REQUEST FOR PROPOSAL (RFP) #021-14 HIPAA SECURITY ASSESSMENT VENDOR QUESTIONS & ANSWERS ~ MAY 29, 2014

Q1) Page 2, Section A and Page 5, Section H --- Does the County desire only an assessment of compliance with the HIPAA Security Rule, or is assessment of compliance with the Privacy and Breach Notification Rules also included in the scope of services? (Note that the initial overview indicates "compliance with security regulations"; however, Section H requests estimates for "developing HIPAA Privacy and Security policies and procedures.")
Yes, both.

Q2) Page 2, Section A, c) --- Please provide the number of departments in Douglas County.
17 departments.

Q3) Page 3, Section C --- To assist us in determining the level of effort and cost for completing the scope of services, can you provide the following:
a) The number and size of the network(s) in scope (i.e., the number of active IP addresses and/or network class).
Single campus network with 3,000 IP endpoints.
b) The number of web applications in scope.
We have approximately 60 web-based apps exposed to the internet, and 50 that are intranet.
c) The locations (i.e., each city and the number of locations/facilities in each city) at which wireless network assessment would need to be performed; and the number of wireless access points at each location.
We have 17 locations that are wireless enabled. We will rely on the selected vendor to identify how many of those need to be evaluated.
d) The number of host servers in scope for assessment and the operating system(s) type and version in use for the host servers.
Approximately 17 physical hosts running approximately 600 virtual.
e) The number of firewalls in scope.
About 10.
f) The number of databases in scope for assessing encryption.
Those that the selected vendor identifies as needing to be encrypted; we anticipate at least 4.
g) The nature of backups (i.e., are backups to tape, to disk/SAN, etc.) for assessing encryption.
We have tape and disk.
h) The number of IT employees (for assessing access to systems and data).
60
i) The number and location of facilities where physical access to servers and storage would be assessed.
3
j) The approximate number of security policies and procedures.
We do not disclose this information.

Q4) Page 3, Section C --- The scope of services includes assessing IT employee access to systems and data. Does the County desire that access for employees other than IT employees also be assessed?

Q5) Page 3, Section C --- The required deliverables (bullet 4) state that the vendor will provide a report that includes itemized costs for each recommendation provided, including consulting services costs. Does the County expect that the selected vendor will perform recommended remediation and that the costs provided would be for the vendor to perform that remediation? (Note that providing detailed costs for hardware, software, and consulting services that would be selected by the County and/or provided by other vendors would be difficult.)
Not necessarily. Our goal is a map of what needs to be done, identifying which items are critical and which we can plan to address at a later time. We would also like a cost estimate for making remediations once the gaps are understood.

Q6) Page 4, Section D --- Does the County have desired or required dates for starting and/or completing the requested services?
No. That will be negotiated with the selected vendor.

Q7) Page 5, Section H --- What is the County's available budget for completing the services requested in the RFP?
We do not have a pre-defined budget for this. We would create a budget request that conforms to the estimated costs of the evaluation provided by the selected vendor.

Q8) Page 5, Section H --- Are travel costs reimbursable as separate expenses for the services requested, or should estimated travel costs be included within any proposed overall fixed costs?
Estimated travel costs should be included, not to exceed "billed at actual."

Q9) Requirements for corporate references found in Section G.1.b on p. 5 state "performance of HIPAA Privacy and Security Gap Analyses for at least 5 entities." Is this correctly interpreted to mean HIPAA Gap Analyses and Privacy and Security Gap Analyses? Please elaborate on the type of experience required.
Yes, both.

Q10) Section F.1 on p. 4 states that respondents shall describe how a HIPAA Meaningful Use Security Risk Analysis obligation would be met with the proposal. This is the only mention of Meaningful Use in the RFP. Can the County please elaborate on the expectations to evaluate Meaningful Use in the county systems?
By Meaningful Use, we are referring to that language in the HIPAA regulations themselves.

