Need PowerPoint from the paper attached. Do in the format given in the links.

Running Head: MCKESSON CORPORATION

McKesson Corporation

Iswarya Doppalapudi

SEC.6040..B2H01.SP2017: Spring 2017

Web and Data Security

Frederick Smith

Wilmington University

Table of Contents

Executive Summary

Company Overview

Business Case

Cost ratio

Project charter

Project plan

Architecture

Information security framework

Regulations, policies, and procedures

ROI

Business-impact analysis plan

Center of excellence

Cost benefit analysis, value analysis, incident response plan

Strategic plan

SWOT analysis key analysis risk identification/mitigation plan

Risk Identification

Table 1: The Hardware and Software costs for projects

Table 2: Human Resources costs for project

Table 3: Incident Response

Figure 1: Architecture

Figure 2: Logical Network Model

Figure 3: ROI

Figure 4: Cost Benefit

McKesson Corporation

Executive Summary

Company: McKesson Corporation

Founded: 1833

URL: http://www.mckesson.com/about-mckesson/who-we-are/

Industry: Healthcare

Company Overview

McKesson Corporation was founded in 1833. The company has its headquarters in San Francisco and has more than 76,000 employees (McKesson, 2017). McKesson operates in two core business segments: (1) Distribution Solutions and (2) Technology Solutions.

McKesson Corporation is an American healthcare company that distributes pharmaceuticals at a retail sale level and provides health information technology, medical supplies, and care management tools. The company had sales of $122 billion in 2012. McKesson is based in the United States and distributes health care systems, medical supplies and pharmaceutical products (McKesson, 2017). Additionally, McKesson provides extensive network infrastructure for the health care industry; it was also an early adopter of technologies like barcode scanning for distribution, pharmacy robotics, and RFID tags. It is a Fortune Global 500 company and the fifth highest revenue generating company in the United States.

The company stands out because it builds essential connections that make health care smarter, creating intelligent networks that expand access, cut waste, and bring people and information closer together (McKesson, 2017). McKesson offers businesses the resources, support and technology they need to set new standards and build a world of better health.

Business Case

McKesson Corporation operates several types of businesses: Distribution Solutions, Medical-Surgical, Pharmacy Systems, U.S. Pharmaceuticals, McKesson Canada, Celesio, Technology Solutions, Business Performance Services, Connected Care and Analytics, and Enterprise Information Solutions (McKesson, 2017). The company offers these business services to a broad range of customers, supplying pharmaceuticals, medical merchandise and business services to retail pharmacies and institutional suppliers like hospitals and health systems throughout North America and internationally.

Services available: McKesson’s RelayHealth business is the national services provider for CommonWell, which currently offers: Person Enrollment, Record Location, Patient Identification and Linking, Data Query and Retrieval. Member companies continually evaluate incremental service expansion into different care settings for the benefit of patients and provider organizations.

Partnering: As a founding member of the CommonWell Health Alliance®, a not-for-profit trade association of health IT companies dedicated to health IT interoperability, McKesson has taken a leadership position in driving person-centered interoperability that will ultimately improve health outcomes for providers and patients. The company covers 72% of the acute-care EHR market. It also covers 34% of the ambulatory care EHR market. Market leaders and innovators in laboratory, imaging, retail pharmacy, long-term care and more (McKesson, 2017).

McKesson is an industry leader in pharmaceutical distribution in the U.S. and Canada, medical-surgical distribution to alternate care sites, generics pharmaceutical distribution, and business in clinical services and providers. The company is the fourth largest pharmacy chain, with 4700+ retail pharmacies that are members of the McKesson HealthMart franchise. McKesson delivers 1/3rd of pharmaceuticals used each day in North America. More than 200,000 physicians use McKesson technology and services.

