0% found this document useful (0 votes)

41 views185 pages

Manual

The Clearwater Compliance IRM|Analysis® Software Manual provides comprehensive instructions for conducting HIPAA-compliant risk analyses and risk responses, detailing the methodology and regulatory requirements. It includes step-by-step guides for software usage, risk management processes, and compliance with HHS and OCR guidelines. The manual serves as a resource for organizations of all sizes to effectively manage and mitigate risks to electronic protected health information (ePHI).

Uploaded by

KarimBerra

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

41 views185 pages

Manual

Uploaded by

KarimBerra

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 185

Clearwater Compliance

IRM|Analysis®
Software Manual
Version 5.1.6
With Step-by-Step Instructions
Table of Contents
Introduction .................................................................................................................................... 6
HIPAA Security ................................................................................................................................ 7
HIPAA Security and IRM|Analysis® ................................................................................................. 8
Risk Rating Matrix ........................................................................................................................... 9
HHS Guidance on the Completion of a Risk Analysis .................................................................... 10
How Our Risk Management Methodology Meets/Exceeds All HHS/OCR Guidance .................... 12
NIST IRM|Analysis® ....................................................................................................................... 13
Our Security Risk Management Process Flow .............................................................................. 15
Our practical approach to conducting and documenting a risk analysis for the HIPAA Security Rule
....................................................................................................................................................... 16
Accessing Clearwater Software – Logging In ................................................................................ 17
Forgot Password ........................................................................................................................ 18
Password Management............................................................................................................. 18
Account Owner: Edit an Existing User or Reset a User’s Password .......................................... 19
Analyst: Change your Password .................................................................................................... 20
Quick Start Guide: Manage Account ............................................................................................. 21
Profile ........................................................................................................................................ 22
Physical Locations .................................................................................................................. 23
Add a new Physical Location ................................................................................................. 23
Edit a Physical Location ......................................................................................................... 23
Copy a Physical Location to other Entities ............................................................................ 24
Delete a Physical Location ..................................................................................................... 24
Entity Management ...................................................................................................................... 25
Entity List - Add a New Entity .................................................................................................... 26
Entity List – Edit an Existing Entity ............................................................................................ 27
Entity List – Delete an Entity ..................................................................................................... 27
Entity List – Entity Tags.............................................................................................................. 28
Entity Tag Categories................................................................................................................. 29
User Management ........................................................................................................................ 30
User List ..................................................................................................................................... 31
Add a New User ..................................................................................................................... 32
Account Owner – Delete a User ................................................................................................ 34

1 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Manage Roles (Custom and Default) ........................................................................................ 34
Editing Permissions within Roles ........................................................................................... 35
Assign a User to a Role .......................................................................................................... 37
Editing a Role Name .............................................................................................................. 38
Deleting a Role ....................................................................................................................... 39
Quick Start Guide: Framing and Governance ............................................................................... 40
Risk Threshold ........................................................................................................................... 41
Likelihood Settings .................................................................................................................... 43
Impact Settings .......................................................................................................................... 44
Version Frequency ..................................................................................................................... 46
Custom Controls ........................................................................................................................ 47
Control Tags............................................................................................................................... 49
RTO/RPO Settings ...................................................................................................................... 51
Quick Start Guide: Dashboards ..................................................................................................... 52
Governance Dashboards ........................................................................................................... 53
Risk Manager Dashboards ......................................................................................................... 54
Charts and Graphs Dashboards ................................................................................................. 54
Rating Distribution by Asset .................................................................................................. 55
Risk Rating Trends ................................................................................................................. 57
Quick Start Guide: Assets .............................................................................................................. 58
Asset Inventory Information ......................................................................................................... 59
Determining what Assets to Include ......................................................................................... 60
Determining what Assets to Exclude ........................................................................................ 61
Asset Inventory List ................................................................................................................... 61
Asset Inventory Form – Adding a New Asset ........................................................................ 62
Edit an Existing Asset ............................................................................................................. 66
Deleting an Existing Asset ...................................................................................................... 66
Change an Asset Status ......................................................................................................... 67
Asset Inventory Wizard ............................................................................................................. 68
Asset Inventory Import ............................................................................................................. 73
Component Groups ................................................................................................................... 74
Create New Component Groups ........................................................................................... 75

2 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Edit a Component Group ....................................................................................................... 77
Move and Copy Assets from Existing Component Groups .................................................... 77
Copy Risk Determination Information ................................................................................... 78
Copy Component Group to Entity ......................................................................................... 78
Delete Group ......................................................................................................................... 79
Quick Start Guide: Risk Determination ......................................................................................... 80
How can our Proven Risk Analysis Algorithm benefit you? .......................................................... 81
Risk Determination ....................................................................................................................... 82
Controls by Component Group ................................................................................................. 82
Controls by Component Group - Group Level View .............................................................. 83
Controls by Component Group - Control Level View ............................................................ 84
Controls by Component Group - Asset Level View ............................................................... 85
Pending Group Changes ........................................................................................................ 86
Controls – Global ....................................................................................................................... 87
Adding, Updating or Clearing the Control Responses ........................................................... 89
Adding Global and Component Level Notes to Controls ....................................................... 92
Uploading Documents to Controls ........................................................................................ 93
Risk Questionnaire List .............................................................................................................. 94
Selecting an Action for Component Groups ............................................................................. 97
Risk Questionnaire Form ........................................................................................................... 99
How should I determine Risk Likelihood? ........................................................................... 103
How should I determine Risk Impact? ................................................................................. 103
Controls Review....................................................................................................................... 105
Filtering the Controls Review Data ...................................................................................... 108
Rating Review .......................................................................................................................... 111
How do you define the colors in the Risk Rating Scale? ..................................................... 114
Filtering the Rating Review Data ............................................................................................. 115
Quick Start Guide: Risk Response ............................................................................................... 116
Risk Response.............................................................................................................................. 117
NIST Risk Response ..................................................................................................................... 118
Risk Response List ................................................................................................................... 120
Simple Tab ........................................................................................................................... 128

3 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Treat and Evaluate Tab ........................................................................................................ 131
Risk Action Plan Tab............................................................................................................. 133
Risk Response Optimizer ......................................................................................................... 135
Controls Response Review ...................................................................................................... 137
Risk Reconciliation ................................................................................................................... 138
Filtering the Risk Reconciliation List .................................................................................... 142
Documents .................................................................................................................................. 143
Quick Start Guide: Reports ......................................................................................................... 147
Risk Rating Report ................................................................................................................... 148
Risk Rating Detail Report ......................................................................................................... 150
Asset Inventory Report............................................................................................................ 153
Risk Response Detail Report ................................................................................................... 154
New Risk Response Control Status Summary Report ............................................................. 156
New Risk Rating Detail Report ................................................................................................ 158
New Asset Component Group Report..................................................................................... 159
Enterprise Extracts .................................................................................................................. 160
Version History ........................................................................................................................ 162
Add a Version History Data Snapshot.................................................................................. 163
Edit a Version History Data Snapshot .................................................................................. 164
Review a Version History Data Snapshot ............................................................................ 164
Delete a Version History Snapshot ...................................................................................... 165
Component Groups Detail Report........................................................................................... 165
Notifications ................................................................................................................................ 167
Clearwater Help Center and Customer Forum ........................................................................... 168
Keys for Success .......................................................................................................................... 169
References .................................................................................................................................. 170
Appendices .................................................................................................................................. 171
Appendix A – Export to CSV or PDF......................................................................................... 171
Appendix B – How to print or export Dashboards using the tri-bar menu icon ..................... 172
Appendix C – How to use Search ............................................................................................ 173
Appendix D – How to use Sorting in Reports and Grids.......................................................... 173
Appendix E – How to use Multi-Row Select ............................................................................ 174

4 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Appendix F - How the IRM|Analysis® Workflow Maps to Clearwater Compliance's IRM
Software® ................................................................................................................................ 175
Appendix G – Icon Definitions ................................................................................................. 176
Appendix H – Examples for Component Groups..................................................................... 180
Appendix J – HHS OCR Guidance to IRM|Analysis® ................................................................ 181
Appendix K – How to user Filtering ......................................................................................... 181
Appendix L – How to user Column Selector ............................................................................ 182
Appendix M – User Permissions based on Role ...................................................................... 182

5 | IRM|Analysis® Software Manual - Version 5.1.6

This document describes the Clearwater Compliance IRM|Analysis® Methodology and the
rationale behind this approach. It also includes Step-by-Step Instructions on how to use the
Clearwater HIPAA IRM|Analysis® Software product to perform a Bona Fide Risk Analysis and
Risk Response. This document briefly reviews the HIPAA regulatory requirements for security
risk analysis while providing a practical methodology and step-by-step instructions for
completing a Risk Analysis in accordance with the latest Health and Human Services (HHS) and
Office for Civil Rights (OCR) Risk Analysis guidelines, entitled “Guidance on Risk Analysis
Requirements under the HIPAA Security Rule”1.

This Clearwater Compliance Security IRM|Analysis® Methodology and HIPAA IRM|Analysis®

Software-as-a-Service product has been used by organizations of all sizes and is purposefully
designed to be operational by all Covered Entities and Business Associates, from the largest
(e.g., hospitals, insurers, long term care facilities, care management firms, etc.) to the
smallest (e.g., small medical practices, clinics, dental offices, medical billing companies, etc.).

6 | IRM|Analysis® Software Manual - Version 5.1.6

The purpose of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was
to improve the efficiency and effectiveness of the US healthcare system. HIPAA was modified
in February 2009 by the Health Information Technology for Economic and Clinical Health Act
(HITECH Act). HITECH modifications included much more stringent privacy and security
protection for patients of Covered Entities including Business Associates of Covered Entities.
It also increased the sanctions and penalties for failure to comply, including the right of
States Attorneys General to bring lawsuits on behalf of private individuals for breach of the
Security Rule.

HITECH has had the force of law since February 2010. However, Federal final rulemaking was
slower than anticipated. Consequently, many organizations seemed to have been unsure as
to how and when they should go about complying with the regulations, and were either
unaware of or elected to ignore the risk of noncompliance. The long-awaited Final Omnibus
Rule was finally published in the Federal Register on January 25, 2013. In that Final Rule, the
enforcement of which began on September 23, 2013, made it clear that Business Associates
must comply with HIPAA and HITECH. The definition of Business Associate was also extended
to include Subcontractors. As of that enforcement date, any entity that creates, receives,
transmits, or manages PHI of any kind is directly obligated to comply with all of the
requirements of the HIPAA Security Rule as well as the provisions of the Privacy and Breach
Notification Rules that specifically pertain to the organization’s interaction with PHI.

The security standards include general requirements to:

A. Ensure the confidentiality, integrity, and availability of all electronic protected

health information (ePHI) the CE or BA creates, receives, maintains, or transmits
B. Protect against any reasonably anticipated threats or hazards to the security or
integrity of such information
C. Protect against any reasonably anticipated uses or disclosures of such information
that are not permitted or required under the privacy rule
D. Ensure compliance with this law by its workforce

7 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
HIPAA Security and IRM|Analysis®
The Security Management Process standard in the Security Rule requires organizations to
“[i]implement policies and procedures to prevent, detect, contain, and correct security violations.”
(45 C.F.R. § 164.308(a)(1).) IRM|Analysis® is one of four required implementation specifications
that provide instructions for implementation of the Security Management Process standard.

45 C.F.R. § 164.308(a)(1)(ii)(A) states:

IRM|ANALYSIS® (Required).
Conduct an accurate and thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity, and availability of electronic protected
health information held by the [organization].

In addition, there is a separate and distinct implementation specification for the performance
of an Evaluation;
45 C.F.R. § 164.308(a)(8) Standard: Evaluation
(8) Standard: Perform a periodic technical and non-technical evaluation, based
initially upon the standards implemented in this rule, and subsequently, in
response to environmental or operational changes.

In general, the standard for Evaluation calls for an organizational or programmatic

assessment of compliance with the regulations. The Risk Analysis is a more detailed level
analysis of assets, threats, vulnerabilities and risks at the information system level. To
understand more about HIPAA Security Evaluation and HIPAA Security Risk Analysis,
including the differences between them and how to use them, watch the Clearwater
webinar, The Critical Difference: HIPAA Security Evaluation v HIPAA Security Risk Analysis.
From a very practical perspective, the ultimate goal of completing a risk analysis is to produce
a prioritized list of security risks to the organization’s Electronic Protected Healthcare
Information (ePHI) that can be addressed by a risk mitigation action plan based on informed
decisions.
However, doing so first requires an understanding of what is meant by “risk”. The classic
formula for calculating the level of risk is:

Risk = Impact * Likelihood

These terms (impact, likelihood and many others) will be explained in detail in this
document. A categorization of risks is shown in the following matrix. Our process helps you
determine your risks, categorize them as Low, Medium, High, or Critical, and then produce a
Risk Analysis Report (Risk Register) that will allow risks to be treated in priority order.

8 | IRM|Analysis® Software Manual - Version 5.1.6

9 | IRM|Analysis® Software Manual - Version 5.1.6

As required by The HITECH Act, the OCR, within HHS, has issued final “Guidance on Risk
Analysis Requirements under the HIPAA Security Rule”1. The following excerpts provide an
overview of this guidance:

The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the
provisions in the HIPAA Security Rule. (45 C.F.R. §§ 164.302 – 318.) This series of guides
will assist organizations in identifying and implementing the most effective and
appropriate administrative, physical, and technical safeguards to secure electronic
protected health information (ePHI). The guidance materials will be developed with input
from stakeholders and the public, and will be updated as appropriate.

We [OCR] begin the series with the risk analysis requirement in § 164.308(a)(1)(ii)(A).
Conducting a risk analysis is the first step in identifying and implementing safeguards
that comply with and carry out the standards and implementation specifications in the
Security Rule.

Therefore, a risk analysis is foundational, and must be understood in detail before OCR
can issue meaningful guidance that specifically addresses safeguards and technologies
that will best protect electronic health information.

The guidance is not intended to provide a one-size-fits-all blueprint for compliance with
the risk analysis requirement. Rather, it clarifies the expectations of the Department for
organizations working to meet these requirements. An organization should determine
the most appropriate way to achieve compliance, taking into account the
characteristics of the organization and its environment.

The “Guidance on IRM|Analysis® Requirements under the HIPAA Security Rule”1 describes nine
essential elements a Risk Analysis must incorporate, regardless of the risk analysis methodology
employed. These elements are as follows:

1. Scope of the Analysis - all ePHI that an organization creates, receives, maintains,
or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a).)
2. Data Collection - The data on ePHI gathered using these methods must be
documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316 (b)(1).)
3. Identify and Document Potential Threats and Vulnerabilities - Organizations
must identify and document reasonably anticipated threats to ePHI. (See 45
C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
4. Assess Current Security Measures - Organizations should assess and document
the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§
164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
5. Determine the Likelihood of Threat Occurrence - The Security Rule requires

10 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
organizations to take into account the likelihood of potential risks to ePHI. (See 45
C.F.R.
§ 164.306(b)(2)(iv).)
6. Determine the Potential Impact of Threat Occurrence - The Rule also requires
consideration of the “criticality,” or impact, of potential risks to confidentiality,
integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
7. Determine the Level of Risk - The level of risk could be determined, for example, by
analyzing the values assigned to the likelihood of threat occurrence and resulting
impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and
164.316(b)(1).)
8. Finalize Documentation - The Security Rule requires the risk analysis to be
documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)
9. Periodic Review and Updates to the Risk Assessment - The risk analysis process should
be ongoing. In order for an entity to update and document its security measures “as
needed,” which the Rule requires, it should conduct continuous risk analysis to
identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)

In our risk analysis methodology, as shown in the section below entitled “How Our Risk Analysis
Methodology Meets/Exceeds All HHS/OCR Guidance”, we help you complete the risk analysis
implementation specification (45 C.F.R. § 164.308(1)(ii)(A)) and make substantial progress in
meeting the requirements of the risk management implementation specification (45 C.F.R. §
164.308(1)(ii)(B)).

11 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
How Our Risk Management Methodology Meets/Exceeds All HHS/OCR
Guidance
Our Risk Management methodology incorporates all essential HHS/OCR-specified elements of a
risk analysis and extends beyond these requirements in several areas. Below, our Risk Analysis
Phases and sub-phases are mapped to the nine (9) HHS/OCR essential elements:
Our Risk Management Process HHS/OCR Elements of a Risk Analysis
Manage Account Scope of the Analysis
• Set up Entities
• Manage Users and Security Settings
Inventory Assets Data Collection
• Inventory Information assets that • Our Risk Analysis methodology
create, store, transmit or receive includes inventory forms for capturing
ePHI all relevant details about ePHI
• Group similar Component Groups
together for Risk Determination
Risk Determination Identify and Document Potential Threats and
• Document the presence of threats Vulnerabilities
and risks Access Current Security Measures
• Determine the current scope of Determine the Likelihood of a Threat
measures in place to avoid or Occurrence
mitigate identified risks Determine the Potential Impact of Threat
• Set the Likelihood that a threat can Occurrence
exploit a Vulnerability Determine the Level of Risk
• Set the severity of the Impact if the • Our Risk Analysis methodology
threat were to successfully exploit iterates through all applicable threat-
the vulnerability (s) vulnerability combinations for each
• Review Control, Likelihood and Component Type
Impact values for consistency

Risk Response Finalize Risk Response Actions and Log

• Identify acceptable levels of Risk and Periodic Review and Updates to the Risk
develop criteria for recognizing Risk Response Selections
levels • Our Risk Management Product
• Document residual risk after includes a workflow to make Risk
identified risks have been mitigated Response Evaluation and
and/or accepted Determination, as well as Risk
• Select a Risk Treatment Response tracking, much easier for
• Select and Implement Risk Response any organization.
Alternatives and Actions
Documentation Finalize Documentation
• Generate HIPAA Risk Rating and
Asset Inventory Reports

12 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
NIST IRM|Analysis®
The Security Rule does not specify exactly how a risk analysis should be conducted, but it does
reference the National Institute of Standards and Technology (NIST) Special Publication 800-302,
“Risk Management Guide for Information Technology Systems.”

The NIST publication offers a comprehensive approach to incorporating risk management into
the system or project development life cycle. Threats in the environment are identified, and then
vulnerabilities in information systems are assessed. Threats are then matched to vulnerabilities
to describe risk.

The NIST document includes a description of the roles of various persons in risk analysis and
management. It emphasizes the key role senior management plays in understanding security risk,
establishing direction, and supplying resources. HIPAA requires assigning responsibility to the
security official for the development and implementation of security policies and procedures.
This individual may lead the team that actually performs the risk analysis, do much of the policy
and procedure writing, and recommend or even select many of the controls.

The fact that NIST identifies the chief information officer, system and information owners,
business and functional managers, information technology (IT) security analysts, and trainers
recognizes the importance of a team that extends beyond IT and encompasses users. In a clinical
setting, users of information systems not only can assist in providing application and data
criticality information, but must also be involved in determining which mitigation strategies will
work.

Because many small clinics, medical practices or business associates do not have a full-time
information technology person not to mention a Chief Information Officer, system and
information owners, business and functional managers, information technology (IT) security
analysts, etc., the risk analysis should be completed by a combination of outside HIPAA-HITECH
Security specialists, practice management staff, the clinical staff and business leaders and
managers.

13 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
14 | IRM|Analysis® Software Manual - Version 5.1.6
© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Our Security Risk Management Process Flow
The IRM|Analysis® Risk Management workflow includes 2 processes that combine to assist our
Customers in completing their Risk Management tasks. The first process guides our Customers in
finishing a thorough and bona fide Risk Analysis. The second process assists them with completing
the Risk Response steps necessary to respond to their Risks and then measure and document
their solutions.

The section below describes the Clearwater Compliance IRM|Analysis® Methodology in detail
and the rationale behind this approach. It also includes an overview of the Step-by-Step
Instructions on how to use the Clearwater IRM|Analysis® Software-as-a-Service product to
perform a Bona Fide Risk Analysis.

This Clearwater Compliance Security IRM|Analysis® Methodology and HIPAA IRM|Analysis®

Software-as-a-Service product have been used by organizations of all sizes and is purposefully
designed to be operational by all Covered Entities and Business Associates, from the largest (e.g.,
hospitals, insurers, long term care facilities, care management firms, etc.) to the smallest (e.g.,
small medical practices, clinics, dental offices, medical billing companies, etc.).

Our Risk Analysis workflow is illustrated in the diagram below:

15 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Our practical approach to conducting and documenting a risk analysis
for the HIPAA Security Rule

Our process involves these five major phases :

1. Manage Account
1.1 Physical Locations
1.2 Setup entities
1.3 Setup users
1.4 Assign Roles to Users
1.5 Security Settings

2 Inventory Assets
2.1 Inventory information assets that create, receive, maintain, or transmit ePHI
2.2 Group similar Component/Assets together for Risk Determination

3 Risk Determination
3.1 Document the presence of key security controls in your organization
3.2 Set the likelihood and impact to determine Risk Rating
3.3 Set the severity of the impact if the threat were to successfully
exploit the vulnerability(s)
3.4 Review control, likelihood, and impact values for consistency
3.5 Manage Documents

4 Risk Response & Decision

4.1 Determine Risk Threshold
4.2 Select a Risk Treatment type for a risk
4.3 Evaluate Risk Treatment Alternatives in terms of Effectiveness and Feasibility
4.4 Calculate Residual Risk Level
4.5 Implementation Planning – Plan course of action for controls
4.6 Risk Action Plan – Implement and complete course of action
4.7 Reconcile the Project Residual Risk with the Actual Risk when controls are implemented

5 Documentation & Auditing

5.1 Generate Asset Inventory Reports
5.2 Generate Risk Rating Reports
5.3 Generate Risk Response Reports
5.4 Generate Component Groups Reports
5.5 Add a new report version to create a “Version History” data snapshot. These
reports provide values for all of your Risk Assessment audits and reports in the
Clearwater software at a specific point in time
5.6 Generate organizational reporting that includes all entities across an Enterprise

16 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Accessing Clearwater Software – Logging In
Integrated Sign-On streamlines the login process by allowing you to access all Clearwater
Compliance Software Solutions from ONE, easy to use URL and website.

To log into your software, go to https://software.clearwatercompliance.com/login (right click

and choose open hyperlink) and select the Clearwater Compliance software product you’d like
to use from the drop-down list on the page, just above the log in. On the right side of the Single
Sign-On screen is the Clearwater Compliance News area. Here you will find the most up to date
Clearwater announcements, including the latest news in regards to Software Notifications and
Release Notes.

All users will automatically be logged out of the system after 30 minutes of
inactivity.

17 | IRM|Analysis® Software Manual - Version 5.1.6

If you cannot remember your password, click the Forgot Password link at the bottom left of the
login screen. Enter your email address in the appropriate text box and click Send. This will send
a system generated email with instructions for resetting your password.

