3.3 Introduction to the Sample Scenario
As we explore the details of the OCTAVE Method in Chapters 4 to 11, we illustrate major concepts using examples from a running scenario. The organization in the scenario is a fictitious, medium-sized medical facility called MedSite. MedSite is a hospital with several clinics and labs, some of which are at remote locations. The hospital's functional areas are described below.
MedSite's Organizational Structure
The MedSite administrator is the chief administrator for the hospital and has a small staff responsible for overseeing MedSite operations. In addition, each major functional area of the organization (administrative, medical, labs, and remote clinics) reports directly to the chief administrator. MedSite's senior management team includes the MedSite administrator and the individuals who lead the functional areas of the organization. Each functional area of MedSite contains one or more operational areas. The head of each operational area is considered to be a middle manager in the organization. Figure 3-5 shows the organizational chart for MedSite.
MedSite's main computer system is the Patient Information Data System (PIDS). PIDS includes the main PIDS server, the network, desktop PCs, and a variety of medical applications. The system also links and integrates a set of smaller, older databases related to patient care, lab results, and billing.
Patient data can be entered into PIDS or one of the other databases at any time from any workstation. Physicians, administrative clerks, lab technicians, and nurses are authorized to enter data into PIDS as well as the other systems. Personal computers, or workstations, are located in all offices, treatment rooms (including emergency rooms), nursing stations, and labs. In addition, physicians can access PIDS remotely from their home personal computers. In fact, there is talk around the hospital that medical personnel will soon be able to access PIDS using personal digital assistants (PDAs).
An independent contractor, ABC Systems, provides support for most of the systems at MedSite as well as for the network. MedSite's information technology personnel and another contractor each maintain some of the legacy systems still being used by MedSite's staff. The information technology staff members from MedSite provide on-site help desk support and basic system maintenance. ABC Systems provided MedSite's information technology personnel with limited systems and network training about a year ago.
MedSite's senior managers decided they wanted a comprehensive information security evaluation of their facility. Several new regulations are expected to be mandated by the government in the upcoming year, requiring MedSite to document the results of an information security risk evaluation. The regulations will also require MedSite to implement a practice-based standard of due care, meaning that MedSite would have to institutionalize recognized good security practices. After some discussion and consultation with other medical facility managers, they decided to use the OCTAVE Method. Funding for internally staffed activities was easier to find than additional money for contractors, and senior managers hoped that their staff would learn better security practices while conducting the evaluation.
During each activity in Part II, we will chart MedSite's progress as it conducts the OCTAVE Method. Chapter 4 starts exploring the OCTAVE Method in detail and examines how to prepare for the evaluation.