Cost ratio

The cost analysis for the project involves three major cost elements: hardware costs, software costs and human resource costs. The hardware and software costs for the project are shown in the table below:

Table 1: The Hardware and Software costs for projects

| Cost item | Quantity | Unit Price | Total item price |
|---|---|---|---|
| Secure web domain | | $60 | $60 |
| PCs & laptops | 10 | $500 | $5000 |
| Client OS (Windows) | 10 | $100 | $1000 |
| Server OS (Linux distributions) | | $100 | $500 |
| Anti-malware Software | Updated annually | | $500 |
| Cisco firewalls | | $2000 | $2000 |
| Total | | | $9060 |

The following table shows the human resource costs for the project for McKesson Corporation:

Table 2: Human Resources costs for project

| Human resource role | Monthly Pay | Total pay (estimated for sixty project days) |
|---|---|---|
| Project manager | $2000 | $6000 |
| Testing Lead Engineer | $3500 | $10500 |
| Requirements analysts | $6000 | $18000 |
| Computer network analyst | $3000 | $9000 |
| System Designers | $3000 | $9000 |
| Trainer | $1500 | $4500 |
| Software Developer/engineer | $5000 | $15000 |
| Database Admin | $5000 | $15000 |
| Total Human Resource Cost: | | $87,000 |

The above costs sum up as follows:

| Category of cost | Sub Total |
|---|---|
| Software Costs | $2050 |
| Hardware Costs | $7000 |
| Human resource Costs | $87,000 |
| Total Project Costs | $95,050 |

Project charter

McKesson is experiencing an era of unprecedented change in health care. New technology, new services and new ideas are going to be required to deliver improved outcomes for businesses and patients (Appari & Johnson, 2010). McKesson is at the forefront of that transformation. Given this need for transformation, the company also requires a project to ensure that web security and data security are enhanced.

Project Scope: The project will cover the following scope items:

  • Databases: all the organizational databases and the data warehouse that contain business data, management data and network data. The project will also ensure that the technological solutions it provides to pharmaceutical companies and other customers have secure databases.

  • Web security: the project will cover the web applications for the company as well as the web interfaces of the solutions that the company distributes.

Objectives of the project: To strengthen the health of the company’s business by working with health care organizations of all sorts. The company also aims to help all these organizations manage costs, develop efficiencies and improve quality.

The project also aims at improving the web security for all the web application solutions that the company uses and offers to other companies. This will enhance the confidentiality, integrity and availability of the information (Stallings, 2000). Lastly, the project aims at enhancing data security by implementing effective access control to healthcare records and other information systems that interface with the organizational database.

Project plan

The plan of the project is to ensure all the identified activities and milestones are accomplished within the next sixty days after the initialization of the project. The project will follow the major phases described by the Project Management Body of Knowledge (PMBOK). The following are the activities for the project and their estimated timeline (Project Management Institute, 2013):

| Task Name | Duration |
|---|---|
| 1.0 McKesson Corporation Web and Data Security Project | 63 days |
| 1.1: Project Initialization | 4 days |
| Determine project scope | 1 day |
| Define preliminary resources | 1 day |
| Secure core resources | 1 day |
| 1.2: Requirements Analysis | 11 days |
| Conduct needs analysis | 1 day |
| Draft preliminary software specifications | 2 days |
| Develop preliminary budget | 1 day |
| Review hardware specifications/budget with team | 1 day |
| Incorporate feedback on software specifications | 1 day |
| Develop delivery timeline | 1 day |
| Obtain approvals to proceed (concept, timeline, budget) | 1 day |
| Secure required resources | 1 day |
| 1.3: Planning the implementation | 13 days |
| Implement changes suggested in system | 1 day |
| Component Design implementation | 3 days |
| Implementation starts | 3 days |
| Assessment Evaluation | 1 day |
| System evaluation | 1 day |
| Prepare user manual | 1 day |
| User sign-offs | 2 days |
| 1.4: Design | 9 days |
| Review preliminary hardware specifications | 1 day |
| Develop functional specifications | 2 days |
| Develop prototype based on functional specifications | 1 day |
| Review functional specifications | 1 day |
| Incorporate feedback into functional specifications | 2 days |
| Obtain approval to proceed | 2 days |
| 1.5: Hardware Installation and Configuration | 13 days |
| Review functional specifications | 1 day |
| Hardware System Procurement | 1 day |
| Hardware Installation and system Development | 7 days |
| Configure hardware system | 2 days |
| Develop code | 1 day |
| Software Installation | 2 days |
| Configure and Manage Operating Systems | 1 day |
| Developer testing (primary debugging) | 1 day |
| 1.6: Testing | 13 days |
| Develop unit test plans using product specifications | 3 days |
| Develop integration test plans using product specifications | 2 days |
| 1.6.1: Hardware Testing | 6 days |
| Software Testing | 5 days |
| Develop the test cases | 1 day |
| Unit Testing | 1 day |
| Integrating Testing | 1 day |
| Functionality Testing | 1 day |
| Testing Evaluation | 1 day |
| 1.7: Training | 49 days |
| Develop test plans | 3 days |
| Develop user training materials | 5 days |
| Schedule trainings | 3 days |
| Develop training specifications for end users | 1 day |
| Develop training specifications for helpdesk support staff | 1 day |
| Finalize training materials | 1 day |
| Signoffs | 3 days |
| Get signoffs on the plans and deliverables | 3 days |