Password Management

Clearwater’s IRM|Analysis® Software comes complete with several default password

settings to ensure all credentials are strong and secure. For all editions, a new organization
has the following default password requirements:
• A password must contain 8 characters
• A password must contain a combination of upper and lowercase
alphabetic characters, numbers, and special characters (e.g. !, @, #,
$, etc.)
• The last five passwords are remembered and cannot be reused when
changing your password
• All Users will automatically be logged out of the IRM tool after 30 minutes
of inactivity
• All passwords will be converted to a salted password in the database (if necessary)
• Analysts can only change their own password once per day
• Password Aging - Passwords for all user(s) will expire after 90 days
• There are no PW length limitations

18 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Account Owner: Edit an Existing User or Reset a User’s Password

As an Account Owner, you can edit an existing user’s profile and reset their password. To edit
an existing user or reset their password, access the User List screen by selecting the Manage
Account link from the main menu and the User Management link from the submenu. Click on
the user record you wish to edit, which will highlight. Then click the pencil icon (Edit selected
row) at the top of the Users List.

This will bring up the Edit User Page allowing you to modify user information or reset the user’s
password. To reset a user’s password, scroll down about half way to the Password Management
section of the page.

19 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Analyst: Change your Password
All Analysts can change their password once they have logged into the software. To change your
password, click the Manage Account link in the main menu and then the Profile link in the
submenu. Enter a new strong password, confirm it, and click Save. NOTE: As an Analyst, you can
only reset your password once per day.

20 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Quick Start Guide: Manage Account
Entity and User Management can be accessed in the main IRM|Analysis® Software Menu by
clicking on the Manage Accounts link on the left.
• Profile - The current user’s assigned role will display along with permissions
• Physical Locations – Manage Physical Locations
• Entity Management – Manage Entities for which you will be performing a Risk Analysis
 Entity List – Add or Edit Entities associated to your account
 Entity Tags – Add or Edit Entity Tags for grouping, filtering and searching
 Entity Tag Categories – Add or Edit Tags Categories for grouping filtering and
reporting
• User Management -- Manage the Users that will have access to the IRM|Analysis®
Software
 User List – Manage the users in your account and their association to your
entities
 Manage Roles – Manage roles and determine what access each role should
have
 User Assignment – Assign users to roles – per product and/or entity
 User Import – To add multiple users at one, utilize the User Import Template
• Security Settings – Manage how often passwords will expire

21 | IRM|Analysis® Software Manual - Version 5.1.6

The first item in Manage Account menu is Profile. The customer will use this page to update
their profile and also to change their passwords. This will be the current user’s profile and will
display along with a description of the capabilities/permissions for that role. The following
fields for the current user are displayed:

1. First Name (required)

2. Last Name (required)
3. Title
4. Email Address (required)
5. PW (required)
6. Confirm PW (required)

You also have the option to Upload a Profile picture. If you choose to do this, it will take you to a
file explorer and you will select your file. It will upload automatically with further confirmations.

22 | IRM|Analysis® Software Manual - Version 5.1.6

Physical Locations are used to specify the locations of the components. They should be set up as
granular as possible. For example, if a server is in a server closet, don’t just list “Data Center” but
create a Physical Location that specifies the closet and locations within the Data Center. The
Physical Locations that you see are only those that have been set up for the current entity within
which you are working. You can also see the date it was created and the date it was last updated.
You may sort on any column on the page by utilizing the up and down arrows in each column
header. The Page Info help on this page also contains the following information.

Add a new Physical Location

Choose the Blue +New button. The

Location dialog will pop up. You can name
the locations and also give it an
abbreviation. After filling out your desired
fields, press the Save button to add the
Physical Location to the list or choose
Discard to cancel.

Edit a Physical Location

To edit a Physical Location in your list, click its row to select it, then press the Edit button. The
Edit a Location dialog will appear, which lets you modify the name of the location and its
abbreviation. Within the Edit a Location dialog, press the Save button to save your changes or
Discard to cancel them.

23 | IRM|Analysis® Software Manual - Version 5.1.6

Physical Locations created apply only to the current Entity (selected in the dropdown list in the
upper-right area of the screen). But you can copy Physical Locations to other Entities and use
them for those Entities' assets as well. Note that only Enterprise Account Owners may copy
locations to other entities, so the Copy... button will be enabled only if you are an Enterprise
Account Owner.
To copy a location, click its row to select it, then press the Copy... button. The Copy Location to
Entities dialog will appear, which lists other entities to which you may copy the selected
location. Within the Copy Location to Entities dialog, select the checkbox of each entity to
which you'd like to copy the selected location, then press the Copy button. If you change your
mind and don't want to copy the location, press the Cancel button.

Delete a Physical Location

To delete a location, click its row to select it, then press the Delete button. Note that you
cannot delete a Physical Location that has been specified as the location of a component. If the
Physical Location is eligible for deletion, the Delete? confirmation dialog will appear, which asks
you to confirm that you really want to delete the location. Press the Yes, delete it button to
delete the location or Never mind to keep it.

24 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Entity Management
If you have purchased an Enterprise Subscription for IRM|Analysis®
Software-as-a-Service product, you should setup each of the entities for
which you will be performing a Risk Analysis before you begin adding assets
and start the risk determination process. In order to manage Entities, you
must have Enterprise Account Owner privileges (see the Manage Users
section below). To manage your Entities, click on the Manage Account link
in the program menu on the left of the page, then select the Entity
Management link in the submenu that appears below the program menu.

This will display the Entity List, allowing you to Add, Change, or Delete the Entities for which you
will be performing Risk Analyses.

You can filter at the top of the list by clicking in the Search field and begin typing. The entity
names will narrow to what you have put into the search box. This will quickly help you narrow
your results. For information on how to use Search, go to Appendix C – How to Use Search. To
clear your Search terms and reload the full Entity List again, simply backspace out of your search
terms.

25 | IRM|Analysis® Software Manual - Version 5.1.6

To add a new Entity, click on the +New icon, in the

upper left corner, above the Entity List. This will
cause the Create Entity dialog to appear and allow
you to enter relevant information about this
particular Entity.

Fields are as follows:

1. Entity Name (required)
2. Industry Type (required)
3. Number of Employees
4. City
5. Street
6. Zip
7. State (required)
8. Selected Products (minimum of 1 required)

Once you have supplied the required information, you will click the Save button to add this Entity.
If you no longer want to add it, choose Cancel in the lower right of the page.

26 | IRM|Analysis® Software Manual - Version 5.1.6

To edit, begin by clicking on the Entity

you wish to edit, which will highlight that
Entity, then choose the Edit button at the
top of the Entity List. This will bring up the
Edit Entity Dialog allowing you to modify
or update information. After updating
the appropriate information, click the
Save button to save your changes. Click
Cancel to return to the Entities List
without changing Entity data. Here you can also choose to include or exclude the entity from
Enterprise Extracts, Snapshots and Global Reports and Dashboards.

Entity List – Delete an Entity

To delete an Entity, begin by

clicking on the Entity you
wish to delete, which will
highlight this entity. Then
click the Red trash can icon
(Delete) at the top of the
Entity List. If the entity is set
as a parent, it may not be
deleted.

This will bring up a Warning box. You will choose to delete the Entity or you may cancel the action.

Be aware that if you choose to delete an Entity, it is removed from:

1. Entity List
2. Dropdown lists throughout the system
3. Assign Roles section of the Add User/Edit User form in User Management
4. Permissions Form in Manage Roles

27 | IRM|Analysis® Software Manual - Version 5.1.6

On the Entity Tags page, you can Add Entity Tags and Entity Tag Descriptions that
can be used to group Entities together. Entity Tags can be grouped using Entity Tag
Categories and be used for filtering and reporting purposes. You can also Delete and
Edit Entity Tags.

To add a new Entity Tag, choose the +New button, which will pull up a fillable form
with the fields Name, Description and Entity Tag Category. Categories include
Department, Line of Business and Region/ Division.

To edit an Entity Tag, choose the Entity Tag you wish to edit and choose the Edit
button. This will pull up the same fields that are available when adding an Entity
Tag.

To delete an Entity Tag, highlight the desired Entity

Tag and choose the Delete button. You will receive a
pop up warning. Choose Yes to continue or Cancel to
stop.

28 | IRM|Analysis® Software Manual - Version 5.1.6

To edit an Entity Tag, choose the Entity Tag you wish to edit and choose the Edit
button. This will pull up the same fields that are available when adding an Entity
Tag.

To delete an Entity Tag, highlight the desired Entity

Tag and choose the Delete button. You will receive a
pop up warning. Choose Yes to continue or Cancel to
stop.

29 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
User Management
There are four (5) different types of users within the IRM|Analysis®
Software-as-a-Service product.
1. Enterprise Account Owner
2. Analysis Entity Account Owner. This role has full access to enter
data and edit options for assigned Entities
3. Analyst, who has the ability to enter data but no access to options
or settings
4. Analysis Read Only, who has view only access to dashboards and
reports
5. Custom Roles – These allow our organization to customize access
and permissions for individual roles that might fall outside
predetermined roles.

The first Account Owner for the product is setup by Clearwater Compliance staff when the
account is originally provisioned. This initial Account Owner may then setup as many other
Enterprise Account Owners and the various Analyst Roles as they deem necessary. There are no
limitations on either the number of Account Owners or Analysts an individual account may have.

To better understand whether a user should be setup as an Enterprise Account Owner or Analyst,
here is a list of the additional administrative functions that an Enterprise Account Owner can
perform which an Analyst role cannot:
• Add, edit or remove additional Account Owners
• Add, edit, or remove other Analysts
• Reset passwords for Enterprise Account Owners or Analysts
• Add new or remove existing report versions on the Version History Page
• Manage User Permission Roles
• Utilize Custom Password Security Settings

For more information on permissions, please see Appendix M – User permissions based on role

User Management can be accessed in the main IRM|Analysis® Software

menu on the left. This will display another submenu that includes User
List, Manage Roles, User Assignment, and User Import. These pages will
allow Enterprise Account Owners to add, change, or delete users, assign
or remove Entities and users have access to, or reset passwords.

30 | IRM|Analysis® Software Manual - Version 5.1.6

The User List displays a summary of names, email addresses, and phone numbers for current
users of the software. A user with administrative privileges (such as an Enterprise Account
Owner) may Add, Edit, or Delete users, reset user passwords, and create or modify user roles
across products and entities based upon the number of product licenses purchased by the
Company. If you are an Enterprise Account Owner, you will see all current users that have a role
assigned. If you are in any other role, Enterprise Account Owners are filtered out of the list and
cannot be viewed.

31 | IRM|Analysis® Software Manual - Version 5.1.6

As an Account Owner, you can add an unlimited number of users to the IRM software. To add a
new user, access the User List screen by selecting the Manage Account link from the main menu
and the User Management link from the submenu and then select User List. Click on the plus sign
icon (Add new row) in the upper left corner of the Users List, as shown in the image below:

This will cause the Create a New User

Page to appear and allow you to enter
information about this user.

1. Start by entering the user’s first name, last name, email address, Job Title, and
phone number.

2. These are the required fields (denoted by a red *) for adding a New User.

3. If you wish to make this user an Enterprise Account Owner, click the Enterprise Account
Owner checkbox. This will cause the Assign Roles portion of this page to disappear, since
Enterprise Account Owners have access to any and all Entities that may have been setup.
To make this user an Analyst, rather than an Account Owner, leave the Enterprise
Account Owner checkbox unchecked.

4. Select all entities or a specific entity from the entities list box in the Assign Roles portion
of the page. (The entities that appear in this list are those that were previously setup
following the instructions described previously in Entity Management). Selecting a
specific entity will mean that this user will only be able to view or edit Risk Analysis values
and reports for this entity. If you wish to provide this user access to more than one entity,
simply select all additional entities using the check boxes on the right of each row. Each
time an entity is selected, they will be added to the list of entities this user can access.
Once a user has been associated with his/her entities, they will appear on the Edit User
screen under the Assign Roles section. To remove any user’s association with an Entity,
change the drop down under each column to No Access and click the save button in the
lower left of page.

32 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
5. Once you’ve either checked the Enterprise Account Owner checkbox or selected the
entities that you want to give this Analyst access to, you will need to set a strong
password for this user. A strong password is one that contains a minimum number of
characters (8) with a combination of upper and lowercase alphabetic characters,
numbers, and special characters (e.g. !, @, #, $, etc.). While you can create this password
yourself, clicking the Generate Random Password link will generate a strong password
for this user automatically. Clicking the Show Password link will show the password the
system generates. When you click the Save button, the information for this user will be
saved and the user will be notified by email that their account has been created. The
password you created, or that you let the system generate, will be included in this email.
As soon as the user logs into this application the first time, however, the user will be
asked to immediately change their password.

33 | IRM|Analysis® Software Manual - Version 5.1.6

As an Account Owner, you can delete an existing user’s profile. To delete an existing user, access
the User List screen by selecting the Manage Account link from the main menu and the User
Management link from the submenu. Click on the user record you wish to delete, which will
highlight this user. Choose the trash can icon Delete button at the top of the user’s list. Click the
delete button to confirm deletion or cancel to keep this user.

Manage Roles (Custom and Default)

Manage Roles allows you to control access and permissions available to each user.
Users may be assigned to a single role across one or more entities, or to a different role for each
entity to which they have been given access. Roles govern all actions a user is able to take within
the software, from the ability to view screens, to editing data to performing administrative tasks.
Select New to create a new role. Enter the desired Role Name (required) and Description
(optional) in the appropriate fields and click Create.
System-generated Roles may not be edited. Select a Customer Created Role for editing by clicking
on the row and editing the Role name. Edit the Name and Description as desired and then click
Update.
Delete a Role by clicking on the row containing the Role you would like to delete, and then click
Delete. A confirmation prompt will display. Confirm the deletion by selecting Delete in the dialog
window. If a role is deleted, all users previously assigned to that role will default to a null status
and will need to be reassigned to an existing role with appropriate permissions.
Edit Permissions allows you to further customize the permissions available to both Custom and
Default Roles. Select the row of a Role you wish to customize, and then click the Edit Permissions
tab.

34 | IRM|Analysis® Software Manual - Version 5.1.6

Editing permissions within roles allows you to decide what pages/screens Custom and Default
roles have access to view and/or update. To edit permissions within roles, first access the Role
List by selecting the Manage Account link from the main menu and the User Management and
Manage Roles links from the submenus. Select the current role name for which you like to edit
permissions and click the Edit key.

The Edit Permissions screen will allow you to select permissions based on the main menu or
submenu level. The initial screen you will see will let you select permissions at the main menu
level. Notice how each option lines up with the options on the IRM|Analysis® Main Menu:

You have three operations when determining access:

• Update (full editing and viewing capability)
• Read Only (view only; unable to edit or make any selections)
• None (unable to access or view screen)

35 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
If you select for a role to have access at the main menu level, that role will have that same
access for each of the submenu pages that lie within that main menu option. For example, if
you select for a role to have Update access at the Dashboard Main Menu level, they will have
Update access to ALL Dashboards. To assign role permissions at the main menu level, select the
push button for the operation you would like that role to acquire. To determine access at the
submenu level, click the blue + icon to the left of the Module column. This will expand out the
submenu options that lie within the main menu.

To assign role permissions at the submenu level, simply select the push button for the
operations you would like that role to possess.
If you have an Enterprise Subscription to the IRM tool, you can determine permissions based on
an entity. From the Edit Permissions page, click the blue + symbol to the left of the Permission
column to expand out your available entities.

36 | IRM|Analysis® Software Manual - Version 5.1.6

To assign a user to a Role (Custom or Default), first navigate to the Assign Users to Roles screen
by selecting the Manage Account link from the main menu, followed
by the User Management and User Assignment submenu links.

Click the dropdown menu for the appropriate person and select the Custom or Default Role
name. Follow these same steps to edit a person’s current role.

You may also assign multiple personnel to a role at once by using the multi-select feature. Simply
click the checkbox on the right for each individual you would like to be assigned to a particular
role and select the role name from the purple Selected Rows dropdown menu for a selected
individual.

To add all personnel to a particular role, select the checkbox at the column level then select the
appropriate role from the dropdown box.

37 | IRM|Analysis® Software Manual - Version 5.1.6

To edit a Default role name, first access the Role List by selecting
the Manage Account link from the main menu and the User
Management and Manage Roles links from the submenus.

Select the current role name you would like to edit to highlight, and then click Edit.

When the Edit Record dialog box opens, enter

the desired Role Name and Description
(optional) in the appropriate boxes and click
Update.

38 | IRM|Analysis® Software Manual - Version 5.1.6

To delete a Default or Custom role, go to the Role List by selecting the Manage Account link from
the main menu and the User Management and Manage Roles links from the submenus. Select
the current role name you would like to delete to highlight, and click the trash can icon. Confirm
the deletion by selecting Delete from the dialog window, or cancel to keep the Role.

If a role is deleted, all previously users assigned to that role will default to a null
status and will need to be reassigned to an appropriate role.

39 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Quick Start Guide: Framing and Governance
Framing/Governance can be accessed in the main IRM|Analysis® Software menu by
clicking on the Framing/Governance link.

There are seven (7) items in the submenu:

• Risk Threshold – This is the Risk Tolerance set by your organization and reflects the overall
volume of Risk that you will withstand.
• Likelihood Settings – Scale of 0-5 of the likelihood that each vulnerability and threat could
occur.
• Impact Settings – Scale of 0-5 of the overall Impact or harm your organization would incur
if the vulnerability or threat were to occur
• Version Frequency – How many times a year you would like an automatic version history
to be saved.
• Custom Controls – Security Controls reflecting elements that are unique to your
organization.
• Control Tags – Control Tags are used to group records together for easier filtering and
reporting.
• RTO/RPO Settings – Setting your Recovery Time Objective (RTO) Settings and Recovery
Point Objectives

40 | IRM|Analysis® Software Manual - Version 5.1.6

Determining the Risk Threshold is part of the Risk Framing process described in the National
Institute of Standards and Technology Special Publication (NIST) 800-39. Risk Threshold is
related to Risk Tolerance, which is the overall volume of risk that an organization will withstand.
The chart below is one way of showing the organization’s risk burden. It is designed to help you
in the selection of a specific Risk Threshold. In addition to the chart below, you should consider
the organization’s tolerance for business, legal, regulatory, operational, financial and human
risks.

Setting the Risk Threshold helps identify risks for which specific responses are needed. Risks
below the threshold might be accepted. Risks equal to or above the Threshold will require Risk
Treatment, which is defined in the Risk Response phase. The organization should consider
exceptions to the identified Risk Threshold that are in keeping with the overall Risk Strategy and
in response to evolving and emerging threats.

To Accept different levels of Risk Ratings, or to set a specific Risk Threshold, select the Risk
Threshold Value from the drop-down box in the top right corner of the screen. The histogram
will then update the Report’s display, and Risks with values less than the threshold you have
chosen will be green.

When you select a different Threshold Value other

than the default, which is reflected as 10 (ten) (with
the Threshold dropdown box only displaying
“Select”), you will be prompted to confirm you are
intentionally selecting to Accept only those Risks
with a Risk Rating less than the Threshold number you have chosen.

The graph will not change the default coloring of the Risk Ratings in the system until you
confirm that you want your Risk Threshold to change. When you first go to the Risk Threshold

41 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
page, the graph does not reflect any Risks as being ‘Accepted’. However, once a Risk Threshold
value is chosen, then the graph will update to reflect the new value by coloring all Risk values
within the Threshold range in a light gray shadow. See the example of a Threshold of 6 selected
in the example below.

Each time you select a new Risk Threshold value, you will be reminded that all Risks less than
the selected value will be marked as Accepted.

A key will display below the chart to show the color, category and Risk Rating numbers for each
of the categories. The key will include the background color used to indicate Accepted Risk.

Standard Guidelines are:

• Green = Low Risk: 1-7
• Yellow = Medium Risk: 8-14
• Red = High: 15-24
• Purple = Critical: 25
• Gray = Accepted Risk

42 | IRM|Analysis® Software Manual - Version 5.1.6

When completing a Risk Determination for each identified risk, the user is required to select a
value for the Risk Likelihood. The options are presented in a dropdown list from which the user
may select in a number of places in the software. Here you can edit your Risk Likelihood
examples and percentages. To Edit, select the row to be edited by clicking on it and it will
highlight.

Choose the edit button. A pop-up will display with the fields that may be edited. Make your
edits, and then choose Edit to save or Cancel to go back to Likelihood Settings.

After that row is edited, the system will generate a date and
timestamp for the Last Update Column for that row.

43 | IRM|Analysis® Software Manual - Version 5.1.6

When completing a Risk Determination for each identified risk, the user is required to select a
value for the Risk Impact. The options are presented in a dropdown list from which the user
may select in a number of places in the software.

Clearwater Compliance has included a default scale and examples which are used by many
organizations. Defining the scale for Risk Impact is part of your organization’s Information Risk
Management Strategy and Framing processes.

You may edit the Example, Records Lost, Financial Impact, and Lost Productivity Hours
fields/columns. To edit, select the row to be edited by clicking on it. The row will highlight
green.

Choose the edit button and a pop-up will display with fields you can edit.

Change the appropriate fields to your custom setting and click Edit to save or Cancel to return
to Impact Settings and discard changes.

44 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Under the data table for Impact Settings, a separate panel will display titled Breach Cost.

This is to help you determine what the cost will be to your organization should a breach occur.
These values will display in the Risk Questionnaire Form. This data is not currently used
elsewhere in the software, but will be part of a future release.

45 | IRM|Analysis® Software Manual - Version 5.1.6

Version History is a snapshot of your data. Here you will choose how often you would like the
software to automatically save that snapshot. When an entire risk analysis is complete, a
version (snapshot) of the data should be created by the user. Data, and reports will be saved in
the snapshot and may be retrieved from the History drop down. Version History can provide a
baseline for the organization to track their progress and changes.

By default, the software automatically creates a version snapshot once a year. Automatic
snapshots may be saved more frequently by changing the setting on this screen. Options
include: Every Month, Every Quarter, Twice a year, and Once a year.
• Every Month, snapshots are created on the 1st of the month
• Every Quarter, snapshots are created on 1/1, 4/1, 7/1 and 10/1
• Twice a year snapshots are created on 1/1 and 7/1
• Once a year snapshots are created on 1/1

If there are multiple entities associated with the account, the Enterprise Account owner may
elect to apply the version frequency setting to the current entity, or may choose to apply the
version frequency setting across all entities.

Manually initiated snapshots can be created at any time in the Reports -> Version History area.
This setting only applies to the frequency of the scheduled automatic snapshots. After selecting
a frequency setting, click the Save button. If you have recently completed a Risk Analysis is very
important to capture a Version Frequency.
If there are multiple Entities associated with the account, updating the Version Frequency
setting on this page will automatically update it for all the other Entities for Risk Analysis. This is
a subscription level setting by product type. All Entities associated with an account will have the
same Version Frequency setting.

46 | IRM|Analysis® Software Manual - Version 5.1.6

While the Clearwater Compliance software provides a very extensive list of security Controls,
you may want to create custom controls reflecting elements that are unique to your
organization. You can add custom controls here, and on both the Risk Questionnaire Form and
the Treat and Evaluate Form in Risk Response they will be available in a dropdown to add. They
will display on this list for editing and management. Custom Controls and their descriptions can
only be entered here.

To Add a new Custom Control, select the New button above the table.

This will display a pop-up box where you can enter a Control Name and Description.

There are safeguards in place that prevent you from entering duplicate custom controls. If a
Control is already in place with the same name, you will get this message: A custom control
with name ex: "URL Filtering" already exists for this location. Otherwise, you will choose create
and your new Custom Control will display at the bottom of the list.

