After reviewing all the questions, the most common and relevant questions were chosen and the answers are below:
1. Is there a proposed budget for this RFP?
A: No

2. What is the expected duration for this contract?
A: Based on vendor recommendation

3. Is or has some other firm currently performed this work?
A: No

4. Can this assessment be worked remotely?
A: Vendor

5. How many Public Facing External IPs are in scope for the External Penetration testing?
A: ~20

6. How many Virtual Servers are in scope for the Internal Penetration testing?
A: ~

7. We are a NY state approved security vendor that partners with a firm called Contextual Security out of Tennessee for these types of services. Would there be any challenges or issues if we, Network Security Group, submit this RFP with the understanding that the services will be performed by a partner of ours?
A: Please include the condition as part of the RFP

8. In addition to the items listed in the Infrastructure overview, additional quantification would provide a better understanding of the network. Please specify the numbers of virtual machines, wireless networks and APs (and brand), databases, web servers, applications.
A: Information will be provided during assessment.

9. We assume the configuration review to be performed with credentials. How will the vulnerability assessment/penetration testing be performed?
A: Vendor should propose the appropriate method

10. How many live IPs would be included in the assessment / test?
A: ~

11. Is there an identified timeline, or should the Proposer provide one in the RFP?
A: Vendor can provide this information in the RFP.

12. Is the vulnerability assessment to include zero day vulnerabilities and unknown vulnerabilities in their applications, or to assess the applications for existing vulnerabilities?
A: Vendor should propose the appropriate method

13. Remote locations: where are the locations?
A: Vendor can find all the addresses from our website at

14. Will visits to each be required?
A: Vendor

15. Does the application assessment include Mobile apps?
A: No

16. Does this assessment include any websites?
A: No

17. HIPAA Technical Safeguards:
   a. How in depth does Nassau want the technical testing portion of the assessment to be?
      i. I.e. the VPN configuration reviews, Malware Defenses reviews, firewall/DMZ and router configuration reviews, server configuration, Remote Access Security reviews, etc.
      A: Vendor
      ii. Are you looking for an organization to gap these to make sure that you currently have appropriate safeguards in place?
      A: Yes
      iii. Are you looking for the respondent to test to validate that these are all configured and implemented correctly?
      A: Validating a sample of each category is acceptable

18. Are devices consistent across your entire network? I.e. site one has the same firewalls/routers/switches on the same version as site two?
A: Yes, for 5 of the 6 remote sites. The exception site is a substantially larger site.

19. What type of VPN are you currently utilizing?
A: Information will be provided during assessment.

20. Do you currently have a network architecture diagram?
A: Yes

21. What encryption devices and tools are you currently utilizing?
A: Information will be provided during assessment.

22. Has the organization considered Incident Response as part of the penetration test?
A: Vendor

23. Does the organization perform quarterly vulnerability scanning with quarterly remediation?
A: No

24. Can SecureState utilize social engineering during the penetration tests to validate training effectiveness per HIPAA (5)(i)?
A: Yes

25. How many active Internal IPs/hosts/devices do you have?
A: ~4,

26. Are they all in scope for this assessment?
A: Yes

27. Do you process, store, or transmit credit cards?
A: No

28. Can reports utilize a CVSS scoring format, rather than DREAD?
A: Yes. Vendor should propose the appropriate method

29. Is a physical security assessment a requirement for our response?
A: Yes
   i. If so, how many facilities are in scope?
   A: 7
   ii. Are they generally close in proximity?
   A: Yes, within Nassau County

30. Apart from HIPAA, what security standards does NUMC follow? Will the assessment measure compliance against any particular IT security standard (NIST/ISO)?
A: Vendor should propose the appropriate method

31. What is the structure and makeup of the team responsible for IT and HIPAA security?
A: Information will be provided during assessment.

