azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from HOWARD-HOME at 2026-06-24 10:25:39

Browse Source 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-24 10:25:39
This commit is contained in:
Howard Enos
2026-06-24 10:26:07 -07:00
parent 0d05c1a4a4
commit 47c9441781
1 changed files with 191 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

191
clients/cascades-tucson/docs/proposals/2026-technology-plan-review.md Normal file
View File

@@ -0,0 +1,191 @@
# Cascades of Tucson - Technology Plan Review
> Prepared for the planning meeting requested by Ashley Jensen (week of 2026-06-23 / 2026-06-30).
> Organized to Ashley's exact agenda: for each area we cover **Current state -> Gaps -> Action steps -> Timeline -> Priority**.
> Prepared by ACG (Az Computer Guru). Source of truth: `wiki/clients/cascades-tucson.md` (compiled 2026-06-23) + live systems.
> Contract: prepaid hour block @ $175/hr; **48.75 hrs remaining** (Syncro, live 2026-06-23). 0 open tickets.
---
## 0. Executive summary - established priorities
The single theme across every area is **Cascades runs PHI on one 16-year-old server with no redundancy**, while the surrounding identity, network, and voice layers have been substantially modernized over the last 90 days. The top priorities, in order:
| # | Priority | Area | Why it's #1-tier |
|---|----------|------|------------------|
| P1 | **Replace / de-risk CS-SERVER** | Hardware, DR | Single Dell R610 (~2009) DC holding all PHI; OS RAID-1 mirror DEGRADED 2026-06-15 (running on one aging spindle, zero redundancy). Data-loss + total-outage exposure. |
| P2 | **Close HIPAA audit + access gaps** | Security | No audit logging on the PHI share; audit-retention infra approved but not built; caregiver device allow-list still report-only; ALIS BAA unverified. |
| P3 | **Unify malware/EDR coverage** | Malware prevention | The PHI server is NOT under managed AV/EDR (Bitdefender); leftover previous-MSP Datto agents still installed. |
| P4 | **Verify & formalize DR/continuity** | Disaster recovery | Cloud backup now running (gap closed 2026-06-15) - must confirm it is image/bare-metal + retention, then document a real DR/BC plan and test a restore. |
| P5 | **Finish voice quality + M365 relicensing** | Communication, Software | Voice VLAN done; last fix (Poly 5GHz lock) is waiting on Vertical. 31 users still on a SUSPENDED M365 license - time-sensitive. |
| P6 | **Establish an AI acceptable-use policy** | Use of AI | No governance today; HIPAA makes uncontrolled staff use of public AI a PHI-leak risk. Pairs with the KPI-dashboard analytics opportunity. |
---
## 1. Hardware & Software
**Current state**
- **CS-SERVER** - Dell PowerEdge R610 (~2009, 16+ yrs). Single Domain Controller doing everything: AD, DNS, DHCP, file server, Hyper-V host, print server. Windows Server 2019.
- **Synology cascadesDS** NAS (DSM 7.2.1) - legacy file storage, transitioning to backup-only.
- **pfSense** firewall (Netgate, dual-WAN) + full **UniFi** network: 77 U7-Pro access points, 12 managed switches.
- **~29 managed workstations** (Syncro). Active domain migration to `cascades.local` + Microsoft Entra hybrid identity is well underway.
- **Microsoft 365** - Business Premium across the org.
**Gaps**
- **[CRITICAL] CS-SERVER OS mirror is degraded** (one drive failed 2026-06-15) - C: (OS/AD) is running on a single aging 5400 RPM laptop spindle with no redundancy. This is also the root cause of "server is slow" reports.
- **Single point of failure** - one elderly DC; if it dies, AD/file/print/DHCP all go down at once.
- **EOL workstations** - Lupe Sanchez's PC (Gateway i3-2120, Win11-unsupported) flagged for replacement; Chef-PC needs a full reinstall.
- **M365 relicensing** - 31 users still assigned to a **SUSPENDED** Business Standard license; 31 Business Premium seats sit free. Time-sensitive.
