Vendor Questionnaire



Similar documents
Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Print4 Solutions fully comply with all HIPAA regulations

GFI White Paper PCI-DSS compliance and GFI Software products

A Rackspace White Paper Spring 2010

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version and higher

SonicWALL PCI 1.1 Implementation Guide

Table of Contents. Page 1 of 6 (Last updated 30 July 2015)

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

Achieving PCI-Compliance through Cyberoam

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

FileCloud Security FAQ

74% 96 Action Items. Compliance

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

Retention & Destruction

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

Global Partner Management Notice

Security Controls for the Autodesk 360 Managed Services

Did you know your security solution can help with PCI compliance too?

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

Security Overview Enterprise-Class Secure Mobile File Sharing

BOLDCHAT ARCHITECTURE & APPLICATION CONTROL

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS option 3 for sales

Web Plus Security Features and Recommendations

Las Vegas Datacenter Overview. Product Overview and Data Sheet. Created on 6/18/2014 3:49:00 PM

December P Xerox App Studio 3.0 Information Assurance Disclosure

Procedure Title: TennDent HIPAA Security Awareness and Training

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

Ensuring Enterprise Data Security with Secure Mobile File Sharing.

TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM

HIPAA Privacy & Security White Paper

PCI DSS Requirements - Security Controls and Processes

System Security Plan University of Texas Health Science Center School of Public Health

Client Security Risk Assessment Questionnaire

CHIS, Inc. Privacy General Guidelines

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

March

Hosted SharePoint: Questions every provider should answer

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Controls for the Credit Card Environment Edit Date: May 17, 2007


1 Introduction 2. 2 Document Disclaimer 2

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

MySQL Security: Best Practices

October P Xerox App Studio. Information Assurance Disclosure. Version 2.0

Small Business IT Risk Assessment

The Comprehensive Guide to PCI Security Standards Compliance

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

Hosted Testing and Grading

GiftWrap 4.0 Security FAQ

Payment Card Industry Self-Assessment Questionnaire

FormFire Application and IT Security. White Paper

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s

SUPPLIER SECURITY STANDARD

05.0 Application Development

Securing the Service Desk in the Cloud

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room

Projectplace: A Secure Project Collaboration Solution

HIPAA Security Alert

How Managed File Transfer Addresses HIPAA Requirements for ephi

Catapult PCI Compliance

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Payment Card Industry Technical Requirements

Configuration Information

Simone Brunozzi, AWS Technology Evangelist, APAC. Fortress in the Cloud

IT Security Procedure

Vendor Risk Assessment Questionnaire

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

BMC s Security Strategy for ITSM in the SaaS Environment

WISHIN Pulse Statement on Privacy, Security and HIPAA Compliance

Global ediscovery Client Data Security. Managed technology for the global legal profession

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

twilio cloud communications SECURITY ARCHITECTURE

WildFire Reporting. WildFire Administrator s Guide 55. Copyright Palo Alto Networks

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

Cloud Contact Center. Security White Paper

Network Detective. HIPAA Compliance Module RapidFire Tools, Inc. All rights reserved V

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

CorreLog Alignment to PCI Security Standards Compliance

Locking down a Hitachi ID Suite server

KeyLock Solutions Security and Privacy Protection Practices

Secure and control how your business shares files using Hightail

Implementation Guide

PCI Requirements Coverage Summary Table

White Paper. Support for the HIPAA Security Rule PowerScribe 360

Log Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging

Automate PCI Compliance Monitoring, Investigation & Reporting

Blackboard Collaborate Web Conferencing Hosted Environment Technical Infrastructure and Security

2: Do not use vendor-supplied defaults for system passwords and other security parameters

Network Security Guidelines. e-governance

Adopt and implement privacy procedures, train employees on requirements, and designate a responsible party for adopting and following procedures

VMware vcloud Air Security TECHNICAL WHITE PAPER

Security Considerations

Chapter 1 The Principles of Auditing 1

ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access. Integration Handbook

Altus UC Security Overview

Transcription:

Instructions: This questionnaire was developed to assess the vendor s information security practices and standards. Please complete this form as completely as possible, answering yes or no, and explaining the answer fully. I. Authentication/Authorization 1) Is your application integrated or can it be integrated with Hospital s Central Identity Management Model for both authentication and authorization? a) Do you allow third party integration to your security repository? i) Do you have an API set for your security tables? ii) Are roles, facilities, user ID, and password information exposed in the API set? iii) What methods do you use for standard integrations? (i.e. Active Directory, LDAP, SAML, etc.) b) What is required from a user to authenticate? (e.g. user ID, password) 2) Do you have role-based security (i.e. access to specific components is based on the role of the user, a Nurse role has x, x, and x capabilities in the system)? 3) Will Hospital Intranets be the only method for users accessing this application? a) If web-based, is there another URL available outside of the portal? b) If an outside URL is allowed, is the user authenticated through the IAM? NO Yes No No /NO Page 1 of 6 Our compliance delivery system was developed by the team responsible for developing the SafetySend, Inc. compliance messaging system. It is a mature compliance gateway used by organizations such as The United Nations, Tenet Health Systems and other hospitals, universities and government agencies. Based on this level of enterprise integration it would be logical to conclude it would work in an enterprise healthcare provider organization. *If required we will have changes made to accommodate. If all appropriate security measures, access rights and policy enforcement is in place. Available upon request. May require customization for specific applications. SafetySend is a versatile technology platform that can handle multiple connections/gateways. We can modify the connections per facility security policy and protocols. USER ID and Password. However for HIPAA/GLBA regulatory compliance practices to be met we store a secondary password and challenge question/answer for additional verification purposes and password reset requests. We have a SSL VPN intranet/extranet/internet application that can be provided to review patient inquiry information and health history forms. Depending on security access policy and permission settings.

4) Does your application comply with Hospital s standard user ID/password policies? a) 8 character strong password? 6-x, any mix of chars b) firstname.lastname user ID? Email address c) password changes at 90 days? Forced password changes at X days per Hospital policy. d) lockout after 5 invalid logon attempts Lock out after X attempts per Hospital policy e) cannot use last 5 passwords Default currently at 3, but change to 5 is acceptable per Hospital policy. f) Does your application require two-factor authentication? (not required) We have multiple authentication methods that include: IP, user/pass, Public/Private Key, Port Assignment, etc. 5) Does your application use Hospital s 9-digit unique ID to uniquely identify users? NO No provision provided. But we are willing to adopt this into our security policy for Hospital if given specifications. a) If not, what is used? Email Address/User ID, Password b) What specific user information is used as the primary key for users? Email Address/User ID, Password and security challenges specified in HIPAA 164.306 and GLBA 314.4/5.501 6) Is user credential information ever passed over the internet for authentication or authorization? a) If yes, how it is protected (e.g. SSL, other encryption method)? b) If no, is the user information transmitted within the Hospital environment, and if so, is all transfer of this information behind the firewall within the trusted network? SSL 256 bit is default but other methods are available upon request. II. Audit/ Logging 1) Is your application subject to SOx, HIPAA, PCI, CMS, or other regulations? a) Does your application contain financial data? Can financials be altered or are they view only? b) Does your application contain PHI? If yes, is access secured by facility? Page 2 of 6 We have been a compliance provider for 8 years. All data in this application is view only. Yes. All data access meets HIPAA and GLBA regulatory compliance standards.

c) Does your application take in or store credit card numbers? But this will not be part of the application as it applies to Hospital in the current form. 2) Does your application produce audit logs? Our application provides both individual and corporate audit trails as defined in HIPAA and GLBA regulations. a) In what format? MS SQL 2005 exported to desired format b) What fields are tracked and what information is logged about the user interacting with the fields? c) Is this information tracked whenever a record is accessed, when changes are made, or other (explain)? Page 3 of 6 Originator of PHI, Recipient of PHI, Time/Date Stamp of Send and Receive, CC, BCC, Expiration Date, Retraction Notification, Retracted by This information is tracked in real time for all individual users. Each individual field has the option of turning tracking on/off per access policy. d) For ASP, how long is this information stored? At least 7 years e) Where/how is this information stored (e.g. centrally, encrypted, trusted network)? Stored on SAN at primary data center. Carrier grade secure hosting facility with military card key access requirements. Fail over connections to redundant secondary secure facility as well as redundant NAS connection synchronizing daily using encrypted channel. 3) Does your application track logon, logoff, and password resets? a) If no, can this be accomplished technically through a web service call or FTP post? b) If no, is this information stored within the SQL application, and if so how and in what format? 4) Do you store SSN, DOB, passwords, or password security questions/answers for users? a) If yes, is this information transmitted to other applications and within the trusted network or outside? b) If yes, is the information encrypted during SSL 1024 bit (scalable upon request) transfer? What encryption method is used? c) If yes, is this information encrypted at rest? What encryption method is used? MS SQL 2008 Database Encryption by passphrase 5) Are any processes in place to detect anomalies in user interaction based on business rules, such as one user logged on at multiple locations, large number of invalid logon attempts, etc and are Multiple Layers. 1. Firewall 2. Proprietary Interceptor Application, 3. Web Application and 4. Database Access. Lockout and Denial of Service set per security policy.