32. Will the review include Disaster Recovery sites and related policies and procedures? (The RFP mentions the Main Hospital and 6 remote locations.)
A: Yes

33. Does the assessment cover vendors and third parties with access to the organization's ePHI? (The RFP mentions Business Associate security requirements in the Administrative controls section; to what degree will this be a technical evaluation, if any?)
A: Vendor should propose the appropriate method

34. Are cloud services and any SaaS products used by NUMC going to be covered?
A: No

35. Are mobile devices in scope for the assessment?
A: Yes

36. Are medical devices and instruments in scope?
A: No

37. Are patient portals and/or any telemedicine solutions in scope?
A: No

38. Will you provide the infrastructure inventory (if not detailed, then summary) for Network, Security, Servers, Virtualization, OS, Desktops/Laptops/VDIs?
A: Yes

39. Will you provide the details of Business critical applications (i.e. EMR, PACS, Billing Systems etc.)?
A: Yes

40. Are there any web servers in the provided IP ranges?
A: Yes

41. Is testing the web applications to be in scope for this testing?
A: Yes

42. Do you want a thorough analysis of the web pages or just web application testing?
A: Vendor

43. If so, do you have an estimate of the number of pages in the web application?
A: No

44. Please state which of the two (or both) test perspectives below you would like to perform:
   a. Non-Credentialed testing: testing without the ability to log in to the site.
   b. Credentialed testing: testing performed with a generic account provided by the client. The purpose of this testing is to assess what an attacker could do if they were given an account.
A: Vendor

45. Will the penetration test include a test of the DMZ?
A: Vendor should propose the appropriate method

46. Are there any databases that would be part of the test and if so, how many instances?
A: Vendor

47. Are there any specific goals that need to be obtained, e.g., compromise of a specific system, obtaining specific sensitive information, etc.?
A: Vendor should propose the appropriate method

48. Wireless testing: at how many locations and where?
A: 7 locations

49. Electronic Social Engineering (listed under Internal): please define what you would like.
   a. Is E-mail Phishing desired?
   b. How many users?
A: Vendor

50. When would you like the project to start?
A: Within 60 days after a vendor is selected

51. DREAD reporting is stated as a requirement; however, this risk/threat modeling technique has been out of popular use since 2008 ( Would alternatives be considered for risk assessment?
A: Vendor should propose the appropriate method

52. Please note and briefly describe key Information Technology functions (e.g. system monitoring) that have been outsourced to a third party.
A: Information will be provided during assessment

53. Has the organization performed a Risk Analysis, as required by HIPAA, in the past 12 months?
A: Yes
   a. If so, was a Corrective Action Plan developed and executed?
   A: Yes, if possible

54. Have HIPAA-specific Information Security Policies been developed?
A: Yes

55. Does your definition of Vulnerability Assessment equate to only an automated scan?
A: Vendor

56. Are all the servers different? I.e., are different operating systems in use or are they all using the same OS, as in Server 2008?
A: Yes

57. If any, how many are configured in exactly the same way?
A: No. They are configured based on application requirements.

58. For the External Penetration Test, is this a:
   a. Black Box Pen Test: the tester will be provided with only a domain name and be left to discover everything else on his own. This is the most time consuming and expensive kind of pen test.
   b. Gray Box Pen Test: only some information is provided, but not everything. As the color implies, it is in the mid range regarding time and cost.
   c. White Box Pen Test: all information such as IP addresses for all Internet facing devices is provided. This is the least expensive kind of external pen test as less time is involved regarding host / target identification.
   d. Under External Penetration Testing, you have listed: Recon, Enumeration, Network Surveying / Services Identification, Network Penetration Testing, and Password Cracking. But all of those are typically considered under the umbrella of an External Penetration Test. Typically an external attack is going to follow this flow. Please clarify if this is what is meant or something else:
   e. Reconnaissance
   f. Scanning (Host Identification)
   g. Enumeration (Network Surveying / Services Identification, etc.)
   h. Gaining Access (Password Cracking, etc.)
   i. Maintaining Access
   j. For Application Vulnerability Validation I need a clear definition of what this entails. Is there a particular web application that needs to be checked for vulnerabilities? Are there a bunch of applications? Usually an application such as a web app is first scanned for vulnerabilities and if any are identified, they are manually reviewed to ensure they are not false positives. Web app pen testing involves trying to exploit any real vulnerabilities present.
   k. As for the Internal Vulnerability Assessment, in many environments a standard OS image is deployed. If you get every endpoint scanned and some are mirror images of each other regarding configurations, settings, etc., you will be paying for nothing. To be cost and time efficient I recommend scanning only by groups. For instance, if the doctors use a particular image, test only one of that image or a few at random. Do this for all the different images and you get the results you want without the accompanying cost. If you want every single endpoint scanned, please confirm.
   l. Insofar as the Internal Pen Test is concerned, the same applies as for the External Pen Test regarding the process flow, with the exception of the Wireless Pen Test. For the Wireless Pen Test, is this a WEP, WPA/WPA2, or 802.1x enabled wireless network?
A: Vendor

