Vulnerability/Penetration (PEN) Testing (Lot 4) Service: 5.G

Transcription

1 Vulnerability/Penetration (PEN) Testing (Lot 4) Service: 5.G

2 CONTENTS 1. WHY LEICESTERSHIRE HEALTH INFORMATICS SERVICE? SERVICE OVERVIEW OUR PEOPLE ORDERING AND INVOICING PROCESS FURTHER INFORMATION... 7 Author: Colin Swift Product Manager colin.swift@leics-his.nhs.uk Prepared for: The Health Informatics Service is provided by Leicestershire Partnership NHS Trust on behalf of the Leicester, Leicestershire and Rutland Health Community. Page 2 of 8

3 1. Why Leicestershire Health Informatics Service? Leicestershire Health Informatics Service (LHIS) is hosted by the Leicestershire Partnership NHS Trust. The Trust serves a population of one million people across Leicester, Leicestershire and Rutland and has a budget in excess of 250 million and employs over 5,000 staff in a wide variety of roles. This hosting arrangement provides LHIS with a sound financial and organisation platform from which to operate along sound business practices. LHIS provides a vast range of IT products, services and solutions to its clients. LHIS delivers these solutions nationwide to all sectors of the Healthcare market and beyond including primary care NHS Trusts, Clinical Commissioning Groups (CCG s), Commissioning Support Units (CSU), care homes, hospices and General Practices, Acute Hospital Trusts, arm s length bodies and Any Qualified Providers (AQP s). LHIS has approximately 130 highly qualified IT staff including dedicated teams of project managers, change managers, web developers, application developers, content editors, I.T trainers, service desk analysts, business intelligence and data warehousing staff, network engineers, desktop and enterprise support. As an NHS organisation LHIS has extensive experience of NHS standards, clinical systems security, NHS procedures, information governance and risk management. LHIS has passed its Health Informatics Standards Accreditation (HISA); this has been developed by the HSCIC to allow commissioners of IM&T services within the NHS to build this as a quality standard that they should look for when considering future supply. The LHIS client base has grown through word of mouth recommendations based on LHIS s excellent track record of service and delivery to include non NHS public sector organisations such as Councils, Charities, Schools and Colleges. 2. Service overview The LHIS penetration service is scoped individually to ensure that the specific vulnerabilities that would render a system or organisation to attack are identified. Once identified LHIS will provide recommendations to enable the organisation to mitigate the threat. The LHIS Tigerscheme certified security professionals are able to test for both internal and external vulnerabilities of individual systems, whole data centres or complete organisations. Tigerscheme does not apply a theory only approach to certification and requires the ability to apply knowledge successfully. LHIS certified Tigerscheme testers are provided with an ID card that can be used to check credentials and training history online. Page 3 of 8

4 Testing Process The LHIS penetration and vulnerability testing process is shown below: Scoping Mitigation and Remedial action Reconnaissance Reporting Assessment and Testing LHIS consultants work together with the customer to agree a scope that meets the client s security requirements and encompasses the required range of testing. This will include as applicable: Scoping Discussions about any critical systems. Sensitivity of information held. The locations of sensitive information. Previously raised issues or concerns. Any historical testing or assessment. Page 4 of 8

5 At this stage the consultant will gather information on the target organisation as required to assist with the identification of potential vulnerabilities that could be exploited. This information might include: Reconnaissance Employee details such as names. DNS records. Organisational structure and hierarchy. Reports and publications. Website data and metadata. Social media posts and tweets. News articles. addresses. Assessment and Testing The information collected during the reconnaissance phase information is used to support assessment. The assessment provides information that can be used in the subsequent full scale penetration testing. This phase attempts to identify all vulnerabilities that potentially could lead to a breach of security. Once the testing is completed the results are analysed to create a report detailing Reporting Breakdown of the testing results. The security issues to address. Recommendations to resolve vulnerabilities. Mitigation and Remedial action Following the reporting stage LHIS is able to assist with the implementation of any remedial actions required and if necessary to perform a retest to ensure the vulnerabilities identified have been resolved. Page 5 of 8

6 Range of services LHIS range of penetration and vulnerability testing services include: Application This assesses the threat from potential authenticated and unauthenticated attackers. Testing is likely to include users, roles, session management, input validation, injection attacks and logic errors. Infrastructure This covers testing of network, servers, firewalls, VoIP and any other infrastructure components that potentially could present vulnerabilities. The testing ensures that the infrastructure has been built and secured with best practice adhered to. Social engineering This testing provides a detailed view of how internal processes and/or staff can be manipulated to divulge sensitive information or to perform actions which might lead to the exposure of vulnerabilities leading to attacks. 3. Our people Our ICT Security personnel have qualifications including: Tigerscheme member. Certified Information Systems Auditor. Certified Security Testing Professional. Certified Ethical Hacker. Many are also members of professional bodies such as: The British Computer Society (BCS). UK Council of Health Informatics Professionals (UKCIP). Most LHIS staff members possess graduate or postgraduate qualifications in ICT, security or are Chartered IT Professionals Page 6 of 8

7 4. Ordering and invoicing process Call us on option 7 crmteam@leics-his.nhs.uk LHIS will provide assistance with completing the G-Cloud call-off contract, which will include an order form. 5. Further Information If you have any queries, questions, wish to request further information please contact (quoting G-Cloud V enquiry ) as follows crmteam@leics-his.nhs.uk option 7 More LHIS information can also be found at: Page 7 of 8

8 Page 8 of 8