RSAM User Guides

RSAM is the the governance, risk and compliance (GRC) platform that we are using to manage, organize and analyze data associated with Risk Management and Compliance for systems at Columbia University and Columbia University Irving Medical Center (CUIMC). The use of RSAM allows for automation and continuous risk monitoring of critical information assets and systems. As a stakeholder in a system being assessed by the Risk Management Program, you are required to register your system in RSAM, and to answer the System Questionnaire if it has been determined to be in-scope for a deeper assessment.

System Registration is the first step in getting your University System assessed by the Information Security Risk Management Program. During System Registration you will answer certain overall questions about your system, it's setup, it's intended purpose, and the data that it contains. The completed registration questionnaire is reviewed by a risk analyst who will determine if risk assessment needs to be performed for the registered system/application. If a system qualifies for risk assessment, then the system owner and IT custodian will be notified to complete the baseline risk assessment questionnaire.

Navigate to https://rsam.cumc.columbia.edu and log in with your UNI and password. You must be on the Columbia network or connected via VPN to access the site.

Welcome to the RSAM Home Screen.

You can get back here at any time by clicking on Home in the Upper left hand corner, and then on the "0.0 Home" Tab.

To register a system, click on the Create new System Registration link. Do not click on the document icon next to it, which leads to an instructional pop-up window.

Read the informational text to familiarize yourself with the process.

Type in the name of the system you want to register under CU System Registration Name.

Click on Organization: Business Unit and select the appropriate business unit for the system.

Click on Create CU System Registration.

In the Attributes section, please fill out the information about the system itself, independent of the data it stores, in order to describe how the system functions.

The first page asks you to provide a brief overview of the system, including, but not limited to:

The stated purpose of the system, what function is it meant to address
Its current status
When it was first put into production
How many users it has
How many records it holds

Click on Next Unanswered button

When you finish each page of questions, click on the Next Unanswered button on the top of the page to move onto the next question. You can also navigate to the other questions by using the other buttons appropriately.

System Stakeholders

In this section you indicate who your System Owner, IT Custodian, and Other Custodian(s) for this system are.These are people who own, manage, and/or have relevant technical knowledge of the system in question. Please refer to the Definitions of Stakeholders page for more information on what these roles entail.

Once a person is identified as a stakeholder, they can also answer or edit the registration on their own. This is useful if you don’t know all the answers yourself. You can ask fellow stakeholders to log in and answer questions related to their expertise.

Please refer to Sharing Worksheets with Other Stakeholders for instructions on how other stakeholders can access, answer, or edit existing registration worksheets.

To choose the appropriate persons for each field:

Click on the magnifying glass icon to open the System Owner Dialog Box.

Click Add.

Type in the UNI or name of the person you are searching for and select eMail if you are searching by UNI, or Name if you are searching by name.

Click on Validate. If the validation went through, then the person's full name should appear, with their UNI in parentheses. If it did not, modify your search text and try again.

Click OK. You will return to the System Owner Dialog Box. Click on Add to add another owner or OK to complete this assignment.

IT Implementation

In this section, you will be asked information about how your system is implemented. This includes questions about it's physical location, the software running on it, and its IP addresses.

While this guide will not cover every question on this page, some fields of note are:

Server IP Address

Click on the Magnifying Glass to open the Server IP Addresses dialog box.

When you find your IP(s), click the check box on the left hand column. When you are done, click Update on the lower right hand corner. (If your server's IP is not in the table, close the dialog by clicking Cancel and leave the entry blank.)

Additional IT Implementation Information

In this field, please describe your system architecture to the best of your ability. This should include how data travels between users, the interaction of any subsystems or components, and a general understanding how the system functions.

Please also list the following stats for your system:

If you left the “Server IP Addresses” question blank, please also provide the proper IP here.
Operating system
Webserver software
Any relational databases used by the system

Third-party IT Services

If your system uses any third-party services to function, or were used in development of this system, please fill out this section.

Data Flow and System Information

If your system exchanges information with any other systems, please fill out this section.

Risk Assessment Administration and WIP

These sections are for CU/CUIMC Infosec Staff only. Do not fill out any fields on these pages.

The Criticality section includes questions about the type of data the system processes and stores, the purpose of the data, how many users it affects, and questions about its security. These are used to determine the risk of your system.