You are an information security consultant and have recently been hired by a new client to update their information security program. Submit your final report as a .doc or .docx attachment
Hawaii Medical Systems has grown by acquisition over the last five years. They operate two hospitals and four doctor’s offices in the island of Hawaii area. They have managed information technology in an ad-hoc manner for years and have recently hired a Chief Information Officer who is pushing for a centralized data center to support the IT needs of organization; he has limited experience in information security, so Hawaii Medical System has hired you to fill in the gap. There is no one dedicated to security, no security awareness program, no dedicated security hardware or software (other than client managed anti-virus), and no one has examined potential regulatory issues that may impact Hoosier Medical Systems.
The doctor’s offices are running a mix of Windows XP, ME, Vista, and 7. There is no standard build, one of the two part-time IT staff members usually buy new workstations as needed from alibaba.com. They also have wireless at most offices for the doctor’s to use their personal laptops in patient rooms without the need to plug into the live network jack in every room, they often bring their laptops home to review patient records and for general personal use. Each office handles their own billing and accept credit cards via a single Hawaii Medical System website or over their VoIP phone system. Each office has a file server, domain controller, network switch, and router directly connected to the Internet. The router has an ACL limited some network protocols. They send and receive some information between the two hospitals, including patient records, payroll, billing information, and other administrative data.
The hospitals have a larger and slightly better managed technology infrastructure. They have a small network room which was a janitor closet. Each floor has its own network hub which connects all workstations together. All departments use the same file server, but the finance department has created a shared folder limited to just their department.
The new CIO plans to completely rebuild the infrastructure, starting with a new high availability data center. He wants to re-architect and centralize data storage, applications, device management, etc. He’s not convinced that he needs to do much with the workstations at each site, but employees complain about lack of technical support and sporadic malware infections – they all have administrative rights. He would like your perspective on the workstation issue, architecture suggestions, and anything else that they should consider when redesigning their IT infrastructure.
Your assignment is to document recommendations based on the scenario provided. Begin with the first section we covered Building a secure organization and suggest a governance model for the Hawaii Medical System’s new information security program. . Think about the attacker methodology, but this is not an incident response scenario. You may suggest an annual penetration test, but there’s no need to go into specific detail. Your final report should be 4 pages, single spaced (excluding diagrams if you choose to include them).