47 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
One of the primary functions of this page is editing Custom Control names and descriptions. To
Edit an existing Custom Control, select the control name row that you would like to edit, which
will highlight it, then choose Edit. (Note that you may only choose one row at a time to enable
the edit or delete buttons).

Click Update to save your changes, or x out in the upper right corner of the box to go back to
Custom Controls.
You may also delete Custom Controls by choosing the Delete button above the list. If you are
deleting a Custom Control that has values populated elsewhere in the software you will receive
a warning.

If you choose Yes, this will remove this Control on the Controls Review and on the Risk
Response List. Caution should be shown in removing Custom Controls and how this might affect
previously entered risk information such as Risk Ratings.

48 | IRM|Analysis® Software Manual - Version 5.1.6

You can add Control Tags and Control Tag Descriptions which is useful for grouping, filtering,
and searching for information as well as for reporting. Use Control Tags to group Controls by
project, program or team. Control Tags are found in many places throughout the software, and
this screen provides an efficient method to view, add, edit and delete Control Tags and
descriptions (optional).

To add a new Control Tag, choose the New button.

The Create New Control Tag pop-up will come up and you can enter a Control Tag and a
description.

Choose Save to continue and you will now see that Control Tag listed. When you are in various
stages of your Risk Analysis process, these Control Tags will be options for you to utilize. Use
descriptions that are easily understood across your organization. For example, you can use
them to describe physical locations which can help you group together Controls that apply to a
specific office.

49 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
You can also Edit and Delete Control Tags. Editing a Control Tag will edit it across the software.
If you choose to delete the Control Tag, it will be completely removed throughout the software
and you can’t reverse this action. You will receive a pop-up warning.

You may also export any or all of the Control Tags, by clicking on the desired rows and using the
Export function at the top right of your page.

50 | IRM|Analysis® Software Manual - Version 5.1.6

The RTO & RPO (Recovery Time Objective and Recovery Point Objective, respectively) page allows
you to describe values that can be assigned to assets. While there are default values, you may
opt to describe/change the settings across all entities, or you may allow each entity to set their
own descriptions. There are 6 Tiers for each that can be assigned to assets. The lower the tier
number, the shorter the RTO or RPO.

You may edit your RTO or RPO tiers by choosing a row and then selecting Edit.

If you are an Enterprise Account Owner, you may also decide whether you want the descriptions
and examples you define here to apply to all entities in your organization and whether than can
be edited at the entity level. To make these choices, choose a row and then press the Options
button. Set or clear the appropriate checkboxes to control if these choices are going to be applied
globally or if they can be overridden at each entity level. These changes will go into effect
immediately. Other roles within the organization will be unable to override these changes.

51 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Quick Start Guide: Dashboards
Dashboards can be accessed in the main IRM|Analysis® Software menu by clicking on the
Dashboards link in left navigation.

The Dashboards are:

• Governance
 Governance at a Glance – Depicts how well your company is managing risk
overall
 Governance at a Glance Single Entity – Depicts how well your company is
managing risk for a specific entity
 Governance Risks – Depicts your organization’s overall exposure to significant
risks
 Governance Control Gaps – Depicts deficiencies in security controls
• Risk Manager
 Risk Analysis Progress – Indicates the percentage of entries that have been
completed
 Control Deficiencies for Risks >= Threshold – Depicts percentage of how well
your organization is implementing controls to avoid risk
 Risk Response Progress for Risks >= Threshold – Indicates the percentage of
Risks above the threshold and the progress in Risk Response
• Charts and Graphs
 Rating Distribution by Asset – See highest Risk categories at a glance
 Risk Rating Trends – Depicts the average Risk Rating for an Asset over time

52 | IRM|Analysis® Software Manual - Version 5.1.6

The Governance Dashboards provide a minimal essential set of measures to oversee your
information risk management program. Because they contain so much key information, they
have their own Business Use Guide. Please see the screenshot below, which shows you where to
find the BUG.

53 | IRM|Analysis® Software Manual - Version 5.1.6

These dashboards show how well you are managing your risks and the overall progress of your
Risk Analysis. They are also included in the Business Use Guide.

Charts and Graphs Dashboards

There are currently 2 charts and graphs. Because the Governance and Risks Dashboards have
replaced many of these, many were sunset. Here, we will cover Rating Distribution by Asset and
Risk Rating Trends. These are not covered in the Dashboards Business Use Guide.

54 | IRM|Analysis® Software Manual - Version 5.1.6

The Rating Distribution by Asset Dashboard can be used to visually see each asset and its rating
dispersion by rating category (low, medium, high, critical). It includes each asset and the
number of risks in each category.

There is a navigational option in the Rating Distribution by Asset Dashboard. You can click on
the hyperlinked number on the bar chart for each asset and another browser tab will open
displaying the Risk Rating Detail Report for all of the Media/Label combinations for that Asset
for the rating you clicked.

The colors used on the Risk Rating Scale are determined by the severity of the risk presented
based on the answers provided by the user. Using the "Risk Rating for this Threat/Vulnerability
for the Media/Asset(s) Listed Above" section of each page in the questionnaire, a number is
calculated by multiplying the Risk Likelihood and Risk Impact.

The colors assigned are coordinated as follows:

• A Risk Rating score of 0 will leave the value on the report a blank white of "No Risk".
• A score of 1 to 7 will result in a "Low" risk and Green.
• A score of 8 to 14 will result in a "Medium" risk and be Yellow.
• A score of 15 to 24 will result in a "High" risk and be Red.
• A score of 25 will result in a "Critical" risk and be Purple (magenta).

When browsing the final Rating Distribution by Asset Dashboard, these color-coded sections
will allow the user to quickly and easily identify the assets in an alphabetic order and grasp
what assets have the most risks associated to them and which of these are in need of attention
(red and purple coded areas of bar chart).

This dashboard is primarily designed for management oversight. Most of the analysis
performed in the software is at the level of the media/asset groups and not individual assets.
This dashboard is for the entity the user has selected and does not provide data across entities.

To print a copy of the graph or to export to a variety of images (.png, .jpeg, .PDF, .svg) just go to
the upper right corner of the page and click on the tri-bar menu to display the selection of
choices.

55 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
A filter icon is located at the top on the right side of the page above the tri-bar icon. To limit
the amount of information displayed, simply click on the filter icon and begin typing the asset
name in the Assets dropdown text box – a drop down list will assist you with choosing the asset(s)
you want displayed on the dashboard. You may also select the number of assets to display on the
page – the choices are: All, 5, 10, 15, 20, or 25. Once a selection has been made, the page will
redisplay with the applicable information. If filter information is present a ‘clear filter’ icon will
appear . Clicking this icon will erase any selections and redisplay the original bar chart with all
assets and all rows.

There is also a version history selector on the top right side of the page . This selection
dropdown allows you to choose to see the rating distributions for a particular point in time

just by placing the cursor on one of the dropdown items and clicking, the report
will regenerate with the assets and their ratings for that time period.

56 | IRM|Analysis® Software Manual - Version 5.1.6

The Risk Rating Trends Dashboard can be used to visually see each asset and its rating
fluctuation over time. The ‘over time’ parameter is based on the version frequency you selected
on the Framing/Governance > Version Frequency page or you can also capture a version by
going to the Reports > Version History page and adding a snapshot for the current day and
time. Each asset and the rating number assigned at the time the snapshot for the version
history was recorded is included in the graph.

The dashboard is interactive as it allows you to choose which assets are shown. By scrolling to
the bottom of the page you can see the list of your assets.

The asset names that are bolded are the ones shown in the graph. To change the view, click on
a bolded asset to remove and then click on a non-bolded (grey) asset to add. Each asset has its
own corresponding legend and by default the first five (5) assets are plotted on the chart and
bolded in the legend/key. Assets in the graph are for the current entity only and only those
assets with at least one (1) risk rating are available to be shown.

Hovering over a data point in the graph on a particular trend line will display the date and time
of the snapshot as well as the rating number for the asset at that point in time. Asset / Risk
combinations that do not have a rating (N/A) or have a rating of zero (0) are excluded from the
trend bar graph.

This dashboard is primarily designed for management oversight. Most of the analysis
performed in the software is at the level of the media/asset groups on not individual assets.
This dashboard is for the entity the user has selected and does not provide data across entities.

57 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Quick Start Guide: Assets
Assets can be accessed in the main IRM|Analysis® Software menu by clicking on the Assets link
on the left navigation panel.

There are 3 items in the submenu.

• Asset Inventory List – View, Add, Edit, Delete Assets or Change Asset Status
 Asset Inventory Form – Enter Assets and Related Components, geared for the
more experienced customer
 Asset Inventory Wizard – Step by Step detailed instructions to help you create
your Asset Inventory, which is helpful for new customers
 Asset Status - Use this if you want to change the status of an Asset, or multiple
Assets
• Asset Inventory Import – Use an Excel Template to upload many assets at once, rather
than adding them one by one
• Component Groups – Group your Components and Assets into categories of similar
controls and threats

58 | IRM|Analysis® Software Manual - Version 5.1.6

Performing an accurate and complete inventory of the systems and

devices to be included in the scope of your Risk Analysis is a fundamental
starting point for the rest of the Risk Analysis process. In performing a
Risk Analysis to comply with 45 CFR § 164.308(a)(1)(ii)(A) of the HIPAA
Security Rule, you will need to specifically include all Component Types
used by your organization to create, receive, maintain (i.e. store), or
transmit electronic Protected Healthcare Information (ePHI).
(NISTSP800-39, p.1)

While referred to as an Asset Inventory, it is not so much an inventory, in the traditional

accounting sense of the term, as a listing of the applicable applications, software, and
associated Component Types. Accordingly, you will not be counting the desktop
computers, servers, terminals, and other items used to support your ePHI infrastructure
as you would when performing a typical fixed assets inventory.

Additional guidance as to what should be specifically included or excluded in your

Asset Inventory is provided below:

59 | IRM|Analysis® Software Manual - Version 5.1.6

These are examples and not all-inclusive. Please see Component Types (page 64, No. 4) for more
detailed information on each one.

1. Internally or externally hosted applications, databases, and file stores that create,
store, transmit, or receive ePHI. This should include any applications, databases, or
file stores that are hosted by third-party service providers on the Internet (i.e.
“Cloud-based”). Examples include:
a. Electronic Medical Records (EMR) Applications
b. Clinical Management Systems (Emergency Room, Obstetrics, Pharmacy,
Outpatient, and Laboratory systems, etc.)
c. Practice Management Systems
d. Claim adjudication and payment systems
e. Data Warehouses and reporting systems
f. File servers (e.g. shared network directories, Sharepoint, etc.)
g. Email programs
2. Networks that your organization uses to exchange ePHI with other covered
entities or business associates, but only if your organization is responsible for
establishing and maintaining these networks, and thus could have ePHI related
to these networks stored within your company’s infrastructure. Examples of
such networks would include:
a. Electronic prescription networks (Emdeon’s eRX, Surescripts, etc.)
b. Health information exchange networks (Cerner, Indiana Health, etc.)
c. Medical Claims networks (MultiPlan, Verisk Health, etc.)
3. Medical devices that store ePHI. Examples include:
a. Radiological devices (X-ray, ultrasound, and MRI machines, etc.)
b. Pharmacy dispensing cabinets (Omnicell cabinets, Pyxis Med Stations, etc.)
c. Laboratory devices (DNA sequencer, hematology analyzer, etc.)
4. Multifunction printers and/or facsimile machines with hard drives or solid-
state drives that can store any ePHI that is scanned, copied, or printed.
5. Backup media that store ePHI, such as tapes, floppy disks, CDs, DVDs, smart
cards, USB keys, external hard disk and solid-state drives, smartphones,
personal digital assistants and other portable storage devices.

60 | IRM|Analysis® Software Manual - Version 5.1.6

1. Applications, databases, and file stores that do not create, store, transmit, or
receive ePHI.
2. Networks your organization uses to exchange ePHI with other covered entities
or business associates which have been established and are maintained by
other third parties. For example, networks maintained by an EMR vendor as
part of their application to exchange medical records with other providers.
3. Telephones and facsimile machines that do not store what is transmitted.
4. Individual spreadsheets, documents, and other files: for example, Word
documents or other MS Office file assets, such as documents that are exported
by company systems that maintain or manage ePHI-related information. These
will be covered by the workstations or servers on which they reside.

Asset Inventory List

Creating an Asset Inventory is a critical step in completing a bona fide Risk Analysis. An asset is
a business application, system or solution that creates, receives, maintains or transmits
sensitive information, such as Protected Health Information (PHI), personally identifiable
information (PII), payment card data, company proprietary business plans or financial data, etc.,
the confidentiality, integrity and availability of which must be safeguarded for the sake of
overall business risk management.

61 | IRM|Analysis® Software Manual - Version 5.1.6

Assets can be accessed in the main IRM|Analysis® Software menu on

the left, and you will see Asset Inventory List in the submenu. The
Asset Inventory List page displays all current Asset names and
descriptions entered by the Account Owner at your organization.

Columns in Asset Inventory List are:

1. ID Number
2. Asset Name
3. Asset Description
4. # of records
5. Owner
6. Inherited from (if an EH customer)
7. Created Date
8. Modified Date
9. Created By
10. Updated By
11. Status
12. Multiselect (can only be used to delete multiple Assets or change Asset Status at
once)

To add a new asset using the standard form, click on the New + icon in the upper left corner of
the Asset Inventory List, and choose via Form.

62 | IRM|Analysis® Software Manual - Version 5.1.6

This page should be completed as follows. (All fields are optional except Asset Name)

1. Asset name (required) - Provide a name for the information asset or application
containing ePHI. This may be proper name, an acronym or a few words that describe the
system (e.g. EMR Application, Radiological PACS, Microsoft Exchange, etc.).
2. Asset Description – Provide a more detailed description of the asset that would describe
it to those who may not know its purpose (e.g. “The Electronic Medical Record (EMR)
application is the primary system used throughout the facility to maintain a history of all
individual patient medical conditions, the treatment that was provided, who provided
this treatment and when.”). Asset description can be useful in assisting with assignment
of the Responsible Person, who will be leading the Risk Response effort for this Asset, in
the Risk Response process
3. Type of Sensitive Data – You may select multiple types. These options are ePHI, PCI, PII,
Customer Confidential and Student Records (FERPA).
4. Component Types - This is a list of Components that create, receive, maintain or
transmit sensitive data. Select the specific Component type used by this asset by clicking
on the Component Type. More than one Component Type item can be selected by
holding down the Ctrl key when clicking on the item with your mouse. Some examples:

• Backup – Backup is media (e.g. tapes, CDs, diskettes, etc.) and devices used for
secondary storage of the organization's programs and data. These include Backup
Media and Portable Storage Device

63 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
• End User Devices – Your selections include, Desktop, Desktop or Laptop, Digital
Camera, Diskless Workstation, Electronic Medical Device, Laptop, Pager, Scanners,
Printers, Copiers or Fax Machines, Smartphone and/or Tablet
• Infrastructure Devices – These will include Audio Recording System, Disk Array,
External Storage, Network Device, Platform-as-a-Service, Server and Video
Recording System
• Management – Management includes Security and Governance
• Medical Devices – Fixed Treatment and Diagnostic Device, Laboratory, Medication
and Supply Management, Mobile Treatment and Diagnostic Device, Pharmacy
Automation and Telemetry Device
• Networks – External Network, Internal Network – Wireless, and Internal Network
– Wired
• People – External User and Internal User
• Software – Application, Database, File Share, Interface – Interchange, Script and
Software-as-a- Service
• Third Parties – These are Contractors/Consultants

5. Importance of Asset – Here you will determine the Importance of an asset. You can
choose undecided, or rank them on a scale of 1-5 with 1 being Not important and 5
being Critically important. Keep in mind that this selection can drive risk impact rating or
the order in which Risk Determination is performed.
6. Number of end users and administrators – Include anyone who may have access to this
asset.
7. Recovery Time and Recovery Point Objectives – RTO is the maximum desired length of
time allowed between an unexpected failure or disaster and the resumption of normal
operations and service levels. RPO is the maximum acceptable amount of data loss
measured in time. Values are Tiers 0-5 for both. Your organization will determine how to
appropriately assign values to those Tiers.
8. Approximate number of sensitive records stored on this asset– Estimate the number of
ePHI records stored by this asset (e.g. number of patients, claims records, plan
members, employees, research subjects, etc.). This does not need to be an exact count
of the number of
records but should assist in considering the relative criticality of your different
information assets. Documenting this information will help later in considering the
impact to the organization if, for example there was a compromise to the confidentiality
of sensitive information. You can only enter a number into this field and you should omit
commas.
9. Source of Sensitive Information – Include any system or third party that inputs ePHI into
this asset. For example, the admissions, pharmacy management, and laboratory
management applications in a hospital would all provide ePHI inputs into an Electronic

64 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Medical Record (EMR) system. External referring physicians might also provide excerpts
of patient records that could be input into the hospital’s EMR system. The more inputs
you have to an asset the greater potential risk to the confidentiality, availability and
integrity of protected information. You will consider this when evaluating risk likelihood
during Risk Determination.
10. Destination – List all destinations for sensitive information coming from this asset,
including downstream systems and external parties.
11. Business Owner – You may choose from the list of names in the dropdown or choose to
use Freeform Data to enter a new name. Understand that entering a name with
Freeform data does not ensure that this person will have access. A user must have a
profile set up in order to make changes to the software. This person should have overall
responsibility for the business services and operations supported by this asset.
Preferably an executive responsible for approving resources to reduce risks or with the
authority to accept risks for this asset.
12. Component Groups – Formerly called Media/Asset Groups, these are used to aggregate
components (formerly Media).
13. Grouping Expert – Assets and Components should be placed into Component Groups
with other assets and components that share the same risk profile.
14. Update or Save Button
15. Asset Status – New assets, by default are categorized as Draft. It is helpful to know the
definition of all statuses.

• Enabled status – Assets are included in Component Groups asset listing, Risk
Determination, Risk Response and Reports.
• Disabled/sunset status – By choosing to move an asset to disabled/sunset status,
you will remove the asset from Risk Determination, Risk Response, and related
Reports. If you disable/sunset all assets within a component group, the
component group will no longer display.
• Pre-production status – You may designate assets as pre-production status for the
purpose of completing a risk analysis prior to implementation. Assets with a pre-
production status will be included throughout the complete risk analysis process,
through risk response and risk reconciliation. Reports may be filtered to exclude
assets in pre-production status.
• Draft status – The asset will appear in your asset list but cannot be acted upon in
other ways until it is changed to Enabled or Pre-production status. All new assets
are automatically categorized as Draft.

16. Add another asset after saving checkbox.

65 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Helpful Hint: Filling out the fields that are optional when adding an Asset allows
you to categorize them in your Risk Assessment and Risk Response phases later on during
the Risk Management process. In addition, the optional fields allow your company to
provide more information that will add credibility to your Risk Assessment and Risk
Management methodology in the event of an audit. While a number of fields are optional,
they help your organization give more thorough consideration to the consequences,
likelihood and impact of risks to your sensitive data.

Edit an Existing Asset

To edit an existing asset, click on the row containing the asset you wish to edit, then the Edit
(pencil icon) above the asset name.

This will take you to Edit Asset page which will allow you to then change or add information in
any of the fields reviewed above. Make the appropriate edits and click Save or Cancel to return
to the Assets Lists.

Deleting an Existing Asset

To Delete an Asset, first click on the row containing the asset you wish to delete. Then choose
the Delete button. This will open up a dialog box to ask you to confirm whether or not you wish
to delete this asset. Choosing Delete will delete it and choosing Cancel will return you to the
Asset Inventory List. You may also utilize the multiselect box in the final column to quickly
delete multiple Assets at once.

66 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Helpful Hint: If an asset is deleted, this will not change historical
versions of the data results that have been saved in the system. However,
you will no longer be able to use this asset in any Risk Determination or Risk
Response steps in the Security Analysis.

Change an Asset Status

To change an Asset Status, first choose the Asset you will change and choose the Asset Status
you would like. Multiple statuses may not be applied to the same Asset. You may choose the
multi-select box on the far right to update multiple Asset Statuses at once. Statuses are defined
as:

1. Enabled status – Assets will appear in Component Groups asset listing, Risk Determination,
Risk Response, and Reports.
2. Disabled/sunset status – by choosing to move an asset to disabled/sunset status, you will
remove the asset from Risk Determination, Risk Response, and related report screens. If you
disable/sunset all assets within a component group, the component group will no longer
display
3. Pre-production status– you may designate assets as pre-production status for the purpose
of completing a risk analysis prior to implementation. Assets with a pre-production status
will be included throughout the complete risk analysis process, through risk response and
risk reconciliation. Reports may be filtered to exclude assets in pre-production status.

67 | IRM|Analysis® Software Manual - Version 5.1.6

The Asset Wizard is an

alternative entry method for
your assets. It provides you
with step-by-step detailed
instructions as you create your
Asset Inventory. This option is
recommended if you are new
to the software. New users
who have not accessed the
Asset Inventory List previously,
or users who do not have any
assets listed in their inventory, will see the Asset Inventory Wizard Selector popup when your
first access the page or if you have 0 Assets in your account. You may simply close of the Wizard
and it will not display for the remainder of your session. Existing users with Assets displayed will
use the quick selector under the +New via Wizard in the dropdown as shown in the screenshot.

There are 5 steps in the Asset Inventory Wizard

1. Basics
2. Component Types
3. Importance
4. Details
5. Component Groups

Helpful Hint: All five steps of The Asset Inventory Wizard have the same fields that
the Asset Inventory Form has. For a complete definition and explanation of each field, please
refer to Page 62 in the Analysis Software Manual on the Create Asset Form.

68 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
In order to add a new Asset, type in your Asset Name. This is the only required field, however
entering an Asset Description as well as the Type of Sensitive Data is valuable information and
should not be skipped unless unavoidable.

You now have the option to save your Asset as Enabled, Disabled/Sunset, Pre-production or
Draft. In order to better understand this feature, the definitions of each status are on page 65.

After you have finished Step 1 and saved your Asset to the desired status, please choose Next
at the bottom right of your page. This will take you to Step 2, Component Types page. At any
point from here forward in the Asset Inventory Wizard you may choose Previous in the bottom
left of the Wizard to review any previous steps. Here you will select all Component Types that
create, receive, maintain or transmit sensitive information. You will also choose if there are any
third parties that have access to this Asset. This is not a required step in the process, so if you
are unsure, you may skip this step and come back to it later. You may now return to the Asset
Inventory List, where your asset will be available. If you would like to continue to add more
detailed information regarding this Asset, you will choose Next in order to go to Step 3,
Importance.

Steps 3 and 4 will guide you through the “Who, When, Where, Why and How” Information
related to risk likelihood for this asset.

69 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
The Importance section of the wizard is where you will quantify key data and rate the
importance of the asset. Information that you can provide here is Recovery Time Objectives and
Recovery Point Objective (will be referred to as RTO and RPO from here forward), Number of
end users and administrators, Importance of Asset, and Approximate # of sensitive records
stored.

Step 4 is where you provide any details that you may wish to include about your Asset,
including the Source of the sensitive information, the destination and the asset business owner.
The software will show you examples that will be helpful in deciding what you may need to
provide.

