Risk Management ASSET INVENTORY Identify ALL possible assets the case organization would have and associate them with their media – some of which have been identified for you. Complete all tables i

Risk Management ASSET INVENTORY Identify ALL possible assets the case organization would have and associate them with their media – some of which have been identified for you. Complete all tables i
1 Jules Ostin Sustainable Packaging , Inc . ( JOSP ) M ission Statement Jules Ostin Sustainable Packaging , Inc strives to provide eco – friendly and susta inable packaging solutions to its business customers to help satisfy their need of mar keting their products in env ironment friendly packaging without sacrificing cost effective ness . O ur Goal is to provide best quality products and customer s ervice, while serving the environment with a focus o n quality and minimizing cost . We a im to foster life – long partnerships with our customers and our employees , helping both of them feel pro ud about serving the enviro nment withou t sacrificing market competitiveness . We aim to prove that dedication to a clean environment is not only good for mother nature but is also good for bu siness. We want to help our customers provide best quality and unique ways to market and package their pro d ucts w ithout sacrificing their green goals. We value our employees that build pride and strive to creating a strong positive working environment and company spirit. H istory JOSP was established by its founder Jules Ostin to prove that good environment is good for business. She got her head start in the corporate world as a strategy consulta n t at one of the first electric vehicle companies and worke d closely with its founder to build it into a multi – billion – dollar firm with market capitalization dwarfing the other players in the car industry. It taught her an important lesson that what ’ s good for environment can be good for business as well . From there sh e founded another company which provi ded electric car batteries as a service helping reduce car charging times b y just switching car batteries and saving customers from spending h ou rs at the charging station s . Her firm was acquired by a private equity firm, and she cashed out at the right tim e as industry saw several larger players enter in a small m arket. During her visit to a self – sustaining pla s tic collection center at an ocean in South – East Asia while on a holiday , she was a g hast by plasti cs at the river mouths and at oceans and wondered if that plastic can be harnessed into sustainable pack a ging . Where other people saw unsolva ble problems, she saw opportunities. She also saw first – hand a factory where clothes donated by people or collected from trash were turned into t hread , albeit of cheaper quality for clothing p urposes, but can be used for sustainable packaging. T here was a clear need of design for modern packaging sol ution s . She put her team of designers to work and qu ickly came up with clothes and plastic based sustai nable packaging solutions . But to have an industry im pact her team needed scale . She worked with her friend at a major Private equity firm and h er team went out and acquired a boutique recycl ed paper – based packaging solution s company which had 5 region al sto res and a corporate he ad quarter serving as centra l design, shipping and receiving hub and a fleet of 20 delivery trucks and most importantly a strong relationship with its customers. J u les has an MBA and a BSBA in Entrepreneurship, with a minor in IT from the Atlantis University of Technology. Ju l es ’s first order of business was to update the almost obsolete IT infrastructure 2 and teleph ony systems in all stores and the corporate headquarters of this company . H er next task is to improve the information security of the corporate headquarters. Executive Staff The current CEO, Jules Ostin, oversees all operations at corporate headquarters a nd all 5 regional stores. The managers of the regional stores actually report to the COO, who reports to the CEO. The current CFO, Juan Mata , oversees all financial operations at corporate headquarters and all 5 regional stores. The Senior Accounta nt reports directly to the CFO. The Current COO, David Silva , oversees all corporate and branch operations, including sales, procurements and distribution. The managers of all 5 