IT 3358
For this project, I have chosen the global organization I currently work for, Aetna Inc. It is an American-based organization headquartered in Hartford, CT that offers medical, dental, pharmacy, behavioral health, and long-term care/disability plans. It has been a subsidiary of CVS Health since November 2018, so the organization has a growing need for security strategies. It has many sites worldwide and employs almost 50,000 people. Currently insuring over 40 members globally and having a network of over 2 million doctors, it holds a substantial amount of data that needs to be protected with an enterprise security infrastructure.
Like many organizations, Aetna faces a constant risk of data breaches; without devoting the appropriate effort to securing network data, it will most likely be compromised in some way, shape, or form. Data breaches have caused Aetna havoc in the past, causing the organization to pay out millions of dollars in fines. Security can be reactive because it is impossible to foresee every future threat, but being proactive with an enterprise security infrastructure plan can help minimize attacks. Over 93% of healthcare organizations have experienced a data breach of some kind over the past five years, according to Black Book research (Osborne, 2019). Cybercriminals will continue to exploit security vulnerabilities in the healthcare industry because of the reward of getting access to protected health information (PHI). This can include patient names, addresses, telephone numbers, medical conditions, treatments, pharmaceutical information, and insurance records. Carbon Black estimates that PHI can sell for up to six times as much as standard PII. IBM claims that this is up to $408 per record, whereas Black Book estimates that these records can go for as much as $423 (Osborne, 2019). So, our goal is to be proactive and maintain adequate security hygiene to prevent breaches from occurring in the first place.
The success of the enterprise security infrastructure depends on the ability of the people, processes, and technology to deliver, so it is important that the stakeholders included have a sufficient understanding of the strategy and solutions. This will help the business stakeholders be better positioned for the budgeting, planning, and upskilling that is required. So, it is imperative that all stakeholders understand the shared responsibility and how our organization's specific security policies affect their job roles. Creating an interdepartmental security committee will help our stakeholders because it will provide them with the resources and knowledge to make informed decisions. For instance, the chief security officer (CSO) is responsible for everything from the devices in the network to the data that gets collected. The CSO cannot handle everything in the project, so that is when the vice chair steps in and leads the day-to-day security tasks. The vice chair will seek ways to make the overall security infrastructure stronger. So, different stakeholders play different roles and communicate to make more informed decisions, which leads to an optimized, cost-effective security plan.
When using the SDLC (System Development Life Cycle), the timeframe will vary, but our goal is to have the enterprise security infrastructure project complete by the end of the year. We know the scope of the problem is data protection, so we need to determine the resources and costs needed. This can reasonably take a month to finish, and then we move to the systems analysis and requirements phase. This is where we will consider the functional requirements of the project and analyze our needs to make sure the system meets our expectations. This phase may take 1-2 months, followed by the systems design stage. Here we will describe in detail the specifications, features, and operations that will satisfy the functional requirements. This could also take 1-2 months to fully complete, and then we begin the real work in the development stage, where we start implementing the security infrastructure. This may take the longest, about 3-5 months, depending on how the integration and testing go in stage 5. We will continually have a quality assurance professional communicating whether or not the proposed plan is meeting our needs and business goals. Stages 6 and 7 are the implementation and operations/maintenance phases; here we want to make sure the system is fine-tuned and that the project met the requirements, and if not, we can adjust accordingly.
The roles of confidentiality, integrity, and availability are huge because they are designed to guide policies for information security within the organization. Confidentiality is like privacy because it is a set of rules that limits access to information. Integrity involves the assurance of maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle, and availability ensures rigorously maintaining all hardware, performing repairs immediately when needed, and maintaining a correctly functioning operating system environment. These three elements are crucial to the project scope because they are the core components of security.
Challenges that we anticipate include compliance with laws and regulations. There are local, state, and country laws that must be abided by, so it is important that we follow the privacy guidelines for each area. For our sites located in Europe, for instance, we have to follow the GDPR (General Data Protection Regulation), which is not required in the U.S. We can have gaps in security measures if we do not properly set up our security policies. Whether dealing with our organization across the globe or operating locally, these matters have to be addressed in the planning stage so that we are not blindsided by issues that could affect our project.
References
Bridges, J. (2019, November 14). How to Write a Scope of Work. Retrieved January 20, 2020, from https://www.projectmanager.com/training/write-scope-work
Osborne, C. (2019, November 21). The latest healthcare data breaches in 2019. Retrieved January 19, 2020, from https://portswigger.net/daily-swig/the-latest-healthcare-data-breaches-in-2019
Rouse, M. (n.d.). What is confidentiality, integrity, and availability (CIA triad)? Definition from WhatIs.com. Retrieved January 20, 2020, from https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA