DEPARTMENT OF MEDICAL ASSISTANCE SERVICES VULNERABILITY ASSESSMENT AND NETWORK PENETRATION TEST FEBRUARY 2007



Similar documents
DEPARTMENT OF MEDICAL ASSISTANCE SERVICES VULNERABILITY ASSESSMENT AND NETWORK PENETRATION TEST JUNE 2009

How To Check If A System Is Secure

VIRGINIA WORKERS COMPENSATION COMMISSION REPORT ON AUDIT FOR THE YEARS ENDED JUNE 30, 2006 AND JUNE 30, 2007

DEPARTMENT OF ALCOHOLIC BEVERAGE CONTROL REPORT ON AUDIT FOR THE YEAR ENDED JUNE 30, 2012

DEPARTMENT OF ALCOHOLIC BEVERAGE CONTROL REPORT ON AUDIT FOR THE YEAR ENDED

EMERGENCY MANAGEMENT PERFORMANCE AND STATE HOMELAND SECURITY PROGRAM FEDERAL GRANTS

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

HIPAA Compliance Evaluation Report

STATE OF NORTH CAROLINA

OFFICE OF AUDITOR OF STATE

Security Controls What Works. Southside Virginia Community College: Security Awareness

Overview TECHIS Carry out security testing activities

DEPARTMENT OF MINORITY BUSINESS ENTERPRISE

NIST National Institute of Standards and Technology

White Paper Strengthening Information Assurance in Healthcare

Computer Security Auditing

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Performance Audit Opportunities to Improve State IT Security

ESKISP Conduct security testing, under supervision

STATE OF ILLINOIS NORTHERN ILLINOIS UNIVERSITY ALUMNI ASSOCIATION REPORT REQUIRED UNDER GOVERNMENT AUDITING STANDARDS Year Ended June 30, 2008

Vulnerability Management Policy

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

STATE OF ARIZONA Department of Revenue

locuz.com Professional Services Security Audit Services

Independent Auditors' Management Letter

INTRODUCTION TO NETWORK SECURITY. Nischit Vaidya, CISSP Instructor

MEANINGFUL USE DESK AUDIT

5.5. Penetration Tests. Report of the Auditor General of the Ville de Montréal to the City Council and to the Urban Agglomeration Council

VIRGINIA SMALL BUSINESS FINANCING AUTHORITY RICHMOND, VIRGINIA REPORT ON AUDIT FOR THE YEAR ENDED JUNE 30, 2002

What is required of a compliant Risk Assessment?

HEALTHCARE SECURITY AND PRIVACY CATALOG OF SERVICES

A Performance Audit of IT Security at Universities and Quasi-Government Agencies

Information Assurance Metrics Highlights

John P Zelsnack CISSP/CISM/CRISC/Securty+/ITILv3 Senior Technical Manager/Cyber Security Engineer General Dynamics - Advanced Information Systems

Can Your Diocese Afford to Fail a HIPAA Audit?

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE

State of West Virginia Office of Technology Policy: Information Security Audit Program Issued by the CTO

STATEMENT OF JOHN E. MCCOY II DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE

IBM Internet Security Systems October FISMA Compliance A Holistic Approach to FISMA and Information Security

How To Audit The Minnesota Department Of Agriculture Network Security Controls Audit

SHARING BEST PRACTICES IN INFORMATION SECURITY PREVENTION TIPS & RESPONSE TECHNIQUES

Strategies for assessing cloud security

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS

How to Practice Safely in an era of Cybercrime and Privacy Fears

FINAL May Guideline on Security Systems for Safeguarding Customer Information

State of Virginia Small Business Financing Authority (BDF)

Taking Information Security Risk Management Beyond Smoke & Mirrors

National Information Management Conference and Exposition Thursday, April 23, 2009

Need for Database Security. Whitepaper

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate;

Chapter 1: Information Security Fundamentals. Security+ Guide to Network Security Fundamentals Second Edition

ESKISP Assist security testing, under supervision

HIPAA Security Rule Compliance

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

5 Tools For Passing a

Financial Statements of. Community Initiatives Fund

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Information System Audit. Arkansas Administrative Statewide Information System (AASIS) General Controls

IT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies

COMMONWEALTH of VIRGINIA

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

Penetration Testing Service. By Comsec Information Security Consulting

Our Commitment to Information Security

AUTOMATED PENETRATION TESTING PRODUCTS

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy

Office of Information Technology E-Government Services

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

NEIAF June 18, IS Auditing 101

Preemptive security solutions for healthcare

Best Practices For Department Server and Enterprise System Checklist

Cyber-Security White Paper Final 1Q2013 Version. to HIT Commission Feb. 21, 2013

Privacy for Beginners: What Every Healthcare Worker Needs to Know About HIPAA and Privacy

