Review the material we've discussed so far - IA program governance, device discovery, service enumeration, vulnerability assessments, attacker methodology, etc and begin an outline of your proposal. Final projects should be 4-7 pages not including network diagrams, figures, etc. if you choose to include them.
Scenario
You are an information security consultant and have recently been hired by a new client to update their information security program. Submit your final report as a .doc or .docx attachment via this assignment, please do not email me your report.
Hoosier Medical Systems has grown by acquisition over the last five years. They operate two hospitals and four doctor's offices in the central Indiana area. They have managed information technology in an ad-hoc manner for years and have recently hired a Chief Information Officer who is pushing for a centralized data center to support the IT needs of organization; he has limited experience in information security, so Hoosier Medical System has hired you to fill in the gap. There is no one dedicated to security, no security awareness program, no dedicated security hardware or software (other than client managed anti-virus), and no one has examined potential regulatory issues that may impact Hoosier Medical Systems.
The doctor's offices are running a mix of Windows XP, ME, Vista, and 7. There is no standard build, one of the two part-time IT staff members usually buy new workstations as needed from Best Buy.
They also have wireless at most offices for the doctor's to use their personal laptops in patient rooms without the need to plug into the live network jack in every room, they often bring their laptops home to review patient records and for general personal use. Each office handles their own billing and accept credit cards via a single Hoosier Medical System website or over their VoIP phone system.
Each office has a file server, domain controller, network switch, and router directly connected to the Internet. The router has an ACL limited some network protocols. They send and receive some information between the two hospitals, including patient records, payroll, billing information, and other administrative data.
The hospitals have a larger and slightly better managed technology infrastructure. They have a small network room which was a janitor closet. Each floor has its own network hub which connects all workstations together. All departments use the same file server, but the finance department has created a shared folder limited to just their department.
The new CIO plans to completely rebuild the infrastructure, starting with a new high availability data center. He wants to re-architect and centralize data storage, applications, device management, etc. He's not convinced that he needs to do much with the workstations at each site, but employees complain about lack of technical support and sporadic malware infections - they all have administrative rights.
He would like your perspective on the workstation issue, architecture suggestions, and anything else that they should consider when redesigning their IT infrastructure.
Your assignment is to document recommendations based on the scenario provided. Begin with the first section we covered in class and suggest a governance model for the Hoosier Medical System's new information security program.
Consider each section, one by one, and apply the material we've covered in class to this client's situation. Think about the attacker methodology, but this is not an incident response scenario.
You may suggest an annual penetration test, but there's no need to go into specific detail. Your final report should be 4-7 pages, single spaced (excluding diagrams if you choose to include them). There are plenty of issues to discuss and opportunities for improvement.