Architecture

The project will implement a network architecture that allows easy integration with security controls. The network architecture will also provide easy integration with database interfacing components and maintain database security. Two major architecture models are enough to define the proposed solution: the physical model and the logical model. The physical model shows the connectivity and placement of network devices in the proposed network architecture, as shown in the diagram below (Hedström, Kolkowska, Karlsson, & Allen, 2011):


Figure 1: Architecture

The logical network model shows the addressing model and logical functions of the network as shown in the following diagram:


Figure 2: Logical Network Model

The physical and logical models shown above represent the main office in San Francisco. McKesson’s headquarters office has the most functionalities and requires a network that allows scalability and supports several business operations with very low latency, high throughput and good quality of service (Juba, Huang, & Kawagoe, 2013).

As shown in the proposed logical and physical network diagrams, the network infrastructure is very simple to design and will integrate easily with security mechanisms. The network allows separation of organizational functions. For instance, the core business data is in a separate network called a core network, while the public database and customer database are in the public network. This allows for security of the organizational database (Idris…, 2010). The logical model also shows that the network will have different sub networks within the main Wide Area Network, as shown by the IP addressing, which has a different network address for each network.

The network infrastructure includes cloud services since McKesson Corporation has a great need to connect to cloud services. This connection will allow remote access to network resources and will support business continuity by providing a disaster recovery plan. The network clearly utilizes a Wide Area Network (WAN) due to the nature of McKesson's business. The physical infrastructure shows that the required devices are a database server, file server, firewall, mail server, routers, switches and personal computers, among other devices. The devices are ideal for development of the modern technological solutions that McKesson provides to healthcare organizations (Idris…, 2010).

The network infrastructure does not differ much from the original architecture. Most of the components will be reused, and the network will have a simple infrastructure for availability and resilience. The wired network will be centralized so that a data warehouse will fit in and access data from all the data sources of the organization.

Information security framework

The security framework for the project involves two major components: the positioning of the network database and components, and the security policy, regulations and procedures. The security policy will be discussed in the next section. Placement of network devices and resources is aimed at providing database and resource security. The networks are clearly separated to prevent attackers from accessing private information without permission. The positioning and placement aspect of the security framework ensures that critical components like the database server, email server and web server for McKesson Corporation are placed in the web security layer (Idris…, 2010).

The databases for the organization are just after the firewall and the border router to ensure implementation of layered security. The firewall will provide security and protect the internal users when they access external networks and resources.

The network is also separated into a DMZ, a region that contains a Cisco switch alongside the public users and clients. This positioning is to provide endpoint server protection. The layer also utilizes the firewall for security controls such as stateful inspection and DDoS inspection (Idris…, 2010).

