Moss Adams

General

  1. Given the 13 different business areas specified as in-scope, what is the minimum number of interviews the University anticipates for the vendor to cover all the assessment areas?
     There is no minimum number. Interviews can be done in groups if desired. The vendor should also anticipate other areas being identified during the review process.
  2. Aside from HIPAA and PCI DSS, are there other information security best practice frameworks that we are to leverage when assessing alignment of the University’s cybersecurity posture?
     We are interested in using the NIST Cybersecurity Framework as our overarching guiding tool. Therefore, having a baseline assessment of where we are with our alignment to that standard would be extremely useful.
  3. Under 40.1, third bullet, it states, “You should prepare a PDF or Word document with your responses to the items listed in section 2.0.” I am assuming the RFP meant to say “section 20.2 through 20.5,” correct?
     Yes, but it should be 20.1 through 20.5.
  4. Under 20.1, page 8, section regarding deliverables expected, 5th bullet, it states, “Assistance in the development of missing, inadequate, or otherwise unacceptable policies and procedures required for regulatory compliance, ….” The development of policies and procedures could be a separate engagement altogether, and we will not know the number and type of policies and procedures we will need to develop until we know all the compliance gaps. Therefore, can pricing for this deliverable be determined by the successful vendor after the Risk Assessment and Compliance Gap Analysis has been completed?
     Yes, this would be a part of negotiations.
  5. Can you please provide a high-level overview of the IT environment at the University: (1) approximate number of servers, (2) number of virtual vs. physical servers, (3) number of Active Directory domains (if applicable), and (4) server operating system and RDBMS platforms in use?
     Physical server count - 35
     Virtual server count - 163
     AD domains - 1
     Server OS - Windows 2016, 2012R2, 2008, 2003, RedHat Linux, Oracle Linux, Ubuntu Linux
     RDBMS - Oracle, Microsoft SQL, FileMaker
  6. Will there be a preference given to in-state vendors?
     No.

HIPAA Risk Assessment-related

  1. The risk assessment is only limited to the HIPAA Security Rule, correct? (The Privacy Rule is not in-scope.)
     The risk assessment should satisfy the mandatory requirement under the HIPAA Security Rule. However, the overall gap analysis of the HIPAA environment should evaluate the University’s compliance with the Security, Privacy, and Breach rules as well as HITECH.
  2. How many facilities/departments are expected to be in-scope?
     Student Health Center
     Counseling Center
     Speech Pathology
     Athletic Training
     Human Resources (University is self-insured)
     Information Systems and Technology
     Academics - researchers who may be using HIPAA data
     Any others that may be revealed during the overall assessment.
  3. How many systems handle electronic protected health information (ePHI)?
     UCA Student Health - 41
  4. What are the systems that handle ePHI and for what purpose?
     Medicat - EHR system
     IVS - video recording and playback of speech pathology client sessions
     X-ray machine
     Network drives
  5. Are all systems that handle ePHI in a centralized location? (e.g., centrally managed data center)
     No. There is a standalone x-ray machine in SHC that stores digital images. There is also the potential for academic research data containing ePHI that is housed outside the UCA datacenter.
  6. Does the University utilize any third-party hosting services or cloud-based services for processing, storage, or transmission of ePHI? If yes, could you please list the vendors and their purpose?
     Gmail for University email. Labs will submit invoices via email.
  7. Does the University utilize any third-party service providers for any aspect of the IT environment/IT operations at the University? If yes, could you please list the vendors and their purpose?
     Google - G Suite for Education (faculty, staff, and students)
     Blackboard - hosted learning management system
     Clickatell - used to send out appointment reminders
     Raiser’s Edge - fundraising application
     Microsoft - Office 365 is not used for email but is used for Office applications on personally owned devices
     Ticketing systems used by Athletics and the Reynolds Performance Hall.
  8. Can users access systems that handle ePHI via mobile devices?
     They can make an appointment on their mobile device but cannot access the clinical notes portion of the EHR system.
  9. Does the University issue tablets and/or smartphones that are authorized to access systems that handle ePHI?
     We do not have any tablets. We do have a phone, but we haven’t used it in months since we started texting appointment reminders.
  10. Does the University allow BYOD mobile devices to be used?
     Yes, but not for access to ePHI.

