ADDENDUM #1 REQUEST FOR PROPOSALS
HIPAA/HITECH/OMNIBUS Act Compliance Consulting Services

TO: All Potential Responders
FROM: Angie Williams, RFP Coordinator
CLOSING DATE: September 24, 2015 at 3:00PM (UNCHANGED)
SUBJECT: HIPAA/HITECH/OMNIBUS Act Compliance Consulting Services
DATE: September 4, 2015

Proposers' Questions and Answers

Question #1: May I respond to the RFP noting this Partner (sub-contractor) in my response?
A: Yes.

Question #2: If allowed to respond with a sub-contractor, will we automatically receive fewer points than a company who has in-house PEN testers, or will the Evaluator rate our response equally / without prejudice as compared to the other respondents?
A: You will be evaluated equally whether subcontracting or having testers in-house.

Question #3: To price a PEN test I'll need some more information about number of IP addresses, etc. Typically we scope the environment via phone conference. May I set up a time with you to discuss (scope) the PEN testing requirements, or do you prefer I send you a list of questions via ?
A: There are 30 IP addresses for penetration testing. There will not be a phone conference. Bidders may submit written questions and comments until 3:00 p.m. Pacific Time by September 1,

Question #4: Does each of the 17 departments/offices have their own set of HIPAA-related policies and procedures that would need to be reviewed, OR are there overarching ones at the County level?
A: Not all 17 departments deal with HIPAA data. There is an overarching policy for all departments, and each department that deals with HIPAA data has department-specific practices and procedures.

Question #5: How many business-side interviews does the County anticipate the consultant to be conducting for data gathering purposes?
A: At a minimum, anticipate 2 interviews per department/office. This could increase depending on the complexity and volume of the HIPAA data handled by the department/office.

Question #6: How many IT staff does the County have, and could you break down the IT Department by position/title?
A: Number of IT staff is not relevant. The vendor will be working with 5 key IT staff members.

Question #7: What is the total number of applications/systems that would need to be reviewed for possible HIPAA compliance?
A: The Apparently Successful Proposer will work with each Office/Department to determine.

Question #8: How many servers does the County have? (Please provide number of physical vs. virtual servers.)
A: Not relevant. We have approximately 10 servers dealing with HIPAA data (most are virtual).

Question #9: How many internal target systems are expected to be in scope of the external penetration testing?
A: 10.

Question #10: How many external target systems are expected to be in scope of the external penetration testing?
A: 30.

Question #11: Does the County desire to have wireless penetration testing performed? If yes, how many wireless networks will be in scope?
A: No.

Question #12: What is the total population of BAAs/agreements/contracts from which we could select a sample?
A: Approximately 100 BAAs/agreements/contracts that have HIPAA-related elements.

Question #13: Is it expected that each department/office in scope will have a separate and distinct HIPAA Privacy and Security Rule Gap Analysis Report developed and applicable just to their business operations?
A: One report addressing the County's overall HIPAA Program compliance, with specifics for each department/office included.

Question #14: Is a presentation to Commissioners or County management expected at the end of the engagement? If yes, how many presentation sessions need to be factored into our fee quote?
A: There will likely be a single final presentation expected.

Question #15: What is the number of users in the environment (employees, contractors, others, etc.)?
A: Approximately

Question #16: How large is the county government body?
a. Is it centrally located or distributed?
b. Do remote sites have an on-site IT support presence?
A: Kitsap County consists of 10 elected offices and 10 departments. The Courthouse Campus is located on Division St. in Port Orchard, WA; however, there are a few departments/offices located within the county. Most remote sites do not have IT support on-site.

Question #17: List any key outsourced IT services or security services (e.g. data center hosting)?
A: Barracuda cloud backups.

Question #18: Are security policies and procedures defined and applicable across all locations, with little to no deviation from site to site?
A: The Apparently Successful Proposer will work with each Office/Department to determine.

Question #19: When was the last information security risk assessment completed?
A: A basic security assessment was likely completed in 2003 when the HIPAA program was developed and implemented; however, the use and management of ePHI has significantly increased since this initial assessment.

