About This Document. Response to Questions. Security Sytems Assessment RFQ

Transcription

1 Response to Questions Security Sytems Assessment RFQ Posted October 1, 2015 Q: Which specific security assessment processes are sought for this engagement? The RFQ mentions several kinds of analysis and deliverables which can each be substantive, individual projects on their own. [Name redacted] is capable of providing all of the services described below, but we want to be sure that [name redacted] proposes an approach that meets PCORI s objectives. Risk Assessments identify whether required security controls are in place, and whether they provide a reasonable and appropriate or acceptable risk to the public, to PCORI and to PCORI s constituency. Risk assessments are a required basis for compliance and security management by government agencies, and nongovernment agencies alike. Risk assessments are a type of analysis that are commonly run within a project with planned interviews, evidence gathering, analysis and reporting. Risk assessments are often a discrete effort from other security analyses that are stated in the RFQ (as listed below). Vulnerability Assessments are scans of technical systems, applications, and devices that reveal a set of weaknesses in systems that lead to potential exploits. These are very useful in identifying opportunities for breaches and hack attacks, and for analyzing vulnerabilities in Risk Assessments. They can be run independent of Risk Assessments. About This Document This document answers all of the questions received as of September 15, Questions received after that date will not be answered. Questions are listed exactly as they were received. Language that includes personal or organization identifiers has been redacted. General terms (underlined) have been substituted to protect privacy. The Patient-Centered Outcomes Research Institute (PCORI) is an independent organization created to help people make informed healthcare decisions L St., NW, Suite 900 Washington, DC Phone: (202) Fax: (202) info@pcori.org Follow us on RFQ # PCO-SSA2015 Responses to Questions 1

2 Penetration Testing (of which Social Engineering is a part) is also run as a discrete project, but that creates valuable information that can be analyzed and prioritized in a risk assessment, or addressed and repaired independent of a risk assessment. Penetration tests are efforts by technicians to (safely) determine to what degree systems and information can be compromised. Penetration test reports can be analyzed in a risk assessment for prioritization of repair, or can be used directly to repair any flaws that led to demonstrated compromise. Disaster Recovery / Business Continuity Planning can be cursory or in-depth. A cursory review can be an explicit focus of a risk assessment that determines whether the classic parts of a business continuity disaster recovery plan is in place, and appears well designed. A more substantive review can provide you with a substantive, tested plan with assurances of appropriate detail and accuracy of the plan. Security Architecture Design can also be cursory or in-depth, depending on the challenges and risks that are identified during Risk Assessments and Penetration Tests. Incident Response Plan is another process or item that can be handled to a cursory or indepth degree. Security Policy Design is a process that can take considerable or little effort, depending on the current state of PCORI policies, and the complexity of the environment. A: The following processes (referenced above) are sought after as part of this engagement: Risk Assessments, Penetration Testing, Incident Response Plan, and Security Policy Design. Q: How flexible is PCORI s described timeline? We understand the timing that is described in the RFQ, but the actual time it would take to conduct the described work is typically significantly more than what is stated. As we come to understand PCORI s objectives as a result of discussing Item 1, we can help plan a project that meets your objectives for Item 2. A: Yes, we are flexible. Q: How complex and broad is the environment that will be assessed? This is an important element in our understanding of your objectives so that [name redacted] can appropriately estimate the time and skills our team would require in order to properly assess your environment. A: We are percent cloud-based and also have two physical sites in Washington, D.C. Q: How deep should the risk analysis be? [Name redacted] is capable of conducting risk assessments that are based on policy reviews and interviews, or additionally, the effectiveness of the controls after reviewing evidence. A: The analysis should encompass a deep analysis of our environment. Q: What is the scope of the investigation? For example, does it include PCORnet? A: No, it doesn t include PCORnet, it includes PCORI main systems. RFQ # PCO-SSA2015 Responses to Questions 2

