NOTICE TO ALL PROSPECTIVE RESPONDENTS RFP 18-ITSS/CY. Addendum No. 1 issued September 7, RFI responses are in red bold print

Transcription

1 DEDICATED TO THE HEALTH OF OUR COMMUNITY NOTICE TO ALL PROSPECTIVE RESPONDENTS RFP 18-ITSS/CY Addendum No. 1 issued September 7, 2018 RFI responses are in red bold print How many public IP addresses will need to be scanned/monitored? 92 Public IPs How many private IP addresses will be need to be scanned/monitored? 1700 Private IPs How many servers will need to be scanned/monitored? 250 Servers How many applications will need to be scanned/assessed/monitored? Two How many login systems are to be assessed? Most applications are Active Directory Integrated Please provide an estimate of how many static and dynamic pages are within scope of the assessment? We cannot disclose at this time. Will application source code or documentation be available to tester? No How many network devices will need to be scanned/assessed/monitored? 100 Network Devices and 131 APs Will load-balancers, IDS, IPS, and WAF, be in line with the elements that need to be assessed? If so please identify device and type of device. Yes, however we cannot disclose at this time. Do you wish us to perform a credentialed assessment or a non-credentialed assessment? Non-credentialed assessment Do you want Fuzzing performed against the server infrastructure? No Do you wish role based testing performed against the applications? No Do you wish us to perform a credentialed scan against web applications? No Do you wish us to attempt to escalate privilege should we gain entry to a system/application? Yes Do you wish us to pivot exploits for further penetration as we escalate privilege? Yes Does the Health Care District of Palm Beach County have a SIEM? If so what model/brand of SIEM? Health Care District of Palm Beach County does have a local SIEM but a Hosted SIEM solution is within scope for this RFP

2 Is management or co-management of the SIEM in scope of the RFP? Yes Can you offer details of what you re looking for in the OCR Audit simulation? OCR Mock Audit service is engineered to simulate the actual experience of a random audit conducted by the Office of Civil Rights (OCR), and is administered with the same strict approach and document requests as OCR to ensure audit readiness. Do you have a preference to Onsite or Online Security Awareness training or would you like to see options for both? Online Security Awareness training How many SSID s in the wireless network? Eleven (11) How many buildings and how far apart are they? We have multiple locations within Palm Beach County. From our headquarters can be a distance of 10 minutes to 1 hour driving distance. What type of encryption is used on the wireless network(s)? We used the latest and more secure encryption according to best practices. What is the estimated square footage of the wireless coverage? We have multiple locations within Palm Beach County all sites have their own wireless networks. Will we be required to enumerate rogue devices? Yes Will we be assessing wireless attacks against wireless clients? If so how roughly how many clients? Yes only for Wireless penetration test. Couple clients will be sufficient Has Palm Beach HCD ever had a Risk Assessment or audit performed before this RFP? Yes Has Palm Beach HCD ever experienced an information breach? If so, how many annually? We cannot disclose at this time. How many QH locations are within scope of the risk assessment and gap analysis audit? One How many IT locations are within scope of the risk assessment and gap analysis audit? Two How many data center locations are within scope of the risk assessment and gap analysis audit? Three How many customer care (call) centers are within scope of the risk assessment and gap analysis audit? One How many satellite offices are within scope of the risk assessment and gap analysis audit and are they all of a common network footprint and physical configuration? We have around 15 locations with common network footprint and physical configuration Does Palm Beach HCD contract with any third parties that provide services that require access to sensitive data? If yes, how many? Yes, however we cannot disclose at this time. Page 2 of 8