there processes for follow-up? a) Can these anomalies be detected automatically and trigger events based on pre-determined rules (e.g. alerts, emails, pages, etc)? b) What methods can be used for reporting on logged data? c) Is there a standard reporting mechanism and using what tools? 6) Are procedures in place for the following: a) Development of application updates and patches? b) Code reviews to ensure data integrity and security? c) Timely application of patches in the production deployment? d) Testing before deployed to production environment? III. Threat Evaluation and Response Also each user connected to our SSL VPN has individual signature session to prevent sniffing data packets. Alerts can be sent via email, fax, SMS or recorded voice message. SQL Dump to CSV, XLS, PDF, etc. in specified format or web access reporting. SharePoint is also an acceptable option Yes, Web based reports querying SQL tables Specifications must be submitted in writing and approved by both parties We have an online support ticket for 24/7/365 support. Code reviews can be done quarterly or as needed to optimize business process. System undergoes daily maintenance routine. All system and security updates are tested on development servers before be applied to production servers. See above. We are a 8 year old company and product with a mature software development cycle. 1) Are service accounts required for your application to run? If so, how many/what type? a) Have you completed an exception for setup and use of these IDs? b) For vendor products how will you connect to your application for support? NO All users who are granted access will be given a link to setup their IDs and an administration console will be provided. It is Hospital s responsibility to assign a security officer who will have the ability to add/delete users, suspend access, reset passwords, change security questions, modify contact information, etc. There is an integrated support system that is ticket based. User will be assigned a support ticket and will have access to review that status of each request. Most support tickets are handled same day with a few handled during system maintenance and will be completed the following day. c) Is a site-to-site VPN tunnel setup to allow This can be made available, but not required as a SSL VPN is already Page 4 of 6

secure access? established. 2) Has your application been scanned for vulnerabilities? a) Were the vulnerabilities all remedied? b) What tool was used for scanning? Nessus and Comodo c) For vendor applications, does your product NO None that we are aware have any known vulnerabilities? 3) For ASP models, what is your ongoing vulnerability management process? Ongoing Vulnerability Scanning, Server Hardening Procedures, Application Hardening Procedures. Our application is locked down pretty tight. We only allow assigned IPs any latitude whatsoever. a) What scanning mechanism do you use for vulnerability assessment? How often do you scan? What is your process for remediation for vulnerabilities you find? b) What Anti-virus program do you use? What is the update/patch process? How often are patches pushed? Nessus c) Do you utilize any other software, such as Intrusion Prevention (Network and/or Host), Intrusion Detection, Network Access Control, etc) and if so, using what products? 4) Has your site undergone a SAS70 audit? NO a) When was the last audit? b) What were the results? c) How often are these audits performed? d) Are you certified under any other standards NO around information security, such as ISO? 5) What is your process for notifying customers of potential information breaches? a) What criteria must be met for you to disclose a potential breach? Multi-Layer Page 5 of 6 We scan bi-weekly. We take action dependent on the level of vulnerability uncovered. Action could be immediate to during regular scheduled maintenance depending on circumstances. We use a three tiered security process. Firewall uses Gateway Anti-Virus and Content Filtering We have an Interceptor solution that uses F-Prot for Windows to filter all inbound data traffic and we use a Symantec hybrid solution on our servers. We have firewall based intrusion detection as well as internal security protocols developed within the application that are trigger enabled. We use a SonicWall Pro Firewall for the network segment this web application resides. We have a security officer alert system of scheduled maintenance times, heightened security events and natural disaster events. We have withstood several hurricanes, severe security threats and continue to be stable and trusted solution. Network administrators are notified of any potential security breach that is relevant to their domain or users immediately. 99.999% of attempts are stopped at firewall level and security officer is not notified. We notify security officer of after multiple failed login attempts, suspicious activity

such as high bandwidth consumption or ANY unauthorized access that comes to the attention of network administrators. We provide the ability of a Hospital Security Officer to monitor log in times, IP s and other criteria as needed as a secondary layer of access supervision. b) How and when is disclosure done? Security notifications are sent out immediately via emails. SMS, Fax and Recorded Voice Notifications are also available. IV. Physical Security 1) Do you employ the following at your data center: a) Electronic locks on server room doors? As well as locked server cabinets inside locked server room doors b) Access card or biometric readers? Access Cards 2) Are visitors required to sign in before they have No visitors allowed who are not on the approved list. access to the data center? 3) Are all doors (offices, storage rooms, etc.) within or near the data center locked at the close of Sever room is concrete doors, walls, floors with no additional access points. business hours? 4) Is the data center staffed continuously (24/7)? If not, what are the hours of operation? Page 6 of 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information