Information Systems and Identity Management
Transcript of video
You are a systems administrator in the IT department of a major metropolitan hospital. Your
duties are to ensure the confidentiality, availability, and integrity of patient records, as well as
the other files and databases used throughout the hospital. Your work affects several
departments, including Human Resources, Finance, Billing, Accounting, and Scheduling. You
also apply security controls on passwords for user accounts. Just before clocking out for the day, you
notice something strange in the hospital's computer system. Some person, or group, has accessed
user accounts and conducted unauthorized activities. Recently, the hospital experienced an intrusion into
one of its patients' billing accounts. After validating user profiles in Active Directory and matching them
with user credentials, you suspect several users' passwords have been compromised to gain access to
the hospital's computer network. You schedule an emergency meeting with the director of IT and the
hospital board. In light of this security breach, they ask you to examine the security posture of the
hospital's information systems infrastructure and implement defense techniques. This must be done
quickly, your director says. The hospital board is less knowledgeable about information system
security. The board makes it clear that it has a limited cybersecurity budget. However, if you can
make a strong case to the board, it is likely that they will increase your budget and implement
your recommended tool companywide. You will share your findings on the hospital's security posture.
Your findings will be brought to the director of IT in a technical report. You will also provide a non-
technical assessment of the overall identity management system of the hospital and define practices to
restrict and permit access to information. You will share this assessment with the hospital board in the
form of a narrated slide show presentation. You know that identity management will increase the
security of the overall information system's infrastructure for the hospital. You also know that, with a
good identity management system, the security and productivity benefits will outweigh costs incurred.
This is the argument you must make to those stakeholders.
Project 6: Organizational Profile and Access Management Case
Start Here
Daily life requires access to a lot of information, and information systems help us access that
information. Desktop computers, laptops, and mobile devices keep us connected to the information
we need through information systems. However, our easy access to communication and information
also creates security and privacy risks. Laws, regulations, policies, and guidelines protect information
and information owners, and the role of cybersecurity is to protect the confidentiality, integrity, and
availability of information.
This project focuses on the processes and practices of identity management as a component of a
layered security defense system that governs users' access, authorization, and authentication. You will
work as part of a team to produce reports on the processes and practices of identity management at a
health-care facility and deliver the key findings to the board in a presentation.
Your team has four deliverables for this project:
Executive summary. This will be a single, double-spaced page, and in the same template document as
the technical report, located immediately following the cover sheet and before the text of the report.
Technical report. A nine- to 10-page double-spaced Word document with structure and citations in
APA format, using the provided template. This will include your organizational profile, threat analysis,
and strategies for mitigation. The page count does not include the cover sheet, executive summary,
figures, diagrams, tables, or the references section.
Lab report. This will summarize the lab activity, including how your team came to the results, using
screenshots to show your work.
Narrated presentation. This presentation will not exceed 12 slides, excluding the cover and references
slides. It will be narrated by a single voice.
There are nine steps that will lead you through this project. Begin by watching the video above, which
introduces the fictional scenario that serves as the framework for this project. Then continue to Step
1: Get to Know Your Team.
Step 2: Learn About Organizational Behavior
In the previous step, your team got to know each other and agreed on a communications plan. In this
step, take some time to read about teamwork and leadership. Think about the challenges members
must overcome to work together effectively and how they can do this to achieve a positive outcome
for an organization. Bad experiences have their own lessons for individuals and groups. In your own
group, you will experience some practical challenges such as schedules, resistance to group work, and
perhaps failure of some members to contribute fully. Consider this an incubator of sorts in which you
may encounter experiences similar to the case you are studying. As you grapple with logistical,
technical, and other team issues, you are gaining experience with normal team challenges. So, relax
and consider this a useful journey!
In the next step, you will choose your case study, review the deliverables, and create a project plan.
Step 3: Choose a Case and Complete the Project Plan
Now that you have a better understanding of various aspects of organizational behavior from the
readings in the previous step, select as your case to research a hospital or health-care organization
that has suffered a cybersecurity breach. Consider an organization you are familiar with or one for
which you can find sufficient information about cybersecurity policies and practices. To maintain
confidentiality, you do not need to mention the name of the organization. You can start with this list
of 2020 breaches. Most of these breaches are logged in the US Department of Health and Human
Services (HHS) Breach Portal where you can also search. Verify that you can locate sufficient reputable
information on your chosen case to complete the project; start with this custom CBR 600 research
guide from the UMGC library.
Cybersecurity Fundamentals
The principles of confidentiality, integrity, and availability (CIA) are fundamental concepts in this field.
Look at this cybersecurity field overview to consider different roles that may apply as you review your
case. Finally, review the article Muddling Through Cybersecurity: Insights From the US Health-Care
Industry.
After you have chosen a case, you need to establish how you will divide the work. Use your team
space to share ideas and drafts of each member's contribution. Complete all portions of the project
plan and submit it to your team space by the end of Week 8.
Each team will have three weeks to complete its deliverables:
Complete and submit the team communication and project plans by the end of Week 8.
Conduct research to capture the organization's infrastructure and processes and the threats to
personal health information (PHI) and to determine a strategy to mitigate the threats you
anticipate. This research will go into the technical report (nine to ten pages excluding cover
sheet, references, and any appendices), also called a white paper, in accordance with the
directions in Steps 4 and 5.
After the paper is written, you will create a one-page executive summary of the paper. It will
be part of the technical report document, between the cover sheet and the text of the report.
Complete the lab activity to crack passwords and create a summary lab report. This should be
done by Week 9.
Develop a high-level narrated slide presentation for the organization's board of directors.
This asynchronous presentation must be no longer than 12 slides, excluding the references
slide and cover slide. It is due at the end of Week 10.
Finalize all deliverables and assign one group member to upload them into the team project
assignment folder. All deliverables are due no later than the end of Week 10.
Step 4: Create an Organizational Profile for Your Case
Now you will research your chosen case to determine how the organization's IT department operates,
how it is structured, and how PHI is moved around the organization. You may not find this exact
information for your health-care organization that suffered a breach. In that case, use the material on
organizational structure to draft a plausible layout for an organization like your case.
Next, review Overview of Systems & Networks for the basics about an information system
infrastructure.
It is important to an organization that its workflow processes, such as how they move patient
information to the business units that need to process and manage that information, are unimpeded
and secure. All organizations employ hardware and software within their information systems and
connect them in a network. It is critical to understand these components, termed system architecture,
and how the components are connected so that IT professionals can ensure that there is sufficient
security in place to protect sensitive information.
Your profile of the organization's system architecture should include a high-level description of
information systems' hardware and software components and their interactions. Take time to read
the following resources on the roles and responsibilities within an IT department and some basic
information about operating systems in general.
Information systems hardware
Information systems software
As you write your organizational profile, consult scholarly resources as well as newspapers, websites,
and IT blogs for information on how health-care organizations are generally set up. Revisit guidelines
on conducting research or the CBR600 research guide, if needed. Use the information you find to
create a plausible description and supporting diagram of the IT infrastructure for your organization,
which will become part of your technical report.
Include the following in your profile:
Description and diagram of your organization and its structure and critical missions
o Describe the organization and structure. The structure will include the different
business units and their functions. You will build an organizational chart and a
description of the nodes to provide this information. Demonstrate the basic elements
and describe how they are connected to each other via a network.
o Diagram what you describe above. This is just a visual aid to help executives understand
how security concepts can be applied to the existing system, not a detailed plan for
network engineers. See a few example diagrams to get a sense of what yours might
look like.
An explanation of information security needs to protect mission-critical systems.
o Choose one or more mission-critical systems of the health-care organization. Define
the information protection needs for the organization's mission-critical protected
health information (PHI). Describe how this information is (or should be) stored so
that it is accessible by those who need it (e.g., doctors, nurses, patients, insurance
claims billing systems). You should also refer to the facts of the breach you are
covering, especially if medical records were compromised.
In the next step, you will consider threats to the organization's information security and how to
mitigate them.
Step 5: Develop Analysis of Threats to the Organization's Information Systems Infrastructure
Now that you have defined your organization's information system infrastructure, you will learn
about and demonstrate your understanding of the potential threats to those systems and the types of
measures that could mitigate those threats. These pieces will finish your technical report. First, you
will learn about different types of identity access management solutions and how they protect against
unauthorized access.
The National Initiative for Cybersecurity Education (NICE) framework refers to this work as conducting
a vulnerability assessment. To conduct a vulnerability assessment, a trained specialist would assess
threats and vulnerabilities; determine deviations from acceptable configurations, enterprise, or local
policy; assess the level of risk; and develop and/or recommend appropriate mitigation
countermeasures in operational and nonoperational situations. Your team will not carry out all of
these tasks, but you will assess the potential threats and vulnerabilities and the risk to your
organization, and you will develop a mitigation strategy that includes an identity management system
and any other safeguards you deem necessary.
To complete this section of your report, start by reviewing the following resources:
Information System Architecture
Web Security Issues
Insider Threats
Intrusion Motives/Hacker Psychology
Take what you learned about potential threats to assess the threat(s) to the organization's
information systems infrastructure that you wrote about in Step 4. Provide a brief summary of the
kinds of threats that an organization could face, addressing insider threats, intrusions, hacker
psychology, and other weaknesses that might provide opportunities to breach the system. Relate these
threats to the vulnerabilities in the CIA triad.
Next you will provide a mitigation strategy that will include a description of an identity management
system, which will include authentication, authorization, and access control. Remember that you are
already expecting that your organization will need to update its identity management processes and
policies, and you are laying the groundwork for the investment this will require. As an example, think
about the requirements for doctors' use of laptop devices when they visit their patients at a hospital
and their need to connect to the hospital PHI data.
Review the following resources:
Authorization
Access control
Passwords
Authentication
Multifactor authentication
Now, explain how your organization should restrict access to protect billing and PHI. Explain the
organization's processes and workflows to safeguard PHI, including the use of passwords, password
management, and password protection. Define types of authorization and authentication and the use
of passwords, password management, and password protection in an identity management system.
Describe common authentication factors and mechanisms, including multifactor authentication.
Finally, review the mission and organization structure of your organization as well as roles within it,
and recommend accesses, restrictions, and conditions for each role. What will happen if the CIO and
the leaders do nothing and decide to accept the risks? Could the CIO transfer, mitigate, or eliminate
the risks? What are the projected costs to address the risks?
You may not know exactly what your organization's current strategy is, but you can project a plausible
scenario based on the CIO's acceptance or rejection of your proposal for an access control system.
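The per-role accesses, restrictions, and conditions asked for above can be expressed as a small authorization policy. The code below is an added illustration, not the course's or any hospital's code; the roles, the PHI and billing resources, and the multifactor and managed-device conditions for access from outside the hospital network (the doctor-on-a-laptop case) are assumptions chosen to mirror the scenario.

```python
"""Role-based access checks for hospital PHI and billing data (added example).

Roles, resources and the remote-access conditions below are assumed for
illustration; they are not a real hospital's policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed policy: role -> resource -> allowed actions.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "doctor": {"phi": {"read", "write"}, "billing": {"read"}},
    "nurse": {"phi": {"read", "write"}},
    "billing_clerk": {"billing": {"read", "write"}, "phi": {"read"}},
    "patient": {"phi": {"read"}},  # own record only, enforced in authorize()
}

# Assumed condition: these resources need a second factor and a managed
# device whenever the request does not come from the hospital network.
SENSITIVE: Set[str] = {"phi", "billing"}

AUDIT_LOG: List[str] = []  # every decision is recorded for later review


@dataclass
class Request:
    user: str
    role: str
    resource: str
    action: str
    record_owner: Optional[str] = None  # patient whose record is requested
    on_hospital_network: bool = True
    mfa_passed: bool = False
    managed_device: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(req: Request) -> Decision:
    """Evaluate role permissions first, then the conditions on the request."""
    decision = _evaluate(req)
    AUDIT_LOG.append(f"{'ALLOW' if decision.allowed else 'DENY'} "
                     f"user={req.user} role={req.role} {req.action} "
                     f"{req.resource}: {decision.reason}")
    return decision


def _evaluate(req: Request) -> Decision:
    allowed_actions = ROLE_PERMISSIONS.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed_actions:
        return Decision(False, f"role {req.role!r} may not {req.action} {req.resource}")
    # Patients are limited to their own record regardless of the action.
    if req.role == "patient" and req.record_owner != req.user:
        return Decision(False, "patients may only read their own record")
    # Conditions for sensitive data accessed from outside the network,
    # e.g. a doctor's laptop during visits away from the hospital.
    if req.resource in SENSITIVE and not req.on_hospital_network:
        if not req.mfa_passed:
            return Decision(False, "remote access requires multifactor authentication")
        if not req.managed_device:
            return Decision(False, "remote access requires a hospital-managed device")
    return Decision(True, "permitted")
```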
Step 6: Write an Executive Summary
Now that you have finished writing your technical report, it is time to write an executive summary.
The goal of an executive summary is to capture the main highlights of a document in a concise,
readable format that can bring key decision makers up to speed. Your executive summary should be
double-spaced and no more than a page in length. When you submit it at the end of the project, it will
go in the same template document as the technical report, immediately following the cover sheet and
before the text of the report.
After you have drafted your executive summary, your team will test the strength of passwords with
two password cracking tools.
Step 7: Test Password-Cracking Tools and Write a Lab Report
You have successfully examined the threats to a health-care organization's information systems
infrastructure and ways in which the organization can increase its security by an active management
system. Now, you must begin your practical research into password-cracking software; the readings on
authentication and hashing functions will get you started. Then do some quick independent research on
password cracking as it applies to your organization and complete the lab activity Password Cracking
With Cain & Abel and Ophcrack using the lab instructions under Complete This Lab.
In this lab activity, you will test two password-cracking tools, since not all password-cracking tools will
perform with the same speed, precision, and results. Your report will assess these characteristics as
you test the organization's systems for password strength and complexity and complete the validation
testing. You will compare the results you obtain using the two tools.
Resources
Accessing the Virtual Lab Environment: Navigating UMGC Virtual Labs and Lab Setup
Self-Help Guide (Workspace): Getting Started and Troubleshooting
Link to the Virtual Lab Environment: https://vdi.umgc.edu/
Lab Instructions
Password Cracking With Cain & Abel and Ophcrack
Getting Help
To obtain lab assistance, fill out the support request form.
Make sure you fill out the fields on the form as shown below:
Case Type: UMGC Virtual Labs Support
Customer Type: Student (Note: faculty should choose Staff/Faculty)
SubType: ELM-Cyber (CST/DFC/CBR/CYB)
SubType Detail: Pick the category that best fits the issue you are experiencing
Email: The email that you currently use for classroom communications
In the form's description box, provide information about the issue. Include details such as steps taken,
system responses, and add screenshots or supporting documents.
Lab Report Instructions
Explain to the director of IT and the members of the board that the health-care organization's
antivirus software will detect password-cracking tools as malware. Also explain how this impacts the
effectiveness of testing security controls like password strength. Through persuasive arguments in
your lab report and presentation, help the organization's leaders understand the risks and benefits of
using password-cracking tools. If any of the tools take longer than two to three minutes to guess a
password, record the estimated length of time the tool anticipates taking to guess it.
Topics to Address in the Lab Report
1. Compare and contrast the results from the two methods used to crack the user accounts.
a. Describe the tools' speed at cracking the passwords and draw conclusions that are
relevant to the organization's cybersecurity posture. Explain how the tools respond to
password complexity.
2. Explain how strong passwords are constructed and your team's recommendations for the
organization.
a. Explain the four types of character sets used for strong passwords, how many you
should use, the general rules for password length, and recommendations for how
often passwords should be changed.
3. Discuss the benefit of penetration testing.
a. Explain what that would entail in the organization and what the team could learn
from the testing. Discuss the pros and cons of using the same usernames and
passwords on multiple systems.
4. Discuss any ethical or legal considerations for how you would use password cracking tools.
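Topic 2 above asks how strong passwords are built from the four character sets and a minimum length. The checker below is an added example, not code from the course or from the lab tools: it reports which sets a password uses and the size of the brute-force search space that follows from them, so the "responds to password complexity" observations from the lab can be put in numbers. The minimum length, the required number of sets, and the guess rate used for the time estimate are assumptions.

```python
"""Password strength assessment against the four-character-set rule (added example).

MIN_LENGTH, MIN_CLASSES and ASSUMED_GUESSES_PER_SEC are illustrative
assumptions, not values from the course or the lab tools.
"""
import math
import string
from typing import Dict, List

# The four character sets referred to in the lab report topics.
CLASSES: Dict[str, set] = {
    "lowercase": set(string.ascii_lowercase),   # 26
    "uppercase": set(string.ascii_uppercase),   # 26
    "digits": set(string.digits),               # 10
    "symbols": set(string.punctuation),         # 32
}
MIN_LENGTH = 12                 # assumed policy minimum
MIN_CLASSES = 3                 # assumed: at least three of the four sets
ASSUMED_GUESSES_PER_SEC = 1e9   # assumed offline cracking rate for the estimate


def classes_used(password: str) -> List[str]:
    """Names of the character sets that appear in the password."""
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]


def search_space_bits(password: str) -> float:
    """log2 of the brute-force keyspace: (sum of used set sizes) ** length."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def seconds_to_exhaust(bits: float) -> float:
    """Time to try the whole keyspace at the assumed guess rate."""
    return (2.0 ** bits) / ASSUMED_GUESSES_PER_SEC


def assess(password: str) -> dict:
    """Check length and set coverage; report the keyspace and any problems."""
    used = classes_used(password)
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(used) < MIN_CLASSES:
        problems.append(f"uses {len(used)} of 4 character sets, policy needs {MIN_CLASSES}")
    bits = search_space_bits(password)
    return {
        "length": len(password),
        "classes": used,
        "bits": round(bits, 1),
        "exhaust_seconds": seconds_to_exhaust(bits),
        "ok": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample passwords, weakest to strongest.
    for pw in ["password", "Passw0rd", "Hosp1tal-Rec0rds!"]:
        print(pw, assess(pw))
```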
When you have completed your lab report, complete with screenshots to demonstrate what you did,
you will work on the presentation for the board of directors.
Step 8: Prepare a Narrated Presentation
Now that you have completed your technical report and lab report, you are ready to develop
a narrated presentation for the members of your organization's board as well as the CIO and other
managers. Your technical report will provide an analysis of the infrastructure and the threats, based
on the incident that first brought the organization's security issues to your team's attention. You will
use your team's findings from both reports as the basis for this presentation.
The board will decide what actions are taken and how much money will be allocated for
cybersecurity. Therefore, your slide deck must capture the salient points of your research, the results
of the lab tests of the password-cracking tools, and the team's proposals to tighten information
security practices. Consider the suggestions in the table below to focus your efforts for this
presentation.
Topics to Address in the Narrated Presentation
Keep the primary goals of your presentation in mind as you build your presentation to the board: Be
credible, be clear, and provide reasoned, actionable recommendations.
Present your technical findings succinctly for a non-technical audience.
o Avoid acronyms, slang, or jargon; opt for clear language and clear explanations.
Provide a high-level summary of the infrastructure, the vulnerabilities that may have enabled
the breach, and recommended actions.
o Explain what happened, the impact on the organization, and your proposed actions
with rationales and estimated costs.