About This Document. Response to Questions. Security Systems Assessment RFQ




Response to Questions
Security Systems Assessment RFQ
Posted October 1, 2015

About This Document

This document answers all of the questions received as of September 15, 2015. Questions received after that date will not be answered. Questions are listed exactly as they were received. Language that includes personal or organization identifiers has been redacted. General terms (underlined) have been substituted to protect privacy.

The Patient-Centered Outcomes Research Institute (PCORI) is an independent organization created to help people make informed healthcare decisions.

Q: Which specific security assessment processes are sought for this engagement? The RFQ mentions several kinds of analysis and deliverables which can each be substantive, individual projects on their own. [Name redacted] is capable of providing all of the services described below, but we want to be sure that [name redacted] proposes an approach that meets PCORI's objectives.

Risk Assessments identify whether required security controls are in place, and whether they provide a reasonable and appropriate or acceptable risk to the public, to PCORI and to PCORI's constituency. Risk assessments are a required basis for compliance and security management by government agencies and nongovernment agencies alike. Risk assessments are a type of analysis that is commonly run within a project with planned interviews, evidence gathering, analysis and reporting. Risk assessments are often a discrete effort from the other security analyses that are stated in the RFQ (as listed below).

Vulnerability Assessments are scans of technical systems, applications, and devices that reveal a set of weaknesses in systems that lead to potential exploits. These are very useful in identifying opportunities for breaches and hack attacks, and for analyzing vulnerabilities in Risk Assessments. They can be run independent of Risk Assessments.

1828 L St., NW, Suite 900 Washington, DC 20036 Phone: (202) 827-7700 Fax: (202) 355-9558 Email: info@pcori.org Follow us on Twitter: @PCORI
RFQ # PCO-SSA2015 Responses to Questions 1

Penetration Testing (of which Social Engineering is a part) is also run as a discrete project, but that creates valuable information that can be analyzed and prioritized in a risk assessment, or addressed and repaired independent of a risk assessment. Penetration tests are efforts by technicians to (safely) determine to what degree systems and information can be compromised. Penetration test reports can be analyzed in a risk assessment for prioritization of repair, or can be used directly to repair any flaws that led to demonstrated compromise.

Disaster Recovery / Business Continuity Planning can be cursory or in-depth. A cursory review can be an explicit focus of a risk assessment that determines whether the classic parts of a business continuity / disaster recovery plan are in place and appear well designed. A more substantive review can provide you with a substantive, tested plan with assurances of appropriate detail and accuracy of the plan.

Security Architecture Design can also be cursory or in-depth, depending on the challenges and risks that are identified during Risk Assessments and Penetration Tests.

Incident Response Plan is another process or item that can be handled to a cursory or in-depth degree.

Security Policy Design is a process that can take considerable or little effort, depending on the current state of PCORI policies and the complexity of the environment.

A: The following processes (referenced above) are sought after as part of this engagement: Risk Assessments, Penetration Testing, Incident Response Plan, and Security Policy Design.

Q: How flexible is PCORI's described timeline? We understand the timing that is described in the RFQ, but the actual time it would take to conduct the described work is typically significantly more than what is stated. As we come to understand PCORI's objectives as a result of discussing Item 1, we can help plan a project that meets your objectives for Item 2.

A: Yes, we are flexible.

Q: How complex and broad is the environment that will be assessed? This is an important element in our understanding of your objectives so that [name redacted] can appropriately estimate the time and skills our team would require in order to properly assess your environment.

A: We are 75-90 percent cloud-based and also have two physical sites in Washington, D.C.

Q: How deep should the risk analysis be? [Name redacted] is capable of conducting risk assessments that are based on policy reviews and interviews, or additionally, on the effectiveness of the controls after reviewing evidence.

A: The analysis should encompass a deep analysis of our environment.

Q: What is the scope of the investigation? For example, does it include PCORnet?

A: No, it doesn't include PCORnet; it includes PCORI main systems.

Q: Does it include the security practices of contractors, such as implementers and developers?

A: Yes.

