Assignment 3 Asset Management
For this assignment, you will perform asset management using the Clearwater IRM Analysis software that is the leading application for healthcare information risk management in the nation. The software is cloud-based and can be accessed via a Web browser. This assignment will help you become familiar with the software and later you will use the software in your course project. Each student has an assigned account. Information needed to access Clearwater IRM Software:
Clearwater Compliance, LLC Software at: https://uwplatt.clwtr.com/
Username: your UW Extended Campus email address, e.g., abc@uwex.wisconsin.edu
Initial Password: abc@uwex.wisconsin.edu#
Begin by reading through these instructions. Review and/or complete the corresponding phase of this document before beginning the software component.
Follow the steps below to finish this assignment:
- Begin with reviewing the provided list of information assets in the attached document (BSSI-Case.pdf) the case organization would have and associate them with their media.
- Complete Tables 1 and 2 in this document.
- Add all information assets to Clearwater IRM Analysis Application (Under Asset Inventory List)
- Complete asset valuation screens in the Clearwater IRM Analysis application for your top information assets as defined in the template tables. In a real-world project, accurate asset valuation requires more data than the case study provides. For this task, focus on assigning importance and determining RTO and/or RPO for assets based on your assumptions and interpretation of their criticality to the owner.
- Ensure your asset descriptions are a minimum of 25 words in length.
- Create component groups for all shared or dedicated components (media) associated with your information assets.
PART 1 –INFORMATION ASSET IDENTIFICATION
Instructions for Table 1. Delete before submitting.
Complete Table 1 below specifying any information assets appropriate to the case not provided (add/remove rows as needed), the component/media, owner, type of data, RTO, and RPO, of all provided information assets, based on assumptions you derive from the case document.
These values will be entered into Clearwater IRM later in this assignment. Remember, each application should be paired with its data on its own server. All data is backed to a NAS (External storage) daily, and all data and applications are backed to the cloud (Software-as-a-Service) weekly. Both NAS cross-backup daily as well (NAS 1 backs up to NAS 2 and vice versa). All employees access all information assets through their desktops. Use the following options for the corresponding column’s values:
Component Group Options:
Components (a.k.a. Media) are the devices that “create, receive, store, transmit or view” information assets. Essentially, it’s the hardware that houses software and data. Before the current update for CC|IRM, these devices were referred to as media. For this assignment, use the following components:
Servers
External Storage (NAS1 and NAS2)
Desktops
Software-as-a-Service
Security and Governance
These component types need to be selected when adding assets to Clearwater IRM, then you will reorganize these into groups that match the actual implementation in the case organization. For example: presume that the Human Resources Information Systems SERVER (Server A) contains a specialized HR application (referred to as HRIS), and a database of employee data. This application and its data are accessed by employees on DESKTOPS, with the database backed up to the EXTERNAL STORAGE (NAS1) on a daily basis, with both the HRIS and the database backed up to the SOFTWARE-AS-A-SERVICE (the cloud backup) on a weekly basis. Periodically, the organization’s InfoSec and Executive Management teams review the application and its database as part of their SECURITY AND GOVERNANCEduties. See where the Component Groups come into play with the two information assets (the HRIS and the Employee DB)? So, under this example, the HRIS entries for Table 1 would be:
|
Asset |
Component/ |
Data Owner |
Type of |
RTO |
RPO |
|
1) HRIS |
Desktop |
HR Manager |
PII |
3 |
3 |
|
2) HRIS (Employee) DB |
Desktop |
HR Manager |
PII |
3 |
3 |
(Note: I’ve just added numbers for the RTO and RPO. You should put some thought into the values for your submission. If you just list them all the same or they don’t make sense, it could cost you points on the assignment).
Data Owner: Some examples of Data Owners include the Registrar and student data; the Treasurer and financial data; the VP of Human Resources and employee data. In most cases, the Data Custodian is not the Data Owner. A system administrator or Data Custodian is a person who has technical control over an information asset dataset. While the CIO may be the data custodian, he/she is most likely NOT the owner of non-IT data.
Type of Sensitive Data Options:
· Electronic Patient Healthcare Information (ePHI) – any data retained by the organization that contains personal medical information, including that of employees and clients. Employee health coverage information in an HR file is not ePHI for our purposes – unless it included details on the coverage such as the account number, primary care physician, etc. Most HR records would only contain the name of the coverage (e.g. Blue Cross/Blue Shield HMO), but not the details.
· Payment Card Information (PCI) – any data retained by the organization that contains payment card information such as debit/credit card numbers with expiration dates, users’ names, security codes and/or billing information.
· Personally Identifiable Information (PII) – any data retained by the organization that contains personally identifiable information that could be used to identify an individual (or steal their identity) including names with social security numbers, driver’s license numbers, addresses, phone numbers, family members.
