Creating and maintaining an accurate inventory of data assets is a critical step in risk management and enables the implementation of right-sized cybersecurity controls that satisfy the unique needs of the organization. Classifying assets according to their value and inherent risk further enhances the ability to quantify cyber risk and provides additional value to the organization.

The objectives of this service are as follows:

1. Develop an inventory of data assets and the information systems they reside on.
2. Identify data owners and custodians for each data set.
3. Identify the vendors, processes, and technology that store, process, and handle data, both internal and external to the organization.
4. Develop policies and processes to enable the safe handling of data and assets.

The methodology consists of the following activities:

1. INTERVIEW SCHEDULE
   1. The Client will identify and document all individuals required to attend sessions by completing the interview schedule.
   2. DeepSeas will work with the Client to define data elements to be collected within the inventory.
2. KICKOFF PRESENTATION
   1. DeepSeas will provide interview session attendees with details on how the interview sessions will be conducted and what information is going to be collected. This will be delivered on Day 1 to kick off asset inventory development.
3. WORKSHOP
   1. ASSET INVENTORY DEVELOPMENT
      1. DeepSeas to conduct interview sessions and observations presentation over three (3) consecutive business days. 
      2. Interview sessions (Day 1 & Day 2) will identify and document:
         1. Department (Scope)
         2. Asset Name
         3. Asset Description
         4. Asset Type
         5. Data Owner
         6. Data Custodian
         7. Primary Storage
         8. Permitted Access
         9. Data Types
         10. Confidentiality Value
         11. Integrity Value
         12. Availability Value
   2. WORKING SESSION (Day 3)
      1. Observations Presentation - DeepSeas to deliver Observations Presentation to include:
         1. Insights into repositories storing data elements critical to the business.
         2. General observations as noted during the interview sessions.
      2. Documentation
         1. DeepSeas to conduct a review of the Asset Inventory.
         2. DeepSeas to develop and review the Information Classification policy, Information Handling Reference, and Acceptable Use Policy

The Data Classification and Asset Inventory service are based on the following regulations and standards:

• FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
• NIST SP 800-53 Security and Privacy Controls for Federal Information Systems

DeepSeas will produce the following deliverables:

1. ASSET INVENTORY - DeepSeas will deliver an asset inventory that identifies discovered data sets, including the classification of each.
2. ACCEPTABLE USE POLICY - DeepSeas will provide an Acceptable Use Policy.
3. INFORMATION CLASSIFICATION POLICY - DeepSeas will provide an Information Classification Policy.
4. INFORMATION HANDLING REFERENCE - DeepSeas will provide a Client-specific information handling reference.
5. LIST OF GAPS (RISK REGISTER) - DeepSeas will document gaps identified during the engagement in a Risk Register that can then be used by the Client to conduct risk management. The Risk Register is not managed by DeepSeas as part of this project, unless vCISO Strategy & Governance is included in this proposal.

DOCUMENTATION SUPPORTING PROJECT DELIVERY

DeepSeas will leverage and/or provide the following materials:

1. DEPARTMENT LIST - DeepSeas will provide the Client with a list of departments typically chosen for an interview. Use of this list is at the discretion of the client.
2. SCHEDULE TEMPLATE - DeepSeas will populate chosen departments into a scheduling template and provide it to the Client as a tool to help coordinate resources.
3. DATA CLASSIFICATION AND ASSET INVENTORY MEMO - DeepSeas will provide a template for Clients to leverage when working to schedule interview sessions with their team to set expectations and reduce pushback. Use and distribution of this are at the client's discretion.
4. DATA CLASSIFICATION AND ASSET INVENTORY KICKOFF PRESENTATION (PDF) - DeepSeas will provide the client with a PDF copy of the kickoff presentation given at the beginning of the workshop.
5. DATA CLASSIFICATION AND ASSET INVENTORY CHEAT SHEET - DeepSeas will provide the client with a quickly referenceable document summarizing information explained during the kickoff. Use and distribution of this are at the client's discretion.
6. OBSERVATIONS PRESENTATION (PDF) - DeepSeas will provide a PDF copy of the observations presentation.

PROJECT-SPECIFIC ASSUMPTIONS

1. Any outstanding work required to complete the asset inventory after the two (2) workshop days will be conducted by the Client. If the client would like DeepSeas to assist in this completion, a change order will be required to scope the additional effort.
2. For any departments that cannot attend their confirmed session, the workshop will continue without substitution. Should the client request these departments be interviewed, a change order will be required to scope the additional effort.
3. If the client has an existing Acceptable Use Policy or Information Classification Policy, DeepSeas will review them for effectiveness.
4. If client existing Acceptable Use Policy or Information Classification Policy are deemed insufficient, the client to utilize DeepSeas Acceptable Use Policy template and Information Classification Policy template.

The client is responsible for the completion of the following tasks, in accordance with agreed-upon timelines established as part of the project plan.

1. Client to assign a point of contact (POC) responsible for client coordination and logistics.
2. The client is responsible for scheduling and coordination of internal client resources for all project work.
3. The client is responsible for returning the completed interview schedule no less than 2 weeks prior to the proposed workshop dates.
4. The client will include the DeepSeas delivery team on calendar invites leveraging the client's video conferencing platform for workshops.
5. The client is responsible for the approval and implementation of policies and handling references.