Q: Does it include the use of information by review boards or other groups external to PCORI's staff?

A: No, it does not.

Q: What is the basis of your distinction between an internal and an external system?

A: Internal: PCORI staff facing. External: Non-PCORI staff.

Q: While PII and PHI are emphasized, the security of other information, such as financial information, should also be considered. Is this correct?

A: Yes.

Q: What is the scope of the PCORI network? For example, does it include PCORnet?

A: It is local to two PCORI sites and all the applications in the cloud (i.e., SharePoint, Fluxx, Salesforce, etc.)

Q: We are concerned that PCORI may be expecting that the contractor can conduct an in-depth examination (e.g., to the hardware or operating system level) for Software as a Service applications such as Salesforce and Foundation Connect, as well as for Platform as a Service solutions such as Amazon Web Services. Can you please comment on your expectations for security examination, for services that are managed and delivered by third-party service providers?

A: Our expectation is that the vendor uses industry best practices.

Q: Has any IT risk assessment already been performed, such as identifying strategic assets and the cost of their being compromised? Did executive management participate in the risk assessment? If so, how?

A: No, there have not been any already performed.

Q: Is executive management expected to participate in the risk assessment associated with this study?

A: This is dependent upon the depth of the study.

Q: How are you defining Social Engineering in the proposal?

A: An unauthorized person using PCORI staff to gain access to PCORI data.

Q: Are information owners expected to participate in the Information Asset Profiling process?

A: TBD

Q: How many locations are subject to vulnerability assessment, attack and penetration testing, and application security testing?

A: 2

Q: Is PCORI's email system within the scope of the investigation?

A: Yes

Q: Security Assessment/Penetration Test Scoping questions for PCORI:
   How many data centers are there? 0
   How many physical locations are there? 2
   Are all Security Procedures and Policies centrally managed? Yes
   How many individuals will need to be interviewed in order to collect relevant Policy and Procedure Information? All SMEs
   The RFP identifies ISO27001 as a reference model. Is PCORI sensitive to HIPAA and/or PCI control requirements? Yes

A: See above.

Q: External Test:
   Will you provide address ranges? If not, would you like a Black Hat Test sequence executed?
   What is the number of IPs owned / in scope?
   What is the number of IPs managed by another party? 10
   What is the number of separate DMZs? 2
   What is the number of IPs active within the scope? 254
   What is the number of Web Applications, with description (approx. # of pages, components)?
   Is there a Mobile Device Management Solution in place? How many PDAs, etc. are in scope? Yes, 100 PDAs
   Are there any modems in scope? No
   How many external WiFi environments exist? 1

A: Should they be selected as a vendor, this information will be provided.

Q: Internal Test:
   What is the number of IPs owned?
   How many subnets?
   What is the number of servers and desktops?
   What is the number of IPs active?
   Wireless Testing:
   What is the # of SSIDs and physical location(s)?
   Social Engineering:
   What is the # of phishing targets?

A: Should they be selected as a vendor, this information will be provided.

Q: External Network Penetration Testing
   Total number of *active* IPs (external):
   Number of servers:
   Number of network devices (est.):
   Is the environment hosted internally or by a third party?

A: Should they be selected as a vendor, this information will be provided.

Q: Internal Network Penetration Testing
   Total number of *active* IPs (internal):
   Servers:
      o Total server count: 4 physical, others virtual
      o Breakdown of Windows: 4
      o Breakdown of Linux: 0
      o Breakdown of Other: 0
   Workstations:
      o Total workstation count: 250
      o How many standard builds or images are you using to deploy these workstations (this is to see how much we will be able to take advantage of sampling)? 1
   Number of network devices (est.): 1

Q: Application Penetration Testing: For the application penetration testing, the most important information for scoping purposes is to get an estimate of the size of the application. This includes the number of pages, the number of user-level roles (i.e., Admin, User, etc.), whether the pages are mostly comprised of static or dynamic content, and how many unique input fields are being used across all pages. This information will provide a good understanding of how long and complex the testing of the application will be. With that in mind, please address the following questions to the best of your ability.

