The objective of this step is to gather as much information as possible about your entity's information management and technology baselines, as well as your processes and procedures related to information security. The intent is not to produce an in-depth network and system assessment, but to establish a preliminary summary of your automation systems and your use of electronic information (including PHI), and to understand how your organization's security posture, both present and future, relates to your business processes and needs.
While this step is often done in parallel with the assessment, it should be accomplished prior to Step Two, if possible. This review will also show the completeness of your organization's thought and documentation process and should be used to guide the development of the specific tools for Step Two.
Don't be afraid of collecting too much information; too much is better than not enough. You may find that documentation in this area is lacking; if so, flag it as a possible network/security baselining effort that should be initiated and then updated regularly. Organize the notes in a cohesive fashion, tying them to functional and operational areas wherever possible, in whatever format is convenient for you. The following table contains a representative checklist of data to be gathered and presentation options:
Category | Description/Objective | Specific Elements | Possible Documentation Format |
---|---|---|---|
Organizational | Identify principal players for both physical and electronic security, including privacy | IM/T; Human Resources; Training (if separate from HR); Charts and Records; Executive Management; Plant/Facility Management; Financial | Organizational chart; job descriptions |
Organizational | Identify and capture key organizational documents | Strategic and tactical plans; HIPAA Privacy and Security plans; existing IT plans and standards; IT plans and initiatives | Word documents; catalog of documents/data sources |
Organizational | Overview of information system management within the organization | Staffing; funding; roles and responsibilities; relationship with the rest of the organization | Spreadsheets; org charts; job descriptions |
Infrastructure | Basic network orientation to establish scope and extent | - | VISIO or network topology showing major sites and connections, location of key systems, and sources of information |
Infrastructure | Detailed network diagrams indicating key servers, the key areas where PHI is held, what the databases are, etc. Indicate access points from external parties, even if air-gapped. Note: it helps to organize this information relative to the levels of the OSI stack. | Physical; logical; network services such as DNS, Active Directory, WINS, other | VISIO or graphical diagrams |
Infrastructure | Systems, including servers, workstations, databases, and applications | Physical: type of machines (Pentium or RISC), physical standards if applicable. End-user/desktop systems: O/S, standard applications, desktop AV tools, other. Server/applications/support utilities: backend application systems, including key application servers (roles and functions), basic database system used and user profile; network servers, applications, locations; external system interfaces (a diagram helps, no matter how simple); dial-up access (number of modems); description of the physical environment that houses IT systems, including emergency power, server room organization, and phone system | Table formats; diagrams |
Policies and Procedures | Accumulation of organizational policies and procedures | User access; security and confidentiality agreements; physical access to hardware; disaster planning/business continuity | Documentation, both physical and electronic |
Support Structure | Define how support is currently provided to end users | Network and systems (both internal and external services); applications (development, support, helpdesk); training | System administration and management documentation; training plans and lesson plans; security orientation materials; security awareness materials |