3 Q: Does it include the security practices of contractors, such as implementers and developers? A: Yes. Q: Does it include the use of information by review boards or other groups external to PCORI s staff? A: No, it does not. Q: What is the basis of your distinction between an internal and an external system? A: Internal PCORI staff facing External Non-PCORI staff Q: While PII and PHI is emphasized, the security of other information, such as financial information, should also be considered. Is this correct? A: Yes. Q: What is scope of the PCORI network? For example, does it include PCORnet? A: It is local to two PCORI sites and all the applications in the cloud (i.e., SharePoint, Fluxx, Salesforce, etc.) Q: We are concerned that PCORI may be expecting that the contractor can conduct an in-depth examination (e.g., to the hardware or operating system level) for Software as a Service applications such as Salesforce and Foundation Connect, as well as for Platform as a Service solutions such as Amazon Web Services. Can you please comment on your expectations for security examination, for services that are managed and delivered by third-party service providers? A: Our expectation is that the vendor uses industry best practices. Q: Has any IT risk assessment already been performed, such as identifying strategic assets and the cost of their being compromised? Did executive management participate in the risk assessment? If so, how? A: No, there have not been any already performed. Q: Is executive management expected to participate in the risk assessment associated with this study? A: This is dependent upon the depth of the study. Q: How are you defining Social Engineering in the proposal? A: Unauthorized person using PCORI staff to gain access to PCORI Data. Q: Are information owners expected to participate in the Information Asset Profiling process? A: TBD RFQ # PCO-SSA2015 Responses to Questions 3

4 Q: How many locations are subject to vulnerability assessment, attack and penetration testing and application security testing? A: 2 Q: Is PCORI s system within the scope of the investigation? A: Yes Q: Security Assessment/Penetration Test Scoping questions for PCORI: How many data centers are there? 0 How many physical locations are there? 2 Are all Security Procedures and Policies centrally managed? Yes How many individuals will need to be interviewed in order to collect relevant Policy and Procedure Information? All SME RFP identifies ISO27001 as a reference model. Is PCORI sensitive to HIPAA and/or PCI control requirements? Yes A: See above Q: External Test: Will you provide address ranges? If not would you like a Black Hat Test sequence executed? What are the Number of IP's owned / in scope? What are the Number of IP s managed by another party? 10 What is the Number of separate DMZs? 2 What are the Number of IP's active within the scope? 254 What Number of Web Applications and description (approx # of pages, components)? Is there a Mobile Device Management Solution in place? How many PDAs? Etc are in scope? Yes, 100 PDA s Are there any Modems in scope? No How many external WIFI environments exist? 1 A: Should they be selected as a vendor this information will be provided. Q: Internal Test: What is Number of IP's owned. How many subnets? What is the Number of Servers, Desktops What are the Number of IP's active Wireless Testing: RFQ # PCO-SSA2015 Responses to Questions 4

5 What is the # SSID's & physical location (s) Social Engineering: What is the # of phishing targets? A: Should they be selected as a vendor this information will be provided. Q: External Network Penetration Testing Total number of *active* IP s (external): Number of servers: Number of network devices (est.): Is the environment hosted internally or by a third party? A: Should they be selected as a vendor this information will be provided. Q: Internal Network Penetration Testing Total number of *active* IP s (internal): Servers: o Total Server Count: 4 physical, others virtual o Breakdown of Windows: 4 o Breakdown of Linux: 0 o Breakdown of Other: 0 Workstations: o Total workstation count: 250 o How many standard builds or images are you using to deploy these workstations (this is to see how much we will be able to take advantage of sampling)? 1 Number of network devices (est.): 1 Q: Application Penetration Testing: For the application penetration testing, the most important information for scoping purposes is to get an estimate of size of the application. This includes number of pages, number of user level roles (ie. Admin, User, etc.), whether the pages are mostly comprised of static or dynamic content, and how many unique input fields are being used across all pages. This information will provide a good understanding of how long and complex the testing of the application will be. With that in mind, please address the following questions to the best of your ability. Application Penetration Testing Questions How many applications are in scope for this security assessment? RFQ # PCO-SSA2015 Responses to Questions 5

