HC3 Draft Cloud Security Assessment

Transcription

1 HC3 Draft Cloud Security Assessment Respondent Contact Information First Name: Grant Company: Ostendio Last Name: Elliott Company Address: Ostendio Date: 01/27/2015 Information about your solution 2.1) How do users access your solution? Website Mobile Web Mobile Application (iphone/ipad/android) Text Messaging (SMS) Interactive Voice Response (IVR) Other 2.2) Does your solution support Single Sign On (SSO)? 2.3) What type of Single Sign On (SSO) does your solution support? Microsoft (Active Directory) Auth0 Kerberos Redhat Other

2 2.4) Does your application allow login from, Google, Facebook, or any other social media serving site? 2.5) What third party social media is login supported from? Facebook Google LinkedIn Other 2.6) Does your solution allow access using third party API's? 2.7) Please provide information for all locations (including backup locations) that may store or have access to sensitive data. Owned operated data center (On site operated data center) A) Is the facility located within the US? B) Please list the country where the facility is located. C) Does your facility undertake an annual SSAE 16 audit? If so, you may be asked to provide a copy of the most current SSAE 16 report. D) Which type? SSAE 16 Type I SSAE 16 Type II

3 E) Are you willing to allow us to physically inspect this Data Center? F) Does this data center have electronic key access that can be restricted realtime? G) Are you able to review access logs to the data center? H) How long are logs retrievable for? < 30 days < 90 Days < 180 days < 1 year > 1 year I) Do you have emergency access procedures in place for vendors, staff, and consultants needing access to physical equipment? J) Do you have video cameras or CCTV throughout the data center? K) Does your data center have redundant power such as an Uninterruptible Power Supply in case of primary power failure? L) Does your data center have redundant cooling in case of AC malfunctions? M) Does your data center have multiple ingress\egress points to the internet?

4 N) Are your servers located within locked cabinets inside the data center? O) Are the server face plate covers attached and locked on every server? P) Is the BIOS or lights out management password protected? Q) Are peripheral devices such as USB, DVD and serial ports disabled? R) Is your data center alarmed for unauthorized access? Colocation provided by Third Party Data Center provider (Colocation provided by third party data center provider) A) Who is your co location data center provider? Century Link Equinix Latasys LexisNexis Sunguard Verizon Terramark B) Does this facility undertake an annual SSAE 16 audit?

5 If so, you may be asked to provide a copy of the most current SSAE 16 report. C) Which type? SSAE 16 Type I SSAE 16 Type II D) Are you willing to allow us to physically inspect this Data Center? E) Does your colocation provider have access to your physical equipment? F) Please select the best description of the nature of your provider's access. Full Equipment access includes partial and access to the Operating System G) Does your provider have access to sensitive data i.e. Personal information, credit data? H) Has your provider signed an n disclosure Agreement (NDA) with you? I) Has your provider signed a Business Associate Agreement (BAA) with you? J) Were you able to customize your Business Associate Agreement (BAA) with your provider?

6 K) Is your equipment in a private cage or locked on an open floor? Private Cage Open floor locked cabinet Private cage with locked cabinets private cage or locked cabinets L) Does this data center have electronic key access that can be restricted realtime? M) Are you able to review access logs to the data center? N) How long are logs retrievable for? < 30 days < 90 Days < 180 days < 1 year > 1 year O) Do you have emergency access procedures in place for vendors, staff, and consultants needing access to physical equipment? P) Does this data center have video cameras or CCTV throughout? Q) Does your data center have redundant power such as an Uninterruptible Power Supply in case of primary power failure? R) Does your data center have redundant cooling in case of AC malfunctions?

7 S) Does your data center have multiple ingress\egress points to the internet? T) Are the server face plate covers attached and locked on the server? U) Is the BIOS or lights out management password protected? V) Are peripheral devices such as USB, DVD and serial ports disabled? W) Is this data center alarmed for unauthorized access? Cloud Service provided by Third Party Cloud Provider (Cloud Service provided by third party cloud provider) A) Which Service Provider do you use? Amazon Web Services (AWS) Akamai Apple BMC Software Citrix Dimension Data Dropbox Google HP IBM

8 Microsoft Netsuite Oracle Rackspace Salesforce SAP AG Saavis Terremark/Verizon VMWare Other B) Does this facility undertake an annual SSAE 16 (formerly SAS 70) audit? If so, you may be asked to provide a copy of the most current SSAE 16 report. C) Which type? SSAE 16 Type I SSAE 16 Type II D) What services are you using as part of your service offering (i.e. platform, computer, storage, etc.)? Infrastructure Web Services Storage Database Backup Desktops E) Will you be storing sensitive data on your cloud environment? F) Describe the nature and type of sensitive data stored (i.e. PHI, SSN, PCI, etc.).