The 5th and final step is Component Groups.

70 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Step 5 will guide you through adding assets to Component Groups, which are similar to groups
previously labeled Media-Asset Groups. (Note: The term Media-Asset Groups is no longer being
used in the software, because there are components that are neither media nor assets. The
risks for these components still need to be considered and rated, so the terminology was
changed to components.) Component Groups will facilitate the Component Expert System®
grouping components for an easier, more efficient risk rating process. When assets are assigned
Component Types in Step 2, they are also assigned to default Component Group(s) for the
Component Type(s) selected. You can review the assigned Component Group(s) in Step 5. If
grouping modifications are needed, the Grouping Expert button will display the Asset Grouping
dialog, which will assist you with changing the component group assignment or creating a new
group.

Through a 3-step process, you can complete the following with the Grouping Expert button:
• Set component properties
• Review existing and suggested groups, and
• Select the groups that apply to this component. Components can be assigned to
multiple component groups if necessary.

Once component group options are edited in the Grouping Expert, the selections are displayed
in the Component Groups panel. Click the Close button when you have finished selecting
group(s). If needed, the Component Groups for this asset can be edited later by using the
Grouping Expert button.

Once you have updated the Asset Details, you may choose the Save button. By default, the Add
another asset after saving checkbox is checked, and if you choose Save, you will be taken back
to step 1 Basics to add another Asset. If you do not need to add an asset at this time, uncheck
that box, and you will be taken back to the Asset Inventory Import to review your asset. You
can access the Asset Inventory List to edit assets in order to add additional detail later.

71 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Helpful Hint: You can access the Asset Inventory List to edit assets later if needed.

When you are ready to exit the

Wizard, simply click the Update
button or the X at the top right of
the form. If you have unsaved
changes you will receive a warning
message.

After you have exited the Asset Inventory Wizard, the software will take you back to the Asset
Inventory List and will be updated with the Assets and information you have provided.

72 | IRM|Analysis® Software Manual - Version 5.1.6

You may quickly add many assets at once by utilizing the Asset Inventory Import feature. You can
download an Excel template, add Assets to the spreadsheet and import the list into the system.
The template is protected to prevent data corruption. If you attempt to import the template and
the one required field of Asset Name is not complete, you will receive an error message. The
software also prevents you from importing assets with duplicate names.

Navigate to Asset Inventory Import by going to the main menu on the left, clicking Asset and
then in the submenu choosing Asset Inventory Import.

Click on the Download Asset Inventory Import Template. The file

(IRMAssetInventoryImport.xls) will download to the location of
your choice on your computer. The spreadsheet will show each
information field as a column. Enter assets into the spreadsheet,
ensuring that the required field is complete. Provide as much
information as possible for the optional fields. Note that you may
select more than one Component type for an asset. Save the
changes to the file. 2. Click Browse in order to locate your file. 3.
Click on the Import Asset Now button to upload the file.

A sample of the Asset Inventory Import File

73 | IRM|Analysis® Software Manual - Version 5.1.6

As part of the process of adding each item to the Asset Inventory, the specific
Component Types used by this asset must be selected. Initially, all
components using the same Component Types are grouped together by our
Component Expert System® feature. The first system generated Component
Group is the Default Group. For example, all applications using a Server
(component type) are grouped together, all applications using Backup Media
are grouped together initially into Default Component Groups for their
Component Type. You can add a new component group(s) and select a different group as the
Default Group at any time. The significance of the Default Group is that all newly added assets
will automatically be placed into that group. Additionally, you can rename the system
generated Default Group to another name. By placing multiple components with similar traits
into component groups together, they can be risk analyzed simultaneously, making the risk
analysis process more efficient.

The goal is to group components together into Component Groups comprised of different
assets, which share common security safeguards, properties and risks. For example, that all
backup media are tapes created by a common backup application secured in the same data
center or that all servers sit in the same data center, employ the same operating system and
anti-virus software, and are centrally administered in the same manner.

When the Component Groups used by certain systems are exposed to different security risks, it
is necessary to place those components into different groups, so that the risk associated with
each can be considered separately. For example, if a tape backup system is used for clinical
data, but backup data for financial system is sent to cloud storage, then the components using
different backup methods with different risks can be grouped separately for a more accurate
risk analysis.

If you attempt to create a new Component Group with the same properties of an existing
group, you will see a warning icon displayed with message as follows:

These groups have the same property values:

New Group 2
New Group 3
This will make it difficult for you to tell the groups apart when deciding which assets belong in
each group. Consider setting up your groups so that each group has a unique set of property
values.

Additionally, Component Groups must have unique group names.

74 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
For more information about component Groupings, please see Appendix H – Examples for
Component Grouping.

Create New Component Groups

Creating Component Groups involves:

• Reviewing default groups initially created by the system.
• Considering the security profile for each component-asset grouping. Assets with similar
controls, properties or threats should be grouped together.
• Editing groups so all assets grouped together for Component Type have the same security
profile. This may require creating, moving and/or combining component groups.
Additionally, some assets may be added to multiple Component Groups.

Click on the Asset Link in the program’s main menu, and choose Component
Groups.

This will display the Component Groups Page. All fields are optional.

75 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
From the dropdown list, select the Component Type you would like to review. Each
Component Group is displayed and can be expanded to view the assets associated with that
component group. Additionally, group properties can be set by selecting a value for the prompt
and new component groups can be added on this page by clicking the Add a Component Group
button.

The Search bar is helpful if you are looking for a group or a specific asset. Search for the group
or asset by typing a few characters from the asset name in the search bar. All groups containing
matches for the search criteria will be expanded and highlighted. See below:

• Asset(s) can be added to this group using the green button under the expanded group
row.
• A new component group for this component type can be added by using the +Add a
Component Group button.
• The group name can be edited using the pencil icon.
• Assets can be moved or copied from the current groups to other groups by expanding the
Component Group Row and clicking the Asset Name.
• The asset will be shaded and the Move to and Copy to options will display with a
dropdown list for the target group to be selected.

76 | IRM|Analysis® Software Manual - Version 5.1.6

To edit a component group, click the i (info) icon to the right of the component group name
from the Grouping Wizard Page. The Group Name, Group Description, Default Status, Risk
Analyst and Due Date can be entered here. Click Save when edits are complete.

Move and Copy Assets from Existing Component Groups

Assets can be moved or copied from their current groups to other groups by expanding the
Component Group Row and clicking the asset name. The asset will be shaded and the Move to
and Copy to options will display with a dropdown list for the “Select an Option” target group to
be selected. Once an option is selected from the list, click the Move or Copy button to complete
the workflow.

77 | IRM|Analysis® Software Manual - Version 5.1.6

The Copy Risk Determination Info function will allow you to copy the Risk Determination from
another group within this component type. It is available for newly entered Component Groups
(with New Badge) which Assets have been copied to from other risk rated component groups.

Copy Risk Determination Workflow Steps:

1. Select the new component group row (with NEW badge displayed.)
2. Click the Copy Risk Determination Info… button
3. A Copy Risk Determination Info from… column will appear with a ‘Select an Option’
dropdown list
4. Select a source group from the dropdown list
5. Click the Copy Risk Determination button. Note: If you change your mind about the
copy, click the Done button to cancel this action.
6. Once the Copy Risk Determination has been completed, the Rating Review page or Risk
Rating Report can be reviewed to show the risk determination data copied to the new
group.

Copy Component Group to Entity

Users can select a component group row and click the Copy Group to Entity button to copy this
group to another entity. When this option is selected, all assets in the selected component
group will be copied. If you want to copy only one asset, add that asset to its own groups, then
copy that group. Note: The following data will not be copied: Custom Controls, Global Control
Responses, Global Actions in Risk Response, Notes and Documents related to Global responses.
Global responses at the destination will NOT be overridden by source Global values. Also note
that duplicate Assets could be created if Assets in the source Group already exist in the
destination Entity.

78 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Delete Group
Users can delete a component group by selecting the row and clicking the Delete Group button.
It is important to note that deleting a component group will result in deletion of any related
Risk Ratings, Control Settings, Notes and Documents. A warning will appear confirming deletion
of a component group.

79 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Quick Start Guide: Risk Determination
Risk Determination can be accessed in the Main IRM|Analysis® Software Menu by clicking on the
Risk Determination Link on the left.
• Controls – Global – Review Control Responses and override previous responses given on
the Risk Questionnaire Form.
 This page can be used to update multiple control responses at the global level
for a particular control.
 Control Responses can be selected one by one and save automatically when
moving from one Control to the next in line.
 Remove a previous response by clicking on the clear column for that control
response.
 Add Global Level Control Notes and Upload Documents from this page
• Controls by Component Group - This page is an alternative way for you enter Risk
Determination with an emphasis on the Asset having a more important role.
• Risk Questionnaire List - Includes the Component Group, Information Asset Name, total
number of sensitive records, and the columns for answering the risk analysis questions
related to Responsible Party, Due Date, etc.
 View each Record’s Risk Questionnaire Form for more information by clicking
on the orange review link for each record.
 Answer Risk Analysis questions for each record by clicking on the blue continue
link. It will only display if the questions have not been completed.
 Update multiple records at one time, by selecting the checkbox for multiple
rows and then using the Select box at the top of the screen to update Risk
Analyst or Due Date.
• Controls Review – Allows review and update of multiple records at one time. In addition
to the columns displayed on the Risk Questionnaire List page, you can also view the Threat
Source and Events, Vulnerability and Controls.
 This page can be sorted by multiple columns’ data, and answers for each
Control can be chosen by quickly selecting values from the Response column.
 Notes can be added to provide detail.
 Choose the Vulnerability Link to review Control details for each record on the
page.
• Rating Review – Allows review and update for Multiple Risk Ratings at one time.
 Risk Likelihood and Risk Impact can be updated easily by selecting updated
values in the drop-down boxes for each field.
 Risk Rating is automatically recalculated when Risk Likelihood or Risk Impact
are updated.
 To review Control and Risk Rating Details for each record, the Vulnerability
Link can be clicked to display the detailed Risk Questionnaire Form,

80 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
How can our Proven Risk Analysis Algorithm benefit you?
The Security Analysis software greatly simplifies what can otherwise be a complex process. The
software was developed based on the National Institute of Standards & Technology (NIST)
guidance on Risk Management and Analysis, upon which the HIPAA Risk Analysis guidance is also
based.

The software addresses all the key elements of the HHS/OCR guidance on how to perform a bona
fide risk analysis, allowing subscribers to create, maintain and readily present a complete
inventory about all information technology assets used to create, receive, maintain, or transmit
electronic Protected Health Information and all associated components.

The NIST standard provides a useful framework but leaves organizations with the daunting task
of identifying and maintaining a list of up to date threats, vulnerabilities, and controls. However,
Clearwater has pre-populated, and is continuously maintaining, the latest threats, vulnerabilities,
and security controls related to healthcare within the software.

Triggered by the information asset inventory, the user is presented with relevant threats and
vulnerabilities suggested by the system to determine risk levels. The Clearwater Risk Algorithm®
maps each asset and component to the latest threats, vulnerabilities, and controls is unique in
the industry.

In addition, the suggested control set has been carefully condensed to those that are appropriate
to healthcare from the NIST set of over 800 controls. The software leads the user through the
process of assessing the risk rating for each threat/vulnerability pair, comprised of its likelihood
and impact.

The Clearwater Risk Algorithm® saves customers time, can prevent “missing” threats and
vulnerabilities, and provides insights that can help you prevent the exploitation of your
vulnerabilities.

81 | IRM|Analysis® Software Manual - Version 5.1.6

Controls by Component Group

After you have completed your Asset Inventory, the next step is to begin Risk Determination. The
first page is Controls by Component Group. This page will be used when looking for an alternative
way to enter the Risk Determination information with an emphasis on the Asset having a more
important role in the layout. Controls can be viewed and Responses can be set at the Control and
Asset level for managing Component Groups.

This page will treat Physical Locations as additional Component Groups, with the component type
of "Physical Location". This is an alternative to the Normal Path of completing Risk Analysis.

The Controls by Component Group page can be found by clicking on Risk Determination in the
Clearwater Compliance IRM|Analysis® left side navigation menu. The Controls by Component
Group page will be the first option in the Risk Determination submenu that displays.

Component Groups created during the Component Grouping process will be listed in
alphabetical order on this page. There are three different views for the Controls by Component
Group page as follows:

1.) Component Type/Component Group Level

2.) Control Level
3.) Asset Level

82 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Controls by Component Group - Group Level View
At the Component Group Level, users can view the component type/component group name,
associated assets, assign or view risk analyst and assign or view due date (see Screenshot 1
below). To expand a Component Group to display the associated controls, click the + icon.

Screenshot 1: Component Group Type/Component Group Level

83 | IRM|Analysis® Software Manual - Version 5.1.6

To view the Control Level, click on the + icon located left of the Component/Group Name. This
will display each control associated with the selected Component/Group Name. Control
Advisory Badges are available for quick review from the Control Level. Responses can be set at
the component group level.

Screenshot 2: Component Group has been expanded to display the associated controls.

Each control contains help text information to provide a point of reference and clarification that
will assist in determining the appropriate response. The help text available includes the
following:

1. Control Advisories are informational regarding changes to Control Descriptions, such as

New, Updated, Pending Sunset or Sunset. Control Advisories are available in the Control
Status Filter. Click on the Control Advisory Badge to view the detailed advisory.

2. A Question Mark icon to the right of each control name is available to view the control
definition. Click the Question Mark to view detailed description of the control.

3. By clicking the NIST icon, mapping information is displayed indicating which NIST controls
are mapped to the specific Clearwater Compliance control. For more information on
controls, see the Controls-Global section.

Control Responses can be selected to indicate the following:

• Yes = Control is active
• In Progress = Control is in process of being implemented
• N/A = Not Applicable

From the Control Level, users can clear Responses, add Component Notes, and Upload
documents for each control. This process facilitates completion of a bona fide Risk Assessment
while allowing users to populate global control responses down to all applicable components
and assets.

84 | IRM|Analysis® Software Manual - Version 5.1.6

To view the Asset Level, click on the + icon located left of the Control. All assets in the selected
component group will be displayed and responses entered at the Control Level will display for
each asset (see Screenshot 3 below).

Screenshot 3: Asset Level responses

Users can change responses at the asset level as needed, which activates the Pending Group
Changes Dialog (see Screenshot 4 below).

Screenshot 4: Pending Group Changes

Note: When asset level responses are set, the Pending Group Changes button is activated/orange
(for this visit to the page) because the asset’s properties no longer match the properties of its
component group and a new group can be created for the new set of properties.

85 | IRM|Analysis® Software Manual - Version 5.1.6

When an asset’s control responses are changed and no longer match the component group’s
responses, the Pending Group Changes button is activated. It will display a badge with the count
of pending group changes. The Pending Changes will remain pending during this visit to the page
until they are managed. If a user has pending changes and navigates away from the page, the
pending changes are lost.

To manage Pending Group Changes:

1. Click the orange Pending Group Changes button.
2. A dialog will be displayed to move the asset to an existing group with matching properties
or allowing the user to create a new cloned destination component group that matches
the new set of properties.

Screenshot 5: Pending Asset Grouping Changes Dialog with Create a New Cloned Group

3. Enter the new cloned group name and optional description

4. Click Create
5. With the Yes, make this change radio button selected, click the Done button.

The new Component Group will be created and will contain the asset with the new set of control
responses. The Pending Group Changes button will become inactive until new pending control
changes are made. The asset will no longer be a member of the original component group. This
facilitates organizing components with matching controls into separate component groups.

Filtering

A funnel filter is available on this page for assistance locating any desired results. Filter fields
include Component Type, Component Group Name, Asset, Control, Custom Control, Control
Tag, Control Response, Risk Analyst, Control Advisory, Global Setting and Due Date.

86 | IRM|Analysis® Software Manual - Version 5.1.6

The next page is Controls – Global. In this area, you will determine which controls and
safeguards you have in place to protect your sensitive information.

The Controls- Global page can be found by clicking on Risk Determination in the main
Clearwater Compliance IRM|Analysis® software menu. The Controls – Global page will be the
first link in the Risk Determination submenu that displays.

Appropriate controls and safeguards for components you created during the Asset inventory
process will be listed in alphabetical order on this screen. There are three different views for
the Global page: Global, Component/Group Name and Asset Level. The Global screen will
display the Global view for each control by default. To view the Component/Group Name view,
click on the + icon in front of the Control Name. This will allow you to view each component
group name associated with a control. To view at the Asset Level, click on the + icon in front of
the Component/Group Name. This will allow you to see all assets in the expanded Component
Group.

New and updated Badges are available for quick review. Once reviewed the user may check a
checkbox to indicate they have reviewed the advisory. The color of the advisory badge will then
change to gray.

Each control contains additional information to provide a point of reference and clarification
that will assist you in determining your response. For example, you can click on the Question
Mark icon beside each control name to get a definition of that specific control.

87 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
By clicking the NIST icon, you can view which NIST controls are mapped to the specific
Clearwater Compliance control. Clearwater Controls are mapped to NIST SP 800-53 Controls.
There are over 800 of the NIST controls, and they are rolled into the Clearwater Controls.
Clearwater Compliance has culled out the NIST controls that relate to healthcare and safety
defense and mapped applicable NIST controls to the right level of granularity for the healthcare
security environment.

On this page, you can select whether or not you have the Control in place, whether or not it’s in
process of being implemented, or just not applicable (N/A). You may also clear Responses,
Notes, and Upload documents for each control. These actions can be completed from the
Global or Component Level View. This better enables customers to complete a bona fide Risk
Assessment while at the same time allowing them to populate global control responses down
to all applicable Component and assets.

You can see that the example control, Acceptable Use Policy is applicable for multiple groups of
Components. The Controls screen in this case helps our Customers, because the Acceptable Use
Policy control tends to be global in nature, and the Controls screen enables the Customer to
select one answer (such as Yes, this control is in place) and populate that Yes answer for every
group of Component that is impacted by that specific control. Here you will also see Control
Tags associated with that Component Group. Control Tags are added in Framing/Governance
and can be used for filtering and reporting purposes.

88 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Some controls are more technical in nature and change from Component to Component.
Therefore, it is possible to select different responses for different Component groupings. For
example, the control named ‘Account Lockout After Too Many Failed Logins’ could have
different control responses for Desktops than it would have for Servers. Therefore, you can
select different responses at the Component grouping levels rather than selecting a global
response for this control.

Helpful Hint: You can keep up with the latest and newest controls in the Clearwater
software by using the New or Updated Control Filter drop-down. To do this, click on the drop
down and select New. This will display the list of the newest controls in the software. The most
recently added controls were added after Clearwater’s reviews of NIST special publication 800-
53 Revision 4, which was a major update to the controls.

Adding, Updating or Clearing the Control Responses

Responses can be added at the Global, Component or Asset Level. To add a response, select the
option that best fits the current situation for the control and Component at your organization.
If you select a response at the Global level, all Component associated with that control will
reflect that selection. To have varying responses for Component associated with a control,
answer the control from the Component level. If your individual asset has a different control
response, you can set an asset level response. Note: When asset level responses are set, the
Pending Group Changes button is activated/orange (for this visit to the page) because the
asset’s properties no longer match the properties of its component group and a new group can
be created for the new set of properties.

You can also update your answers for each Component grouping level within each control. Even
if you have provided a global response of Yes, for example, you can then go back and select No
for one particular type of Component. If you are changing a selected answer, you will get a
dialog box that prompts you to decide if you want to change your answer for the one
Component level for that control.

If the user updates a control from this screen that will override all existing responses made on
the Risk Questionnaire Form or this screen. A user warning is provided when appropriate. If a
user returns to a control via the Risk Questionnaire Form and makes a new response it will
override any previous global responses for that specific Component/asset/vulnerability/control.

89 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
When you expand a control, all component groups with this control will be displayed.
Additionally, you can expand a component group row to view all of the assets in that group.
Control responses can be changed at the asset level if needed. If an asset level control is
changed, the orange Pending Group Changes button is activated with a badge displaying the
number of pending changes. To manage Pending Group Changes, click this button and you will
be presented with a dialog helping you to move that asset to a new destination component
group that matches the new set of properties. See the Pending Group Changes section for steps
to manage pending group changes.

Responses applied at the global level for other Component / Component Grouping associated
with this control will be kept or saved.

The most recent response made via the Control Screen or the Risk Questionnaire Form is
always the final response stored in the system. If a global response is ever checked it remains
checked unless cleared with the Clear all button. When you add a new Component, any global
responses previously made to controls associated with that Component type will be applied to
the new Component.

90 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
If you chose to select a
new response button,
then the Component
level response for that
control will be updated
and the responses for
all Component Groups
for that Control set will
no longer be considered
global responses
(because at least one Component Group has a different answer).

To Clear Responses, click the circle X icon under the Clear in the green header bar. Responses
can be cleared from the Global or Component Level. If you choose to clear a response you will
receive a Warning pop-up that will warn you that it cannot be reversed. You will then choose to
Remove or Cancel.

91 | IRM|Analysis® Software Manual - Version 5.1.6

Notes can be added at the Global or Component Level from the Controls – Global Screen.
Global notes are added at the control level and Component level notes are added after you
open the control and add note to Component/Group

Adding notes over time demonstrates a living, breathing compliance program by documenting
in the notes the ways your compliance program evolves and changes over time. Notes are
date/time stamped with the author’s name and there is a counter for each type of note. Notes
are hyperlinked so that you can go back and review all prior notes.

To add a new note, decide if you want to create it on the Global or Component level and click
the note icon that corresponds with the appropriate level and control. You will then choose the
+New button to enter the desired information in the Notes text area and click Save.

Helpful Hint: You can review, edit, add and delete Global Notes from the Controls Global
screen. You can do this with Component level Notes from the Component /Assets screen (which
can be found by clicking on the Risk Questionnaire List link in the Risk Determination submenu).
If you go to the Risk Questionnaire List to review Notes, you will be able to see both Global and
Component level Notes in the list. However, you will not be able to delete Global Notes on the
Component Groups screen. To delete Global Notes, go to the screen where they are added: The
Controls – Global screen.

92 | IRM|Analysis® Software Manual - Version 5.1.6

The Controls– Global page also includes a column for viewing and uploading documents. These
documents can be saved to help describe the ways your organization is supporting a Yes
response to a specific control, for example. The number of documents saved for each control
will be counted and saved in the Upload Documents icon. To upload a new document, click on
the orange page icon.

When you select this, Document History page will load (which can also be found by clicking on
the Documents menu in the main IRM Software menu on the left of the page). On the
Documents page, you will be able to view any previously uploaded documents, look at the
history (number of times uploaded, etc.), and choose whether or not you want to delete the
document from the list.

Controls Global page can be exported or printed by clicking the Printer icon in the upper right
corner. For more information on how to export, please see Appendix A – Export to CSV / Excel.
For more information on how to print, please see Appendix B – Printing Reports.

93 | IRM|Analysis® Software Manual - Version 5.1.6

Once you’ve entered Control responses in the Controls – Global screen, the next step is viewing
the Risk Questionnaire List. The Risk Questionnaire List will display all of information asset
groups you created and help you manage your workload. Customers will be able to view a
synopsis of each Component /Asset Group and decide which assets to continue to evaluate on
the Risk Questionnaire Form by viewing information on the Risk Questionnaire List. For
example, each group of assets that need to be analyzed can be reviewed and prioritized based
on information that can be seen on the Risk Questionnaire List, such as total number of records
impacted by each Asset or Component Grouping, or by Risk Determination Date set for each
Component type.

