System Certifications
Scope:

This document further refines the principles and concepts for SolMed Certification and Accreditation. The tactical intent is to provide policy, guidance, and authority, and to identify situations where enterprise oversight has been established. All SolMed Data Centers, Network Operations, Internal IT, and purchasing of software for use on SolMed computing equipment (and on non-SolMed computing equipment attached to the SolMed Network) are governed by this plan.


Policy Guidance:

External (outward-facing) computing portals shall be monitored and maintained with the highest level of attention to security, availability, and performance. Inbound and outbound traffic crossing the firewall to the Internet and other external destinations and sources represents a high tier of risk to the overall SolMed computing environment. Internal interfaces, the SolMed Intranet, and internal email present a secondary tier of risk to SolMed and, when outbound, are a special potential source of risk to our customers, partners, and others. These will also be monitored and maintained with a high level of attention.


All applications are subject to Security Certification and Vulnerability Remediation. Accreditation will be required for new applications and will be phased in for existing applications within the next 12 months.


Inventory and Licensing

Hardware and software are both elements of the IT infrastructure enforcement points. Components of both the physical layer (hardware) and the application layer (software, including operating systems, utility suites, and business applications) will be evaluated and monitored for security vulnerabilities.


All hardware installed on any portion of the SolMed Network will be registered with the Security Department, including: equipment manufacturer, hardware serial number, IP address, node (name) identification, loadable software, and software version. Maintenance contracts and permitted maintenance access to equipment must be authorized by the SolMed Security Department. Direct access via embedded modems to network-installed equipment requires executive exception authorization.


All applications requiring a license for use (e.g. Microsoft Windows, MS Office, Oracle, UNIX, financial application suite, virus protection, encryption, SSL/tunneling, etc.) must be registered with the SolMed Security Department. Product name, software supplier, serial number, software version, license certificate, license expiration date, and IP address of the installation point must be recorded. Software not requiring a license for use, including certified tools (e.g. Spybot), must also be registered with SolMed Security. Non-certified, non-licensed software requires executive exception authorization.


Periodic Inventory Certification

Annual hardware inventory updates to the Security Department will be performed coincident with the Capital Asset Inventory. Metrics for unreported changes reconciled during the inventory will be reported to Management as process defects.


An annual software inventory will be performed on at least 20% of end-user computing equipment, generally over the network via privileged direct access to PCs, Macs, and other workstations. Validation of enterprise server software configurations will be performed unannounced, at least quarterly, at random across all Data Center managed equipment. Metrics for unreported deviations from the recorded software products and versions reconciled during the inventory will be reported to Management as process defects.
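
The registration fields above and the annual reconciliation they feed, as an added illustration (not SolMed's own tooling, which the document does not describe): a minimal registry plus a check that flags unregistered equipment, unregistered software lacking an executive exception, version deviations, and expired licenses, with per-type counts of the kind reported to Management as process defects. Record layouts and sample data are constructed; the license record carries only a subset of the required fields.

```python
from dataclasses import dataclass, field
from datetime import date
@dataclass
class HardwareRecord:  # hardware registration fields from the policy above
    manufacturer: str
    serial: str
    ip: str
    node: str
    software: dict = field(default_factory=dict)  # product -> registered version
@dataclass
class LicenseRecord:   # software registration fields (supplier, certificate omitted)
    product: str
    version: str
    expires: date
    install_ip: str
def reconcile(registry, licenses, observed, today, exceptions=frozenset()):
    """observed maps ip -> {product: version} as found during inventory;
    exceptions holds (ip, product) pairs covered by an executive exception."""
    defects = {"unregistered_host": [], "unregistered_product": [],
               "version_deviation": [], "expired_license": []}
    by_ip = {r.ip: r for r in registry}
    lic = {(l.product, l.install_ip): l for l in licenses}
    for ip, installed in observed.items():
        rec = by_ip.get(ip)
        if rec is None:                      # equipment never registered
            defects["unregistered_host"].append(ip)
            continue
        for product, version in installed.items():
            if product not in rec.software:  # software never registered
                if (ip, product) not in exceptions:
                    defects["unregistered_product"].append((ip, product))
                continue
            if rec.software[product] != version:
                defects["version_deviation"].append((ip, product, rec.software[product], version))
            lc = lic.get((product, ip))
            if lc is not None and lc.expires < today:
                defects["expired_license"].append((ip, product, lc.expires.isoformat()))
    return defects
def defect_metrics(defects):  # counts per defect type, as reported to Management
    return {kind: len(items) for kind, items in defects.items()}

# Constructed sample records (not real SolMed data).
REGISTRY = [HardwareRecord("Dell", "SN-0001", "10.0.0.10", "fin-app-01",
                           {"Oracle": "10g", "Virus Protection": "8.1"}),
            HardwareRecord("HP", "SN-0002", "10.0.0.11", "web-01", {"Apache": "2.2"})]
LICENSES = [LicenseRecord("Oracle", "10g", date(2007, 1, 31), "10.0.0.10")]
OBSERVED = {"10.0.0.10": {"Oracle": "10g", "Virus Protection": "8.3"},
            "10.0.0.11": {"Apache": "2.2", "Spybot": "1.4"},
            "10.0.0.12": {"MS Office": "2003"}}
DEFECTS = reconcile(REGISTRY, LICENSES, OBSERVED, date(2007, 6, 1))
```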


Vulnerability Assessments, Certification, and Accreditation

Vulnerability Assessments (VA) will be performed on all applications in the SolMed Inventory unless an exception or waiver is granted by the CIO and CFO. Subsequent VAs will be performed as requested (e.g. a request for a new application review), following a security-related incident, or in support of a business process change or new enterprise initiative. Changes to the user population (internal vs. external) or to data composition (Export Controlled, SolMed Proprietary, PIA…) require execution of a Vulnerability Assessment.


The VA will generally include the following:

  1. Network scan (internal and external)

  2. Host evaluation (hands-on or remote)

  3. Technical Q&A (Processes, Procedures, &  Risk Awareness Interviews)

  4. Modem scan (if it answers, are controls in place)

  5. Penetration test (from intruder’s viewpoint; what can be stolen or compromised)

Additionally, the assessor will access applications as a non-SolMed user would, and will attempt to exercise every path through which a non-SolMed user could reach a vulnerability in the application. Each menu item and menu option will be explored. Every icon and selectable area will be clicked on and navigated. Every item in pull-down menus will be investigated. Every box that allows free-form input will be tested with multiple allowed and illegal inputs. The assessor will be looking for the following:

  1. Ability to break out of the application and gain access to the server

  2. Ability to gain a command prompt or special/elevated privileges on the server

  3. Ability to access a Web browser (with no restrictions on URL)

  4. Ability to browse the network and/or file shares

  5. Ability to browse the server shares and information

  6. Ability to gain desktop access

  7. Ability to read/write shares/folders that are not specifically authorized for the user

  8. Ability to run applications not authorized for the user

  9. Ability to create/run user executables on the server

  10. Ability to access network assets not authorized for the user

Perimeter Hardening and Monitoring

Perimeter hardware will receive a permanent installation of a host-based agent and will be reviewed periodically throughout the lifetime of the equipment. ‘Perimeter’, for purposes of a vulnerability assessment, is defined as “a device with connectivity to the Internet or to a non-SolMed network or physical device”. Wireless access points qualify for perimeter designation. The permanent installation consists of:

  • Installation of a suite of intrusion detection and configuration management clients with central reporting capabilities

  • Permanent registration with the “manager” from which the software will be run periodically for the lifetime of the computing device

Remediation / VA Corrective Action

Discovery of any non-compliant situation requires documentation and correction or mitigation. When corrections cannot be implemented during the period in which the VA is conducted, a summary of those findings is sent to your SolMed Security Specialist (SSS) upon closure of the VA. Your SSS will work with the asset owners, service providers, and other appropriate personnel to prepare a non-compliance report. Depending on the severity of the non-compliant situation, an executive may be required to sign your non-compliance report before you may implement or maintain your configuration.


Accreditation

Following completion of a VA without findings, or following completion of remediation and Security team re-review of the application, the application for Accreditation shall be submitted to the CIO by the SolMed Security team on behalf of the application's business and IT owners. Accreditation status and accreditation approval date will be maintained as part of the hardware and application inventory detail by the SolMed Security Department.


© 2007 CMU/Boeing Class - all rights reserved