· Customer Confidential (Conf) – any data retained by the organization that has been labeled as confidential – i.e. limited in its access, distribution and use. Examples include executive meeting records; marketing and strategic plans not yet released; details of communications with and services provided to select client organizations; and company IT and InfoSec program details.
· Student Records (FERPA) – any data retained by the organization that contains academic information regarding an individual including names with student numbers, social security numbers, courses taken, grades assigned, academic integrity/misconduct issues, financial aid and/or other PII.
For our purposes, ePHI and FERPA are considered specialized versions of PII. If a data asset has no academic or medical content, just classify it as PII. If a component group contains multiple different classified data assets, list all that it contains.
RTO Tiers Options:
“Recovery time objective (RTO) is the maximum desired length of time allowed between an unexpected failure or disaster and the resumption of normal operations and service levels. The RTO defines the point in time after a failure or disaster at which the consequences of the interruption become unacceptable.” (Clearwater IRM Help Menu).
Tier 0 = 30 minutes
Tier 1 = 1 hour
Tier 2 = 8 hours
Tier 3= 24 hours
Tier 4= 2 days
Tier 5= 1 week
RPO Tiers Options:
“A recovery point objective (RPO) is the maximum acceptable amount of data loss measured in time. It is the age of the files or data in backup storage required to resume normal operations if a computer system or network failure occurs.” (Clearwater IRM Help Menu).
Tier 0 = No data loss
Tier 1 = 4 hour data loss
Tier 2 = 8 hour data loss
Tier 3= 1 day data loss
Tier 4= 2 days data loss
Tier 5= 1 week data loss
A few assets have been added to the table to help you get started. You will need to identify the rest on your own. Add rows as needed.
Table 1: Listing of Information Assets for Case Organization
|
Asset |
Component/ |
Data Owner |
Type of Sensitive Data |
RTO |
RPO |
|
1) |
Desktop |
CIO |
|
|
|
|
2) |
Desktop |
CIO |
|
|
|
|
3) |
Desktop |
CIO |
|
|
|
|
4) |
Desktop |
CIO |
|
|
|
|
5) |
|
|
|
|
|
|
6) |
|
|
|
|
|
|
7) |
|
|
|
|
|
|
8) |
|
|
|
|
|
|
9) |
|
|
|
|
|
|
10) |
|
|
|
|
|
|
11) |
|
|
|
|
|
|
12) |
|
|
|
|
|
|
13) |
|
|
|
|
|
|
14) |
|
|
|
|
|
|
15) |
|
|
|
|
|
|
16) |
|
|
|
|
|
|
17) |
|
|
|
|
|
|
18) |
|
|
|
|
|
|
19) |
|
|
|
|
|
|
20) |
|
|
|
|
|
|
21) |
|
|
|
|
|
|
22) |
|
|
|
|
|
|
23) |
|
|
|
|
|
|
24) |
|
|
|
|
|
|
25) |
|
|
|
|
|
|
26) |
|
|
|
|
|
|
27) |
|
|
|
|
|
|
28) |
|
|
|
|
|
|
29) |
|
|
|
|
|
|
30) |
|
|
|
|
|
|
31) |
|
|
|
|
|
|
32) |
|
|
|
|
|
|
33) |
|
|
|
|
|
|
34) |
|
|
|
|
|
|
35) |
|
|
|
|
|
PART 2 –INFORMATION ASSET VALUATION
When it comes to valuing IT information assets, people may use various criteria based on their specific needs and goals. However, some common criteria used for valuing IT information assets are as follows, categorized into tangible and intangible groups. Tangible values are those that can be physically quantified and measured. Intangible values, on the other hand, are those that cannot be physically quantified and measured.
Tangible values:
Market value: The market value of an IT information asset is the price at which it can be bought or sold on the market. This value is determined by supply and demand, and it can vary depending on factors such as age, condition, and demand.
Replacement cost: The replacement cost of an IT information asset is the amount of money it would cost to replace the asset with a similar one. This value is typically based on the asset’s current market value, adjusted for depreciation and other factors.
Intangible values:
Profitability: The profitability value of an IT information asset is based on the amount of revenue or cost savings it generates for the organization. Assets that contribute to revenue growth or cost savings are considered more valuable.
Strategic value: The strategic value of an IT information asset is based on its importance to the organization’s strategic goals and objectives. Assets that are critical to achieving the organization’s goals and objectives are considered more valuable.
Competitive advantage: The competitive advantage value of an IT information asset is based on its ability to give the organization a competitive edge in the market. Assets that provide the organization with a competitive advantage are considered more valuable.
Intellectual property: The intellectual property value of an IT information asset is based on its potential for patent protection or copyright. Assets that have significant intellectual property value are considered more valuable.
Brand recognition: The brand recognition value of an IT information asset is based on its ability to enhance the organization’s brand and reputation. Assets that enhance the organization’s brand and reputation are considered more valuable.