The Risk Questionnaire List may be found by choosing Risk

Determination the IRM main menu, then selecting Risk
Questionnaire List in the submenu below.

For each, you can see the progress made, Component ID,
Component Group, Information Assets, Total Sensitive
Records, Risk Analyst, Due Date and Action. A majority of this information is provided based
on data entered when creating your Asset Inventory (i.e. Total Sensitive Records).

You can prioritize your work based on the progress bar for each Component /Group name
combination, and choose to move forward (or Continue) for those groups in which you have
already made the most progress. The progress bar in the left-most column will indicate
percentage completed, and the numerical percentage will also be written within the progress
bar icon.

94 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
The Component /Group is the overall name of the Component /Asset combination being
evaluated. The Component/Group can be an overall description of the Information Assets
included, and can describe more than one type of Information Asset. For example, in the print
screen below, the Component/Group Backup Media is used to describe the Information Assets
related to backup media for the EMR, Infor and line by line applications.

Next the Component/Group is the listing of the Information Assets that are being
evaluated. The Information Assets can be one or more groups of assets. Each information
asset name will be listed in a list with a comma separating each asset.

The Total Sensitive Records is the sum of all records impacted by those specific Information
Asset(s) or Component Grouping.

The Risk Analyst column is the person chosen to perform whatever action is needed to
ensure the associated Risk listed is handled. This person will be different than the Business
Owner. The Risk Analyst can be selected from any user who has been added to the system;
all personnel that have been given access are listed when you click on the Risk Analyst
column’s drop-down box.

95 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
The Due Date listed for each Component/Group and Information Assets being
evaluated is the most immediate due date for the information assets in the list. If more
than one information asset is selected, then the nearest date associated with that
grouping of Component /assets will be the Due Date displayed. The Due Date is the
date that the controls for the Threat/Vulnerability need a response and
likelihood/impact value selected.

96 | IRM|Analysis® Software Manual - Version 5.1.6

In the Action column of the Risk Questionnaire List, you will have the option to Continue
or Review. If you select to Continue for a Component Group, you will be taken to a
series of Risk Questionnaire Form pages for that Component Group. The Review link
will allow you to review your work and calculated risk ratings for that particular
information asset group. If you have already completed all selections for a particular
Component grouping, then the link to the right of the Component grouping will only
display a disabled Completed button (rather than having both a Continue and a Review
link listed).

The Multi-Select button next to the Action column will allow you to select multiple
Component Groups to continue on with, or Review on the Risk Questionnaire Form. Click
the check box associated with the applicable Component groups or click the top check box
to select/de-select all. You can also select only one or a few rows at a time, if you prefer to
set Due Dates or Responsible party for multiple Risks but do not want to select the answers
one at a time. Updating multiple rows at one time is one way to more efficiently complete
your Risk Analysis.

To only view Component Groups for which you are responsible, click Component
dropdown. This will allow you to view All or only the Components that you are yours.

97 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
You may also filter the results on the Risk Questionnaire List page by clicking on the filter
(funnel) icon next to the Component button. This filter allows you to select which value(s) from
each field that you want to see. You can filter on any number of selected values based on what
you choose for each field in the list and then click on the submit button in the lower right-hand
corner of the pop-up window.

The Risk Questionnaire List can be exported to Excel or PDF by clicking on the printer icon. For
more information on how to export, please see Appendix A – Export to CSV / Excel.

98 | IRM|Analysis® Software Manual - Version 5.1.6

If you select Continue for a Component Group from the Risk Questionnaire List under the
Action column header, you will be taken to a series of Risk Questionnaire Form pages, each
page with its own risk scenario and risk rating. The Risk Questionnaire Form is used to
evaluate all controls for the selected Component Group by threat and vulnerability and
determine a risk rating for the threat/vulnerability based on the risk likelihood and risk
impact.

Clearwater’s Risk Questionnaire Form screen includes conditional formatting. This

formatting prompts your next move by highlighting uncompleted steps with a RED box. For
example, if you arrive at the Risk Questionnaire page and there is a RED box around the
Risk Likelihood and Risk Impact section (as seen below), you need to determine the Risk
Rating before moving on to the next Threat/Vulnerability for that Component OR the Risk
Response process. Similarly, if you go to the Risk Questionnaire screen and there is a red
box around the Control Responses section, you need to consider a response for the
applicable controls before moving on to the Risk Rating process.

Now let’s look at the different sections of the Risk Questionnaire Form in more detail. The
controls listed on the Risk Questionnaire Form are calculated and displayed based on the
Clearwater Compliance Risk Analysis Algorithm.

The top of the Risk Questionnaire Form will include:

1. Progress Bar
2. Component Group
3. Information Assets
4. Scenario Advisory
5. Threat Source
6. Threat Event
7. Vulnerability

99 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
The controls for that Threat/Vulnerability combination will be displayed in the middle of the
Risk Questionnaire Form screen.

If you need more help understanding the controls listed, you can click on the Question Mark
symbol to see definitions, or click on the NIST symbol to see the NIST specific controls that
are mapped to the Clearwater Controls listed on the Risk Questionnaire for the selected
Component grouping.

When you use the Controls – Global screen first, your control responses will already be
populated for you on the Risk Questionnaire Form screen. You can override the answers
on each Control Response if you choose.

The Response that can be selected to address each Control and whether or not the
Threat/Vulnerability combination is being addressed are listed in the column next to each
Control and Requirements listing. Possible Responses are:

• Yes – This Threat/Vulnerability is being addressed for this Control

• In Progress
• No – Nothing is being done at this time
• N/A – This Threat/Vulnerability combination does not apply

100 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
The Global checkbox on the Risk Questionnaire Form will copy over Global selections from the
Controls-Global process and allow you to edit these selections during the Risk Questionnaire
Form process. If you check the global checkbox on the Risk Questionnaire Form and there were
no previous Component level responses for this control, the following will happen:

• All Component level responses will be updated now, and in the future
• Future notes for this control will be applied globally
• You will receive a warning notification confirming the change

If you check global on the Risk Questionnaire Form and there were previous
Component/Asset level responses for this control, the following will happen:

• Previous Component level notes will be removed

• Previous Component level responses will be updated
• You will receive a warning message about the updating of previous
responses

If you uncheck global and change the response on the Risk Questionnaire Form, the following
will happen:

• The response for all other Component Group combinations will stay the same
• The global note checkbox becomes unchecked on the Controls Global page
• Global notes should be deleted on the Controls Global page and elsewhere in the product
for that locations
• You will receive a warning message about the change

Notes can also be added for each Control and Threat/Vulnerability combination. Often
these notes are very helpful when being added on the Risk Questionnaire Form because
they can show progress over time (or describe the ways in which the threat/vulnerability is
already being addressed).

When you click on the Note link, the Note details dialog box will open. This allows you to
see a summary of each Note entered before (during the Controls – Global process), edit
those notes, and create any new notes that are needed. The types of Notes that may be
displayed include Global Control Notes, Component Control Notes, and Detailed Control
Notes.

You can also Add or Delete any related documents in the Risk Questionnaire Form by
clicking on the Documents icon.

101 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Below the control listed and response selected, you will be prompted to select the Risk
Likelihood and Risk Impact for each Threat/Vulnerability.

For each Threat/Vulnerability and Component combination, the Risk Likelihood will be the
probability of an adverse impact to the organization if the Control/Risk represented by the
control were to be exploited. Risk Likelihood is selected by thinking about the current company
processes and safeguards and the way your company does business. What is the likelihood that
each vulnerability and threat could occur? How many points of risk or vulnerability are there in
the way you currently do business that are related to each threat?

Risk Impact is selected by thinking about the number of records that would be affected by the
threat being evaluation, or by thinking about the number of days that the system would be
impacted if the threat being evaluated were actually to happen.

The selection of the Likelihood and Impact will allow the Clearwater Algorithm to calculate and
populate the overall Risk Rating for the threat listed for the Asset grouping being evaluated.
The Risk Rating is calculated by multiplying the Risk Likelihood by the Risk Impact. For each
Control, you will be prompted to select the Likelihood and Impact separately so that the Risk
Rating can be calculated.

102 | IRM|Analysis® Software Manual - Version 5.1.6

The following scale is recommended for selecting Risk Likelihood or Probability

• Not applicable (0) – Will never happen
• Rare (1) – May happen once every 20 years
• Unlikely (2) – May happen once every 10 years
• Moderate (3) – May happen once every 5 years
• Likely (4) - May happen once every year
• Almost Certain (5) – May happen multiple times a year or is currently happening

How should I determine Risk Impact?

The following scale is recommended for selecting Risk Impact

• Not Applicable (0)
 Does not apply
• Insignificant (1)
 Remediate within 1 hour
 No interruption of Operations
• Minor (2)
 Remediate within 8 hours
 No serious interruptions of Operations
 Multiple other Controls would have to fail for the threat to exploit the
vulnerability
• Moderate (3)
 Remediate in more than 8 hours
 Disruption of Operations
 Creates new minor vulnerabilities
• Major (4)
 Multi-hour interruption of Operations
 Data breach reportable to HHS immediately (>5,000 records)
 An OCR investigation could potentially result in penalties
 Creates a new serious vulnerability
• Severe (5)
 Multi-day interruption of Operations
 Data breach reportable to HHS immediately (>50,000 records)
 An OCR investigation would likely result in penalties
 Creates many new serious vulnerabilities

103 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Once both Risk Likelihood and Risk Impact are selected, the Risk Rating is calculated by the
software and displayed on the screen. The Risk rating value will be given a color based on the
Risk Rating value and the category in which that Rating falls (Low, Medium, High, or Critical).
For each high or critical rating, it is best to add a Note to the Risk Rating that will suggest a
recommendation for next steps. This note or recommendation will show well thought out steps
and due diligence in the Risk Analysis process.

When you click on the Risk Notes link next to the Risk Rating field, you will see the Notes detail
page. Here, like in the Notes fields above for the Controls, previous notes can be listed in
summary format for each type of note. If a note has not yet been added, the details screen will
simply show summary data for the Risk and provide an empty box for Adding a Note. When you
have typed in the information, click on the Create button to return to the Risk Questionnaire
Form screen. Your note will be in the view under the Note column.

The Pending Group Changes button will be gray when there are no pending changes. If you
make changes that would cause assets to change groups, the button will become enabled.
When there are one or more pending changes, the button will be orange with a red pending
change count badge on the upper right of that corner. See the Pending Group Changes section
for steps to manage the pending group changes.

After each Risk threat and vulnerability evaluation for each control, you can then click the Go to
the Next Threat/Vulnerability for this Component button to continue stepping through the
process for evaluating Risk Rating for each risk scenario associated with the Component groups
you have entered into the system.

If you would prefer to return to the list of Components, you can click on the Return to Risk
Questionnaire List button on the bottom middle of the page.

It is no longer necessary to answer all Controls before being able to move to the next
Threat/Vulnerability for a Component Group. You may come back and answer controls at any
time.

104 | IRM|Analysis® Software Manual - Version 5.1.6

In the Risk Determination area, you’ll complete Controls responses in the Controls- Global
page. You will then use the Risk Questionnaire Form to enter Risk Ratings. Once you have
entered most of your Control Responses and Risk Ratings, it’s time to review your work.

The Controls Review page is a tabular display of all the Customer controls responses for
each of the Components, Assets, Threats, Vulnerabilities, and Controls. It gives the detailed
responses and allows you to review your work. You can also see the detailed Notes. You can
get to the Controls Review screen by clicking on the Risk Determination menu in the
Clearwater Compliance IRM|Analysis® software, and then clicking on the Controls Review
Link in the submenu at the left of the screen.

One way to use this tabular view is to sort by the column names. You can sort by answers
listed, or by the control headings to see the answers you’ve given for each Component Type
on the screen. This will allow you to spot any inconsistencies in your answers for a particular
Component type listed.

The Controls Review screen displays the Component/Group Devices for which each Control’s
answer applies. The first column on the page lists the Component Group that are impacted by
the Control. This Label can be used to describe the collection of Assets for this control, such as
describing type, location, or group of users of whom these particular Components are used. By
default, the Controls Review page will display the first component type that has more than one
Component Group Associated to it.

The Component Type Funnel Filter is displayed on the top left of the page, and clicking this
funnel will display all Component Categories and Types. Here, you will see the number of

105 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Component Groups related to each Component Type Category. You may choose as many or as
few Component Types that you wish to display.

The next column lists the Asset Name(s) for which this control applies. There can be one or
more Assets in this column. Different Assets will be separated by a comma.

The third column on the page lists the Control Advisories. Here you can quickly see any new or
updated Controls. Once reviewed, you may check a checkbox to indicate that you have
reviewed the advisory and the color will change to gray.

The Control name, which describes what the Control applies to, is listed in the column after
Control Advisories. In this column, you may also click on the NIST symbol to see the NIST
specific controls that are mapped to the Clearwater Controls listed on the Risk Questionnaire
for the selected Component grouping.

106 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Following the Control Column are Control Tags. Control Tags and Control Tag Descriptions can
be used to group records together. Control Tags can later be used for filtering and reporting
purposes.

For reference point, we also provide you a created date and an updated date so you can see
when you last touched a record and if it might possibly need review.

Next will be Responses. The response will provide answers to whether or not this specific
Control is being addressed, which explains whether or not the Threat/Vulnerability combination
is being addressed for these Assets.

The next column is Clear which allows you to clear or remove the Response type. If you choose
this, you will receive a warning message that this action cannot be reversed and you will be
prompted to Remove or Cancel.

The Global column contains the Global response, and the Notes column displays a counter to
indicate how many Notes have been added, regardless of which type of Note it was (Global,
Component, or Detailed). It is helpful and recommended to include details in the Notes about
how Controls are being handled if you have marked Yes at the Component level response. It is
also helpful to add a Note to show progress as you transition from a ‘No’ response to ‘In
progress’ or ‘Yes’.

The final column consists of checkboxes. This gives you the option to change or clear the
Response to individual or multiple Components. You may choose the top level checkbox and
open the purple multi-select section of the software, which is helpful when you need to make
multiple changes across different Component Groups.

107 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
If you click on the Notes counter, the Control Notes from the Risk Analysis screen will appear.
This Control Notes screen will display Global Notes, Component Level Notes, and Detail Notes,
each type of which will be indicated with a different type of icon / symbol. More information
about the types of Notes and their icons is located in Appendix G – Icon Definitions.

The Controls Review data can be exported to Excel in .csv format and/or printed. To export the
data, click on the printer icon in the upper right corner of the page. For more information,
please see Appendix A – Export to CSV / Excel.

Filtering the Controls Review Data

The Controls Review page contains a component types filter, quick filters and a funnel filter.
These filters can be used together, allowing you to precisely select only those values and
combinations of values for each field that are most relevant to be reviewed. Click on the
Component Type Selector on the left or the quick filters or funnel icon at the top right
corner of the screen.

For each field in the Search Filter(s), you can select one or more of the possible values
available for that field. When you click the Submit button, the combination of the data
values you have selected will be filtered and displayed. Click the word “All” next to each
field name to display a list of values for that field from which you can select. To select a
field value to include in the filtering, click the checkbox in the list for each field. Once all the
changes are made, click Submit.

108 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
After a filter has been set up you will notice a new icon on the page, the funnel icon with a
clear option – this is used to clear all the filter items you have with just one click.

There are many ways to filter in Controls Review to assist you in viewing and updating only
the controls that are applicable for the work you are doing.

The Quick Column Selector provides you with three different levels of summarization: view
Controls Globally, by Component, or by Risk.

• Controls – Global - display records by control summarized for the entire entity.
Responses made on this view will apply to all controls for the entity.

• Controls - Component - display records by control summarized by Component Group

for the entire entity. Responses made on this view will apply to controls by
Component Group for the Entity for the entity. The exception for this is when the
Global Checkbox is used.

• Controls – Risk - display records by control summarized by Component Group by Risk

Scenario for the entire entity. Responses made on this view will apply to controls by
Component for the Entity for the entity. The exception for this is when the Global
Checkbox is used.

There is also an option to filter by Control Type. For definitions of each type of control,
choose the Page Level Help (Lightbulb icon) on Controls Review.
• All Controls
• Administrative Controls
• Asset Related Controls
• Physical Controls
• Technical Controls

Next, you can filter by Response type. This could be helpful, for example, you wanted to see
what Controls have no response and need to be addressed.
• All Controls
• Control Responded
• No Response

109 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
There are also quick filters for Control Status and Scenario Status. They both contain the
same values of:
• All (including sunset)
• Active
• New OR Updated
• New
• Updated
• Sunset

110 | IRM|Analysis® Software Manual - Version 5.1.6

In the Risk Determination area, you enter your Controls and review your controls and the
responses you’ve made for your controls on the Controls Review Screen. The next step is
looking at your Risk Ratings.

To get to the Rating Review page, click on Risk Determination in the main IRM
software menu at the left of the screen. Then, in the Risk Determination
submenu, click on the Rating Review link.

You will use your Rating Review page to review your Risk Ratings for
consistency. You can also use the Risk Rating Review page for a peer-to-peer
review for each Risk Rating that has been determined. There are many
different ways to view the Risk Rating Screen by sorting the columns, setting
custom filters or using predefined filters which are shown above the Risk
Impact and Risk Rating column headers on the right side of the page.

Data displayed on this page is filtered by the Component Types filter settings. You can change
the Component Categories and Component Types selected and click Update to adjust the rows
displayed.

111 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
The first column on the Rating Review screen is the Component/Group Name. There can be one
or more groups of Components listed for each Rating. The label part of this column often is
used to differentiate groups of Assets and Threats/Vulnerabilities by describing Type, Location,
or Geography related to the Assets listed.

The next column is the Asset Name(s) for the Components listed. The Asset Name(s) listed here
can be a single Asset or several groups of Assets.

The third column is Scenario Advisory than contains badges that are available for quick review.
Once reviewed the user may check a checkbox to indicate they have reviewed the advisory. The
color of the advisory badge will then change to gray.

Following the badges are the Threat Source and Threat Event Columns. Threat Source is typically
who or what may cause an impact to the Components included in the Risk.

The Threat Event is the way in which the Components may be impacted by the Threat Agent
when determining the Risk Rating.

The Vulnerability column describes the ways in which the Asset(s) listed may be impacted.
Sorting or filtering by Vulnerability is a useful way to compare risk ratings. If you click on the
Vulnerability hyperlink, the Risk Questionnaire Form displayed shows the details of control
responses and notes to give you more information on why you selected that kind of Risk Rating
for that control.

112 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Next, you will see the Created Date and Updated Date columns.

The column after the Dates is Risk Likelihood. Risk Likelihood and Risk Impact are both selected
fields chosen by the Compliance Analyst(s) completing the Risk Analysis. Risk Likelihood is one
of the values used by the IRM Software to calculate overall Risk Rating.

After the Risk Impact column is the calculated Risk Rating column. The Risk Rating is
automatically calculated by the IRM software when the Risk Likelihood and the Risk Impact are
selected. The Risk Ratings are color-coded based on severity, ranging from green (Low Risk) to
yellow to red to purple (Highest Risk). You can sort by Risk Rating, and it will display your
Component/Group name, Asset Name, Scenario Advisory, Threats, Vulnerabilities and Risk
Ratings. You can then evaluate if each grouping is rated consistently and similarly. This view will
also help you determine which assets may not have answers or ratings yet populated.

There is also a Clear column which allows you to clear both the Risk Likelihood and Impact.

After the Clear column is the Notes indicator. This allows you to enter or view notes about this
item’s Risk Rating and any other notes added on the Risk Questionnaire Form. The notes will be
associated to a specific Entity and Risk Scenario (Component Group – Threat Source – Threat
Event and Vulnerability).

The last column on the Rating Review page is the Action selection column. Use this column if
you want to quickly update multiple answers for multiple Ratings for Likelihood or Impact on
the screen. Click the checkbox next to each Control’s Risk Rating for which you would like to
update your Likelihood or Impact answer. You may choose the top level checkbox to open the
multi-select feature that allows you to update multiple selections at once.

You can export or print the Rating Review data by clicking on the Printer Icon link in the upper
right corner of the page. The data will be exported in .csv or PDF format.

113 | IRM|Analysis® Software Manual - Version 5.1.6

The colors used on the Risk Rating Scale are determined by the severity of the risk presented
based on the answers provided by the user. Using the "Risk Rating for this Threat/Vulnerability
for the Components/Asset(s) Listed Above" section of each page in the questionnaire a number
is calculated by multiplying the Risk Likelihood and Risk Impact.

The colors assigned are coordinated as follows:

• A Risk Rating score of 0 will leave the value of No Risk.

• A score of 1 to 7 will result in a Low Risk (green).
• A score of 8 to 14 will result in a Medium Risk (yellow).
• A score of 15 to 24 will result in a High Risk (red).
• A score of 25 will result in a Critical Risk (magenta)

When browsing the final Risk Rating report, these color-coded sections will allow the user to
quickly and easily identify the assets most and least at-risk through a glance and respond
accordingly.

Each time you update the Risk Likelihood and Risk Impact on the Rating Review screen, the Risk
Impact will automatically re-calculate. If the value for the new Risk Rating falls into a different
color category, then both the value and the color of the Risk Rating will update.
To see more detail for each Component’s Risk Rating, you can hover over or click on the risk
rating value.

114 | IRM|Analysis® Software Manual - Version 5.1.6

The Rating Review page has a filter capability with a great deal of flexibility, allowing you to
select only those values and combinations of values for each field that are most important to
you to see on the screen. To filter the results on the page, click on the funnel icon at the top
right corner of the screen.

For each field in the Search Filter(s), you can select one or more of the possible values available
for that field by choosing from the dropdown menu. You may choose multiple categories in
each field. When you click the Submit button, the combination of the data values you have
selected will be filtered and displayed.

115 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Quick Start Guide: Risk Response
Risk response can be accessed in the main IRM Software menu, from the Risk Response List
• Risk Response List - allows you to see all of your Risks equal to or above your Risk
Threshold at a glance. This is also where you will be able to view and navigate to Simple
Treatment, Threat and Evaluate and Risk Action Plan tabs for each Component
Group/Asset, etc.
 Simple Tab – Allows you to quickly supply the minimum amount of data to
indicate your plan for a control associated with this risk scenario.
 Treat and Evaluate Tab – Supply data about your analysis of each control for
this risk scenario. This includes setting values for Effectiveness, Cost and
Feasibility.
 Risk Action Plan Tab – More fully describe your plan for handling each
Control/Recommendation associated with this Risk Scenario. This includes
Providing a description, set Implementation Details, who is responsible, when
it’s due and when it is implemented.
• Risk Response Optimizer – This page displays the list of Risks that will have the greatest
Impact and the controls that are most affecting your organization.
• Controls Response Review - where you will review your control responses for consistency
and accuracy. In general, “review pages” in the software are intended for reviewing
completed work or making updates to multiple records using the multi-select feature.
• Risk Reconciliation - enables you to close the loop in the Risk Management Life Cycle.
Once controls are enhanced or implemented for a risk, you can update the Risk Rating in
the Risk Analysis directly from Risk Response.

