
Health Body Wellness Center

Information Security Management System (ISMS)


Health Body Wellness Center (HBWC) promotes medical research, evaluation, and sharing of information between health care professionals. The HBWC's Office of Grants Giveaway (OGG) provides for the distribution of federally supported medical grants. OGG uses a Microsoft Access database program called Small Hospital Tracking System (SHGTS) to manage the medical grant distribution process. A risk assessment of SHGTS was conducted to evaluate vulnerabilities and establish a baseline of potential threats. This document outlines an ISMS plan for HBWC and provides recommendations of additional steps needed to implement and maintain this plan. Use of the ISO 27000 series certification process will provide a framework for the ISMS. The Plan-Do-Check-Act (PDCA) model provides a step-by-step process for planning, implementing, and managing the ISMS plan. The ISMS outline, network drawing, and additional recommended steps are discussed below.

A1. Business Objectives

The first step of any ISMS is the identification of the business objectives that need to be included in the planning and maintenance of an organization. Listed below are HBWC's major objectives to be considered when developing the ISMS. (Arnason, S, & Willett, K.D, 2008)

Staff: Basic users, RAS users, Administrators, Executives, and Database Administrators; roles, access levels, and responsibilities should be defined.

Facilities: HBWC headquarters in room 1234 and OGG offices in room 5678 (location of servers and network devices); physical security must be examined.

Technology: Microsoft Windows 95/NT Server environment, Access 97 database, and network devices and the configuration of that equipment (patches and updates). Vulnerabilities associated with unsupported Operating Systems (OS) and Applications (Access) should be covered.

Key players: Management, Human Resources (HR), and Information Technology (IT) staff should all provide members to make up the ISMS committee. The key to success is having management drive the process and establish the framework for the company to follow.

Motivations: HBWC's goal is to provide an effective method to promote medical research and the exchange of information among health care professionals. Institutions rely on grants from OGG to meet this goal. The establishment of a secure environment for SHGTS to operate in is paramount to success.

Snapshot of security posture: No ISMS policy is in place at this time. With the aid of the SHGTS risk assessment, a review of the overall security posture will be performed and a comprehensive ISMS plan developed for HBWC and its customers.

Objectives: Evaluate all systems and data on the HBWC Local Area Network (LAN) to implement an effective ISMS that meets the ISO 27000 series standard. The Confidentiality, Integrity, and Availability (CIA) triad is a key consideration for all systems and data and should be evaluated and covered during the PDCA process.

A2. Guiding Security Principles

Three key principles of security make up the CIA triad; they provide a basis for identifying and applying industry security standards for the protection of IT systems. Confidentiality policies are designed to prevent unauthorized access to data and databases, including paper data, electronic media, telephone, and data networks (bits and bytes). Integrity policies prevent the modification of data in transit, protect transaction integrity, and protect data at rest. The use of encryption technologies ensures data integrity. Availability policies include equipment maintenance, monitoring of degraded services, and response to loss of an asset. These security principles are the basis of a good ISMS program and provide a guideline for its development. (Tipton, H, & Henry, K. 2007)

File:FYT2_Task2 By Thomas A. Groshong Sr Page 1 of 5

A3. Processes

The processes that will be included in the ISMS are the PDCA process and a transition plan to move HBWC from the current As-is state to the To-be state. The PDCA process provides guidance on four steps: develop a plan, implement the plan, verify the plan is in use, and improve the plan. Management must first establish guidance for the ISMS team to build a security plan that is current by today's standards. Next, a full risk and vulnerability assessment has to be completed that identifies the current threats, so an action plan can be developed that addresses them. The plan will provide guidance on the migration of the company's network and how to move from the As-is state to the To-be state. The ISMS plan will be consistent with ISO 27000 series certification processes. A timeline for implementation, verification/validation, and improvement will be defined as part of the ISMS process. (Arnason, S, & Willett, K.D, 2008)

A4. Information Systems (IS)

Systems included in the scope of the ISMS are all network devices, including workstations, servers, routers, firewalls, switches, and modems. Shown below is the As-is Network Drawing, which shows the current state of the HBWC network before implementation of the ISMS policies and procedures. The ISMS team will identify upgrades to the systems, which will include OS upgrades, patches/bug fixes, and implementation of system processes such as Active Directory (AD), Demilitarized Zone (DMZ) creation, migration of the Remote Access Server (RAS) to Virtual Private Network (VPN) technology, and migration of SHGTS (Access) to a SQL (web-based) database. Access Control Lists (ACLs) will be evaluated and revised to meet current authentication and authorization requirements and industry standards for security. The malware (anti-virus) detection system must be reviewed to validate up-to-date protection of all systems that touch the HBWC network, including remote user devices.

