Midwest Health Systems
Case Analysis Assignment
In this case, the context is Midwest Health Systems (Midwest) and the scenario is evaluating a
enterpise information security architecture. Your analysis of this case will be framed around a
number of questions that are presented at the end of this writeup. As laid out in our syllabus, your
analysis should, at minimum, meet the “2-why” standard.
While you can find a number of strategies out there for conquering case analyses (many of them
are very good), I recommend the approach of reading the case at least once without consideration
of the questions. That opens the mind up to absorbing details that might otherwise erroneously
get dismissed in a “know the questions, hunt for the answers” type of approach. After that, lay our
your outline with each question framing a new major section. Then, re-read the case analysis and
as you go through, build the outline of your answer with references to page numbers so you can
quickly go back. Once the outline is built, you should have a clean connection between your point
and some evidence from the case. At that point, it is a matter of polishing the communication
without inadvertently changing the thesis.
The case can be found in your Harvard Coursepack, referenced in the Materials section of our
syllabus. The case analysis must be submitted through Blackboard in Microsoft Word or .pdf
format before 11:59pm Sunday, March 28
Case Analysis Questions:

  1. Identify the IT general control risks evident from the case. For each risk identified,
    identifiy possible controls to mitigate those risks and explain why you believe the
    control would work.
  2. Define residual risk and then identify at least three such risks from the case,
    mapping those examples conceptually to your definition of residual risk.
  3. Do you agree with the audit team’s conclusion that the only significant areas of
    concern in IT general controls are access security and change management? Please
    explain your answer at a “2-why” minimum standard.
  4. What course(s) of action do you recommend that Nelson take based on your analysis
    of identified risks and suggested controls?