Need PowerPoint from the paper attached. Do in the format given in the links
Running Head: MCKESSON CORPORATION
McKesson Corporation
Iswarya Doppalapudi
SEC.6040..B2H01.SP2017: Spring 2017
Web and Data Security
Frederick Smith
Wilmington University
Table of Contents
Executive Summary
Company Overview
Business Case
Cost ratio
Project charter
Project plan
Architecture
Information security framework
Regulations, policies, and procedures
ROI
Business-impact analysis plan
Center of excellence
Cost benefit analysis, value analysis, incident response plan
Strategic plan
SWOT analysis key analysis risk identification/mitigation plan
Risk Identification
Table 1: The Hardware and Software costs for projects
Table 2: Human Resources costs for project
Table 3: Incident Response
Figure 1: Architecture
Figure 2: Logical Network Model
Figure 3: ROI
Figure 4: Cost Benefit
McKesson Corporation
Executive Summary
Company: McKesson Corporation
Founded: 1833
URL: http://www.mckesson.com/about-mckesson/who-we-are/
Industry: Healthcare
Company Overview
McKesson Corporation was founded in 1833. The company has its headquarters in San Francisco and has more than 76,000 employees (McKesson, 2017). McKesson operates in two core business segments: (1) Distribution Solutions and (2) Technology Solutions.
McKesson Corporation is an American healthcare company that distributes pharmaceuticals at a retail sale level and provides health information technology, medical supplies, and care management tools. The company had sales of $122 billion in 2012. McKesson is based in the United States and distributes health care systems, medical supplies and pharmaceutical products (McKesson, 2017). Additionally, McKesson provides extensive network infrastructure for the health care industry, and it was an early adopter of technologies like barcode scanning for distribution, pharmacy robotics, and RFID tags. It is a Fortune Global 500 company, and the fifth highest revenue generating company in the United States.
The company stands out because it builds essential connections that make health care smarter, creating intelligent networks that expand access, cut back waste, and bring people and knowledge closer together (McKesson, 2017). McKesson offers the business the resources, support and technology it needs to produce new standards and a world of better health.
Business Case
McKesson Corporation deals in different types of businesses. The company deals with Distribution Solutions, Medical-Surgical, Pharmacy Systems, U.S. Pharmaceuticals, McKesson Canada, Celesio, Technology Solutions, Business Performance Services, Connected Care and Analytics, and Enterprise Information Solutions (McKesson, 2017). The company offers these business services to a broad range of customers, including pharmaceuticals, medical merchandise and business services for retail pharmacies and institutional suppliers like hospitals and health systems throughout North America and internationally.
Services available: McKesson’s RelayHealth business is the national services provider for CommonWell, which currently offers: Person Enrollment, Record Location, Patient Identification and Linking, Data Query and Retrieval. Member companies continually evaluate incremental service expansion into different care settings for the benefit of patients and provider organizations.
Partnering: As a founding member of the CommonWell Health Alliance®, a not-for-profit trade association of health IT companies dedicated to health IT interoperability, McKesson has taken a leadership position in driving person-centered interoperability that will ultimately improve health outcomes for providers and patients. The company covers 72% of the acute-care EHR market. It also covers 34% of the ambulatory care EHR market. Market leaders and innovators in laboratory, imaging, retail pharmacy, long-term care and more (McKesson, 2017).
McKesson is an industry leader in pharmaceutical distribution in the U.S. and Canada, medical-surgical distribution to alternate care sites, generics pharmaceutical distribution, and business in clinical services and providers. The company is the fourth largest pharmacy chain, with 4700+ retail pharmacies that are members of the McKesson HealthMart franchise. McKesson delivers 1/3rd of pharmaceuticals used each day in North America. More than 200,000 physicians use McKesson technology and services.
Cost ratio
The cost analysis for the project involves three major cost elements: hardware costs, software costs and human resource costs. The hardware and software costs for the project are shown in the table below:
Table 1: The Hardware and Software costs for projects
Cost item | Quantity | Unit Price | Total item price |
Secure web domain | | $60 | $60 |
PCs & laptops | 10 | $500 | $5000 |
Client OS (Windows) | 10 | $100 | $1000 |
Server OS (Linux distributions) | | $100 | $500 |
Anti-malware Software | | Updated annually | $500 |
Cisco firewalls | | $2000 | $2000 |
Total | | | $9060 |
The following table shows the human resource costs for the project for McKesson Corporation:
Table 2: Human Resources costs for project
Human resource role | Monthly Pay | Total pay (estimated for sixty project days) |
Project manager | $2000 | $6000 |
Testing Lead Engineer | $3500 | $10500 |
Requirements analysts | $6000 | $18000 |
Computer network analyst | $3000 | $9000 |
System Designers | $3000 | $9000 |
Trainer | $1500 | $4500 |
Software Developer/engineer | $5000 | $15000 |
Database Admin | $5000 | $15000 |
Total Human Resource Cost: | $87,000 |
The above costs sum up as follows:
Category of cost | Sub Total |
Software Costs | $2050 |
Hardware Costs | $7000 |
Human resource Costs | $87,000 |
Total Project Costs | $95,050 |
Project charter
McKesson is experiencing an era of unprecedented change in health care. New technology, new services and new ideas are going to be required to deliver improved outcomes for businesses and patients (Appari & Johnson, 2010). McKesson is at the forefront of that transformation. With this need for transformation, the company also requires a project to ensure that its web security and data security are enhanced.
Project Scope: The project will cover the following scope items:
Databases: all the organizational databases and data warehouses that contain business data, management data and network data. The project will also ensure that the technological solutions the company provides to pharmaceutical companies and other customers have secure databases.
Web security: the project will cover the web applications for the company as well as the web interfaces of the solutions that the company distributes.
Objectives of the project: To strengthen the health of the company’s business by working with health care organizations of all sorts. The company also aims to help all these companies manage costs, develop efficiencies and improve quality.
The project also aims at improving the web security for all the web application solutions that the company uses and offers to other companies. This will enhance the confidentiality, integrity and availability of the information (Stallings, 2000). Lastly, the project aims at enhancing data security by implementing effective access control to healthcare records and other information systems that interface with the organizational database.
Project plan
The plan of the project is to ensure all the identified activities and milestones are accomplished within the next sixty days after the initialization of the project. The project will follow the major phases described by the Project Management Body of Knowledge (PMBOK). The following are the activities for the project and their estimated timeline (Project Management Institute, 2013):
Task Name | Duration |
1.0 McKesson Corporation Web and Data Security Project | 63 days |
1.1: Project Initialization | 4 days |
Determine project scope | 1 day |
Define preliminary resources | 1 day |
Secure core resources |
|
1.2: Requirements Analysis | 11 days |
Conduct needs analysis | 1 day |
Draft preliminary software specifications | 2 days |
Develop preliminary budget | 1 day |
Review hardware specifications/budget with team | 1 day |
Incorporate feedback on software specifications | 1 day |
Develop delivery timeline | 1 day |
Obtain approvals to proceed (concept, timeline, budget) | 1 day |
Secure required resources | 1 day |
1.3: Planning the implementation | 13 days |
Implement changes suggested in system | 1 day |
Component Design implementation | 3 days |
Implementation starts | 3 days |
Assessment Evaluation | 1 day |
System evaluation | 1 day |
Prepare user manual | 1 day |
User sign-offs | 2 days |
1.4: Design | 9 days |
Review preliminary hardware specifications | 1 day |
Develop functional specifications | 2 days |
Develop prototype based on functional specifications | 1 day |
Review functional specifications | 1 day |
Incorporate feedback into functional specifications | 2 days |
Obtain approval to proceed | 2 days |
1.5: Hardware Installation and Configuration | 13 days |
Review functional specifications | 1 day |
Hardware System Procurement | 1 day |
Hardware Installation and system Development | 7 days |
Configure hardware system | 2 days |
Develop code | 1 day |
Software Installation | 2 days |
Configure and Manage Operating Systems | 1 day |
Developer testing (primary debugging) | 1 day |
1.6: Testing | 13 days |
Develop unit test plans using product specifications | 3 days |
Develop integration test plans using product specifications | 2 days |
1.6.1: Hardware Testing | 6 days |
Software Testing | 5 days |
Develop the test cases | 1 day |
Unit Testing | 1 day |
Integrating Testing | 1 day |
Functionality Testing | 1 day |
Testing Evaluation | 1 day |
1.7: Training | 49 days |
Develop test plans | 3 days |
Develop user training materials | 5 days |
Schedule trainings | 3 days |
Develop training specifications for end users | 1 day |
Develop training specifications for helpdesk support staff | 1 day |
Finalize training materials | 1 day |
Signoffs | 3 days |
Get signoffs on the plans and deliverables | 3 days |
Architecture
The project will implement a network architecture that allows easy integration with security controls. The network architecture will also provide easy integration with database interfacing components and maintain database security. Two major architecture models are enough to define the proposed solution: the physical model and the logical model. The physical model shows the connectivity and placement of network devices in the proposed network architecture, as shown in the diagram below (Hedström, Kolkowska, Karlsson, & Allen, 2011):
Figure 1: Architecture
The logical network model shows the addressing model and logical functions of the network as shown in the following diagram:
Figure 2: Logical Network Model
The physical and logical models shown above represent the main office in San Francisco. McKesson’s headquarters office has the most functionality and requires a network that allows scalability and supports several business operations with very low latency, high throughput and high quality of service (Juba, Huang, & Kawagoe, 2013).
As shown in the proposed logical and physical network diagrams, the network infrastructure is very simple to design and will integrate easily with security mechanisms. The network allows separation of organizational functions. For instance, the core business data is in a separate network called the core network, while the public database and customer database are in the public network. This protects the organizational database (Idris…, 2010). The logical model also shows that the network will have different subnetworks within the main Wide Area Network, as shown by the IP addressing, which assigns a different network address to each network.
The network infrastructure includes cloud services, since McKesson Corporation has a great need to connect to cloud services. This connection will allow remote access to network resources and support business continuity by providing a disaster recovery plan. The network uses a Wide Area Network (WAN) due to the nature of McKesson’s business. The physical infrastructure shows that the required devices are a database server, file server, firewall, mail server, routers, switches and personal computers, among other devices. The devices are ideal for developing the modern technological solutions that McKesson provides to healthcare organizations (Idris…, 2010).
The network infrastructure does not differ much from the original architecture. Most of the components will be reused and the network will have a simple infrastructure for availability and resilience of the network. The wired network will be centralized so that a data warehouse will fit in and access data from all the data sources of the organization.
Information security framework
The security framework for the project involves two major components: the positioning of the network database and components, and the security policy, regulations and procedures. The security policy will be discussed in the next section. Placement of network devices and resources is aimed at providing database and resource security. The networks are clearly separated to prevent attackers from accessing private information without permission. The positioning and placement aspect of the security framework ensures that critical components like the database server, email server and web server for McKesson Corporation are placed in the web security layer (Idris…, 2010).
The databases for the organization sit just after the firewall and the border router to implement layered security. The firewall will provide security and protect internal users when they access external networks and resources.
The network is also separated into a DMZ, a region that contains a Cisco switch alongside the public users and clients. This positioning provides endpoint server protection. The layer also uses the firewall for security controls such as stateful inspection and DDoS inspection (Idris…, 2010).
Regulations, policies, and procedures
Several types of security policies exist that an organization can implement based on its requirements and business operations. For McKesson, a password policy is critical because most applications, like Electronic Health Records (EHR) and other information systems, rely on access control to enhance security (Appari & Johnson, 2010). The policy plan for the organization is as follows:
All the applications that McKesson Corporation uses or develops for distribution should require users to access their resources through a strong password.
Users should create strong passwords and memorize them. The policy strictly prohibits any user from writing their password on any object, including tables, walls, desks, chairs, mats or any place in the office or home.
A strong password is eight characters in length and includes special characters, numbers and letters.
Users are strictly prohibited from using any language’s vocabulary, jargon, dialect or phrases to create a password. A password built from a combination of a username, email, name, location and/or personal information is strictly prohibited.
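The password rules above expressed as an enforcement check, as an added example that is not part of the original paper. It treats the eight-character length as a minimum, and the sample word list, substitution table and function names are assumptions made for illustration.

```python
import re
import string

MIN_LENGTH = 8  # length stated in the policy, treated here as a minimum (assumption)

# Constructed stand-in for a real dictionary/jargon word list (assumption).
SAMPLE_DICTIONARY = {"password", "welcome", "pharmacy", "health", "dragon", "summer"}

# Undo common character substitutions so "P@ssw0rd" is compared as "password".
_SUBSTITUTIONS = str.maketrans("@4301!$5+7", "aaeoiisstt")


def personal_tokens(*attributes):
    """Break username, e-mail, name and location into lowercase tokens of 3+ characters."""
    tokens = set()
    for value in attributes:
        for token in re.split(r"[^a-z0-9]+", (value or "").lower()):
            if len(token) >= 3:
                tokens.add(token)
    return tokens


def check_password(password, username="", email="", full_name="", location="",
                   dictionary=SAMPLE_DICTIONARY):
    """Return the list of policy rules the candidate violates (empty list = accepted)."""
    violations = []
    lowered = password.lower()
    normalized = lowered.translate(_SUBSTITUTIONS)

    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if not any(c.isalpha() for c in password):
        violations.append("no_letter")
    if not any(c.isdigit() for c in password):
        violations.append("no_digit")
    if not any(c in string.punctuation for c in password):
        violations.append("no_special")

    # Vocabulary rule: reject any dictionary word, plain or disguised by substitutions.
    if any(len(w) >= 4 and (w in lowered or w in normalized) for w in dictionary):
        violations.append("dictionary_word")

    # Personal-information rule: reject passwords built from the user's own attributes.
    tokens = personal_tokens(username, email, full_name, location)
    if any(t in lowered or t in normalized for t in tokens):
        violations.append("personal_info")

    return violations


if __name__ == "__main__":
    # Constructed candidates; no real credentials.
    samples = [
        ("P@ssw0rd!23", {}),
        ("jdoe2017#Xq", {"username": "jdoe", "email": "jdoe@example.com"}),
        ("abc", {}),
        ("kV9#tq2Lm!x", {"username": "jdoe", "full_name": "Jane Doe"}),
    ]
    for candidate, user in samples:
        print(f"{candidate!r}: {check_password(candidate, **user) or 'accepted'}")
```

A password that meets the character-class rules can still fail the vocabulary or personal-information rules, which is why the check reports every violated rule rather than stopping at the first.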
Procedures and Behaviors
All users are to be assigned permissions with regard to the Electronic Health System or any other information system. Under no circumstances may a user access information that they have no permission or authority to access. Violation of this regulation will lead to contract termination and punishment.
A user is not to access information or a database on behalf of other users. System administrators may access this type of resource on behalf of users only when performing troubleshooting activities (Appari & Johnson, 2010). Violation of this procedure will lead to punishment and prosecution in a court of law.
ROI
One of the major measures of a project’s success for organizations is Return on Investment (ROI). In this project, the security measures that prevent loss, rather than generate income, will contribute most of the ROI for McKesson. Preventing attacks like DDoS, data loss and malware infection of data will save the company huge amounts of money annually. Without proper security, organizations often lose credit card details, personal information and even customer data, which competing organizations can use to gain competitive advantage in the market when they get hold of them. This will reduce the sales of the company and lead to financial losses due to compensation paid to customers and other stakeholders for the lost data. Therefore, preventing these losses through the web and data security project will lead to a large positive ROI for the company.
Figure 3: ROI
Business-impact analysis plan
The plan for business impact analysis is mainly categorized into impact on the business operations and impact on the business’s customers, including the reputation of the company and its market share. The following are the major areas in which the project will affect the business:
Increase in customer satisfaction: due to the improved security, customers will feel safe with the technological solutions from McKesson, which will increase customer satisfaction.
Efficiency in operation: the company will have all users guided by the security policy, and users will know their roles and permissions concerning the information systems. This will reduce confusion among employees and enhance operational efficiency (Brookhart, Sturmer, Glynn, Rassen, & Schneeweiss, 2010).
Increase in revenue: security is the major consideration for pharmaceutical companies and other healthcare providers when purchasing an information system. With this project, sales will increase because of the implementation of security controls.
Center of excellence
The project’s center of excellence is the implementation of a low-cost solution for data security. Integration of cloud service solutions will be the greatest component of data security, while developing a data warehouse that supports all the operations of the company will yield significant benefits and excellence. The project will utilize Online Transaction Processing and Information as a Service (IaaS) to maximize the operations of the company. This will reduce the costs of operation while increasing the security of all information systems the company uses and produces for sale.
Cost benefit analysis, value analysis, incident response plan
Cost | Benefit |
Downtime costs: the integration and interfacing of data warehouse will have to cause downtime of about 4 hours a day for two weeks | Increased speed of data access. It will also lead to improved performance in terms of querying the database and enforcing referential integrity. |
High costs of installation and configuration | Improved information security with encryption and authentication techniques. |
Figure 4: Cost Benefit
Incident response: the plan will cover all the activities that should be performed during an incident. The plan will also include the list of responsible individuals and the contacts on which they can be reached. The following is an example of the incident response plan for the company during implementation of the project:
Table 3: Incident Response
Incident | Contact Persons | Responsibility |
Database destruction | John Doe: 183 7123456 Mark Ten: 24567689899 Kelvin Sigh: 1234567890 | Database backup: updating the current database backup. Physical restoration of the database files Procurement of database servers, hard disks and storage media. |
Incident 2 | List of names | List of roles |
Strategic plan
The project’s strategic plan is to outsource some of the human resources so that the project completes faster, reducing the downtime and costs of implementation. The outsourced team members will ensure project tasks are accomplished on time by performing them simultaneously while other project members accomplish other tasks (Project Management Institute, 2013). The operations of the company will continue as planned because most of the implementation processes, such as installation of new software solutions and hardware configuration, will be done during the weekend or late in the evening when the company’s business hours are over. This will be strategic in reducing the project implementation costs.
Other activities will follow the project plan described in the previous section of this document. The project manager will identify the project’s critical path and allocate more resources to the critical activities of the project to ensure the project is within the timeline and within the budget.
SWOT analysis key analysis risk identification/mitigation plan
Strengths: | Weaknesses: |
Opportunities: | Threats: |
Risk Identification
The following are the risks that are likely to cause negative effects to the project:
Poor technology implementation: This includes integration of old versions of information systems and poor compatibility of acquired software components. Mitigation will include risk avoidance through selection of the most recent versions of all software to be used in the project.
Risk Transfer and Contracting: There is a standard saw regarding risk management, namely that the owner ought to assign risks to the parties best able to manage them. Though this sounds sensible, it is much easier said than done. It is not possible, for instance, to assign risks when there is no quantitative measure of them. Risk allocation without quantitative risk assessment will result in attempts by all project participants to shift the responsibility for risks to others, rather than a search for an optimum allocation based on mutually recognized risks. Contractors typically agree to take risks only in exchange for adequate rewards. To determine a fair and equitable price that the owner ought to pay a contractor to bear the risks related to specific uncertainties, it is necessary to quantify the risks.
References
Appari, A., & Johnson, M. E. (2010). Information security and privacy in healthcare: current state of research. International Journal of Internet and Enterprise Management, 6(4), 279. https://doi.org/10.1504/IJIEM.2010.035624
Brookhart, M. A., Sturmer, T., Glynn, R. J., Rassen, J., & Schneeweiss, S. (2010). Confounding control in healthcare database research: challenges and potential approaches. Med Care, 48(6 Suppl), S114-20. https://doi.org/10.1097/MLR.0b013e3181dbebe3
Company Profile & Description | McKesson. (2017). Mckesson.com. Retrieved 16 April 2017, from http://www.mckesson.com/about-mckesson/who-we-are/
Hedström, K., Kolkowska, E., Karlsson, F., & Allen, J. P. (2011). Value conflicts for information security management. Journal of Strategic Information Systems, 20(4), 373–384. https://doi.org/10.1016/j.jsis.2011.06.001
Idris…, N. A. (2010). Wireless Local Area Network (LAN) Security Guideline. Cybersafe.My.
Juba, Y., Huang, H. H., & Kawagoe, K. (2013). Dynamic isolation of network devices using OpenFlow for keeping LAN secure from intra-LAN attack. In Procedia Computer Science (Vol. 22, pp. 810–819). https://doi.org/10.1016/j.procs.2013.09.163
Project Management Institute. (2013). A guide to the project management body of knowledge (PMBOK ® guide). Project Management Institute. https://doi.org/10.1002/pmj.20125
Stallings, W. (2000). Network security essentials : applications and standards. William Stallings books on computer and data communications technology.