Isaac End User Instructions

TAMU Rule 29.01.99.M1 Security of Electronic Information Resources requires all departments having ownership or custodial responsibility for electronic information systems to ensure that a security assessment report is "filed" (virtually) with the Office of the Associate Provost for Information Technology (via ITIM) on an annual basis. ISAAC-EU has been made available to help your department maintain compliance with this rule.

ISAAC-EU is a basic assessment designed for end users that have administrative rights to their desktop and/or laptop computers. The assessment is applicable for users with both managed (e.g., in a domain where security policies are enforced) and unmanaged (e.g., standalone) computers. It indicates compliance with basic security countermeasures (e.g., antivirus, security patches, password strength, and others) and provides the user a Remediation Level of HIGH, MEDIUM, LOW, or NONE, depending upon their answers and the security rating of the questions. Additional information regarding Social Security Number scanning and legal/regulatory requirements (e.g., software licensing) is gathered, but does not impact the compliance rating.

For instructions, click on the link below that will direct you to College Station's Isaac End User Instructions.

The link below will direct you to the Isaac End User Webpage:

Using ISAAC End User Edition

Prerequisites: Ensure you have scanned your PC with IdentityFinder prior to filling out this assessment, as the answers to some questions are directly related to IdentityFinder's results.

1. Connect to the following website and click on LOGIN: 

2. Enter your NetID and Password 

3. Click "Create Assessment" 

4. Enter the name of your Assessment; examples are shown below.
Enter how many devices are included in your assessment.
Enter a Description or location of the device being assessed.

5. Click "Answer Questions". 

Question 1: Have you identified all confidential information on your computer(s) or determined that there is no confidential information?

In order to answer this question you must either know of confidential information on your computer or have used IdentityFinder to scan for Social Security Numbers. Click on MORE for further details about this question.

Question 2: Is all confidential information on your computer(s) protected and available only to authorized users? (If you have determined that there is no confidential information on your computer, answer "N/A.")

Question 3: Do all the computer(s) in this assessment require users to have a unique UserID and password to log in (i.e., a username/password is required to use the system and there are no shared logins)?

Help: All of your computers should be password protected. If they are, answer YES.

Question 4: Do you use strong passwords on all accounts for your computer(s)?

Question 5: Do you change your passwords routinely, and no longer than every 90 days if mission critical or confidential information is present on your computer(s)?

Question 6: For your computers that are susceptible to computer viruses and other malware (e.g., Windows or Mac), do you or your IT Staff ensure that antimalware software (e.g., antispyware or antivirus software) is installed, updated frequently, configured to scan regularly, and allowed to run without interference? (Answer "N/A" if the computers being assessed run Linux or another unsusceptible operating system.)

Help: Ensure you have McAfee anti-virus on your computer. All users should have this University-supplied software.

Question 7: Do you or your IT Staff keep your computer(s) up-to-date by installing security-related patches and updates in a timely manner and allowing the installation to complete without interference?

Question 8: With regard to the disposal or transfer of computers and storage devices (e.g., flash drives or external hard drives) to other departments or Surplus Property, if it is possible that they contain confidential information, mission critical information, intellectual property, or licensed software, are those devices turned over to departmental IT Staff for proper sanitization or do you sanitize them via methods compliant with DIR guidelines? (Note: If you or your IT Staff destroys the drives instead of sanitizing them please answer "Yes.")

Help: CIS either removes and destroys the hard drive or wipes the hard drive using special software. You can answer YES to this question.

Question 9: Are security incidents reported to your departmental IT Staff or Department Head so that they may assess, investigate, document, and report?

Help: This question relates to computer security data breaches, such as the loss of a USB drive that has confidential information or the unauthorized access of a workstation.

Question 10: If you have Peer-to-Peer (P2P) software installed on your computer(s) is it configured to prevent or disallow automatic or unintended file sharing? If you do not have P2P software installed, answer "N/A."

Section 2: Social Security Number Questions - "My Desktop"

Questions in this section relate to using IdentityFinder to scan your devices for Social Security Numbers. Ensure you have scanned with IdentityFinder before answering this section.

What To Do If Social Security Numbers Are Found
If Identity Finder locates SSNs on your PC or external drives, you will need to evaluate why these SSNs are there and, if they are no longer necessary, delete them.

If you have a business reason for having the SSNs, you need to advise your Department Head and have them notify CIS of the reason so we can ask for an exemption.
Often, keeping the SSNs will mean utilizing an encryption program to secure the files containing SSNs.

Please contact CIS if you have any questions.

Question 1: Are all information resources in this assessment scanned on an annual basis for SSNs, where possible and feasible? If all information resources in this assessment are specialized systems that cannot be scanned and are not capable of storing SSNs, answer N/A.

Answer Yes if you have scanned your PC with Identity Finder.

Question 2: What is the date of the last SSN scan?

Enter the date you scanned with Identity Finder (approximate if you cannot remember the exact date).

Question 3: For SSNs that are being retained (other than your own and those of immediate family members) has permission been requested from the Office of the Vice President and Associate Provost for Information Technology? Note that this permission must be granted on an annual basis. See SSN Exception Requests for instructions. If no SSNs are being retained, answer N/A.

If no SSNs (other than yours or family members') are on your PC, answer N/A.

Question 4: For SSNs that are being retained, has permission been obtained from the Office of the Vice President and Associate Provost for Information Technology? If no SSNs are being retained, answer N/A.

If no SSNs (other than yours or family members') are on your PC, answer N/A.

Regulatory Questions - "My Desktop"

Question 1: If you install software on your computer(s), is all software properly licensed? If you never install software, answer "N/A."

6. Click on "Proceed to Review" 

7. Enter the text in RED as a form of electronic signature and click "Complete Assessment".

Thanks and see you next year!!