Security: The security value of an IT information asset is based on its ability to protect the organization’s sensitive data and intellectual property. Assets that have robust security features are considered more valuable.
Sustainability: The sustainability value of an IT information asset is based on its ability to support the organization’s environmental and social sustainability goals. Assets that have a low environmental impact and promote social responsibility are considered more valuable.
Instructions for Table 2. Delete before submitting.
Create a weighted table analysis to rank all information assets from Table 1. To assist you in the calculations, you may use the Weighted Ranking of Information Assets spreadsheet provided.
1. Identify 5 criteria from the provided list of frequently used criteria for asset valuation you will use to evaluate the assets identified earlier and assign weights to the criteria. Note the weights must sum to 1.0 (as in 100%).
2. Copy the complete list of assets from Table 1 into the first column of Table 2.
3. Evaluate each information asset against your criteria by assigning a value of 0 to 5 (with 5 being most critical) under each asset criterion. Use the following scale in your assignments, to answer the question: “How important is this asset with regard to this criterion?”
a. 5 – Critically important
b. 4 – Very important
c. 3 – Important
d. 2 – Somewhat important
e. 1 – A little important
f. 0 – Not important
4. Perform the calculations to determine the totals. (Each cell is multiplied by its criterion’s weight, then all products are summed into the total column).
Note: sample criteria weights were added to the table to illustrate function (e.g., Crit 1; .20). Replace these values with your own criteria and weights.
5. Use the following scale to convert the weighted table analysis “Total” values to Clearwater “Importance” scores. Use standard rounding (e.g. .5 and above rounded up) to select the corresponding Importance score:
a. 5 – Critically important
b. 4 – Very important
c. 3 – Important
d. 2 – Somewhat important
e. 1 – A little important
f. 0 – Not important
Row 1 provides an example of a completed row. Replace this row’s values with your own before submitting.
6. Finally sort the entire table on the Total column. When you’re finished, your number one asset (first on the list) should be the one with the largest total, and thus the highest importance.
Table 2: Weighted Ranking of Information Assets
|
Criteria è
|
Insert here |
Insert here |
Insert here |
Insert here |
Insert here |
Total 0-5.0 |
Importance (0-5; Not Important to Critically Important) |
|
Criteria Weightè êAsset Name |
Insert Crit 1 weight here |
Insert Crit 2 weight here |
Insert Crit 3 weight here |
Insert Crit 4 weight here |
Insert Crit 5 weight here |
|
|
|
1) AD/DNS Services |
3 |
3 |
4 |
2 |
3 |
3.00 |
3 – Important |
|
2) DNS DB |
|
|
|
|
|
|
|
|
3) AD SQL DB |
|
|
|
|
|
|
|
|
4) Exchange email app. |
|
|
|
|
|
|
|
|
5) Email DB |
|
|
|
|
|
|
|
|
6) NAS1 app. |
|
|
|
|
|
|
|
|
7) NAS1 Data |
|
|
|
|
|
|
|
|
8) NAS2 app. |
|
|
|
|
|
|
|
|
9) NAS2 Data |
|
|
|
|
|
|
|
|
10) |
|
|
|
|
|
|
|
|
11) |
|
|
|
|
|
|
|
|
12) |
|
|
|
|
|
|
|
|
13) |
|
|
|
|
|
|
|
|
14) |
|
|
|
|
|
|
|
|
15) |
|
|
|
|
|
|
|
|
16) |
|
|
|
|
|
|
|
|
17) |
|
|
|
|
|
|
|
|
18) |
|
|
|
|
|
|
|
|
19) |
|
|
|
|
|
|
|
|
20) |
|
|
|
|
|
|
|
|
21) |
|
|
|
|
|
|
|
|
22) |
|
|
|
|
|
|
|
|
23) |
|
|
|
|
|
|
|
|
24) |
|
|
|
|
|
|
|
|
25) |
|
|
|
|
|
|
|
|
26) |
|
|
|
|
|
|
|
|
27) |
|
|
|
|
|
|
|
|
28) |
|
|
|
|
|
|
|
|
29) |
|
|
|
|
|
|
|
|
30) |
|
|
|
|
|
|
|
|
31) |
|
|
|
|
|
|
|
|
32) |
|
|
|
|
|
|
|
|
33) |
|
|
|
|
|
|
|
|
34) |
|
|
|
|
|
|
|
|
35) |
|
|
|
|
|
|
|
Criteria Descriptions: List and describe your criteria used in Table 2 below. Then provide a detailedjustification as to how and why you selected these criteria and their weights.
Format: Criterion (e.g. Profitability) – this criterion is defined as _____, This criterion was selected because _____, A weight of ___ was selected for this criterion because _____.
1.
2.
3.
4.
5.