59. Electronic Social Engineering typically involves borne attacks using various payloads. Do you just want to see if the users fall for it with something harmless, or do you want to see if it can lead to a compromise? Do you want USB attacks to be included?
A: Vendor should propose the appropriate method

60. Please clarify Wireless Client based attacks. Are you referring to a typical LAN MITM attack just on the WLAN?
A: Vendor

61. Is the goal to be completely HIPAA compliant or to simply address the security rule of HIPAA?
A: Address HIPAA security rules

62. Although IT is leading the project, have the stakeholders been identified and will we be able to interview them?
A: Yes

63. How many Covered Entities are being assessed under NuHealth and the scope of the RFP?
A: NuHealth consists of Nassau University Medical Center, A. Holly Patterson Extended Care Facility, and Long Island FQHC, which operates 5 Family Health Centers

64. Are the locations above all using the same EMR/EHR (In Patient and/or Ambulatory Group) system(s)?
A: No

65. Please state the names of the EMR/EHR applications used. Medical billing system(s)? Please state the names of the Medical billing system.
A: Vendor should propose the appropriate method

66. Does NHCC/NuHealth have its own data centers? How many and where?
A: Yes. 1 at Nassau University Medical Center

67. Are all 25 buildings in scope for the Physical assessment?
A: Vendor should propose the appropriate method. A sample of certain percentages is acceptable.

68. The security testing requirements for this RFP are extensive. Is testing to be performed after hours?
A: Vendor

69. Please specify the rules of engagement pertaining to the vulnerability assessment testing and penetration testing.
A: Vendor

70. Will we be provided with login credentials to perform credentialed vulnerability assessment scans to minimize False Positives out of the gate? If not, please specify what your expectations are regarding vulnerability assessment reporting and recommendations for patching and remediation (e.g., provide detailed instructions for remediation?)
A: Vendor

71. How many Active Directory Domains are in use?

72. Is the Testing Environment in Scope?
A: No

73. Is this IT Security Risk Assessment part of the required annual HIPAA Security Rule assessment? Or is this for Meaningful Use Stage 1 or 2 attestation and Book of Evidence Submittal?
A: We will utilize some or all of the outcome from the assessment to satisfy the above requirements.

74. Does NHCC/NuHealth have last year's risk assessment report and gap remediation checklist? If yes please share. If no explain why not.
A: Yes. Additional information will be provided during assessment.

75. Did NHCC/NuHealth attest for Meaningful Use Stage 1? If yes how much money was earmarked for ongoing HIPAA compliance and maintenance? If no why not?
A: Yes. Additional information will be provided during assessment.

76. Regarding providing cost magnitude estimates (CAPEX and OPEX), do you want a 1 year, 2 year, 3 year financial model to support all gap remediation requirements along with ongoing maintenance and life cycle support for maintaining HIPAA Security Rule compliance?
A: This will be determined based on the outcome of the assessment

77. Who are the members of the IT Leadership that is mentioned regarding collaborating with them? Please provide names and titles.
A: Information will be provided during assessment.

78. Do your employees have the ability to bring their own device (BYOD) for use in your workplace and access your systems?
A: No

79. Will we be allowed to install scanning tools on your current systems to assist us with understanding your current environment?
A: Yes

80. Are the configurations for Workstations, Servers, and Network elements configured using templates and central management or is there a likelihood of a large variety of configurations?
A: There will be a large variety of configurations

81. Would a sampling of templates and as-running systems be appropriate for Configuration Analysis, or is a comprehensive analysis of all systems required?
A: Sampling is acceptable.

82. What level of Internal Penetration Testing is required? Typical methodology involves a first pass with a vulnerability scan and automated penetration tools followed by manual testing to identify and exploit specific vulnerabilities. Can the penetration piece be mostly automated, or is extensive manual effort expected? Is a sampling of targets an acceptable scope or is a comprehensive investigation touching all possible targets required?
A: Vendor should propose the appropriate method

83. We assume the configuration review to be performed with credentials. How will the vulnerability assessment/penetration testing be performed?
A: Vendor should propose the appropriate method