Regulations, policies, and procedures

Several types of security policies exist that an organization can implement based on its requirements and business operations. For McKesson, the presence of a password policy is critical because most applications, like Electronic Health Records (EHR) and other information systems, rely on access control to enhance security (Appari & Johnson, 2010). The policy plan for the organization is as follows:

  • All the applications that McKesson Corporation uses or develops for distribution should require users to access their resources through a strong password.

  • Users should develop strong passwords and memorize them. The policy strictly prohibits any user from writing their password on any object, including tables, walls, desks, chairs, mats or any place in the office or home.

  • A strong password is eight characters in length and includes special characters, numbers and letters.

  • Users are strictly prohibited from using any language’s vocabulary, jargon, dialect or phrase to create a password. A password that combines a username, email, name, location and/or personal information is strictly prohibited.

Procedures and Behaviors

  • All users are to be assigned permissions with regard to the Electronic Health System or any other information system. A user is not, under any circumstance, to access information that they have no permission or authority to access. Violation of this regulation will lead to contract termination and punishment.

  • A user is not to access information or a database on behalf of other users. System administrators may access this type of resource on behalf of users only when performing troubleshooting activities (Appari & Johnson, 2010). Violation of this procedure will lead to punishment and prosecution in a court of law.

ROI

One of the main measures of a project’s success for organizations is Return on Investment (ROI). In this project for McKesson, the security measures that prevent loss, rather than generate income, will contribute most of the ROI. Preventing attacks like DDoS, data loss and malware infection of data will save the company huge amounts of money annually. Without proper security, organizations often lose credit card details, personal information and even customer data, which competing organizations can use to gain competitive advantage in the market when they get hold of them. This reduces the sales of the company and leads to financial losses from compensating customers and other stakeholders for the lost data. Therefore, preventing these losses through the web and data security project will lead to a large positive ROI for the company.


Figure 3: ROI







Business-impact analysis plan

The plan for business impact analysis is categorized into impact on business operations and impact on business customers, including the reputation of the company and its market share. The following are the major areas in which the project will affect the business:

  • Increase in customer satisfaction: due to the improved security, customers will feel safe with the technological solutions from McKesson, which increases customer satisfaction.

  • Efficiency in operation: the company will have all users guided by the security policy, and users will know their roles and permissions concerning the information systems. This will reduce confusion among employees and enhance operational efficiency (Brookhart, Sturmer, Glynn, Rassen, & Schneeweiss, 2010).

  • Increase in revenue: security is the major consideration for pharmaceutical companies and other healthcare providers when purchasing an information system. With this project, sales will increase because of the implementation of security controls.

Center of excellence

The project’s center of excellence is the implementation of a low-cost solution for data security. Integration of cloud service solutions will be the greatest component in data security, while developing a data warehouse that supports all the operations of the company will yield significant benefits and excellence. The project will utilize Online Transaction Processing and Information as a Service (IaaS) to maximize the operations of the company. This will reduce the costs of operation while increasing the security of all information systems the company uses and produces for sale.

Cost benefit analysis, value analysis, incident response plan

| Cost | Benefit |
|---|---|
| Downtime costs: the integration and interfacing of data warehouse will have to cause downtime of about 4 hours a day for two weeks | Increased speed of data access. It will also lead to improved performance in terms of querying the database and enforcing referential integrity. |
| High costs of installation and configuration | Improved information security with encryption and authentication techniques. |

Figure 4: Cost Benefit

Incident response: the plan will involve all the activities that should be performed during an incident. The plan will also include the list of individuals and the contacts on which they can be reached. The following is an example of the incident response plan for the company during implementation of the project:

Table 3: Incident Response

| Incident | Contact Persons | Responsibility |
|---|---|---|
| Database destruction | John Doe: 183 7123456; Mark Ten: 24567689899; Kelvin Sigh: 1234567890 | Database backup: updating the current database backup; Physical restoration of the database files; Procurement of database servers, hard disks and storage media. |
| Incident 2 | List of names | List of roles |

Strategic plan

The project’s strategic plan is to outsource some of the human resources so that the project completes faster, reducing the downtime and costs of implementation. The outsourced team members will ensure project tasks are accomplished on time by performing them simultaneously as other project members accomplish certain tasks (Project Management Institute, 2013). The operations of the company will continue as planned because most of the implementation processes, such as installation of new software solutions and hardware configuration, will be done during the weekend or late in the evening when the company’s business hours are over. This will be strategic in reducing the project implementation costs.

