1. COMPUTER NETWORK UPGRADE
PROJECT PLAN PROPOSED BY:
NETWORK SOLUTIONS INC.
CHRIS ODLE SEPTEMBER 2015
INFORMATION TECHNOLOGY CAPSTONE
PROFESSOR KAREN QUAGLIATA
2. Who is Healthmark Medical?
• Medical supply company
founded in 1969
• Huge range of products and
services from endoscopic rentals
to instrument trays and
sterilization equipment
• Thriving business, opening larger
3 story facility to handle their
200+ employees and various
departments Founder Ralph Basile
3. Defining the Problem:
• Huge portion of business relies on
internet and phone sales
• Current hardware and software
having issues supporting the
demanding workload
• Software errors, connectivity issues,
dropped calls, PC crashing and data
loss
• Hardware and software issues are
extreme detriment to company
financially, as well as reputation
4. Scope Statement and Analysis
• Project Manager-Chris Odle of
Network Solutions
• Create network &
communications layout that
will solidify Healthmark’s
technology needs for years to
come
• Time is of the essence and this
project will need to be
completed in 6 months
Scope Statement Layout
Milestones/Deliverables
Project Success Criteria
Limits and Exclusions
Signatures of Approval
6. Stakeholders and Communication Plan
• Identify key stakeholders in the
project and their level of
involvement
• Rating system for stakeholders
is a power mapping strategy on
the metrics of power & interest
• Assess individuals importance
and needs to become most
efficient relaying information
throughout the life cycle of the
project
9. File Management System
(WBS) Work Breakdown Structure
Devise Work
Packages
Assign
Resources
Associate Time
Tables
Recognize WP
Predecessors
Create Intuitive
Timeline
10. WBS - Tabular
Form
172 Estimate
Work Days
186 Constraint
3 Levels
Duration,
Predecessors
11. Cost Analysis & Summary
• Create detailed and accurate
cost estimates to work in
conjunction with WBS
• Assists the project team in the
areas of: decision making,
effectively schedule work
packages, develop cash flow for
different phases, and will keep
the project on course and
within scope
• Cost breakdown of software,
hardware, labor and
professional fees
12. Technical Implementation Approach
• This section covers in detail
how the project team plans to
implement the network
upgrade
• For the purpose of clarity, this
section is broken down into
multiple subsections
• Custom built network diagram
will also be included via the
project team
13. Demarcation Point (DEMARC)
Demarcation Point: A demarcation
point, or demarc, is the point of
division between the internet service
provider’s (ISP) network, and
Healthmark Medical’s computer and
communication network. Fiber-optic
cable is being provided and installed
by the local ISP and will be installed
externally completing the connection
to the secure data center. Some of
the reasons network solution chose
fiber optic cabling for the
demarcation connection is:
Faster Digital Signals
Larger Carrying Capacity
Less Signal Degradation
Low Power
Utilizes Light Signals
14. Network Topology and Backbone
This is the part of the installed
network which segments and
interconnects significant shared
devices, while taking on the majority
of the network traffic. Network
Solutions plans to install and utilize a
hybrid star-wired bus topology
stacking 48 port switches from floor
to floor, resulting in a simple
distributed backbone. This setup is
ideal for its ease of use, as well as
the network’s scalability.
15. IP Addressing
IP addressing will effectively
ensure proper communication
between devices, as well as assist
in the proper transportation of
important data packets
throughout the network.
Network designers and architects
will map out and analyze the best
solution for the proposed
network architecture.
◦ Gateway: 10.12.1.1/24
◦ Subnet Mask: 255.255.255.0
◦ Range was chosen due to size needs
◦ Static IP's delegated to server, switches,
firewall, and printers to make them easily
accessible, all other workstations will be
DHCP for ease of use
16. Hardware & Software
• Servers
• Routers
• Switches
• Firewalls
• PCs
• Monitors
• VOIP Headsets
• Printers/Fax Machines
• Speakers
• Office 365
• Microsoft Server Licensing
• VOIP Software
In-depth analysis of each component
provided within project plan
20. Risks & Concerns
• A risk is an uncertain event or
condition that, if it occurs, has
a positive or negative effect on
project objectives
• The risk management strategy
will identify as many project
orientated risks as possible,
while minimizing their impact
and also detailing responses
that may happen to materialize
Risk Event Identified
Likelihood
Impact
Mitigation Strategy
22. Security
Physical security
• 24-hour monitoring of data centers.
• Multi-factor authentication, including biometric scanning for data
center access.
• Internal data center network is segregated from the external
network.
• Role separation renders location of specific customer data
unintelligible to the personnel that have physical access.
• Faulty drives and hardware are demagnetized and destroyed.
23. Logical Security
Logical security
• Lock box processes for strictly supervised escalation process greatly
limits human access to your data.
• Servers run only processes on whitelist, minimizing risk from
malicious code.