9 Protected Health Information Social Security Numbers Payment Card Information Banking Personally identifiable Information G) How will you track the sensitive data's location and access? Spreadsheet tification Using a ticketing systems 3rd Party application H) Has your provider signed an n disclosure Agreement (NDA) with you? I) Has your provider signed a Business Associate Agreement (BAA) with you? J) Were you able to customize your Business Associate Agreement (BAA) with your provider? K) Do you use a third party service to manage the configuration and security of this cloud service? L) Does your third party service provider have access to sensitive data? M) Has this third party signed a Business Associate Agreement (BAA) with you and the provider?

10 with me, not with the cloud provider with me and the cloud provider with me, with the Cloud Provider to both me and the cloud provider N) Does your cloud provider give you a single management console for administration of all services? O) How do you access the cloud based services? Point to Point VPN Tunnel Client Access VPN Tunnel Remote Desktop SecureShell Web authentication P) Are you using multi form authentication methods to access your cloud services? VPN access with UserID\ Certificate AWS MFA Radius Q) Is your cloud environment connected to your internal network or colocation environment? R) Are you using API s to communicate with your cloud environment? For backups offsite Authentication purposes Retrieval of data Upload data

11 t using API's S) Will your customer be required to use API calls to communicate with your service? T) Are you using any third party API's to deliver your service? U) What types of security measures have been put in place to secure API usage? Basic Authentication with TLS OAuth1.0 OAuth2 V) Do you have access to the Hypervisor logs?, direct access, but requests from provider W) What type of firewall are you using to secure the perimeter network? ne Cisco Open Source Embedded Windows Server Firewall Embedded Linux Server Firewall Access Control List X) Are your guests on private virtual resources or shared resources? Private

12 Shared Y) If using cloud storage do you do the following encrypt the virtual drives? provide your own encryption keys take snapshots of the storage area replicate the storage area to another location? log access to storage directories Don't Use cloud storage Z) How do you access your storage area? HTTP HTTPS Third Party API Internally provided API Server Connected API Don't Use Cloud Storage AA) How does your provider handle the deletion of virtual guests, storage, and/or web services? Delete data immediately and overwrite Delete data immediately using FIPS\DOD methods AB) How does your cloud environment notify you of updates and vulnerabilities within the hosted environment? tify you via Create a service ticket Broadcast a message on its website, blogs, support sites AC) How does your cloud environment handle incidents, updates, and vulnerabilities within the hosted environment? Provide a minimum of 48 hours before applying updates Provide you with workarounds if necessary Patch straightaway if a critical vulnerability arises

13 AD) Does your cloud provider allow vulnerability scans on your servers? AE) Are any of your services being replicated to international locations? AF) Does the Service Level Agreement have clearly defined terms, definitions and performance parameters? AG) Are there penalties for missing predefined SLA's? AH) If using the cloud, how does their notification rule coincide with your notification rule? Operating Systems 3.1) Are you using open source applications to support your solution? 3.2) Which open source applications are currently deployed in your environment? Linux

14 Apache Tomcat Mysql Postgress SQL ActiveMQ OpenVPN PHP Java Pfsense Vyatta 3.3) Are you using virtualization to provide your solution, if so which? Vmware Xenserver Microsoft t using virtualization 3.4) Which Desktop operating systems are being used in your environment? Microsoft 7 or 8 MacOS Linux 3.5) Do you have the ability to monitor portable devices? 3.6) Which antivirus\antimalware software are you using to protect your servers? Symantec McAfee ForeFront ne

