Research

profilebwilson
PROJECT6Q.docx

Step 3: Choose a Case and Complete the Project Plan

Now that you have a better understanding of various aspects of organizational behavior from the readings in the previous step, select a hospital or health care organization as your case to research. Consider an organization you are familiar with or one for which you can find sufficient information. To maintain confidentiality, you do not need to mention the name of the organization. You can also refer to the Health and Human Services (HHS) site for organizations that have reported breaches. Verify that you can locate sufficient, reputable, and informative information on your chosen case.

Also, read this cybersecurity field overview to consider different roles that may apply as you review your case. 

Now that you have chosen a case, the next action is to establish how you will divide the work. Use your team space to share ideas and drafts of each member’s contribution. Complete all portions of the project plan and submit it to your team space by the end of Week 8.

To recap the deliverables, each team will have three weeks to complete the following:

· Complete and submit the team communication and project plans by the end of Week 8.

· Conduct research to capture the organization's infrastructure and processes, the threats to personal health information (PHI) and determine a strategy to mitigate the threats you anticipate. This research will go into the technical report (or white paper, nine to ten pages excluding cover sheet, references, and any appendices) in accordance with the directions in Steps 4 and 5. After the paper is written, you will create a one-page executive summary of the paper. It will be part of the technical report document, immediately after the cover sheet and before the text of the report. 

· Complete the lab activity to crack passwords and create a summary lab report. This should be done by Week 9.

· Develop a high-level narrated slide presentation for the organization’s board of directors. This asynchronous presentation must be no longer than 12 slides, excluding the references slide and cover slide. It is due at the end of Week 10

Step 4: Create an Organizational Profile for Your Case

Now, it is time to research your chosen case to determine how the organization’s IT department operates, how it is structured, and how PHI is moved around the organization for stakeholders’ use. Revisit guidelines on conducting research, if needed. Next, review the materials in the links below to define and describe the hospital’s information system infrastructure.  

· Overview of Systems & Networks

· Open Systems Interconnections (OSI) Model

· TCP/IP protocols

· Network protocols

It is important to understand the organization’s workflow processes—how they move patient information to the business units that need to process and manage that information, from billing to physician care. All these organizations employ hardware and software within their information systems. It is critical to understand these components, termed system architecture, and how the components are connected so that appropriate security is put in place to protect sensitive information. 

Your research should provide examples of how an information system is connected to cybersecurity components, like firewalls in the information system and network. Be sure you understand the benefits and weaknesses of your case’s network architecture. Your definition of the organization’s system architecture should include a high-level description of information systems hardware and software components and their interactions. Take time to read the following resources. They will help you construct your definition.

· Information systems hardware

· Information systems software

As you write your organizational profile, consult scholarly resources as well as online resources, newspapers, websites, and IT blogs for similar contemporary cases.

Topics to Consider in the Organizational Profile

Review the following topics to determine which two are the most critical to your analysis. Focus your writing on those that have the most impact and relevance to your recommendations. As you write about your selected topics, justify why each is critical. Rather than treat your chosen topics separately, blend them into an understandable narrative.

1. Describe the organization and structure. The structure will include the different business units and their functions. You may use an organizational chart to provide this information.

2. Define information security needs to protect mission-critical systems. Choose one or more mission-critical systems of the health care organization. Define the information protection needs for the organization's mission-critical protected health information (PHI). This information is stored in database medical records for doctors, nurses, and insurance claims billing systems, which are used to fulfill the organization’s information needs.

3. Define the workflows and processes for the high-level information systems that you have just identified. Workflows and processes for health care organizations define how the organization gets its work done.

4. Describe how the system architecture fulfills the needs of the health care organization. You may supply this information as a diagram with inputs, outputs, and technologies to define workflows and processes for the high-level information systems.

In the next step, you will consider threats to the organization’s information security and how to mitigate them.

Step 5: Develop Analysis of Threats to the Organization's Information Systems Infrastructure

Now that you have defined the hospital's information system infrastructure, you will have to learn about and demonstrate your understanding of the potential threats to those systems and the types of measures that could address those threats. In this section, you will learn about different types of identity access management solutions and how they protect against the threat of unauthorized access.

The National Initiative for Cybersecurity Education (NICE) framework refers to this work as conducting a “vulnerability assessment”.  There are open source and commercial tools to support vulnerability assessment. You will work with some in step 6.

