------|---------|
| Low                     | 42          | 35       | 38      |
| Moderate                | 60          | 51       | 57      |
| High                    | 100         | 101      | 107     |
| Detailed Low            | 148         | 101      | 137     |
| Detailed Moderate       | 220         | 171      | 220     |
| Detailed High           | 260         | 221      | 270     |

When an Assessment is Required

1. Application

Groupings of information resources (e.g. workstations, laptops, mobile devices, servers, NAS, SAN, hypervisors, software applications, etc.) that do not fall into either the Network or the Location components. The information resources within an Application should have a similar security profile.

Application Assessment – required for all IT-managed information resources, including resources fully or partially managed by an IT professional.

2. Location (Facilities)

A location can be a building and/or room within a building. If a data center happens to be in a building that is used for other purposes (e.g. Teague data center), then the data center and the building will be considered different locations in SPECTRIM.

Location Assessment – required for all rooms that house servers (e.g. server closet, server room, unit data center, etc.).

3. Network

Networking equipment and related resources (switches, routers, hubs, etc.) that make up a physical network.

If a unit manages a physical network separate from the College Station campus network, that unit must create a Network in SPECTRIM. For the majority of units at the College Station campus, simply linking to the campus network (TAMU Network-711-) in SPECTRIM is sufficient.

Network Assessment – required if a unit manages a physical network separate from the College Station campus network.

NOT required in the following situations if a unit:

    1. Only utilizes the College Station campus network (TAMU Network-711-) for public networking. The Division of IT assesses the College Station campus network.

    2. Manages address space (e.g. Infoblox, NIM, DHCP) on the College Station campus network.

    3. Runs patch cables between information resources and College Station campus networking equipment.

    4. Operates an independent physical or virtual (e.g. software networking, VLANs, etc.) network for private communication between information resources. These networks are to be considered part of an Application representing the information resources connected.