15 3.7) Which antivirus\antimalware software are you using to protect your workstations? Symantec McAfee ForeFront ne 3.8) Are you able to remote scan the software in use inside your environment (including workstations)? 3.9) Which applications are you using to manage your code revisions? Git Subversion Team viewer ne 3.10) Are you using any of these cloud based code revision providers? GitHub Bitbucket Atlassian ne 3.11) Which are you using to manage patches across your environment? Centralized Patch Management Individual Patch Management Combination of both Encryption

16 4.1) Are you using encryption for data at rest and in transit within your environment? 4.2) Which items do you encrypt? Portable devices, thumb drives, CD, and DVD's File shares Databases Websites File Transfers PC's and tablets Connections to internal resources ne 4.3) Does your cloud provider have access to your encryption keys? 4.4) Please provide details. Backup & Recovery 5.1) What type of backup solutions have you deployed? Tape Back Ups Disk to Disk Snapshots

17 Real time replication 5.2) Do you backup to an offsite location? 5.3) Is your offsite backup to the cloud? 5.4) How often do you test the restore capabilities of your backup? Other 5.5) Do you have a failover site in case of a loss of services from your primary data center? 5.6) What type of location is your failover site? Fully real time replicated environment 5.7) Do you run test failover scenarios of the production environment? Information Security 6.1) Does your company have an active Information Security program in place? Governance

18 6.2) Does your company have a single person responsible for Information Security? 6.3) Does your company have a single person responsible for Data Privacy? 6.4) Does your company conduct any type of formal risk analysis on a regular basis? 6.5) How often are these Risk Assessments performed? Other 6.6) Provide the date of the last risk analysis/assessment conducted 27 Jan, ) Does your company perform regular Information Security audits? 6.8) How are these audits performed? External Industry accredited / certified Audit Internal Industry accredited / certified Audit Informal internal audit Other 6.9) What standards are used for these audits? ISO/IEC Standard of Good Practice NIST SP 00 53

19 ISO RFC 2196 ISA/IEC (formerly ISA 99) ISA Security Compliance Institute IASME HIPAA/HITECH OCR Audit Protocols COBIT 4.1 GAPP Other 6.10) How often are these audits performed? Other 6.11) Provide the date of the last external Information Security audit conducted 27 Jan, ) Do you perform vulnerability scans regularly? 6.13) How often do you perform a vulnerability assessment? Other 6.14) Are any of these assessments conducted by third party providers? 6.15) Will off shore consultants have access to your cloud environment?

20 6.16) Will your off shore consultants have access to sensitive data? 6.17) Please list the countries where these staff are located. 6.18) Do you have a Key Management Policy and Procedure in place for your encryption keys? 6.19) Do you have a Data Classification policy where data is classified by sensitivity? 6.20) Do you have an encyption policy and procedure that details how you encrypt sensitive data? 6.21) Do you have Policy and Procedure outlining backup and disaster recovery procedures? 6.22) Do you have practice recovery procedures as part of business continuity planning? 6.23) Have you identified critical assets in your environment?

21 6.24) Have you completed a business impact assessment on critical systems? 6.25) Do you know where all sensitive data such as PHI resides in your environment? 6.26) Do you conduct regular access audits to ensure you know who is accessing sensitive data and how they are using it? 6.27) Does your organization have a data retention policy? 6.28) Does your organization have a secure data disposal and destruction policy? 6.29) Do you perform DR gaming or Business Continuity tabletop exercises for your critical systems? 6.30) How often do you conduct tabletop exercises? Other 6.31) Have you established a Critical Incident Response Team (CIRT)? 6.32) How often does your CIRT meet? Weekly Bi Weekly

22 Monthly Bi Monthly Quarterly Other 6.33) Do you have a formal remediation process when issues are discovered during testing? 6.34) Do you have a formal policy and procedure for the procurement/use of software within your organization? 6.35) Do you have in place a policy and procedure for the deployment of software patches? 6.36) Are you using a centralized tool to facilitate patch management? What tool are you using? 6.37) Do you have a policy or procedure for defining and reporting incidents?

23 6.38) Have you had any critical incidents reported in the last 3 years? 6.39) Did any of these incidents result in a breach of sensitive data? How was the incident handled and what remediation steps were taken to fix it? 6.40) Do you have a policy or procedure for reporting unauthorized access to sensitive data? Breach tification 6.42) Do you have a Breach tification policy? 6.43) Have you reported any Breaches in the past 3 years? Please provide details.

24