information systems security and assurance

  

Here are weekly assignments to address for each week which will contribute to the Final Project: Each weekly assignment will between 250-350 words.

· Week 1 – Develop your network boundary based on the requirements provided, see Appendix A of the syllabus. Follow the assignment in Appendix A. You will need to draw the network boundary and provide a detailed network description of the network boundary.

· Week 2 – Describe the security and privacy requirements for the network boundary. This is a physician’s office, so please describe the HIPAA security and privacy requirements you need to follow for your network boundary. Use the HIPAA, HiTech, and Omnibus Laws to help you create HIPAA security and privacy requirements.

· Week 3 – We need to ensure the physician’s office is secure and the HIPAA data is protected. Read NIST SP 800-53 rev 4. How can this document help you ensure your physician’s office is secure? Out of the 18 control families, pick two control families and address the controls in complete sentences for your network boundary.

· Week 4 – We need to ensure the network boundary is hardened. Please review the DOD STIG for Oracle 12. Select 20 controls and address how the Oracle server has been hardened in the physician’s office.

· Week 5 – We are preparing for an audit of the system for HIPAA compliance. What are all of the documents we will need to have prepared for the upcoming audit? Please explain why each document is important. What scans should you run on the system, please describe the scan and on why systems the scan ought to be facilitated.

· Week 6 – The auditors have finished their assessment. In Appendix B, we have the findings from the audit. Please address in detail how each finding should be mitigated. Match up each control to the SP800-53 control family and control number.

· Week 7 – The physician’s office now wants to add tele-medicine to the functionality of their network. Explain in great detail, 500 words or more how this will impact the physician’s office and what we need to do from an information assurance perspective. Make sure you include change management in this discussion.

· Week 8 – Turn-in of FINAL PROJECT. Bring together your past 7 weeks of work. Add narrative transitions where appropriate and ensure you have addressed the instructor’s feedback provided each week. Conclude your project with a 500 word narrative explaining why information security is important in the Healthcare field. Cite Scripture to demonstrate your understanding of how faith integrates with the information technology and healthcare fields. Check to ensure that APA format has been used and you have at least 14 peer-reviewed references.

APPENDIX A

Information Assurance Project

In order to understand the practical impact of Information Assurance, we will work on a project over the next 8 weeks. One of the major requirements in information assurance is documentation and being able to articulate your understanding of a security requirement or control. Please design a network for a hypothetical physician’s office and provide a network description with the following:

1 Server with Scheduling software (pick one)

1 Server for billing (pick one)

1 Server with a data base for patient data – Oracle 12

1 Server for email – Microsoft Exchange Email

The office has 10 patient rooms with a desktop in each room running Windows 10 for the OS

The office is based on wireless networking with TCP/IP.

There are two doctors in this office.

This office has an Internet connection to the mother company. 

The network boundary for this assignment is just this physician’s office.

In your network description please provide the following:

Describe the purpose of this network. 

Describe the network and equipment, the servers and the software in place.

Describe the security you have in place.

APPENDIX B

The auditors have completed their assessment. The following are the findings determined during the audit. Please address in detail how each finding should be mitigated.

  

Identified   Vulnerability

Identify   the Matching Control in the SP 800-53 – Control Family and Control Number

What would   be the appropriate mitigations?

 

1. People can gain physical access to the physician’s office   without anyone checking ID.

 

2. The server room does not have a lock on the door.

 

3. There are default admin accounts with elevated privileges

 

4. The receptionist of the office provided the password to the   server via an inbound phone call.

 

5. There are unused open ports on all of the servers.

 

6. The scheduling software shows verbose code.

 

7. There is no encryption on the network. PHI/PII data is sent over   the wireless network in clear text.

 

8. The PHI/PII data on the database server resides on unencrypted   drives.

 

9. In an interview with the Nurse, she stated there is no training   for HIPAA Security or Privacy provided.

 

10. On the desktops, there are Microsoft vulnerabilities in the   Windows 10 OS which have not been patched.

 

11. The auditor watched an employee make changes to the Oracle   server without following change management.