84. Are all in scope facilities managed by a centralized IT Department?
A: Yes

85. Identify the data centers in scope. Are they owned, leased, or third party?
A: Owned

86. Are all in scope facilities governed by a centralized IT Security Team?
A: Yes

87. Does NuHealth System rely on any shared services or systems from New York City Information Technology & Telecommunications? If so please explain in detail.
A: No

88. Are all in scope NuHealth facilities governed by a common/centralized set of policies and procedures?
A: Yes

89. Does NuHealth System wish to follow a specific risk analysis framework/methodology (e.g., NIST, HITRUST CSF, Octave)?
A: Vendor

90. Is NuHealth System's objective to satisfy the (a)(1)(ii)(A) Risk Analysis requirement or does NuHealth also wish to have controls tested to ensure they are operating as intended?
A: Vendor

91. Is NuHealth System currently involved in an OCR investigation/corrective action plan (CAP)?
A: No

92. Does NuHealth System have designated Privacy and Security Officers?
A: Yes

93. Please describe the applications in scope for the assessment, including: Name, number of users, and manufacturer (if not internally developed).
A: Information will be provided during assessment

94. Are in scope applications administered by a centralized IT department or does each application have a local administration function?
A: It's a combination

95. Please describe the network topology for all in scope facilities.
A: Information will be provided during assessment

96. Does NuHealth System maintain an ePHI asset inventory identifying all systems where ePHI may be accessed? If so, please provide the following: Count by type (e.g., server, database, application), operating system, and physical or virtualized.
A: Information will be provided during assessment

97. Describe the organizational hierarchy for the IT and IT Security Departments, including number of departments, responsibilities, and number of employees for each.
A: Information will be provided during assessment

98. Does NuHealth System permit the flow of ePHI to ancillary devices such as smartphones, external hard drives, USB devices, etc.? If so, should these devices be included in scope?
A: Yes. Yes

99. Will NuHealth System provide a dedicated project manager?
A: Yes, if required

100. Does NuHealth System have a HITRUST subscription?
A: No

101. Are any system design changes or hardware upgrades planned for the information technology systems within the upcoming year? Examples: Network design upgrades, Hardware refresh projects.
A: Yes. Due to the nature of the business, this is ongoing

102. Has NuHealth System previously performed a security assessment (such as HIPAA risk assessment, PCI Gap assessment) and will any previously completed security assessments be made available?
A: Yes

103. How would NuHealth System like to see the deliverables provided? In other words, should reports be provided by facility and by activity (i.e. pen testing report, vulnerability scan report, risk assessment report, etc.)?
A: Vendor

104. Do you require an overall HIPAA Enterprise risk assessment?
A: No

105. How many employees are in your organization?
A: ~5,

106. Are the systems managed within a private data center or the data center of a third party? If it is a third party, is the physical access dedicated or shared?
A: It is a combination

107. Are you interested in a physical penetration test, a physical security review, or both?
A: Physical Security Review

108. Who is the executive sponsor(s) of this project?
A: CIO

109. Will NHCC provide the selected consultant with a project liaison or coordinator to assist with the coordination, scheduling, and communications of this project?
A: Yes

110. Will NHCC be willing to provide materials, transmitted securely, to allow the successful consultant to review documentation and make preparations prior to conducting work onsite at NHCC?
A: Yes

111. Is this a new contract or a renewal of an earlier contract? If it is a renewal, who is/was the incumbent vendor?
A: New contract

112. Will New York firms receive preference over out of state firms?
A: No

113. Regarding RFP Section V (page 10): The RFP mentions that bidders need to complete and return the Affirmation of Understanding of and Agreement pursuant to State Finance Law, as found in Appendix I. We do not see this form in Appendix I. Can NHCC provide bidders with this form or instructions as to where we can find it online?
A: Pending answer from Legal

114. Regarding Exhibit JC of the RFP (page 20): It would seem that consulting services of this nature would not qualify as Covered Staff according to the definition provided. Please confirm our understanding or clarify.
A: Correct

115. Does this inventory cover the medical facility, extended care facility and Community Health Practices operations?
A: Yes

116. The main building and 6 remote locations as well as 25 buildings were referenced in the RFP. How many and which of these locations are connected directly to the internet?
A: Information will be provided during assessment

117. Are all of the buildings/remote locations on the same LAN/WAN and can these sites be scanned from the central location?
A: Yes

118. Is the system included in the assessment requirement and is it your expectation that outbound will be evaluated for policy infringement?
A: Vendor should propose the appropriate method

