Work Project Inventory
Overview
Complete inventory of work projects at Children’s Hospital Los Angeles (CHLA), organized by priority and status.
Generated: 2026-03-25
Summary
| Priority | Count | Status |
|---|---|---|
| P0 - Critical | 4 | Behind/Blocked |
| P1 - High | 6 | Mixed |
| P2 - Strategic | 6 | Planned/Partial |
| Total | 16 projects | |
P0 - Critical Projects
| Project | Status | Owner | Blocker |
|---|---|---|---|
| | BEHIND | Evan | Certificate "password required" - nmcli fix documented |
| | BEHIND | Ben Castillo / InfoSec | DB replication issues, no SSL/HTTPS |
| | BEHIND (10%) | Evan | No progress on planning, need stakeholder meetings |
| | BLOCKED | Evan | CISO decision pending |
P1 - High Priority Projects
| Project | Status | Owner | Target |
|---|---|---|---|
| | Blocked | Evan | Q1 2026 |
| | Complete | Evan | Assessment done - no refresh needed |
| | Pending | Evan | Q1 2026 |
| | Active | Evan | — |
| | Active | Evan | — |
| | Active | Evan | C-level visibility |
P2 - Strategic Projects
| Project | Status | Owner | Notes |
|---|---|---|---|
| | Partial | Evan | Monad selected (2026-03-09) |
| | NOT STARTED | TBD | New HHS security policies |
| | NOT STARTED | TBD | PowerBI metrics |
| | NOT STARTED | TBD | Endpoint protection consolidation |
| | In Progress | Team | Modern landing zone |
| | In Progress | Victor | SCEP + Victor, Paul testing |
Project Details
Linux Research (Xianming Ding)
| Priority | P0 - Critical |
|---|---|
| Status | BEHIND |
| Owner | Evan |
| Objective | EAP-TLS for Linux workstations, dACL, UFW |
| Documentation | |
| Related | domus-ise-linux component |
Current Blocker: Certificate "password required" issue with nmcli. Fix documented but needs implementation.
iPSK Manager High Availability
| Priority | P0 → P1 |
|---|---|
| Status | BEHIND |
| Owner | Ben Castillo (original), InfoSec (HA) |
| Objective | Pre-shared key automation with HA deployment |
| Documentation | |
| GitHub | |

Issues:
- No SSL/HTTPS - credentials transmitted in clear text
- No secure ODBC
- Secondary server provided but NOT configured
- Database replication not implemented
Phases: DB Replication → App HA → Load Balancer → ISE Integration
MSCHAPv2 to Certificate-Based Authentication Migration
| Priority | P1 |
|---|---|
| Status | 10% Complete |
| Owner | Evan |
| Objective | Migrate 6,088 endpoints from MSCHAPv2 to EAP-TLS/EAP-TEAP |
| Documentation | |
| Timeline | ~4 months (proposed) |

Migration Waves:
| Wave | Device Type | Count | Contact |
|---|---|---|---|
| 1 | Chromebooks | 1,754 | Paul Tran |
| 2 | WYSE Thin Clients | 857 | Andrew Rolle |
| 3 | Windows Domain | 270 | Intune Team |
| 4 | macOS | 331 | JAMF Team |
| 5 | iOS/iPhone | 1,760 | Intune/JAMF |
Next Action: Schedule meetings with Paul Tran (Chromebooks) and Andrew Rolle (WYSE).
Research Segmentation
| Priority | P0 - Critical |
|---|---|
| Status | BLOCKED |
| Owner | Evan |
| Objective | All research endpoints to Untrusted VLAN |
| Documentation | |
| Blocker | CISO decision pending |
ISE 3.4 Migration
| Priority | P1 |
|---|---|
| Status | Blocked |
| Owner | Evan |
| Objective | Upgrade from ISE 3.2p9 to 3.3+/3.4 |
| Documentation | |
| Target | Q1 2026 |
ISE Hardware Refresh Assessment
| Priority | P1 |
|---|---|
| Status | COMPLETE |
| Owner | Evan |
| Objective | 18-month hardware replacement planning |
| Documentation | |
| Decision Date | 2026-03-16 |