White Paper. Understanding NIST FISMA Requirements

Network & Information Security Policy

Server Management-Scans & Patches

LOBBYING DISCLOSURE IN PENNSYLVANIA 2014 ANNUAL REPORT PENNSYLVANIA DEPARTMENT OF STATE. June Tom Wolf Governor

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

4 Ways an Information Security Analyst Improves Business Productivity

Aberdeen City Council IT Security (Network and perimeter)

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

Strategic Plan On-Demand Services April 2, 2015

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

Health Insurance Portability and Accountability Act (HIPAA) Overview

Overview TECHIS Carry out risk assessment and management activities

REQUEST FOR BOARD ACTION

In Brief. Smithsonian Institution Office of the Inspector General

Assuria Auditor The Configuration Assurance, Vulnerability Assessment, Change Detection and Policy Compliance Reporting Solution for Enterprise

How To Protect A Wireless Lan From A Rogue Access Point

INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN

Electronic Signature Policy

Information Security for Managers

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Transcription:

DEPARTMENT OF MEDICAL ASSISTANCE SERVICES VULNERABILITY ASSESSMENT AND NETWORK PENETRATION TEST FEBRUARY 2007

AUDIT SUMMARY Our vulnerability assessment and network penetration test of the Department of Medical Assistance Services (DMAS) as of January 8, 2008 found. Based on our assessment of the risks the systems face and the tests of the operating effectiveness of the controls developed by DMAS to alleviate those risks, overall information security controls in place at the time of the testing appear sufficient to protect critical and sensitive information from external threats; and Certain areas where DMAS can make improvements to information security controls that protect critical and sensitive information from internal threats Recommendations regarding these improvements are part of a separate report that is exempted from public disclosure in accordance with Section 2.2-3705.2.3 of the Code of Virginia. This provision allows for the exemption from disclosure information that describes the design, function, operation, or access control features of any security system.

February 13, 2008 The Honorable Timothy M. Kaine Governor of Virginia State Capitol Richmond, Virginia The Honorable Thomas K. Norment, Jr. Chairman, Joint Legislative Audit and Review Commission General Assembly Building Richmond, Virginia The Department of Medical Assistance Services (DMAS) requested the Auditor of Public Accounts (Auditor) perform a vulnerability assessment and network penetration test. DMAS requested that the Auditor use its technical staff experienced in security control work and operations to perform an independent assessment of the risks the systems face (vulnerability assessment) and a test of the operating effectiveness of the controls (penetration test). We conducted the review as of January 8, 2008, and examined whether information systems management and administration had reasonably assessed risk and that the controls placed into operation were effective in mitigating the assessed risks. DMAS requires this type of test every year to satisfy due diligence requirements for the federal Health Insurance Portability and Accountability Act (HIPAA) and internal policies. DMAS has created an information security controls environment that attempts to protect the areas where information systems management perceives risk and has tailored the controls accordingly. The auditors used a variety of scanning software and techniques during the vulnerability and penetration test. Not only did the review investigate the state of the network and systems, it also included the content of published data. The review of the published data ensures that accidental release of information does not occur. Outside of the scope of this engagement were social engineering attacks. Social engineering attacks include posing as technical support staff to elicit responses from users designed to aid in network penetration, or searching desks to reveal notes with passwords and user IDs. This type of test typically identifies significant security weaknesses. However, we did not perform this type of test work because of the effect that these tests can have on employee confidentiality, property rights, and the relationship between users and information systems staff. This project was limited to the DMAS network. This test work did not include any information housed for DMAS at the Virginia Information Technologies Agency (VITA) or any of the information housed at First Health, DMAS service provider for processing Medicaid claims. This engagement did not have a goal of identifying all of the potential weakness to which the systems could have been subject.

Based on our assessment of the risks the systems face and the tests of the operating effectiveness of the controls developed by DMAS to alleviate those risks, overall information security controls in place at the time of the testing appear sufficient to protect critical and sensitive information. However, we noted certain areas where DMAS can make improvements to enhance systems security. We have provided the management of DMAS the details of our recommendations in a separate report that is exempted from public disclosure in accordance with Section 2.2-3705.2.3 of the Code of Virginia. This provision allows for the exemption from disclosure of information that describes the design, function, operation, or access control features of any security system. We discussed this report with management at an exit conference held on February 13, 2008. We have not included management s response in this report because the information included in their response is also exempted from public disclosure in accordance with Section 2.2-3705.2.3 of the Code of Virginia. However, management generally concurred with our recommendations and agreed to take appropriate corrective action. GGG:clj clj:19 AUDITOR OF PUBLIC ACCOUNTS

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information