Other activities will follow the project plan described in the previous section of this document. The project manager will identify the project’s critical path and allocate more resources to the critical activities of the project to ensure the project is within the timeline and within the budget.

SWOT analysis key analysis risk identification/mitigation plan

Strengths:

  1. Existence of database security and security policies to support the new project.

  2. Existence of skilled human resource in the IT department to integrate the project solutions quickly.

  3. Availability of resources from the high sales and profitability of the company.

Weaknesses:

  1. The wide coverage of McKesson’s business offices will cause communication problems and thus poor interpretation of needs.

  2. Lack of accountability of the current employees in some retail offices to achieve measurable performance that is clear.

Opportunities:

  1. McKesson’s management is allowing the IT department and other stakeholders to implement innovative solutions.

  2. Availability of advanced technologies within the organization and even in the industry will yield the success of the project.

Threats:

  1. Changes in Medicaid match and technology policies at the federal level.

  2. Employee turnover may reduce the performance of the project since it depends on 90% of IT department’s human resource.

Risk Identification

The following are the risks that are likely to cause negative effects to the project:

  1. Poor technology implementation: This includes integration of old versions of information systems and poor compatibility of acquired software components. Mitigation will include risk avoidance through selection of the most recent versions of all software to be used in the project.

  2. Risk Transfer and Contracting: There is a common saying about risk management, namely that the owner ought to assign risks to the parties best able to manage them. Though this sounds sensible, it is much easier said than done. It is not possible, for instance, to assign risks when there is no quantitative measure of them. Risk allocation without quantitative risk assessment will result in attempts by all project participants to shift the responsibility for risks to others, rather than searching for an optimum allocation based on mutually recognized risks. Contractors typically agree to take risks only in exchange for adequate rewards. To determine a fair and equitable price that the owner ought to pay a contractor to bear the risks associated with specific uncertainties, it is necessary to quantify the risks.


References

Appari, A., & Johnson, M. E. (2010). Information security and privacy in healthcare: current state of research. International Journal of Internet and Enterprise Management, 6(4), 279. https://doi.org/10.1504/IJIEM.2010.035624

Brookhart, M. A., Sturmer, T., Glynn, R. J., Rassen, J., & Schneeweiss, S. (2010). Confounding control in healthcare database research: challenges and potential approaches. Med Care, 48(6 Suppl), S114-20. https://doi.org/10.1097/MLR.0b013e3181dbebe3

Company Profile & Description | McKesson. (2017). Mckesson.com. Retrieved 16 April 2017, from http://www.mckesson.com/about-mckesson/who-we-are/

Hedström, K., Kolkowska, E., Karlsson, F., & Allen, J. P. (2011). Value conflicts for information security management. Journal of Strategic Information Systems, 20(4), 373–384. https://doi.org/10.1016/j.jsis.2011.06.001

Idris…, N. A. (2010). Wireless Local Area Network (LAN) Security Guideline. Cybersafe.My.

Juba, Y., Huang, H. H., & Kawagoe, K. (2013). Dynamic isolation of network devices using OpenFlow for keeping LAN secure from intra-LAN attack. In Procedia Computer Science (Vol. 22, pp. 810–819). https://doi.org/10.1016/j.procs.2013.09.163

Project Management Institute. (2013). A guide to the project management body of knowledge (PMBOK ® guide). Project Management Institute. https://doi.org/10.1002/pmj.20125

Stallings, W. (2000). Network security essentials : applications and standards. William Stallings books on computer and data communications technology.