The Risk Management Project will be performed using the Clearwater IRM Analysis software. The software is cloud-based and may be accessed via a Web browser (Chrome is strongly recommended). Each student will have an assigned account and will be provided access information once the class has been registered with Clearwater by the instructor.
Each phase is designed to take you through the exact same tasks and using the exact same tools an individual conducting a risk management program for an organization would perform. The Clearwater software is currently the leading application for healthcare information risk management in the nation and as such you will find the software manual tailored for healthcare information systems. It is however equally suitable for non-healthcare organizations.
Begin by reading through these instructions, and the associated tutorials – available in D2L Content section. Review and/or complete this document before beginning the software component.
KSU’s Clearwater Compliance software login is at https://kennesaw.clwtr.com.
Before submitting, place your information in this document’s header and delete everything in italics. Save as PDF, renaming it using this format CYBR7300-FA23_yournetid_asset_tables.pdf, then upload to D2L with the reports indicated in the Tutorial Part 1 document. Make sure you list your top information asset from the weighted table at the end of this document, as a comment in D2L after you upload your reports, and before you click submit.
PART 1 –INFORMATION ASSET INVENTORY AND RANKING TABLES
Task: Begin with the provided list of information assets the case organization would have and associate them with their components. Complete Tables 1 and 2 in this document. Remove all instructions in italics. You will then use this information to add information assets to Clearwater IRM, complete the asset information form and then assign component groups for your information assets.
Then submit the reports as described in the CC|IRM tutorial Part 1. You will receive graded feedback on Part 1 before beginning Part 2.
TABLE 1 – LISTING OF INFORMATION ASSETS
Delete instructions before submitting.
Complete Table 1 below specifying any information assets appropriate to the case (add/remove rows as needed). You will also specify the component/media, asset owner, type of data, RTO, and RPO, of all provided information assets, based on assumptions you derive from the case document.
For the RM Project “an information asset is any application, database, or file store that stores critical data, that it is important to manage the risk for.” If an information asset is “unimportant” don’t waste your time with it. Technically, network packets could be considered information assets, but for now, focus exclusively on the critical applications and databases/file stores identified in the case organization for this project. This means that for the purposes of this project, only external databases/data stores/file stores and applications with internal data storage are considered information assets. Applications that interface with an external database and do not contain internal data will not be considered information assets, but components/media.
These values will be entered into CC|IRM later in the project. For component grouping: all databases are grouped individually on their own Server component, accessed by Internal Users, from their Desktops, and through their Applications. All databases, and applications with internal data are backed up daily, and all other applications are backed up weekly, to a Software-as-a-Service organization.
Component Group Options:
Components are the systems that “create, receive, store, transmit, or view” information assets. Essentially, they are containers or hardware that house and interact with information assets. For this project, use the following component types:
Application
Desktop
Server
Internal Users
Software-as-a-Service
Note: Since we’re using applications that interface with external databases and applications with internal databases, we won’t use databases as components.
These component types are first entered when adding assets to CC|IRM, then you will reorganize these into groups that match the actual implementation in the case organization.
For example:
Asset | Component/Media | Data Owner | Type of Sensitive Data | RTO Tier | RPO Tier |
1) HRMS SQL DB | Application, Desktop, Internal Users, Software-as-a-Service, Server (1A) | CFO | PII, CC | 2 | 3 |
2) Planning SQL DB | Application, Desktop, Internal Users, Software-as-a-Service, Server (1B) | CEO | CC | 3 | 2 |
(Note: I’ve just added numbers for the RTO and RPO for this example. You should put some thought into the values for your project. If you just list them all the same or they don’t make sense, it could cost you points on the project).
Data Owner: refer to the text for the definition of the data owner. While the CIO may be the data custodian for all data, they are most likely NOT the owner of non-IT data.
Type of Sensitive Data Options:
- Customer Confidential (CC) – any data retained by the organization that has been labeled as confidential – i.e. limited in its access, distribution and use. Examples include executive meeting records; marketing and strategic plans not yet released; details of communications with and services provided to select client organizations; and company IT and InfoSec program details.
- Electronic Patient Healthcare Information (ePHI) – any data retained by the organization that contains personal medical information, including that of employees and clients. Employee health coverage information in an HR file is not ePHI for our purposes – unless it includes details on the coverage such as the account number, primary care physician, etc. Most HR records would only contain the name of the coverage (e.g. Blue Cross/Blue Shield HMO), but not the medical history details.
- Payment Card Information (PCI) – any data retained by the organization that contains payment card information such as debit/credit card numbers with expiration dates, users’ names, security codes and/or billing information.
- Personally Identifiable Information (PII) – any data retained by the organization that contains personally identifiable information that could be used to identify an individual (or steal their identity) including names with social security numbers, driver’s license numbers, addresses, phone numbers, family members.
- Student Records (FERPA) – any data retained by the organization that contains academic information regarding an individual including names with student numbers, social security numbers, courses taken, grades assigned, academic integrity/misconduct issues, financial aid and/or other PII.
ePHI and FERPA are specialized versions of PII. If a data asset has no academic or medical content, just classify it as PII. If a component group contains multiple different classified data assets, list all that it contains.
RTO Tier Options:
“Recovery time objective (RTO) is the maximum desired length of time allowed between an unexpected failure or disaster and the resumption of normal operations and service levels. The RTO defines the point in time after a failure or disaster at which the consequences of the interruption become unacceptable” (CC|IRM Help Menu). Refer to the text pp. 509-10 for additional discussion of this topic. Keep in mind that the shorter the RTO, the more expensive the protection/backup options.
0 = 30 minutes
1 = 1 hour
2 = 8 hours
3 = 24 hours
4 = 2 days
5 = 1 week
RPO Tiers Options:
“A recovery point objective (RPO) is the maximum acceptable amount of data loss measured in time. It is the age of the files or data in backup storage required to resume normal operations if a computer system or network failure occurs.” (CC|IRM Help Menu). Refer to the text pp. 509-10 for additional discussion of this topic. Keep in mind that the smaller the RPO, the more expensive the protection/backup options.
0 = No data loss
1 = 4 hours data loss
2 = 8 hours data loss
3 = 1 day data loss
4 = 2 days data loss
5 = 1 week data loss
Asset | Component(s) | Data Owner | Type of Sensitive Data | RTO | RPO |
1) HRMS SQL DB | |||||
2) Planning SQL DB | |||||
3) | |||||
4) | |||||
5) | |||||
6) | |||||
7) | |||||
8) | |||||
9) | |||||
10) | |||||
11) | |||||
12) | |||||
13) | |||||
14) | |||||
15) | |||||
16) | |||||
17) | |||||
18) | |||||
19) | |||||
20) | |||||
(add rows if needed)
TABLE 2 – WEIGHTED RANKING OF INFORMATION ASSETS
Create a weighted table analysis, as described in the text, to rank all information assets from Table 1. To assist you in the calculations, you may use the Weighted Ranking of Information Assets spreadsheet provided in D2L.
- Identify 3-5 criteria you will use to evaluate the assets identified earlier and assign weights to the criteria. You can find examples for use as criteria in Chapter 6 of the text, under Assessing the Value of Information Assets. Note the weights must sum to 1.0 (as in 100%).
- Copy the complete list of assets from Table 1 into the first column of Table 2.
- Evaluate each information asset against your criteria by assigning a value of 1 to 5 (with 5 being critically important) under each asset criterion. Use the following scale in your assignments, to answer the question: “How important is this asset with regard to this criterion?”
1 – Not important
2 – Somewhat important
3 – Important
4 – Very important
5 – Critically important
- Perform the calculations to determine the totals. (each cell is multiplied by its criterion’s weight, then summed into the total column).
Note: sample criteria weights were added to the table to illustrate function (e.g., Crit 1; .20). Replace these values with your own criteria and weights.
- Use the following scale to convert the weighted table analysis “Total” values to Clearwater “Importance” scores. Use standard rounding (e.g., .5 and above rounded up) to select the corresponding Importance score:
1 – Not important
2 – Somewhat important
3 – Important
4 – Very important
5 – Critically important
Row 1 provides an example of a completed row. Replace this row’s values with your own before submitting.
- Finally, sort the entire table on the Total column. When you’re finished, your number one asset (first on the list) should be the one with the largest total, and thus the highest importance. Refer to the supplemental lecture on Weighted tables for additional instructions.
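The weighted-table procedure above, worked through in code. This is an added example, not part of the assignment or the Clearwater software: it checks that the criteria weights sum to 1.0, multiplies each 1-5 score by its criterion's weight, sums the row, converts the total to an Importance score with standard rounding (.5 rounds up, which Python's built-in round() does not do), and sorts assets by total. The five equal weights of .20, and every asset except the HRMS SQL DB example row, are constructed values.

```python
import math

# Importance scale from the assignment (1 = Not important ... 5 = Critically important).
IMPORTANCE_LABELS = {1: "Not important", 2: "Somewhat important", 3: "Important",
                     4: "Very important", 5: "Critically important"}


def round_half_up(x):
    """Standard rounding: .5 and above rounds up (Python's round() rounds .5 to even)."""
    return int(math.floor(x + 0.5))


def check_weights(weights):
    """Criteria weights must sum to 1.0 (100%); tolerate floating-point noise only."""
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"criteria weights sum to {total:.2f}, not 1.0")


def weighted_total(scores, weights):
    """Multiply each 1-5 score by its criterion's weight, then sum into the Total column."""
    total = 0.0
    for crit, weight in weights.items():
        score = scores[crit]
        if score not in range(1, 6):
            raise ValueError(f"score for {crit!r} must be 1-5, got {score}")
        total += score * weight
    return round(total, 2)


def rank_assets(assets, weights):
    """Return (asset, total, importance, label) rows sorted by total, largest first."""
    check_weights(weights)
    rows = []
    for name, scores in assets.items():
        total = weighted_total(scores, weights)
        importance = round_half_up(total)
        rows.append((name, total, importance, IMPORTANCE_LABELS[importance]))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample: equal weights of .20 (the page only states .20 for Crit 1); the
# HRMS SQL DB scores are the Table 2 example row, the other two assets are made up.
WEIGHTS = {"Crit 1": 0.20, "Crit 2": 0.20, "Crit 3": 0.20, "Crit 4": 0.20, "Crit 5": 0.20}
ASSETS = {
    "HRMS SQL DB": {"Crit 1": 3, "Crit 2": 3, "Crit 3": 5, "Crit 4": 2, "Crit 5": 3},
    "Planning SQL DB": {"Crit 1": 4, "Crit 2": 5, "Crit 3": 4, "Crit 4": 5, "Crit 5": 4},
    "Payroll file store": {"Crit 1": 2, "Crit 2": 3, "Crit 3": 2, "Crit 4": 3, "Crit 5": 2},
}

if __name__ == "__main__":
    for name, total, importance, label in rank_assets(ASSETS, WEIGHTS):
        print(f"{name:<20} {total:4.2f}  {importance} - {label}")
```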
Criteria → | Insert Crit 1 here | Insert Crit 2 here | Insert Crit 3 here | Insert Crit 4 here | Insert Crit 5 here | Weighted 1-5.0 | Importance (1-5; Not Important to Critically Important) |
Criteria Weight → / ↓ Asset Name | Insert Crit 1 weight here | Insert Crit 2 weight here | Insert Crit 3 weight here | Insert Crit 4 weight here | Insert Crit 5 weight here | | |
1) HRMS SQL DB | 3 | 3 | 5 | 2 | 3 | 3.2 | 3 – Important |
2) | |||||||
3) | |||||||
4) | |||||||
5) | |||||||
6) | |||||||
7) | |||||||
8) | |||||||
9) | |||||||
10) | |||||||
11) | |||||||
12) | |||||||
13) | |||||||
14) | |||||||
15) | |||||||
16) | |||||||
17) | |||||||
18) | |||||||
19) | |||||||
20) | |||||||
(add rows as needed)
Criteria Descriptions: List and describe your criteria used in Table 2 below. Then provide a detailed justification as to how and why you selected these criteria and their weights, using the following format:
Format: Criterion (e.g., Impact on Profitability) – this criterion is defined as _____, This criterion was selected because _____, A weight of ___ was selected for this criterion because _____.)
1.
2.
3.
4.
5.
At this point you should download and follow the instructions on the RM Project Tutorial Part 1, which will take you through the Clearwater Compliance | IRM portion of the assignment. The steps to be performed and deliverables for the overall assignment are listed in that document. This document, plus the Reports you will generate at the end of the tutorial, are your deliverables for the RM assignment Part 1. These reports will be uploaded to D2L and used for grading, regardless of the work you do in CC|IRM. Remember to delete all instructions in italics before submitting this document with your Part 1 reports.