Sunday, June 22, 2014

Hope Clinic Disaster Recovery Plan - 2012

 


7001 Corporate Dr, Suite 120 

Houston, TX 77036

IT Disaster Recovery Plan

Revision History

| Revision | Date | Name | Description |
|---|---|---|---|
| Original 1.0 | | | |

     
       
       


Table of Contents

1 Plan Overview

1.1 Plan Updating

1.2 Plan Documentation Storage

1.3 Backup Strategy

1.4 Risk Management

2 Emergency Response

2.1 Alert, escalation and plan invocation

2.1.1 Plan Triggering Events

2.1.2 Assembly Points

2.1.3 Activation of Emergency Response Team

2.2 Disaster Recovery Team

2.3 Emergency Alert, Escalation and DRP Activation

2.3.1 Emergency Alert

2.3.2 DR Procedures for Management

2.3.3 Contact with Employees

2.3.4 Backup Staff

2.3.5 Personnel and Family Notification

3 Media

3.1 Media Contact

3.2 Media Strategies

3.3 Media Team

3.4 Rules for Dealing with Media

4 Insurance

5 Financial and Legal Issues

5.1 Financial Assessment

5.2 Financial Requirements

5.3 Legal Actions

6 DRP Exercising

Appendix A – Technology Disaster Recovery Plan Templates

Disaster Recovery Plan for Server 1

ADDENDUM

Disaster Recovery Plan for Server 2

ADDENDUM

Disaster Recovery Plan for Server 3

ADDENDUM

Disaster Recovery Plan for Local Area Network (LAN)

Network Diagram as of 6/7/2012

ASA Firewall Configs as of 6/7/2012

Disaster Recovery Plan for Wide Area Network (WAN)

ADDENDUM

Disaster Recovery Plan for Voice Communications

ADDENDUM

Appendix B – Suggested Forms

Damage Assessment Form

Management of DR Activities Form

Disaster Recovery Event Recording Form

Disaster Recovery Activity Report Form

Mobilizing the Disaster Recovery Team Form

Mobilizing the Business Recovery Team Form

Monitoring Business Recovery Task Progress Form

Preparing the Business Recovery Report Form

Communications Form

Returning Recovered Business Operations to Business Unit Leadership

Business Process/Function Recovery Completion Form

Information Technology Statement of Intent

This document delineates our policies and procedures for technology disaster recovery, as well as our process-level plans for recovering critical technology platforms and the telecommunications infrastructure. This document summarizes our recommended procedures. In the event of an actual emergency situation, modifications to this document may be made to ensure physical safety of our people, our systems, and our data.

Our mission is to ensure information system uptime, data integrity and availability, and business continuity.

Policy Statement

Corporate management has approved the following policy statement:

· The clinic shall develop a comprehensive IT disaster recovery plan.

· A formal risk assessment shall be undertaken to determine the requirements for the disaster recovery plan.

· The disaster recovery plan should cover all essential and critical infrastructure elements, systems and networks, in accordance with key business activities.

· The disaster recovery plan should be periodically tested in a simulated environment to ensure that it can be implemented in emergency situations and that the management and staff understand how it is to be executed.

· All staff must be made aware of the disaster recovery plan and their own respective roles.

· The disaster recovery plan is to be kept up to date to take into account changing circumstances.

Objectives

The principal objective of the disaster recovery program is to develop, test and document a well-structured and easily understood plan which will help the company recover as quickly and effectively as possible from an unforeseen disaster or emergency which interrupts information systems and business operations. Additional objectives include the following:

• The need to ensure that all employees fully understand their duties in implementing such a plan

• The need to ensure that operational policies are adhered to within all planned activities

• The need to ensure that proposed contingency arrangements are cost-effective

• Disaster recovery capabilities as applicable to key customers, vendors and others

Key Personnel Contact Info

Andrea Caracostis
Work: (713) 773-0803 Ext 110
Mobile: 713-254-2235
Email Address: acaracostis@hopechc.org

SukJun Cheng
Work: (713) 773-0803 Ext 121
Mobile: 832-877-3738
Email Address: mcheng@hopechc.org

Richard R Andrews
Work: (713) 773-0803 Ext 106
Mobile: 281-408-6427
Email Address: randrews@hopechc.org

Shane Chen
Work: (713) 773-0803 Ext 105
Mobile: 713-398-4849
Email Address: schen@hopechc.org

Victor Rodriguez
Work: (713) 773-0803 Ext 127
Mobile: 832-283-0651
Email Address: vrodriguez@hopechc.org

Norma McCoy
Work: (713) 773-0803 Ext 115
Mobile: 832-896-8971
Email Address: nmccoy@hopechc.org

   

Notification Calling Tree

 


External Contacts

Landlord / Property Manager - 7001 Corporate Investment Partner
Account Number:
Phone: 281-222-1678
7001 Corporate Dr, Suite 120, Houston, TX 77036

Power Company - Reliant Energy
Account Number:
Phone: 713-207-7777
Address: P.O. Box 3765, Houston, TX 77253-3765
Web Site: http://www.reliant.com/Welcome.do;jsessionid=A3562B9178B06815579E9D7CA5F0ADE5
Email: service@reliant.com

T1 Carrier - TACHC
Account Number:
Work: (512) 329-5959
Fax: (512) 329-9189
Address: 5900 Southwest Parkway, Building 3, Austin, TX 78735
Email Address: Lee Davila ldavila@tachc.org
Web Site: http://www.tachc.org/

T1 Carrier – Medicaid - AT&T
Account Number:
Phone: 1-888-944-0447
Support: 1-800-248-3632
eContact: https://www.att.com/econtactus/emailUsForm.jsp?form=highSpeedInternet&subj=hsiChargesBill&Referrer_Page=cu
Web Site: http://www.att.com/gen/landing-pages?pid=9213

PBX Carrier - Logix
Account Number:
Phone: Main: (713) 862-2000
Phone: 1-800-444-0258
Fax: (713) 333-8731
Address: 2950 N. Loop W., 8th Floor, Houston, TX 77092
Sales Email Address: frank.pridey@logixcom.com
Voice Help Desk: 1-877-722-5283
Web Site: http://www.logixcom.com

Hardware Supplier - Directron
Account Number:
Work: 713-773-9898
Address: 10402 Harwin Drive, Houston, Texas 77036, USA
Tech Phone Number: 713-773-3636 x1700
Sales Email Address: General_sales@directron.us
Tech Email Address: tech@directron.us

Server Supplier - Dell
Account Number:
Phone: 1-800-274-1550
Web Site: http://content.dell.com/us/en/healthcare/healthcare-solutions.aspx?~ck=mn
eContact: http://support.dell.com/support/topics/global.aspx/support/dellcare/contact_technical_support?c=us&l=en&s=gen
Tech Support: 1-800-822-8965

Workstation Supplier - HP
Account Number:
Support: 866-625-0242 Option #1
Sales: 866-625-0242 Option #2
Customer Service: 866-625-0242 Option #3
Web Site: http://www.hp.com/

Office Supplies - Staples
Account Number:
Phone: 713-777-0614
Fax: 713-777-0683
Address: 8225 S. Gessner Rd Suite A, Houston, TX 77036
Web Site: http://www.staples.com/

Insurance – Frost Insurance
Account Number:
Work: 713-388-1250
Fax: 713-388-1238
Address: 3707 Richmond Ave Houston, TX 77046
Web Site: https://www.frostbank.com/Pages/Business-Property-Liability-Insurance.aspx

Electronic Health Record - Sevocity Electronic Health Records
Account Number:
Phone: 877-777-2298
Address: 9830 Colonnade Blvd., Suite 377, San Antonio, TX 78230-2202
Web Site: http://www.sevocity.com/
Email address: support@sevocity.com
Trouble ticketing: http://www.sevocity.com/ehr-customer-support

Practice Management - Medical Systems, Inc.
Account Number:
Phone: (978) 531-6000
Address: Peabody Education and Business Center, 83 Pine Street, Peabody, MA 01960
Web Site: http://msi-chc.com/
Email Address: Info@msi-chc.com
Sales Contact: Helen Marie Simms, HelenMarie.Simms@msi-chc.com
Trouble Ticketing: http://msi-chc.com/help_desk/default.html
User Name/Password:

HCN (Platinum) - Health Choice Network
Account Number:
Phone: (305) 599-1015 ext. 18019
Address: 9000 N.W. 15 Street, Miami, FL 33172
Mailing Address: 9064 N.W. 13 Terrace, Miami, FL 33172
Web Site: http://www.hcnetwork.org/
Email Address: ifarinas@hcnetwork.org
Sales Contact: Iliana Farinas
Trouble Ticketing: http://www.hcnetwork.org/firstcall/
User Name/Password: hcn\[UserName] login password

External Contacts Calling Tree



1 Plan Overview

1.1 Plan Updating

It is necessary for the DRP updating process to be properly structured and controlled. Whenever changes are made to the plan they are to be fully tested and appropriate amendments should be made to the training materials. This will involve the use of formalized change control procedures under the control of the IT Director.

1.2 Plan Documentation Storage

Copies of this Plan, CD, and hard copies will be stored in secure locations to be defined by the company. Each member of senior management will be issued a CD and hard copy of this plan to be filed at home. Each member of the Disaster Recovery Team and the Business Recovery Team will be issued a CD and hard copy of this plan. A master protected copy will be stored on specific resources established for this purpose.

1.3 Backup Strategy

Key business processes and the agreed backup strategy for each are listed below. The strategy chosen is for full backups to be maintained at the TACHC offices in Austin, TX. This strategy entails the maintenance of hosted applications which will enable online access.

| KEY BUSINESS PROCESS | BACKUP STRATEGY |
|---|---|
| IT Operations | Off-site data storage facility |
| Email | Off-site data storage facility |
| Disaster Recovery | Off-site data storage facility |
| Finance | Off-site data storage facility |
| Human Resources | Off-site data storage facility |
| Web Site | Off-site data storage facility |

1.4 Risk Management

There are many potential disruptive threats which can occur at any time and affect the normal business process. We have considered a wide range of potential threats and the results of our deliberations are included in this section. Each potential environmental disaster or emergency situation has been examined. The focus here is on the level of business disruption which could arise from each type of disaster.

Potential disasters have been assessed as follows:

| Potential Disaster | Probability Rating | Impact Rating | Brief Description Of Potential Consequences & Remedial Actions |
|---|---|---|---|
| Flood | 3 | 4 | All critical equipment is located on 1st Floor |
| Fire | 3 | 4 | FM200 suppression system installed in main computer centers. Fire and smoke detectors on all floors. |
| Tornado | 5 | | |
| Electrical storms | 5 | | |
| Act of terrorism | 5 | | |
| Act of sabotage | 5 | | |
| Electrical power failure | 3 | 4 | Redundant UPS array together with auto standby generator that is tested weekly & remotely monitored 24/7. UPSs also remotely monitored. |
| Loss of communications network services | 4 | 4 | Two diversely routed T1 trunks into building. WAN redundancy, voice network resilience |

Probability: 1=Very High, 5=Very Low

Impact: 1=Total destruction, 5=Minor annoyance

2 Emergency Response

2.1 Alert, escalation and plan invocation

2.1.1 Plan Triggering Events

Key trigger issues at the clinic that would lead to activation of the DRP are:

• Total loss of all communications

• Total loss of power

• Flooding of the premises

• Fire on the premises

• Loss of the building

2.1.2 Assembly Points

Where the premises need to be evacuated, the DRP invocation plan identifies two evacuation assembly points:

• Primary – Far end of main parking lot;

• Alternate – Parking lot of company across the street

2.1.3 Activation of Emergency Response Team

When an incident occurs the Emergency Response Team (ERT) must be activated. The ERT will then decide the extent to which the DRP must be invoked. All employees must be issued a Quick Reference card containing ERT contact details to be used in the event of a disaster. Responsibilities of the ERT are to:

• Respond immediately to a potential disaster and call emergency services;

• Assess the extent of the disaster and its impact on the business, data center, etc.;

• Decide which elements of the DR Plan should be activated;

• Establish and manage disaster recovery team to maintain vital services and return to normal operation;

• Ensure employees are notified and allocate responsibilities and activities as required.

2.2 Disaster Recovery Team

The team will be contacted and assembled by the ERT. The team's responsibilities include:

• Establish facilities for an emergency level of service within 2.0 business hours;

• Restore key services within 4.0 business hours of the incident;

• Recover to business as usual within 8.0 to 24.0 hours after the incident;

• Coordinate activities with disaster recovery team, first responders, etc.

• Report to the emergency response team.


2.3 Emergency Alert, Escalation and DRP Activation

This policy and procedure has been established to ensure that in the event of a disaster or crisis, personnel will have a clear understanding of who should be contacted. Procedures have been addressed to ensure that communications can be quickly established while activating disaster recovery.

The DR plan will rely principally on key members of management and staff who will provide the technical and management skills necessary to achieve a smooth technology and business recovery. Suppliers of critical goods and services will continue to support recovery of business operations as the company returns to normal operating mode.

2.3.1 Emergency Alert

The person discovering the incident calls a member of the Emergency Response Team in the order listed:

Emergency Response Team

• Andrea Caracostis

• Richard Andrews

• Shane Chen

If not available try:

• Suk Jun Cheng

• Victor Rodriguez

The Emergency Response Team (ERT) is responsible for activating the DRP for disasters identified in this plan, as well as in the event of any other occurrence that affects the company’s capability to perform normally.

One of the tasks during the early stages of the emergency is to notify the Disaster Recovery Team (DRT) that an emergency has occurred. The notification will request DRT members to assemble at the site of the problem and will involve sufficient information to have this request effectively communicated. The Business Recovery Team (BRT) will consist of senior representatives from the main business departments. The BRT Leader will be a senior member of the company's management team, and will be responsible for taking overall charge of the process and ensuring that the company returns to normal working operations as early as possible.

2.3.2 DR Procedures for Management

Members of the management team will keep a hard copy of the names and contact numbers of each employee in their departments. In addition, management team members will have a hard copy of the company’s disaster recovery and business continuity plans on file in their homes in the event that the clinic building is inaccessible, unusable, or destroyed.

2.3.3 Contact with Employees

Managers will serve as the focal points for their departments, while designated employees will call other employees to discuss the crisis/disaster and the company’s immediate plans. Employees who cannot reach staff on their call list are advised to call the staff member’s emergency contact to relay information on the disaster.

2.3.4 Backup Staff

If a manager or staff member designated to contact other staff members is unavailable or incapacitated, the designated backup staff member will perform notification duties.

2.3.5 Personnel and Family Notification

If the incident has resulted in a situation which would cause concern to an employee’s immediate family such as hospitalization of injured persons, it will be necessary to notify their immediate family members quickly.

3 Media

3.1 Media Contact

Assigned staff will coordinate with the media, working according to guidelines that have been previously approved and issued for dealing with post-disaster communications.

3.2 Media Strategies

1. Avoid adverse publicity

2. Take advantage of opportunities for useful publicity

3. Have answers to the following basic questions:

· What happened?

· How did it happen?

· What are you going to do about it?

3.3 Media Team

Andrea Caracostis _

Richard Andrews _

Shane Chen _

3.4 Rules for Dealing with Media

Only the media team is permitted direct contact with the media; anyone else contacted should refer callers or in-person media representatives to the media team.

4 Insurance

As part of the company’s disaster recovery and business continuity strategies a number of insurance policies have been put in place. These include errors and omissions, directors & officers liability, general liability, and business interruption insurance.

If insurance-related assistance is required following an emergency out of normal business hours, please contact:

| Policy Name | Coverage Type | Coverage Period | Amount Of Coverage | Person Responsible For Coverage | Next Renewal Date |
|---|---|---|---|---|---|
| Frost Insurance | Liability | | | | |

 


5 Financial and Legal Issues

5.1 Financial Assessment

The emergency response team shall prepare an initial assessment of the impact of the incident on the financial affairs of the company. The assessment should include:

· Loss of financial documents

· Loss of revenue

· Theft of check books, credit cards, etc.

· Loss of cash

5.2 Financial Requirements

The immediate financial needs of the company must be addressed. These can include:

· Cash flow position

· Temporary borrowing capability

· Upcoming payments for taxes, payroll taxes, Social Security, etc.

· Availability of company credit cards to pay for supplies and services required post-disaster

5.3 Legal Actions

The company legal department and ERT will jointly review the aftermath of the incident and decide whether there may be legal actions resulting from the event; in particular, the possibility of claims by or against the company for regulatory violations, etc.

6 DRP Exercising

Disaster recovery plan exercises are an essential part of the plan development process. In a DRP exercise no one passes or fails; everyone who participates learns from exercises – what needs to be improved, and how the improvements can be implemented. Plan exercising ensures that emergency teams are familiar with their assignments and, more importantly, are confident in their capabilities.

Successful DR plans launch into action smoothly and effectively when they are needed. This will only happen if everyone with a role to play in the plan has rehearsed the role one or more times. The plan should also be validated by simulating the circumstances within which it has to work and seeing what happens.


Appendix B – Suggested Forms

Damage Assessment Form

| Key Business Process Affected | Description Of Problem | Extent Of Damage |
|---|---|---|
| | | |

_____________

Management of DR Activities Form

• During the disaster recovery process all activities will be determined using a standard structure;

• Where practical, this plan will need to be updated on a regular basis throughout the disaster recovery period;

• All actions that occur during this phase will need to be recorded.

Activity Name:

Reference Number:

Brief Description:

| Commencement Date/Time | Completion Date/Time | Resources Involved | In Charge |
|---|---|---|---|
| | | | |

       
       
       
       
       
       
       
       

__________________

Disaster Recovery Event Recording Form

• All key events that occur during the disaster recovery phase must be recorded.

• An event log shall be maintained by the disaster recovery team leader.

• This event log should be started at the commencement of the emergency and a copy of the log passed on to the business recovery team once the initial dangers have been controlled.

• The following event log should be completed by the disaster recovery team leader to record all key events during disaster recovery, until such time as responsibility is handed over to the business recovery team.

Description of Disaster:

Commencement Date:

Date/Time DR Team Mobilized:

| Activities Undertaken by DR Team | Date and Time | Outcome | Follow-On Action Required |
|---|---|---|---|
| | | | |

       
       
       
       
       
       
       

Disaster Recovery Team's Work Completed: <Date>

Event Log Passed to Business Recovery Team: <Date>

_________________

Disaster Recovery Activity Report Form

• On completion of the initial disaster recovery response the DRT leader should prepare a report on the activities undertaken.

• The report should contain information on the emergency, who was notified and when, action taken by members of the DRT together with outcomes arising from those actions.

• The report will also contain an assessment of the impact to normal business operations.

• The report should be given to business recovery team leader, with a copy to senior management, as appropriate.

• A disaster recovery report will be prepared by the DRT leader on completion of the initial disaster recovery response.

• In addition to the business recovery team leader, the report will be distributed to senior management

The report will include:

• A description of the emergency or incident

• Those people notified of the emergency (including dates)

• Action taken by members of the DRT

• Outcomes arising from actions taken

• An assessment of the impact to normal business operations

• Assessment of the effectiveness of the BCP and lessons learned

• Lessons learned

__________

Mobilizing the Disaster Recovery Team Form

• Following an emergency requiring recovery of technology infrastructure assets, the disaster recovery team should be notified of the situation and placed on standby.

• The format shown below can be used for recording the activation of the DR team once the work of the damage assessment and emergency response teams has been completed.

Description of Emergency:

Date Occurred:

Date Work of Disaster Recovery Team Completed:

| Name of Team Member | Contact Details | Contacted On (Time / Date) | By Whom | Response | Start Date Required |
|---|---|---|---|---|---|
| | | | | | |

           
           
           
           

Relevant Comments (e.g., Specific Instructions Issued)

___________

Mobilizing the Business Recovery Team Form

· Following an emergency requiring activation of the disaster recovery team, the business recovery team should be notified of the situation and placed on standby.

· The format shown below will be used for recording the activation of the business recovery team once the work of the disaster recovery team has been completed.

Description of Emergency:

Date Occurred:

Date Work of Business Recovery Team Completed:

| Name of Team Member | Contact Details | Contacted On (Time / Date) | By Whom | Response | Start Date Required |
|---|---|---|---|---|---|
| | | | | | |

           
           
           
           

Relevant Comments (e.g., Specific Instructions Issued)

____________

Monitoring Business Recovery Task Progress Form

• The progress of technology and business recovery tasks must be closely monitored during this period of time.

• Since difficulties experienced by one group could significantly affect other dependent tasks it is important to ensure that each task is adequately resourced and that the efforts required to restore normal business operations have not been underestimated.

Note: A priority sequence must be identified although, where possible, activities will be carried out simultaneously.

| Recovery Tasks (Order of Priority) | Person(s) Responsible | Completion Date (Estimated) | Completion Date (Actual) | Milestones Identified | Other Relevant Information |
|---|---|---|---|---|---|

1.

         

2.

         

3.

         

4.

         

5.

         

6.

         

7.

         
           

___________

Preparing the Business Recovery Report Form

· On completion of business recovery activities the BRT leader should prepare a report on the activities undertaken and completed.

· The report should contain information on the disruptive event, who was notified and when, action taken by members of the BRT together with outcomes arising from those actions.

· The report will also contain an assessment of the impact to normal business operations.

· The report should be distributed to senior management, as appropriate.

The contents of the report shall include:

· A description of the incident

· People notified of the emergency (including dates)

· Action taken by the business recovery team

· Outcomes arising from actions taken

· An assessment of the impact to normal business operations

· Problems identified

· Suggestions for enhancing the disaster recovery and/or business continuity plan

· Lessons learned

Communications Form

· It is very important during the disaster recovery and business recovery activities that all affected persons and organizations are kept properly informed.

· The information given to all parties must be accurate and timely.

· In particular, any estimate of the timing to return to normal working operations should be announced with care.

· It is also very important that only authorized personnel deal with media queries.

| Groups of Persons or Organizations Affected by Disruption | Persons Selected To Coordinate Communications to Affected Persons / Organizations: Name | Position | Contact Details |
|---|---|---|---|
| Customers | | | |
| Management & Staff | | | |
| Suppliers | | | |
| Media | | | |
| Stakeholders | | | |
| Others | | | |

     

____________

Returning Recovered Business Operations to Business Unit Leadership

· Once normal business operations have been restored it will be necessary to return the responsibility for specific operations to the appropriate business unit leader.

· This process should be formalized in order to ensure that all parties understand the change in overall responsibility, and the transition to business-as-usual.

· It is likely that during the recovery process, overall responsibility may have been assigned to the business recovery process lead.

· It is assumed that business unit management will be fully involved throughout the recovery, but in order for the recovery process to be fully effective, overall responsibility during the recovery period should probably be with a business recovery process team.

____________

Business Process/Function Recovery Completion Form

The following transition form should be completed and signed by the business recovery team leader and the responsible business unit leader, for each process recovered.

A separate form should be used for each recovered business process.

Name Of Business Process

Completion Date of Work Provided by Business Recovery Team

Date of Transition Back to Business Unit Management (If different than completion date)

I confirm that the work of the business recovery team has been completed in accordance with the disaster recovery plan for the above process, and that normal business operations have been effectively restored.

Business Recovery Team Leader Name: ________________________________________

Signature: ________________________________________________________________

Date: __________________________

(Any relevant comments by the BRT leader in connection with the return of this business process should be made here.)

I confirm that the above business process is now acceptable for normal working conditions.

Name: ___________________________________________________________________

Title: ____________________________________________________________________

Signature: ________________________________________________________________

Date: __________________________

El Centro Infrastructure Assessment–2012

 

Infrastructure Assessment

August 3, 2012

KNS Consulting

El Centro De Corazon


Findings

Network Infrastructure

Service Providers

Three service providers provide El Centro with both phone and internet: AT&T, CBeyond, and Airband.

Airband – primary provider for Eastwood – provides Internet and phone

CBeyond – Secondary internet provider for Eastwood; primary provider for all other clinics

AT&T – PRI – phone provider for CBeyond connections

External IP addresses:

· Airband – 63.133.130.xx/29

· CBeyond – 74.7.204.xx/29

Note: During the assessment, Alpheus Communications installed fiber connections at all clinics. The plan was to have Eastwood as the primary provider of internet services to all clinics. At this time, incorporating this new service into the clinic’s infrastructure has been delayed until the network can be configured to support it.

Current Issues:

· Airband does not provide a stable connection – PRI and internet are constantly flipping

· CBeyond does not provide a stable connection – PRI and internet are constantly flipping

· Trouble tickets with providers take days to completely resolve

· Service outages are constantly recurring and affect clinic business and patients

Firewalls

There are three types of firewalls used at El Centro: Windows, Linux server hosted and router hosted.

Windows Firewall –

· VMXP1 port 80 redirect for elcentrochc.org web site

· VHOST public IP used for remote access

Linux Firewall –

· DOCS public IP address

· COMM public IP address

Router Firewall

· Non-functional

Routers

Each clinic hosts an HP ProCurve 7203dl router. All routing is performed via static routes. The IP addressing schema for each clinic has been standardized. IP addresses 1-69 and 200-254 are excluded ranges. Printers and other network devices are assigned IP addresses in the lower ranges while the upper ranges are filled with servers.

Issues found relating to the schema are as follows:

· DHCP issuing out addresses in the excluded ranges

· Scoop hard-coding MAC addresses into the DHCP instead of assigning static IPs to servers

· Servers assigned static IP addresses in the DHCP ranges

IP address schema is as follows:

Dunn –

· 10.1.9.0/24 - Internal

· 10.1.19.0/24 - Tunnel

· 72.16.240.xx/29 - CBeyond

Eastwood –

· 10.1.1.0/24 - Internal

· 10.1.11.0/24 - Tunnel

· 63.133.130.18/29 – Air Band

· 74.7.204.xx/29 - CBeyond

Long –

· 10.1.6.0/24 - Internal

· 10.1.16.0/24 – Tunnel

· 72.54.195.xx - CBeyond

Magnolia –

· 10.1.7.0/24 - Internal

· 10.1.17.0/24 - Tunnel

· 74.7.204.xx/29 - CBeyond

Navigation –

· 10.1.3.0/24 - Internal

· 10.1.13.0/24 – Tunnel

· 74.7.204.xx/29 - CBeyond

Wayside

· 10.1.5.0/24 - Internal

· 10.1.15.0/24 – Tunnel

· 69.115.163.xx/29 - CBeyond

Switches

The number of switch types and brands varies per site. The environment is a mix of managed HP POE and non-POE switches and non-managed Net Gear switches. All managed switches are assigned an IP address. Security settings have been turned on for the web interface of most switches. However, telnet access is not secured, as it does not require a user name or password.

Server Infrastructure

The main infrastructure consists of the DOCS, COMM, DB and TS servers that are owned and managed by El Centro. At this time, there is no external or cloud backup device; however, some backups are being directed to the DOCS server.

Domain Controller

Conceptually a single server, the domain controller consists of three services: LDAP, DNS and DHCP. At El Centro, the three services are split between two servers: DOCS and COMM. DOCS supports DNS while COMM supports DHCP and LDAP.

LDAP manages user rights and access, while DHCP and DNS work together to assign, manage and route IP addresses. All three services are critical to the functionality of the network. El Centro experiences many issues related to the misconfiguration or malfunction of these services. The most recent issues include:

· LDAP users with roaming profiles are only logged in temporarily to a Windows workstation.

o Causes users to lose session-added configurations

o Causes printer unavailability

o Causes user profile errors in logs

· DNS services chronically failing

o New computers cannot be added to the domain

o Users are unable to resolve internal addresses

o Users are unable to resolve external addresses

o Causes network to run sluggish

· DHCP services issuing addresses in excluded ranges

o Causes IP conflicts

o Causes devices to stop working correctly
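
The DHCP problems listed above (leases issued from excluded ranges, servers with static addresses inside the DHCP range, MAC reservations used in place of static addressing) can be checked offline from an export of the scope, exclusions and leases. The following Python audit is an added example, not part of the original assessment; 10.1.1.0/24 and the DB and TS addresses come from the page, while the pool, exclusion range, PRN1 host and lease records are constructed sample data.

```python
import ipaddress

# Constructed sample data for the Eastwood internal network (10.1.1.0/24 is from
# the page; the pool, exclusion range, PRN1 and all leases are assumptions).
SCOPE = ipaddress.ip_network("10.1.1.0/24")
POOL = ("10.1.1.50", "10.1.1.254")            # assumed dynamic range
EXCLUSIONS = [("10.1.1.240", "10.1.1.254")]   # assumed range reserved for servers
STATIC_HOSTS = {"DB": "10.1.1.251", "TS": "10.1.1.249", "PRN1": "10.1.1.60"}
LEASES = [  # (ip, mac, is_mac_reservation)
    ("10.1.1.101", "00:11:22:33:44:01", False),  # normal client lease
    ("10.1.1.249", "00:11:22:33:44:02", False),  # dynamic lease on TS's address
    ("10.1.1.245", "00:11:22:33:44:03", True),   # MAC reservation in excluded range
    ("10.1.2.17", "00:11:22:33:44:04", False),   # address outside the scope
]


def in_range(ip, bounds):
    """True if ip lies within the inclusive (low, high) address pair."""
    low, high = (ipaddress.ip_address(b) for b in bounds)
    return low <= ipaddress.ip_address(ip) <= high


def audit(scope, pool, exclusions, static_hosts, leases):
    """Return (kind, ip, detail) findings for the conflicts listed in the assessment."""
    findings = []
    excluded = lambda ip: any(in_range(ip, e) for e in exclusions)
    static_by_ip = {ip: name for name, ip in static_hosts.items()}

    # Static hosts are only safe if DHCP can never hand out their address.
    for name, ip in sorted(static_hosts.items()):
        if in_range(ip, pool) and not excluded(ip):
            findings.append(("STATIC_IN_POOL", ip, name))

    for ip, mac, reserved in leases:
        if ipaddress.ip_address(ip) not in scope:
            findings.append(("LEASE_OUTSIDE_SCOPE", ip, mac))
            continue
        if excluded(ip):
            kind = "RESERVATION_IN_EXCLUSION" if reserved else "LEASE_IN_EXCLUSION"
            findings.append((kind, ip, mac))
        if ip in static_by_ip:
            findings.append(("LEASE_COLLIDES_WITH_STATIC", ip,
                             f"{mac} vs {static_by_ip[ip]}"))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in audit(SCOPE, POOL, EXCLUSIONS, STATIC_HOSTS, LEASES):
        print(f"{kind:28} {ip:12} {detail}")
```

Each finding kind maps to one of the reported symptoms, so the same check can be rerun after the scope is rebuilt to confirm that no lease or reservation still lands in a range set aside for servers.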

Email Server

In good practice, this server would reside on a single physical server or on a single virtual server. El Centro’s email server resides on both COMM and DOCS. DOCS supports the database portion of the mail services while COMM supports the web and application interface.

· RoundCube is the application that provides email for the Clinic and can be accessed via:

o Outlook

o http://webmail.elcentrochc.org web interface

· Does not support integration with Outlook

· Does not support shared calendars

· Does not support server managed inbox folder and file synchronization

· Limited functionality

Database Server

The database server has the following attributes:

· Name: DB

· IP Address: 10.1.1.251

· Custom build server

· Two Intel Xeon 2100 series quad core processors

· 8GB RAM

· 146 GB Hard drives.

· Supports Media Dent application and database

· Sevocity

Current Issues:

· The server is configured with one hard drive and has a Windows Server 2008 Standard R2 operating system.

· At present the server has available only 6 GB of hard drive space.

· During the assessment of the hard drive it was noted that over a year’s worth of images are stored on the server and as a result, the hard drive is running out of space.

· The server was not configured according to Microsoft’s best practices.

o Server was not specced out according to needs

o Server was not configured according to Microsoft Best Practices

o Server has no hard drive redundancy (No RAID configuration)

Note – At this time there are six hard drives waiting to go into the DB server. This task will be performed once the network has been stable for one week. The server will be scheduled to be offline during non-clinic hours for the upgrade.

Terminal Server

· Name: TS

· IP Address: 10.1.1.249

· Custom build server

· Two Intel Xeon 2100 series quad core processors

· 16GB RAM

· 146 GB Hard drives.

· Supports Media Dent application

· Terminal Services

· Sevocity

· DNS

· Hyper V

Current Issues:

· Problematic latency issues when running Media Dent

· Corrupted computer account in LDAP

· Resides in ECDC workgroup

· Cannot be placed back on domain due to malfunctioning DNS on LDAP server

Cabling Infrastructure

Server Room (MDF)

· Cables were not labeled

· Cables unmanaged and tangled

· Switches located in various places

· Servers located in various places

· UPS sitting directly on floor

· Unsecure

Current issues:

· Cannot add new server to server room until MDF is cleaned up and tagged

· Switch racks need to have equipment removed

· Heat – need additional cooling

· Space – move servers to room behind server room and combine rooms

· All switches need to be installed properly in switch rack

[Figures: Server Room Switch Rack – upper/rear; Server Room Switch Rack – lower/rear]

All IDFs

· Cables were not labeled

· Cables unmanaged and tangled

· Switches located in various places

Recommendations

Network Infrastructure

Service Providers

· Connect Alpheus Communications equipment and integrate new services into clinic infrastructure

· Find a new service provider to obtain PRIs and failover internet

Firewalls

· Obtain enterprise level firewall for Eastwood

· Obtain smaller firewalls for surrounding clinics

· NAT server IP addresses to external IP addresses

· Create more robust ACLs

· Obtain content filtering module or service for firewall

Routers

· Create new IP schema for all clinics

· Obtain enterprise level routers for all sites that support VLANs

· Configure routers with new IP schema

· Add new configurations for Alpheus services

Switches

· Obtain layer 2 and layer 3 switches

· Configure switches for VLANs

· Configure layer 3 inter VLAN routing on layer 3 switches

Server Infrastructure

Domain Controller

· Build out new Windows Domain Controller

o Active Directory

o Certificate Services

o DNS

· Build secondary domain controller

o AD

o DHCP

o DNS

o Print server

o Windows Distribution Services

· Create Active Directory domain user accounts

o Redirect My Documents folder

o Add AUP to initial startup screen via default Group Policy

o Map network drives

o Deploy printers via Group Policy

o Deploy software via Group Policy

Email Server

· Build out new Windows Exchange 2010 email server

· Migrate all users to new email

· Customize email to the client's specifications (e.g. shared calendars, global address lists, etc.)

Database Server

· Complete installation of new hard drives and configure

· Complete installation of RAM

· Analyze current system configuration – move Media Dent to new hard drives

· Clean up OS and reconfigure all apps so they do not reside on the C:\ drive

Terminal Server

· Install new hard drives to increase capacity

· Complete configuration of Hyper V supported DC and App server

· Move all software to new hard drives

· Clean up OS

· Work with Media Dent to install application according to their best practices

Cabling Infrastructure

Server Room

· Cabling on walls should be in conduit or cable management trays

· All cabling should be properly labeled

· All switches should be mounted on switch rack

· All servers should be mounted in a server rack

· Move switch rack to center of room or approximately 3’ from back wall and 3’ from side walls

· Mount router in switch rack

· Re-plumb cables to accommodate rack location

· Color-code cables for easier identification

· Other improvements as necessary

IDFs

· Cabling on walls should be in conduit or cable management trays

· All cabling should be properly labeled

· All servers and switches should be mounted on switch rack

· Mount router in switch rack

· Color-code cables for easier identification

· Other improvements as necessary

Hope Clinic Disaster Recovery Presentation - 2012

 

RYSS–Acceptable Encryption Policy 2009

 

Acceptable Encryption Policy

Revised: 06/30/2009

1. Purpose.

The purpose of this policy is to limit the use of Encryption by Authorized Users to methods that receive substantial public review and work effectively. Additionally, this policy provides direction to ensure compliance with Federal regulations, and to ensure legal authority is granted for the dissemination and use of Encryption technologies outside of the United States.

2. Scope.

This policy applies to all Authorized Users including TCCC-RYSS employees and affiliates.

3. Policy.

Proven, standard Encryption methods (e.g. DES, Blowfish, RSA, RC5, IDEA, etc.) must be used as the basis for Encryption technologies. These methods represent the actual Cipher used for an approved application. For example, Network Associate's Pretty Good Privacy (PGP) technology uses the IDEA method in combination with RSA or Diffie-Hellman methods, while Secure Socket Layer (SSL) technology uses RSA Encryption. Symmetric Cryptosystem key lengths must be at least 128 bits. Asymmetric Cryptosystem keys must be of a length that yields equivalent strength. Park TCCC-RYSS’s key length requirements are reviewed annually and upgraded as technology allows.

Authorized Users may not use Proprietary Encryption Algorithms for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Information Security personnel. Be aware that the export of Encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States need to be aware of the Encryption technology laws of the country in which they reside.

4. Enforcement.

Any Authorized User found to be in violation of this policy will be considered an Unauthorized User and, as such, is subject to disciplinary action pursuant to the Enforcement section of the Unauthorized Use Policy.

RYSS–Acceptable Use Policy 2009

 

Acceptable Use Policy

Revised: 06/30/2009

1. Overview.

This policy is intended to protect TCCC-RYSS's faculty, employees and Students, as well as TCCC-RYSS itself, from the consequences of illegal or damaging actions by individuals using the TCCC-RYSS Information Technology Network.

The TCCC-RYSS Information Technology Network includes Internet/Intranet/Extranet-related systems, including but not limited to computer/Networking equipment, Software, Operating Systems, storage media, Network accounts providing electronic mail, Instant Messaging, student information system, WWW browsing, and FTP, which are the property of TCCC-RYSS. They are to be used for TCCC-RYSS business purposes and to serve the interests of TCCC-RYSS as well as all Authorized Users. Effective computer Security is a team effort requiring the participation and support of every TCCC-RYSS faculty member, employee, student and Authorized User who deals with information and/or information systems. It is the responsibility of every computer user to know the TCCC-RYSS Information Technology Policies and Procedures, and to comply with them.

2. Purpose.

This policy describes the Authorized Use of the TCCC-RYSS Information Technology Network and protects TCCC-RYSS and Authorized Users. Unauthorized uses expose TCCC-RYSS to many risks including legal liability, Virus attacks, and the compromise of Network systems, Services, and information.

3. Scope.

This policy applies to all persons with a TCCC-RYSS-owned, third party-owned, or personally-owned computing device that is connected to the TCCC-RYSS Information Technology Network.

4. Policy.

a. General Use and Ownership.

1. Data created by Authorized Users that is on the TCCC-RYSS Information Technology Network is the property of TCCC-RYSS. There is no guarantee that information stored on the TCCC-RYSS Information Technology Network device will be confidential.

2. Authorized Use includes reasonable personal use of the TCCC-RYSS Information Technology Network by Authorized Users. TCCC-RYSS departments are responsible for creating guidelines concerning personal use of the TCCC-RYSS Information Technology Network. In the absence of such guidelines, employees should consult their supervisor, manager, or the Information Security Guidelines; Students should consult the Student Assistance Center.

3. Any information that an Authorized User considers to be sensitive or vulnerable should be encrypted. For guidelines on information classification, see Information Security's Information Sensitivity Policy. For guidelines on encrypting Email and documents, consult Information Security's Awareness Initiative.

4. Authorized TCCC-RYSS employees may monitor the TCCC-RYSS Information Technology Network traffic at any time, in accordance with the Information Security Audit Policy.

5. TCCC-RYSS reserves the right to audit Networks and systems on a periodic basis to ensure compliance with the TCCC-RYSS Information Technology Policies and Procedures.

b. Security and Proprietary Information.

1. Authorized Users are required to classify the user interface for information contained on the TCCC-RYSS Information Technology Network as “confidential” or “not confidential,” as defined by TCCC-RYSS Confidentiality Guidelines. Confidential information includes, but is not limited to: TCCC-RYSS private data, specifications, student information, and research data. Employees are required to take all necessary steps to prevent unauthorized access to this Sensitive Information.

2. Authorized Users are responsible for the Security of their passwords and accounts and must keep passwords confidential and are not permitted to share accounts.

3. Authorized Users are responsible for logging out of all systems and accounts when they are not being used; they must not be left unattended.

4. All laptops and workstations that are part of or connected to the TCCC-RYSS Information Technology Network are required to be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off when the device will be unattended.

5. Encryption of information must be used in compliance with Information Security's Acceptable Encryption Use Policy.

6. Authorized Users are required to exercise special care to protect laptop computers that are part of or connected to the TCCC-RYSS Information Technology Network in accordance with the “Laptop Security Guidelines.”

7. Postings by Authorized Users from a TCCC-RYSS Email address must contain a disclaimer stating that the opinions expressed are strictly those of the author and not necessarily those of TCCC-RYSS, unless posting has been done in the course of TCCC-RYSS business.

8. All computers used by Authorized Users that are connected to the TCCC-RYSS Information Technology Network, whether owned by the individual or TCCC-RYSS, must be continually executing approved Virus-scanning Software with a current Virus Database.

9. Authorized Users must use extreme caution when opening e-mail attachments received from unknown senders, which may contain Viruses, e-mail bombs, or Trojan Horse codes.

c. Unacceptable Use of the TCCC-RYSS Information Technology Network.

The following activities are prohibited, although TCCC-RYSS employees who are Authorized Users may be exempted from these restrictions during the performance of their legitimate job responsibilities. Under no circumstances is an Authorized User permitted to engage in any activity that is illegal under local, state, federal or international law while utilizing the TCCC-RYSS Information Technology Network.

Unacceptable use includes, but is not limited to the following activities:

System and Network Activities

The following activities are strictly prohibited, with no exceptions:

1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other Intellectual Property, or similar laws or regulations, including, but not limited to, the installation or distribution of copyrighted or other Software products that are not licensed for use by TCCC-RYSS.

2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted Software for which TCCC-RYSS or the Authorized User does not have an active license is strictly prohibited.

3. Exporting Software, technical information, Encryption Software or technology, in violation of international or regional export control laws, is illegal. TCCC-RYSS management must be consulted prior to export of any material that is in question.

4. Introduction of Malicious Software into the TCCC-RYSS Information Technology Network (e.g., Viruses, Worms, Trojan Horses, e-mail bombs, etc.).

5. An Authorized User’s revelation of that person’s account password to others or allowing use of an Authorized User’s account by others, including family and other household members when an Authorized User’s computer is connected to the TCCC-RYSS Information Technology Network from home or other non-TCCC-RYSS locations.

6. The use of a component of the TCCC-RYSS Information Technology Network or other computing asset to actively engage in procuring or transmitting material that violates sexual harassment or hostile workplace laws or that violates any TCCC-RYSS policy. Pornographic material is a violation of sexual harassment policies.

7. Making fraudulent offers of products, items, or services originating from any TCCC-RYSS account or otherwise made from a computer connected to the TCCC-RYSS Information Technology Network.

8. Causing Security breaches or disruptions of communication over the TCCC-RYSS Information Technology Network. Security breaches include, but are not limited to, accessing data or other communications of which the Authorized User is not an intended recipient or logging into an account that the Authorized User is not expressly authorized to access. For purposes of this section, "disruption" includes, but is not limited to, Network Sniffing, traffic floods, Packet Spoofing, Denial of Service, etc.

9. Port Scanning or Security Scanning is expressly prohibited unless prior notification to Information Security is made.

10. Executing any form of Network monitoring which will intercept data not intended for the Authorized User is expressly prohibited, unless this activity is a part of the Authorized User’s normal job/duty.

11. Circumventing User Authentication or Security of any device, Network, or account.

12. Interfering with or denying Service to any user other than the individual's Host (for example, a Denial of Service attack).

13. Using any Program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means locally or remotely.

14. Providing information about, or lists of, TCCC-RYSS employees or Students to non-TCCC-RYSS parties.

Email and Communications Activities

1. Sending unsolicited Email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (Email SPAM).

2. Any form of harassment via Email, instant messenger, telephone, or pager, whether through language, frequency, or size of messages.

3. Unauthorized use, or forging, of Email header information.

4. Solicitation of Email for any other Email address, other than that of the Authorized User’s own account, with the intent to harass or to collect replies.

5. Creating or forwarding Chain email, Phishing, or other scams of any type.

6. Use of the TCCC-RYSS’s name in any unsolicited Email on behalf of, or to advertise, any service or product without the explicit written permission of TCCC-RYSS.

7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup SPAM).

5. Enforcement.

Any Authorized User found to be in violation of this policy will be considered an Unauthorized User and, as such, is subject to disciplinary action pursuant to the Enforcement section of the Unauthorized Use Policy.