
Adding and Editing Information Systems in CyMetric

Inventory the systems that reside within organizational control that store information.

Written by Michael Compisi
Updated over 2 years ago

The National Institute of Standards and Technology (NIST) defines an information system as a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems. CyMetric enables organizations to establish an information system map that catalogs or inventories the systems that reside within organizational control or responsibility that store information. For more information on what an Information System is, please click on the link below.


Similar to adding Information Types, adding an Information System begins by clicking on Information Systems from the navigation area on the left side of the screen.

Click on the three-dot ellipsis in the top right portion of the screen to begin the data entry and compliance objectives definition process. The following dialog box will appear:

Enter Information System Name: Enter the name of the Information System you would like to enter along with a description of that system.  

Assign Business Owner: Continue by defining who the Business Owner is of the system. The Business Owner is the name of the person who has functional responsibility for the system.  The Business Owner is derived from the list of people that were defined in the People data entry process. NOTE: If you want to add a new person for this function, you will need to exit the Information System module and return to the People module. You currently CANNOT enter a new person in the Information System module.

Assign Technical Owner: Next, define the Technical Owner for the Information System. The Technical Owner is the name of the person who has operational responsibility for the application/system. The Technical Owner is derived from the list of people that were defined in the People data entry process. NOTE: If you want to add a new person for this function, you will need to exit the Information System module and return to the People module. You currently CANNOT enter a new person in the Information System module.

Assign Implementation Owner: CyMetric includes an optional field to define the Implementation Owner for the information system. The Implementation Owner is the person responsible for ensuring the system is properly implemented in the organization’s information technology infrastructure and that all technical requirements are in place to support the information system. This field could also be extended to apply to other entities, such as third-party cloud vendors or consulting firms. The Implementation Owner is derived from the list of people that were defined in the People data entry process. NOTE: If you want to add a new person for this function, you will need to exit the Information System module and return to the People module. You currently CANNOT enter a new person in the Information System module.

Add Information Types: Essential to this process is adding information types to define the type of data that resides in this system. Click on the Add Information Types drop down to map the types of information that are contained in this system. The list is derived from the Information Types data entry process defined above. Upon selection, the specified information type will be included in the Linked Information Types area of the screen. To add a NEW data type (one not contained in the Information Type list), click on the Create New option at the top of the information types drop down to add a new data type to the list. This new information type will be added to the master list and be available for other systems moving forward. There is no limit to the number of Information Types that can be added to an Information System. For additional content on defining risk for information systems, please see Alan Winchester's article here.

When you are finished adding Information Types, click on the Next button at the bottom of the screen.

Define Additional Information: CyMetric enables users to define supplemental detailed information about an information system. These fields are OPTIONAL but the data can be very useful in certain circumstances.

Operating System: Define the operating system for the information system being entered (e.g. Windows, Linux, iOS, etc.).

Operating System Details: Text field to include any details about the operating system or other related information.

Compliance Boundary: A categorization of the system based upon its logical or physical perimeters. Boundaries can be used to define systems that fall in or out of scope of a security or compliance program. This categorization can be highly useful for PCI compliance or for defining other compliance programs.

Associated IP Addresses: IPv4 or IPv6 address values. CyMetric requires proper formatting of the address for the values to be accepted (e.g. IPv4: 12.244.233.165. IPv6: 2001:0db8:0000:0000:0000:ff00:0042:7879).

Associated Documents: Link documents that provide information relevant to the information system being entered into CyMetric. CyMetric is NOT a repository. The system links to the location of the document. Users will need to have access rights to the location in order to open the document(s).

These fields are optional and as such do not need to be filled in. Click Next to continue.
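Before keying systems into the dialog, it can save time to check a draft inventory against the constraints described above: owners must already exist in the People list, and each associated IP address must be well formed. The following is an added example, not part of CyMetric or this article; the field names and sample records are constructed, and it assumes that Business Owner and Technical Owner are required and that each IP value is a single address rather than a range.

```python
import ipaddress

# Constructed sample data (not exported from CyMetric); field names are hypothetical.
PEOPLE = {"Dana Reyes", "Sam Okafor"}
SYSTEMS = [
    {"name": "Payroll DB", "business_owner": "Dana Reyes",
     "technical_owner": "Sam Okafor", "implementation_owner": "",
     "ips": ["12.244.233.165", "2001:0db8:0000:0000:0000:ff00:0042:7879"]},
    {"name": "Badge Controller", "business_owner": "Dana Reyes",
     "technical_owner": "Lee Park", "implementation_owner": "Acme Cloud",
     "ips": ["12.244.233.300", "10.0.0.0/24"]},
]

OWNER_FIELDS = ("business_owner", "technical_owner", "implementation_owner")
OPTIONAL_OWNERS = {"implementation_owner"}  # the article marks only this one optional


def check_system(system, people):
    """Return a list of problems to fix before entering this system."""
    problems = []
    if not system.get("name", "").strip():
        problems.append("missing system name")
    for field in OWNER_FIELDS:
        owner = system.get(field, "").strip()
        if not owner:
            # Assumption: an empty non-optional owner field blocks entry.
            if field not in OPTIONAL_OWNERS:
                problems.append(f"{field} is empty")
        elif owner not in people:
            # Owners come from the People module; add the person there first.
            problems.append(f"{field} '{owner}' is not in the People list")
    for raw in system.get("ips", []):
        try:
            ipaddress.ip_address(raw.strip())  # accepts IPv4 or IPv6, no CIDR
        except ValueError:
            problems.append(f"'{raw}' is not a single IPv4/IPv6 address")
    return problems


def check_inventory(systems, people):
    """Map each system name to its list of problems (empty list means ready)."""
    return {s.get("name", "<unnamed>"): check_system(s, people) for s in systems}


if __name__ == "__main__":
    for name, problems in check_inventory(SYSTEMS, PEOPLE).items():
        print(name, "OK" if not problems else problems)
```

Any owner flagged here needs to be created in the People module before the Information System entry is started, since the dialog cannot add people.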

Define Compliance Objectives: The next step in the process is to define the compliance objectives that this system is looking to meet. Because each Information System can have its own unique compliance objective, select the appropriate objective or objectives that THIS SYSTEM needs to comply with. Note: Users will only see what obligations/compliance objectives they have been licensed for.

Once the applicable objectives are selected, click on the Next button.

Assign a Default Control Owner: The last step in defining your Information System is to assign a Default Owner to the Controls that are applied to this Information System. The Default Owner is the user who has initial responsibility for the approval of the control set for the defined system. The Default Owner can be changed in the Control Approval process or at any time via the Approved Control area.

Once the Default Owner has been assigned, click on the Submit button to generate the controls for the Information System. 

Upon successful control generation, users have the option to create another Information System or to Review and Approve the Controls that were just generated. To learn how to go through the pending control approval process, please see the article Reviewing and Approving Pending Controls.

Edit an Information System

If there is a need to edit an information system, possibly to make changes to system owners, add or remove information types or add an additional obligation to a system, you can edit the system to reflect those changes.

From the Information System module main page, search for or scroll to find the system you would like to edit. Click on the caret at the end of the row of the system to access the information system.

From the Information System screen, click on the three-dot ellipsis and choose Edit Information System from the list of options.

Users will have access to all of the screens and options defined above in the Add an Information System section to make any changes to the system that are appropriate. NOTE: If you add a supplemental compliance obligation to the system, you will have to define a default control owner AND approve the controls via the Pending Approval Process. If you did not assign a new compliance obligation, you will NOT need to assign a Control Owner on screen 4.

When you get to screen 4, click on the Save Edits button to commit the changes.