3 Does Palm Beach HCD develop applications that store, transmit, or manage sensitive data? If so, how many? Yes, One application Do you presently have a reasonable complete set of documented policies and procedures that addresses your required compliance standards? Yes Has an internal discovery process ever been performed to identify Palm Beach HCD sensitive data at rest or to determine sensitive data paths? Yes To your knowledge, do you consider your network appropriately segmented? We cannot disclose at this time. Are there any databases in scope of the risk assessment and gap analysis audit? If so, what kind and how many? Yes To your knowledge, when sensitive data is at rest, is it encrypted? We cannot disclose at this time. During the Risk Assessment and/or audit, how many individuals (i.e., information security stakeholders) will be required to be interviewed? As many as it takes to perform a successful risk assessment. Is English going to be the primary language or will a bilingual resource be required? Yes, English How many firewalls, and other network devices are within the scope of review? Four firewalls How many configuration rules are within each of these (on the average)? We cannot disclose at this time. Are there multiple brands of firewalls and if so what are they? One brand Does Palm Beach HCD require onsite assistance for incident response or remote assistance only? Onsite and remote depending on the incident On the average, how many and what kind of devices (i.e., servers, workstations, databases, firewalls, routers, IPS/IDS systems, and other devices relevant to this effort) are required to be monitored? All network devices are in scope Will Palm Beach HCD require outsourcing of network device management? If so, please specify roughly they type of device and how many? No Does Palm Beach HCD have a ticketing system we are required to use? If so, please name it. No How many locations are included within the SOC as a service offering? All Locations How many end users are within Palm Beach HCD? 1350 users Page 3 of 8

4 How id security awareness training performed presently? Online training How many courses are presently required to meet present compliance standards? 6 Courses What topics will the security awareness be required to encompass (i.e., compliance, phishing, malware, developer best practices, sensitive information handling, etc.)? Compliance, phishing, malware, sensitive information handling, ransomware. Are there any internal legal requirements particular to Palm Beach HCD that need to be included in the training? If so, what are they? No Is this training required to be remote, hosted, Onsight, etc.? Which is required? Hosted Will testing, and tracking of attendance and test scoring be required? Yes Primary location of back-office staff and operations? West Palm Beach, FL Do you currently have a Risk Management program in place? Yes How many employees are dedicated to Compliance and Security? We cannot disclose at this time. What is the primary EMR or system of record for HIPAA covered data? Medhost, Athena Health, Matrix Care, McKesson Can you provide a brief overview of the IT environment and architecture? Centrally located? All on-premises? Hybrid Cloud? We cannot disclose at this time. Are mobile devices used in the environment? Yes Briefly describe your business with regard to storing, processing and transmitting credit card data, including a description of each acceptance channel. We cannot disclose at this time. Number of individuals in your IT department(s)? 40 Number of servers in your Cardholder Data Environment (CHE), keeping in mind that if there is no network segmentation, the entire enterprise comprises the CHE. We cannot disclose at this time. Number and types of platforms in the CHE? We cannot disclose at this time. How many authentication mechanisms are in scope? Duplicate Number of distinct POS applications? Two Number of applications that store process or transmit Cardholder Data (CHD) (and how many of these are custom code)? Two Page 4 of 8

5 Number and types of databases that store process or transmit CHD? We cannot disclose at this time. Number and types of encryption solutions for data at rest? We cannot disclose at this time. Have you completed a Self-Assessment Questionnaire and / or gap assessment? If so when? Yes. Current Are there any wireless systems that are used to either store, process or transmit CHD or that are connected to networks that do? We cannot disclose at this time. Are data centers internally managed or hosted at a PCI compliant data center? We cannot disclose at this time. Number of call centers that work with CHD (if applicable? 1 Number and type outsourced functions within IT? We cannot disclose at this time. Have quarterly Approved Scanning Vendor (ASV) scans been completed? Yes Are you in need on Penetration Testing services? Yes Do you currently complete any other type of third-party assessments / audits (SOC 1, SOC 2, HIPAA, ISO 27001, etc.)? Yes Are all the locations connected to a single data center where we can collect the logs of all the locations? No Do you have a logger or SIEM at your infrastructure? If yes, please provide details. Health Care District of Palm Beach County does have a local SIEM but a Hosted SIEM solution is within scope for this RFP Do you have NetFlow enabled? If yes, what is the flow per second (FPS)? No Do you have proxy enabled? If yes, what is the proxy event per second (EPS) or proxy event per day (EPD) or proxy log GB size per day? No Do you have web filtering enabled? Yes Do you have endpoint protection solution? If yes, does it have a centralized console to collect the logs of all the locations? Yes Do you require us to maintain the logs for more than one month in the cloud for any compliance purpose? We will do online log retention in the cloud for one month and offline retention for 2 months. Please share any specific log retention requirements for compliance? 6 months archive Page 5 of 8

