Best IT Documents.com Blog


PCI, SOX, GLBA and Security Resources

Posted in Application (380),Compliances (1300),Data Center - SOC - NOC,Security (1500) by Guest on the December 3rd, 2018

IT Security / Technology Risk / Control Frameworks

SCF: Simplified Control Framework

http://www.controlframework.com/

 

COBIT 5

http://www.isaca.org/COBIT/Pages/default.aspx

 

COSO:

http://www.coso.org/

 

Risk and Control Frameworks:

http://www.solutionary.com/index/compliance/security-frameworks.php

 

Assessment Areas – PCI, SOX, NIST

  • Expert background in Technical Controls Assessment, Compliance, Risk, and Security control requirements.
  • SOX: SSAE 16 SOC 1 / ISAE 3402, SOC 2, SOC 3 (Type 2) – (Security, Availability, Processing Integrity, Confidentiality, or Privacy) – (Policies, Communications, Procedures, Monitoring); Detailed vs. High-Level.
  • PCI DSS / PA-DSS – PCI: CDE, Access, Vendors, Network Segmentation, ROC/AOC, submission, management recommendations and Roadmap to compliance. QSA / PA-QSA, ASV background.

 

Preparatory Research

  • Mapping Application Security to Controls: SDLC Assessments (very good)

https://www.isaca.org/Education/Online-Learning/Documents/Security-Innovation-11Jan12.pdf

  • A Compliance Primer for IT Professionals (great overview – a little dated, but a very good overview across controls)

http://www.sans.org/reading_room/whitepapers/compliance/compliance-primer-professionals_33538

  • Aligning Application Security and Compliance:

http://www.corporatecomplianceinsights.com/wp-content/uploads/gravity_forms/14-f3c6012ed7b64af70e209c6db8553b08/2012/02/Aligning+Application+Security+and+Compliance1.pdf

  • SANS – MOACL – Mother of All Control Lists: (dated info but good)

http://www.sans.org/reading_room/whitepapers/compliance/meeting-compliance-efforts-mother-control-lists-moacl_33299

 

Technology Risk / IT Controls Integration Terminology

Technology Risk

Likelihood, Impact, and SDLC Project Mapping, System Characterization, Controls Benchmark, gap analysis, Risk Remediation & Prioritization, Corrective Action Plan (CAP), IT Risk / IT Controls Remediation Roadmap, Risk Register, Risk Framework, Risk Scorecard, KRI, Loss Events. System Characterization, Threat Identification, Vulnerability Identification, Control Analysis, Likelihood Determination, Impact Analysis, Risk Determination, Controls Recommendations, Results Documentation.

 

IT Controls

Security, Documentation, Changes to Documentation, Implementation, Life Expectancy of a Version and a Version Upgrade, Hierarchy of Access – who can inquire versus who can make changes, Approvals, Sign-offs, Maintenance, Back-ups, Disaster Planning and Back-up, Change management, Incident Management, etc.

 

PCI Terminology

PCI DSS 3.0: a Qualified Security Assessor (QSA) creates a Report on Compliance (ROC), or compliance is validated by a Self-Assessment Questionnaire (SAQ) (Internal Security Assessor (ISA)), depending on the volume of card-holder transactions – Levels 1-4 Merchants; Attestation of Compliance (AOC); ASV (Approved Scanning Vendor); 12 Domains / 6 Control Objectives.

 

IT Governance / Regulations – Next PAGES – HIPAA, PCI, SOX, NIST

Omnibus Final Rule Summary

http://www.ama-assn.org/resources/doc/washington/HIPAA-omnibus-final-rule-summary.pdf

 

PCI / DSS

PCI DSS: v3.0, changes from 2.0 to 3.0, terms, ROC reporting instructions, prioritized approach tool, FAQs, SAQs

PCI / DSS 3.1: https://www.pcisecuritystandards.org/security_standards/documents.php

 

TERMINOLOGY: PCI DSS 3.0: a Qualified Security Assessor (QSA) creates a Report on Compliance (ROC), or compliance is validated by a Self-Assessment Questionnaire (SAQ) (Internal Security Assessor (ISA)), dependent on the volume of card-holder transactions – Levels 1-4 Merchants; Attestation of Compliance (AOC); ASV (Approved Scanning Vendor); 12 Domains / 6 Control Objectives.

PCI/DSS 2.0:  https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

(compensating controls p. 64+)

 

PCI / DSS Risk Assessment Guidelines: https://www.pcisecuritystandards.org/documents/PCI_DSS_v2_Risk_Assmt_Guidelines.pdf

 

PCI DSS – QSA – ROC:   PCI – Data Security Std – Validation Requirements

PCI-DSS: (SAQ/Attestation guide): http://www.elementps.com/merchants/pci-dss/compliance-level/

PCI / DSS:     https://www.pcisecuritystandards.org/security_standards

(ISO 27005, NIST SP 800-XX/30, Octave)

 

HIPAA and PCI Compliance ARE NOT INTERCHANGEABLE (DataCenterKnowledge.com)

SOX:

http://www.sox-online.com/act_section_404.html

SOX – SANS overview: An Overview of Sarbanes-Oxley for the Information Security Professional

SSAE 16  / ISAE 3402 / SOC 1-3: Service Organization Controls Report:  https://www.ssae-16.com/

AICPA – SOC – Service Organization Controls:

SOC 1 / SOC 2, SOC3 (Type 2): http://www.ssae16.org/white-papers/ssae-16-soc-1-2-3.html

 

Understanding SaaS Compliance – SSAE 16 / SOC 1 / SOC 2: https://en.wikipedia.org/wiki/Service_Organization_Controls

 

Terminology: (Security, Availability, Processing Integrity, Confidentiality, or Privacy) – (Policies, Communications, Procedures, Monitoring) Detailed vs High-Level

GLBA:

http://searchcio.techtarget.com/definition/Gramm-Leach-Bliley-Act

 

ISO:

ISO/27001 / 2:

http://www.27000.org/iso-27001.htm

http://www.27000.org/iso-27002.htm

 

ISO/27005:

http://www.27000.org/iso-27005.htm

 

NIST:

NIST SP 800 Series

NIST SP 800-53 (R4):

http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

NIST RMF RISK MANAGEMENT FRAMEWORK (800-37):

NIST SP 800-64: Security in the SDLC: http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf

NIST SP 800-30: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

IT Controls Checklists:  http://www.checklist20.com/

 

Technology Risk

5 Biggest IT risks explained (very good): http://www.youtube.com/watch?v=5UXhJyTunhM

(Hacking/ social engineering, Fraud, Disasters, Change / Disruptive, ROI)

 

Risk Register: 4 Steps (very good):  http://www.youtube.com/watch?v=mNQzRdWy9Ow

(Risk Frameworks, Categories, Strategic Objectives/Map / Balanced Scorecards / Weightings / Likelihood / Impacts / Risk Score)

Why most Risk Assessments are Wrong (TR): http://www.youtube.com/watch?v=PA9rqNBZWIw&feature=endscreen&NR=1

 

Risk Assessment (TR): http://www.youtube.com/watch?v=eD2mQ6ooYO4

Archer: Risk Management: http://www.youtube.com/watch?v=6KaapSEkOlQ

 

IT Risk Management 2.0: http://www.youtube.com/watch?v=VkmIOJYA3hM

Strategic Risk Management Dashboards: http://www.otusanalytics.com/wp/?p=422

Risk, Event Management & Importance of Excellence (Great): http://www.youtube.com/watch?v=t8Mr23rLps0

 

Technology Risk Radar: http://www.kpmg.co.uk/email/11Nov13/OM006033A/index.html#46

Archer: eGRC:  http://www.youtube.com/watch?v=SMkj8twTM6c

Archer Smart Suite Framework: http://www.infosecurityproductsguide.com/technology/2007/Archer_Compliance.html

Technology Risk Assessments

RISK Assessments:   https://www.smart-ra.com/News/Uploads/100511122641_ISACA_CPE%20Meet_May%202011_1.pdf

Risk Assessment Report Template – example: Risk Assessment Report Template (CDC – OCIO)

Information Risk Assessments: Understanding the process:

OCTAVE – Method – Intro: http://www.cert.org/octave/methodintro.html

 

IT Information Security Risk Assessments Tools / Templates / Audit Guides:

RISK Assessment Toolkit: CA – CIO.gov (good info):  http://www.cio.ca.gov/OIS/government/risk/toolkit.asp

 

Agile Risk Management in 5 simple steps: http://michaellant.com/2010/06/04/five-simple-steps-to-agile-risk-management

Burndown Chart: http://www.mountaingoatsoftware.com/blog/managing-risk-on-agile-projects-with-the-risk-burndown-chart

 

Some of the independent resources available include:

  • Center for Internet Security (CIS): http://benchmarks.cisecurity.org/
  • National Institute of Standards and Technology (NIST): http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
  • National Security Agency (NSA): https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml


Sample Visio – Prod Autosys Design

Sample Visio – Prod Autosys Design

www.bestitdocuments.com


Healthcare HIPAA, HITRUST, HITECH Resources

 

IT Security / Technology Risk / Control Frameworks

HITRUST: (RISK Framework)

http://www.hitrustalliance.net/about/

 

Assessment Areas – HIPAA

  • Expert background in Technical Controls Assessment, Compliance, Risk, and Security control requirements.
  • HIPAA Security Rule (3 Safeguards – Administrative, Physical, Technical), Required vs. Addressable. HIPAA Gap Assessments, HIPAA IT Auditing or HIPAA IT Controls Design, Integration, Testing. Gap Assessments, Privacy Gap Assessment – Pre-Audits.
  • Understanding of risk and control frameworks such as HITRUST, COBIT, UCF, ITIL, and ISO

 

Preparatory Research

  • Electronic Medical Records: Success Requires an Information Security Culture:

http://www.sans.org/reading_room/whitepapers/HIPAA/electronic-medical-records-success-requires-information-security-culture_34242

  • Aligning Application Security and Compliance: (good info)

http://www.corporatecomplianceinsights.com/wp-content/uploads/gravity_forms/14-f3c6012ed7b64af70e209c6db8553b08/2012/02/Aligning+Application+Security+and+Compliance1.pdf

  • SANS – MOACL – Mother of All Control Lists: (dated info but good)

http://www.sans.org/reading_room/whitepapers/compliance/meeting-compliance-efforts-mother-control-lists-moacl_33299

 

HIPAA Terminology

Covered Entity, Business Associate, Conduit, Meaningful Use / MU Phase I/II/III, Breach Notification Rule, OCR, ePHI / PHI, BNR, PNR, 45 CFR 164.x (9/2013 – 3/2014), Final HIPAA Omnibus Rule, BA Contracts.

 

IT Governance / Regulations – HIPAA

HIPAA / Omnibus HIPAA Privacy, Security, Governance, And Compliance.

 

HIPAA

http://www.hhs.gov/ocr/privacy/HIPAA/understanding/summary/index.html

 

HIPAA: Survival Guide

http://www.HIPAAsurvivalguide.com/HIPAA-omnibus-rule.php

(Good info)

Terminology

Covered Entity, Business Associate, BAA / Contracts, Conduit, Meaningful Use / MU Phase I/II/III, Breach Notification Rule, OCR, ePHI / PHI, BNR, PNR, 45 CFR 164.x (9/2013 – 3/2014), Final HIPAA Omnibus Rule, BA Contracts. HIPAA / HITRUST: HIPAA and HITRUST – What's the Difference?

 

Overview of HIPAA/HITECH Omnibus Final Rule

Omnibus / HealthIT

http://www.darkreading.com/privacy/new-hipaa-omnibus-rule-changes-health-it/240148673

 

EPHI Identifiers / De-Identification

HHS: Guidance on Methods for De-Identification

HIPAA PHI: List of 18 Identifiers and Definition of PHI

EPHI Computer Systems Inventory:

https://community.pepperdine.edu/it/security/ric/invephi.htm

 

Yale: Break Glass Procedure: Granting Emergency Access to Critical EPHI Systems

Meaningful Use: What Is Meaningful Use?

http://www.healthit.gov/policy-researchers-implementers/meaningful-use

 

Breach Notification Rule: HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414

Covered Entities & Business Associates: § 160.103 Definitions.

  • De-Identification of PHI: Methods in accordance with the HIPAA Privacy Rule.
  • Summary of the HIPAA Security Rule: HHS: Summary of the HIPAA Security Rule
  • HIPAA Security Risk Analysis Tips – 9 Essential Elements
  • Complete a Privacy Rule Compliance Assessment (45 CFR § 164.530)
  • MU – HIPAA Security Risk Analysis: How to Conduct a Meaningful Use / HIPAA Security Risk Analysis
  • eCFR: Electronic Code of Federal Regulations
  • Cornell Law School – 45 CFR 164 – Summaries: http://www.law.cornell.edu/cfr/text/45/part-164

Are You Ready For A HIPAA Audit? 5 Insights for Executives

HIPAA Audit Tips – Prepare For Audits Using Omnibus Final Rule

White Paper: The HIPAA Final Omnibus Rule: New Changes Impacting Business Associates

Deloitte Brief: Update: Privacy and Security Of Protected Health Information Omnibus Final Rule and Stakeholder Considerations

 

OCR HIPAA Audits: Findings/Recommendations: Notification of Findings And Recommendations Report From OCR HIPAA Audits

HHS/OCR: HIPAA Lessons – UCLA: Specific Lessons from HIPAA Privacy and Security Case At

 

OCR HIPAA Audits: What To Expect When OCR Audits Come

HIPAA Interview and Document Request: HIPAA Security Onsite Investigations and Compliance Reviews: – Great Sample

OCR HIPAA Audit Briefings:  OCR Data On First 20 HIPAA Compliance Audits

HIPAA Enforcement: Case Examples Organized By Covered Entity:

 

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/casebyentity.html#2healthcareprovider

 

HIPAA Settlements / Resolution Agreements

HIPAA-Hitech Compliance: Proven HIPAA Audit Tips – Actions You Should Take Now To Prepare For OCR HIPAA Audits

  1. Set a privacy and security risk management & governance program in place (45 CFR § 164.308(a)(1))
  2. Develop & implement comprehensive HIPAA privacy, security and breach notification policies & procedures (45 CFR § 164.530 and 45 CFR § 164.316)
  3. Train all members of your workforce (45 CFR § 164.530(b) and 45 CFR § 164.308(a)(5))
  4. Complete a HIPAA security risk analysis (45 CFR § 164.308(a)(1)(ii)(A))
  5. Complete a HIPAA security evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))
  6. Complete technical testing of your environment (45 CFR § 164.308(a)(8))
  7. Implement a strong, proactive business associate management program (45 CFR § 164.502(e) and 45 CFR § 164.308(b))
  8. Complete privacy rule and breach notification rule compliance assessments (45 CFR § 164.500 and 45 CFR § 164.400)
  9. Document and act upon a remediation plan

 

HHS.GOV – HIPAA: Security Series

  1. Security 101 for Covered Entities
  2. Security Standards Administrative Safeguards
  3. Security Standards – Physical Safeguards
  4. Security Standards – Technical Safeguards
  5. Security Standards – Organizational, Policies & Procedures, and Documentation Requirements
  6. Basics of Risk Analysis & Risk Management

Sample Visio – O365 Technology Relationships

O365 Technology Relationships

www.bestitdocuments.com


Sample Visio – Azure Event Log Drawing 1

Azure Events Drawing

www.bestitdocuments.com


Sample Visio – Azure Event Log Drawing 2

Azure Event Drawing

www.bestitdocuments.com


CA Autosys R11.3.5 Schema Tables

Posted in Application (380),Data Center - SOC - NOC,Security (1500),Web Services (250) by Guest on the November 11th, 2018

CA Autosys R11.3.5 Schema Tables

www.bestitdocuments.com


Sample – Distributed Storage, Backup & Long-term Retention guidelines

Posted in Application (380),Data Center - SOC - NOC,Web Services (250) by Guest on the October 16th, 2018

Distributed Storage, Backup & Long-term Retention

The IT Storage provides tiered storage service levels that align with storage provider capabilities and are based on your business requirements. A detailed description of the tiers can be found below. In addition to tiered disk rates, a monthly data backup charge and a long-term backup data retention charge have been implemented; both are described below.

  • The characteristics of Tier 1 SAN/NAS Disk, Tier 2 SAN/NAS Disk and Tier 3 SAN/NAS Disk are described below.
  • The cost of backing up disk storage to tape is in addition to the storage costs. The frequency of the backups varies by tier of disk. Backup of internal disk is charged on a consumption basis to more accurately reflect the costs of the distributed tape backup environment.
  • A long-term data retention cost is incurred for data retained longer than 56 days.

The following table is a summary of the tiered levels of disk; additional details for each tier follow the table.

Disk Resource                                | Tier 1                                            | Tier 2                                            | Tier 3
Connectivity to Storage Area Network (SAN)   | Dual path, Fibre Channel                          | Single path, Fibre Channel                        | Single path, iSCSI, low-end Fibre
Disk drives                                  | High performance, high availability RAID          | Moderate performance, high availability RAID      | Serial ATA (SATA) interface, low-performance RAID
Scalability                                  | High                                              | Moderate                                          | Low
Non-disruptive maintenance                   | Yes                                               | Usually, but some outages required                | Hardware/software maintenance requires an outage
Pro-active hardware monitoring               | Yes                                               | Yes                                               | No
Root cause analysis                          | Yes                                               | For significant problems                          | None
Support hours                                | 7×24                                              | 7×24                                              | 5×8 (7:00-16:30, Mon-Fri)
Backup schedule                              | Full weekly, daily incrementals, plus monthly DR  | Full weekly, daily incrementals, plus monthly DR  | No routine backup; monthly DR only; additional backups at the user's request

 

Tier 1 SAN/NAS Disk Characteristics:

  • Dual path connectivity to SAN or NAS (Network) attached high performance fiber disk array.
  • High availability RAID configuration, to minimize disruption from a disk hardware failure.
  • Highly scalable.
  • Non-disruptive hardware and micro-code upgrades.
  • Pro-active hardware monitoring, root cause analysis for all problems and downtime problem escalation within 30 minutes.
  • 7×24 support for hardware, availability and performance.
  • Standard backup schedule (full weekly backups with daily incrementals. Additional backups may be requested). The IT Storage maintains monthly backups of the data for disaster recovery purposes; other special backups may also be taken when maintenance is applied to the Tier 1 SAN disk environment.

 

Tier 2 SAN/NAS Disk Characteristics:

  • Single path connectivity to SAN or NAS (Network) attached moderate performance fiber disk array.
  • High availability RAID configuration to minimize disruption from a disk hardware failure.
  • Moderate scalability.
  • Hardware and micro-code upgrades may be disruptive.
  • Pro-active hardware monitoring, root cause analysis for problems that significantly impact the environment; downtime problem escalation after 4 hours.
  • 7×24 support for hardware and availability; no performance analysis is included in the base rate.
  • Support for performance problems and other support services are available on a time and material basis at the standard IT Storage workday rate.
  • Standard backup schedule (full weekly backups with daily incrementals; additional backups may be requested). The IT Storage maintains monthly backups of the data for disaster recovery purposes; other special backups may also be taken when maintenance is applied to the Tier 2 SAN disk environment.

 

Tier 3 SAN/NAS Disk Characteristics:

  • Single path connectivity to SAN, using iSCSI, NFS or low-end fiber attached to a low performance SATA disk array.
  • High availability RAID configuration, to minimize disruption from a disk hardware failure.
  • Low to moderate scalability.
  • Disruptive hardware and micro-code upgrades.
  • No pro-active hardware monitoring or root cause analysis performed. Downtime problem escalation after 24 hours, 7:00 AM to 4:30 PM EDT, Monday through Friday.
  • Hardware and availability support 7:00 AM to 4:30 PM EDT.
  • No performance analysis is included in the base rate.
  • Support for performance problems and other support services is available on a time and materials basis at the standard IT Storage workday rate.
  • No routine backup of the data; all backups are individually scheduled (e.g. weekly, monthly, etc.) at the user's request. The IT Storage maintains monthly backups of the data for disaster recovery purposes; other special backups may also be taken when maintenance is applied to the Tier 3 SAN disk environment.

www.bestitdocuments.com


Sample – Healthcare (HIPAA, HiTRust, HiTech) Tiered Application and System Support Services

Healthcare (HIPAA, HiTrust, HiTech) Tiered Application and System Support Services

Tiered Application and System Support Services

Measures include:

  • Time to Respond (Priority 1-4)
  • Time to Resolve (Priority 1-4)
  • % of Open Break Fix Issues that Exceed the SLA
  • Tier 1 Applications / System Availability (system uptime) for:
      • Cerner
      • Meditech
      • PACs
      • PPP
      • McKesson Star
      • Lawson
      • Core Network Systems
      • EICU

 

Tiered Application and System Support Services

  • Time to Respond – Amount of time required for an incident (ticket) to be assigned for work.

Monthly Goals:

Description          | Proposed Goal
Priority 1 (Urgent)  | 90% within 15 minutes
Priority 2 (High)    | 90% within 4 Business Hours
Priority 3 (Medium)  | 90% within 1 Business Day
Priority 4 (Low)     | 90% within 3 Business Days

Name of SLA                             | Proposed Goal
Time to Respond – Priority 1 (Urgent)   | 90% within 15 Minutes
Time to Respond – Priority 2 (High)     | 90% within 4 Business Hours
Time to Respond – Priority 3 (Medium)   | 90% within 1 Business Day
Time to Respond – Priority 4 (Low)      | 90% within 3 Business Days

 

Tiered Application and System Support Services

  • Time to Resolve – Amount of time required for an incident (service) to be restored.

Monthly Goals:

Description          | Proposed Goal
Priority 1 (Urgent)  | 90% within 4 Hours
Priority 2 (High)    | 90% within 8 Business Hours
Priority 3 (Medium)  | 90% within 3 Business Days
Priority 4 (Low)     | 90% within 10 Business Days

Name of SLA                             | Proposed Goal
Time to Resolve – Priority 1 (Urgent)   | 90% within 4 Hours
Time to Resolve – Priority 2 (High)     | 90% within 8 Hours
Time to Resolve – Priority 3 (Medium)   | 90% within 3 Business Days
Time to Resolve – Priority 4 (Low)      | 90% within 10 Business Days

 

  • % of Open Break Fix Issues that Exceed SLA – percentage of open Incidents (tickets) that exceed the SLA for all Priority levels in a given month.

Monthly Goal: < 35%

Name of SLA                                  | Proposed Goal
% of Open Break Fix Issues that Exceed SLA   | < 35% of Open Break Fix Issues
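As an added example (not part of the original sample document), the following Python calculator scores the Time to Respond, Time to Resolve and "% of Open Break Fix Issues that Exceed SLA" measures above against a constructed set of incident tickets. The thresholds are the proposed goals from the tables; the business-hours window (08:00-17:00, Monday to Friday), the 9-hour business day, the choice of 8 business hours for the Priority 2 resolve goal, the ticket layout and the sample tickets themselves are all assumptions.

```python
"""SLA attainment calculator: added example, not part of the original sample.

Scores the "Time to Respond" and "Time to Resolve" goals (90% within N
minutes / business hours / business days) and "% of Open Break Fix Issues
that Exceed SLA" (< 35%) over constructed tickets.  Assumptions: business
hours are 08:00-17:00 Monday to Friday, one business day is 9 business
hours, and the Priority 2 resolve goal is 8 business hours.
"""
from datetime import datetime, timedelta

BUSINESS_START, BUSINESS_END = 8, 17                    # assumed business window
BUSINESS_DAY = timedelta(hours=BUSINESS_END - BUSINESS_START)
TARGET_PCT = 90.0                                       # "90% within ..."
OPEN_BREACH_LIMIT_PCT = 35.0                            # "< 35% of open break-fix issues"

# (threshold, clock): "wall" = elapsed time, "business" = business time only.
RESPOND_GOAL = {1: (timedelta(minutes=15), "wall"), 2: (timedelta(hours=4), "business"),
                3: (1 * BUSINESS_DAY, "business"),   4: (3 * BUSINESS_DAY, "business")}
RESOLVE_GOAL = {1: (timedelta(hours=4), "wall"),     2: (timedelta(hours=8), "business"),
                3: (3 * BUSINESS_DAY, "business"),   4: (10 * BUSINESS_DAY, "business")}


def business_time(start, end):
    """Elapsed time inside the business window only (weekends excluded)."""
    total = timedelta()
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < end:
        if day.weekday() < 5:                            # Monday..Friday
            lo = max(start, day.replace(hour=BUSINESS_START))
            hi = min(end, day.replace(hour=BUSINESS_END))
            if hi > lo:
                total += hi - lo
        day += timedelta(days=1)
    return total


def within_goal(opened, event, goal):
    threshold, clock = goal
    elapsed = event - opened if clock == "wall" else business_time(opened, event)
    return elapsed <= threshold


def attainment(tickets, goals, field):
    """Per priority: % of tickets with a recorded `field` time that met the goal."""
    met, seen = {}, {}
    for t in tickets:
        if t[field] is None:                             # not yet responded / resolved
            continue
        p = t["priority"]
        seen[p] = seen.get(p, 0) + 1
        met[p] = met.get(p, 0) + within_goal(t["opened"], t[field], goals[p])
    return {p: round(100.0 * met[p] / seen[p], 1) for p in seen}


def open_breach_pct(tickets, now):
    """% of still-open tickets whose resolve goal has already lapsed at `now`."""
    open_tickets = [t for t in tickets if t["resolved"] is None]
    if not open_tickets:
        return 0.0
    late = sum(1 for t in open_tickets
               if not within_goal(t["opened"], now, RESOLVE_GOAL[t["priority"]]))
    return round(100.0 * late / len(open_tickets), 1)


def scorecard(tickets, now):
    """Pass/fail per measure against the proposed monthly goals."""
    respond = attainment(tickets, RESPOND_GOAL, "responded")
    resolve = attainment(tickets, RESOLVE_GOAL, "resolved")
    breach = open_breach_pct(tickets, now)
    return {"respond_pct": respond, "respond_met": {p: v >= TARGET_PCT for p, v in respond.items()},
            "resolve_pct": resolve, "resolve_met": {p: v >= TARGET_PCT for p, v in resolve.items()},
            "open_breach_pct": breach, "open_breach_met": breach < OPEN_BREACH_LIMIT_PCT}


def ts(day, hour, minute=0):                             # March 2019; 4 March is a Monday
    return datetime(2019, 3, day, hour, minute)


# Constructed sample tickets (not real data).
SAMPLE_TICKETS = [
    {"id": "INC1", "priority": 1, "opened": ts(4, 9), "responded": ts(4, 9, 10), "resolved": ts(4, 12)},
    {"id": "INC2", "priority": 1, "opened": ts(4, 9), "responded": ts(4, 9, 30), "resolved": ts(4, 14)},
    # Opened Friday afternoon: the weekend does not count against the business-hour goals.
    {"id": "INC3", "priority": 2, "opened": ts(8, 15), "responded": ts(11, 9, 30), "resolved": ts(11, 13)},
    {"id": "INC4", "priority": 2, "opened": ts(4, 9), "responded": ts(4, 14), "resolved": None},
    {"id": "INC5", "priority": 3, "opened": ts(4, 10), "responded": ts(5, 10), "resolved": ts(7, 10)},
    {"id": "INC6", "priority": 4, "opened": ts(18, 9), "responded": ts(18, 9, 5), "resolved": None},
]
NOW = ts(20, 12)                                         # measurement time for the sample

if __name__ == "__main__":
    for name, value in scorecard(SAMPLE_TICKETS, NOW).items():
        print(f"{name}: {value}")
```

Tickets that are still open are excluded from the respond/resolve attainment figures but drive the open-breach figure, which is why INC4 (Priority 2, unresolved since 4 March) pushes the sample's open-breach percentage to 50% and fails the < 35% goal.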


  • Tier 1 Applications / System Availability

Monthly Goal: >99.9%

Name of SLA                                                      | Proposed Goal
Tier 1 Applications / System Availability (Cerner)               | >99.9% Availability
Tier 1 Applications / System Availability (Meditech)             | >99.9% Availability
Tier 1 Applications / System Availability (PACs)                 | >99.9% Availability
Tier 1 Applications / System Availability (PPP)                  | >99.9% Availability
Tier 1 Applications / System Availability (McKesson Star)        | >99.9% Availability
Tier 1 Applications / System Availability (Lawson)               | >99.9% Availability
Tier 1 Applications / System Availability (Core Network Systems) | >99.9% Availability
Tier 1 Applications / System Availability (EICU)                 | >99.9% Availability

 

Customer Support Services

  • Measures include:
      • Total Call Volume
      • Average Speed to Answer
      • Call Abandonment Rate
      • First Call Resolution Rate

  • Total Call Volume – number of calls into each of the Help Desks in a given month.

Help Desk              | Proposed Goal
Denver Administration  | xxxxxx
Houston HD             | xxxxxx
California Server      | xxxxxx
  • Average Speed to Answer / per Queue (Seconds) – average length of time required (in seconds) to answer calls into the Help Desk in a given month.

Monthly Goal: < 55 seconds

Help Desk              | Proposed Goal
Denver Administration  | < 55 seconds
Houston HD             | < 55 seconds
California Server      | < 55 seconds

 

  • Call Abandonment Rate / per Queue – rate of calls where the caller hung up while phoning the Help Desk in a given month.

Monthly Goal: < 15%

Help Desk              | Proposed Goal
Denver Administration  | < 15%
Houston HD             | < 15%
California Server      | < 15%

 

  • First Call Resolution Rate – rate of incidents resolved during the first call to the Help Desk.

Monthly Goal: > 50%

Help Desk              | Proposed Goal
Denver Administration  | > 50%
Houston HD             | > 50%

Business Continuity Management Services

  • Measures currently include:
      • Tier 1 Application and System Back-Ups

Monthly Goal: >75% successfully backed up within window

Name of SLA                              | Proposed Goal
Tier 1 Application and System Back-Ups   | >75% successfully backed up within window

 

Security Services

  • Measures include:
      • Virus Protection Currency – Servers (definitions updated within 7 days)
      • Virus Protection Currency – Desktops (definitions updated within 7 days)

Monthly Goal: > 90%

Name of SLA                                            | Proposed Goal
Virus Protection Currency – Servers (within 7 days)    | > 90% Virus Protection Compliance
Virus Protection Currency – Desktops (within 7 days)   | > 90% Virus Protection Compliance
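As an added example (not part of the original sample document), this Python check computes the virus-protection currency measure above: the share of servers and desktops whose definition update is no older than 7 days at measurement time, compared with the > 90% goal. The CSV inventory format, the hostnames and the timestamps are constructed assumptions; hosts that have never reported a definition date are counted as non-compliant, which is the conservative reading of the measure.

```python
"""Virus-protection currency check: added example, not from the original post.

Computes the "> 90% within 7 days" Security Services measure: the share of
servers and desktops whose virus-definition update is at most 7 days old at
the measurement time.  Hosts that have never reported a definition date are
counted as non-compliant (the conservative reading).  The CSV export format
and the sample rows below are assumptions, not a real product export.
"""
import csv
import io
from datetime import datetime, timedelta

CURRENCY_WINDOW = timedelta(days=7)     # "within 7 days"
GOAL_PCT = 90.0                         # "> 90% Virus Protection Compliance"

# Constructed sample inventory export (hostname, class, last definition update).
SAMPLE_INVENTORY = """hostname,class,last_definition_update
srv-db01,server,2019-03-18T02:10:00
srv-web01,server,2019-03-12T23:00:00
srv-file02,server,
wks-0001,desktop,2019-03-19T08:00:00
wks-0002,desktop,2019-03-19T08:00:00
wks-0003,desktop,2019-03-16T08:00:00
wks-0004,desktop,2019-03-17T12:30:00
"""
AS_OF = datetime(2019, 3, 20, 12, 0)    # measurement time for the sample


def parse_inventory(text):
    """Rows as dicts; a blank timestamp becomes None (host never reported)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["last_definition_update"].strip()
        row["last_definition_update"] = datetime.fromisoformat(raw) if raw else None
        rows.append(row)
    return rows


def is_current(host, as_of):
    """True only if a definition date exists and is within the 7-day window."""
    last = host["last_definition_update"]
    return last is not None and as_of - last <= CURRENCY_WINDOW


def currency_by_class(hosts, as_of):
    """{class: (compliant %, [hosts that are stale or never reported])}."""
    result = {}
    for cls in sorted({h["class"] for h in hosts}):
        group = [h for h in hosts if h["class"] == cls]
        stale = [h["hostname"] for h in group if not is_current(h, as_of)]
        pct = round(100.0 * (len(group) - len(stale)) / len(group), 1)
        result[cls] = (pct, stale)
    return result


def meets_goal(result):
    """Per class: does the compliant share exceed the 90% goal?"""
    return {cls: pct > GOAL_PCT for cls, (pct, _stale) in result.items()}


if __name__ == "__main__":
    report = currency_by_class(parse_inventory(SAMPLE_INVENTORY), AS_OF)
    for cls, (pct, stale) in report.items():
        print(f"{cls}: {pct}% current, stale or unreported: {stale}")
```

In the constructed sample the desktops pass, while the servers fail on two counts worth distinguishing in a real report: srv-web01 is stale by a matter of hours (7 days and 13 hours), whereas srv-file02 has no reported date at all, which usually points at a broken agent rather than a late update.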

 

Change Management Services

  • Measures include:
      • Change Timeliness of Non-Routine Changes (Urgent, High, and Medium)
      • Change Accuracy of Non-Routine Changes (Urgent, High, and Medium)
      • % of Urgent and High Unplanned Emergency Changes

Name of SLA                                                          | Proposed Goal
Change Timeliness of Non-Routine Changes (Urgent, High, and Medium)  | > 95% of changes completed within the change window
Change Accuracy of Non-Routine Changes (Urgent, High, and Medium)    | > 95% change success
% of Urgent and High Unplanned Emergency Changes                     | < 20% of High and Urgent changes submitted as Emergency

 

Report and Review Services

  • SLA Review Reports published to the OCIO and Service Delivery Sub-Committee on time
  • Percentage of SLAs that meet or exceed targets (Scorecard Metric)
  • Scorecard published to the OCIO and Service Delivery Sub-Committee on time
  • Scorecard data received on time
  • Percentage of Scorecard measures that meet or exceed targets

SLA Dashboard and ITS Balanced Scorecard are published on the last business day of each reporting month.

Name of SLA                                                                        | Proposed Goal
SLA Review Reports Published to OCIO and Service Delivery Sub-Committee on Time    | > 95% Reported on Time
Percentage of SLAs that meet or exceed targets (SCORECARD METRIC)                  | > 80% Reported Green (18 month goal)
Scorecard Published to OCIO and Service Delivery Sub-Committee on Time             | > 95% (15th of the Month)
Scorecard Data Received on Time                                                    | > 95% (Received prior to the 26th of the Month)
Percentage of Scorecard measures that meet or exceed targets                       | > 80% Reported Green

 

 

Report and Review Services

Measures include:

  • Customer Satisfaction (LITED) Reports Published to the OCIO and Service Delivery Sub-Committee on Time
  • LITED: percent overall that meets overall expectations of IT Delivery in 5 focus areas (SCORECARD METRIC)
  • LITED: percent of Action Plans completed on time (SCORECARD METRIC)
  • SLA Review Reports Published to OCIO and Service Delivery Sub-Committee on Time
  • Percentage of SLAs that meet or exceed targets (SCORECARD METRIC)
  • Scorecard Published to OCIO and Service Delivery Sub-Committee on Time
  • Scorecard Data Received on Time
  • Percentage of Scorecard measures that meet or exceed targets

 

Customer Satisfaction (LITED) Reports Published to the OCIO and Service Delivery Sub-Committee on Time

  • Published on the last business day of the reporting month

Name of SLA                                                                                        | Proposed Goal
Customer Satisfaction (LITED) Reports Published to OCIO and Service Delivery Sub-Committee on Time  | > 95% Reported on Time

 

LITED: Percent overall that meets overall expectations of IT Delivery in 5 focus areas (SCORECARD Performance Review and National Scorecard METRIC)

Did IT meet the overall expectations of Service Delivery in the following Focus Areas?

  • Operations Service Delivery (OSD) – includes Help Desk, Desktop Support and Direct Customer Support
  • Program & Project Delivery (PPD) – includes EPMO, Legal, Contract & Vendor Management
  • Service Quality (SVC)
  • Value Creation (VAL)
  • Relationships (REL)

Name of SLA                                                                                          | Proposed Goal
LITED: % overall that meets overall expectations of IT Delivery in 5 focus areas (SCORECARD METRIC)  | > 75% Reported Meets Expectations

 

 

LITED: Percent of Action Plans completed on time (SCORECARD Performance Review and National Scorecard METRIC)

Name of SLA                                                     | Proposed Goal
LITED: % of Action Plans completed on Time (SCORECARD METRIC)   | > 95% Completed

 

SLA Review Reports published to the OCIO and Service Delivery Sub-Committee on time

  • Percentage of SLAs that meet or exceed targets (Scorecard Metric)
  • Scorecard published to the OCIO and Service Delivery Sub-Committee on time
  • Scorecard data received on time
  • Percentage of Scorecard measures that meet or exceed targets

SLA Dashboard and IT Balanced Scorecard are published on the last business day of each reporting month.

Name of SLA                                                                        | Proposed Goal
SLA Review Reports Published to OCIO and Service Delivery Sub-Committee on Time    | > 95% Reported on Time
Percentage of SLAs that meet or exceed targets (SCORECARD METRIC)                  | > 80% Reported Green (18 month goal)
Scorecard Published to OCIO and Service Delivery Sub-Committee on Time             | > 95% (15th of the Month)
Scorecard Data Received on Time                                                    | > 95% (Received prior to the 26th of the Month)
Percentage of Scorecard measures that meet or exceed targets                       | > 80% Reported Green

 

Tiered Applications and System Support Services

Customer Support Services

Business Continuity Management Services

Security Services

Change Management Services

IT Release and Project Management Services

Report and Review Services

Contracting and Vendor Management Support Services

 

In relation to the clinical needs of the patient

  • In anticipation of Medicare AND insurer changes
  • These are not the only influencers of cost & revenue (i.e. Case Managers, Physicians, OR Staff, Service Line Leadership)
  • Tier 1 applications / systems:
      1. Cerner
      2. Meditech
      3. PACs
      4. PPP
      5. McKesson Star
      6. Lawson
      7. Core Network Systems
      8. EICU

 

Corporate Future Growth Strategy Involves Significant Influx Of New Physicians, Staff, And Clinical Facilities.

  • Align newly acquired operations with Corporate security standards quickly and efficiently – without impact to acquisition/integration timelines.

 

Address security gaps at time of acquisition.

  • Avoid inheriting non-compliant systems or processes
  • Synergy with tech-refresh activities associated with the acquisition

 

Due Diligence

  • Identify any security issues that are material to the acquisition.
  • Assess amount of security investment needed to bring acquired operation into compliance with Corporate standards.

 

 

Pre-Integration

  • Risk assessment to identify gaps in infrastructure and processes.
  • Remediation to stop-gap any critical items.
  • Establish roles and provision access for new staff.
  • Overlay Corporate standard security technologies.

 

Post-Integration

  • Bring systems and processes into alignment with Corporate standards.
  • Ensure and maintain compliance.

 

Internal Scans

  • Vendor being used for initial scans to allow for implementation of program by staff
  • Internal team will lead vendor initiative and implement program simultaneously

 

External Scans

  • All Corporate external addresses
  • Denver address space represented here
  • Remaining results to be reviewed with groups next week

 

Acquisition Scans

  • Qualys acquisition represented
  • Rescan April 2019
  • Remediation results reported after rescan
  • Chattanooga Heart scan report to be completed next week.

 

Divestiture Scans

  • No active divestitures

 

Future State Vision

  • Consistent, holistic enterprise-wide approach.
  • Cover all information assets.
  • Coordinate security and business resilience.
  • Enable access to accommodate physician growth and workforce mobility.
  • Establish a control structure framework to meet and manage HIPAA and PCI compliance.

 

Program Maturity Objectives

  • Meet defined customer service objectives.
  • Predictable cost for sustainable compliance.
  • Active management and significant reduction of risk.
  • Adoption across entire enterprise.
  • Business decisions influenced by trends and metrics.
  • Program covers new and emerging risks (mobile, virtualization etc.).

 

www.bestitdocuments.com

 


Sample – Storage TIERed descriptions

Posted in Application (380),Data Center - SOC - NOC,Web Services (250) by Guest on the October 4th, 2018

What are the general guidelines for the Tiers?

The following are the high-level guidelines for the tiers:

  • Tier 1: Built on high speed (15,000 RPM) disks, this is the fastest tier available and is appropriate for PROD applications/databases with high workload demands and high counts of concurrent users.

  • Tier 2: Built on medium performance (10,000 RPM) disks, this tier is appropriate for most workloads of PROD and non-PROD applications/databases with moderate workload demands and counts of concurrent users. The bulk of the storage at KP, along with the bulk of the applications/DB instances, lives here.

  • Tier 3: Built on modest performance (7,200 RPM) disks, this tier is appropriate for very low use PROD workloads and general non-PROD use for applications with very light workload demands and concurrent user counts. This storage is low cost to Corporate and works well for bulk storage of lightly used data, backup space, and executables.
      • Tier 3 is also a good choice for lower (non-PROD) environments where functionality testing is the only requirement and there are low numbers of concurrent users.

The exception however would be non-prod environments that are used during detailed load testing, where there is a need to extrapolate the performance results to help size for eventual PROD deployments.

 

·         Tier 0: Within a VMAX there are EFD (Enterprise Flash Drive) drives, which most vendors call Solid State Disk (SSD); these are flash memory rather than spinning disk. This is Tier 0: the highest performance at the highest cost. The highest of the high workload requirements usually go here. We have a bit of Tier 0 around KP, but it is not currently used for PROD or non-PROD.

Sample Visio – Cloud Network Architecture Risks

Posted in Application (380),Visio Samples - Stencils (457),Web Services (250) by Guest on the October 2nd, 2018

Cloud Network Architecture Risks


Sample Visio – SAML Integration: Single Sign-On (SSO) for Cloud Apps

Posted in Application (380),Visio Samples - Stencils (457),Web Services (250) by Guest on the September 30th, 2018

Sample Visio – ITIL SDLC Framework

Posted in Application (380),Visio Samples - Stencils (457),Web Services (250) by Guest on the September 22nd, 2018

ITIL SDLC Framework


Sample Visio – Web Tiered layout

Posted in Application (380),Visio Samples - Stencils (457),Web Services (250) by Guest on the September 15th, 2018

Web Tiered layout


Sample Visio – ITIL Application Product Workflow

Posted in Application (380),Visio Samples - Stencils (457),Web Services (250) by Guest on the September 9th, 2018

ITIL Application Product Workflow


Sample Visio – Consideration SDLC Programming Framework

Posted in Application (380),Visio Samples - Stencils (457),Web Services (250) by Guest on the September 5th, 2018

Consideration SDLC Programming Framework


Sample Visio – Web Design and Development

Posted in Application (380),Visio Samples - Stencils (457),Web Services (250) by Guest on the August 27th, 2018

Definition of an Application

An application is defined as an environment that consists of a set of deployed (installed) software that is executable on hardware supporting business function(s) and is managed as a unit.

Important information maintained about an application includes:

  • Design and functional information
  • Software information
  • Database Information
  • Descriptive / identifying information
  • Datacenter / geographical information
  • Disaster recovery information
  • Collaboration information
  • Support roles / responsibilities and contact information
  • PCI Compliance information
  • HIPAA Compliance information
  • SOX Compliance information


Sample – HIPAA Access Components – Identity Management Visio


Visio – Application Security Principles

Posted in Application (380),Compliances (1300),O S (375),Web Services (250) by Guest on the August 13th, 2018

Application Security Principles


WebSphere Install Sample Guide

WebSphere Install Sample Guide


Spreadsheet – WebSphere Filesystem Allocations Permissions


WebSphere Application Server Internals.pdf


Legacy – NetCache – CLI Help Documents


XML – eXML

Posted in Application (380),Web Services (250) by Guest on the July 8th, 2018

Glossary:

Extensible Markup Language

Identifies and describes data in documents such as web pages or text messages, which makes the data usable by software such as web browsers and B2B e-commerce systems. It is an official, open standard.

Extensible Markup Language (XML) – A common, independent data format across the enterprise and beyond that provides:

  • Standard data types and structures, independent of any programming language, development environment, or software system.
  • Pervasive technology for defining business documents and exchanging business information, including standard vocabularies for many industries.
  • Ubiquitous software for handling operations on XML, including parsers, queries, and transformations.

Web services – XML-based technologies for messaging, service description, discovery, and extended features, providing:

  • Pervasive, open standards for distributed computing interface descriptions and document exchange via messages.
  • Independence from the underlying execution technology and application platforms.
  • Extensibility for enterprise qualities of service such as security, reliability, and transactions.
  • Support for composite applications such as business process flows, multi-channel access, and rapid integration.

Service-oriented architecture (SOA) – A methodology for achieving application interoperability and reuse of IT assets that features:

  • A strong architectural focus, including governance, processes, modeling, and tools.
  • An ideal level of abstraction for aligning business needs and technical capabilities, and creating reusable, coarse-grain business functionality.
  • A deployment infrastructure on which new applications can quickly and easily be built.
  • A reusable library of services for common business and IT functions.
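The glossary above presents XML as the format for exchanging business documents between enterprises and notes that parsers for it are ubiquitous. The caveat a practitioner wants next to that: a parser that receives documents from outside the enterprise must not honour a DOCTYPE, because a DTD can declare external entities (which make the parser read local files or URLs) or recursively expanding entities. The following is an added example, not code from the original post; it uses only the Python standard library's expat binding to parse a small purchase-order document while rejecting any DTD. The element names (order, customer, item, qty) and both sample documents are constructed for illustration.

```python
"""Hardened XML parsing for an exchanged business document.

Added example (not from the original page). Uses only xml.parsers.expat
from the Python standard library. The purchase-order layout and the sample
documents are constructed for illustration.
"""
from xml.parsers import expat


class UnsafeDocument(ValueError):
    """Raised when a document carries a DOCTYPE or an entity declaration."""


def parse_order(xml_bytes):
    """Parse <order id=..><customer>..</customer><item sku=..><qty>..</qty></item>..</order>.

    Any DOCTYPE is rejected before the body is parsed, so neither external
    entity references (XXE) nor entity-expansion payloads can be declared.
    """
    parser = expat.ParserCreate()
    parser.buffer_text = True          # deliver contiguous text as one callback
    order = {"id": None, "customer": None, "items": []}
    path = []                          # element stack, e.g. ["order", "item", "qty"]
    text = []                          # character data since the last start tag
    current_item = {}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeDocument(f"DOCTYPE {name!r} rejected: DTDs are not permitted")

    def on_entity_decl(*_):
        # Unreachable once DOCTYPE is rejected; kept as a second line of defence.
        raise UnsafeDocument("entity declarations are not permitted")

    def on_start(name, attrs):
        nonlocal current_item
        path.append(name)
        text.clear()
        if name == "order":
            order["id"] = attrs.get("id")
        elif name == "item":
            current_item = {"sku": attrs.get("sku"), "qty": 0}

    def on_end(name):
        nonlocal current_item
        value = "".join(text).strip()
        if path == ["order", "customer"]:
            order["customer"] = value
        elif path == ["order", "item", "qty"]:
            current_item["qty"] = int(value)   # ValueError on a non-numeric quantity
        elif path == ["order", "item"]:
            order["items"].append(current_item)
            current_item = {}
        path.pop()
        text.clear()

    def on_chars(data):
        text.append(data)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_bytes, True)      # exceptions raised inside handlers propagate here
    return order


def check_order(xml_bytes):
    """Return (accepted, detail) without raising, for use at an intake boundary."""
    try:
        order = parse_order(xml_bytes)
    except UnsafeDocument as exc:
        return False, f"rejected: {exc}"
    except expat.ExpatError as exc:
        return False, f"malformed: {exc}"
    return True, f"order {order['id']} with {len(order['items'])} item(s)"


# Constructed sample documents (not real orders).
GOOD_ORDER = b"""<?xml version="1.0"?>
<order id="PO-1001">
  <customer>ACME Clinic</customer>
  <item sku="GLV-100"><qty>12</qty></item>
  <item sku="MSK-200"><qty>3</qty></item>
</order>"""

# Same layout, but the DTD declares an external entity that points at a local file.
HOSTILE_ORDER = b"""<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<order id="PO-1002"><customer>&ext;</customer></order>"""

if __name__ == "__main__":
    print(check_order(GOOD_ORDER))
    print(check_order(HOSTILE_ORDER))
```

Rejecting the DOCTYPE outright, rather than trying to disable individual entity features, is the portable rule: a business document exchanged over web services never needs a DTD, and the rejection happens before any element of the body is processed, whatever the parser's defaults for entity resolution happen to be.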