PierianDx - Clinical Genomicist Workstation Software as a Service FAQs




Network Security

Please describe the preferred connection method(s) between the PierianDx network and a healthcare organization's secure network.

The Clinical Genomicist Workstation (CGW) is a web application, and the client machine does not require any special software or hardware components other than high-speed internet connectivity. The recommended internet connection speed (upload speed) is a minimum of 5 Mbps. Our networks will be inter-connected using a site-to-site VPN, allowing necessary servers and sequencers to connect from a healthcare organization's secure network to PierianDx's secure network.

If the Internet is used to facilitate a network connection from a healthcare organization's LAN to PierianDx's production network, what methods are used to protect information transmitted over the Internet (e.g. TLS, SSL, FTPS/SFTP, etc.)?

CGW is a highly secured web application, and its data is stored within a HIPAA-compliant data center hosted at Washington University within its secure Washington University Clinical Operations Network (WUCON). The web application uses an SSL connection so that messages over the internet are secured. Secure Sockets Layer (SSL) is a commonly used protocol for managing the security of message transmission on the Internet. For transferring files, either SFTP (Secured File Transfer Protocol) or a Samba share over VPN will be used.

Describe any network security features, such as firewalls, proxy servers, etc., that PierianDx uses to protect its network from unauthorized access.

WUCON is a HIPAA-compliant network operated by the Washington University School of Medicine. WUCON operation and policies are audited periodically by internal and external organizations. WUCON is protected by redundant Cisco 5580 ASA firewalls and two DMZ networks. Security policies forbid any connection into WUCON except from the DMZ. This means that all requests for WUCON services are directed to servers within the DMZs. This is enforced by giving WUCON only private (RFC 1918) addressing, which is not routed on the Internet; therefore, one cannot connect to any service in WUCON through the firewall directly. The typical method for getting information from WUCON is for the request to terminate on a Microsoft ISA/TMG server in the DMZ; this server functions as an application firewall and validates the web request or email message. The traffic then passes into WUCON from the DMZ in a secure fashion. All connections to resources terminate in the DMZ. The DMZ server then takes the request and passes it into WUCON, or gets the information through database queries or other means. Then the response passes out through the DMZ to the system that made the original request.

Does PierianDx require the use of multi-factor authentication for administrative control of routers, firewalls, or other critical network infrastructure components on its network?

Yes. CGW uses a multi-factor authentication system. As explained above, unless the client IP ranges are registered with Washington University in St. Louis (WU), no one is able to access any systems behind the firewall. The backend connection is secured using a certificate provided by the vendor. Once a connection passes these checks, the user's user ID is authenticated against an identity management system. If it matches, the user's password is checked to authenticate the user. Once this step is successful, the system checks the authorization for this user in CGW. The user is limited to the functions permitted by the role assigned in CGW.

Does PierianDx perform and document internal security audits on its network infrastructure? If so, how often are these tests performed and what is the process used?

There is an Information Security team that sets policies and manages the security perimeter. Besides the firewall, we have Intrusion Detection Systems inside WUCON that check for suspect traffic. All logs from the firewalls, IDS and other sensors are passed to a Security Information Event Monitor (SIEM) that aggregates the information and generates reports. The Information Security team is responsible for monitoring the SIEM and responding to alerts indicating anomalous behavior.

Does PierianDx perform, or have a third party perform, external penetration tests on its network infrastructure? If so, how often are these tests performed and what is the process used?

There is a quarterly PCI scan of WU's external address space. Security Services performs a quarterly vulnerability scan of all external address space. WU has periodic scans and hires an external vendor to do penetration tests every other year.
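The layered access check described in the multi-factor authentication answer (registered client IP range, then the backend certificate, then user ID against identity management, then password, then the CGW role), as an added example in Python; this is not PierianDx's or WU's code, and the registered ranges, certificate fingerprint, identity store, roles and PBKDF2 credential hashing are constructed sample data chosen for the example.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# All values below are constructed for this example; none is PierianDx or WU data.
REGISTERED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # customer ranges registered with WU
SALT = b"constructed-salt"

def pw_hash(password: str) -> bytes:
    # PBKDF2 stands in for whatever credential the identity management system stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

CUSTOMER_CERT_FP = hashlib.sha256(b"constructed client certificate (DER)").hexdigest()
REGISTERED_CERT_FPS = {CUSTOMER_CERT_FP}                 # one unique certificate per customer
IDENTITIES = {"jdoe": pw_hash("correct horse battery")}  # user id -> stored credential
ROLES = {"jdoe": "analyst"}                              # user id -> CGW role
ROLE_PERMISSIONS = {"analyst": {"view_case", "sign_out_report"},
                    "admin": {"view_case", "sign_out_report", "manage_users"}}

@dataclass
class AccessRequest:
    source_ip: str
    cert_fingerprint: str  # SHA-256 hex of the client certificate presented on the backend connection
    user_id: str
    password: str
    action: str

def authorize(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate the layers in the order the FAQ lists them and stop at the first failure.
    The reason string is for the audit log only; echoing it to the client would reveal
    which layer (registered range, certificate, user id, password) rejected the request."""
    try:
        ip = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return False, "malformed source address"
    if not any(ip in net for net in REGISTERED_RANGES):
        return False, "source address not in a registered range"
    if req.cert_fingerprint not in REGISTERED_CERT_FPS:
        return False, "client certificate not registered"
    stored = IDENTITIES.get(req.user_id)
    if stored is None:
        return False, "user id not found in identity management"
    if not hmac.compare_digest(stored, pw_hash(req.password)):
        return False, "password mismatch"
    role = ROLES.get(req.user_id)
    if req.action not in ROLE_PERMISSIONS.get(role, set()):
        return False, f"role {role} is not authorized for {req.action}"
    return True, "allowed"
```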
Does PierianDx have documented requirements for customer network security (with audit functions) to ensure that other customers will not compromise its production network? If so, please describe.

Yes. All customer access in the CGW architecture occurs via unique SSL certificates.

Is PierianDx HIPAA / HITECH compliant?

Yes. The WUCON network is HIPAA compliant, and it supports all clinical operations for the Washington University School of Medicine.

Is PierianDx PCI compliant?

We are not certified as PCI compliant. CGW currently does not allow any credit card transactions, and therefore this compliance is not applicable.

CGW Platform

Does PierianDx have a documented policy for hardening the operating system on its Web and other servers? If so, please describe.

Industry best practices and hardware/software vendor-recommended policies are documented and followed by the IT team.

How does PierianDx ensure separation of data and security authorizations between different customer applications that may be hosted on its network?

In the CGW hosted model, each customer uses a dedicated application and web server. The database server is shared, but we have schema-level authorizations at the customer level.

What is PierianDx's process for evaluating and installing operating system and application vendor critical patches and security alerts?

All operating system and application patches are applied semi-annually and kept up to date according to hardware/software vendor recommendations.

How does PierianDx monitor the utilization of the network and servers used to host this application?

We have monitoring systems deployed for all of our servers. In case of an exception or when a capacity threshold is reached, alerts are sent to the system/network administrators.

What are PierianDx's data retention policies?

For compliance reasons, all relevant genomic data should be kept for at least 15 years. However, all CGW case reports are maintained in CGW indefinitely. For clinical trials, the established policy is to retain data for a minimum of 15 years after the trial has ended. However, CGW maintains FASTQ files, alignment files, variant call format files and coverage files, along with quality control metrics files, indefinitely. The report that is generated and signed out from CGW is also kept indefinitely. Users who have access to patient case reports can access past reports indefinitely.

Does PierianDx encrypt all data when it is at rest? Who holds the encryption keys?

No. We do not perform any data encryption. Data is protected through other mechanisms, as explained above under the data security measures.

IT Operations

How many physical sites does PierianDx have that are capable of hosting this application? Where are the sites located?

One location: Washington University's data center located in St. Louis, MO.

Does PierianDx own and physically manage the primary data center used to host this application?

Washington University owns or leases the buildings and manages all data centers.

What are the physical security features of the primary data center facility used to host this application and, if applicable, any secondary or hot site facilities?

Access to the data center is controlled through security badges. Only authorized system administrators and managers have access to this building. All access is monitored, logged and audited regularly.

How does PierianDx screen the staff who may have physical or administrative access to servers and software components used to support this application?

We do not use any part-time employees or contractors in the system/network administrator teams; all our team members are full-time employees. If a vendor contractor requires access, a full-time employee always accompanies the person.

How long does PierianDx retain audit and security logs? How are these logs stored and protected against modification or deletion?

We usually keep these logs for a period of 6 months. The logs are accessible only by the system/network administrators and IT auditors.

Does PierianDx have documented procedures for intrusion detection and security incident response/escalation?

Yes. We have documented policies for this.

What is PierianDx's data center disaster recovery configuration and process?

We have a documented procedure for bringing up all infrastructure within a period of 72 hours immediately following a disaster.

Services

What is PierianDx's service level and support structure, including escalation and response times?

We have a CGW Help Desk with email and phone-based support, working during normal customer working hours, that will respond within 8 business hours. More details are provided in the SaaS agreement.

Does PierianDx provide services that allow users to request ID unlocking, password reset, etc., and what procedures does PierianDx use to authenticate the user before performing the requested action?

The backend authentication is controlled through a certificate. Access to CGW can be reset provided the user can identify the user name, email address and phone number and is also able to send a request from the user's email address. Password resets are provided only over the phone to the end user, and the phone number must match the vendor records. Note that this process only applies to authentication provided by CGW. If authentication is provided by the customer's identity management system, services provided will be based on that identity provider's policies and regulations.

Web Browser Support

Does CGW require browser add-ons including (but not limited to) ActiveX controls, toolbars, Java applets, Flash or Shockwave componentry, or Browser Helper Objects in order for the customer to use the proposed system?

Java itself is required to launch the Integrative Genomics Viewer (IGV). The version of Java may change with IGV versions and/or CGW versions, and such version changes will be communicated to the customer.