6 Do business applications need to monitor for application level security? If yes, how many? Any compliance requirements such as PCI, HIPAA? Yes, Four Please indicate whether you would like us to test the web applications also as part of this test. Yes Are all the IP addresses mentioned accessible from a single location or do we have to travel to each location to perform the test? Yes, accessible from a single location Is sampling allowed? No Where does remediation fits into your processes? Remediation are completed by HCD IT Teams Platform type (PIX, Checkpoint, JUNOS, Netscreen, ASA, GB, Other) Number of rules; Please provide us with a copy of the rules that are running on your firewall(s). We cannot disclose at this time. Periodicity of training Annual/Half-yearly/Quarterly Quarterly Is the expectation limited to monthly reviews - Yes What has been done to date on this effort? Hosted SOC is implemented What entity or vendor is currently providing services to the District similar to the services described in the RFP? We cannot disclose at this time. Is there a budget for this initiative? Yes Can you share the budget for this initiative? No Are any of these projects new initiatives or are all activities currently being performed? Currently being performed. Can services under this contract be provided by remote resources (resources outside commuting distance to the District)? Yes Are we able to submit more than 3 references? Yes Is it a requirement that our Florida reference be a healthcare client? Preferred What is the estimated level of effort in FTEs for the SOC as a Service requirement? 24x7x365 monitoring Does the SOC already exist or does it need to be built? Hosted SOC need to be built How is the SOC as a Service work being done now? HCD has console access through the hosted environment Page 6 of 8

7 What tools are being used to operate the SOC and is there a preference on the tools we use? SOC is hosted provided by Vendor What security standards need to be met? HIPAA/HITECH/PCI Approximately, how many different firewall configurations and network diagrams will need to be reviewed? We cannot disclose at this time. What work is expected to be completed as part of continued maintenance of the program? Work with IT and Compliance department to improve the program with recommended remediation plans. Is there a preference between on-site and on-line training? On-line training Have policies and procedures ever been assessed with respect to HITRUST compliance? Yes Approximately, how many policies and procedures need to be reviewed or developed? All Can monthly meetings be conducted via teleconference? Yes Have you prioritized how these projects will be rolled out and which initiatives will take precedent? Yes Do you currently leverage LDAP, AD, and DHCP? Who are the providers for those solutions? Yes, Microsoft What types of networks will be targeted during this engagement? Internal or External? Both If Internal, is the target network accessible from a single location? Yes If the assessment is to be performed remotely, how will Rapid7 access the targeted networks? (e.g. Targets accessible via Internet, VPN, PTK (see bottom of this document for PTK details), or Other please describe) VPN Are there any unique requirements to gain access to the target network? Examples: A hardware token, ACLs, Ethernet MAC address registration, VPN registration, etc. Please explain. ACLs, VPN registration Will an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) be deployed within the targeted environments? Yes If an IDS/IPS is deployed, can it be configured to ignore traffic from vendor during the course of testing, as IPS/IDS systems can often dramatically slow testing efforts? Yes Will vendor consultants be able to utilize their own systems and tools during testing? If no, explain Yes. Page 7 of 8

8 Will vendor be provided with credentials to domains or hosts within the testing environment? If yes, specify the accounts and roles provided. No Will vendor be provided with any documentation about the target environment? If yes, specify what documentation will be provided. No Are any in-scope assets hosted by third parties? If yes, provide details. No Will vendor be required to produce a client-facing document for third-party distribution? No Please explain annually. Are you looking for a partner to perform this work multiple years concurrently as part of this agreement? If so, how many years are you looking for? 1 year with option to extend yearly Are you looking for a line by line audit of the configuration, or the development of standards for current and future deployments? Yes Is there an established program in place today or is this net new? Yes there is an established program Are you looking for a partner to outsource this function to? Specifically the verbiage throughout the year Yes What locations are included for the Wireless Pen Test? All Locations with wireless networks Please describe the goal/focus of the Network Architecture Review. Is this for evaluation of the Network Security Architecture? Can you provide any further details generally regarding the size of the network/locations? Yes it is for Network Security Architecture and best practice. All locations are within Palm Beach County Exhibit C suggests you are looking for management services of your existing firewalls is this correct? If so, please provide the number of Firepower firewalls and the number of ASA firewalls. Please list which are standalone vs HA pairs. No management services of existing firewalls. Firewall Rules Best Practices and Network Arch Review only I acknowledge receipt of Addendum No. 1 to RFP 18-ITSS/CY, dated 9/7/2018. (Name of Company) (Authorized Representative s Name) (Dated Signature) Page 8 of 8