Question #20: Do you utilize Cloud services?
A: Yes.

Question #21: Is there a dedicated Information Security team or resource(s)?
A: No.

Question #22: Which applications/information systems are in scope?
A: The Apparently Successful Proposer will work with each Office/Department to determine.

Question #23: Are all sites that will be assessed on the same network infrastructure?
a. If not, how many sites are on their own infrastructure?
b. Are the sites that are on separate networks governed by a different set of security policies and procedures?
A: Yes, and we are governed by the same security policies and procedures.

Question #24: Are there any strict compliance or organizational deadlines for finalizing the risk assessment?
A: No, but we must complete this as soon as possible.

Question #25: Has the County determined a budget for this project? If so, can it be shared?
A: There has not been a budget determined.

Question #26: Does the County desire regular status updates/reports for the duration of the project? If so, at what frequency (e.g., bi-weekly, monthly)?
A: Yes, weekly.

Question #27: Does the County have a preference for contracting a local firm for this work? If so, what weight will this have in the evaluation process?
A: There is no local preference for the work.

Question #28: Does the County desire that the selected consultant give and/or facilitate presentations during the project? If so, at what milestones and to what audiences?
A: Yes, weekly to the project team and a final management presentation.

Question #29: Does the County require that proof of insurance be returned with the proposal, or would the County request this upon execution of a contract?
A: Proof of insurance should be provided upon execution of a contract.

Question #30: Does the County anticipate that the selected consultant will meet with County staff by functional area? If so, what are the functional areas, and at what staff level does the County anticipate the consultant will conduct these meetings (e.g., County leadership, management)?
A: Yes, department management and HIPAA Coordinators.

Question #31: Does the County anticipate that any external or third-party stakeholder groups will take part in any of the requested interviews?
A: Possibly.

Question #32: Section II.F: Do the departments identified represent one physical location each? What is the distance from the most central location to the most outlying location?
A: Most of the departments/offices are on the Courthouse Campus. The furthest remote location is 15 miles away.

Question #33: Section III.A.7: How many third-party entities is the County sharing ePHI with?
A: Estimate 30.

Question #34: Section III.A.10: Please provide a definition of sampling or a range of how many County contracts are to be reviewed.
A: Estimate 100 contracts that have HIPAA Program components.

Question #35: Section III.A.10: Are the contracts to be reviewed electronic, paper, or a combination?
A: Electronic.

Question #36: Section III.B: Are the policies to be reviewed electronic, paper, or a combination?
A: Electronic.

Question #37: Section III.D: Please clarify the scope of the on-site validation of physical security controls. For example, are intrusion attempts required?
A: An audit of required physical security requirements.

Question #38: Do all systems that are in scope reside in a central location (i.e., Information Services Network Operating Center)?
A: Yes.

Question #39: To the extent that you are able, please provide a summary of the in-scope infrastructure and systems (e.g., number and types of systems, operating systems, databases, firewalls).
A: Approximately 5 servers hosting HIPAA data, 30 servers for external penetration testing and 10 servers for internal penetration testing.
a. Mainly virtual servers
b. Microsoft Server 2008
c. Checkpoint Firewalls

Question #40: Is there a centralized medical records department for the County's healthcare-related departments?
A: Each Department/Office manages their records; however, some may have access to a centralized system. The County also is self-insured for employee medical benefits, and this is managed by the Human Resources Department.

Question #41: Are the medical records electronic, paper, or a combination?
A: Combination.

Question #42: Para II.F Facilities to be visited: Can you provide approximate distances between the various locations that are noted?
A: See Question 32.

Question #43: Para III.A: Please define Branch/Program in your opening paragraph noting a written report of analysis findings for each branch/program. How many branches/programs exist, and do you want a written report for each?
A: Each of the 17 departments, although some may not deal with HIPAA. One report detailing the HIPAA Program overall with department/office specifics included.

