Week 3 remaining

Week 3/cf_Course_Security_Secenario (2).docx

IT4803 – Systems Assurance Security

Course assignments require you to address security assurance issues. Use the information in scenario below to complete your course security policy planning assignments. The scenario is relatively simple, so make sure to state any assumptions that you make to fill in gaps when necessary for substantiating positions taken in your assignment work.

Background

You have been hired as an information assurance and compliance consultant at a large health system called Laskondo Healthcare. The organization is comprised of three (3) hospitals, 1,000 licensed beds, 8,000 employees, of which 1,750 are medical staff, and over 2,000 volunteers.

As a healthcare system, Laskondo manages and transmits a considerable amount of confidential data, including protected health information (PHI) on behalf of its patients. This data is often transmitted between and with external healthcare professionals and offices, as well as suppliers and vendors, as needed. Additionally, data is often shared within the three system hospitals.

Upon starting the job, you quickly understand that information security and compliance have not been properly implemented or governed.

Laskondo is lacking organization-wide standardized policies and strategic plans that adequately address system security assurance. In a recent audit, there were findings that the security controls in place at all three hospital facilities were lacking from a HIPAA-compliant perspective. Additionally, proper business continuity efforts have yet to be developed, implemented or tested, leaving the organization with unwanted risk of major disruption or incident.

The CIO has recognized that there are systemic policy weaknesses and has asked you to draft new organizational system assurance security policies that adequately guide the organization in the areas listed below using modern systems assurance security policies, practices and techniques.

Policy Areas:

· Acceptable Use.

· Workstation Security.

· Password Management.

· Logging Standards. 

· Vulnerability Management.

· Patch Management.

· Logical Access Control.

· Physical Access Control.

· Separation of Duties.

· Change Control Management.

· Monitoring.

· Access Request Approvals.

· Business Continuity Planning.

· Incident Response Procedures.

· Encryption Usage in a regulated healthcare environment.

· Remote Access.

· Network Device Security.

· Intrusion Detection.

· Application Security and Testing.

Technical Details

The high-level technical infrastructure details of the organization are as follows:

· Networking devices

· Firewalls (1 in each hospital)

· Routers / Switches (multiple in each hospital)

· Servers

· Baremetal – VMware ESX 5.5 (5). Comment by csprafka: Tim, I hope these tools are covered in the labs. That would be idea. If they are not, we’ll need to give learners resources on these topics if they are not covered in the Labs.

· Baremetal - CentOS 7.3 (Qty 15).

· Baremetal – Windows Server 2012 R2 (Qty 35).

· Virtual – CentOS Linux (Qty 50).

· Virtual – Windows Server 2012 R2 (Qty 125).

· Workstations

· Windows 10 desktop systems, various models (Qty 250).

1

2