ACCESS CONTROL TEAM PROJECT
ISOL 531 ACCESS CONTROL
FALL 2017
SEMESTER TEAM PROJECT
COMPREHENSIVE MEDICAL SERVICES “CMS ”, is a highly advanced teaching and
research hospital and medical facility that has gained notoriety around the world for its cutting
ed ge technology and its high success rate in treating critically ill and severely burned patients.
Currently there are three “branches ” or “facilities ” in the United States , located in Los Angeles,
Saint Louis and Boston . Patients come from all around the world to receive treatm ent at one of
the three CMS facilities and hospitals. The existing facilities share information between them.
If for example a patient presents for treatment at the Boston facility on one visit, his medical
providers and account representatives will have access to his personally identifiable information ,
prior medical diagnosis and treatment records, insurance , billing and payment history in real time
regardless of which of the other facilities he has treated at previously. CMS is expanding its
serves and will open a fourth facility in the southern United States. To that end, CMS as
purchased a 10 -acre tract of land just outsid e the city limits of Ga lveston, Texas. Other than
purchasing the land and retaining an architect, CMS is still in the planning phase. It is CMS ’s
intention to erect what will most likely be a 10 story structure in which CMS expects to house
the hospital facility, doctor ’s offices, outpatient surgery center, administrative offices,
management services which will include insurance, accounting (accounts payable and receivable
included) , loading docks for shipping and receiving, multiple parking facilities, and a data center.
You r team has been hired by COMPREHENSIVE MEDICAL SERVICES “CMS ” to
analyze and design a complete access control model for its new facility located in Ga lveston,
Texas. The new Galveston facility should share information with the other three facilities, so that
the patient information will be available in real time regardless of which f acility the patient
presents for treatment. Medical teams at all four facilities should be able to review the patients
records and collaborate on the best course of treatment for it patients.
The complete access control model that you develop should be written in narrative for m
using the APA format. Please use ample subsections or subheading as app ropriate. Y our paper
should have a 1 -in margin on top, bottom, left and right margins. The paper should be double
spaced. Use a cover page with a title, and the name of each team member who contributed to
your project/paper. Each page should have a page number in the bottom right margin. The
paper should also include a table of contents, that include subject headings, subheadings or
subtopics, references or sources, and illustrations as well as page numbers for each.
For each major area or section of your model , which you will explain and justify in your
paper, you should identify the options you considered in the form of a null and alternative
hypothesis. D iscuss the alternatives you considered , giving pros and cons of each, and p rov e
information from the research you conducted that assisted you in arriving at your conclusion, or
in establishing your hypothesis as to why one alternative was selected over another. You MUST
cite the sources for your research any time you make reference to your research, whether that be
through direct quotations or in summary. Your work should include no fewer than five (5)
sources.
In addition to the written research paper that you will use to “sell ” CMS on the access
control mode l that you developed, when you present or “pitch ” your model to CMS (and the rest
of the class) you will use audio visual aids in the form of a Power P oint presentation. Also use
schematic diagrams, drawings , tables and illustrations where appropriate. Fo r all diagrams,
drawings, illustrations, and tables that you use or reference in your oral presentation and Power
Point slides, please also include the same visual aids in the appendix of your written paper.
Your access control model should include, but is not limited to a discussion of the
following:
1. The different types of computing systems and networks that you anticipate will be
necessary and the types of databases stored on each network.
2. The types of users you anticipate for y our different systems and networks.
3. Which users, if any, will have remote access to the systems. 4. What nature and extent of security that will be necessary for each of the systems or
networks that you identify, including a discussion of things such as necessary
firewalls.
5. For each or type of user identified which of the systems, databases, networks, and/or
classes or types of information or data t hey will have access to. Include an
explanation of why th ey do or do not have access to certain systems, networks,
databases and types of information.
6. For each type or class of users discuss the type (s) and layer(s) of authe ntication that
will be required, discussing the options available and why you made the
authentication decision that you selected. Consider and discuss the logical access
controls for your subjects as well as authentication factors .
7. Discuss the privileges that will be assigned to u sers, clas ses of users or types of users
for each of your systems, networks and/or databases. Consider and discuss group
access controls.
8. Discuss the classification schemes of information that will reside on your networks,
systems and/o r databases and explain the security classifications for each. Include
how and when information may possibly be declassified .
9. Consider how and when information/data will be d estroyed or d isposed of at the end
of its useful lifecycle. Also, consider the process of taking the computers, hard drives,
and other physical components out of service at the end of their useful life.
10. Perform risk assessment for major components and discuss how you will handle risk
for each major system/network/database. Consider and discuss alternatives and
options for backup, mitigatio n of loss, loss prevention, and recovery. Explain why
you chose one option over another.
11. Discuss and make recommendation s for CMS ’s policies, standards, guidelines and
procedures for information security. With regard to information security policies,
demonstrate your critical thinking by developing an acceptable use policy for CMS
that will describe what tasks can and c annot be p erformed using the organization ’s
computing resources. Discuss the password policy, the account management polic y
and the remote access policy that you would re commend. While you will be unable to
develop a complete set of standards needed to support CMS ’s policies, please
highlight what you would consider the most significant standards and procedures that
detail authentication, password management, and remote access. Discuss where you
believe separation of duties , job rotation, and other policies are essential within the
different departments or divisions of the organization in order to maximize security .
12. Discuss the alternative available and your recommendations for employee training
regarding CMS ’s overall access control and security.
13. Don ’t overlook physical security! Discuss perimeter security and design a
comprehensive plan for physical, building, parking structures, points of entry,
creating physical obstacles and barriers that enhance security. Discuss the physical
and logical placement of the data control center and its p hysical security. If you
consider it beneficial use a schematic or drawing to illu strate physical security (and
any other aspect of your access control model where illustrations, diagrams, or tables
woul d enhance your explanation and/or presentation).
14. Consider biometric access controls for the different a reas, systems, networks etc. that
you have identified and discuss the alternative, explaining your recommendation and
why you arrived at the conclusion that you did. Also, consider various options for
technology -related access control solutions where a pplicable and explain the
alternatives and your recommendation for security and the possibility of outsourcing
parts or all of it.