Q11) The Overview section A and the entire RFP do not indicate how many systems would be reviewed for this engagement. Can the County state the number and size of the systems that are expected to be evaluated?

Q12) There is no expectation set in the RFP for the date of delivery of the work products described. Does the County have a timetable in which it expects delivery of the written documentation and other work products as described in Section C, a-c?
Please see the response to Q6.

Q13) When was the last time a vulnerability scan and penetration test were performed?
We don't release that information to the public.

Q14) Are there any systems hosted by a third party? If hosted, is the hosting party aware of security testing?
Though none contain HIPAA-related data. If deemed necessary, we will work with our hosted databases to support the security testing.

Q15) For internal/external penetration testing, is Douglas County looking to test as follows?
a) Physical security test: gain access to physical space by evading physical security controls.
b) Social engineering test: gain sensitive information from one or more of your employees (to infer or solicit sensitive information).
c) Client-side exploits: gain access to client systems through social engineering and targeted client exploits.
d) Wireless testing: gain access to networks by bypassing wireless security controls.
e) Server-side exploits: gain access to server systems.
We are looking to the selected vendor to recommend appropriate testing.

Q16) Were the findings resolved and is the previous report available for review?
No.

Q17) How many IP addresses are in scope for the scan and test?
A rough estimate of the number of IP endpoints is 3,000.

Q18) Is Douglas County requesting black box or white box testing?
We are looking to the selected vendor to recommend appropriate testing. Your suggestions will be evaluated for their potential risk.

Q19) What is the extent of current Information Security Policies? Are they based on or aligned with an industry standard, such as ISO, NIST, PCI?
That will be discussed with the selected vendor.

Q20) Does the County have data classification in place currently for PHI?
No.

Q21) Is PHI data accessible from the entire Douglas County network?
No.

Q22) Will the penetration test be performed covertly or overtly?
Overtly.

Q23) Are IT operations centralized or decentralized?
Centralized.

Q24) What is the policy for viewing or accessing confidential information?
If viewing or accessing confidential information is required for the analysis (as opposed to reviewing descriptions of that data and the data types), then the vendor representatives and those doing the assessment would have to sign the appropriate related confidentiality agreements and complete a national fingerprint background check.

Q25) Do development or test environments exist for tested systems/applications?

Q26) My question is related to Section G, Experience and References: "b) The documentation must thoroughly describe how the Responder has supplied expertise for similar contracts and work related to HIPAA Privacy and Security compliance and the performance of HIPAA Privacy and Security Gap Analyses for at least five (5) entities within the past two (2) years, with a minimum of three (3) being State and/or Local Government clients. The Responder must provide Agency with reference names and contact numbers for these entities to include:" The requirement states three entities must include State and Local Government clients. Would Alaska Native and American Native organizations be considered a local or state government? For example, the Cook Inlet Tribal Council or the Ketchikan Indian Community (KIC), which consists of Tribal members?

Q27) Fee Schedule Section item 2 refers to "Developing HIPAA Privacy and Security policies and procedures." However, there is no mention of this in the body of the RFP or in the scope and deliverables sections. Are policies and procedures to be included? Is pricing for policies and procedures really required? If so, please provide a description of the requirements and scope.
As stated in the RFP, we would expect the evaluation to include identifying which policies and procedures are required for us to comply with HIPAA regulations, and we would appreciate a cost estimate, included in the assessment results on remediation, to produce said policies and procedures.

Q28) Fee Schedule Section Item 3 refers to reviewing the existing HIPAA and IT Security Training program and proposing necessary enhancements. However, there is no mention of this in the body of the RFP or in the scope and deliverables sections. While the HIPAA and IT security training would be reviewed as part of this HIPAA assessment, is this meant to be a more in-depth analysis of the training program? If so, please provide more details on requirements and scope.
No. We want our HIPAA and IT security training program to be assessed and any gaps identified.

Q29) Approximately how many total nodes (IP addresses) (all devices on the network) are internal, and how many nodes are external, that are in scope for the assessment? (Knowing this provides a basis for pricing.)