- ~25 switch ports negotiating 100 Mbps instead of gigabit (cabling/NIC); 3 switches offline.
**Action steps**
1. Interim: replace CS-SERVER OS drives with 2x 480 GB enterprise SSD (gated on verified backup first).
2. Strategic: scope a **server replacement / DC modernization** - the real fix for the SPOF and the slowness.
3. Replace Lupe's workstation; reinstall Chef-PC (open tickets #32194, #32254).
4. Complete M365 relicensing (31 Standard -> Premium).
5. After WiFi stabilizes: correct the 100 Mbps switch ports and investigate the 3 offline switches.
**Timeline** - SSD swap near-term (once backup verified); relicensing immediate; workstation swaps near-term; server-replacement a larger project to scope jointly. **Priority: HIGH (P1).**
---
## 2. Communication Technology
**Current state**
- **Email** - Microsoft 365 / Exchange Online. SPF, DKIM, and DMARC (`p=quarantine`) all published. Shared mailboxes `grievances@` and `Surveys@` created 2026-06-12.
- **Voice** - Vertical hosted/cloud PBX. 37 devices (28 Poly WiFi handsets + 8 AudioCodes desk phones + the Vertical management desktop) **consolidated onto an isolated Voice VLAN 30 (completed 2026-06-19)** - HIPAA-segmented, phones marking DSCP EF for QoS.
- **WiFi** - heavily optimized 2026-06-19: 5 GHz retransmits roughly halved, 2.4 GHz power rebalanced, ~587 concurrent clients across 77 APs.
**Gaps**
- **Residual dropped calls** - several Poly handsets cling to the saturated 2.4 GHz band despite strong 5 GHz signal. Fix is a phone-side 5 GHz-only lock - **request is with Vertical (Richard Turner), awaiting their push.** This is the last open voice item.
- **Bistro phone missing** - one bad phone was pulled; a replacement is pending.
- **Voice QoS** designed but not yet built (insurance for WAN failover / saturation).
- **6 GHz WiFi band is dark** - the largest untapped clean wireless capacity; enabling it needs a WPA3 conversion on the main SSID (supervised change).
- DMARC sits at `quarantine` (could progress to `reject`); DMARC reports route to an unmonitored mailbox.
**Action steps** - chase the Vertical 5 GHz lock to closure; install/re-key the Bistro replacement; build voice QoS; plan the supervised 6 GHz / WPA3 change window.
**Timeline** - voice closeout is days-out pending Vertical; QoS and 6 GHz are scheduled change windows. **Priority: MEDIUM-HIGH (P5).**
---
## 3. Security for Sensitive Data (HIPAA / PHI)
**Current state** - HIPAA is the primary compliance driver. PHI lives on CS-SERVER and in **ALIS** (clinical EHR). A modern, identity-based access-control model is largely deployed:
- **Microsoft Entra Conditional Access** splits staff into two postures - caregivers locked to the Cascades network + approved devices (credentials useless off-site); office/clinical staff get MFA off-site.
- **ALIS single sign-on** is live (Entra is the second factor).
- **Caregiver device-lockdown GPO** - auto screen-lock at 3 min, auto sign-out at 15 min (HIPAA 164.312(a) for shared PHI devices).
- **Voice VLAN isolation**, per-room network L2 isolation, MFA for all users, DMARC enforcement.
**Gaps (open HIPAA items)**
- **No audit logging on the PHI file share** (164.312(b)); Object Access auditing disabled; no SMB encryption on the Homes share.
- **Audit-retention infrastructure** (90-day + 6-year) approved 2026-04-29 but **not yet built**.
- **Break-glass admin accounts** not created; FIDO2 keys unconfirmed.
- **ALIS Business Associate Agreement (BAA)** with Medtelligent not yet verified.
- Caregiver device **allow-list still in report-only** mode (cutover pending); ALIS-native 2FA should be disabled in favor of Entra SSO-only.
