© 2016 NTT DATA, Inc.
2017 Risk Assessment – Corporate Apps Overview
Office of Strategy & Governance
Tenet Healthcare Account
February 2017
© 2016 NTT DATA, Inc.2 Office of Strategy & Governance - Tenet Healthcare Account - Services
Agenda
Risk Assessment Process
Risk Assessment Framework
THOR User Guide
Towers and Considerations
Governance and Program Tracking
Risk Assessment Process
Overview
Key roles and responsibilities
Process overview
2017 Risk assessment timeline
2017 Annual IT Risk Assessment Overview
Mission
• Meet Business Needs – Institute a simple but effective infrastructure risk review process
• Promote Collaboration
• Communicate to Tenet Owners the current state of infrastructure and what we think the risks are
• Provide recommendations on risk remediation prioritization
Benefits
• Budget planning and IT investment prioritization
• Project identification and selection
• Operational process and service management improvement
• Business continuity planning
• Technology portfolio and lifecycle management
Scope
• Corporate Applications determined to be in scope by Tenet IT and NTT Data account leadership
Focus Areas for 2017
• Application Criticality – Normalizing perceived criticality versus calculated criticality
• Risk Scores – Communicating the components of the score effectively to Tenet, in comparison to the trend from 2016
• Consistent scoring – choosing the impact, likelihood and risk category consistently across areas
• Navigating through lifecycle of a risk – from Needs funding to Funded to Complete
Key Roles and Responsibilities
SME/ Application Expert – Account-specified expert(s) for the application. Accountable for assessing risk for each tower; may reach out to additional experts for each specific tower
Operations Support Manager – Application Operations Leader responsible for the Application Operations team providing support for daily operations of the business application; reviews the risk assessment and mitigation status for each tower
Business Owner – Specified NTT Data Business Owner accountable for the business application
Portfolio Leader – Specified NTT Data Portfolio Leader responsible for a particular business area; final review prior to Governance Review/ Tenet approval
Governance Committee – Group responsible for validating risk assessment data prior to client communication
Tenet IT Owner – Specified Tenet IT Owner accountable for the business application; approves the risk assessment and mitigation plan
Tenet VP – Tenet sponsor responsible for business application review/ approval of Critical/ Important risks and their mitigation plans
Process Overview
One-Time
– Determine and agree on Infrastructure Criticality Score prior to risk assessment
Annual
– Assess Risk (SME): Identify and analyze risk conditions for each group by tower; enter risk condition, category, likelihood, impact and mitigation details
– Review Assessment (Business Owner/ Portfolio Leader): Check for completeness (risk condition, category, likelihood, impact); provide business context and the risk of not addressing, along with funding source and ROM $
– Governance Review: Review assessment for consistency and completeness; determine cut-off for budget prioritization and reports to Tenet
– Tenet Acknowledgement: Infrastructure Directors review, Tenet IT Owner engagement, Tenet VP level acknowledgement
Post assessment
– Tenet Budget Planning
2017 Risk Assessment Timeline
Jan – Feb: Corp Applications Criticality Assessment and Review
Feb: Finalize Info Session Package
Feb: Corp Application and Shared Infrastructure Assessment Info Session
Feb – Mar: Shared Infra Assessment/ Attestations
Mar: Shared Infra Gov. Rev Meetings
Mar – Jun: Corp App Assessment/ Attestations
Apr – Jun: Corp App Gov. Rev Meetings
Jun – Jul: Import and Analyze Data for Reporting
Jul: Obtain Tenet Acknowledgements
Jul 31, 2017: Complete Risk Assessment Cycle
Aug onwards: Mitigation Management; Tenet Budget Planning
NTT Data workflow across the cycle: Assess Criticality, Determine Scope, Assess Risk, Review Risk Assessment, Engage Tenet Dir/ CIO, Acknowledge Risk (VP), Prioritize Risk/ Mitigation, Input into Budget Process
Corporate Applications - Milestones
Feb 21 and Feb 23: Shared Infra Info Sessions
Feb 28 and Mar 1: Corp Apps Info Sessions
Mar 20 – Mar 29: Governance Reviews for Shared Infra (includes 2 contingency days)
Apr 6 – May 24: Governance Reviews for Corp Apps
May 24: Tentative end date for Governance Reviews
May 29: Shared Infra – Portfolio level review
Jun 1 – Jun 9: Corp Apps – Portfolio level reviews
Jun: Tenet Director level acknowledgements
Jul 31: Tenet VP Acknowledgement signatures due
Risk Assessment Framework
Risk Assessment Components
Risk Score Methodology
Common Conditions
Risk Assessment Reports
Application Criticality Score (100 points max)
• Regulatory Compliance (30 points)
– SOX
– PCI
– PII, PHI, HIPAA, others
• Downtime Impacts (30 points)
– Patient Care
– Financial
– Hospital Operations
• Current DR Option (40 points)
– Availability Ranking 0-5
Criticality scoring is a one-time assessment activity: a collaborative assessment between owners and service providers, with annual confirmation & adjustment prior to the Risk Assessment kick off.
Risk Assessment Components
• Risk Severity Score (Risk Assessment Score) – Maximum 100 points per risk
– Risk Category * Likelihood * Impact (maximum 4 * 5 * 5 = 100)
• Risk Category
– Security (4 points)
– Support, Age, Performance (2 points)
– Monitoring, Alerts, Others (1 point)
• Likelihood of Occurrence
– Very unlikely to occur (1 point)
– Less likely to occur (2 points)
– 50/50 chance of occurring (3 points)
– More likely to occur than not (4 points)
– Currently occurring (5 points)
• Impact of Risk
– Insignificant impact, additional reviews may be required (1 point)
– Small impact, small increased cost, but absorbable (2 points)
– Impact, increased cost (3 points)
– Substantial impact, remediation not in place, increased costs (4 points)
– Inability to offset impact, business case/ objective not viable (5 points)
• Risk Prioritization
– Based on Criticality Score and Risk Severity Score
– Threshold can be adjusted based on risk tolerance and funding availability
Risk Score Methodology
• Risk Item Score – max of 100 (high)
– 50% of Application Criticality Score
– 50% of Risk Severity Score – Category * Impact * Likelihood
• Application/ Technology Risk Score
– Sum of all Risk Item Scores
– No max score – depends on the number of risk items within the group
– All open risks (including funded or mitigation in progress) are scored

Worked example (per risk: Title / Category (weight) / Impact / Likelihood / Risk Score):
Application 1 – Application Criticality Score 30 – Application Risk Score 50
– Windows 2008 out of mainstream support / Support (2) / 3 / 5 / 30
– Not integrated with OPAS / Monitoring (1) / 2 / 5 / 20
Application 2 – Application Criticality Score 70 – Application Risk Score 109
– Failover will degrade performance / Performance (2) / 3 / 3 / 44
– No encryption at rest / Security (4) / 3 / 5 / 65
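The scoring rules above, worked through in code. This is an added example written for this page, not code from the NTT DATA deck or from THOR. It takes the Application Criticality Score as an input (its three components are assessed separately, once a year), uses the category weights and the 1-5 impact and likelihood scales from the previous slide, treats every mitigation status other than Complete as open (as the slide states), and reproduces the two applications in the worked table. The class and function names (`Risk`, `risk_item_score`, `application_risk_score`, `dashboard_row`) are this example's own.

```python
"""Risk-score arithmetic of the 2017 risk assessment framework.

Added example, not code from the NTT DATA/Tenet deck or from THOR. It applies
the deck's own definitions:
  risk severity     = category weight * impact * likelihood   (max 4 * 5 * 5 = 100)
  risk item score   = 0.5 * application criticality + 0.5 * risk severity (max 100)
  application score = sum of every open risk item score (no maximum)
Application criticality (0-100) is supplied as an input; its three components
(regulatory 30, downtime 30, DR option 40) are assessed once a year, outside this code.
"""
from dataclasses import dataclass

# Category weights from the "Risk Assessment Components" slide.
CATEGORY_WEIGHT = {
    "Security": 4,
    "Support": 2, "Age": 2, "Performance": 2,
    "Monitoring": 1, "Alerts": 1, "Others": 1,
}

# Mitigation statuses from the "Mitigation Status Classification" slide.
# Only "Complete" closes a risk; every other status stays open and is scored.
STATUSES = {"Needs Funding", "Funded", "Complete", "No Mitigation Plan", "Deferred"}


@dataclass(frozen=True)
class Risk:
    title: str
    category: str
    impact: int        # 1 (insignificant) .. 5 (business objective not viable)
    likelihood: int    # 1 (very unlikely) .. 5 (currently occurring)
    status: str = "Needs Funding"

    def severity(self) -> int:
        """Category * Impact * Likelihood, validated against the deck's scales."""
        if self.category not in CATEGORY_WEIGHT:
            raise ValueError(f"unknown risk category: {self.category!r}")
        if self.status not in STATUSES:
            raise ValueError(f"unknown mitigation status: {self.status!r}")
        for name, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")
        return CATEGORY_WEIGHT[self.category] * self.impact * self.likelihood

    @property
    def is_open(self) -> bool:
        return self.status != "Complete"


def risk_item_score(criticality: int, risk: Risk) -> float:
    """50% application criticality + 50% risk severity; 100 is the maximum."""
    if not 0 <= criticality <= 100:
        raise ValueError(f"criticality must be 0..100, got {criticality}")
    return 0.5 * criticality + 0.5 * risk.severity()


def application_risk_score(criticality: int, risks) -> float:
    """Sum of all open risk item scores (funded and in-progress risks included)."""
    return sum(risk_item_score(criticality, r) for r in risks if r.is_open)


def risk_band(app_score: float) -> str:
    """Colour band used on the 2016 Corporate Applications Dashboard."""
    if app_score <= 100:
        return "0 - 100"
    if app_score <= 200:
        return "101 - 200"
    return "> 200"


def dashboard_row(name: str, criticality: int, risks) -> dict:
    """One dashboard line: total, Deferred and Funded subtotals, and the band."""
    def subtotal(status: str) -> float:
        return sum(risk_item_score(criticality, r) for r in risks if r.status == status)

    total = application_risk_score(criticality, risks)
    return {
        "application": name,
        "criticality": criticality,
        "risk_score": total,
        "deferred_risk_score": subtotal("Deferred"),
        "funded_risk_score": subtotal("Funded"),
        "band": risk_band(total),
    }


# The deck's worked example, reproduced here as constructed input.
APPLICATION_1 = (30, [
    Risk("Windows 2008 out of mainstream support", "Support", impact=3, likelihood=5),
    Risk("Not integrated with OPAS", "Monitoring", impact=2, likelihood=5),
])
APPLICATION_2 = (70, [
    Risk("Failover will degrade performance", "Performance", impact=3, likelihood=3),
    Risk("No encryption at rest", "Security", impact=3, likelihood=5),
])

if __name__ == "__main__":
    for name, (crit, risks) in (("Application 1", APPLICATION_1), ("Application 2", APPLICATION_2)):
        for r in risks:
            print(f"{name}: {r.title:<40} {risk_item_score(crit, r):>5.0f}")
        total = application_risk_score(crit, risks)
        print(f"{name}: total {total:.0f} -> band {risk_band(total)}")
```

Running the module prints the per-risk scores of the worked table (30 and 20, summing to 50; 44 and 65, summing to 109). One consequence of the 50/50 split worth keeping in mind when reading the dashboard: a risk item can never score below half the application's criticality, so on a criticality-80 application even a 1-point category with impact 1 and likelihood 1 scores 40.5, and the application total grows with the count of open items regardless of their severity.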
Towers for 2017 assessment
• IT Risk is identified, assessed and categorized for the following focus areas (Towers) for each Business Application:
– 1. Client Architecture
– 2. Network Infrastructure/Access
– 3. Hardware & Operating System
– 4. Application/Database
– 5. Integrated Interface
– 6. Hosting Infrastructure
– 7. Storage/Data Recovery
– 8. System/Application Monitoring
– 9. Security
– 10. Disaster Recovery
• The Risk description and Mitigation Status for each risk item is then documented, reviewed and
communicated to Tenet Leadership
Common Conditions
• Refer to the common conditions in THOR for:
– Guidelines – common conditions and guidelines that apply across all towers
– Quick reference tables with lifecycle support dates for 2017
• The complete list of common conditions and guidelines can be found in THOR
Risk Assessment Reports
• Spreadsheet Report – for analysis, sorting and prioritizing
• Executive Risk Summary Report (earlier known as VP Acknowledgment)
– List of applications that need funding
– Other applications that were part of the risk assessment with no risk or funded risk
– 2017 Risks Overview
– Appendix with 2017 Risk Titles
• Risk Detail Report (earlier known as IT Owner Acknowledgment)
– List of applications that need funding
– Other applications that were part of the risk assessment with no risk or funded risk
– For each application:
• Risks with mitigation plans that need funding
• Risks with mitigation plans that do not need funding
• Risks with mitigation plans that are funded
2016 Corporate Applications Dashboard
Risk score bands used for colour coding: 0 - 100, 101 - 200, > 200
Columns: Tenet VP | Portfolio | Corporate Application | Application Criticality Score | 2016 Risk Score | Deferred Risk Score | Funded Risk Score
(Each row below gives the application followed by its scores in that order; blank Deferred/ Funded cells were dropped in extraction, so a row with three numbers carries Criticality, 2016 Risk Score and one of the two subtotals.)
Mike Hongola Financial
Genesys Payroll (Mainframe) 70 335 105
HRMSWeb Shared 40 300
AlarisSM & CQI-CareFusion 30 271
HEDS 50 260 40 41
Hyperion System 11 30 244 30 175
S2K 60 241
AvantGard ResIQ 20 210 140
Authorized Signers 20 202
HR Retention 20 195
Genesys Payroll (NT) 40 157
BIQ 20 152
HRMSWeb 70 150 100
Kronos iSeries TimeKeeper 40 131
ESS Portal 30 117 70
EIS 10 105
TMS Enterprise 20 105
Appadmin 10 85
VacTrac 20 84
BIDS 10 82 20 25
AdHocHRMS 20 60
AdHocHRMSPY 20 60
Saba 10 45 20 25
Balanced Scorecard 20 25
CFDB 20 25 25
Liz Johnson Financial
IMMS 80 307 112
Triton 50 304
StaffRunner & PCSS 50 300
IMMS Data Warehouse 30 150 30
PIMS 20 98
Clinical
Merge iConnect Access 80 558 140
Cerner Millennium (Core) 80 543 381
ACUO Vendor Neutral Archive 80 396 168
Powerscribe 360 Central 50 294
Omnicell 40 188 40
AIMS 20 180
PowerInsight Explorer 40 141
Cerner CareAware iBus 30 140 40
STARSWeb 20 130
Cerner 724Access Downtime Viewer 40 128 35
Cerner CareAware Multimedia 50 115 30
MediLinks Rehab Manager 40 98
RightBed 50 92
Everbridge Aware 20 80 30
Cerner Millennium CareMobile 30 75 50
Allscripts Care Management 70 75
Tenet ACI-PMO Sharepoint Site 65 65
Quantros eCQS 30 62
Quantros eSRM 30 62
Cerner Physician Express 20 58
STARS Enterprise 30 50
Patient Accounting
Horizon Patient Folder 50 477 95 327
Disclosure Tracking 40 312 262
CareMedic AccelerateAR Claims Management 40 252 202
MCEL 40 238 102
DSG Direct 40 237 102
3M 360 Encompass 40 228 75 103
ePremis 40 206
CareMedic AccelerateAR MedicareRT 40 202 102
eScription 50 199
OnDemand Web 50 170 89
Remote Coding Portal 30 130 75 55
Enterprise Master Person Index 30 92 27
Patient Access 40 85 35
PBAR 80 70
3M Coding and Reimbursement System 30 65
Data Exchange 40 50
ABILITY 40 50
Brian Barnes Enterprise Systems
Sitefinity Consumer Websites 30 385 161
eTenet Logon 20 218 156
Compliance Central 20 188 154
Patient Data Reporting 40 187 32
CFOR 10 168 168
AIMS Legal 20 154 30
eReserve 40 151
eCATS 20 145 46
Hospital Consumer Websites 20 143 124
WebTrends 10 135 135
Enterprise Content Management 30 116 55
Data Access and Showcase Query 50 113 45
BPM - Pega 20 102
CaseTrack 20 102 20
Insight Analytics & Meaningful Use Compliance
Reporting 50 83 26
MASS 30 75
eTenet Portal 20 65 15
Tenet Media Servers 10 61 15
eTenet Divested 20 58 15
SharePoint Team Sites 20 55 15
Physician Contact Management 10 55 20
Business Intelligence Enterprise Data Warehouse 30 33
Tenet Hospital Intranet Sites 10 30 30
Enterprise Reporting Portal 30 30 30
MyAlerts 10 28 13
Cost Accounting 20 25
ExecutiveRecruiting 10 20
Support Portal 10 20 20
MyTenet 20 15
eCDM 10 14
MySites 10 13 13
David Bordofske Ambulatory
NextGen EHR/EPM 60 467 69
eMDS 50 246 31
Health Data Integrator 40 160
Mirth Health Information Exchange (HIE) 20 144 20
Ensemble 40 130 40
Event Messaging Service 40 115
Symed 20 99 15
Nuance Dragon 10 73 20
Tenet Physician Portal 20 14
Ricky Johnston IS Security
ESSO 50 319
ADAM 80 134
AuthMinder 40 76
AirWatch MDM 10 55
eID 10 30
IdentityMinder 30 25
SiteMinder 10 19
Infrastructure
Exchange 20 95 25
RightFax 40 47
Active Directory 40 42
2016 Corporate Applications Risk Matrix
Legend: Application to be decommissioned (flagged in the original); P = check mark, the condition applies to the application
Columns: Tenet VP | Portfolio | IT Owner | Corporate Application | Criticality Score | Risk Score, followed by one column per common condition:
IE 10 and earlier; JRE/ Java 7; Win 2000; Win 2003; SQL 2000; SQL 2005; .Net 2.0; PHI/ PII unencrypted at transit/ rest; Not ADAM aware/ Manual Provisioning; No Compliance Central Task; No HIPAA Compliant Audit Logging; Unsupported App Version
(Column positions of the check marks were not preserved in extraction; each P in a row shows only that one of these conditions applies.)
David Bordofske Ambulatory
Kale Woods
Ensemble 40 130 P P P
Event Messaging Service 40 115 P
Health Data Integrator 40 160 P P
Mirth Health Information Exchange (HIE) 20 144 P P
Tenet Physician Portal 20 14 P
Richard Voets
eMDS 50 246 P P
NextGen EHR/EPM 60 467 P
Symed 20 99 P
Liz Johnson
Clinical
Guy Neel
AIMS 20 180 P P P P P
Allscripts Care Management 70 75 P
Cerner 724Access Downtime Viewer 40 128 P
Cerner CareAware iBus 30 140 P P
Cerner CareAware Multimedia 50 115 P
Cerner Millennium (Core) 80 543 P
Cerner Millennium CareMobile 30 75 P
Everbridge Aware 20 80 P
Omnicell 40 188 P P
STARSWeb 20 130 P P P P
Tenet ACI-PMO Sharepoint Site 65 P
Patricia Klamm
ACUO Vendor Neutral Archive 80 396 P
Merge iConnect Access 80 558 P P
Powerscribe 360 Central 50 294 P
Financial
Bill Watts IMMS 80 307 P P P
PIMS 20 98 P P
Margo Fussell StaffRunner & PCSS 50 300 P P P
Triton 50 304 P P P P
Patient Accounting
Carl Gamble
ABILITY 40 82 P
CareMedic AccelerateAR Claims Management 40 252 P P
CareMedic AccelerateAR MedicareRT 40 202 P P
Data Exchange 40 50 P
DSG Direct 40 237 P P
ePremis 40 206 P P
MCEL 40 238 P P P
Heidi Catalan PBAR 80 70 P
Kim Taylor
3M 360 Encompass 40 228 P
3M Coding and Reimbursement System 30 65 P
Disclosure Tracking 40 312 P P P P P
eScription 50 199 P P
Horizon Patient Folder 50 477 P P P P
Remote Coding Portal 30 130 P
Suzanne Webb
Enterprise Master Person Index 30 92 P P
OnDemand Web 50 170 P
Patient Access 40 85 P
2016 Corporate Applications Risk Matrix - Continued
Legend and columns as above: Tenet VP | Portfolio | IT Owner | Corporate Application | Criticality Score | Risk Score, then the common-condition columns IE 10 and earlier; JRE/ Java 7; Win 2000; Win 2003; SQL 2000; SQL 2005; .Net 2.0; PHI/ PII unencrypted at transit/ rest; Not ADAM aware/ Manual Provisioning; No Compliance Central Task; No HIPAA Compliant Audit Logging; Unsupported App Version (P = check mark)
Brian Barnes Enterprise Systems
Andi Wiese
AIMS Legal 20 154 P
CaseTrack 20 102 P
eTenet Divested 20 58 P
eTenet Logon 20 218 P
ExecutiveRecruiting 10 20 P
Hospital Consumer Websites 20 143 P P P
Physician Contact Management 10 55 P P
Sitefinity Consumer Websites 30 385 P P P P
WebTrends 10 135 P P P
Elaine Johnson
Data Access and Showcase Query 50 113 P
eReserve 40 151 P P
MASS 30 75 P
Patient Data Reporting 40 187 P P P P
Enterprise Reporting Portal 30 30 P
Mathew Mahaffey Insight Analytics & Meaningful Use Compliance Reporting 50 83 P
Sonia Khosla Business Intelligence Enterprise Data Warehouse 30 33 P
Todd Coffee
BPM Pega 20 102 P P P
CFOR 10 168 P P P
Compliance Central 20 188 P P P
eCATS 20 145 P P P
Enterprise Content Management 30 116 P
Mike Hongola Financial
Hoai-Son Nguyen
AdHocHRMS 20 60 P
AdHocHRMSPY 20 60 P
BIQ 20 152 P
Genesys Payroll (Mainframe) 70 335 P P P P
Genesys Payroll (NT) 40 157 P P
HEDS 50 260 P P
HR Retention 20 195 P P P P
HRMSWeb 70 150 P
HRMSWeb Shared 40 300 P P P P P P
VacTrac 20 84 P
Jim Forehand
AlarisSM & CQI-CareFusion 30 271 P P P P
Authorized Signers 20 202 P
AvantGard ResIQ 20 210 P P P
Balanced Scorecard 20 25 P
EIS 10 105 P P P
S2K 60 241 P P
TMS Enterprise 20 105 P P
Neil Anson Hyperion System 11 30 244 P P P
Kronos iSeries TimeKeeper 40 131 P
Ricky Johnston
Infrastructure Bruce Mears RightFax 95 P
IS Security Christy Rodgers
eID 10 30 P P
ESSO 50 319 P P
SiteMinder 10 19 P
THOR User Guide
URL/ Navigation
THOR mechanics
General information – key fields
THOR changes – risk detail
THOR changes - risk and mitigation summary
THOR changes - Ability to share/ link identified risks
URL/ Navigation
• https://thor.pschealth.com/oea/
Access Request to THOR is via eID
• https://thor.pschealth.com/OEA/views/tenetoea/Requesting%20THOR%20Access%20Via%20EID.htm
In case of issues with access, reach out to Tenet helpdesk ([email protected]) or call 800-639-7575 and open an incident ticket to the "Tenet-THOR" assignee group
THOR Mechanics
Select an application to view
Click Edit
New User Interface Navigation
• Click on the Save Changes button to make sure changes are saved
• Overview presentation and Common Conditions are available for quick reference
• Use the right pane menu to navigate across towers easily
General Information – Key Fields
Name
• Unique name to identify the application
Description
• Ensure that the application is described accurately and briefly, with the right level of detail for a wide range of audiences
Tenet Executive Summary
• The primary Tenet business use of this application (less than 250 chars)
Business Function Supported – Canonical application names to match the Application Portfolio Optimization (APO)
Software Vendor – Provide the name of the primary vendor of the application
Software Customization Type – Specify if the app is developed in-house, an off-the-shelf product, or customized for NTT Data
Review the following names and update where applicable – used for all communication and reporting
• Ops Support Manager
• Application Technical Expert (option to select multiple names)
• Portfolio Leader
• Business Owner
• Tenet VP
• Tenet IT Owner
General Information – Key Fields
Architecture Diagram – Upload client architecture and network architecture diagrams and any supporting documents. Example diagrams can be found in the Solution Architecture Template.
• Classify files uploaded; upload a new document with the right classification
TPM Quadrant
• 0-Develop, 1-Invest, 2-Grow, 3-Harvest, 4-Sunset, 5-Shutdown, 6-Decommissioned
Application Hosting and Support – include information only for relevant sections
• 3rd Party Hosted
• 3rd Party Supported
• 3rd Party Name
General Information – Key Fields
Facility Name
• Click on Select to confirm selection
Application Criticality
Criticality scores will be a view only section, please reach out to Ramya Raja for updates to criticality score and component values
Risk Detail – Add
• Click on Add New at the end of each tower
• Click on No Changes Needed if everything stays the same as the 2016 assessment for the specific tower
• The Tenet logo indicates that the field will be included in reports to be shared with Tenet
• The risk score is a calculated field: 50% of the criticality score and 50% of the product of category, impact and likelihood
• Hit Save to save the risk before closing the window
Risk Detail – Edit
• Risks created prior to 2017 can only be edited to capture the status of the risk, e.g. if the risk moved from Needs Funding to Funded, or from Funded to Complete
• The Risk Title cannot be edited, so that the risk is retained as originally recorded
Mitigation Status Classification
To remediate the risk, action could be taken in the form of an action plan, IT controls, monitoring etc.
Record the suggested remediation, status and specific dates
Needs Funding
Funded
Complete
No Mitigation Plan
Deferred
Deferred status will be disabled until after the Risk Assessment status is flipped to
Completed Tenet Review. All risks marked Deferred after Tenet review last year, have
been defaulted to Needs Funding
Linking risks
• Ability to link risks identified in other apps or shared infrastructure groups
• Select risks from business apps/ shared infrastructure groups
• The linked risk is then displayed on the risk
Summarize Risk and Mitigation and Include Business Context
1. When SME/ App Tech Experts complete their assessment, change the status to "Assessment Complete"
2. When the Business Owner review is complete, indicate the status ("Business Owner Review Complete")
3. When the Portfolio Leader has completed the risk and mitigation review, click the button to mark it Ready for Governance Review
PMO will be monitoring updates to the group, and status changes will be reported to the governance committee periodically.
Towers and Considerations
Considerations for risk scoring
– Client Architecture
– Network Infrastructure/Access
– Hardware & Operating System
– Application/Database
– Integrated Interface
– Hosting Infrastructure
– Storage/Data Recovery
– System/Application Monitoring
– Security
– Disaster Recovery / Business Continuity
Client Architecture
Factors to consider from the Client's Architecture perspective
• Browser and its compatibility
• Client version and supportability
• Terminal Services (Attachmate, IBM Client Access, Blue Zone)
• Thick client by itself may not pose an IT Risk/ threat
• Active X can pose security risks
• Any support/ licensing concerns
• Compatibility with the client platform (ex. Windows 7)
• Virtualizable/ Mobility
• Browser/ OS/ Java compatibilities
Network Infrastructure/ Access
Factors to consider
• Redundant NICs, Switches, WAN Routers, WAN Circuits, WAN Carriers
– "Yes" only if physical NICs are actively being used for redundancy
• Outdated equipment
– LAN: NICs, Routers, Switches, Firewalls
– WAN: Routers, Circuits
• Bandwidth less than Tenet requirements
• Security: Denial of Service
Hardware and Operating System
Factors to consider
• Validate all server warranty info
• Hardware maintenance contract
• Support for Operating System release/ version/ patch level
– Mainstream, Extended Support, No support
– Vendor provided hotfixes and security patches
• OS maintenance level
• Hardware spares
Potential Impact
• End-of-life H/W or OS version
– Potential loss of warranty and vendor support
– Potential slowdown/ disruption of application
• Server hardware failure, non-redundant server-storage architecture
– Potential disruption to application/ database availability
• Security: Denial of Service, Unauthorized Access
– Potential hacking and/or unauthorized access to the application and its data
Application/ Database
Factors to consider
• Single server architecture, failover/ HA capabilities
• End of life (ex. databases hosted on SQL Server 2000 or 2005)
• Expiring licenses, limit on concurrent users
• Validate running backups
• Dependency on other applications
• Lack of redundant connectivity between application, data and network
• Approaching server capacity limit for data processing
Integrated Interface
Factors to consider
• Frequent breakdowns in the integration interface
• Data encryption during transmission does not meet Tenet standards
• Interface incompatible with source/ destination
• Insufficient interface capacity to handle source/ destination data traffic
Hosting Infrastructure
Factors to consider
• Tier-1 level data center capabilities
– Potential downtime due to non-redundant capacity and distribution paths
– Potential compromises to physical environment due to failures in power supply, cooling, etc.
– Site disasters could significantly disrupt uptime
• Tier-2 level data center capabilities
– Potential compromises to physical environment due to failures in power supply, cooling, etc.
– Site disasters could significantly disrupt uptime
• Tier-3 level data center capabilities
– Site disasters could significantly disrupt uptime
• Inadequate availability of skilled resources
– Longer lead times for incident resolution and application enhancements
Storage/ Data Recovery
Factors to consider
• Storage lifecycle
• Redundant storage interfaces (document the specifics)
– Ensure that capacity does not suffer due to component failure
• Inadequate capacity to accommodate future growth
• Single access path to storage device
• Data corruption
• Off-server data backup capability is lacking/ inadequate
• Storage disk failure
• Data backup plan
System/ Application Monitoring
Factors to consider
• Ability to report/ monitor status of key elements
• Lack of automated monitoring of hardware availability
• Inadequate communication of monitoring events
Potential Impact
• Disruption of operation in key elements could go undetected
• Delayed detection of hardware failure
• Potential disruption to application
• Potential HIPAA compliance failure
• Potential unauthorized access to PHI
Security
Factors to consider
• Unauthorized access to PHI and CC (credit card) information
• Unauthorized/ undocumented access to application user, server and database
• Virus protection
– Tenet standard product – Cylance Protect
– Security Access Control Exception required if no protection is in place
• Vulnerabilities
• Data encryption at rest and in transit
• Audit Logging and Compliance Central
Potential Impact
• Potential compliance failure – PCI, HIPAA
• Potential unauthorized access to PHI
• Potential loss of application/ data
Disaster Recovery
Factors to consider
• Business Impact Analysis for the application – is there a requirement for DR site/ equipment
• Sufficient capacity at DR
• DR testing
Potential Impact
• Potential delay/ inability to recover from disaster/ severe disruption
• Potential compliance failure
• Potential data loss or inadequate data recovery
Governance and Program Tracking
Governance measures
Governance Review Schedule
Meeting Invitation for Governance Review
Reminders and communication
Risk Assessment Project Management Guidelines
• Determine in-scope applications for the 2017 Risk Assessment
• Review and update Criticality Assessment
• Planning
– Information Session for Risk Assessment
– Governance Review Schedule
– Develop guidance materials
• Track progress
• Reporting for Tenet
• Risk Assessment PM – Cherye Moore

Accountable Role – Tasks – Recommended Timeline
App Tech Experts/ SME – Assess risk for each tower/ application; update THOR and set status to "Assessment Completed" – 2 weeks prior to meeting date
Business Owner – Review/ update risk status and mitigation status in THOR; set status to "Business Owner Review Complete" – 1 week prior to meeting date
Portfolio Leader – Review/ update risk status and mitigation status in THOR; click the "Ready for Governance Review" button – 1 day prior to meeting date
App Tech Experts/ SME – Resolve action items – 10 days after Governance Review
Meeting Invitation for Governance Review
Contents include:
• Skype meeting link
• Apps being reviewed
• Recommended statuses according to time frame. Please have technologies in Ready for Governance Review status no later than 9 a.m. on the day of the review.
Please note that unless told otherwise, only NTT Data people who have assigned roles in THOR will be included in the invitation.
If additional people are needed for these meetings and/or for related communications, please let Cherye Moore know.
From: Cherye Moore
Reminder Emails and Action Items
• 2-Week Reminder
• 1-Week Reminder
• 1-Day Reminder
• Post Review Action Items
• Action Item completion reminder – 10 days after the review
Recommended statuses show where the teams should be to make sure they go through internal reviews in a timely manner.