RSAM FAQ and Definitions

RSAM is the governance, risk and compliance (GRC) platform that we are using to manage, organize and analyze data associated with Risk Management and Compliance for systems at Columbia University and Columbia University Medical Center (CUMC). The use of RSAM allows for automation and continuous risk monitoring of critical information assets and systems. As a stakeholder in a system being assessed by the Risk Management Program, you are required to register your system in RSAM, and to answer the System Questionnaire if it has been determined to be in-scope for a deeper assessment.

RSAM is a repository, where relevant information about University and CUMC systems is secured, collected, and analyzed. This includes self-assessment questionnaires, vulnerability scans results, and other potential information security uses. The use of RSAM allows for automation and continuous risk monitoring of critical information assets and systems.

Risk Management Program Definitions

For the purpose of the University Risk Management Program, a system is defined as any server based software that resides on a single server or multiple servers and is used for University purposes. “Application” or “Information System” is synonymous with “System”.

System Owners are University officials, including Directors, Officers of Instruction and Officers of Research, who are responsible for determining computing needs, and applicable System hardware and software, in their respective areas of responsibility and ensuring the functionality of each such system. Such responsibilities include, but are not limited to:

  • Classifying each system in their respective areas of responsibility based on the identification and classification of data by the applicable data owner;
  • Ensuring that each such system that contains sensitive data or confidential data is scheduled for risk assessment in accordance with the Columbia University Information Security Risk Management Policy;
  • Establishing and implementing security requirements for each such dystem in consultation with the applicable Information Security Office;
  • Documenting and implementing audit mechanisms, timing of log reviews and log retention periods;
  • Maintaining an inventory of such systems;
  • Approving appropriate access to systems; and
  • Ensuring that the Columbia University Sanitization and Disposal of Information Resources Policy is followed.

IT Custodians are University personnel who are responsible for providing a secure infrastructure in support of data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges as authorized by data owners or system owners and implementing and administering controls over data in their respective areas of responsibility. Such responsibilities include, but are not limited to:

  • Maintaining an inventory of all endpoints used in their respective areas of responsibility;
  • Conducting periodic security checks of systems and networks, including password checks, in their respective areas of responsibility;
  • Documenting and implementing audit mechanisms, timing of log reviews and log retention periods;
  • Performing self-audits and reporting metrics to the applicable Information Security Office and monitoring assessments and appropriate corrective actions; and
  • Ensuring that the Columbia University Sanitization and Disposal of Information Resources Policy is followed.

FAQ

The first step is to register your system(s) in RSAM (rsam.cumc.columbia.edu) – see the RSAM registration user guides and technical requirements document. The RSAM registration requires completing the demographic questionnaire, and then the completed registration questionnaire is reviewed by a risk analyst who will determine if risk assessment needs to be performed for the registered system/application. If a system qualifies for risk assessment, then the system owner and IT custodian will be notified to complete the baseline risk assessment questionnaire. The completed baseline risk assessment questionnaire is reviewed; a report is issued, control gaps are identified and discussed with all interested parties to determine remediation plan and timeframe for resolving the control gaps that are noted.          

All systems located at Columbia University’s Morningside Heights or Manhattanville Campus that process, transmit and/or store Sensitive Data must be registered with the CU Information Security Office. All Systems located at CUMC (“CUMC Systems”) must be registered with the CUMC Information Security Office.  See Columbia's Registration and Protection of Systems Policy for additional information. 

The system/application must be multi-users with an authentication and authorization mechanism. For example, the system/application must require a unique user ID and password to authenticate the user’s identity and provide access levels/permissions which are specific to the user’s account. 

The system/application owner or IT custodian can register their system(s). 

If you have not registered your systems, you should register them immediately.

Please see the RSAM registration user guides and technical requirements document or troubleshooting document. If you are still having trouble, please feel free to email us at cuit-risk@columbia.edu (for Morningside campus affiliates) or security@cumc.columbia.edu (for Medical Center affiliates).