- **Exposed credential** - a Synology sign-in credential was committed in plaintext to our vault history; rotate it.
**Action steps** - enable file-share/object-access auditing + build the retention store; create break-glass accounts; obtain/verify the ALIS BAA; complete the caregiver allow-list cutover; rotate the exposed Synology credential.
**Timeline** - auditing + retention is the headline near-term HIPAA workstream. **Priority: HIGH (P2).**
---
## 4. Services Purchased or Contracted (vendor inventory)
| Service | Vendor | Purpose | Note for review |
|---------|--------|---------|-----------------|
| Managed IT services | ACG | Support / projects | Prepaid block, 48.75 hrs remaining |
| Microsoft 365 | Microsoft | Email, identity, Office | Relicensing 31 users (see Hardware/Software) |
| ALIS | Medtelligent | Clinical EHR (PHI) | **BAA verification required** |
| Hosted voice | Vertical | Phone system | 5 GHz lock pending with them |
| Internet (dual-WAN) | Cox | Fiber primary + coax failover | WAN2 upload still to be measured |
| Cloud backup | MSP360 / CloudBerry (-> ACG) | Off-site backup | Installed 2026-06-15 (see DR) |
| Firewall / network | Netgate (pfSense) + UniFi | Perimeter + LAN/WiFi | Healthy, optimized |
| Endpoint security | Bitdefender | AV/EDR | Partial coverage (see Malware) |
| Line-of-business SaaS | QuickBooks, Bill.com, Relias (LMS), You've Got Leads (CRM), TELS / Direct Supply (facilities), Focus HR (HR/payroll), Helpany (caregiver app), POS | Operations | Catalogued for the KPI dashboard |
**Gaps** - ALIS BAA; no central contract/renewal calendar; M365 license true-up. **Action** - build a one-page renewal/BAA tracker. **Priority: MEDIUM.**
---
## 5. Assistive Technology
**Current state** - In ACG's current scope, the resident/clinical-facing technology is **ALIS** (clinical EHR) and **Helpany** (the caregiver app). A physical access-control vendor engagement is on record (ticket #32324, 2026-05-26). No dedicated resident accessibility / nurse-call / emergency-call system is currently documented under ACG management.
**Gap / open question** - Ashley's agenda lists assistive technology "if any." We should **clarify scope with her**: does she mean resident-facing assistive/accessibility devices, nurse-call / emergency-response systems, or staff-facing clinical tooling? That determines whether this becomes an ACG workstream or stays vendor-owned.
**Action step** - confirm definition + current vendors at the meeting; if any of it touches PHI or the network, fold it into the security and DR plans. **Priority: CLARIFY FIRST.**
---
## 6. Disaster Recovery & Continuity
**Current state**
- **Cloud backup is now running** - MSP360/CloudBerry to ACG's backup server, installed 2026-06-15, which **closed the longstanding "no backup" HIPAA gap**. Last full completed SUCCESS 2026-06-22 (0 errors).
- Synology is being repurposed as a secondary/backup target.
- pfSense config is backed up (vaulted + on-box); Netgate AutoConfigBackup to be enabled.
- **Proven outage procedure** - the 2026-06-23 planned building power outage was handled with a clean, scripted self-shutdown of all core devices and verified-clean recovery (after an unclean 2026-06-17 outage taught the lesson). UPS + iDRAC auto-recovery + Synology auto-restart provide bring-up backstops.
**Gaps**
- **Verify the backup is image-based / bare-metal + system-state**, not just files, and that retention is set - before relying on it.
- **No AD redundancy** - single DC = no failover for login/file/DNS.
- **Degraded RAID** keeps data-loss risk live until the SSD swap.
- **No formal written DR/BC plan** - no documented RTO/RPO, no tested restore.
- UPS battery-side placement of all core gear not fully verified onsite.
**Action steps** - confirm backup completeness + run a test restore; document a DR/BC plan with RTO/RPO; add a second (or cloud-hosted) DC for AD redundancy; finish the SSD swap; enable AutoConfigBackup; verify UPS coverage.