Q30) How many web-based applications (internal and/or external) are in scope? Are these large, medium or small in scale? (Knowing this provides a basis for pricing.)

Q31) What departments or county divisions use or have access to HIPAA-related protected health information? Are there any hospitals or medical clinics included as part of the scope?
Q31a. We would anticipate the vendor would help discover that. We are aware of at least 4 departments that house or have access to HIPAA data.
Q31b. Yes, 1 medical clinic.

Q32) How many systems (servers, devices, etc.) do you want to have configuration analysis performed on?

Q33) Has a HIPAA assessment been done previously and have any remediation actions been taken? (What is the baseline for this?)
We don't provide that information.

Q34) Has the HIPAA data been classified?
No.

Q35) Is the scope of this limited to HIPAA data and associated systems?

Q36) Is the County wanting a one-time or one-time & on-going service?
o If yes: 8x5 or 24x7? Frequency of review? Length of term?
One time. Any future endeavors would be requested through a separate RFP.

Q37) Is there a current and up-to-date network diagram?

Q38) Has the County completed a current inventory:
o # IP addresses
o # Firewalls, target hosts, aggregate web pages. Are any targets owned by other entities/orgs?
o # Desktops, devices, servers?
o # Registered domains
o # of ISPs
o Are there any load balancers?
o Is there currently an IDS/IPS solution in place?
o Operating systems being used? (Windows XP, 7 or 8; Linux; Oracle; etc.)

Q39) Section 1 C mentions Common Infrastructure Assessment (VMware, SAN, etc.). Can the County provide further details?
That is meant to encompass the underlying technical infrastructure as managed by DC IT.

Q40) Is there currently any encryption/authentication being used? Can you provide details?
We do not provide this information to the public.

Q41) What existing applications will come into contact with HIPAA data?
o Future applications planned?
We have four current applications that use HIPAA data and we have plans for future applications as well. We anticipate the analysis will help us identify any and all document and data types that fall under HIPAA.

Q42) Has the County identified what departments are in scope for HIPAA as either a Covered Entity/Component or Internal Business Associate? If so, can you please provide how many and the names of each?
This is anticipated to be part of the evaluation.

Q43) Can you please provide details on the number and location of the offices for the identified County departments that may be in scope for the assessment?
The maximum number of county facilities is 17, but we anticipate only a subset of 3 will be in scope. Exact identification is anticipated to be part of the evaluation.

Q44) Can you please provide details about the County's Information Technology department, including the number of employees and whether the department is centralized or decentralized?
Centralized, with approximately 60 IT employees.

Q45) How many and what types of functions are outsourced within IT?
No functions are outsourced within IT. However, IT does make use of consultants and contractors.

Q46) To help quantify the scope and level of effort to perform the activities identified in Section C, Scope of Services, can you please provide a current application/system inventory or the number of in-scope systems? If possible, please include the types of databases supporting these applications/systems.
We do not provide this information to the public.

Q47) Does the County utilize virtualization technology and, if so, can you please provide some additional details?
Beyond that, we don't provide that information.

Q48) Can you please provide details around the number of data centers, server rooms, and physical locations of each?
Beyond that, we don't provide that information.

Q49) Can you please provide details about how comprehensive the HIPAA security policies and procedures documentation is (i.e., number of policies, procedures, etc.)?
We do not want to disclose the number of policies and procedures that we currently have. Please provide your estimate to review documentation, identify gaps, and propose remediation for any of the gaps.

Q50) Regarding the external penetration testing and vulnerability assessment: (1) How large are the ranges to be tested (example: 2 /24s or 512 IPs)? (2) Approximately how many IPs are active within the ranges above?
2 /24s.

Q51) Regarding the internal penetration testing and vulnerability assessment: (1) How large are the ranges to be tested (example: 2 /24s or 512 IPs)? (2) Approximately how many IPs are active within the ranges above?
3,000 endpoints (approximately).