Findings:
- Hardware: SNS-3755-K9 enterprise-class - NO refresh needed
- Software: Version 3.2 past SW maintenance (ended 2025-10-31)
- Action: Upgrade to ISE 3.3+ before EOS (2028-10-31)
- Timeline: Plan upgrade within 6-12 months
Switch Upgrades
| Priority | P1 |
|---|---|
| Status | Pending |
| Owner | Evan |
| Objective | IOS-XE fleet update (C9300, 3560CX) |
| Target | Q1 2026 |
NebulaONE Enterprise AI Platform
| Priority | P1-Critical |
|---|---|
| Status | Active |
| Owner | Evan (Network Security / Platform Engineering) |
| Objective | Enterprise AI platform deployment on Azure |
| Documentation | |
| Visibility | C-Level |
| Vendor | Cloudforce |

Responsibilities:
- Network Architecture Review - Hub-and-spoke model
- Security Architecture - Zero Trust implementation
- Logging/SIEM Integration - Central Log Analytics workspace
- Compliance - HIPAA-ready infrastructure design
- IaC Security - Terraform/Bicep security patterns
Key Stakeholders: Alexander Urasaki (Lead), Cliff Meyer (Logging), Shehab Hassanien (Security), Suman Giri (Platform)
QRadar → Sentinel Migration
| Priority | P2 |
|---|---|
| Status | Partial |
| Owner | Evan |
| Objective | Full SIEM platform transition with cost optimization |
| Documentation | |
| Decision | Monad (Vendor) selected 2026-03-09 |

Strategy: ETL pipeline between log sources and SIEM to reduce volume while maintaining compliance.
Components:
- Monad Evaluation - Complete
- In-House Alternative - Complete (not selected)
- SDK Integration - In Progress
- Log Source Inventory - Planned
- Filtering Strategy - Planned
HHS Regulatory Compliance
| Priority | P2 |
|---|---|
| Status | NOT STARTED |
| Owner | TBD |
| Objective | New HHS security policies implementation |
InfoSec Reporting Dashboard
| Priority | P2 |
|---|---|
| Status | NOT STARTED |
| Owner | TBD |
| Objective | PowerBI metrics for executives |
EDR Migration (AMP → Defender)
| Priority | P2 |
|---|---|
| Status | NOT STARTED |
| Owner | TBD |
| Objective | Endpoint protection consolidation |
Azure Legacy Migration
| Priority | P2 |
|---|---|
| Status | In Progress |
| Owner | Team |
| Objective | Modern landing zone architecture |
ChromeOS EAP-TLS
| Priority | P2 |
|---|---|
| Status | In Progress |
| Owner | Victor |
| Objective | SCEP + certificate deployment for Chromebooks |
| Testers | Victor, Paul |
Documentation Locations
Current Structure (Needs Consolidation)
| Location | Purpose | Files |
|---|---|---|
| | Detailed PRJ-*.adoc documentation | 5 files |
| | Portfolio presentation pages | 6 files |
| | Index page for portfolio | 1 file |
| | Dedicated SIEM migration project | 4 files |
| | Status tracker (P0/P1/P2) | 1 file |
Recommended Consolidation
Merge all work project documentation into projects/chla/ with PRJ-* naming convention:
- projects/chla/linux-research/index.adoc (new)
- projects/chla/research-segmentation/index.adoc (new)
- projects/chla/ise-34-migration/index.adoc (new)
- projects/chla/PRJ-qradar-sentinel.adoc (absorb siem-qradar-to-sentinel/)
Keep partials/trackers/work/projects.adoc for status tracking.
Action Items
- Consolidate portfolio/work-chla/ into projects/chla/
- Create missing PRJ-*.adoc files for undocumented projects
- Update tracker partial with this inventory
- Review quarterly