**Timeline** - backup verification + test restore is the immediate item; DR/BC document and AD redundancy pair with the CS-SERVER replacement project. **Priority: HIGH (P4).**
---
## 7. Malware Prevention & Virus Protection
**Current state**
- **Bitdefender GravityZone** (ACG's managed security platform) protects Cascades endpoints - **3 endpoints currently enrolled** in the tenant as of last audit.
- **GuruRMM** (ACG's RMM) is deployed for monitoring/patching; **Microsoft Defender / Exchange Online Protection** cover email.
**Gaps**
- **[IMPORTANT] CS-SERVER - the PHI server - is NOT in Bitdefender** (no managed AV/EDR on the most sensitive box).
- **Leftover previous-MSP agents** - Datto RMM (CentraStage) + Datto EDR (Infocyte/DattoAV) are still installed alongside our tools, causing agent sprawl and contributing to the server slowness.
- Only ~3 of ~29 managed devices are confirmed in Bitdefender - **coverage is incomplete and needs a full audit**.
**Action steps**
1. Enroll CS-SERVER and all remaining workstations into Bitdefender.
2. Remove the legacy Datto stack everywhere it remains.
3. Standardize on **Bitdefender (AV/EDR) + GuruRMM (management) + Defender/EOP (email)** and run a coverage audit so 100% of devices report in.
**Timeline** - run the coverage audit before the meeting; remediation is near-term. **Priority: HIGH (P3).**
*(Note: exact live endpoint counts to be confirmed via a Bitdefender coverage pull just before the meeting.)*
---
## 8. Use of AI
**Current state** - There is **no production AI system deployed at Cascades today**. The nearest active item is the **KPI dashboard** Ashley requested (2026-06-17): a single dashboard pulling KPIs across ALIS, QuickBooks, Bill.com, Relias, the CRM, TELS, Focus HR, etc. Recommended path is Phase 1 scheduled exports -> SharePoint -> Power BI, Phase 2 API automation - an analytics/automation foundation that AI can later build on. It is parked pending Ashley's day-one KPIs.
**Gaps / opportunities**
- **No AI acceptable-use policy** - the key governance gap. In a HIPAA environment, uncontrolled staff use of public AI tools (ChatGPT, etc.) is a PHI-leak risk. A simple policy + guardrails should come first.
- **Microsoft 365 Copilot** is a natural opportunity (the org already has M365), but needs HIPAA review before enabling on PHI-adjacent data.
- **Vendor AI features** (e.g., any AI inside ALIS or other SaaS) should be reviewed against their BAAs.
**Action steps** - (1) draft an AI acceptable-use policy for staff; (2) evaluate M365 Copilot with HIPAA guardrails; (3) progress the KPI dashboard as the sanctioned analytics path; (4) review vendor AI features against BAAs.
**Timeline** - policy first (quick); Copilot + dashboard are scoped opportunities. **Priority: MEDIUM (P6) - governance before adoption.**
---
## Suggested meeting flow
1. Walk the **priorities table (Section 0)** - agree on the order.
2. Lead with **CS-SERVER replacement (P1)** + **DR verification (P4)** - they are the same conversation and the biggest risk-reducers.
3. **HIPAA security gaps (P2)** + **malware coverage (P3)** - the compliance block.
4. **Voice closeout + M365 relicensing (P5)** - quick wins / time-sensitive.
5. **AI policy + KPI dashboard (P6)** - forward-looking.
6. **Clarify "assistive technology" scope (Section 5)** with Ashley.
7. Agree timelines + which items draw against the prepaid block vs. a separate project quote (server replacement).
---
## Pre-meeting to-do for ACG (to make this airtight)
- [ ] Live Bitdefender coverage pull (exact enrolled vs. unmanaged device counts).
- [ ] Live Syncro hours confirmation (currently 48.75 hrs).
- [ ] Confirm the cloud backup is image/bare-metal + retention (the DR linchpin).
- [ ] Get a rough budget number for the CS-SERVER replacement to bring to the meeting.