Question #44: Para III.A.6: Can you describe your expectations regarding "to include the costs of failure related to privacy or security breaches and related public communication costs"? Are you looking for more historical perspective within the industry, or types of costs vs. exact dollars?
A: Costs related to breaches from an industry perspective.

Question #45: Para III.E: HIPAA Security Risk Analysis. As written, it appears that you are expecting a single over-arching SRA for Kitsap County-held PHI, or are you expecting multiple reports by Kitsap entity, or branch/program? If multiple, how many, and what is the determination?
A: See Question 13.

Question #46: Para III.F: Internal Penetration Test
a. How many total devices will need to be assessed?
b. How many offices will need to be assessed?
c. Are all the offices connected to each other, meaning can we conduct the penetration test from one physical location and "see" all the devices at the other offices that are in scope?
A: 10; see RFP document for listing of departments to be assessed; all of our offices are on the same network.

Question #47: Para III.G: External Penetration Test
a. How many total systems will need to be assessed?
b. Are any of these systems hosted by a cloud provider?
A: See Question 3; see Question 17.

Question #48: Appendix A, Sect 4 Compensation references Exhibit B for Contractor Compensation. For purposes of this RFP, we have assumed that Exhibit B is for the final agreement and that our price proposal is not required to be in this format (refer to Para VI.5 (a), (b), and (c)). If a specific pricing format is required, please provide.
A: Yes, there is no specific format required.

Question #49: The scope of work section of the RFP indicates Kitsap County offices and departments must be visited to perform the assessment. How many such offices, departments and locations are in scope?
A: See Question 32.

Question #50: The RFP describes the following deliverables, including:
a. Gap analysis to HIPAA Security and Privacy requirements,
b. HIPAA Privacy and Security policy development,
c. Training program development, a risk analysis,
d. Internal penetration test,
e. External penetration test,
f. Onsite validation of physical security control.
Is there a specific order desired for these activities?
A: No specific order.

Question #51: Is the training program to be developed as well as implemented? How many training sessions may be required as a part of this engagement? Is there a desired medium for training, such as web training or web sessions or classroom training?
A: Develop the training program, preferably web based, to allow for internal implementation and oversight.

Question #52: The RFP lists a requirement to identify gaps in compliance with WA state privacy and security regulations and confidentiality statutes. Are there specific regulations and statutes in mind?
A: Other privacy and security requirements such as RCW or RCW as applicable.

Question #53: The scope and deliverables section requires an onsite visit of all involved branches/programs/offices. How many such facilities and locations are there? Are they similarly configured, and is it acceptable to select a representative sample of such locations for site visits?
A: See Question 32.

Question #54: List PHYSICAL locations where ePHI is created, received, maintained or transmitted, including locations of:
a. IT equipment / Data Center(s)
b. IT equipment / Third-party service providers
c. Backup or failover site(s)
d. Media storage onsite
e. Media storage offsite
A: Data Center, CenCom Building and Barracuda Cloud Storage.

Question #55: List the NUMBER and PHYSICAL locations of IT personnel, including contractors, who support the ePHI environment:
a. Application Support / Business Analysts
b. System Administrators / Engineers
c. Network Administrators / Engineers
d. Data Base Administrators
e. Application Developers / Testers
f. Others
A: All IT personnel are located on the Courthouse Campus. The total IT staff supporting ePHI is approximately 5.

Question #56: Please identify third-party organizations engaged to support the ePHI environment and explain their support role(s).
A: The Apparently Successful Proposer will work with each Office/Department to determine.

Question #57: Can third-party organizations which provide IT applications or infrastructure services to your Organization provide an external auditor's report concerning the design and operating effectiveness of the control environment?
A: The Apparently Successful Proposer will work with each Office/Department to determine.

Question #58: Describe your Organization's IT security compliance efforts to date in terms of the following:
a. Privacy and security officers identified?
b. HIPAA / HITECH security policies in place?
c. IT / ePHI environment risk analysis performed?
d. Accurate and up-to-date ePHI inventory?
e. IT security compliance assessment performed?
f. Remediation plan developed and progressing?
g. Business Continuity Plan / Disaster Recovery Plan?
h. Business Associate compliance management?
A: Each department has designated privacy and security officers. These department officers would ensure security policies, inventory, and compliance assessments are conducted. The County's IS department maintains a General Business Continuity/Disaster Recovery Plan; however, this is not necessarily specific to HIPAA data. Business Associate compliance is a department/office function.