stores report to the COO, as does the Managers of Design/ Purchasing, Sales, Dis tribution, HR and IT. Corporate Organization Chart Corporate Headquarters Physical Plant JOSP Corporate Headquarters Floor Plan 3 Office Occupant 100 Foyer 101 Reception 102 Workroom 103 Executive Assistant 104 CEO 105 COO 106 Conference Room 107 CFO 108 Purchasing Rep 109 Purchasing Rep 110 Manager, Purchasing 111 Purchasing Admin Assistant 112 HR Admin Assistant 113 Manager, HR 114 Sales Rep 115 Sales Rep 116 Manager, Sales 117 Sales Admin Assistant 4 118 Distribution Rep 119 Distribution Rep 120 Manager, Distribution 121 Distribution Admin Asst 122 Accountant – General Ledger 123 Accountant – Accounts Receivable 124 Senior Accountant 125 Accountant – Accounts Payable 126 Manager, IT 127 Data Center/Server Room 128 IT Tech – Systems & Servers 129 IT Tech – Networking * Data Center specifications provided separately JOSP Data Center/Server Room (Room 127) Two full – height (42U), floor – standing racks inside the center currently each hold a 3000VA UPS and 6 – 8 rackmount servers (described below), plus switches for the 1GbE Cat6 – backbone network and several shelves of routers, wireless controllers, spare drives and so on. The room is independently climate controlled and on its own 9000VA UPS that also powers half a dozen office systems and switches around the floor in case of a power outage. Current server applications installed and running as infrastructure: Unless otherwise specified, all servers are Dell PowerEdge R6xx Rack – mounted servers. Rack 1: 1. Windows 2012 Server A – Active Directory Service and AD SQL DB 2. Windows 2012 Server B – Primary Domain Name Service and DNS SQL DB 3. Windows 2012 Server C – Exchange 2013 email server and Email DB 4. Windows 2012 Server D – Traverse Accounting Software and Accounting SQL DB 5. Windows 2012 Server E – Traverse Distribution Software and Distribution SQL DB 6. Windows 2012 Server F – Traverse ERP Software and ERP SQL DB 7. Dell Storage NX 3xxx 1 – Network Attached Storage (NAS) #1 – Runs Windows 2012 R2 – multi – terabyte data backup capability for Rack 1 servers’ databases. In CC |IRM this is referred to as a “Disk Array”. 8. Dell Switch A 9. APC UPS A 5 Rack 2: 1. Windows 2012 Server G – Office 365 Server and Office DB (contains Office 365 files and images) – web – based office productivity software used on employee systems. 2. Windows 2012 Server H – Internet Information Server #1 for Intranet support – stores own web and document data. Used for internal forums, wiki’s and policy document management. 3. Windows 2012 Server I – Optimum HRIS and HRIS DB 4. Windows 2012 Server K – Internet Inf ormation Server #2 used with Forefront TMG and IIS – FTMGDB – used to provide web filtering and proxy services – has own Intranet DB. 5. Windows 2012 Server K – SupportIT and SIT DB – used by IT department to manage systems configuration, updates, and helpdesk tickets. 6. Dell Storage NX 3xxx 2 – Network Attached Storage (NAS) #2 – Runs Windows 2012 R2 – multi – terabyte data backup capability used as an onsite daily backup for all Rack 2 servers’ databases. In CC|IRM this is referred to as a “Disk Array”. 7. Dell S witch B 8. APC UPS B All Servers (including both NAS) are backed up weekly to a Cloud – based backup service (iDrive.com which provides a deep educational discount). In CC|IRM this is referred to as “Software – as – a – Service”. All data and databases in Rack 1 backed up daily to NAS#1. 6 All data and databases in Rack 2 backed up daily to NAS#2. All systems backed up weekly to online backup service (SaaS). Travers e Accounting Software provides the following applications: • General Ledger • Accounts Payable • Accounts Receivable • Payroll (Employee Distributions) • Banking • Bank Reconciliation • Fixed Assets Traverse Distribution Software provides the following applications: • Inventory • Bill of Materials/Kitting • Purchase Order • Sales Order • Warehouse Management • Requirements Planning Traverse ERP Software provides the following applications: • Web Portals (Ecommerce site) • Customer Relationship Management Optimum HRIS provides the following applications • Payroll Management (exports to Traverse for Payroll processing) • Human Resources • Time & Attendance (exports to Traverse for Payroll processing) Current JOSP does not have any formal information security policies, plans or staff.