6 Is the application internal, or public facing? Both o If public facing, please provide a URL for each app in scope: 1. App1: TBD 2. App2: TBD 3. App3: TBD Application No. 1: (repeat for each application) Sizing: How many web pages comprise the application? How many of those web pages are static? How many of those web pages are dynamic? How many total input parameters are used (input fields across all pages)? How many unique input parameters are used (input parameters reused on several pages)? How many user levels/roles are defined within the application (ie Admin, User, Customer)? o How many user roles are in scope for the testing? A: This information will be provided to the winning bidder. Q: Wireless Assessment: Number of wireless networks in scope: 5 Number of wireless access points: Give or take 10 Number of controllers: 2 Number of locations (unique cities or geographical locations.): 2 Q: Social Engineering Electronic: o For each building: 1. Number of floors: 6 2. Approximate square footage: This information will be provided to the winning bidder. What types of attacks are desired? RFQ # PCO-SSA2015 Responses to Questions 6

7 o Phishing (if so, how many users are in scope)? Yes o Pre-Text Calling (if so, how many users are in scope)? Yes o Vishing? Yes Will we enumerate/identify the targets via reconnaissance or will targets be identified? TBD If attacks are successful is data compromise or exploitation desired, or simply notating the success/failure of the attacks? TBD What is the ultimate objective (access to data, a particular system, etc.)? Find our weakness and determine solutions. Q: Physical: What types of attacks are desired? o Dumpster Diving? TBD o USB Drops? TBD o Server room infiltration? TBD How many locations and users are in scope? All staff (250) Will any information be shared prior to attacks (whitebox/blackbox)? TBD What is the ultimate objective (access to a particular area, etc.)? Find our weak access points. Q: Risk Assessments 1. How many total employees does PCORI have? How many employees are in the IT, Operations, and Security teams? IT 26 Operation 75 Security none 3. How many locations does PCORI have? 2 4. What types of systems are used in the environment? (eg. Windows Desktops, Windows Servers, Linus, Apple, ICS, Mainframe, etc.) Information will be provided at a later point in the process if you have been identified to advance. RFQ # PCO-SSA2015 Responses to Questions 7

8 5. Please provide more information regarding the scope and outcome of the information asset profiling request. Does an asset inventory exist today and if so, is this request to review and assess current state? Yes, we have an asset inventory solution in place today, but we are currently consolidating asset inventory solutions. This is not in the scope of this RFP. 6. Please provide more information regarding the scope and outcome for the request to review and define security policies. Are security policies in place today and if so, approximately how many? Do additional policies need to be developed? Yes, there are some generic security policies in place. However, part of the assessment would be to recommend additional policies to meet industry standards. 7. Please provide more information regarding the scope and outcome of the request to define a disaster recovery plan. Does a business continuity or disaster recovery plan exist today, either formal or informal? Yes, we have a basic disaster recovery plan, but disaster recovery is not included in the scope of this RFP. 8. Is this a strict deadline? Is there any flexibility to it? The deadline is dependent upon the recommendation and the final statement of work agreed upon. Q: Phase I Information Risk Assessment o Current Systems Review o Review of existing procedures and policies to highlight gaps and threats (compare to standards such as ISO27001 controls) 1. Vulnerability assessment: How many systems in scope and how many internal vs external 2. Attack and penetration testing: How many systems in scope and how many internal vs external 3. Application security testing: How many systems in scope and how many internal vs external 4. Review existing disaster recovery plan/business continuity plan 5. Network risk analysis 6. Review physical security 7. Prepare Risk Matrix (using confidentiality, integrity, and availability as parameters) 8. Information Asset Profiling 9. Social Engineering How many users in scope? Onsite vs. remote or both? A: All staff 250. RFQ # PCO-SSA2015 Responses to Questions 8