Q52) Regarding the web application assessment, how many web applications are to be tested? For each application, please answer the following:
a) How many pages of the application are to be tested?
b) Will the application be tested in an authenticated way (will you provide the testing team with application credentials)?
c) How many application roles will be tested?
d) How many authenticated pages will be tested?
Most of our approximately 60 external web and 50 internal applications are comprised of 2 to 4 pages/forms. Typically 3 roles on the internal applications; externally, typically 1 or 2 roles. We expect both unauthenticated and authenticated testing. We will provide credentials.

Q53) Regarding the wireless assessment, is the wireless assessment a vulnerability assessment or a penetration test? How many physical locations will be assessed? For each physical location:
a) How large is each building to be assessed, in sq. feet?
b) How many wireless networks are deployed?
c) What encryption and authentication methods are deployed on each network?
We have 17 facilities with 100 access points. Beyond that, we don't provide that information.

Q54) Within Section H, Fee Schedule, you have requested a fee estimate for assisting the County in developing HIPAA Privacy and Security policies and procedures. Can you please provide some additional details about the current state of these policies? Have they been revised to address the HIPAA Omnibus Final Rule requirements? How many policies support the current HIPAA compliance program at the County?
We do not want to disclose the number of policies and procedures that we currently have. Please provide your estimate to review documentation, identify gaps, and propose remediation for any of the gaps.

Q55) Within Section H, Fee Schedule, you have requested a fee estimate for assisting the County in reviewing the County's existing HIPAA and IT Security Training program. Can you please provide some additional details about the current training programs at the County? When was the last time the training content was updated? Does the County currently utilize a Learning Management System (LMS) to deliver and manage the training content?
We do not want to disclose the training that we currently have. Please provide your estimate to review the current process, identify gaps, and propose remediation for any of the gaps.

Q56) Should any anticipated travel expenses be included in the overall fee estimate or included as a separate line item?
Estimated travel costs should be included, not to exceed "billed at actual."

Q57) Has a budget been defined for this project and, if so, would you be able to share those details?
Please see the response to Q7.

Q58) How large is the internal network? How many workstations & servers?

Q59) How large is the external network? How many IP addresses?

Q60) How many physical locations will be tested?
We have 17 facilities with 100 access points.

Q61) Can the internal networks of each physical location be tested from one central location?

Q62) Will user credentials be provided for the internal network testing?

Q63) Should the wireless assessment include all physical locations, or just a representative subset?
We will rely on the selected vendor to identify how many of those need to be evaluated.

Q64) Should the wireless and physical assessments include penetration tests?

Q65) How many web applications are there and what is the primary function of each?
The function of each app is varied, but beyond that, we don't provide that information.

Q66) Will credentials be provided for the web applications? If so, how many different roles for each application should be tested?
Yes, we will provide credentials. Please see the response to Q52.

Q67) For the proposal, is each of the requested scopes on page 3 of the RFP required to be a separate task, or can they be combined? For example, can the Host Diagnostic Assessment, VPN Assessment, and Firewall Diagnostic Assessment all be included in an overall penetration test of the internal network?
Please propose whatever you feel would give us the best result.

Q68) The RFP does provide an option to list "EXCEPTIONS TO PROPOSAL QUALIFICATIONS AND/OR REQUIREMENTS" (page 4, E. General Requirements). Would it be appropriate to exclude the itemized costs and the suggested timelines for remediation?
The section is up to you to provide your exceptions.

END OF VENDOR QUESTIONS & ANSWERS


More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance

More information

1. How many user roles are to be tested in Web Application Penetration testing? 1. 2. Provide the approx. no. of input fields in the web application?