   Application Penetration Testing Questions
   How many applications are in scope for this security assessment? 10-11

   Is the application internal, or public facing? Both
      o If public facing, please provide a URL for each app in scope:
         1. App1: TBD
         2. App2: TBD
         3. App3: TBD
   Application No. 1: (repeat for each application)
   Sizing:
   How many web pages comprise the application?
   How many of those web pages are static?
   How many of those web pages are dynamic?
   How many total input parameters are used (input fields across all pages)?
   How many unique input parameters are used (input parameters reused on several pages)?
   How many user levels/roles are defined within the application (i.e., Admin, User, Customer)?
      o How many user roles are in scope for the testing?

A: This information will be provided to the winning bidder.

Q: Wireless Assessment:
   Number of wireless networks in scope: 5
   Number of wireless access points: Give or take 10
   Number of controllers: 2
   Number of locations (unique cities or geographical locations): 2

Q: Social Engineering
   Electronic:
      o For each building:
         1. Number of floors: 6
         2. Approximate square footage: This information will be provided to the winning bidder.
   What types of attacks are desired?
      o Phishing (if so, how many users are in scope)? Yes
      o Pre-Text Calling (if so, how many users are in scope)? Yes
      o Vishing? Yes
   Will we enumerate/identify the targets via reconnaissance, or will targets be identified? TBD
   If attacks are successful, is data compromise or exploitation desired, or simply notating the success/failure of the attacks? TBD
   What is the ultimate objective (access to data, a particular system, etc.)? Find our weakness and determine solutions.

Q: Physical:
   What types of attacks are desired?
      o Dumpster Diving? TBD
      o USB Drops? TBD
      o Server room infiltration? TBD
   How many locations and users are in scope? All staff (250)
   Will any information be shared prior to attacks (whitebox/blackbox)? TBD
   What is the ultimate objective (access to a particular area, etc.)? Find our weak access points.

Q: Risk Assessments
   1. How many total employees does PCORI have? 250
   2. How many employees are in the IT, Operations, and Security teams? IT 26, Operations 75, Security none
   3. How many locations does PCORI have? 2
   4. What types of systems are used in the environment? (e.g., Windows Desktops, Windows Servers, Linux, Apple, ICS, Mainframe, etc.) Information will be provided at a later point in the process if you have been identified to advance.

   5. Please provide more information regarding the scope and outcome of the information asset profiling request. Does an asset inventory exist today and, if so, is this request to review and assess current state? Yes, we have an asset inventory solution in place today, but we are currently consolidating asset inventory solutions. This is not in the scope of this RFP.
   6. Please provide more information regarding the scope and outcome for the request to review and define security policies. Are security policies in place today and, if so, approximately how many? Do additional policies need to be developed? Yes, there are some generic security policies in place. However, part of the assessment would be to recommend additional policies to meet industry standards.
   7. Please provide more information regarding the scope and outcome of the request to define a disaster recovery plan. Does a business continuity or disaster recovery plan exist today, either formal or informal? Yes, we have a basic disaster recovery plan, but disaster recovery is not included in the scope of this RFP.
   8. Is this a strict deadline? Is there any flexibility to it? The deadline is dependent upon the recommendation and the final statement of work agreed upon.

Q: Phase I Information Risk Assessment
      o Current Systems Review
      o Review of existing procedures and policies to highlight gaps and threats (compare to standards such as ISO27001 controls)
   1. Vulnerability assessment: How many systems in scope, and how many internal vs. external?
   2. Attack and penetration testing: How many systems in scope, and how many internal vs. external?
   3. Application security testing: How many systems in scope, and how many internal vs. external?
   4. Review existing disaster recovery plan/business continuity plan
   5. Network risk analysis
   6. Review physical security
   7. Prepare Risk Matrix (using confidentiality, integrity, and availability as parameters)
   8. Information Asset Profiling
   9. Social Engineering: How many users in scope? Onsite vs. remote, or both?

A: All staff 250.