116 | IRM|Analysis® Software Manual - Version 5.1.6

117 | IRM|Analysis® Software Manual - Version 5.1.6

An important Risk Management Activity that is part of Risk Framing, is the determination of
Threshold. Risk Threshold is the specific level of risk that requires treatment by an organization
and is a key element of the Risk Strategy. You will have addressed this and your Risk Tolerance
earlier in the Software. Based on the organization’s Risk Threshold, Risks will require treatment
or acceptance.

Once Risks have been identified during the Risk Analysis process, it is time to work
on a Risk Response. Risk Response begins with Risk Response Identification. The Risk
Treatment options within Risk Response Identification include;
• Risk Acceptance
• Risk Avoidance
• Risk Mitigation
• Risk Transfer

According to NIST SP 800-39, pages 43-44 the next step in Responding to Risks is to Evaluate
Alternatives to respond to the risk and define a course of action based on;
• Effectiveness - the expected effectiveness in achieving desired risk
response...controls can be added or enhanced. To add is to (i) build in additional,
but related, functionality to a basic control. To enhance is to (ii) increase the
strength of a basic control.
• Feasibility- the anticipated feasibility of implementation, including, for
example, mission, business impact, political, legal, social, financial, technical,
and economic considerations.

118 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
A Risk Response Decision should then be made based on an understanding of the Residual Risk
remaining after the course of action is implemented. The course of action to reduce the risk to
acceptable levels is then managed through Implementation Planning. Risk Response
Implementation Planning includes plans for monitoring the effectiveness of risk response
measures, individuals responsible for the risk response and a timeline for implementation of
risk response measures. Once the implementation process has been defined, it’s time to
consider the Risk Action Plan. The Risk Action Plan enables your organization to drive your
planned controls and recommendations to reduce risks to completion. The purpose of the Risk
Action Plan is to provide a central location for all planned implementations, where previous
control information can be reviewed, a priority status can be selected, a completion date can
be designated and a plan status can be entered.

119 | IRM|Analysis® Software Manual - Version 5.1.6

There are several quick filters at the top right on the page to assist you in narrowing down to
exactly what you would like to view.
• Clicking on the My Risks filter will filter down to only the data for risks with you
listed as the Responsible Party.
• By default, this page will not display any risks that you have accepted. Choosing the
Include Accepted filter will display those.
• As with most pages within IRM|Analysis®, there is also a quick funnel filter that
allows you to filter many ways with many combinations.

The Risk Response List page also has a Helpful Hint explaining how to use the page below the
page name as a lightbulb icon.

The Risk Response List enables you to view Risk Scenarios with a Risk Rating and see progress in
a risk response workflow. A Risk Scenario is a specific combination of Threat Source, Threat Event,
and Vulnerability. By default, this page initially displays records with a Risk Rating equal to or
above the Risk Threshold OR with a Risk Treatment Type of Mitigate, Avoid or Transfer. By
filtering with "Include Accepted", risk scenarios with a Treatment type of "Accept" will be
included on the list. In addition, this page will only display data related to risk scenarios where all
controls have a response.

Risk Response is focused on determining the appropriate answers / actions for the Risk Scenario
itself as well as the Controls that are associated with the scenario. The Treatment, Status, and
Risk Reconciliation column reflect your progress through the Risk Response workflow. If a Risk
Response step has not been completed, "TBD" will display in these columns. The "TBD" indicates
that the step has yet to be completed. If a Risk Treatment Type is set to "Accept", you’ll see “N/A”
in the Status and Reconciliation columns.

After you have completed your Risk Analysis, your next step will be to view your Risks equal to
or above the risk threshold on your Risk Response List. On the Risk Response List, you will be able
to see the workflow of Risk Response including the Treatment Type, Approval Status,

120 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Implementation Planning status, Action Plan Status, and determine if the Risk has been
Reconciled. If no action has been taken on a risk then the values will display as TBD for all of these
steps.

Before beginning Risk Response, the Risk Threshold should be confirmed. It has a default setting
of 10 on a 1-25 scale and will serve as a guide in deciding which risks should be Accepted and
which need additional action.

The Risk Response List is a summary of the Risk Response process, organized by:
• Progress
• Component Group
• Asset Name
• Scenario Advisory
• Threat Source/Threat Event
• Vulnerability
• Current Risk Rating
• Residual Risk Rating
• Treatment Status
• Reconciliation Status

The first column on this tabular view of data is the progress bar for Risk Response List. This
progress bar illustrates percentage complete in the Risk Response process based on Risk
Treatment, Evaluate Alternatives, Implementation Planning, Action Plan and Reconciliation
steps. As each step is completed in the workflow, it represents 20% of the progress for the row.
The overall progress bar in the first column header updates as each row reaches 100%. There is
no partial credit applied for each row to the overall progress bar.

121 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
The Second Column is Component Group. This is the Component group added by your
organization to describe the Component Grouping for the Risk Row.

Next is Assets. This is a list of Assets that are grouped with the Risk Row. (1)

Following Assets is the Scenario Advisory. Scenario Advisories are changes made to Algorithms
as defined earlier in the manual. (2)

The next column is Threat Source/ Event. A threat source is characterized as: (i) the intent and
method targeted at the exploitation of a vulnerability; or (ii) a situation and method that may
accidentally exploit a vulnerability. In general, types of threat sources include: (i) hostile cyber or
physical attacks; (ii) human errors of omission or commission; (iii) structural failures of
organization-controlled resources (e.g., hardware, software, environmental controls); and (iv)
natural and man-made disasters, accidents, and failures beyond the control of the organization.
A Threat Event is an event with the potential to adversely impact organizational operations and
assets through unauthorized access, destruction, disclosure, or modification of information,
and/or denial of service and is caused by a Threat Source. (3)

122 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
After Threat Source/Event is Vulnerability. “A vulnerability is a weakness in an information
system, system security procedures, internal controls, or implementation that could be exploited
by a threat source. Most information system vulnerabilities can be associated with security
controls that either have not been applied (either intentionally or unintentionally), or have been
applied, but retain some weakness.” NIST SP 800-30 Rev 1 Page 9. Should you need further
explanation with a specific Vulnerability you may click the orange question mark next to the
Vulnerability name and you will see definitions along with examples. You may also click the blue
hyperlink on each vulnerability to be directed to the Risk Questionnaire Form.

The next column is the Risk Rating. This is the factor of the Risk Likelihood multiplied by the
Risk Impact, as selected by your organization during the Risk Analysis process. You can hover
over the number under the Risk Rating column and it will show you the Likelihood and
Impact settings chosen that determined the Risk Rating.

After Risk Rating, you will find the Residual Risk Rating column. This column will not be
populated with a number until Residual Risk is selected by the customer on the Evaluation
– Risk Treat and Evaluate Form page. The Evaluation responses that need to be answered
include Effectiveness, Estimated Cost, Feasibility, and selected Action for each Control or
Recommendation. Once Evaluate Alternatives steps have been completed, then the
Customer can select the Residual Risk Likelihood and Residual Risk Impact on the Risk Treat
and Evaluate page. These values are used to estimate what risk (if any) would be present
after the selected action steps have been completed. Residual Risk Likelihood multiplied by
the Residual Risk Impact is calculated to populate the overall Residual Risk Rating number.
This is the projected Risk Rating for this Risk after the course of action has been fully
implemented.

123 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Following the Ratings are the Treatment, Status and Reconciliation Statuses. Those are further
discussed and defined below.

You can expand each row on the Risk Response List to make settings that address each risk
scenario. Upon expansion, you’ll see two distinct areas to be addressed. The first area is Risk
Information. This area allows you to set the Risk Treatment Type, assign a Risk Owner, create and
view Notes related to the risk, view the current Status of your response to the risk, approve the
planned response (only users with sufficient privileges can approve a risk action plan), as well as
view and/or set the Residual and Reconciled Risk ratings.

A required step in the Risk Treatment Process is to select a Risk Treatment Type that will best
address the need to reduce a risk to sensitive information. You will have the options of Accept,
Avoid, Mitigate or Transfer from the Select Risk Treatment Type dropdown menu.

Risk Treatment options include:

• Accept
• Avoid
• Mitigate
• Transfer

124 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
The following are definitions of these choices from NIST Special Publication 800-39 pg. 42-23.
• Accept - “Risk acceptance is the appropriate risk response when the identified risk is
within the organizational risk tolerance. Organizations can accept risk deemed to be low,
moderate, or high depending on particular situations or conditions.”
• Avoid - “Risk avoidance may be the appropriate risk response when the identified risk
exceeds the organizational risk tolerance. Organizations may conduct certain types of
activities or employ certain types of information technologies that result in risk that is
unacceptable. In such situations, risk avoidance involves taking specific actions to
eliminate the activities or technologies that are the basis for the risk or to revise or
reposition these activities or technologies in the organizational mission/business
processes to avoid the potential for unacceptable risk. “
• Mitigate - “Risk mitigation, or risk reduction, is the appropriate risk response for that
portion of risk that cannot be accepted, avoided, shared, or transferred.” It typically
involves the implementation of new or enhanced controls and counter-measures to
reduce the likelihood or impact of the risk.”
• Transfer - “Risk transfer is the appropriate risk response when organizations desire and
have the means to shift risk liability and responsibility to other organizations.”

The next section is where you will Select a Risk Owner. Assign responsibility for Risk Response
for this item to someone at your organization who has credentials to the Clearwater software.
The names available for selection on this list will be limited to those who have update
Permissions for this page of the software. Designating a Risk Owner is an optional step in the
Risk Treatment process. Clicking on the Send Email Notification button (paper airplane icon) will
send an email notice to the assigned Risk Owner notifying them that they have Risk Response
responsibilities for this Risk. This notice will be sent to the associated email address for the user
as listed in the Clearwater IRM|Pro® User Management area. The message will be sent from
“Clearwater Compliance Software Message." Note that you can use the Edit Freeform Data to
include an owner that is not set up as a user, but they will not have access to the software. You
will need to set them up as a user in order for them to work.

The message describes the Risk Scenario they are responsible for, including related component,
asset(s), threat, and vulnerability. The user is encouraged to contact the Customer’s Account
Owner if they have questions about the assignment.

125 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Next, Risk Notes can provide a continuous history of the lifecycle of the risk from initial Risk
Rating through Response and Management. You may enter Risk notes and/or view previously
created notes based on your permission level. The number in the Notes icon indicates the
number of existing notes for this risk. Click on the icon to view all Risk Notes.

Next will be the status that was set in Risk Determination. These statuses with their definitions
are:
• Not Evaluated – Not all Controls have an Action
• Evaluated – All Controls have an Action
• Planned – All Controls have an Action set and an Implementation manager and a Due Date
• Deferred – All Controls have an Action set and a plan status of Deferred
• Implemented – All Controls have an Action set and a plan status of Implemented
• Implemented/Deferred – All Controls have an Action set and at least one control has a
plan status of Implemented and others can only have a plan status of Implemented or
Deferred
• Reconciled – The risk has been Reconciled and has been Implemented or Deferred.

Following the Status is the Approved checkbox. A management decision should be made to
approve this course of action. Since control responses often include expenditures and contend
with other projects for limited resources it is appropriate that someone with management
authority approve the course of action. It is best that such decisions be made by someone from
the organization's leadership who owns the risk and with budgetary authority to make such a
decision. The ability to mark alternatives approved can be limited by the permissions capability
in the Manage Account area. The Approval checkbox is not required but its use is recommended.

Next, you will see the Residual Risk Rating which is defined earlier in the software manual. For
clarification the Risk Rating Types are:
• Prior Risk Rating – Rating from the previous Risk Analysis Cycle
• Risk Rating – Current rating as selected in Risk Determination of the current Risk Analysis
cycle
• Residual Risk Rating – Projected Rating based on the evaluation of alternatives in Risk
Response during the current Risk Analysis cycle
• Reconciled Risk Rating – Rating determined during Risk Reconciliation during the current
Risk Analysis cycle

126 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Finally, displayed is the Reconciled Risk Rating. Updates to the Reconciled Risk Rating will
reflect the rating after planned changes have either been implemented or deferred. The final
Reconciled Risk Rating will be applied for the selected Component Group and vulnerability
combination to multiple areas of the Risk Analysis, including Risk Ratings, Dashboards, Risk
Ratings Reports, as well as updating the Reconciliation Status from TBD to Reconciled on the
Risk Reconciliation List

The second area in an expanded row is the Control Plans and Actions section. This area shows all
the controls associated with the risk scenario and allows you to set an action for each control, as
well as create a detailed action plan and set other details for you plan, such as who’s responsible
for implementing the plan (the Implementation Manager) and the date the implementation is
due. For each control listed, you will find the following columns.
• Progress Indicator
• Control Advisory Badge
• Control or recommendation
• Control Tags
• Control Response

127 | IRM|Analysis® Software Manual - Version 5.1.6

On the right side of the panel are three (3) tabs where you can plan a response to the risk. The
first tab is the Simple Tab. True to the name, the Simple Tab allows you to quickly and simply
address a risk. There are dropdown menus to quickly choose the Action to be taken, an
Implementation Manager, and a Due Date. You have a Global option on this tab that will allow
you to mirror a chosen Action on multiple controls.

Next is the Action field. The Action field allows you to select Add, Enhance, and Omit or Not
applicable. Effectiveness and Feasibility must be selected prior to choosing an Action, unless the
value of Not applicable is selected. If you select Not applicable, Effectiveness and Feasibility
fields are not required. Actions:

• Add – Select Add if the control is not present for this Component Group or in your
environment and needs to be added
• Enhance – Select Enhance if the control is only partially implemented and needs to be
improved
• Omit – Select Omit if the Control is not effective or feasible based on your analysis
• Not Applicable – Select if you want to take no action on the control at this time. Not
Applicable is automatically marked for controls that were marked Yes or N/A during Risk
analysis but this may be edited

128 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
All options must have an Action selected before proceeding to the selection of Residual Risk
values.

Next you will see the column for Global. By checking Global for a Clearwater Control, evaluation
information entered for that control will be applied to all Component Groups where this control
applies. That includes Effectiveness, Feasibility, Cost information and Notes.

If Global is not checked, evaluation information entered for this control will only be applied to
this Component Group.

By checking Global for a Custom Control, evaluation information entered for the control may be
applied any time you associate this Custom Control with a Component Group.

When Global is not checked for a Custom Control, evaluation information entered will only be
applied to this Component Group

If the global checkbox is unchecked after having previously been applied to any control, the
global relationship will be removed for that specific control, but data for other Component
groups will not be affected. This allows you to edit the current Clearwater Control or Custom
Control without removing data for other Component groups to which the global control had
been applied.

129 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Documents for Clearwater Controls or Custom Controls are not associated globally when the
Global checkbox is checked.

Next, you have the option to choose an Implementation Manager.The

Implementation Manager is the person that is responsible for applying and
executing the plans for the specific control. This is a dropdown box where
you will be able to select from a list of personnel at your organization that
have ‘Update’ permissions for the Implementation Planning page to assign
an Implementation Manager. (For more information on Permissions, go to
Manage User Permissions: Default and Custom Roles).

Next is the Implementation Due Date. This is when you expect the full
implementation to be complete.

Implemented Date is the date that you complete your Risk Treatment on that control for that
Risk Scenario.

The next three fields are Control Notes, Upload Documents and Clear. These fields are editable
and can be treated the same as the columns found in the Risk Treat and Evaluate Form. Clear will
removed your answers. These columns are found on all three tabs and perform the same way on
all three.

Risk Notes entered during the Risk Determination phase can be viewed in the Risk Response
phase but cannot be deleted. Risk Notes entered during the Risk Response phase, however, can
be deleted from the Risk Response pages. Risk Notes are labeled with the phase during which
they were entered, such as: Risk Determination, Risk Treatment, Evaluate Alternatives, etc.

The optional Treat and Evaluate Tab and Risk Action Plan Tab are found to the right of the Simple
Tab. These tabs allow you to provide additional detail about your planned risk response, such as
evaluating Effectiveness, estimating costs to implement your plan, and assessing plan Feasibility.
You’ll find help icons (?) on each of the tabs to help you understand the data requested on each
tab.

130 | IRM|Analysis® Software Manual - Version 5.1.6

On this page, you will select the best Risk Treatment Option (Mitigate, Avoid, Transfer or Accept)
for reducing a risk to sensitive information. The Treat and Evaluate tab includes evaluating each
Control and Recommendation for its Effectiveness, Estimated Cost, and Feasibility. Based on NIST
Standards, a thoughtful evaluation of alternative controls to reduce risk is recommended.

The first column is Effectiveness. Effectiveness is the expected value in achieving a desired risk
response. Ask yourself, ‘How effective will implementing this course of action be in reaching our
desired risk level based on our Risk Threshold?’ From this section, you can select ‘Highly
Effective’, ‘More Effective’, ‘Effective’, ‘Less Effective’ or ‘Not at all Effective’ from the dropdown
menu. Selecting the effectiveness is a required step in the Evaluate Alternatives process.

The next column is Estimated Cost which is the approximate financial amount that will be
absorbed by your organization if the current plan of action is executed. Although this is not a
required field during the Evaluate Alternatives process, it is a good practice to add the dollar
amount associated with the plan of action to help determine its feasibility.

131 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Next you will see Feasibility. Feasibility is the anticipated feasibility of implementation, including,
for example, mission, business impact, political, legal, social, financial, technical, and economic
considerations (NIST SP 800-39 pg 43-44). Ask yourself, ‘How possible and reasonable is this
plan’? The available options for choosing feasibility are ‘Highly Feasible’, ‘More Feasible’,
‘Feasible’, ‘Less Feasible’ and ‘Not at all Feasible’.

The next two columns are Global and Action, both of which are covered in the Simple Tab
section of the manual.

132 | IRM|Analysis® Software Manual - Version 5.1.6

The Risk Action Plan tab enables your organization to drive the implementation of your planned
controls and recommendations to reduce risks. The idea for the Risk Action Plan is to review each
control (row) and to select a priority, completion date and plan status. To assist you in managing
implementation, we have included all Evaluation information (as entered during the Evaluate
Alternatives process) and Related Risk Information to the individual control. The columns not
covered on Simple Tab or Treat and Evaluate Tab are Description, Plan for Monitoring
Effectiveness and Plan Status/Priority.

For the Description field, it is recommended that you use a proper name or brief description for
the plan. For example, if the control or recommendation is ‘Encryption of backup media’, the
Description would most likely be the Proper Name of the Encryption.

After the Description will be Plans for Monitoring Effectiveness. Here, you will enter the detailed
strategy for how you plan to test the control initially and monitor the control periodically once it
is in place. Both fields will reflect the description and plans for monitoring effectiveness earlier
in your Risk Determination process and can be edited/added from here.

Finally, we have the Plan Status/Priority column. You have the ability to choose a Priority value
of Urgent, High, Medium, Low and the default value is select.

133 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
When funding and resources are constrained there are
significant benefits to placing a priority on the implementation
of actions that reduce a number of risks at the same time. That
type of activity is called Risk Response Optimization.

134 | IRM|Analysis® Software Manual - Version 5.1.6

The Risk Response Optimizer displays the list of Risks that will have the greatest impact on your
organization. This is an ideal place to view what should be considered your top priorities. It will
only display risk rating information that is equal to or above your threshold and controls that
have a response of In Progress and No. This is an informational page that will show you what you
need to address.

There are three levels in the Risk Response Optimizer. On the first level you are able to see the
Controls above the threshold (shown in the header row) that your organization has chosen. The
page is sorted so that you will always see the Control that has the most critical number of risks.
It also displays the number of Risks associated with that control as well as the average Risk Rating.
In each level there is also the option to choose the hyperlink Risk Response, when if chosen, will
take you to the Risk Response List which will be filtered for what information you were viewing
on the Optimizer. Below is a screenshot of level 1 and the important fields to note.

If you expand the first level by choosing the + symbol, you are able to see the vulnerabilities that
are associated with the control. As in the first level, you are able to choose the Risk Response
hyperlink.

135 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
You can expand further, and the third level will show you which Component/Group, Assets and
Scenarios that are associated with the vulnerability. To address these individually, simply choose
the Risk Response link, and you will again be taken to the Risk Response List.

136 | IRM|Analysis® Software Manual - Version 5.1.6

The Controls Response Review page stores all of your control responses and allows you an overall
view to your selections. These will include all of the Evaluation information you have chosen,
your plans for Implementation and your Risk Action Plan. This list is helpful for easy review of
both consistency and accuracy. This page displays controls associated with a Risk Rating that is
equal to or above your Risk Threshold, or with a Risk Treatment type of Mitigate, Avoid, or
Transfer.

You will navigate to Controls Response Review in the Main Menu of the IRM
Software under Risk Response.

Just as in Risk Response List, there are three tabs on the Controls Response
Review Page. Please refer to Risk Response List (pg 120) for Simple Tab,
Treat and Evaluate Tab and Risk Action Plan Tab for detailed instructions
and definitions.

In Summary
• Simple Tab – Default for all Control Plans and Actions
• Treat and Evaluate Tab – Document the evalution of each risk as well as
the treatment.
• Risk Action Plan Tab – Allows the analyst to describe, in detail what the
plan is for risk remediation.

You may expand each row where you will see the Threat Source/Threat
Event, Vulnerability, Current Risk Rating and Residual Risk Rating as well as
the Risk Treatmenet and Risk Status. You can choose the hyperlink under
the Risk Response column and that will take you to the Risk Respones List for that scenario.

Use this tabular view to sort by column name, or click the filter icon to customize your view.

As with other pages within Risk Response, all tabs will also let you Filter, Clear Filter, Print or
Export. Using filters to focus review and editing is highly recommended in use of this page.

137 | IRM|Analysis® Software Manual - Version 5.1.6

The Risk Reconciliation process follows a linear workflow. You must first complete
Implementation Planning and update the Risk Action Plan after completing the remediation steps
for the control before you will be able to calculate a Reconciled Risk Rating.

The Risks on this page are filtered based on the Risk Action Plan Status as follows:

• All Controls for a risk must have a status of Implemented or Deferred

• If all Controls related to a specific Risk are marked Deferred on the Risk Action Plan Tab,
the Risk will not display on the Risk Reconciliation page. At least one of the controls must
have a status of Implemented in order to display.

Risk Rating Types have previously been defined, but should you need guidance, you may click the
help icon at the top left of the page.

Updates to the Reconciled Risk Rating will reflect the rating after planned changes have either
been implemented or deferred. The final Reconciled Risk Rating will be applied for the selected
Component Group and vulnerability combination to multiple areas of the Risk Analysis,
including Risk Ratings, Dashboards, Risk Ratings Reports, as well as updating the Reconciliation
Status from TBD to Reconciled on the Risk Reconciliation List.

The first column on the Risk Reconciliation List is where you can click on the blue + symbol to
view the associated Clearwater Controls and their related NIST mappings for that Component
Group threat and vulnerability combination. Details from the Risk Action Plan such as
Implementation Manager, Due Date, Completion Date, Plan Status, Control Notes and uploaded
documents will display in the expanded view.