1. How many user roles are to be tested in Web Application Penetration testing? 1. 2. Provide the approx. no. of input fields in the web application? Below are all the questions that were submitted. This is the District s first security assessments and the District is looking to qualified firms to assess our systems. As it states in the RFQ, technical

More information

HIPAA: Compliance Essentials

HIPAA: Compliance Essentials HIPAA: Compliance Essentials Presented by: Health Security Solutions August 15, 2014 What is HIPAA?? HIPAA is Law that governs a person s ability to qualify immediately for health coverage when they change

More information

PCI DATA SECURITY STANDARD OVERVIEW

PCI DATA SECURITY STANDARD OVERVIEW PCI DATA SECURITY STANDARD OVERVIEW According to Visa, All members, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard. In order to be PCI compliant,

More information

Enterprise SM VOLUME 1, SECTION 5.1: MANAGED TIERED SECURITY SERVICES

Enterprise SM VOLUME 1, SECTION 5.1: MANAGED TIERED SECURITY SERVICES VOLUME 1, SECTION 5.1: MANAGED TIERED SECURITY SERVICES 5.1 MANAGED TIERED SECURITY SERVICES [C.2.7.4, M.2.1.3] Level 3 will support the GSA s Multi-Tier Security Profiles (MTSP) initiative in accordance

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Enterprise Information Technology Security Assessment RFP Answers to Questions

Enterprise Information Technology Security Assessment RFP Answers to Questions Enterprise Information Technology Security Assessment RFP Answers to Questions GENERAL QUESTIONS Q: How do the goals of the security assessment relate to improving the way VEIC does business? A: Security

More information

INFORMATION SECURITY California Maritime Academy

INFORMATION SECURITY California Maritime Academy CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California Maritime Academy Audit Report 14-54 April 8, 2015 Senior Director: Mike Caldera IT Audit Manager:

More information

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy: Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

FedRAMP Penetration Test Guidance. Version 1.0.1

FedRAMP Penetration Test Guidance. Version 1.0.1 FedRAMP Penetration Test Guidance Version 1.0.1 July 6, 2015 Revision History Date Version Page(s) Author 06/30/2015 1.0 All First Release FedRAMP PMO 07/06/2015 1.0.1 All Minor corrections and edits FedRAMP

More information

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014 MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014 COMPLIANCE SCHEDULE REQUIREMENT PERIOD DESCRIPTION REQUIREMENT PERIOD DESCRIPTION 8.5.6 As Needed 11.1 Monthly 1.3 Quarterly 1.1.6 Semi-Annually

More information

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS Ebook YOUR HIPAA RISK ANALYSIS IN FIVE STEPS A HOW-TO GUIDE FOR YOUR HIPAA RISK ANALYSIS AND MANAGEMENT PLAN 2015 SecurityMetrics YOUR HIPAA RISK ANALYSIS IN FIVE STEPS 1 YOUR HIPAA RISK ANALYSIS IN FIVE

More information

THE BLUENOSE SECURITY FRAMEWORK

THE BLUENOSE SECURITY FRAMEWORK THE BLUENOSE SECURITY FRAMEWORK Bluenose Analytics, Inc. All rights reserved TABLE OF CONTENTS Bluenose Analytics, Inc. Security Whitepaper ISO 27001/27002 / 1 The Four Pillars of Our Security Program

More information

Security solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments.

Security solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments. Security solutions White paper Acquire a global view of your organization s security state: the importance of security assessments. April 2007 2 Contents 2 Overview 3 Why conduct security assessments?

More information

Critical Controls for Cyber Security. www.infogistic.com

Critical Controls for Cyber Security. www.infogistic.com Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability

More information

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance 3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security

More information

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 [email protected] This revision incorporates comments from the public. Page Use case 1 Comments

More information

CITY OF MILTON REQUEST FOR PROPOSAL #09-001-ITS

CITY OF MILTON REQUEST FOR PROPOSAL #09-001-ITS CITY OF MILTON REQUEST FOR PROPOSAL #09-001-ITS to provide INFORMATION TECHNOLOGY SUPPORT SERVICES Issued: November 2, 2009 Submit completed application to: City of Milton 1000 Laurel Street Milton, WA

More information

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013 An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

Integrated Threat & Security Management.