• Dedicated threat management teams proactively anticipate,
prevent, and mitigate malicious access.
• Port scanning, perimeter vulnerability scanning, and intrusion
detection prevent or detect any malicious activity
24. Data Security
Data security
• Encryption at rest protects your data
on our servers.
• Encryption in transit with SSL/TLS
protects your data transmitted
between you and Microsoft.
• Threat management, security
monitoring, and file/data integrity
prevents or detects any tampering of
data.
25. Admin & User Controls
Admin and user controls
• Rights Management Services prevents file-level access without the right user
credentials.
• Multi-factor authentication protects access to the service with a second factor
such as phone.
• S/MIME provides secure certificate-based email access.
• Office 365 Message Encryption allows you to send encrypted email to anyone.
• Data loss prevention prevents sensitive data from leaking either inside or
outside the organization.
• Data loss prevention can be combined with Rights Management and Office 365
Message Encryption to give greater controls to your admins to apply
appropriate policies to protect sensitive data.
26. Privacy – HIPAA/Title II Compliance
As with any company operating within the strict guidelines of the medical field, a major area of focus for
Healthmark has always remained to be the privacy of all of their clients’ and customers’ sensitive information.
The data in question has to be stored to a strict set of guidelines in accordance with the HIPAAAct/Title II
(Become HIPAA Compliant). This act created strict and transparent guidelines on how organizations should
store and interact with sensitive patient/client information. This act was created to ensure privacy and security
for patients in the United States, while also providing opportunities for medical organizations to acquire more
technologically savvy means of assisting their patients/clients (Become HIPAA Compliant). To become
compliant an entity must meet certain criteria with regards to a few specific points of interest: privacy,
security, enforcement, and breach notification
27. Privacy – HIPAA/Title II Compliance Guidelines
HIPAA II Compliance Guidelines
Specific Technical Requirements and Implentation Strategies
Access Control - Unique User Identification (required): Assign a unique name and/or number for identifying and
tracking user identity.
Access Control - Emergency Access Procedure (required): Establish (and implement as needed) procedures for
obtaining necessary ePHI during an emergency.
Access Control - Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic
session after a predetermined time of inactivity.
Access Control - Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.
Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine
activity in information systems that contain or use ePHI.
Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that
ePHI has not been altered or destroyed in an unauthorized manner.
Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one
claimed.
Transmission Security - Integrity Controls (addressable): Implement security measures to ensure that electronically
transmitted ePHI is not improperly modified without detection until disposed of.
Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed
appropriate.
Facility Access Controls - Contingency Operations (addressable): Establish (and implement as needed) procedures
that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode
operations plan in the event of an emergency.
Facility Access Controls - Facility Security Plan (addressable): Implement policies and procedures to safeguard the
facility and the equipment therein from unauthorized physical access, tampering, and theft.
Facility Access Controls - Access Control and Validation Procedures (addressable): Implement procedures to
control and validate a person’s access to facilities based on their role or function, including visitor control, and
control of access to software programs for testing and revision.
Facility Access Controls - Maintenance Records (addressable): Implement policies and procedures to document
repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls,
doors, and locks).
Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed,
the manner in which those functions are to be performed, and the physical attributes of the surroundings of a
specific workstation or class of workstation that can access ePHI.
Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict
access to authorized users.
Device and Media Controls - Disposal (required): Implement policies and procedures to address the final disposition
of ePHI, and/or the hardware or electronic media on which it is stored.
Device and Media Controls - Media Re-Use (required): Implement procedures for removal of ePHI from electronic
media before the media are made available for re-use.
Device and Media Controls - Accountability (addressable): Maintain a record of the movements of hardware and
electronic media and any person responsible therefore.
Device and Media Controls - Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI,
when needed, before movement of equipment.
Security Management Process - Risk Analysis (required): Perform and document a risk analysis to see where PHI is
being used and stored in order to determine all the ways that HIPAA could be violated.
Security Management Process - Risk Management (required): Implement sufficient measures to reduce these risks
to an appropriate level.
Security Management Process - Sanction Policy (required): Implement sanction policies for employees who fail to
comply.
Security Management Process - Information Systems Activity Reviews (required): Regularly review system activity,
logs, audit trails, etc.
Assigned Security Responsibility - Officers (required): Designate HIPAA Security and Privacy Officers.
Workforce Security - Employee Oversight (addressable): Implement procedures to authorize and supervise
employees who work with PHI, and for granting and removing PHI access to employees. Ensure that an employee’s
access to PHI ends with termination of employment.
Information Access Management - Multiple Organizations (required): Ensure that PHI is not accessed by parent or
partner organizations or subcontractors that are not authorized for access.
Information Access Management - ePHI Access (addressable): Implement procedures for granting access to ePHI
that document access to ePHI or to services and systems that grant access to ePHI.