119. Are mobile devices included in the inventory and included in the assessment requirement?
A: Yes

120. Is there a complete infrastructure inventory available in electronic format for use during the assessment?
A: Yes

121. Is there one set of IT policies & procedures or do they differ by organization?
A: One set

122. Is there a complete vendor list available electronically that can be used during the assessment for a BAA audit?
A: Yes

123. Do you have an estimated number of systems and applications which create, receive, process or transmit ePHI?
A: Information will be provided during assessment

124. Is it expected that the vendor is going to create and document a comprehensive listing of the systems and applications which create, receive, process or transmit ePHI? If so, is this high level in nature or is the vendor expected to use automated tools in the discovery of ePHI?
A: Information will be provided during assessment

125. How are responsibilities for compliance areas such as HIPAA Security assigned? This will assist us in determining who to interview to discuss the Security compliance processes.
A: The IT department is responsible for HIPAA security

126. Does a standardized process for receiving and investigating reports of unauthorized disclosures, and reporting of security incidents when necessary, exist?
A: Yes

127. Do these processes vary by department/location, or are they centralized?
A: Centralized

128. Do HIPAA / Information Security training requirements vary for staff, management, and executive levels, or by department/location?
A: It's based on the user role

129. Are there any restrictions to using offshore resources?
A: We prefer work is being done by resources from the U.S.

130. Does your organization have any dedicated connections to other organizations' networks (vendors, business partners)?
A: Yes

131. Does your organization use site to site Virtual Private Network (VPN) tunnels?
A: Yes

132. How many databases and what type of databases does your organization use? (Examples: Oracle, Microsoft SQL, IBM DB2, MySQL)
A: Information will be provided during assessment