To complete this section of the report, start by reviewing the following resources:

· Web security issues

· Insider threats

· Intrusion motives/hacker psychology

· CIA triad

Take what you learned about potential threats to assess the threat(s) to the hospital's information systems infrastructure. Include a brief summary of insider threats, intrusion motives, and hacker psychology in your report as it relates to your organization’s data processing systems. Relate these threats to the vulnerabilities in the CIA triad.

Your report will also include a description of the purpose and components of an identity management system, to include authentication, authorization, and access control. Include a discussion of doctors’ use of laptop devices when they visit their patients at the hospital and need access to hospital PHI data. Review the following resources:

· Authorization

· Access control

· Passwords

· Multifactor authentication

Next, expand your description by defining the types of access control management, to include access control lists in operating systems, role-based access controls, files, and database access controls. Define types of authorization and authentication and the use of passwords, password management, and password protection in an identity management system. Describe common factor authentication mechanisms to include multifactor authentication.

Topics to Consider in the Description of Threats and Mitigation Strategies

Review the following topics to determine which three to four are the most critical to your analysis. Focus your writing on those that have the most impact and relevance to your recommendations. As you write about your selected topics, justify why each is critical. Blend the topics you choose into a single narrative.

1. Describe potential threats to the organization’s critical mission areas. These may include sloppy information security practices, insider threats, or hackers wishing to steal personal data. Relate these threats to the vulnerabilities in the CIA triad.

2. Describe how the organization restricts access to protect billing and PHI. Explain the organization’s processes and workflows to safeguard PHI, specifically the use of passwords, password management, and password protection in an identity management system.

3. Define the access management system. What types of access control management, to include access control lists in operating systems, role-based access controls, files, and database access controls will it take to ensure that access is limited to those with a need to know?

4. Define factor authentication systems. How do common factor authentication mechanisms, to include multifactor authentication practices, safeguard sensitive information for an organization like this?

5. Discuss strategic considerations and provide recommendations. Review the mission and organization structure of your organization as well as roles within the organization, and recommend accesses, restrictions, and conditions for each role

6. Discuss the manager’s risk considerations. What will happen if the CIO and the leaders do nothing and decide to accept the risks? Could the CIO transfer, mitigate, or eliminate the risks? What are the projected costs to address the risks?

Now, you are ready to start writing your technical report (white paper). The technical report will identify vulnerabilities in the information systems infrastructure of the health care organization, and identify risks to the organization's data. Your paper will propose a way to prioritize these risks and propose remediation actions.

In the next step, you will complete a lab activity with password-cracking tools to prepare your lab report.

Step 6: Test Password-Cracking Tools and Write a Lab Report

You have successfully examined the threats to a health care organization's information systems infrastructure. Now, you must begin your research into password-cracking software. Do some quick independent research on password cracking as it applies to your organization, then complete the lab activity Password Cracking with Cain & Abel and Ophcrack.

Step 7: Prepare a Narrated Presentation

Now that you have completed your technical report and lab report, you are ready to develop a narrated presentation for the members of the hospital board as well as the CIO and other managers. Your technical report will provide an analysis of the infrastructure and the threats, based on the incident that first brought the organization’s security issues to your team’s attention.

Your findings from the team’s technical and lab reports will now be the basis of a presentation that you will provide for the hospital board. The board will make decisions concerning what actions are taken and how much money will be allocated for cybersecurity. Therefore, you will create a slide deck that captures the salient points of your research, the results of the lab tests of the password-cracking tools, and the team’s proposals to tighten information security practices. Consider the suggestions in the table below to focus your efforts for this presentation.

Topics to Address in the Narrated Presentation

Keep the primary goals of your presentation in mind as you build your presentation to the board: be credible, be clear, and provide reasoned solution recommendations.

1. Present your technical findings succinctly to a non-technical audience. Avoid acronyms or slang; opt for clear language and clear explanations.

2. Provide a high-level summary of the infrastructure, the vulnerabilities that may have enabled the breach, and recommended actions. Explain what happened, the impact on the organization, and your proposed actions with rationale and costs.

3. You are limited to 12 slides, excluding the cover and references slides. You will choose your best narrator to narrate the presentation for wider distribution. The format should be professional and free from typos or grammatical errors.