Scope:
This document further refines the principles and concepts for SolMed Certification and Accreditation. The tactical intent is to provide policy, guidance, and authority, and to identify situations where enterprise oversight has been established. All SolMed Data Centers, Network Operations, Internal IT, and purchasing of software for use on SolMed computing equipment and on non-SolMed computing equipment on the SolMed Network are governed by this plan.
Policy Guidance:
External (outward-facing) computing portals shall be monitored and maintained with the highest level of attention to security, availability, and performance. Inbound and outbound traffic (crossing the firewall) to the Internet and other external destinations/sources represents a high tier of risk to the overall SolMed computing environment. Internal interfaces, the SolMed Intranet, and internal email all present a secondary tier of risk to SolMed and are (when outbound) a special potential source of risk to our customers, partners, etc. These will also be monitored and maintained with a high level of attention.
All applications are subject to Security Certification and Vulnerability Remediation. Accreditation will be required for new applications and will be phased in for existing applications within the next 12 months.
Inventory and Licensing
Hardware and software are both elements of the IT Infrastructure Enforcement Points. Components of both the physical (hardware) and application (software, including operating systems, utility suites, and business applications) layers will be evaluated and monitored for security vulnerabilities.
All hardware equipment installed on any portion of the SolMed Network will be registered with the Security Department, including: equipment manufacturer, hardware serial number, IP address, node (name) identification, loadable software, and software version. Maintenance contracts and allowed access to equipment for maintenance must be authorized by the SolMed Security Department. Direct access via embedded modems to network-installed equipment requires executive exception authorization.
All applications requiring a license for use (e.g. Microsoft Windows, MS Office, Oracle, UNIX, Financial Application Suite, Virus Protection, Encryption, SSL / Tunneling, etc.) must be registered with the SolMed Security Department. Product name, software supplier, serial number, software version, license certificate, license expiration date, and IP address of the installation point must be recorded. Software not requiring a license for use, including certified tools (e.g. Spybot), must be registered with SolMed Security. Non-certified, non-licensed software requires executive exception authorization.
Periodic Inventory Certification
Annual hardware inventory updates to the Security Department will be performed coincident with the Capital Asset Inventory. Metrics for unreported changes reconciled during the inventory will be reported as process defects to Management.
Annual software inventory will be performed on at least 20% of end-user computing equipment. This will generally be performed through the network via privileged direct access to PCs, Macs, and other workstations. Validation of enterprise server software configurations will be performed unannounced at least quarterly, at random, on all Data Center managed equipment. Metrics for unreported deviations from recorded software versions and products reconciled during the inventory will be reported as process defects to Management.
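The reconciliation this section calls for, shown as an added example that is not part of the SolMed plan: the registered record (node name, serial number, IP address, software and version, as listed under Inventory and Licensing) is compared with what a sweep observed, and each unreported deviation is counted as a process-defect metric. The record layout and all sample data are constructed for illustration.

```python
# Constructed: records on file (node name, serial, IP, software + version).
REGISTERED = {
    "app-srv-01": {"serial": "SN-0001", "ip": "10.0.1.10",
                   "software": {"Oracle": "11.2", "Virus Protection": "4.1"}},
    "web-srv-02": {"serial": "SN-0002", "ip": "10.0.1.20",
                   "software": {"UNIX": "7", "SSL / Tunneling": "2.0"}},
}
# Constructed: what the unannounced validation sweep actually found.
OBSERVED = {
    "app-srv-01": {"serial": "SN-0001", "ip": "10.0.1.10",
                   "software": {"Oracle": "11.2", "Virus Protection": "4.3",
                                "Spybot": "2.9"}},
    "web-srv-02": {"serial": "SN-0002", "ip": "10.0.1.25",
                   "software": {"UNIX": "7"}},
    "lab-box-07": {"serial": "SN-9999", "ip": "10.0.1.99",
                   "software": {"MS Office": "2003"}},
}

def reconcile(registered, observed):
    """Return deviations as (node, kind, detail) tuples."""
    findings = []
    for node, seen in observed.items():
        reg = registered.get(node)
        if reg is None:  # hardware never registered with Security
            findings.append((node, "unregistered-host", seen["serial"]))
            continue
        for field in ("serial", "ip"):  # recorded identity vs. observed
            if reg[field] != seen[field]:
                findings.append((node, field + "-mismatch",
                                 f"recorded {reg[field]}, found {seen[field]}"))
        for product, ver in seen["software"].items():
            rec = reg["software"].get(product)
            if rec is None:  # installed but never registered
                findings.append((node, "unregistered-software", product))
            elif rec != ver:  # version changed without notification
                findings.append((node, "version-drift",
                                 f"{product}: recorded {rec}, found {ver}"))
        for product in reg["software"].keys() - seen["software"].keys():
            findings.append((node, "missing-software", product))
    for node in registered.keys() - observed.keys():  # on file, not seen
        findings.append((node, "not-observed", registered[node]["serial"]))
    return findings

def defect_metrics(findings):
    """Count deviations per kind: the process-defect metric for Management."""
    metrics = {}
    for _, kind, _ in findings:
        metrics[kind] = metrics.get(kind, 0) + 1
    return metrics
```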
Vulnerability Assessments, Certification, and Accreditation
Vulnerability Assessments (VA) will be performed on all applications in the SolMed Inventory, unless an exception/waiver is granted by the CIO and CFO. Subsequent VAs will be performed as requested (e.g. a request for a new application review), due to a security-related incident, or in support of a business process change or new enterprise initiative. Changes to the user population (internal vs. external) or data composition (Export Controlled, SolMed Proprietary, PIA…) require execution of a Vulnerability Assessment.
The VA will generally include the following:
- Network scan (internal and external)
- Host evaluation (hands-on or remote)
- Technical Q&A (processes, procedures, and risk awareness interviews)
- Modem scan (if it answers, are controls in place)
- Penetration test (from an intruder's viewpoint; what can be stolen or compromised)
Additionally, applications will be accessed by the assessor as a non-SolMed user would. The assessor will attempt to exercise every path that may lead to a vulnerability in the application that a non-SolMed user can exploit. Each menu item and menu option will be explored. Every icon and selectable area will be clicked on and navigated. Every item in pull-down menus will be investigated. Every box that allows free-form input will be tested with multiple allowed and illegal inputs. The assessor will be looking for the following:
- Ability to break out of the application and gain access to the server.
- Ability to gain a command prompt or special/elevated privileges on the server.
- Ability to access a Web browser (with no restrictions on URL).
- Ability to browse the network and/or file shares.
- Ability to browse the server shares and information.
- Ability to gain desktop access.
- Ability to read/write shares/folders that are not specifically authorized for the user.
- Ability to run applications not authorized for the user.
- Ability to create/run user executables on the server.
- Ability to access network assets not authorized for the user.
Perimeter Hardening and Monitoring
Perimeter hardware will receive a permanent installation of a host-based agent and will be reviewed periodically throughout the lifetime of the equipment. "Perimeter" for purposes of a vulnerability assessment is defined as "a device with connectivity to the Internet or a non-SolMed network or physical device". Wireless access points qualify for a perimeter designation.
- Installation of a suite of intrusion detection and configuration management clients with central reporting capabilities
- Permanent registration to a "manager" from which the software will be run periodically for the lifetime of the computing device
Remediation / VA Corrective Action
Discovery of any non-compliant situation requires documentation and correction or mitigation. When corrections cannot be implemented during the period the VA is conducted, a summary of those findings is sent to your SolMed Security Specialist (SSS) upon closure of the VA. Your SSS will work with the asset owners, service providers, and other appropriate personnel to prepare a non-compliance report. Depending on the severity of the non-compliant situation, an executive may be required to sign your non-compliance report before you may implement or maintain your configuration.
Accreditation
Following completion of a VA without findings, or following completion of remediation and Security team re-review of the application, an application for Accreditation shall be submitted to the CIO on behalf of the application's business and IT owners by the SolMed Security team. Accreditation status and accreditation approval date will be maintained as part of the hardware and application inventory detail by the SolMed Security Department.