133. Will the vendor selected be provided with floor plans for each location depicting infrastructure and security surveillance points such as video camera locations, wire closets etc.?
A: Only general floor plans will be provided
More informationPierianDx - Clinical Genomicist Workstation Software as a Service FAQ s
PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s Network Security Please describe the preferred connection method(s) between the PierianDx network and a healthcare organization s
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationREQUEST FOR PROPOSAL (RFP) #021-14 HIPAA SECURITY ASSESSMENT VENDOR QUESTIONS & ANSWERS ~ MAY 29, 2014
REQUEST FOR PROPOSAL (RFP) #021-14 HIPAA SECURITY ASSESSMENT VENDOR QUESTIONS & ANSWERS ~ MAY 29, 2014 Q1) Page 2, Section A and Page 5, Section H --- Does the County desire only an assessment of compliance
More informationHIPAA RISK ASSESSMENT
HIPAA RISK ASSESSMENT PRACTICE INFORMATION (FILL OUT ONE OF THESE FORMS FOR EACH LOCATION) Practice Name: Address: City, State, Zip: Phone: E-mail: We anticipate that your Meaningful Use training and implementation
More informationSecurity Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO 27000 / HIPAA / SOX / CobiT / FIPS 199 Compliant
Brochure More information from http://www.researchandmarkets.com/reports/3302152/ Security Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO 27000 / HIPAA / SOX / CobiT /
More informationPrivacy + Security + Integrity
Privacy + Security + Integrity Docufree Corporation Data Security Checklist Security by Design Docufree is very proud of our security record and our staff works diligently to maintain the greatest levels
More informationRetention & Destruction
Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of
More informationLarry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping
Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationRequest for Proposal INFORMATION SECURITY ASSESSMENT SERVICES RFP #12-680-004. Addendum 1.0
Request for Proposal INFORMATION SECURITY ASSESSMENT SERVICES RFP #12-680-004 Addendum 1.0 ISSUE DATE: February 23, 2012 Receipt of this addendum should be acknowledged on the Proposal Form. Inquiries
More informationRedhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.
Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July
More informationNetwork Detective. PCI Compliance Module Using the PCI Module Without Inspector. 2015 RapidFire Tools, Inc. All rights reserved.
Network Detective PCI Compliance Module Using the PCI Module Without Inspector 2015 RapidFire Tools, Inc. All rights reserved. V20150819 Ver 5T Contents Purpose of this Guide... 4 About Network Detective
More informationHITRUST CSF Assurance Program
HITRUST CSF Assurance Program Simplifying the Meaningful Use Privacy and Security Risk Assessment September 2010 Table of Contents Regulatory Background CSF Assurance Program Simplifying the Risk Assessment
More informationAppalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2
Report No. 13-35 September 27, 2013 Appalachian Regional Commission Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning
More informationAn Overview of Information Security Frameworks. Presented to TIF September 25, 2013
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
More informationThe Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
More informationA Nemaris Company. Formal Privacy & Security Assessment For Surgimap version 2.2.6 and higher
A Nemaris Company Formal Privacy & Security Assessment For Surgimap version 2.2.6 and higher 306 East 15 th Street Suite 1R, New York, New York 10003 Application Name Surgimap Vendor Nemaris Inc. Version
More informationWhat s New with HIPAA? Policy and Enforcement Update
What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final
More informationPCI DATA SECURITY STANDARD OVERVIEW
PCI DATA SECURITY STANDARD OVERVIEW According to Visa, All members, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard. In order to be PCI compliant,
More informationGFI White Paper PCI-DSS compliance and GFI Software products
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
More informationSWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific
More informationAnalyze. Secure. Defend. Do you hold ECSA credential?
1 Analyze. Secure. Defend. Do you hold ECSA credential? TM E C S A EC-Council Certified Security Analyst 1 EC-Council Cyber Security Professional Path Threat Agent Application of Methodology So You Can
More informationAPPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST
APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST Application Name: Vendor Name: Briefly describe the purpose of the application. Include an overview of the application architecture, and identify the data
More informationHoneywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014
Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security
More informationKASEYA CLOUD SOLUTION CATALOG 2016 Q1. UPDATED & EFFECTIVE AS OF: February 1, 2016. Kaseya Catalog - 1 - Kaseya Copyright 2016. All rights reserved.
KASEYA CLOUD SOLUTION CATALOG 2016 Q1 UPDATED & EFFECTIVE AS OF: February 1, 2016 Kaseya Catalog - 1 - Overview of the Kaseya Cloud Subscription Solutions The Kaseya Cloud solutions are designed to meet
More informationKlickstart Business Solutions & Services
About us With an Engineering background & vast experience spanning across two decades with an expertise in Technology Marketing, Branding, Business development & Sales we set out to create a platform every
More informationPCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR
PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST udit.pathak@niiconsulting.com Public Network Intelligence India 1 Contents 1. Background... 3 2. PCI Compliance
More informationPenetration Testing. Request for Proposal
Penetration Testing Request for Proposal Head Office: 24 - The Mall, Peshawar Cantt, 25000 Khyber Pakhtunkhwa, Islamic Republic of Pakistan UAN: +92-91-111-265-265, Fax: +92-91-5278146 Website: www.bok.com.pk
More informationPresented by Evan Sylvester, CISSP
Presented by Evan Sylvester, CISSP Who Am I? Evan Sylvester FAST Information Security Officer MBA, Texas State University BBA in Management Information Systems at the University of Texas Certified Information
More informationCompliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.
ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework
More informationReal World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services
Real World Healthcare Security Exposures Brian Selfridge, Partner, Meditology Services 2 Agenda Introduction Background and Industry Context Anatomy of a Pen Test Top 10 Healthcare Security Exposures Lessons