138 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
You can then click on the sub-row blue + symbol. When this is expanded the Risk Action Plan
summary for the control is displayed. While you are able to update the Description and Plans for
Monitoring Effectiveness verbiage, the other fields are taken from the Risk Action Plan page of
the software. Should you wish to edit these, you will need to go to Risk Action Plan.

Next is the progress bar which will display the overall completion percentage for Risk
Reconciliation and is calculated using the number of risks with a Risk Rating divided by the
number of risks that meet the filter criteria applied on the page.

The next columns on this page are Component/ Group Name, Asset Name, Threat Source, Threat
Event, and Vulnerability. None of these fields are editable and are taken directly from the
information you supplied in Risk Determination and Risk Response.

139 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
The next column is the Prior Risk Rating. If you have chosen Risk Likelihood and Risk Impact in
the column selector, they will be in view, otherwise they are hidden. These fields are read only,
and were selected during the Risk Determination Process.

After Prior Risk Rating is Risk Rating and Residual Risk Rating as defined above.

The most important feature on this page is the Reconciled Risk Rating. Selections can be made or
changed for your Reconciled Risk Likelihood and Risk Impact. Based on the implementation of
new or enhanced controls were you able to achieve a Reconciled Risk Rating lower than the
predicted Residual Risk Rating? Did some controls get deferred and perhaps the Reconciled Risk
Rating will be higher than the predicted Residual Risk Rating? If you make changes here, you will
receive a warning pop-up that tells you that updating the Reconciled Risk Rating will also update
the ratings in Risk Analysis. This will also update on Dashboards, Risk Rating Report and other
areas for this Component Group and vulnerability.

140 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
The next three columns are Reconciliation Status, Date Reconciled, Risk Owner (non-default) and
Risk Approver (non-default). The Reconciliation Status and Date Reconciled are set when the
Reconciled Risk Rating is updated on this page. The Risk Owner, if populated, was selected on
the Treat and Evaluate page or other places in the workflow. If the Reconciled Risk Rating has not
been set, the Reconciliation Status and Date will be TBD. It will not show reconciled until you
have chosen the Reconciled Risk Rating.

The final column is the Multi-Select Box. Use this column if you want to quickly update multiple
Reconciled Risk Ratings. Click the checkbox on each row you want to update and select a response
on the purple row.

If you choose to clear prior responses you will receive a warning pop up that this action cannot be
undone.

141 | IRM|Analysis® Software Manual - Version 5.1.6

The Risk Reconciliation List page has a filter capability with a great deal of flexibility, allowing you
to select only those values and combinations of values for each field that are most important to
you to see on the page. To filter the results on the page, click on the funnel icon at the top right
corner of the page.

For each field in the Search Filter(s), you can select one or more of the possible values available
for that field. Click the dropdown box under each field name to display a list of values for that
field from which you can select. When you click the Submit button, the combination of the data
values you have selected will be filtered and displayed.

You can quickly clear any filters you have chosen by clicking the Funnel Ion with a red circle and
crossthrough.

The Risk Reconciliation List may also be exported to Excel or PDF by clicking on the printer icon
link in the upper right corner of the page. The data will be exported in .csv or PDF format.

142 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Documents
The Document screen functions as a central library, allowing you to see and manage all
documents that have been uploaded into the system. Risk Response and Risk Determination both
have document upload capabilities and you can view those here as well as add any new
documents. You can access the documents screen in the Main Menu of the IRM Software.

There are two levels in the list of documents. The top level shows the current file name associated
with the uploaded file. Here you will see the File Name, Control Name, Component and Asset
Name. When a file is uploaded directly in the Documents page, the Control Name, Component,
and Asset Name(s) will display N/A. Additionally, when a file is uploaded from elsewhere in the
software at a global level the Component and Asset Name(s) fields will display N/A.

You can click the blue + icon next to the filename and it will expand to show any or all previously
uploaded versions (known as version-level filename) with the most recent first. In this sub-row
you can see the:
1. File Name
2. Who Uploaded the file
3. Date it was uploaded
4. Size of file
5. Type of file

143 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
For all documents, you may choose to Upload a document, view/add notes, view or download a
file or delete. To view or add notes click on the blue note icon. Top-level notes and version-level
notes are the same.

To upload a new version, click the Upload icon in that row. An Upload document dialogue box
will display. Browse to the file to upload and click the Upload button. The dialogue box will close
and the new version will now show as the current file name with the previous version listed below
it.

To delete a file, you will click the red x icon. If you choose to delete a top-level document, you
will receive a pop up warning box cautioning you that it will delete all documents in the version
level as well. You may also delete a file from the version level which will not affect any files on
the top-level.

To upload a file that is not associated with the other records begin by clicking the upload button
in the header. This will create a new document file name in the top-level documents.

144 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
The Documents page has a filter capability with a great deal of flexibility, allowing you to
select only those values and combinations of values for each field that are most important
to you to see on the page. To filter the results on the page, click on the funnel icon at the
top right corner of the page. You can filter by File Name, Control Name, Component Group
and/or Asset(s) Name. To quickly remove any filters previously set, you can click the funnel
item with a red cross-through.

There is also a Quick Filter that lets you choose which Control Type you would like to view
the Documents for. The options are All Controls (Default), Administrative Controls, Asset
Related Controls, Parent System/Data Center Controls, and Subsidiary/Child/Clinic
Controls.

Documents may also be exported to Excel or PDF by clicking on the Printer Icon in the upper right
corner of the page. The data will be exported in .csv format. For more information, please see
Appendix A – Export to CSV / Excel.

Clicking on the Column Selector icon displays a dropdown list with the names of the columns that
can be hidden or displayed by clicking on it.
• Selected/displayed columns are identified with a green checkmark
• Non-selected/hidden columns are identified with a red checkmark
• As changes are made, the page updates to reflect column changes.

145 | IRM|Analysis® Software Manual - Version 5.1.6

146 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Quick Start Guide: Reports
Reports are accessed in the main IRM Software menu by clicking on the Reports menu. All reports
can be saved as part of each version history data snapshot excluding the Enterprise Extracts. They
can also be printed and exported to Excel and PDF unless otherwise noted.

• Risk Rating Report – This report can be used to prove that you have completed a Bona
Fide Risk Analysis
• Risk Rating Detail Report – Shows a listing of all unique risks by Component Groups
• Asset Inventory Report – This report displays information Assets that you have entered
while completing your Asset Inventory
• Risk Response Detail Report – This report shows risks identified in the Risk Analysis and
associated Control Improvements
• NEW Risk Response Control Status Summary Report – This is our new Operational
Reporting tool that is currently in Beta testing. While it is currently available to use, we
are retaining our old reports until we have perfected it and the following two reports. This
report is broken down by Assets, which then display the Risk Scenario and all control
statuses.
• NEW Risk Rating Detail Report - This is our new Operational Reporting tool that is
currently in Beta testing. It displays the same information as the old Risk Rating Detail
report, but is delivered in a timelier manner and better format.
• NEW Asset Component Group Report - This is our new Operational Reporting tool that is
currently in Beta testing. It displays the Asset, asset status and pertinent Component
Grouping/type information.
• Enterprise Extracts – The Enterprise Extracts sub-menu is only visible to those in the
Enterprise Account Owner role or special roles with the Enterprise Extracts permissions.
They include Data for every entity across the Enterprise. There are ten standard reports
and each report has a detailed description of what is included on it on the Enterprise
Extracts Page
➢ Entity List Detail
➢ User Roles Detail
➢ Asset Inventory
➢ Asset Grouping
➢ Risk Response List
➢ Component Groups Detail
➢ Physical Locations by Entity
➢ Risk Rating Detail
➢ Risk Rating
➢ Risk Action Plan
• Version History (data snapshot) – This report is a collection of reports, each of which is
captured and saved as a point in time data snapshot whenever a Version History is added
• Component Groups Detail Report – This report displays details for each Component
Group followed by a listing of the Assets contained in each group

147 | IRM|Analysis® Software Manual - Version 5.1.6

The Risk Rating Report can be used to prove that you have completed a bona fide Risk Analysis.
It includes all of the key elements of a Risk Analysis, including the Component Group that stores
the sensitive information, Threat Source/Event, Vulnerability, Risk Likelihood, Risk Impact, and
overall Risk Rating, Created Date and Updated Date, as well as the Physical Location.

The first column is the Scenario Advisory column and will be helpful to you when there are
changed to Scenarios. These include New, Updated and Sunset. There is also a quick filter so
that you filter down to either:
• Active
• New
• Updated
• Sunset
• Pending Sunset
• New or Updated

There are several navigational options in the Risk Rating Report. For example, you can click
arrows next to each column name to sort the report.

The colors used on the Risk Rating Scale are determined by the severity of the risk presented
based on the answers provided by the user. Using the "Risk Rating for this Threat/Vulnerability
for the Component(s) Listed Above" section of each page in the questionnaire, a number is
calculated by multiplying the Risk Likelihood and Risk Impact.

The colors assigned are coordinated as follows:

• A Risk Rating score of 0 will result in No Risk (white)
• A score of 1-7 will result in a Low Risk (green)
• A score of 8-14 will result in a Medium Risk (yellow)
• A score of 15-24 will result in a High Risk (red)
• A score of 25 will result in a Critical Risk (purple)

When browsing the final Risk Rating report, these color-coded sections will allow the user to
quickly and easily identify the assets most and least at-risk through a glance and respond
accordingly.

148 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
If you click on the Risk Rating column header, the report will display all Risks from lowest to
highest or from highest to lowest, alternating and re-sorting each time you click the column
name header. Each time the report re-sorts, you may see a dialogue box that says “Please wait”
while the data is being sorted for display on the screen.

If you want to see more detail about any particular Risk rating, you can click on the hyperlink
under the Vulnerability column and go back to review the Risk Questionnaire form.

If you have used the Version History capability in the software, you will be
able to view prior versions of the Risk Rating Report. Click on the History
drop-down and select the date/timestamp of the Risk Rating Report you’d
like to review. This allows you to show improvement over time at a detailed
level. For more information, go to the Version History instructions.

Reports can be exported to Excel by clicking on the Printer icon at the top
right corner of the page. For more information, go to Appendix A –
Exporting to CSV / Excel.

149 | IRM|Analysis® Software Manual - Version 5.1.6

The Risk Rating Detail Report will show a listing of all unique risks (threat-vulnerability
combinations) identified for each Component Group, the Risk Rating score, control responses
and associated risk notes. The report’s default sort is by the Risk Rating, descending order to
show the highest risks first.

The first column is the Scenario Advisory column and will be helpful to you when there are
changed to Scenarios. These include New, Updated and Sunset. The first column is the Scenario
Advisory column and will be helpful to you when there are changed to Scenarios. These include
New, Updated and Sunset. There is also a quick filter so that you filter down to either:
• Active
• New
• Updated
• Sunset
• New OR Updated

This report can be used to review all identified risks and to show that the organization has
conducted a bona fide risk analysis of their information assets. Data cannot be edited or
changed from the report screen, but clicking on the vulnerability link will direct the user to the
Risk Questionnaire Form for that risk. Edits can be made to the data in the Risk Questionnaire
Form.

150 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
By default, current data is used for the report. To use data captured in a previous version or
snapshot, select the date of the snapshot from the History Quick Filter. Once selected, the
report will update to reflect data from that snapshot. To display the current data in the report
again, select Current from the list.

A filter can be applied to the list to

find rows that meet specific criteria.
To apply a filter, click the Filter icon
(a funnel). Select the criteria for the
filter using the dropdown lists in the
filter form and click the Submit
button. The list will only display the
rows that meet the selected criteria.

When a filter is applied, the remove filter icon will display. To remove the filter and display the
entire list, click the Remove Filter button.

151 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
You can generate an Excel or PDF file containing the report, which may then be printed. To
generate this report, click on the Printer icon in the upper right corner. The file will download to
the download folder or other location set by the user on the user’s computer. The displays a
prominent date time stamp in the header which is useful in demonstrating a history of
performing Risk Analysis each year or more. This is also important in the unfortunate event of
an audit or investigation.

152 | IRM|Analysis® Software Manual - Version 5.1.6

Once the Asset Inventory phase is complete, the Asset Inventory Report will show a listing of all
information assets. An asset is a business application, system or solution that creates, receives,
maintains or transmits sensitive information, such as Protected Health Information (PHI),
personally identifiable information (PII), payment card data, company proprietary business
plans or financial data, etc., the confidentiality, integrity and availability of which must be
safeguarded for the sake of overall business risk management. This report can be used to
review all information assets that have been included in the risk analysis. Editing of data may be
done in the Asset Inventory area of the application under the Asset menu item in the left
navigation pane.

As with other Reports and most Dashboards in the Clearwater Compliance software, a Version
History data snapshot can be saved of the Asset Inventory Report. Each Version History may
then be viewed by clicking on the History drop-down box at the top right corner of the page,
and selecting the date/time stamp of the data snapshot you would like to review. For more
information, go to the Version History instructions.

You may decide what columns are most important for you to view or print and choose those in
the column selector so that only the information you need is displayed.

Asset Inventory Report has a filter capability with a great deal of flexibility, allowing you to
select only those values and combinations of values for each field that are most important to
you to see on the screen. To filter the results on the page, click on the funnel icon at the top
right corner of the screen.

When a filter is applied, the remove filter icon will display. To

remove the filter and display the entire list, click the Remove
Filter button.

You can generate an Excel or PDF file containing the report, which may then be printed. To
generate this report, click on the Printer icon in the upper right corner. The file will download to
the download folder or other location set by the user on the user’s computer. The displays a
prominent date time stamp in the header which is useful in demonstrating a history of
performing Risk Analysis each year or more. This is also important in the unfortunate event of
an audit or investigation.

153 | IRM|Analysis® Software Manual - Version 5.1.6

On this report, you can view risks identified in the Risk Analysis and associated control
improvements. Use this report when you want to demonstrate that specific actions are being
taken to reduce risks. This report is sorted by Risk Rating in descending order. Data cannot be
edited or changed from this screen. Available information can be seen in the Header of each
column in the screenshot below.

The first column is the Scenario Advisory column and will be helpful to you when there are
changed to Scenarios. These include New, Updated, Pending Sunset and Sunset. The first
column is the Scenario Advisory column and will be helpful to you when there are changed to
Scenarios. These include New, Updated and Sunset. There is also a quick filter so that you filter
down to either:
• Active
• New
• Updated
• Sunset
• New OR Updated

There are some important quick filters on this page. By default, the page shows those controls
that have an Action of Add or Enhance as entered on the Treat and Evaluate form. You can
display all controls, even those that have no Action value in Risk Response by selecting Controls
Show All. You can use the Controls Selector to Show All or Add/Enhance. Add/Enhance will only
show you Controls that have Add or Enhance selected as an Action. If you choose Show All,
then it will display all Controls that have an Action of Add, Enhance, No Change, Omit or TBD.
The default View is Show All.

154 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
By default, this report shows risks that are equal to or above the Risk Threshold or that have a
Risk Treatment Type of Mitigate, Avoid or Transfer as entered on the Treat and Evaluate form.
You can display all risks, even those that have a Risk Treatment type of Accepted by selecting
Include Accepted. You may also choose Hide Accepted to exclude risks that have a Risk
Treatment set to Accept.

There are a number of navigation options in the Risk Response Detail Report, including arrows
next to or beneath the column names so you may sort by any of those.

A filter can be applied to the list to find rows that meet specific criteria. To apply a filter, click
the Filter icon (a funnel). Select the criteria for the filter using the dropdown lists in the filter
form and click the Submit button. The list will only display the rows that meet the selected
criteria.

When a filter is applied, the remove filter icon will display. To remove the filter and display the
entire list, click the Remove Filter button.

You can generate an Excel or PDF file containing the report, which may then be printed. To
generate this report, click on the Printer icon in the upper right corner.

155 | IRM|Analysis® Software Manual - Version 5.1.6

This report is new and included in our new Operational Reporting project. It is currently in Beta
testing for all customers. This report includes Assets, Component Groups, Risk Scenarios, Current
Risk Rating, Residual Risk Rating. Treatment Type, as well as all other relevant Risk Response
information.

You may choose to filter by several points of data by choosing the (?) symbol on the left of the
report.

156 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
This report can also be exported to your chosen format by utilizing the export button. The report
will export the data that is displayed on the screen, whether you have a filter chosen or not.

You may also utilize the find function to look for specific data. Simply choose the Binoculars Icon
to open the Find dialogue.

157 | IRM|Analysis® Software Manual - Version 5.1.6

The New Risk Rating Detail Report has the same functions as all of the new reports, with filtering,
find and exporting. This report contains Component Group Name, Scenario Advisory, Threat,
Vulnerability, Likelihood, Impact, Rating, Created Date, Updated Data as well as the Assets,
Controls, Control Type, and the Control Response.

158 | IRM|Analysis® Software Manual - Version 5.1.6

This report displays relevant Component Groups information for each asset in your Asset
Inventory List. Columns displayed are Asset, Asset Status, Component Type, whether it is in a
default group or not, Component Group, Physical Location, Component Group Creator, Date it
was created, and when the asset was added to the Group.

159 | IRM|Analysis® Software Manual - Version 5.1.6

The Enterprise Extracts submenu is visible only to those in the Enterprise Account Owner role.
An Enterprise Extract report is not based upon the entity displayed in the entity dropdown
when an organization has multiple locations, but instead includes ALL data for every entity
across the entire Enterprise, rendered in CSV file format.

Standard enterprise extract reports have been configured to provide information for key
reporting areas:

• Entity List Detail

• User Roles Detail
• Asset Inventory
• Asset Grouping
• Risk Response List
• Component Groups Detail
• Physical Location by Entity
• Risk Rating Detail
• Risk Rating
• Risk Action Plan

Descriptions and specifics of each Extract can be found in the Enterprise Extracts page next to
the name of each report.

160 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
To further customize the data provided in the extracts, use
the filter to tailor the report to provide the data you would
like to see. For example, the use of filters can provide data
for a single entity or a grouping of entities based upon
state, region, division, industry specialty or industry type.

If multiple entities are selected in the filter, extracted data

will include data from all those entities.

Risk related reports can be configured to display a specific

range of risk ratings, and risk severity, for example, or users
may want to filter by a set of controls or by a certain type of product.

The filter function will support the selection of multiple values within a single filter. After
clicking in the filter field, begin typing to narrow the list dynamically. Once you have made all
your filter selections, click Submit to apply the filter.

You will then choose which Enterprise Extract you would like to Save as a CSV file by clicking the
report name, at which time you will receive a pop up. At this time, you may save this file to your
desired location. Extract .CSV filenames shall include the extract title and date and time of
export.

Some of the larger Enterprise Extracts, such as the Risk Rating Detail will generate a file that will
automatically download to your Documents page in the software. You will receive a message
when this is going to occur. Please be patient while waiting for the report. You will also receive
an email when it is available to view.

Enterprise Extracts are not included in version history snapshots. If you would like to
version your Enterprise Extracts, we recommend you run reports at the desired frequency and
save them to your Documents library.

161 | IRM|Analysis® Software Manual - Version 5.1.6

Clearwater Compliance has a Version History feature that allows you to capture all reports and
dashboards associated with an assessment at one time. This will then allow you to refer to
them during future Risk Management audits. Once you have completed a Risk Analysis, it’s a
good idea to capture this snapshot to use as a baseline and show improvement over time.
Version History is available for all Dashboards and Reports in the IRM Software, with the
exception of Enterprise Extracts.

Click on the Version History link on the left navigation menu of the page. This will open the
Version History page, which lists all saved reports and dashboards throughout the software by
time/date stamp.

162 | IRM|Analysis® Software Manual - Version 5.1.6

To create a Version History data snapshot, Click the +New blue box at the top of the Version
History snapshot list grid to add a new Version History snapshot.

When the Create new entry window opens, add whatever Notes you would like to include with
the Version History into the Notes field, such as the purpose for this Version History being
saved (for example, end of first Risk Analysis completion, or Quarterly Risk Management Audit,
etc.). Then, click the Create button to save the new Version History. *Enterprise Account
Owners now have the option to take Enterprise Level snapshots in every entity with just one
click.

Once the new Version is saved, the Version History page will re-load, and you will see all saved
Versions in the Version History list.

163 | IRM|Analysis® Software Manual - Version 5.1.6

To edit notes associated with a Version History, click on the desired Version History snapshot
row of information you wish to edit on the Version History list page. Once the row is
highlighted, click the Orange Edit box above the list.

Make appropriate changes to the notes for that Version snapshot, and then click the Update
button.

Helpful Hint: You can edit comments / Notes associated with previous Versions.
However, be aware that you cannot change prior responses or risk ratings, prior security
assessment responses, or prior privacy assessment responses. This allows the integrity of the
Assessment Histories to be maintained.

Review a Version History Data Snapshot

You can view version history from all dashboards and reporting screens. First, decide what
report or dashboard you would like to view and go to that page in the IRM software. By default,
you will view the current data for that report. To view a Version History snapshot, select the
History dropdown menu at the top right of the page.

The Version data snapshots that have been saved will be listed in reverse chronological
order, with the most recent Version History snapshot being the first one in the list.

Click on the version you would like to view based on the time/date stamp and version number.

164 | IRM|Analysis® Software Manual - Version 5.1.6

To delete a Version History data snapshot, click on the row of the Version History you would
like to remove. This will highlight the row. Then click the Red Delete box with the trash can
icon at the top of the Version History list grid. Confirm the deletion on the deletion warning
dialogue box by clicking the Delete button. If you change your mind, you can click the Cancel
button on the warning dialogue box and you will return to the original Version History list
without deleting any Version History data snapshot.

Component Groups Detail Report

The Component Groups Detail Report Page displays the following details for each Component
Group: Component Group Name, Component Category, Component Type, Default Group
indicator, Risk Owner, Due Date, Physical Location, Group Properties, followed by a listing of
Assets contained in the group.

By default, current data is displayed in the report.

To display data captured in a previous version or
snapshot, select the date of the snapshot from the
History button in the toolbar in the upper right area
of the page. Once selected, the report will update
to display data from the selected snapshot. To
display the current data in the report again, select
Current from the History Quick Filter.

A filter can be applied to the list to display only rows that meet specific criteria. To apply a filter,
click the Filter (funnel) button. Select the criteria for the filter using the dropdown lists in the
filter form, then click the Submit button. The list will display only the rows that meet the selected
criteria. When a filter is applied, the Remove Filter button will appear to the right of the Filter
icon. To remove the filter and display the entire list again, click the Remove Filter button.

165 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
You can export the report as a PDF or Excel file, which may then be printed. To export the report
as a file, click the Print button in the toolbar and choose “EXCEL” or “PDF”. Note: The Asset listing
will not be included in the PDF or Excel version of the report. The PDF displays a prominent
date/time stamp at the bottom center of each page, which is useful in demonstrating a history
of performing Risk Analysis each year. This is also helpful in the unfortunate event of an audit or
investigation.

166 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Notifications
To get to the Notifications Screen, click on the Bell icon link in the upper right side of the page
header. Notifications include information on Release Notes, Software Enhancements, Customer-
Requested features, Algorithm changes, new Video Tutorials and upcoming Webinars. If a new
notification is available, you will see the number highlighted red next to the bell icon. You can
view the notifications any time by clicking on the icon while on any page.

