copy of ssp controls questionnaires_master 7-2 (2)
TRANSCRIPT
CMS Control Description | Questions | Contact for Info. | Responses / Comments
The organization prohibits the use of Voice over Internet Protocol (VoIP)
technologies, unless explicitly authorized, in writing, by the CIO or his/her
designated representative. If authorized, the organization:
a. Establishes usage restrictions and implementation guidance for VoIP
technologies based on the potential to cause damage to the information
system if used maliciously; and
b. Authorizes, monitors, and controls the use of VoIP within the information
system.
1. Does the organization use any type of VoIP service?
2. What restrictions are in place for use of the VoIP service?
3. Is there an authorization procedure for allowing use of the VoIP service?
4. Does the security team monitor use of the VoIP service?
DoIT - Security No information yet
Controls shall be implemented to protect ACA sensitive information (such
as PHI, PII or Privacy Act protected information) that is sent via email.
Implementation Standard(s)
1. Prior to sending an email, place all ACA sensitive information in an
encrypted attachment.
1. What are the guidelines for encrypting ACA sensitive information (e.g. PII,
PHI, etc.)?
2. Are all attachments sent via email encrypted if they contain sensitive
information?
3. Is there any automated mechanism to encrypt the attachments
automatically?
DoIT - Security No information yet
1. The information system provides additional data origin and integrity
artifacts along with the authoritative data the system returns in response to
name/address resolution queries.
1. Are any data origin and integrity artifacts provided along with the DNS
service?
For example, does the information system sign its authoritative zone data
(DNSSEC digital signatures) so that resolvers can verify the origin and
integrity of the resource records returned as authoritative data?
GSS No information yet
2. The information system, when operating as part of a distributed,
hierarchical namespace, provides the means to indicate the security status
of child subspaces and (if the child supports secure resolution services)
enable verification of a chain of trust among parent and child domains.
Does the organization publish delegation signer (DS) resource records in the
DNS in order to indicate the security status of child subspaces and allow
verification of the chain of trust between parent and child domains?
GSS No information yet
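The following is an added example, not part of the questionnaire and not code from any DoIT or GSS system. It shows the check an assessor can run to confirm that a DS record in the parent zone actually corresponds to the child zone's DNSKEY, which is what makes the chain of trust asked about above verifiable: it implements the DS digest (RFC 4034 section 5.1.4) and key tag (RFC 4034 Appendix B) computations. The zone name `child.example.` and the DNSKEY bytes are constructed placeholders rather than a real key, and the `make_ds` helper stands in for fetching the DS record from the parent zone.

```python
"""Verify that a parent zone's DS record corresponds to a child zone's DNSKEY.

Added example (not from the questionnaire or any DoIT/GSS system). The zone
name and DNSKEY bytes below are constructed placeholders; a real check would
take the DNSKEY RDATA from the child zone and the DS RDATA from the parent.
Computations follow RFC 4034 section 5.1.4 (DS digest) and Appendix B (key tag).
"""
import hashlib
import struct

# DS digest type codes (IANA DS RR digest algorithm registry).
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
_DIGESTS = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased labels, each prefixed
    by its length, terminated by the zero-length root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (non RSA/MD5 keys)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if (i & 1) else (byte << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = DIGEST_SHA256) -> bytes:
    """DS digest = H(canonical owner name || DNSKEY RDATA)."""
    return _DIGESTS[digest_type](owner_name_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = DIGEST_SHA256) -> tuple:
    """Build the DS RDATA tuple (key tag, algorithm, digest type, digest hex) that a
    parent zone should publish for this DNSKEY. Stands in for a lookup at the parent."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type).hex())


def ds_matches(owner: str, child_rdata: bytes, parent_ds: tuple) -> bool:
    """True only if the parent's DS agrees with the child's DNSKEY in every field.
    A mismatch means the delegation is not verifiable (bogus or stale DS)."""
    tag, alg, dtype, digest_hex = parent_ds
    if dtype not in _DIGESTS:  # unknown digest type: cannot verify
        return False
    if alg != child_rdata[3] or tag != key_tag(child_rdata):
        return False
    return ds_digest(owner, child_rdata, dtype).hex() == digest_hex.lower()


# Constructed placeholders: a KSK (flags 257 = zone key + SEP), algorithm 13
# (ECDSA P-256), with a dummy 4-byte "public key". Not a usable key.
CHILD_ZONE = "child.example."
CHILD_KEY = dnskey_rdata(flags=257, protocol=3, algorithm=13, pubkey=b"\x01\x02\x03\x04")
TAMPERED_KEY = dnskey_rdata(flags=257, protocol=3, algorithm=13, pubkey=b"\x01\x02\x03\x05")

if __name__ == "__main__":
    parent_ds = make_ds(CHILD_ZONE, CHILD_KEY)
    print("DS published by parent:", parent_ds)
    print("genuine DNSKEY matches DS:", ds_matches(CHILD_ZONE, CHILD_KEY, parent_ds))
    print("altered DNSKEY matches DS:", ds_matches(CHILD_ZONE, TAMPERED_KEY, parent_ds))
```

A single altered key byte changes both the key tag and the digest, so the check fails closed; an unknown digest type is also treated as unverifiable rather than accepted. When run against real zones, the DS comes from the parent and the DNSKEY from the child, and only a match on all four fields indicates a secure delegation.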
The information systems that collectively provide name/address resolution
service for an organization are fault-tolerant and implement internal/external
role separation.
1. How many DNS servers support New HEIGHTS, NH EASY and the Mainframe?
2. How are the DNS servers configured? Is there a backup in case the
primary server fails?
3. Could you describe the high-level architecture of these DNS server(s)? For
example: network subnets, geographical locations, internal/external roles, and
whether the clients that can access each DNS server are restricted by the
organization.
GSS No information yet
2. (PII) When sending or receiving faxes containing PII:
(i) fax machines must be located in a locked room with a trusted staff
member having custodial coverage over outgoing and incoming
transmissions or fax machines must be located in a secured area;
(ii) accurate broadcast lists and other preset numbers of frequent fax
recipients must be maintained; and
(iii) a cover sheet must be used that explicitly provides guidance to the
recipient that includes: a notification of the sensitivity of the data and the
need for protection, and a notice to unintended recipients to telephone the
sender (collect if necessary) to report the disclosure and confirm
destruction of the information.
Are the guidelines provided by the control followed?
Milenda Cox No information yet
1. The information system denies access to all proxies except for those
hosts, ports and services that are explicitly required
1. Are the ports, hosts and services restricted on the mainframe?
2. Is there a list of allowed ports/hosts/services which could access the
mainframe?
3. The document "Ports-services-authorized-list.pdf" is blank because access
to it is restricted by DoIT. Will this document potentially cover this control
requirement?
DoIT - NetOps No information yet
SC-7(3) – The organization limits the number of access points to the
information system (e.g., prohibiting desktop modems) to allow for more
comprehensive monitoring of inbound and outbound communications and
network traffic.
1. Is there any measure implemented, such as the Trusted Internet
Connection (TIC), to limit the number of access points?
- All agencies should maintain up-to-date inventories of their external
connections, including service provider, cost, location, capacity, and traffic
volumes throughout the TIC Initiative.
- Plan to reduce the number of access points
- Steps taken to reduce them
2. What are the various access points to the organization?
3. Are there any other measures to restrict the number of access points?
DoIT - NetOps No information yet
SC-7(4) – Enhancement (Moderate): The organization:
(a) Implements a managed interface for each external telecommunication
service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Employs security controls as needed to protect the confidentiality and
integrity of the information being transmitted;
(d) Documents each exception to the traffic flow policy with a supporting
mission/business need and duration of that need;
(e) Reviews exceptions to the traffic flow policy within every three hundred
sixty-five (365) days; and
(f) Removes traffic flow policy exceptions that are no longer supported by an
explicit mission/business need.
1. Is there a traffic flow policy defined?
2. Are there traffic flow charts/diagrams/configurations?
3. Are traffic flow exceptions defined, recorded, reviewed, and revoked within
a predetermined timeframe?
4. On which devices is the traffic flow policy implemented?
DoIT - NetOps No information yet
5. The information system at managed interfaces, denies network traffic by
default and allows network traffic by exception (i.e., deny all, permit by
exception).
1. What are the policy and configurations for the routers, switches,
firewalls, etc. ?
2. Do they follow a deny-all policy?
3. Is there a list of ports/devices allowed access to the network?
(TIE TO PREVIOUS QUESTION)
DoIT - NetOps No information yet
System and Communications Protection (SC)
7. In the event of an operational failure of the boundary protection
mechanism, the information system prevents the unauthorized release of
information outside of the information system boundary or any unauthorized
communication through the boundary
1. Are there any mechanisms implemented in the network that would stop
the flow of information in case critical boundary protection mechanisms
fail?
For example, if the firewall at the outer perimeter of the DMZ fails, does
the system stop accepting new external connections rather than passing
traffic unfiltered?
DoIT - NetOps No information yet
8. The information system prevents remote devices that have established a
non-remote connection with the system from communicating outside of that
communications path with resources in external networks.
1. What type of remote connection is provided?
2. How are remote systems prevented from making connections outside of
the established pathway?
For example, is split tunneling prevented when VPN connections are
implemented?
DoIT - NetOps No information yet
The organization prohibits running collaborative computing mechanisms,
unless explicitly authorized, in writing, by the CIO or his/her designated
representative. If authorized, the authorization shall specifically identify
allowed mechanisms, allowed purpose, and the information system upon
which the mechanisms can be used. The information system:
a. Prohibits remote activation of collaborative computing devices; and
b. Provides an explicit indication of use to users physically present at the
devices.
SC-15(1) – Enhancement: If collaborative computing is authorized, the
information system provides physical disconnect of collaborative computing
devices in a manner that supports ease of use.
Are collaborative computing mechanisms allowed?
Collaborative mechanisms include: networked white boards, cameras, and
microphones. Need to validate this control from interviews.
DoIT - NetOps No information yet
The information system protects against or limits the effects of the following
types of denial of service attacks defined on the following sites or in the
following documents:
- SANS Organization www.sans.org/dosstep;
- SANS Organization's Roadmap to Defeating DDoS
www.sans.org/dosstep/roadmap.php; and
- NIST CVE List http://checklists.nist.gov/home.cfm.
1. Are there any mechanisms implemented to mitigate DoS attacks? E.g.
firewalls, routers, blackholing, etc.
2. What is the maximum number of concurrent sessions that NH Easy can handle?
3. What are the countermeasures for mitigating DoS attacks against the
Mainframe? Could the Mainframe be attacked (say, via the web server
residing on it)?
DoIT - WebOps No information yet
2. The information system utilizes stateful inspection/application firewall
hardware and software
1. The APD document states that the DoIT group will be implementing
firewalls for the NH Easy application. However, the type of firewall to be
used is not defined.
2. Does the organization currently use stateful inspection or application-layer
firewalls for the applications/systems in scope?
DoIT - WebOps No information yet
3. The information system utilizes firewalls from at least two (2) different
vendors at the various levels within the network to reduce the possibility of
compromising the entire network.
1. What firewalls are currently implemented? Cisco, Juniper, etc.
2. Are they at separate levels within the network? For example, one before
the DMZ and another behind it.
3. The APD document states that the DoIT group will be implementing
firewalls for the NH Easy application. However, the type of firewall to be
used is not defined.
DoIT - WebOps No information yet
6. Publicly accessible (i.e., public web server) information system
components are physically allocated to separate subnetworks with separate
physical network interfaces (i.e., a DMZ).
1. The APD document says that "the proxy server in the DMZ will provide
the security for the online NH EASY application".
2. However, per the prior assessment, no DMZ has been created.
- What is the current status of development of a DMZ?
- Are there any other mechanisms in place to separate publicly accessible
information system components?
DoIT - WebOps No information yet
The organization includes the following requirements and/or specifications,
explicitly or by reference, in information system acquisition contracts based on
an assessment of risk and in accordance with applicable federal laws, Executive
Orders, directives, policies, regulations, and standards:
a. Security functional requirements/specifications;
b. Security-related documentation requirements; and
c. Developmental and evaluation-related assurance requirements.
a. Do the contracts/agreements for acquisition of software/services include
security requirements? Are the items below provided in the
agreements:
i. Security functional requirements/specifications;
ii. Security-related documentation requirements; and
iii. Developmental and evaluation-related assurance requirements.
TSG Information received
The organization requires in acquisition documents that vendors/contractors
provide information describing the functional properties of the security controls
to be employed within the information system, information system components,
or information system services in sufficient detail to permit analysis and testing
of the controls.
a. Do the vendors/contractors provide details of the security
controls to be implemented within the information system?
TSG No information yet
The organization ensures that each information system component acquired is
explicitly assigned to an information system, and that the owner of the system
acknowledges this assignment.
b. Are information system components mapped and explicitly
assigned to an information system? E.g. memory devices to be
assigned to mainframe
TSG Information received
The organization maintains an updated list of related system operations and
security documentation
a. Do you have system operations and security documentation
developed for the Mainframe? E.g. FRDs, TRDs, flowcharts,
configuration settings, other functional/technical documents, etc.
TSG Information received
The organization updates documentation upon changes in system functions and
processes. Must include date and version number on all formal system
documentation.
b. Are system changes / upgrades reflected in the system
documentation?
c. Are updates to such documentation tracked with versioning?
TSG Information received
The organization:
a. Requires that providers of external information system services comply with
organizational information security requirements and employ appropriate
security controls in accordance with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and
responsibilities with regard to external information system services;
a. How are security requirements communicated to the external
providers?
b. Are the vendors required to follow the State's security policies,
or at least to meet equivalent security requirements?
c. Are government oversight requirements clearly defined and
communicated to the external provider?
d. Are user roles and responsibilities documented and
communicated to the external provider?
TSG No information yet
The organization monitors security control compliance by external service
providers.
c. How is the vendor's security posture monitored, and how is it verified
that they are actually applying the controls?
TSG No information yet
The organization prohibits service providers from outsourcing any system
function outside the U.S. or its territories.
d. Is there any explicit prohibition on outsourcing functions/data
outside of the U.S.?
TSG No information yet
The organization:
a. Uses software and associated documentation in accordance with contract
agreements and copyright laws;
b. Employs tracking systems for software and associated documentation
protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to
ensure that this capability is not used for the unauthorized distribution, display,
performance, or reproduction of copyrighted work.
a. Are software and associated documentation used in accordance
with contract agreements and copyright laws?
b. Is there any tracking system to ensure that software and
associated documentation protected by quantity licenses are
not copied and distributed?
TSG / Desktop Admins Group Information received
1. The organization prohibits users from downloading or installing software,
unless explicitly authorized, in writing, by the CIO or his/her designated
representative. If authorized, explicit rules govern the installation of software by
users.
2. If user installed software is authorized, ensure that business rules and
technical controls enforce the documented authorizations and prohibitions.
c. Can users install any software on their own, for example from the
internet or via a CD drive? Are there any exceptions to this rule?
TSG / Desktop Admins Group Information received
System and Services Acquisition (SA)
The information system uniquely identifies and authenticates organizational
users
Does the help desk require user identification for any transaction that has
information security implications?
DoIT - NetOps
The organization manages information system authenticators for users and
devices by:
a. Verifying, as part of the initial authenticator distribution, the identity of the
individual and/or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the
organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their
intended use;
d. Establishing and implementing administrative procedures for initial
authenticator distribution, for lost/compromised or damaged authenticators, and
for revoking authenticators;
e. Changing default content of authenticators upon information system
installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions
for authenticators (if appropriate);
g. Changing/refreshing password authenticators as defined in IA-5(1);
h. Protecting authenticator content from unauthorized disclosure and
modification; and
i. Requiring users to take, and having devices implement, specific measures to
safeguard authenticators.
Is there any documentation for authenticator management? Is there any
automated process for authenticator management?
TSG
The information system uses mechanisms for authentication to a cryptographic
module that meet the requirements of applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance for such authentication.
Is there any documentation for the cryptographic module?
TSG
The information system uniquely identifies and authenticates non-organizational
users
What is the procedure by which the information system uniquely identifies and
authenticates non-organizational users?
TSG
The information system uniquely identifies and authenticates organizational
users
Are processes uniquely identified in the system?
How are processes uniquely identified?
Password Management
Need information on how the initial password is distributed to the user.
What is the password policy for New HEIGHTS?
Does the organization encrypt passwords in storage and in transmission?
Identification and Authentication (IA)
CP-8 – Telecommunications Services
Are alternate telecommunications services in place, including the necessary
agreements, to permit resumption of information system operations for
essential missions and business functions within the required resumption
time period?
DoIT - NetOps / GSS
Contingency Planning (CP)
IR – 2 Incident Response Training
Does the organization train personnel in their incident response roles and
responsibilities with respect to the New Heights information system, i.e., training
users to identify and report suspicious activity from both external and internal
sources?
TSG
IR – 2 Incident Response Training Which team is responsible for training the users? TSG
IR – 2 Incident Response Training How often do they train the users? TSG
IR – 2 Incident Response Training Is there a training document? TSG
IR – 2 Incident Response Training What kind of training is provided? Is it simulation-based or classroom training? TSG
For how long are closed incident cases retained in the system?
Incident Response (IR)
CMS Control Description
Develops and keeps current a list of personnel with authorized access to the facility
where the information system resides.
Reviews and approves the access list and authorization credentials every 180 days,
and removes from the access list personnel no longer requiring access.
Creates a restricted area, security room, or locked room to control access to areas
containing PII.
Enforces physical access authorizations for all physical access points (including
designated entry/exit points) to the facility where the information system resides.
Inventories physical access devices within every three hundred sixty-five (365)
days.
The organization controls physical access to information system distribution and
transmission lines within organizational facilities.
The organization controls physical access to information system output devices to
prevent unauthorized individuals from obtaining the output.
Monitors physical access to the information system to detect and respond to
physical security incidents
The organization controls physical access to the information system by
authenticating visitors before authorizing access to the facility where the
information system resides other than areas designated as publicly accessible.
The organization controls physical access to the information system by
authenticating visitors before authorizing access to the facility where the
information system resides
Physical and Environmental (PE)
The organization protects power equipment and power cabling for the information
system from damage and destruction
The organization provides the capability of shutting off power to the information system
or individual system components in emergency situations.
The organization provides a short-term uninterruptible power supply to facilitate an
orderly shutdown of the information system in the event of a primary power source
loss
The organization employs and maintains fire suppression and detection
devices/systems for the information system that are supported by an independent
energy source.
The organization maintains temperature and humidity levels within the facility where the
information system resides within acceptable vendor-recommended levels.
The organization protects the information system from damage resulting from
water leakage by providing master shutoff valves that are accessible, working
properly, and known to key personnel
The organization authorizes, monitors, and controls the flow of information system-
related components entering and exiting the facility and maintains records of those
items.
The organization employs appropriate security controls at alternate work sites, including but
not limited to laptop cable locks, recording serial numbers and other identification
information about laptops, and disconnecting modems.
The organization positions information system components within the facility to
minimize potential damage from physical and environmental hazards and to
minimize the opportunity for unauthorized access
The organization protects the information system from information leakage due to
electromagnetic signals emanations.
Questions | Contact for Info.
- Is there a list of personnel with authorized access to the facility?
- What is the process for accessing the area containing PII?
- Is there written documentation?
- How many levels of barriers protect access to PII information?
- Is the access monitored?
- How is the facility protected? (guards / keys / biometrics / smart card / PIN
combination)
- Who maintains the keys / access devices?
- Does the org change combinations and keys when keys are lost or
compromised?
- Does the org change combinations or take back the keys for terminated /
transferred / retired employees?
- Is the access monitored?
- Does the org have and maintain an inventory of physical access devices?
- Is there a process to review the inventory every 365 days?
- Are protective measures taken to control physical access to information
system distribution and transmission lines, such as locked wiring
closets and disconnected or locked spare jacks?
- Are physical access logs reviewed?
- How often are the logs reviewed?
- Is there real-time surveillance equipment?
- Does the organization escort visitors and monitor visitor activity?
- Does the organization require two forms of identification for visitor
access to the facility?
- Does the org maintain visitor access records?
- Does the org review visitor access records monthly?
- Does the organization employ redundant and parallel power cabling
paths?
- Does the organization employ automatic voltage controls for the
equipment?
- Does the org permit only authorized maintenance personnel to access
infrastructure assets, including power generators, HVAC systems, cabling,
and wiring closets?
- Who are the authorized personnel?
- Is the emergency shutoff automatic?
- Where are the emergency shutoff switches or devices placed?
- Does the org protect the emergency power shutoff capability from unauthorized
activation?
- Is the uninterruptible power supply manual or automatic?
- Is there automatic emergency lighting?
- Do the fire detection devices/systems activate automatically?
- Is an automatic notification sent to the organization and emergency
responders in case of fire?
- Does the organization ensure that the facility undergoes fire marshal
inspections and promptly resolves identified deficiencies?
- Does the org maintain temperature and humidity levels within the facility?
- Are there automatic temperature and humidity controls in the facility to
prevent fluctuations?
- Is there an alarm that signals temperature and humidity fluctuations?
- Is an automatic notification sent in case of fluctuations in temperature
and humidity?
- Does the organization employ a mechanism to protect the information
system from water damage without manual intervention?
- How does the org authorize the entry and exit of information
system components to and from the facility?
- Have different sets of security controls been defined for specific alternate work
sites or types of sites? Need an example.
- Does the organization consider the location or site of the facility with regard to
physical and environmental hazards? Does it consider the location of physical
entry points where unauthorized individuals, while not being granted access,
might nonetheless be in close proximity to the information system?
CMS Control Description
a. Develops a security assessment plan that describes the scope of the
assessment including:
- Security controls and control enhancements under assessment;
- Assessment procedures to be used to determine security control effectiveness;
and
- Assessment environment, assessment team, and assessment roles and
responsibilities;
b. Assesses the security controls in the information system within every three
hundred sixty-five (365) days in accordance with the Information Security (IS)
Acceptable Risk Safeguards (ARS) Including Minimum Security Requirements
(CMSR) Standard, to determine the extent to which the controls are implemented
correctly, operating as intended, and producing the desired outcome with respect
to meeting the security requirements for the system;
c. Produces a security assessment report that documents the results of the
assessment; and
d. Provides the results of the security control assessment within every three
hundred sixty-five (365) days, in writing, to the Business Owner who is responsible
for reviewing the assessment documentation and updating system security
documentation where necessary to reflect any changes to the system.
For FTI: The agency shall conduct, periodically, but at least annually, an
assessment of the security controls in the systems that receive, store, process or
transmit FTI. (Pub 1075, Ref. 9.4)
Implementation Standard(s)
1. A security assessment of all security controls must be conducted prior to issuing
the initial authority to operate for all newly implemented systems.
2. The annual security assessment requirement mandated by OMB requires all
CMSRs attributable to a system or application to be assessed over a 3-year period.
To meet this requirement, a subset of the CMSRs shall be tested each year so that
all security controls are tested during a 3-year period.
3. The Business Owner notifies the CISO within thirty (30) days whenever updates
are made to system security authorization artifacts or significant role changes occur.
Security Assessment and Authorization (CA)
a. Develops and submits a Plan of Action and Milestones (POA&M) for the
information system within thirty (30) days of the final results for every
internal/external audit/review or test (e.g., ST&E, penetration test) to document the
organization's planned remedial actions to correct weaknesses or deficiencies
noted during the assessment of the security controls and to reduce or eliminate
known vulnerabilities in the system; and
b. Updates and submits existing POA&M monthly until all the findings are resolved
based on the findings from security controls assessments, security impact
analyses, and continuous monitoring activities.
Implementation Standards
For FTI: The agency must submit an updated Corrective Action Plan (CAP) twice
each year to address corrective actions identified during an on-site safeguards
review until all findings are closed. The CAP is submitted as an attachment to the
SAR, and on the CAP due date, which is six months from the scheduled SAR due
date. (Pub 1075, Ref. 7.5)
a. Authorizes connections from the information system to other information
systems outside of the authorization boundary through the use of
Interconnection Security Agreements;
b. Documents, for each connection, the interface characteristics, security
requirements, and the nature of the information communicated; and
c. Monitors the information system connections on an ongoing basis
verifying enforcement of security requirements.
Implementation Standard(s)
1. Record each system interconnection in the System Security Plan (SSP)
and Information Security (IS) Risk Assessment (RA) for the CMS system
that is connected to the remote location.
The organization updates the security authorization:
- At least every three (3) years;
- When substantial changes are made to the system;
- When changes in requirements result in the need to process data of a
higher sensitivity;
- When changes occur to authorizing legislation or federal requirements;
- After the occurrence of a serious security violation which raises questions
about the validity of an earlier security authorization; and
- Prior to expiration of a previous security authorization.
Questions | Contact for Info.
Is there comprehensive System Security Plan documentation for
New HEIGHTS?
Is there comprehensive documentation of the security risk assessment
performed on the New HEIGHTS systems?
DoIT - Security
Does a Plan of Action and Milestones (POA&M) exist for the New HEIGHTS systems? DoIT - Security
A. Is there any formal agreement between the State of NH DHHS and outside
entities?
B. Is there any documentation of the interface characteristics, security
requirements, and the nature of the information communicated to the New
HEIGHTS mainframe?
C. What is the process for monitoring system connections on an ongoing
basis and verifying enforcement of the security requirements?
D. Is there any documentation of a system security plan (SSP) or Information
Security Risk Assessment (ISRA)?
DoIT - Security
How does the organization update the security authorization in the
following cases?
- At least every three (3) years;
- When substantial changes are made to the system;
- When changes in requirements result in the need to process data of a
higher sensitivity;
- When changes occur to authorizing legislation or federal requirements;
- After the occurrence of a serious security violation which raises questions
about the validity of an earlier security authorization; and
- Prior to expiration of a previous security authorization.
DoIT - Security
Establishes usage restrictions and implementation guidance for each allowed
remote access method;
What specific configurations/implementation guidance are provided for
each type of RA method (SSL/IPSec/Citrix)?
TSG
Monitors for unauthorized remote access to the information system
1. Does the security team monitor remote access, especially unauthorized
use of it?
2. What are the tools that are used to monitor the access?
3. Are logs reviewed to identify such access?
4. How frequently is this activity performed?
5. Who is responsible for conducting this review?
TSG
The organization enforces the selected requirements for remote connections to
the information system.
How does the organization enforce the requirements on remote
connections?
How is access granted? Is there a set process?
How is access monitored?
TSG
1. The organization employs automated mechanisms to facilitate the monitoring
and control of remote access methods.
2. The organization monitors for unauthorized remote connections to the
information system at least quarterly, and takes appropriate action if an
unauthorized connection is discovered.
1. What automated mechanisms are in place?
2. Are detailed logs generated for all remote users?
3. Are unauthorized remote connections monitored? At what frequency?
4. Is there a responsible team/person assigned to monitor?
5. How are unauthorized connections blocked/prevented/revoked?
TSG
The organization uses cryptography to protect the confidentiality and integrity of
remote access sessions.
1. Could you describe the VPN installed?
2. What type of VPN is in place?
3. What encryption algorithms and key lengths are used?
4. What additional protections are used? E.g. SSH tunnelling, blocking mode ON
5. How is Citrix secured? Is there two-factor authentication (2FA) using physical tokens?
TSG
The information system routes all remote accesses through a limited number of
managed access control points.
Are there port restrictions for using VPN?
Are the entry/access points monitored and restricted?
Is there a list of allowed access points?
TSG
The organization :
a. Designates individuals authorized to post information onto an information
system that is publicly accessible;
b. Trains authorized individuals to ensure that publicly accessible information
does not contain nonpublic information;
c. Reviews the proposed content of publicly accessible information for nonpublic
information prior to posting onto the information system;
d. Reviews the content on the publicly accessible information system for
nonpublic information monthly; and
e. Removes nonpublic information from the publicly accessible information
system, if discovered.
1. Have you identified the individuals who are allowed to post information
on public systems? e.g. on NH Easy
2. Is there any training program provided for ensuring that public systems
would not have any non-public information?
3. Is there a process to review the content that is posted on the public
systems? So that you can be sure no restricted/confidential/private
information is uploaded on it.
4. Is there a monthly review of public systems, in order to ensure no
restricted/confidential/private information is posted on it?
5. Have there been cases where you have removed the nonpublic
information from public systems?
TSG
Inspects administrator groups, root accounts and other system related accounts
on demand, but at least once every fourteen (14) days to ensure that
unauthorized accounts have not been created.
Yes. Currently there is a report that also includes public-facing accounts.
There is a policy being put in place to review the admins (Privileged
Account & Access review policy).
1. Does the daily report also include modifications?
Transactions come from Pam, and there is a report sent back to Pam; there
are no modify transactions. If there are transactions that fail, TSG reviews
and follows up individually. Case workers & DC.
Second report for TSG (refer above) includes modify.
The information system automatically terminates emergency accounts within
twenty-four (24) hours and temporary accounts with a fixed duration not to
exceed three hundred sixty-five (365) days.
Ad-hoc and customary process to disable emergency and temp accounts.
Manual, not auto. There is a review at least once a year.
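The two controls above (privileged-account inspection at least every fourteen days, and automatic termination of emergency accounts within 24 hours and temporary accounts within 365 days) are answered here as manual processes. As an added example, not part of the questionnaire and not DHHS/DoIT code, the following Python shows what the automated equivalent looks like: a membership diff against an approved baseline, plus a deadline check for emergency and temporary accounts. The group names, account names and dates are constructed sample data, and the baseline is assumed to be what the Privileged Account & Access review policy would record.

```python
"""Privileged-account review helpers (added example, not DHHS/DoIT code).

Assumed inputs (constructed for this example):
- an approved-membership baseline per privileged group;
- a current membership snapshot exported from the directory/host;
- per-account metadata (kind, creation time, optional planned expiry).
"""
from datetime import datetime, timedelta

REVIEW_INTERVAL = timedelta(days=14)       # control: inspect at least every 14 days
EMERGENCY_LIFETIME = timedelta(hours=24)   # control: emergency accounts end within 24 h
TEMPORARY_LIFETIME = timedelta(days=365)   # control: temporary accounts end within 365 days

# Constructed sample data (hypothetical group and account names).
BASELINE = {
    "Administrators": {"alice", "bob"},
    "wheel": {"alice", "carol"},
}
SNAPSHOT = {
    "Administrators": {"alice", "bob", "eve"},  # 'eve' was never approved
    "wheel": {"alice"},                         # 'carol' approved but absent
    "db_admins": {"mallory"},                   # group not covered by the baseline at all
}
ACCOUNTS = [
    {"name": "alice",          "kind": "standard",  "created": datetime(2022, 6, 1)},
    {"name": "em-oncall",      "kind": "emergency", "created": datetime(2024, 3, 13, 20, 0)},
    {"name": "em-fresh",       "kind": "emergency", "created": datetime(2024, 3, 14, 6, 0)},
    {"name": "tmp-contractor", "kind": "temporary", "created": datetime(2023, 1, 1)},
    {"name": "tmp-intern",     "kind": "temporary", "created": datetime(2024, 1, 10),
     "expires": datetime(2024, 3, 1)},
    {"name": "tmp-auditor",    "kind": "temporary", "created": datetime(2024, 2, 1),
     "expires": datetime(2024, 6, 1)},
]


def unauthorized_members(baseline, snapshot):
    """Return {group: set(accounts)} present in the snapshot but not approved.

    A group with no baseline entry is treated as entirely unapproved: an
    unknown privileged group is itself a finding, not an exemption.
    """
    findings = {}
    for group, members in snapshot.items():
        extra = members - baseline.get(group, set())
        if extra:
            findings[group] = extra
    return findings


def missing_members(baseline, snapshot):
    """Approved accounts no longer present (informational: the baseline is stale)."""
    return {g: approved - snapshot.get(g, set())
            for g, approved in baseline.items()
            if approved - snapshot.get(g, set())}


def accounts_to_terminate(accounts, now):
    """Names of emergency/temporary accounts that must be disabled at `now`.

    Emergency accounts expire 24 h after creation regardless of any planned
    expiry; temporary accounts expire at their planned expiry or 365 days
    after creation, whichever comes first. Standard accounts are skipped.
    """
    due = []
    for acct in accounts:
        created = acct["created"]
        if acct["kind"] == "emergency":
            deadline = created + EMERGENCY_LIFETIME
        elif acct["kind"] == "temporary":
            deadline = created + TEMPORARY_LIFETIME
            if "expires" in acct:
                deadline = min(deadline, acct["expires"])
        else:
            continue
        if now >= deadline:
            due.append(acct["name"])
    return sorted(due)


def review_overdue(last_review, now):
    """True if the 14-day inspection window has lapsed."""
    return now - last_review > REVIEW_INTERVAL


def sample_review(now=None):
    """Run all checks over the constructed data at a fixed 'now'."""
    now = now or datetime(2024, 3, 15)
    return {
        "unauthorized": unauthorized_members(BASELINE, SNAPSHOT),
        "missing": missing_members(BASELINE, SNAPSHOT),
        "terminate": accounts_to_terminate(ACCOUNTS, now),
        "review_overdue": review_overdue(datetime(2024, 2, 20), now),
    }


if __name__ == "__main__":
    for key, value in sample_review().items():
        print(f"{key:15} {value}")
```

In a real deployment the snapshot would come from the directory or host (for example a scheduled export of group membership) and the baseline from the approved review record; the point of the diff is that a missing baseline entry is reported rather than silently ignored.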
Disable all file system access not explicitly required for system, application, and
administrator functionality.
On-going process. Refer to SoD.
The organization explicitly authorizes access to privileged functions (e.g., system-
level software, administrator tools, scripts, utilities) deployed in hardware,
software, and firmware; and security relevant information is restricted to
explicitly authorized individuals.
No document; ad-hoc email-based communication to authorize access to
privileged functions. No policy. Follow up for a list.
SC
CMS Control Description | Questions | Contact for Info. | Responses / Comments
SI-2 What is the test environment for OS/Database upgrades? TSG
SI-2(2) Is any vulnerability scan performed on New HEIGHTS/NH Easy/Mainframe/DB?
Reddy
DoIT
SI-3 Is malicious code protection deployed on servers and at entry points such as routers? DoIT
SI-3 What is the scope of McAfee GroupShield? Is it the only McAfee product deployed? DoIT
SI-8 Is the spam protection module enabled on GroupShield?
SI-3 How are False Positives handled? DoIT
Are the McAfee products centrally managed?
SI-3 Is the malicious code protection tool configured to run scans at system boot? What scan frequency is configured? Is it at least once a day?
DoIT
SI-3(2) Is the malicious code protection tool updated automatically? DoIT
SI-3(3) Is there protection to prevent users from circumventing the malicious code protection capabilities? Can they disable the AV tool to install something? DoIT
SI-4 Are there any IDS devices? DoIT
SI-4 Are the IDS devices interconnected in any way? DoIT
SI-4(4) Are the inbound/outbound connections monitored? Are the Cisco devices allowing connections to the mainframe and DB regularly monitored?
ERS
DoIT
TSG
SI-4(5) Are we considering vulnerability scanning for the New HEIGHTS and NH Easy applications? ERS
Are there any vulnerability scans performed on the network devices? DoIT NetOps
SI-4(6) Can users circumvent IDS policies? DoIT NetOps
- Does NetOps employ any malicious code protection mechanism at entry points to detect malicious code?
  - Is there a documented policy/process to update the malicious code protection?
  - Is malicious code blocked and quarantined, and is an alert sent to an administrator in response?
  - Are non-privileged users prohibited from circumventing malicious code protection capabilities?
  - Is the desktop malicious code scanning software configured to perform critical system file scans?
- Are IDS devices installed at network perimeter points, and host-based IDS sensors on critical servers?
- Are the individual intrusion detection tools interconnected into a system-wide intrusion detection system using common protocols?
Does NetOps receive security alerts, advisories and directives from
designated external organizations on an ongoing basis?
Does NetOps generate internal alerts based on security alerts/advisories?
Have key personnel been identified who need to be notified about security
alerts/advisories? Are they notified?
SI-5 Does DoIT receive any security alerts or advisories from US-CERT or vendors?
Are any internal alerts, advisories or directives generated and
distributed throughout the organization?
Is there a time frame that is followed to address/notify system
owners/users about non-compliance?
SI-12
Does the organization handle and retain both information within and
output from the information system in accordance with applicable federal
laws, Executive Orders, directives, policies, regulations, standards, and
operational requirements?
Melinda Cox
SI
CMS Control Description | Questions | Contact for Info. | Responses / Comments
Do the configurations follow any guidelines provided by other
organizations? Reddy
Is there a document that lists mandatory configuration settings?
- Are exceptions monitored/documented? Reddy
What is the scope of the Advanced Tracking system?
- Does it have the baseline config for NH Easy & New HEIGHTS?
- Does it list hardware config needed?
Reddy
Does the CA SCM tool have any list of software authorized to execute on
the information system? (white list vs black list?) Reddy
Does the PPR document also act as a change request form, or is there a
separate document? (For HW and SW changes) Reddy
Are the changes to the information system evaluated for potential security
risks? Reddy
Is there an inventory of information system components that
Reddy
Is there a baseline config document for NH Easy and/or New HEIGHTS?
- Is it updated if new hardware is put in?
Reddy
TSG
DoIT
There is a baseline config. There is a spreadsheet that lists
non-default values for WebSphere. There is no separate set
of documents where config is managed explicitly. There is a
document for the current state and to-be state. There are HW
changes that happen frequently. Config management of SW
is done through a separate process but no standalone process.
Does the group performing SW/HW tests look for security flaws? TSG
DoIT
Nothing specific done for security, unless IBM sends an alert.
Is there a document that lists mandatory configuration settings?
- Are exceptions monitored/documented?
TSG
DoIT
IBM implementation document, informs changes from
previous version.
Is there a “least functionality” config that restricts and disables use of
services/ports/network protocols to ensure only essential capabilities are
provided?
DoIT
Is a list of specifically needed system services, ports, and network protocols
maintained and documented? DoIT
Is there a list of software programs authorized (white list) or unauthorized
(black list) to execute on the information system? DoIT
TSG
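The least-functionality, authorized-ports and authorized-software questions above ask for a documented list of needed services, ports and protocols. The following Python is an added example (not DoIT tooling and not from the questionnaire) of how that list, once it exists, can be checked mechanically against what a host is actually listening on, and how a deny-list of legacy cleartext protocols is enforced alongside it. The snapshot format ("proto bind-address:port process"), the allow-list for a hypothetical WebSphere host and the deny-list are all assumptions constructed for this example.

```python
"""Least-functionality check (added example; not DoIT's tooling).

Compares a listening-socket snapshot against the documented list of needed
services/ports/protocols and against a short deny-list of cleartext legacy
protocols. Snapshot format, allow-list and deny-list are constructed for
this example.
"""

# Assumption: the documented "needed" list for a hypothetical WebSphere host,
# keyed by (protocol, port) and naming the process expected to own the port.
ALLOWED = {
    ("tcp", 22):   "sshd",   # administrative access
    ("tcp", 443):  "java",   # WebSphere HTTPS
    ("tcp", 9043): "java",   # WebSphere admin console (HTTPS)
}

# Assumption: protocols the organisation disables outright (cleartext or
# unauthenticated), regardless of who is listening.
LEGACY_PORTS = {("tcp", 21): "ftp", ("tcp", 23): "telnet", ("udp", 161): "snmp-v1/v2c"}

# Constructed snapshot of listeners on the hypothetical host.
SNAPSHOT = """\
tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:443 java
tcp 0.0.0.0:9043 java
tcp 0.0.0.0:9080 java
tcp 127.0.0.1:9990 java
tcp 0.0.0.0:23 inetd
udp 0.0.0.0:161 snmpd
"""


def parse_snapshot(text):
    """Parse 'proto addr:port process' lines into listener records."""
    listeners = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, endpoint, process = line.split()
        addr, port = endpoint.rsplit(":", 1)
        listeners.append({"proto": proto, "addr": addr, "port": int(port), "process": process})
    return listeners


def check(listeners):
    """Return (severity, description) findings, highest severity first.

    Deny-listed protocols are 'high'. Anything else not on the allow-list is
    'medium' when reachable from the network and 'low' when bound to loopback
    only; loopback listeners are still reported because the control wants
    them documented. An allowed port owned by an unexpected process is also
    reported, since an allowed port can be squatted by an unexpected binary.
    """
    findings = []
    for l in listeners:
        key = (l["proto"], l["port"])
        where = f'{l["proto"]}/{l["port"]} ({l["process"]} on {l["addr"]})'
        if key in LEGACY_PORTS:
            findings.append(("high", f"disable {LEGACY_PORTS[key]}: {where}"))
        elif key not in ALLOWED:
            sev = "low" if l["addr"] in ("127.0.0.1", "::1") else "medium"
            findings.append((sev, f"undocumented listener: {where}"))
        elif ALLOWED[key] != l["process"]:
            findings.append(("medium", f"unexpected process on allowed port: {where}"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for sev, desc in check(parse_snapshot(SNAPSHOT)):
        print(f"[{sev}] {desc}")
```

Run against a real host, the snapshot would be produced by the platform's socket-listing tool and the allow-list maintained with the baseline configuration; any new "medium" finding after a change is exactly the security-impact question the CM rows below ask about.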
Is there any web content filtering? DoIT
Is any security analysis performed? Are configuration-controlled changes
to the system allowed only with explicit consideration of the security
impact analysis? Are these documented and retained? Is there a policy; if
not, as a customary process, how long are they retained?
Reddy
DoIT
TSG
Are updates to the system tested in a separate environment? What is the
environment called? How long are these tests conducted? Are the test
results retained? What is the process to fix flaws?
DoIT
Is the detection of unauthorized, security-relevant configuration changes
incorporated into the organization's incident response capability, to ensure
that such detected events are tracked, monitored, corrected, and available
for historical purposes?
DoIT
Is there an asset (HW/SW) inventory list with current specs? DoIT
TSG
Is the inventory list accurately maintained? How often is it reviewed/updated? DoIT
Are the roles and responsibilities of each group documented? Is access to the
New HEIGHTS system granted based on those roles? DoIT
Configuration Management (CM)
CMS Control Description | Questions | Contact for Info. | Responses / Comments
AU-6
Are network traffic, bandwidth utilization rates, alert notifications, and border
defense devices reviewed to determine anomalies on demand, but no less
than once within a twenty-four (24) hour period? Are alerts generated for
technical personnel review and assessment?
DoIT
AU-6
Is there a process to investigate suspicious activity or suspected violations
on the information system, report findings to appropriate officials, and
take appropriate action?
DoIT
Networking
AU-6 Are automated utilities used to review audit records at least once every
seven (7) days for unusual, unexpected, or suspicious behavior?
AU-2
Is logging enabled for perimeter devices, including firewalls and routers,
for the following events?
(a) Packet screening denials originating from untrusted networks,
(b) Packet screening denials originating from trusted networks,
(c) User account management,
(d) Modification of packet filters,
(e) Application errors,
(f) System shutdown and reboot,
(g) System errors, and
(h) Modification of proxy services.
Audit (AU)
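The AU-2 event list and the AU-6 automated-review question above can be turned into a concrete check. The following Python is an added example, not DoIT tooling or questionnaire content: it classifies perimeter log lines into classes (a) to (h) and flags any untrusted source whose denials reach a threshold, which is the kind of unusual behaviour a weekly automated sweep should surface. The key=value log format, host names, addresses and the use of the RFC 1918 ranges as the definition of "trusted network" are assumptions constructed for the example.

```python
"""Perimeter-log review (added example; not DoIT's tooling).

Classifies constructed firewall/proxy syslog-style lines into the AU-2 event
classes (a)-(h) and performs an AU-6 style automated sweep for suspicious
behaviour (one source producing repeated denials). The line format, host
names, event names and addresses are assumptions made for this example.
"""
import ipaddress
import shlex
from collections import Counter, defaultdict

# Assumption: the organisation's internal ("trusted") networks are RFC 1918.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Event name -> AU-2 class, for the constructed format "<ts> <host> <EVENT> k=v ...".
# DENY is handled separately because (a)/(b) depend on the source network.
EVENT_CLASS = {
    "USER-ADD": "c", "USER-DEL": "c", "USER-MOD": "c",   # account management
    "ACL-MODIFY": "d",                                   # packet-filter changes
    "APP-ERROR": "e",
    "SYS-SHUTDOWN": "f", "SYS-REBOOT": "f",
    "SYS-ERROR": "g",
    "PROXY-CONFIG": "h",
}

# Constructed sample log (documentation addresses; hypothetical hosts/users).
SAMPLE_LOG = """\
2024-03-01T10:00:01 fw-edge DENY src=203.0.113.45 dst=10.1.2.3 proto=tcp dport=22
2024-03-01T10:00:02 fw-edge DENY src=203.0.113.45 dst=10.1.2.3 proto=tcp dport=23
2024-03-01T10:00:03 fw-edge DENY src=203.0.113.45 dst=10.1.2.3 proto=tcp dport=3389
2024-03-01T10:00:04 fw-edge DENY src=10.20.30.40 dst=192.168.5.5 proto=udp dport=161
2024-03-01T10:01:00 fw-edge ACL-MODIFY user=jdoe rule="permit any any" action=added
2024-03-01T10:02:00 fw-edge USER-ADD user=svc_backup by=jdoe
2024-03-01T10:03:00 fw-edge APP-ERROR module=vpn msg="tunnel negotiation failed"
2024-03-01T10:04:00 fw-edge SYS-REBOOT reason=scheduled
2024-03-01T10:05:00 fw-edge SYS-ERROR msg="disk usage critical"
2024-03-01T10:06:00 proxy-1 PROXY-CONFIG user=jdoe change="bypass added for 203.0.113.0/24"
2024-03-01T10:07:00 fw-edge ALLOW src=10.1.1.1 dst=10.1.2.3 proto=tcp dport=443
"""


def parse(line):
    """Split one line into a record; shlex keeps quoted values intact."""
    ts, host, event, *kv = shlex.split(line)
    fields = dict(item.split("=", 1) for item in kv if "=" in item)
    return {"ts": ts, "host": host, "event": event, **fields}


def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def classify(rec):
    """Map a record to its AU-2 class letter, or None if not an AU-2 event."""
    if rec["event"] == "DENY":
        return "b" if is_trusted(rec["src"]) else "a"
    return EVENT_CLASS.get(rec["event"])


def review(log_text, deny_threshold=3):
    """Count events per AU-2 class and flag untrusted sources whose denials
    reach the threshold (a crude but useful port-scan indicator)."""
    counts = Counter()
    denies_by_src = defaultdict(int)
    unclassified = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        cls = classify(rec)
        if cls is None:
            unclassified += 1
            continue
        counts[cls] += 1
        if cls == "a":
            denies_by_src[rec["src"]] += 1
    flagged = sorted(s for s, n in denies_by_src.items() if n >= deny_threshold)
    return {"counts": dict(counts), "flagged": flagged, "unclassified": unclassified}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for cls in "abcdefgh":
        print(f"({cls}) {result['counts'].get(cls, 0)}")
    print("flagged sources:", result["flagged"])
```

The per-class counts are the evidence that each AU-2 event type is actually being logged (a class that is always zero usually means logging for it is off, not that it never happens), and the flagged list is what the AU-6 reviewer would look at first.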
CMS Control Description | Questions | Contact for Info. | Responses / Comments
PM-2
Is there a senior information security officer? What are the person's
responsibilities? Is there a document that gives an overview of those
responsibilities?
PM-3 Do the capital planning and investment requests include the resources needed
to implement an information security program? Are exceptions documented?
Are the required resources documented in any business case/Exhibit
300/Exhibit 53?
PM-4
Does the org have a process to document and maintain plans of action and
milestones for the security program and the associated information
system?
Reddy
DoIT
TSG
PM-5 Is there an inventory of information systems? DoIT
PM-6 Are there any outcome-based metrics that the organization can use to
measure the efficiency/effectiveness of the information security program? ERS team
PM-7 ERS team
Audit (AU)
CMS Control Description | Questions | Contact for Info. | Responses / Comments
The organization:
a. Categorizes information and the information system in accordance with
applicable federal laws, Executive Orders, directives, policies, regulations,
standards, and guidance;
1. Has information classification been performed?
2. Are systems identified based upon the information they process,
transmit, or store?
Reddy
b. Documents the security categorization results (including supporting
rationale) in the security plan for the information system; and
1. If information classification is performed, is it further used to
categorize information and systems into security categories? E.g. a HDD
storing PII should be classified and protected at the highest level.
2. Are these results documented somewhere?
Reddy
c. Ensures the security categorization decision is reviewed and approved by
the authorizing official or authorizing official designated representative.
Based upon the responses to the above questions:
Is the categorization reviewed and approved by an authorized individual,
e.g. the CIO?
Reddy
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude
of harm, from the unauthorized access, use, disclosure, disruption,
modification, or destruction of the information system and the information it
processes, stores, or transmits;
b. Documents risk assessment results in accordance with the Information
Security (IS) Risk Assessment (RA) Procedures;
c. Reviews risk assessment results within every three hundred sixty-five
(365) days; and
d. Updates the risk assessment within every three (3) years or whenever
there are significant changes to the information system or environment of
operation (including the identification of new threats and vulnerabilities), or
other conditions that may impact the security or authorization state of the
system.
1. When was the last risk assessment performed?
2. Is there any documentation for capturing the results?
3. What is the frequency at which the risk assessments are performed?
4. Who performs them?
5. Is the risk assessment performed as per the Information Security Risk
Assessment procedures?
Reddy
Scans for vulnerabilities in the information system and hosted applications
within every ninety (90) days and when new vulnerabilities potentially
affecting the system/applications are identified and reported;
1. Are vulnerability scans performed?
2. How often are they performed? Reddy
Employs vulnerability scanning tools and techniques that promote
interoperability among tools and automate parts of the vulnerability
management process by using standards for:
- Enumerating platforms, software flaws, and improper configurations;
- Formatting and making transparent, checklists and test procedures; and
- Measuring vulnerability impact;
1. What tools are employed to perform vulnerability scanning?
2. Are any other automation mechanisms in place for vulnerability scanning? Reddy
Analyzes vulnerability scan reports and results from security control
assessments;
1. Are the vulnerability scan reports analyzed by any particular group? Reddy
Remediates legitimate vulnerabilities based on the Business Owner's risk
prioritization in accordance with an organizational assessment of risk; and
1. Is there a remediation plan?
2. Are there action items created for security teams to perform after a VM
scan is conducted?
3. Is there any prioritization activity for the findings of these scans?
Reddy
Shares information obtained from the vulnerability scanning process and
security control assessments with designated personnel throughout the
organization on a "need to know" basis to help eliminate similar
vulnerabilities in other information systems (i.e., systemic weaknesses or
deficiencies).
Are the reports shared across departments (on a need-to-know basis)?
Is there a common security portal (such as SharePoint)? Reddy
Perform external network penetration testing and conduct enterprise
security posture review as needed but no less than once within every three
hundred sixty-five (365) days, in accordance with CMS IS procedures.
1. Is external network penetration testing performed?
2. If so, how often?
3. Are the results documented?
Reddy
The organization employs vulnerability scanning tools that include the
capability to readily update the list of information system vulnerabilities
scanned.
1. Are any vulnerability scanning tools employed?
2. Are they utilized frequently? Reddy
Risk Assessment (RA)
CMS Control Description | Questions | Contact for Info. | Responses / Comments
The organization:
a. Schedules, performs, documents, and reviews records of maintenance
and repairs on information system components in accordance with
manufacturer or vendor specifications and/or organizational requirements;
Implementation Standard(s)
1. (For PII only) In facilities where PII is stored or accessed, document
repairs and modifications to the physical components of a facility which are
related to security (for example, hardware, walls, doors, and locks).
1. What is the process to schedule maintenance of a system component?
2. Who initiates the request for maintenance?
3. Who approves the request?
4. Who performs the maintenance? Is any security personnel overseeing
the maintenance activity?
5. Does a paper trail exist for the maintenance activities?
6. Is the vendor/manufacturer-provided schedule followed? Is there a
tracking mechanism?
7. Is there a review procedure to document repairs to physical
components, e.g. walls, doors, etc.?
Reddy
b. Controls all maintenance activities, whether performed on site or
remotely and whether the equipment is serviced on site or removed to
another location;
1. What are the controls implemented on maintenance activity? Approval
chain, monitoring, review, etc. Reddy
c. Requires that a designated official explicitly approve the removal of the
information system or system components from organizational facilities for
off-site maintenance or repairs;
1. Does an authorized individual approve the removal of a system
component from the facility? E.g. if mainframe memory needs to be
removed from the facility, is that approved by anyone?
Reddy
e. Checks all potentially impacted security controls to verify that the controls
are still functioning properly following maintenance or repair actions.
1. Is there a process to identify controls that would be affected due to
maintenance activities?
2. Does the organization validate the functioning of the controls after the
maintenance activity is completed?
Reddy
The organization maintains maintenance records for the information system
that include:
- date and time of maintenance;
- name of the individual performing the maintenance;
- name of escort, if necessary;
- a description of the maintenance performed;
- a list of equipment removed or replaced (including identification numbers,
if applicable).
1. Are records maintained for the maintenance activities carried out?
2. What fields are captured in these records? Reddy
The organization approves, controls, monitors the use of, and maintains on
an ongoing basis, information system maintenance tools.
Are specific maintenance tools utilized, for example diagnostic and
test equipment used to conduct maintenance on the information system?
How is the use of such tools monitored?
Is there an approval process?
How long are the tools kept on site? Are they removed after a
predetermined interval?
Reddy
The organization inspects all maintenance tools carried into a facility by
maintenance personnel for obvious improper modifications.
Enhancement Supplemental Guidance: Maintenance tools include, for
example, diagnostic and test equipment used to conduct maintenance on the
information system.
Are the above-mentioned tools inspected periodically and/or before use? Reddy
The organization checks all media containing diagnostic and test programs
for malicious code before the media are used in the information system.
Are media containing diagnostic/test programs scanned for malicious
code before use? Reddy
The organization prohibits non-local system maintenance unless explicitly
authorized, in writing, by the CIO or his/her designated representative. If
authorized, the organization:
a. Monitors and controls non-local maintenance and diagnostic activities;
b. Allows the use of non-local maintenance and diagnostic tools only as
consistent with organizational policy and documented in the security plan for
the information system;
c. Employs strong identification and authentication techniques in the
establishment of non-local maintenance and diagnostic sessions;
d. Maintains records for non-local maintenance and diagnostic activities;
and
e. Terminates all sessions and network connections when non-local
maintenance is completed.
Implementation Standard(s)
1. If password-based authentication is used during remote maintenance,
change the passwords following each remote maintenance service.
1. Are non-local system maintenance activities allowed, e.g. installation
using Remote Desktop?
2. What are the authentication mechanisms for such maintenance
activities?
3. Are such activities monitored?
Reddy
The organization audits non-local maintenance and diagnostic sessions and
designated organizational personnel review the maintenance records of the
sessions.
Are records maintained? And are they periodically reviewed? Reddy
The organization documents, in the security plan for the information
system, the installation and use of non-local maintenance and diagnostic
connections.
Is the use of non-local maintenance allowed?
Is it documented in the security plan / information security policy? Reddy
Maintenance (MA)
The organization:
(a) Requires that non-local maintenance and diagnostic services be
performed from an information system that implements a level of security at
least as high as that implemented on the system being serviced; or
(b) Removes the component to be serviced from the information system
and prior to non-local maintenance or diagnostic services, sanitizes the
component (with regard to sensitive information) before removal from
organizational facilities, and after the service is performed, inspects and
sanitizes the component (with regard to potentially malicious software and
surreptitious implants) before reconnecting the component to the
information system.
1. What security measures are expected on the system used for non-local
maintenance?
2. Are components segregated before non-local maintenance is used?
Reddy
The organization:
a. Establishes a process for maintenance personnel authorization and
maintains a current list of authorized maintenance organizations or
personnel; and
b. Ensures that personnel performing maintenance on the information
system have required access authorizations or designates organizational
personnel with required access authorizations and technical competence
deemed necessary to supervise information system maintenance when
maintenance personnel do not possess the required access authorizations.
1. Is there a process for maintenance personnel authorization?
2. Is there a current list of authorized maintenance organizations or
personnel?
Reddy
The organization obtains maintenance support and/or spare parts for critical
systems and applications (including Major Applications [MA] and General
Support Systems [GSS] and their components) within twenty-four (24)
hours of failure.
1. Is there any SLA with a service organization to obtain critical components /
spare parts?
2. Is there a defined time interval within which the spare parts must be
procured?
Reddy