OSP Data Center/Server Room (Room 127)

Two full-height (42U), floor-standing racks inside the center currently each hold a 3000VA UPS and 6-8 rackmount servers (described below), plus switches for the 1GbE Cat6-backbone network and several shelves of routers, wireless controllers, spare drives and so on. The room is independently climate controlled and on its own 9000VA UPS that also powers half a dozen office systems and switches around the floor in case of a power outage.

Current server applications installed and running as infrastructure:

Unless otherwise specified, all servers are Dell PowerEdge R6xx rack-mounted servers.

Rack 1:

Windows 2012 Server A - Active Directory Service and AD SQL DB

Windows 2012 Server B - Primary Domain Name Service and DNS SQL DB

Windows 2012 Server C - Exchange 2013 email server and Email DB

Windows 2012 Server D - Traverse Accounting Software and Accounting SQL DB

Windows 2012 Server E - Traverse Distribution Software and Distribution SQL DB

Windows 2012 Server F - Traverse ERP Software and ERP SQL DB

Dell Storage NX 3xxx 1 - Network Attached Storage (NAS) #1 - Runs Windows 2012 R2 - multi-terabyte data backup capability for Rack 1 servers' databases. In CC|IRM this is referred to as a "Disk Array".

Dell Switch A

APC UPS A


Rack 2:

Windows 2012 Server G - Office 365 Server and Office DB (contains Office 365 files and images) - web-based office productivity software used on employee systems.

Windows 2012 Server H - Internet Information Server #1 for Intranet support - stores own web and document data. Used for internal forums, wikis and policy document management.

Windows 2012 Server I - Optimum HRIS and HRIS DB

Windows 2012 Server K - Internet Information Server #2 used with Forefront TMG and IIS-FTMGDB - used to provide web filtering and proxy services - has own Intranet DB.

Windows 2012 Server K - SupportIT and SIT DB - used by IT department to manage systems configuration, updates, and helpdesk tickets.

Dell Storage NX 3xxx 2 - Network Attached Storage (NAS) #2 - Runs Windows 2012 R2 - multi-terabyte data backup capability used as an onsite daily backup for all Rack 2 servers' databases. In CC|IRM this is referred to as a "Disk Array".

Dell Switch B

APC UPS B

All Servers (including both NAS) are backed up weekly to a Cloud-based backup service (iDrive.com, which provides a deep educational discount). In CC|IRM this is referred to as "Software-as-a-Service".

All data and databases in Rack 1 are backed up daily to NAS#1.

All data and databases in Rack 2 are backed up daily to NAS#2. All systems are backed up weekly to the online backup service (SaaS).

Traverse Accounting Software provides the following applications:

General Ledger

Accounts Payable

Accounts Receivable

Payroll (Employee Distributions)

Banking

Bank Reconciliation

Fixed Assets

Traverse Distribution Software provides the following applications:

Inventory

Bill of Materials/Kitting

Purchase Order

Sales Order

Warehouse Management

Requirements Planning

Traverse ERP Software provides the following applications:

Web Portals (Ecommerce site)

Customer Relationship Management

Optimum HRIS provides the following applications:

Payroll Management (exports to Traverse for Payroll processing)

Human Resources

Time & Attendance (exports to Traverse for Payroll processing)

Currently, JOSP does not have any formal information security policies, plans or staff.
The Risk Management Project will be performed using the Clearwater IRM Analysis software. The software is cloud-based and may be accessed via a Web browser (Chrome is recommended). Each student will have an assigned account and will be provided access information once the students have been registered with Clearwater by the instructor. 

 

Each phase is designed to take you through the exact same tasks an individual conducting a risk management program for an organization would perform, using the exact same tools that are currently available. The Clearwater software is currently the leading application for healthcare information risk management in the nation and as such you will find the software manual tailored for healthcare information systems. 

 

Begin by reading through these instructions, and the associated tutorial - available in D2L Content section. Review and/or complete the corresponding phase of this document before beginning the software component.

 

Clearwater Compliance, LLC Software (https://software.clearwatercompliance.com)

 

Be sure to place your personal information in this document header and delete everything in italics. Save as PDF, renaming it (e.g. CYBR3300-gbatra_asset_tables.pdf) before submitting.

PART 1 - INFORMATION ASSET INVENTORY AND RANKING TABLES

  1. Begin with the provided list of information assets the case organization would have and associate them with their components.
  2. Complete Tables 1 and 2 in this document. 
  3. Remove all instructions in italics.
  4. You will then use this information to add information assets to Clearwater IRM, complete the asset information form and then assign component groups for your information assets. 

Then proceed to Part 2 as described in the CC|IRM tutorial (both are completed/uploaded together, as one submission).

TABLE 1 - LISTING OF INFORMATION ASSETS

Instructions for Table 1. Delete before submitting.

Complete Table 1 below specifying any information assets appropriate to the case not provided (add/remove rows as needed), the component/media, owner, type of data, RTO, and RPO, of all provided information assets, based on assumptions you derive from the case document.

An information asset is any application, database, or file store that creates, stores, transmits or receives critical data and whose risk it is important to manage. If an information asset is "unimportant" we typically won't waste our time with it. Technically, network packets could be considered information assets, but we're going to focus exclusively on the critical applications and databases/file stores identified in the case organization for this project.

These values will be entered into CC|IRM later in the project. For this project, all of the assets except for the NAS' Data and the Office File Share are considered Applications with internal data. All information assets are stored on Servers and accessed by users from their Desktops. Some of the applications are considered File-Shares. All applications are backed up to their rack's NAS (External Storage) daily. Each NAS backs up its application internally, and then its data to another NAS. Each NAS also backs up its data to the Cloud Backup Service Provider (Software-as-a-Service) weekly as a single encrypted file.

 

Component Group Options: 

Components are the systems that "create, receive, store, transmit or view" information assets. Essentially, they are the containers or hardware that house and interact with information assets. For this project, use the following component types:

Applications

Desktops

Servers

External Storage (NAS)

File Share

Software-as-a-Service

Note: Since we're using applications with internal databases, rather than applications that interface with external databases, we won't use "databases" as components. Since our application/information assets interact with other applications and each other, we include "applications" as components as well.

 

These component types are first entered when adding assets to CC|IRM, then you will reorganize these into groups that match the actual implementation in the case organization. 

For example:

Asset: 1. Active Directory Service
  Component/Media: Application, Desktop, External Storage, Server (T)
  Data Owner: CIO
  Type of Sensitive Data: Customer Confidential
  RTO Tier: 1
  RPO Tier: 1

Asset: 2. NAS#1 Data
  Component/Media: Application, Desktop, External Storage, Server (I), SaaS
  Data Owner: CIO
  Type of Sensitive Data: Customer Confidential
  RTO Tier: 2
  RPO Tier: 2

 

(Note: I've just added numbers for the RTO and RPO. You should put some thought into the values for your project. If you just list them all the same or they don't make sense, it could cost you points on the project).

 

Data Owner: refer to the text for the definition of the data owner.  While the CIO may be the data custodian for all data, they are most likely NOT the owner of non-IT data.

 


 

 

Type of Sensitive Data Options:

  • Customer Confidential (Conf) - any data retained by the organization that has been labeled as confidential - i.e. limited in its access, distribution and use.  Examples include executive meeting records; marketing and strategic plans not yet released; details of communications with and services provided to select client organizations; and company IT and InfoSec program details.
  • Electronic Patient Healthcare Information (ePHI) - any data retained by the organization that contains personal medical information, including that of employees and clients. Employee health coverage information in an HR file is not ePHI for our purposes - unless it included details on the coverage such as the account number, primary care physician, etc. Most HR records would only contain the name of the coverage (e.g. Blue Cross/Blue Shield HMO), but not the details.
  • Payment Card Information (PCI) - any data retained by the organization that contains payment card information such as debit/credit card numbers with expiration dates, users' names, security codes and/or billing information. 
  • Personally Identifiable Information (PII) - any data retained by the organization that contains personally identifiable information that could be used to identify an individual (or steal their identity) including names with social security numbers, driver's license numbers, addresses, phone numbers, family members.
  • Student Records (FERPA) - any data retained by the organization that contains academic information regarding an individual including names with student numbers, social security numbers, courses taken, grades assigned, academic integrity/misconduct issues, financial aid and/or other PII.


ePHI and FERPA are specialized versions of PII. If a data asset has no academic or medical content, just classify it as PII.  If a component group contains multiple different classified data assets, list all that it contains. 

RTO Tiers Options:

"Recovery time objective (RTO) is the maximum desired length of time allowed between an unexpected failure or disaster and the resumption of normal operations and service levels. The RTO defines the point in time after a failure or disaster at which the consequences of the interruption become unacceptable." (CC|IRM Help Menu).  Refer to the text pp. 509-10 for additional discussion of this topic.

0 = less than 1 hour

1 = 1 - 2 hours

2 = 3 - 6 hours

3 = 6 - 24 hours

4 = 1 - 3 days

5 = 3 - 5 days

RPO Tiers Options:

"A recovery point objective (RPO) is the maximum acceptable amount of data loss measured in time. It is the age of the files or data in backup storage required to resume normal operations if a computer system or network failure occurs." (CC|IRM Help Menu). Refer to the text pp. 509-10 for additional discussion of this topic.

0 = less than 1 hour

1 = 1 - 2 hours

2 = 3 - 6 hours

3 = 6 - 24 hours

4 = 1 - 3 days

5 = 3 - 5 days
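As an added example (not part of the assignment or of CC|IRM), the following Python checks the RPO tier chosen for an asset against the backup cadence the case describes (daily to the rack NAS, weekly to the cloud), using the tier boundaries listed above. The asset names, tier values and the 24-hour and 168-hour intervals are constructed from the case text and the instructor's sample table.

```python
"""Check chosen RPO tiers against the backup schedule that actually has to meet them.

Added example, not part of the assignment or CC|IRM. Tier boundaries come from the
RTO/RPO tier tables; asset rows are constructed from the case description.
"""
from dataclasses import dataclass
from typing import Optional

# Upper bound of each tier in hours. Tier 0 is "less than 1 hour";
# tiers 1-5 end at 2 h, 6 h, 24 h, 3 days (72 h) and 5 days (120 h).
TIER_UPPER_BOUND_HOURS = (1, 2, 6, 24, 72, 120)

def tier_for_hours(hours: float) -> Optional[int]:
    """Map a duration to its 0-5 tier; None when it is longer than tier 5 allows."""
    for tier, upper in enumerate(TIER_UPPER_BOUND_HOURS):
        if (hours < upper) if tier == 0 else (hours <= upper):
            return tier
    return None

@dataclass
class Asset:
    name: str
    rpo_tier: int               # tier the analyst wrote in the inventory table
    backup_interval_hours: int  # how often the asset's data is actually copied

def check_rpo(asset: Asset) -> Optional[str]:
    """Return a finding when the chosen RPO tier is stricter than the backups support.

    Worst-case data loss equals the time since the last backup, so the backup
    interval sets the best RPO tier an asset can honestly claim.
    """
    achievable = tier_for_hours(asset.backup_interval_hours)
    if achievable is None or asset.rpo_tier < achievable:
        best = ">5" if achievable is None else str(achievable)
        return (f"{asset.name}: RPO tier {asset.rpo_tier} cannot be met; backups every "
                f"{asset.backup_interval_hours} h support tier {best} at best")
    return None

# Constructed sample rows: tier values copy the instructor's example table,
# intervals follow the case (daily NAS backup, weekly cloud backup).
SAMPLE_ASSETS = [
    Asset("Active Directory Service", rpo_tier=1, backup_interval_hours=24),
    Asset("NAS#1 Data (cloud copy)", rpo_tier=2, backup_interval_hours=168),
    Asset("Traverse Accounting", rpo_tier=3, backup_interval_hours=24),
]

def findings(assets=SAMPLE_ASSETS) -> list:
    """Collect every inconsistent row; an empty list means all RPO tiers are supportable."""
    return [f for f in map(check_rpo, assets) if f is not None]

if __name__ == "__main__":
    for line in findings():
        print(line)
```

Running it flags the first two sample rows, which is the kind of mismatch the note about "values that don't make sense" refers to.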


A few Assets have been added to the table to help you get started. You will need to identify the rest on your own. Add rows as needed.

Asset | Component | Data Owner | Type of Sensitive Data | RTO | RPO

1. HRIS | | | | |

2. PAYROLL | | | | |

3. NAS#1 BARS | | | | |

4. NAS#1 Data | | | | |

(add rows as needed)