Risk Management ASSET INVENTORY Identify ALL possible assets the case organization would have and associate them with their media – some of which have been identified for you. Complete all tables i
Risk Management Project using Clearwater Compliance IRM Analysis (v. 01-2021)Course TermYear – Ima Student (Replace with your course/information (e.g. CYBR7300 SP21 – Mike Whitman), then delete all instructions in italics). The Risk Management Project will be performed using the Clearwater IRM Analysis software. The software is cloud-based and may be accessed via a Web browser (Chrome is recommended). Each student will have an assigned account and will be provided access information once the students have been registered with Clearwater by the instructor. Each phase is designed to take you through the exact same tasks an individual conducting a risk management program for an organization would perform, using the exact same tools that are currently available. The Clearwater software is currently the leading application for healthcare information risk management in the nation and as such you will find the software manual tailored for healthcare information systems. Begin by reading through these instructions, and the associated tutorial – available in D2L Content section. Review and/or complete the corresponding phase of this document before beginning the software component. Clearwater Compliance, LLC Software (https://software.clearwatercompliance.com) Be sure to place your personal information in this document header and delete everything in italics. Save as PDF, renaming it (e.g. CYBR7300-SP21_mwhitman_asset_tables.pdf) before submitting. PART 1 –INFORMATION ASSET INVENTORY AND RANKING TABLES Begin with the provided list of information assets the case organization would have and associate them with their components. Complete Tables 1 and 2 in this document. Remove all instructions in italics. You will then use this information to add information assets to Clearwater IRM, complete the asset information form and then assign component groups for your information assets. Then proceed to Part 2 as described in the CC|IRM tutorial (both are completed/uploaded together, as one submission). TABLE 1 – LISTING OF INFORMATION ASSETS Instructions for Table 1. Delete before submitting. Complete Table 1 below specifying any information assets appropriate to the case not provided (add/remove rows as needed), the component/media, owner, type of data, RTO, and RPO, of all provided information assets, based on assumptions you derive from the case document.An information asset is any application, database, or file store that creates, stores, transmits or receives critical data, that it is important to manage the risk for. If an information asset is “unimportant” we typically won’t waste our time with it. Technically, network packets could be considered information assets, but we’re going to focus exclusively on the critical applications and databases/file stores identified in the case organization for this project. These values will be entered into CC|IRM later in the project. For this project, all of the assets except for the NAS’ Data and the Office File Share are considered Applications with internal data. All information assets are stored on Servers and accessed by users from their Desktops. Some of the applications are considered File-Shares. All applications are backed up their rack’s NAS (External Storage) daily. Each NAS backs its application internally, and then its data to another NAS. Each NAS also backs up its data to the Cloud Backup Service Provider (Software-as-a-Service) weekly as a single encrypted file. Component Group Options: Components are the systems “create, receive, store, transmit or view” information assets. Essentially, they are the containers or hardware that house and interact with information assets. For this project, use the following component types: ApplicationsDesktops Servers External Storage (NAS) File Share Software-as-a-Service Note: Since we’re using applications with internal databases, rather than applications that interface with external databases, we won’t use “databases” as components. Since our application/information assets interact with other applications and each other, we include “applications” as components as well. These component types are first entered when adding assets to CC|IRM, then you will reorganize these into groups that match the actual implementation in the case organization. For example: Asset Component/Media Data Owner Type of Sensitive Data RTOTier RPOTier Active Directory Service ApplicationDesktopExternal StorageServer (T) CIO Customer Confidential 1 1 NAS#1 Data ApplicationDesktopExternal StorageServer (I)SaaS CIO Customer Confidential 2 2 (Note: I’ve just added numbers for the RTO and RPO. You should put some thought into the values for your project. If you just list them all the same or they don’t make sense, it could cost you points on the project). Data Owner: refer to the text for the definition of the data owner. While the CIO may be the data custodian for all data, they are most likely NOT the owner of non-IT data. Type of Sensitive Data Options: Customer Confidential (Conf) – any data retained by the organization that has been labeled as confidential – i.e. limited in its access, distribution and use. Examples include executive meeting records; marketing and strategic plans not yet released; details of communications with and services provided to select client organizations; and company IT and InfoSec program details. Electronic Patient Healthcare Information (ePHI) – any data retained by the organization that contains personal medical information, including that of employees and clients. Employee health coverage information in an HR file is not ePHI for our purposes – unless it included details on the coverage such as the account number, primary care physician, etc. Most HR records would only contain the name of the coverage (e.g. Blue Cross/Blue Shield HMO), but not the details. Payment Card Information (PCI) – any data retained by the organization that contains payment card information such as debit/credit card numbers with expiration dates, users’ names, security codes and/or billing information. Personally Identifiable Information (PII) – any data retained by the organization that contains personally identifiable information that could be used to identify an individual (or steal their identity) including names with social security numbers, driver’s license numbers, addresses, phone numbers, family members. Student Records (FERPA) – any data retained by the organization that contains academic information regarding an individual including names with student numbers, social security numbers, courses taken, grades assigned, academic integrity/misconduct issues, financial aid and/or other PII. ePHI and FERPA are specialized versions of PII. If a data asset has no academic or medical content, just classify it as PII. If a component group contains multiple different classified data assets, list all that it contains. RTO Tiers Options: “Recovery time objective (RTO) is the maximum desired length of time allowed between an unexpected failure or disaster and the resumption of normal operations and service levels. The RTO defines the point in time after a failure or disaster at which the consequences of the interruption become unacceptable.” (CC|IRM Help Menu). Refer to the text pp. 509-10 for additional discussion of this topic. 