167 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Clearwater Help Center and Customer Forum
This searchable, online tool is the central library for help with everything HIPAA and Clearwater
Compliance Software Solutions and includes:
• Articles
• Write Boards
• Video Tutorials
• Product User Manuals
• FAQ’s
• News and Announcement
• HIPAA Resource Library
• Ask and answer questions about specific metrics or features of the Clearwater products
• Share tips and tricks
• Makes connections with other compliance professionals
• Access customer-only resources that answer FAQ’s or explain key concepts.

The Help Center is a self-service feature, meaning that it gives you the opportunity to solve your
own issues easily. Providing this feature in one more way that Clearwater is dedicated to making
sure our clients have the information they need, when they need it and ensuring customer
satisfaction. To access the Help Center, click the Lifesaver icon at the top right of all Clearwater
screens.

All Clients and end users are considered members of the Clearwater Community and encourage
to visit the Customer Forum.

168 | IRM|Analysis® Software Manual - Version 5.1.6

© 2011-2020 Clearwater Compliance LLC  All Rights Reserved 
Keys for Success
• Top Management Sponsorship and Oversight
• Mutual agreement by Senior Management on the risks, and the costs
associated with mitigating those risks, to ensuring understanding
throughout the organization and appropriate informed decision-making on
the priorities to be undertaken
• Sufficient budgets to ensure risk mitigation on agreed priorities
• Specific assignments for risk mitigation by name for areas of responsibility
• Rigorous project tracking with frequent updates on progress

A successful IRM|Analysis® and management program depends on people—people given the

authority and assuming responsibility for complying with policy and following procedure, for
awareness and reporting incidents, and for offering suggestions for mitigating risk.

The Security Rule contains many more administrative and physical safeguard standards than
technical standards. Even as it only addresses protected health information in electronic form,
it is people that make security happen.

169 | IRM|Analysis® Software Manual - Version 5.1.6

1. Health and Human Services – Office for Civil Rights, “Guidance on Analysis
Requirements under the HIPAA Security Rule”,
(https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/secur
ityrule/rafinalguidancepdf.pdf)

2. National Institute of Standards and Technology (NIST) Special Publication 800-30,

"Risk Management Guide for Information Technology Systems"
(http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf)

3. National Institute of Standards and Technology (NIST) Special Publication 800-

33, " Underlying Technical Models for Information Technology Security"
(http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-33.pdf)

4. National Institute of Standards and Technology (NIST) Special Publication

800-66 Revision 1, "A Resource Guide for Implementing The HIPAA Security
Rule" (http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-
66r1.pdf)

5. National Institute of Standards and Technology (NIST) Special Publication 800-

14, “Generally Accepted Principles and Practices for Securing Information
Technology Systems”
(http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-14.pdf)

6. National Institute of Standards and Technology (NIST) Special Publication 800-53

Revision 4 Final, "Recommended controls for Federal Information Systems and
Organizations" (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-
53r4.pdf)

7. Notice of Proposed Rulemaking (NPRM) – “Modifications to HIPAA Privacy, Security

and Enforcement Rules under The Health Information Technology for Economic and
Clinical Health Act (HITECH)” (https://clearwatercompliance.com/hipaa-hitech-
news/omb-receives-hipaa-hitech-omnibus-final-rulemaking-from-hhs/)

8. “HIPAA Security Final Rule” (https://www.hhs.gov/hipaa/for-

professionals/security/index.html)

170 | IRM|Analysis® Software Manual - Version 5.1.6

Appendix A – Export to CSV or PDF

Some of the Reports and Dashboards in the IRM Software are exportable to Excel (in .csv format)
or PDF. If a report or dashboard is exportable, you will see a Printer or Tri-Bar Icon in the upper
right corner of the screen). In this example, using the Asset Inventory Report, the Printer icon link
is visible in the top right corner of the report page.

When you click on the Export to Excel link, the IRM Software will automatically create a .csv of
the Asset Inventory Report and will either download it automatically to your computer, or will
prompt you for where to save the .csv file (based on how you have set up your own computer’s
settings). If the file downloads automatically, in most browsers the file will be shown in the
bottom left corner of the browser screen, as illustrated below.

If it prompts you to save it, then this will display along the bottom of your computer and when
you click ‘Save’ it will open it for you in the format of that you have chosen.

When you click on the .csv file to open it, you will see the Asset Inventory Report data displayed
in columnar format.

171 | IRM|Analysis® Software Manual - Version 5.1.6

At this time, you may either Save or Print your files.

Appendix B – How to print or export Dashboards using the tri-bar menu icon

Some of the dashboards allow exporting or printing using the tri-bar icon under the filter icon or
history version dropdown in the upper right corner of the page. To accomplish this: click on the
icon and place cursor on the format desired and click the mouse. Some dashboards will allow
printing the page or downloading in these formats: .png, .jpeg, .pdf, .svg, .csv, .xls or .xlsx. In most
instances, the downloaded files will appear on the download ‘shelf’ at the bottom of the page for
chrome browsers or any number of other places depending on which browser you use. For
additional help you can refer to Appendix A.

172 | IRM|Analysis® Software Manual - Version 5.1.6

Search allows you to view Search Fields at the top of lists. Simply click the Search button
located (usually) at the top right side of the page.

A good example of using the Search feature is on the Asset Inventory List page. To search for a
specific Asset, simply type in the word(s) related to the Assets that you wish to find and press
the Enter key. This will load only the Assets into the list that match your search terms. In
addition, if you only type in part of a word, the Search functionality will return all Assets
matching that partial term. For example, typing in “Brent” into the search field will return all
rows with Brent mentioned anywhere for that Asset (could be the Asset owners name or even
part of the description).

To clear your Search terms and reload the full Asset Inventory List again, remove whatever is
typed in the search box and press Enter key.

Appendix D – How to use Sorting in Reports and Grids

There are a number of navigational options available when using IRM Software. On many
pages, grids are used to organize the data, and in Clearwater Compliance Reports, the data is
sorted into columns for display.

To sort any data that is displayed in a Report or grid on the page, look at the headings for each
column on the page. If the column headings have up/down arrows then that data view or
Report is sortable by that column’s data.

If you click on the Risk Rating column header in the Risk Rating report, for example, the report
will display all Risks from lowest to highest or from highest to lowest, alternating and re-sorting
each time you click the column name header.

173 | IRM|Analysis® Software Manual - Version 5.1.6

The multi-row select functionality in the IRM Software is only available on certain screens, such
as the Control Response Review. In order to utilize multi-row select, click the individual
checkboxes to the right on each selectable row.

Below, the first three rows are selected and the fourth row is not selected. Notice an additional
(lavender color) row is displayed, this row allows you to select or enter responses that will be
applied to the multi-selected rows.

In the example above you can choose to select an Effectiveness, Cost, Feasibility, Global, or
Action to the selected rows from the dropdown boxes or text enterable fields.
Once you have made your choices and have updated the rows you have selected, then you can
click on the red ‘X’ in the (lavender color) selection row to remove the multi-row select
checkboxes from the screen.

174 | IRM|Analysis® Software Manual - Version 5.1.6

Below is the Primary Risk Management Map for completing a Risk Analysis as defined within
the Clearwater Compliance IRM|Analysis® Software. Beneath the Risk Management Map, you
will see a list of site menu selections - that will allow you to complete the Workflow Action
listed.

175 | IRM|Analysis® Software Manual - Version 5.1.6

This Appendix will also review all of the different icons available on pages and sections of the
Clearwater Compliance software.

Name Icon Meaning

Risk Management Map Identifies on what page the

customer is currently active

Page Level Help Tell me more – Contextual

Help

Filter Displays a dialog box that

allows customers to limit the
information that displays on
the page
Minimize Navigation Collapses the left navigation
so that the customer can see
more information on the
page
Edit Allows customers to change
applicable fields

Export Allows customers to produce

the page in an external
format

Save Allows the saving of updated

information on this page

Cancel Allows for ignoring any

changes to the page

176 | IRM|Analysis® Software Manual - Version 5.1.6

Delete Allows customers to delete

information from a page

Question Mark Provides additional

information on an item it is
place next to

Browse Allows customers to search

documents in locations
outside of the software

Import Assets Now Upload document to the

software for the import of
assets

Help Center Directs customer to search

page for software
documentation and help
topics
Notifications Provides documentation
about software releases and
other relevant information

NIST List of Controls that a

vulnerability or threat
represents

Progress Bar A measure of how far along a

customer is in the software
for items on the page

List Expansion Expand an item

177 | IRM|Analysis® Software Manual - Version 5.1.6

Clear Response Remove selected response

View Note Add/edit/delete and review

notes

Review Documents Add/Delete or review

documents

Column Selector Add of remove the columns

that appear in the data table
on the current page

Risk Rating Calculated Risk for this item

Dollar Sign Review other risks where

this control is applicable

Tag Allows customers to group

items together that enhance
reporting, analysis, and
filtering
Wrench Navigate to the Risk Treat
and Evaluate page for this
Risk Scenario

Database Component Level Control

178 | IRM|Analysis® Software Manual - Version 5.1.6

Upload a Document Add, Delete and Review

Documents

Upload Add, delete and Review

Documents

Custom Identifies a Custom Control

Created by the user

179 | IRM|Analysis® Software Manual - Version 5.1.6

One of the key considerations in completing an Asset Inventory is how the Component Groups
may need to be grouped during Risk Analysis. There are many combinations of groupings that
will work, and every company’s Component Groupings will be unique to the way the company
doing the analysis does business.

Components and Assets can be grouped into any combination that makes sense for your
business. You can use the Label for each Component Group to help you determine the best
combinations.

For example, in this grouping below, Components and Assets could be grouped by the
Department or Division location of the Asset. The Assets below are combined into a single
grouping in this case, despite being from different departments in the company. This may be
done based on security policy for these Assets, and how the security measures (such as anti-
virus updates, patches, asset locks, restricted access, etc.) are planned and implemented in the
same way.

In the cases where Component Groups are handled by 3rd parties, you may want to group the
Component Groups from various vendors into a single grouping.

In this Component Group, all Smartphones are together because their security
measures and responses will be similar.

180 | IRM|Analysis® Software Manual - Version 5.1.6

Mapping Guidance Items to Clearwater Software Features

In the slide below, seven key components of the HHS OCR Guidance on Risk Analysis are
highlighted and mapped to key Clearwater Compliance IRM|Analysis® features and
functionality.

Appendix K – How to user Filtering

Filter icon located (usually) at the top right side of the page. A good example of using the
filtering feature is on the Controls Global page. To limit the amount of information displayed,
simply click on the filter icon and begin typing in any of the dropdown list boxes until your
desired item is displayed. Add your desired item to the list box and continue to fill in the other
list boxes the same way. Once all your selections have been made, click on the submit button in
the bottom left corner. This will load only the data items that meet your filter specifications. If
you decide not to filter, just click on the close button in the bottom right corner.

181 | IRM|Analysis® Software Manual - Version 5.1.6

The Column selector icon is located at the top right side of the page. A good example of using the
filtering feature is on the Rating Review page. To limit the amount of columnar information
displayed, simply click on the column selector icon and click or unclick the circled checkmark
next to each column name. Once a selection has been clicked/unclicked, the page will redisplay
with the applicable column information.

Appendix M – User Permissions based on Role

Module Area Analysis Entity Analyst Analysis

Account Owner Read Only

Dashboard All Areas UPDATE NONE NONE

Risk Rating UPDATE UPDATE READ ONLY

Distribution

Risk Rating Trends UPDATE UPDATE READ ONLY

Risk Rating Averages UPDATE UPDATE READ ONLY

Top Vulnerabilities UPDATE NONE NONE

Top Entities UPDATE NONE NONE

Risk Response UPDATE NONE NONE

Top Assets UPDATE NONE NONE

Asset Inventory All Areas UPDATE NONE NONE

Asset List UPDATE UPDATE NONE

Component Groups UPDATE UPDATE NONE

Asset Inventory UPDATE NONE NONE

Import

Risk All Areas UPDATE UPDATE NONE

Determination

Controls – Global UPDATE UPDATE NONE

Risk Questionnaire List UPDATE UPDATE READ ONLY

182 | IRM|Analysis® Software Manual - Version 5.1.6

Risk Questionnaire UPDATE UPDATE NONE

Form

Controls Review UPDATE UPDATE READ ONLY

Custom Controls UPDATE UPDATE NONE

Rating Review UPDATE UPDATE READ ONLY

Risk Response All Areas UPDATE NONE NONE

Risk Response List UPDATE UPDATE READ ONLY

Treat and Evaluate UPDATE UPDATE NONE

Approve Alternatives UPDATE READ ONLY NONE

Implementation UPDATE UPDATE NONE

Planning

Risk Action Plan UPDATE UPDATE READ ONLY

Risk Reconciliation UPDATE READ ONLY NONE

Documents All Areas UPDATE UPDATE NONE

Your Documents UPDATE UPDATE NONE

Reports All Areas UPDATE NONE NONE

Risk Rating Report UPDATE UPDATE READ ONLY

Asset Inventory UPDATE UPDATE READ ONLY

Report

Risk Registry Detail UPDATE READ ONLY READ ONLY

Report

Version History UPDATE NONE NONE

Enterprise Extracts UPDATE NONE NONE

Manage Account All Areas UPDATE NONE NONE

Entity Management UPDATE NONE NONE

User Management UPDATE NONE NONE

183 | IRM|Analysis® Software Manual - Version 5.1.6

Security Settings UPDATE NONE NONE

Cascading Profiles UPDATE NONE NONE

Framing/Govern All Areas UPDATE NONE NONE

ance

Risk Threshold UPDATE READ ONLY READ ONLY

Likelihood and Impact UPDATE READ ONLY NONE

Settings

Version Frequency UPDATE NONE NONE

184 | IRM|Analysis® Software Manual - Version 5.1.6

Qualys Quick Tour PDF
No ratings yet
Qualys Quick Tour PDF
12 pages
An LDG en
No ratings yet
An LDG en
112 pages
Clearwater Analytics Cleaned
No ratings yet
Clearwater Analytics Cleaned
16 pages
Eventloganalyzer Userguide PDF
No ratings yet
Eventloganalyzer Userguide PDF
218 pages
IRDA Guideline On Information and Cyber Security
No ratings yet
IRDA Guideline On Information and Cyber Security
2 pages
Iraq Development Management System (Idms) : Analytics User Manual
No ratings yet
Iraq Development Management System (Idms) : Analytics User Manual
117 pages
ContractLens Menu Structure (User Experience Enhanced)
No ratings yet
ContractLens Menu Structure (User Experience Enhanced)
4 pages
Meridium APM SIS Management V3.6.0.0.0
No ratings yet
Meridium APM SIS Management V3.6.0.0.0
491 pages
FIU-IND Report Validation Guide
No ratings yet
FIU-IND Report Validation Guide
28 pages
NHA MIS User Manual
No ratings yet
NHA MIS User Manual
36 pages
2020 Rizing COVID19 Portlet Configuration Guide
No ratings yet
2020 Rizing COVID19 Portlet Configuration Guide
42 pages
Fountain Training Manual
No ratings yet
Fountain Training Manual
167 pages
SAP PM & SM User Exits Guide
100% (1)
SAP PM & SM User Exits Guide
19 pages
EHS-End-User-Manual-Risk Assessment v1.1
No ratings yet
EHS-End-User-Manual-Risk Assessment v1.1
16 pages
GDP 12.x Documentation
No ratings yet
GDP 12.x Documentation
1,701 pages
AI Automation of UAR
No ratings yet
AI Automation of UAR
7 pages
Expressclear Manual Branch Ver 3.2
No ratings yet
Expressclear Manual Branch Ver 3.2
98 pages
Qualys Quick Tour
No ratings yet
Qualys Quick Tour
14 pages
ISF - IRAM2 - Risk Evaluation and Risk Treatment Assistant - Practitioner Guide
No ratings yet
ISF - IRAM2 - Risk Evaluation and Risk Treatment Assistant - Practitioner Guide
19 pages
EHS-End-User-Manual-Work Area Management v1.1
No ratings yet
EHS-End-User-Manual-Work Area Management v1.1
21 pages
Hunter Water Integrates QHSE System
No ratings yet
Hunter Water Integrates QHSE System
2 pages
Genius PDF
No ratings yet
Genius PDF
46 pages
Annex Notification 23-2015 PDF
No ratings yet
Annex Notification 23-2015 PDF
353 pages
Informatica Power Center 9.0.1: Building Financial Data Mode - Lab#29
No ratings yet
Informatica Power Center 9.0.1: Building Financial Data Mode - Lab#29
23 pages
Loio EN
No ratings yet
Loio EN
558 pages
Module 2
No ratings yet
Module 2
22 pages
Governance & Compliance
No ratings yet
Governance & Compliance
17 pages
Iwmp Mis User Manual
No ratings yet
Iwmp Mis User Manual
270 pages
Tepcca User Manual - v1
No ratings yet
Tepcca User Manual - v1
18 pages
Enterprise Performance Management Epm Update 24.03
No ratings yet
Enterprise Performance Management Epm Update 24.03
2 pages
Information Risk Management Guide
100% (1)
Information Risk Management Guide
29 pages
Moduls
No ratings yet
Moduls
2 pages
Integrated Risk and Compliance Management at Microland
100% (3)
Integrated Risk and Compliance Management at Microland
45 pages
Oracle Fusion Cash Management Training
No ratings yet
Oracle Fusion Cash Management Training
3 pages
Project Report On Insurance Management System
No ratings yet
Project Report On Insurance Management System
10 pages
Chapter#1 Mis
No ratings yet
Chapter#1 Mis
5 pages
Informatica MDM Course
No ratings yet
Informatica MDM Course
3 pages
2022 Ims Management Review Report
No ratings yet
2022 Ims Management Review Report
17 pages
CISA Study Schedule
100% (1)
CISA Study Schedule
2 pages
Security Assessment & Methodologies
No ratings yet
Security Assessment & Methodologies
28 pages
Guardium 12.0 Documentation
100% (1)
Guardium 12.0 Documentation
1,651 pages
SMB Sales Impl Guide
No ratings yet
SMB Sales Impl Guide
29 pages
SMB Sales Impl Guide
No ratings yet
SMB Sales Impl Guide
29 pages
FIU FINNet2.0 User Manual FINGate RE Dashboard and MIS Reports v1.1
No ratings yet
FIU FINNet2.0 User Manual FINGate RE Dashboard and MIS Reports v1.1
54 pages
Fifth Third Bank Portal Guide
No ratings yet
Fifth Third Bank Portal Guide
10 pages
Travelport Selective Access User Guide
No ratings yet
Travelport Selective Access User Guide
203 pages
Ds Integrated Risk Management.
No ratings yet
Ds Integrated Risk Management.
3 pages
SMB Sales Impl Guide
No ratings yet
SMB Sales Impl Guide
27 pages
Informatica Course Content
No ratings yet
Informatica Course Content
4 pages
CISA Domain 1 - Information System Auditing - PART A & B
No ratings yet
CISA Domain 1 - Information System Auditing - PART A & B
55 pages
Listen and Respond
No ratings yet
Listen and Respond
2 pages
SMB Sales Impl Guide
No ratings yet
SMB Sales Impl Guide
27 pages
Sales Cloud Implementation Guide
No ratings yet
Sales Cloud Implementation Guide
27 pages
Sertica Analytics User Guide
No ratings yet
Sertica Analytics User Guide
45 pages
Articles - 5 31 2023
No ratings yet
Articles - 5 31 2023
30 pages
Oasis UI Guide
No ratings yet
Oasis UI Guide
30 pages
01 16 2025 FR (Final)
No ratings yet
01 16 2025 FR (Final)
245 pages
FY 2026 Governor's Report - FINAL
No ratings yet
FY 2026 Governor's Report - FINAL
400 pages
Atlanta Evergreen Marriott Floor Plan
No ratings yet
Atlanta Evergreen Marriott Floor Plan
1 page
Selenium Supplementation in Obese Patients With Su
No ratings yet
Selenium Supplementation in Obese Patients With Su
11 pages
Selenium Supplementation in Obese Patients With Su
No ratings yet
Selenium Supplementation in Obese Patients With Su
11 pages
Budget Insurance POLICY NUMBER 778754485
No ratings yet
Budget Insurance POLICY NUMBER 778754485
13 pages
Module #01 - An Overview of Financial Management
No ratings yet
Module #01 - An Overview of Financial Management
12 pages
Shalin VK - Mechanical Engineer - Resume PDF
100% (1)
Shalin VK - Mechanical Engineer - Resume PDF
3 pages
Verified PDF Download Optimization Modeling For Supply Chain Applications FULL Version
100% (1)
Verified PDF Download Optimization Modeling For Supply Chain Applications FULL Version
407 pages
Non-Disclosure Agreement: Between
No ratings yet
Non-Disclosure Agreement: Between
3 pages
Econ Module-5 Non-Price Determinants
No ratings yet
Econ Module-5 Non-Price Determinants
6 pages
UNDP CIPS Training Catalogue 2019 PDF
0% (1)
UNDP CIPS Training Catalogue 2019 PDF
20 pages
Poultry Farm Business Blueprint
No ratings yet
Poultry Farm Business Blueprint
8 pages
COA CIRCULAR NO. 84 236 October 26 1984
No ratings yet
COA CIRCULAR NO. 84 236 October 26 1984
5 pages
MSC in Sustainable Agriculture and Business19
No ratings yet
MSC in Sustainable Agriculture and Business19
2 pages
SB Order 2024
No ratings yet
SB Order 2024
35 pages
Trade Marketing and Its Effects
No ratings yet
Trade Marketing and Its Effects
32 pages
Resolution of Disputes Notes
No ratings yet
Resolution of Disputes Notes
114 pages
Accredited Meat Importers List 2011
100% (2)
Accredited Meat Importers List 2011
13 pages
Ibm Dissertation
100% (2)
Ibm Dissertation
7 pages
VVC Good Future Money New Commisison Chart 2025 PDF
No ratings yet
VVC Good Future Money New Commisison Chart 2025 PDF
20 pages
ICON Student Registration Form
No ratings yet
ICON Student Registration Form
4 pages
This Study Resource Was: Modified, Disclaimer
No ratings yet
This Study Resource Was: Modified, Disclaimer
3 pages
2023-2024 Salary4
No ratings yet
2023-2024 Salary4
2 pages
FAQs
No ratings yet
FAQs
8 pages
Tttu3163-Sistem Sokongan Keputusan 18
No ratings yet
Tttu3163-Sistem Sokongan Keputusan 18
3 pages
ENX300 Lesson Canvas Version
No ratings yet
ENX300 Lesson Canvas Version
28 pages
How To Get An Import License
No ratings yet
How To Get An Import License
14 pages
Jhon Galicia
No ratings yet
Jhon Galicia
1 page
Tax Invoice
No ratings yet
Tax Invoice
1 page
IT Auditing and Data Management Quiz
No ratings yet
IT Auditing and Data Management Quiz
37 pages
Tax Invoice/Bill of Supply/Cash Memo
No ratings yet
Tax Invoice/Bill of Supply/Cash Memo
1 page
Account Upgradtion ZD For Isave
No ratings yet
Account Upgradtion ZD For Isave
4 pages
Cisam Module
No ratings yet
Cisam Module
216 pages
Regional Rural Banks in India
No ratings yet
Regional Rural Banks in India
4 pages