Question #59: Describe any technical testing performed, how frequently, and any scope limitations.
a. External vulnerability scans or assessments?
b. Internal vulnerability scans or assessments?
c. Penetration testing?
d. Third party assessments or testing?
A: No testing has been performed recently.

Question #60: Please describe your ePHI environment in terms of the technologies in use, including:
a. Perimeter security and protection
b. Domain / LDAP architecture
c. Virtualization
d. Operating systems
e. Database management systems
f. Encryption of ePHI at rest
g. Encryption of ePHI in transit
h. Audit trails and logs
A: A-G: The IS Department has security systems in place. The intent of this consult is to determine whether the systems in place are sufficient and appropriate. H: Each Department/Office maintains an audit trail and log.

Question #61: Please describe any use of network segmentation to limit access to sensitive data.
A: There are none. We use Active Directory rights.

Question #62: Are IT services centralized in one place and managed by a central department?
A: Yes.

Question #63: If IT services are distributed, please provide a brief description of how it is managed.
A: N/A.

Question #64: Please quantify the number of application, database, file, web, and other servers used to store, process, or transmit ePHI.
A: 5.

Question #65: Please describe your ePHI environment in terms of the applications in use, including:
a. ePHI Applications Overall (Note the approximate number of ePHI applications and comment on whether a list of these applications exists.)
b. ePHI Applications Desired in Scope (Note the number of ePHI applications which should be within the scope of services and list them below.)
A: Each department/office accesses specific applications. This will be determined during the consult.

Question #66: Specify the number of business lines and/or business process areas which create, receive, maintain or transmit ePHI. (Note: This drives the potential number of business process subject matter expert interviews and/or questionnaires.)
A: Approximately 10 departments/offices.

Question #67: Number of external IP addresses (internet-facing, publicly routable)?
A: 30.

Question #68: Number of internal IP addresses?
A: 10.

Question #69: Does any technical testing (e.g., automated scans) need to be performed outside of normal business hours (8 am to 6 pm Monday through Friday)?
A: No.

Question #70: Can internal network technical testing be performed remotely via a VPN connection, or must it occur physically onsite?
A: On-site.

Question #71: How do the remote locations connect to each other?
A: All on our network (LAN/WAN).

Question #72: How many applications are in scope?
A: See Question 7.