0 = less than 1 hour 1 = 1 – 2 hours 2 = 3 – 6 hours 3= 6 – 24 hours 4= 1 – 3 days 5= 3 – 5 days RPO Tiers Options: “A recovery point objective (RPO) is the maximum acceptable amount of data loss measured in time. It is the age of the files or data in backup storage required to resume normal operations if a computer system or network failure occurs.” (CC|IRM Help Menu). Refer to the text pp. 509-10 for additional discussion of this topic. 0 = less than 1 hour 1 = 1 – 2 hours 2 = 3 – 6 hours 3= 6 – 24 hours 4= 1 – 3 days 5= 3 – 5 days A few Assets have been added to the table to help you get started. You will need to identify the rest on your own. Add rows as needed. Asset Component Data Owner Type of Sensitive Data RTO RPO HRIS PAYROLL NAS#1 BARS NAS#1 Data (add rows as needed) TABLE 2 – WEIGHTED RANKING OF INFORMATION ASSETS Create a weighted table analysis, as described in the text, to rank all information assets from Table 1. To assist you in the calculations, you may use the Weighted Ranking of Information Assets spreadsheet provided in D2L. Identify 4-5 criteria you will use to evaluate the assets identified earlier and assign weights to the criteria. Note the weights must sum to 1.0 (as in 100%). Copy the complete list of assets from Table 1 into the first column of Table 2. Evaluate each information asset against your criteria by assigning a value of 0 to 5 (with 5 being most critical) under each asset criterion. Use the following scale in your assignments, to answer the question: “How important is this asset with regard to this criterion?” 5 – Critically important 4 – Very important 3 – Important 2 – Somewhat important 1 – A little important 0 – Not important Perform the calculations to determine the totals. (each cell is multiplied by its criterion’s weight, then all products are summed into the total column).Note: sample criteria weights were added to the table to illustrate function (e.g. Crit 1; .20). Replace these values with your own criteria and weights. Use the following scale to convert the weighted table analysis “Total” values to Clearwater “Importance” scores. Use standard rounding (e.g. .5 and above rounded up) to select the corresponding Importance score: 5 – Critically important 4 – Very important 3 – Important 2 – Somewhat important 1 – A little important 0 – Not important Row 1 provides an example of a completed row. Replace this row’s values with your own before submitting. Finally sort the entire table on the Total column. When you’re finished, your number one asset (first on the list) should be the one with the largest total, and thus the highest importance.Refer to the supplemental lecture on Weighted tables for additional instructions. Criteria  InsertCrit 1 here InsertCrit 2 here InsertCrit 3 here InsertCrit 4 here InsertCrit 5 here WeightedTotal 0-5.0 Importance (0-5; Not Important to Critically Important) Criteria Weight Asset Name Insert Crit 1 weight Here Insert Crit 2 weight here Insert Crit 3 weight here Insert Crit 4 weight here Insert Crit 5 weight here HRIS 3 3 4 2 3 3.00 3 – Important (add rows as needed) Criteria Descriptions: List and describe your criteria used in Table 2 below. Then provide a detailed justification as to how and why you selected these criteria and their weights. Format: Criterion (e.g., Impact on Profitability – this criterion is defined as _____, This criterion was selected because _____, A weight of ___ was selected for this criterion because _____.)1. 2. 3. 4. 5. PART 2: RISK DETERMINATION & RISK RESPONSE At this point you should download and follow the instructions on the RM Project tutorial, which will take you through the Clearwater Compliance | IRM portion of the assignment. The steps to be performed and deliverables for the overall assignment are listed in that document. This document, plus the Reports you will generate at the end of the tutorial are your deliverables for the RM assignment. However, I will be accessing your CC|IRM account directly to do much of the grading. Remember to delete all instructions in italics before submitting this document. The application uses a slightly different definition of risk treatments (we call them risk controls): Use their definitions for the application, but the text’s for all assignments. “Risk acceptance is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.” (In the Text we also label this as Acceptance) “Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk tolerance. Organizations may conduct certain types of activities or employ certain types of information technologies that result in risk that is unacceptable. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk.” (In the Text we label this as Termination) “Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred.” It typically involves the implementation of new or enhanced controls and counter-measures. In the Text we label this as Defense) “Risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations.” (In the Text we label this as Transfer) In some case more than one Risk Treatment might be an appropriate response to a risk. It is common for Transfer and Mitigation activities to both be applied to reduce a risk. Select a primary risk treatment type and select or add controls or recommendations that correspond to all Risk Treatment types in the Evaluate Alternatives section. If you select “Mitigate” (most common), then specify expected Effectiveness of proposed controls, estimated cost, feasibility and whether the action will enhance (improve) or add (new) the control, or if that control is effective (no change), or needs to be removed (omit). 13