Course Security Scenario
Course assignments require you to address security assurance issues. Use the information in the scenario below to complete your course security policy planning assignments. The scenario is relatively simple, so state any assumptions you make to fill in gaps where they are needed to substantiate the positions taken in your assignment work.
You have been hired as an information assurance and compliance consultant at a large health system called Laskondo Healthcare. The organization comprises three (3) hospitals, 1,000 licensed beds, 8,000 employees, of whom 1,750 are medical staff, and over 2,000 volunteers.
As a healthcare system, Laskondo manages and transmits a considerable amount of confidential data, including protected health information (PHI), on behalf of its patients. This data is often exchanged with external healthcare professionals and offices, as well as suppliers and vendors, as needed. Additionally, data is often shared among the three system hospitals.
Upon starting the job, you quickly understand that information security and compliance have not been properly implemented or governed.
Laskondo lacks organization-wide standardized policies and strategic plans that adequately address system security assurance. A recent audit found that the security controls in place at all three hospital facilities were lacking from a HIPAA compliance perspective. Additionally, proper business continuity efforts have yet to be developed, implemented or tested, leaving the organization with unwanted risk of major disruption or incident.
The CIO has recognized that there are systemic policy weaknesses and has asked you to draft new organizational system assurance security policies that adequately guide the organization in the areas listed below using modern systems assurance security policies, practices and techniques.
• Acceptable Use.
• Workstation Security.
• Password Management.
• Logging Standards.
• Vulnerability Management.
• Patch Management.
• Logical Access Control.
• Physical Access Control.
• Separation of Duties.
• Change Control Management.
• Access Request Approvals.
• Business Continuity Planning.
• Incident Response Procedures.
• Encryption Usage in a regulated healthcare environment.
• Remote Access.
• Network Device Security.
• Intrusion Detection.
• Application Security and Testing.
The high-level technical infrastructure details of the organization are as follows:
• Networking devices
o Firewalls (1 in each hospital)
o Routers / Switches (multiple in each hospital)
o Baremetal – VMware ESX 5.5 (Qty 5).
o Baremetal – CentOS 7.3 (Qty 15).
o Baremetal – Windows Server 2012 R2 (Qty 35).
o Virtual – CentOS Linux (Qty 50).
o Virtual – Windows Server 2012 R2 (Qty 125).
o Windows 10 desktop systems, various models (Qty 250).