Question #73: Is the desired testing blackbox?
A: No.
More informationCSU, Chico Credit Card PCI-DSS Risk Assessment
CSU, Chico Credit Card PCI-DSS Risk Assessment Division/ Department Name: Merchant ID Financial Account Location (University, Auxiliary Organization) Business unit functional contact: : Title: Telephone:
More informationLeveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance
ADVANCED INTERNET TECHNOLOGIES, INC. https://www.ait.com Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance Table of Contents Introduction... 2 Encryption and Protection
More informationOffice of the City Auditor and Clerk
Office of the City Auditor and Clerk Externally Hosted IBM iseries System Arrangement For Utility Billing System Final Executive Summary Internal Audit Report Internal Audit Project # 08-05 May 28, 2008
More informationCounselorMax and ORS Managed Hosting RFP 15-NW-0016
CounselorMax and ORS Managed Hosting RFP 15-NW-0016 Posting Date 4/22/2015 Proposal submission deadline 5/15/2015, 5:00 PM ET Purpose of the RFP NeighborWorks America has a requirement for managed hosting
More informationSample Statement of Work
Sample Statement of Work Customer name Brad Miller brad@solidborder.com Fishnet Security Sample Statement of Work: Customer Name Scope of Work Engagement Objectives Customer, TX ( Customer or Client )
More informationEllucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant
Ellucian Cloud Services Joe Street Cloud Services, Sr. Solution Consultant Confidentiality Statement The information contained herein is considered proprietary and highly confidential by Ellucian Managed
More informationRFP 2007-046 Addendum #3 Client Database Management Software Questions and Answers
RFP 2007-046 Addendum #3 Client Database Management Software 1 n/a n/a During the vendor conference, a list of major participants was offered in a PowerPoint presentation. Will all team members be present
More informationChecklist for Vulnerability Assessment
Checklist for Vulnerability Assessment Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on
More informationHealthcare IT Compliance Service. Services > Overview MaaS360 Healthcare IT Compliance Service
Services > Overview MaaS360 Ensure Technical Safeguards for EPHI are Working Monitor firewalls, anti-virus packages, data encryption solutions, VPN clients and other security applications to ensure that
More informationIT - General Controls Questionnaire
IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow
More informationHIPAA Security & Compliance
Creative Mind. Creative Heart. Creative Care. 2014 WALA Spring Conference HIPAA Security & Compliance Jeff Grady Thursday, March 27 10:30 am HIPAA Security & Compliance A TIME FOR ACTION Jeff Grady, Senior
More informationResponse to Queries Received for RFP of Security Integrator - Tender No. 63
Sr.N RFP Clause Original Query Reply/Remark o. 1. Perform Incident Management with respect to the following: For Forensic Analysis of logs Please clarify the systems/devices Contain attacks through for
More informationCITY AND COUNTY OF DENVER AUDITOR S OFFICE REQUEST FOR PROPOSAL FOR PROFESSIONAL AUDITING SERVICES. Additional Information.
CITY AND COUNTY OF DENVER AUDITOR S OFFICE FOR PROFESSIONAL AUDITING SERVICES Additional Information March 10, 2016 The following questions were asked and answered at the February 26, 2016 Pre-Proposal
More informationResponse to Questions CML 15-018 Managed Information Security
Response to Questions CML 15-018 Managed Information Security 1. What are the most critical aspects that need to be provided for this RFP, in light of the comment that multiple awards might be provided?
More informationIntroduction and Background
Request for Bid Network Security Assessment March 28, 2016 Introduction and Background Purpose of the Request for Proposal The Library Network operates a wide area telecommunications network for 70 public
More informationNetwork Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients
Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients Network Test Labs Inc. Head Office 170 422 Richards Street, Vancouver BC, V6B 2Z4 E-mail: info@networktestlabs.com
More informationState of Oregon. State of Oregon 1
State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information
More informationAddendum No. 2 RFP # 13-10340-3950 SAP ERP SYSTEM AND INFORMATION SECURITY PROGRAM ASSESSMENTS
Addendum 2 RFP # 13-10340-3950 SAP ERP SYSTEM AND INFORMATION SECURITY PROGRAM ASSESSMENTS Prospective Respondents: You are hereby notified of the following information in regard to the referenced RFP:
More informationSecurity from a customer s perspective. Halogen s approach to security
September 18, 2015 Security from a customer s perspective Using a cloud-based talent management program can deliver tremendous benefits to your organization, including aligning your workforce, improving
More informationINFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire
Institution Charter Date of Exam Prepared By INFORMATION TECHLOGY OFFICER S QUESTIONNAIRE Instructions for Completing the Information Technology Examination Officer s Questionnaire The Information Technology
More informationOUTSOURCING DUE DILIGENCE FORM
OUTSOURCING DUE DILIGENCE FORM SERVICE TO BE OUTSOURCED 1. Type of service to be outsourced: Accounting/Finance: Compliance Consulting: Legal Services: Administrative Functions: Information Technology:
More informationRequest for Resume (RFR) CATS+ Master Contract All Master Contract Provisions Apply. Section 1 General Information
Section 1 General Information RFR Number: (Reference BPO Number) Functional Area (Enter One Only) R00B4400129 FUNCTIONAL AREA 7 INFORMATION SYSTEM SECURITY LABOR CATEGORY Security, Computer Systems Specialist
More informationEVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07
EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014
More informationAnalysis of IT Infrastructure and Plan for Disaster Recovery. Response to Questions Regarding RFP 180-13-02 Updated August 20, 2013
Analysis of IT Infrastructure and Plan for Disaster Recovery Response to Questions Regarding RFP 180-13-02 Updated August 20, 2013 1. Is there a 3 to 5 year IT Strategic Plan that would provide insight
More informationHIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT
HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.
More informationInformation Technology Security Review April 16, 2012
Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing
More informationData Security and Healthcare
Data Security and Healthcare Complex data flows Millions of electronic medical records across many systems New and emerging business relationships Changing and maturing compliance frameworks Diverse population
More informationIT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results
Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.
More informationAssistant Director, Technology Procurement 301-985-7707. RFP 91263 Network and Telephony Managed Services Addendum #1 dated 01/23/2015
DATE: January 26, 2015 TO: FROM: RE: All Prospective Proposers Amy Kisloski Assistant Director, Technology Procurement 301-985-7707 RFP 91263 Network and Telephony Managed Services Addendum #1 dated 01/23/2015
More informationDESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationWilliamson County Technology Services Technology Project Questionnaire for Vendor (To be filled out withprospective solution provider)
Williamson County Technology Services Technology Project Questionnaire for Vendor (To be filled out withprospective solution provider) General Project Questions Please provide the proposed timeline estimate:
More informationPayment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0
Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0 September 2011 Changes Date September 2011 Version Description 1.0 To introduce PCI DSS ROC Reporting Instructions
More informationServices Providers. Ivan Soto
SOP s for Managing Application Services Providers Ivan Soto Learning Objectives At the end of this session we will have covered: Types of Managed Services Outsourcing process Quality expectations for Managed
More informationGoals. Understanding security testing
Getting The Most Value From Your Next Network Penetration Test Jerald Dawkins, Ph.D. True Digital Security p. o. b o x 3 5 6 2 3 t u l s a, O K 7 4 1 5 3 p. 8 6 6. 4 3 0. 2 5 9 5 f. 8 7 7. 7 2 0. 4 0 3
More informationPCI DATA SECURITY STANDARD OVERVIEW
PCI DATA SECURITY STANDARD OVERVIEW According to Visa, All members, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard. In order to be PCI compliant,
More informationCritical Controls for Cyber Security. www.infogistic.com
Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability
More informationHIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services
HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services How MSPs can profit from selling HIPAA security services Managed Service Providers (MSP) can use the Health Insurance Portability
More informationSecure HIPAA Compliant Cloud Computing
BUSINESS WHITE PAPER Secure HIPAA Compliant Cloud Computing Step-by-step guide for achieving HIPAA compliance and safeguarding your PHI in a cloud computing environment Step-by-Step Guide for Choosing
More informationLogging In: Auditing Cybersecurity in an Unsecure World
About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that
More informationPCI-DSS Penetration Testing
PCI-DSS Penetration Testing Adam Goslin, Co-Founder High Bit Security May 10, 2011 About High Bit Security High Bit helps companies obtain or maintain their PCI compliance (Level 1 through Level 4 compliance)
More informationINFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION
INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,
More informationOIG Security Audit: What You Need To Know
Watch the Replay on YouTube OIG Security Audit: What You Need To Know Executive Series Webinar July 23rd, 2015 Today s Speakers Elana R. Zana Attorney & Author Ogden Murphy Wallace P.L.L.C. ezana@omwlaw.com
More informationHIPAA Privacy and Security Risk Assessment and Action Planning
HIPAA Privacy and Security Risk Assessment and Action Planning Practice Name: Participants: Date: MU Stage: EHR Vendor: Access Control Unique ID and PW for Users (TVS016) Role Based Access (TVS023) Account
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationOffice of Information Technology Hosted Services Service Level Agreement FY2009
Application Name: Application Agreement Start Date: 07/01/08 Customer Name: Customer Agreement Renewal Date: 06/30/09 SLA Number: HSxxxFY09A Service Description: This document describes the technical support
More information