Description
Instructions for Assessment 3
Part 1 – Eliminating Threats With a Layered Security Approach Lab
Note: Not all sections mentioned in the lab’s directions are required for this assessment.
Based on the specific actions taken in the lab, interpret the importance of disabling unneeded services and the potential detriment if these efforts are not taken. (PLEASE SUBMIT ON THE COURSE ASSESSMENT TEMPLATE SECTION PART 1.3 RESPONSE)
Part 2 – Security Planning: Password Management and Logging Standards Presentation
Consider the following policies using information found in the Course Security Scenario as context.
Password Management.
Logging Standards.
Create a 10–15 minute presentation (using a common presentation software of your choice) that describes Password Management and Logging Standards policies that you would recommend to stakeholders interested in organizational security for the company described in the Course Security Scenario. Your presentation must include audio narration with supporting visual depictions.
Consider the following scoring guide criteria as you complete your assessment:
Provide required screenshots that document lab completion.(Screenshots are completed)
Create a password management policy that is appropriate for the Course Security scenario.
Create a logging standards policy that is appropriate for the Course Security scenario.
Interpret the importance of disabling unneeded services and the potential detriment if this is not done.
Create a presentation that accurately communicates a security plan to stakeholders.
Additional Instructions
Place your written work and all screenshots from Part 1 (make sure to include the step number associated with each screenshot) in the Assessment X Template. Submit a zip file containing both the Assessment X Template and the Part 2 presentation file.
You have been hired as an information assurance and compliance consultant at a large health system called Laskondo Healthcare. The organization is comprised of three (3) hospitals, 1,000 licensed beds, 8,000 employees, of which 1,750 are medical staff, and over 2,000 volunteers.
As a healthcare system, Laskondo manages and transmits a considerable amount of confidential data, including protected health information (PHI) on behalf of its patients. This data is often transmitted between and with external healthcare professionals and offices, as well as suppliers and vendors, as needed. Additionally, data is often shared within the three system hospitals.
Upon starting the job, you quickly understand that information security and compliance have not been properly implemented or governed.
Laskondo is lacking organization-wide standardized policies and strategic plans that adequately address system security assurance. In a recent audit, there were findings that the security controls in place at all three hospital facilities were lacking from a HIPAA-compliant perspective. Additionally, proper business continuity efforts have yet to be developed, implemented or tested, leaving the organization with unwanted risk of major disruption or incident.
The CIO has recognized that there are systemic policy weaknesses and has asked you to draft new organizational system assurance security policies that adequately guide the organization in the areas listed below using modern systems assurance security policies, practices and techniques.
Policy Areas:
Acceptable Use.
Workstation Security.
Password Management.
Logging Standards.
Vulnerability Management.
Patch Management.
Logical Access Control.
Physical Access Control.
Separation of Duties.
Change Control Management.
Monitoring.
Access Request Approvals.
Business Continuity Planning.
Incident Response Procedures.
Encryption Usage in a regulated healthcare environment.
Remote Access.
Network Device Security.
Intrusion Detection.
Application Security and Testing.
Technical Details
The high-level technical infrastructure details of the organization are as follows:
Networking devices
Firewalls (1 in each hospital)
Routers / Switches (multiple in each hospital)
Servers
Baremetal – VMware ESX 5.5 (5).
Baremetal – CentOS 7.3 (Qty 15).
Baremetal – Windows Server 2012 R2 (Qty 35).
Virtual – CentOS Linux (Qty 50).
Virtual – Windows Server 2012 R2 (Qty 125).
Workstations
Windows 10 desktop systems, various models (Qty 250).