Integrated Threat & Security Management. Integrated Threat & Security Management. SOLUTION OVERVIEW Vulnerability Assessment for Web Applications Fully Automated Web Crawling and Reporting Minimal Website Training or Learning Required Most Accurate

More information

PCI DSS v3.0 Vulnerability & Penetration Testing

PCI DSS v3.0 Vulnerability & Penetration Testing 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:

More information

Cloud Security: Evaluating Risks within IAAS/PAAS/SAAS

Cloud Security: Evaluating Risks within IAAS/PAAS/SAAS Cloud Security: Evaluating Risks within IAAS/PAAS/SAAS Char Sample Security Engineer, Carnegie Mellon University CERT Information Security Decisions TechTarget Disclaimer Standard Disclaimer - This talk

More information

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask Everything You Wanted to Know about DISA STIGs but were Afraid to Ask An EiQ Networks White Paper 2015 EiQ Networks, Inc. All Rights Reserved. EiQ, the EiQ logo, the SOCVue logo, SecureVue, ThreatVue,

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

Security Threat Risk Assessment: the final key piece of the PIA puzzle

Security Threat Risk Assessment: the final key piece of the PIA puzzle Security Threat Risk Assessment: the final key piece of the PIA puzzle Curtis Kore, Information Security Analyst Angela Swan, Director, Information Security Agenda Introduction Current issues The value

More information

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version 2.2.6 and higher

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version 2.2.6 and higher A Nemaris Company Formal Privacy & Security Assessment For Surgimap version 2.2.6 and higher 306 East 15 th Street Suite 1R, New York, New York 10003 Application Name Surgimap Vendor Nemaris Inc. Version

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

Virtualization Impact on Compliance and Audit

Virtualization Impact on Compliance and Audit 2009 Reflex Systems, LLC Virtualization Impact on Compliance and Audit Michael Wronski, CISSP VP Product Management Reflex Systems Agenda Introduction Virtualization? Cloud? Risks and Challenges? Compliance

More information

Cybersecurity Strategy

Cybersecurity Strategy SYSTEM SOFT TECHNOLOGIES Cybersecurity Strategy Overview With the exponential growth of cyberspace over the past two decades has come increasing risk of data security breaches involving sensitive and private

More information

Security Controls in Service Management

Security Controls in Service Management Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Security

More information

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES REQUIREMENT 6.1 TO 6.2 SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES 6.1 TO 6.2 OVERVIEW In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, [company

More information

On Demand Penetration Testing Applications Networks Compliance. www.ivizsecurity.com

On Demand Penetration Testing Applications Networks Compliance. www.ivizsecurity.com On Demand Penetration Testing Applications Networks Compliance www.ivizsecurity.com About iviz Security Information Security company with industry s first on-demand penetration testing solution using unique

More information

Vendor Audit Questionnaire

Vendor Audit Questionnaire Vendor Audit Questionnaire The following questionnaire should be completed as thoroughly as possible. When information cannot be provided it should be noted why it cannot be provided. Information may be

More information

Security Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO 27000 / HIPAA / SOX / CobiT / FIPS 199 Compliant

Security Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO 27000 / HIPAA / SOX / CobiT / FIPS 199 Compliant Brochure More information from http://www.researchandmarkets.com/reports/3302152/ Security Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO 27000 / HIPAA / SOX / CobiT /

More information

What s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1

What s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 What s New in PCI DSS 2.0 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 Agenda PCI Overview PCI 2.0 Changes PCI Advanced Technology Update PCI Solutions 2010 Cisco and/or

More information

Four Top Emagined Security Services

Four Top Emagined Security Services Four Top Emagined Security Services. www.emagined.com Emagined Security offers a variety of Security Services designed to support growing security needs. This brochure highlights four key Emagined Security

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

State of Minnesota. Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard

State of Minnesota. Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard State of Minnesota Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard Approval: Enterprise Security Office (ESO) Standard Version 1.00 Gopal Khanna

More information