
DEPARTMENT OF HEALTH & HUMAN SERVICES
Centers for Medicare & Medicaid Services
Office of Information Services
7500 Security Boulevard
Baltimore, MD 21244-1850

Health Insurance eXchange (HIX)
August – September 2013
Security Control Assessment (SCA) Report
Final Report
October 11, 2013

CMS SENSITIVE INFORMATION—REQUIRES SPECIAL HANDLING

epic.org EPIC-14-02-03-CMS-FOIA-20200917-Production-Security-Control-Assessment-Report 000001 CMS000095

Table of Contents

1 Executive Summary ..... 1
  1.1 HIX Background ..... 1
    1.1.1 Plan Management (PM) ..... 2
    1.1.2 Eligibility & Enrollment (E&E) ..... 3
    1.1.3 Financial Management (FM) ..... 6
  1.2 Assessment Scope ..... 7
    1.2.1 Joint Assessments ..... 8
  1.3 Known Functionality Not Tested ..... 9
  1.4 Summary of Assessment ..... 10
  1.5 Summary of Findings ..... 11
  1.6 Summary of Recommendations ..... 13
2 Introduction ..... 1
    2.1.1 Plan Management (PM) ..... 1
    2.1.2 Eligibility & Enrollment (E&E) ..... 2
    2.1.3 Financial Management (FM) ..... 6
  2.2 Assessment Methodology ..... 7
    2.2.1 Joint Assessments ..... 7
  2.3 Assessment Summary ..... 8
3 Detailed Findings ..... 9
  3.1 Methodology for Application-Only Security Control Assessment ..... 9
    3.1.1 Application-Only Vulnerability Assessment ..... 10
    3.1.2 Tests and Analyses ..... 10
    3.1.3 Tools ..... 10
  3.2 Methodology for Security Test Reporting ..... 11
    3.2.1 Risk Level Assessment ..... 11
    3.2.2 Ease-of-Fix Assessment ..... 12
    3.2.3 Estimated Work Effort Assessment ..... 13
    3.2.4 CMS FISMA Controls Tracking System Names ..... 13
  3.3 Business Risks ..... 13
    3.3.1 Business Risk (b)(5) ..... 15
    3.3.2 Business Risk (b)(5) ..... 17
    3.3.3 Business Risk (b)(5) ..... 19
    3.3.4 Business Risk (b)(5) ..... 21
    3.3.5 Business Risk (b)(5) ..... 23
    3.3.6 Business Risk (b)(5) ..... 25
    3.3.7 Business Risk (b)(5) ..... 27
    3.3.8 Business Risk (b)(5) ..... 29
    3.3.9 Business Risk (b)(5) ..... 31
    3.3.10 Business Risk (b)(5) ..... 33
    3.3.11 Business Risk (b)(5) ..... 35
    3.3.12 Business Risk (b)(5) ..... 37
    3.3.13 Business Risk (b)(5) ..... 39
    3.3.14 Business Risk (b)(5) ..... 41
    3.3.15 Business Risk (b)(5) ..... 43
    3.3.16 Business Risk (b)(5) ..... 45
    3.3.17 Business Risk (b)(5) ..... 47
    3.3.18 Business Risk (b)(5) ..... 49
    3.3.19 Business Risk (b)(5) ..... 51
    3.3.20 Business Risk (b)(5) ..... 53
    3.3.21 Business Risk (b)(5) ..... 55
    3.3.22 Business Risk (b)(6) ..... 57
  3.4 Informational Risks ..... 59
    3.4.1 Business Risk (b)(5) ..... 60
    3.4.2 Business Risk (b)(5) ..... 62
    3.4.3 Business