A5. IT Infrastructure

The ISMS plan will evaluate the information flow and provide steps that change the current flow of information to improve the security of the network and the data that is exchanged. Remote users currently access the SHGTS database using a RAS configuration, as shown in the LAN drawing below. The Headquarters (HQ) and OGG offices use Windows XP workstations for normal user computer processing. Windows NT servers provide discretionary access control (HBWC-DC-01), SHGTS database access (HBWC-DB-01), and RAS (HBWC-RA-01) connectivity. Network devices such as modems, switches, firewall, proxy, and router provide secure connectivity to internal (file shares) and external (Internet cloud) networks. Eliminating the RAS connectivity and providing a VPN connection will vastly improve security and provide remote users with a far more robust connection. In addition, the migration of the SHGTS database from Access 97 to SQL and establishing a Web presence will reduce the need for remote users, other than teleworkers, to access the HBWC network remotely. Part of the overall migration of SHGTS would be the creation of a DMZ on the firewall to isolate the Web traffic and access to webSHGTS. The ISMS team will evaluate the firewall's capabilities to determine whether an upgrade or replacement will be required before implementation. The Internetwork Operating System (IOS) and/or current software version of network devices will be upgraded to versions that reduce known threats and improve security. Upgrading workstations to Microsoft Windows 7 Professional and Microsoft Office 2010 Professional, and servers to Microsoft Windows Server 2008, would greatly enhance security and reduce risk. With the migration to Server 2008, the addition of AD to the current infrastructure will allow better management of the users and computers on the HBWC LAN.


[Figure: Healthy Body Wellness Center (HBWC) As-Is Network Drawing, 22Jul2012, FYT2Task2. Components shown: Internet cloud via ISP WAN; DSL/cable modem and router (copper CAT5e Ethernet media, telephone dial-up POTS lines); proxy server and firewall; network switch; OGG Offices (room 5678) Windows XP workstations wks1 through wks6; HBWC Headquarters (room 1234) Windows XP workstations wks1 through wks6; HBWC-DB-01 SHGTS JINX Server (Windows NT Server); HBWC-DC-01 Account Server (Windows NT Server); HBWC-RA-01 RAS Server (Windows NT Server) with remote access modem bank; remote access dial-up connections over telephone company provided lines to remote workstations wks1 through wks6 managed by HBWC. Notes: equipment rack locations are network devices in room 1234 and servers in room 1234.]

Recommended Additional Steps

B1. Discussion

HBWC has a LAN that is up and running (As-is state), and the ISMS team will create a plan to migrate and/or update it (To-be state) to improve security. PDCA provides a step-by-step process that identifies threats and vulnerabilities and provides a framework to implement, audit, and improve. The logical steps of the PDCA process are:

Plan: Prepare an ISMS plan with forecasts and management approval that will establish security norms and follow industry standards (ISO 27001).

Do: Implement the ISMS plan and follow the ISMS team recommendations as set forth in the plan.

Check: Review and verify that the policies exist and are being used per the plan. A process to audit the ISMS must be created. A review of the effectiveness of the program should be performed and any residual risk identified. Monitoring and review during the check stage determine the effectiveness of the ISMS plan. Recommendations for improvement are made from the audits and assessments performed during this stage.

Act: Improvement of the ISMS policies is a direct result of the check stage of PDCA. Once the review has been completed, the implementation of improvements reduces overall risk and provides a more secure environment for HBWC.

PDCA is not a process that is done once and finished. It is designed so that continual review (Check) and improvement (Act) are performed. This requires assessments, either in-house or external, to audit, make recommendations, and provide process feedback on the ISMS. (Arnason, S, & Willett, K.D, 2008)

B2. Justification

The PDCA process provides four stages for the planning, implementation, review, and improvement of the ISMS policies and procedures. By adopting a plan that continually audits, reviews, and improves the LAN security posture, a more effective and comprehensive ISMS is created. Industry standards such as ISO 27001, NIST, COBIT, and ITIL all suggest a plan of continual evaluation and improvement. In the case of HBWC it is clear that the As-is state did not have any improvement process. The lack of a security plan or improvement process has left HBWC's current systems vulnerable to a great number of threats. The establishment of a comprehensive ISMS policy and the adoption of the PDCA process will greatly reduce the risk from threats and vulnerabilities to HBWC and its users. Due diligence requirements establish very clear legal ramifications for lack of proper handling and due care of information. Organizations must be concerned with compliance with relevant requirements such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and Personally Identifiable Information (PII) protection. Establishing a process of continued review and improvement will allow HBWC to adapt to changes in risk (threats) and to ever-changing legal responsibilities. (Arnason, S, & Willett, K.D, 2008)


Reference Page

Arnason, S, & Willett, K.D. (2008). How to achieve 27001 certification: An example of applied compliance. Auerbach Publications.
Tipton, H, & Henry, K. (2007). Official (ISC)2 guide to the CISSP CBK. Boca Raton, FL: Auerbach Publications.
Tipton, H, & Krause, M. (2007). Information security management handbook, Sixth Edition. Boca Raton, FL: Auerbach Publications.