More informationDigital Pathways. Penetration Testing
Penetration Testing inftouch@digitalpathwyas.co.uk Penetration testing, vulnerability tests, assurance projects, ethical hacking it all means broadly the same thing; testing a corporate network to determine
More informationITEC441- IS Security. Chapter 15 Performing a Penetration Test
1 ITEC441- IS Security Chapter 15 Performing a Penetration Test The PenTest A penetration test (pentest) simulates methods that intruders use to gain unauthorized access to an organization s network and
More informationSAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP
SAQ D Compliance Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP Ground Rules WARNING: Potential Death by PowerPoint Interaction Get clarification Share your institution s questions, challenges,
More informationTable of Contents...2 Introduction...3 Mission of IT...3 Primary Service Delivery Objectives...3 Availability of Systems... 3. Improve Processes...
Table of Contents Table of Contents...2 Introduction...3 Mission of IT...3 Primary Service Delivery Objectives...3 Availability of Systems... 3 Improve Processes... 3 Innovation... 4 IT Planning & Alignment
More informationHow To Protect Your Data From Being Stolen
DATA SECURITY & PCI DSS COMPLIANCE PROTECTING CUSTOMER DATA WHAT IS PCI DSS? PAYMENT CARD INDUSTRY DATA SECURITY STANDARD A SET OF REQUIREMENTS FOR ANY ORGANIZATION OR MERCHANT THAT ACCEPTS, TRANSMITS
More informationVulnerability management lifecycle: defining vulnerability management
Framework for building a vulnerability management lifecycle program http://searchsecurity.techtarget.com/magazinecontent/framework-for-building-avulnerability-management-lifecycle-program August 2011 By
More informationSecurity Threat Risk Assessment: the final key piece of the PIA puzzle
Security Threat Risk Assessment: the final key piece of the PIA puzzle Curtis Kore, Information Security Analyst Angela Swan, Director, Information Security Agenda Introduction Current issues The value
More informationCase 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A
Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879 Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 2 of 116 PageID: 4880 Payment Card Industry (PCI)
More informationOvation Security Center Data Sheet
Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations
More informationPatient Privacy and Security. Presented by, Jeffery Daigrepont
Patient Privacy and Security Presented by, Jeffery Daigrepont Jeffery Daigrepont, SVP No Financial Conflicts to Report Jeffery Daigrepont, Senior Vice President of The Coker Group, specializes in health
More informationPCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics
PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics About Us Matt Halbleib CISSP, QSA, PA-QSA Manager PCI-DSS assessments With SecurityMetrics for 6+ years SecurityMetrics Security
More informationHITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
More informationHIPAA Privacy and Security Risk Assessment and Action Planning
HIPAA Privacy and Security Risk Assessment and Action Planning Practice Name: Participants: Date: MU Stage: EHR Vendor: Access Control Unique ID and PW for Users (TVS016) Role Based Access (TVS023) Account
More informationIntelligent Vendor Risk Management
Intelligent Vendor Risk Management Cliff Baker, Managing Partner, Meditology Services LeeAnn Foltz, JD Compliance Resource Consultant, WoltersKluwer Law & Business Agenda Why it s Needed Regulatory Breach
More informationWHITEPAPER. Addressing Them with Secure Network Access Control. Executive Summary... An Evolving Network Environment... 2
WHITEPAPER Top 4 Network Security Challenges in Healthcare Addressing Them with Secure Network Access Control Executive Summary... 1 Top 4 Network Security Challenges Addressing Security Challenges with
More informationDESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the
More informationINFORMATION TECHNOLOGY ENGINEER V
1464 INFORMATION TECHNOLOGY ENGINEER V NATURE AND VARIETY OF WORK This is senior level lead administrative, professional and technical engineering work creating, implementing, and maintaining the County
More informationPCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com
PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement
More informationSpooks in the Machine
A Higher Education Services Company Spooks in the Machine Proactive Strategies for Securing the Network Steven M. Helwig, CISSP Technical Director shelwig@sungardcollegis.com Contents of Presentation Aligning
More informationNEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015
NEXPOSE ENTERPRISE METASPLOIT PRO Effective Vulnerability Management and validation March 2015 KEY SECURITY CHALLENGES Common Challenges Organizations Experience Key Security Challenges Visibility gaps
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationCompliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations
Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased
More informationDeveloping the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009
Developing the Corporate Security Architecture www.avient.ca Alex Woda July 22, 2009 Avient Solutions Group Avient Solutions Group is based in Markham and is a professional services firm specializing in
More informationCybersecurity Strategy
SYSTEM SOFT TECHNOLOGIES Cybersecurity Strategy Overview With the exponential growth of cyberspace over the past two decades has come increasing risk of data security breaches involving sensitive and private
More informationCybersecurity and internal audit. August 15, 2014
Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices
More informationInformation Technology 2016-2021 Strategic Plan
Information Technology 2016-2021 Strategic Plan Draft Table of Contents Table of Contents... 3 Introduction... 4 Mission of IT... 4 Primary Service Delivery Objectives... 4 Availability of Systems...
More informationTop 10 PCI Concerns. Jeff Tucker Sr. Security Consultant, Foundstone Professional Services
Top 10 PCI Concerns Jeff Tucker Sr. Security Consultant, Foundstone Professional Services About Jeff Tucker QSA since Spring of 2007, Lead for the Foundstone s PCI Services Security consulting and project
More informationThe Business Case for Security Information Management
The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un
More informationVendor 1 QUESTION CCSF RESPONSE
Vendor 1 QUESTION 1 If we have already filled out the vendor profile application, business tax declaration and local business forms will we need to fill them out again? 2 Is CCSF open to rolling up all
More information