PCI DSS Risk Assessment-related

  1. What merchant level is the University?
     Program Level 4
  2. Has the University had a report on compliance (ROC) audit performed in the past?
     No.
  3. Is the University’s cardholder data environment (CDE) segmented from the rest of the University’s networks and systems?
     Not at this time.
  4. How many systems/applications acquire, process, store, or transmit cardholder data?
     Cashnet - student tuition and fee payment (online)
     Bear Card - run through Blackboard (online and point-of-sale)
     Vendini - Reynolds Performance ticketing software (online and point-of-sale)
     Authorize.net - used by Outreach (point-of-sale)
     Credit card point-of-sale terminals - eight locations (multiple terminals depending on location)
  5. How many locations are part of the cardholder data environment?
     We have eight department locations with an online presence for the areas noted above.
     In addition, Aramark operates from our campus using our band for their credit card sales transactions.
     The Athletics office utilizes a software called Ticket Return to process their transactions, similar to PayPal.
     An additional eight locations utilize a point-of-sale credit card terminal that is chip compliant.
  6. Could you please describe the means by which the University acquires cardholder data and the number of point-of-sale systems?
     Customers can present their card at the point-of-sale systems to be swiped or inserted for cards with the chip. The data is transmitted and processed at our processor, Elavon. There are currently 8 departments on campus utilizing a point-of-sale system.
     Customers can go online and complete the payment process by entering the credit card information into one of the online locations listed above in question #2. No data is stored on site.
  7. Does the University utilize mobile point-of-sale systems (e.g., Square)?
     Yes, Square.
  8. For the PCI DSS risk assessment deliverable, does the University expect the consultant to gauge the alignment of controls as described in a PCI Report on Compliance (ROC) or one of the self-assessment questionnaires (SAQs)? If one of the SAQs, which will apply?
     PCI SAQ. The successful bidder will recommend the correct version.
  9. Alternatively, would the University prefer the consultant to assess risk as it applies to meeting each of the 12 requirements under PCI DSS in a broader manner versus a sub-requirement/control-by-control analysis?
     We would like both the PCI SAQ and the sub-requirement/control-by-control analysis.
  10. Has the University engaged an approved scanning vendor (ASV) to conduct the required quarterly vulnerability assessment scans and the annual penetration testing?
     Not yet.

Securance Consulting

PCI Compliance Review

  1. Does UCA require that the vendor be a Qualified Security Assessor (QSA) to complete the PCI compliance portion of the project?
     Yes.
  2. For PCI, what is UCA’s merchant level designation (i.e., Level 1, 2, 3 or 4)?
     Program Level 4.

HIPAA Compliance Review

  1. Which departments are included in the scope of the HIPAA compliance review?
     Student Health Center
     Speech Communications and Disorders
     Human Resources (University is self-insured)
     Information Technology
     Athletic Training
     Counseling Center
     Academics - researchers who may be using HIPAA data
     Any others that may be revealed during the overall assessment.
  2. How many total physical locations are included in the scope of the HIPAA compliance review?
     One. Several buildings on the Conway, AR campus.
  3. Does UCA have documented HIPAA policies and procedures?
     Some.
  4. Is there a designated Security and Privacy Officer?
     Yes. We have a designated Security Officer and a designated Privacy Officer. They are not the same person.

Technical Testing

  1. Is vulnerability assessment and penetration testing included in the scope of this effort?
     No. UCA will provide the successful bidder a copy of its most recent IT security audit findings (June 2017).
  2. Does the vendor need to perform detailed application security testing? If so, how many applications are in scope? Of these, how many are web applications?
     Yes, one locally hosted.
  3. Are there any databases that the vendor will need to test? If so, how many?
     Yes, two. Medicat and Ellucian Banner.
  4. Are server configuration reviews desired? If so, what operating systems are in scope?
     No. UCA will provide the successful bidder a copy of its most recent IT security audit findings (June 2017).
  5. Does UCA want the vendor to review the configurations of firewalls and network devices?
     No. UCA will provide the successful bidder a copy of its most recent IT security audit findings (June 2017).
  6. Is wireless network testing desired?
     No. UCA will provide the successful bidder a copy of its most recent IT security audit findings (June 2017).
  7. Is social engineering in scope? If so, what techniques are desired (email phishing, phone pretexting, and/or physical social engineering), and how many users/locations are in scope?
     No. UCA will provide the successful bidder a copy of its most recent IT security audit findings (June 2017).

General Inquiries

  1. When was UCA’s last risk assessment performed?
     General IT security audit annually. HIPAA risk assessment, unknown. PCI risk assessment, 2015.
  2. Is the IT organization centralized or decentralized?
     Hybrid. Core services are centralized. Computer purchasing and software purchases are decentralized.
  3. Has UCA adopted a security control framework? If so, which one?
     No, but we are interested in using the NIST Cybersecurity Framework as our overarching guiding tool. Therefore, having a baseline assessment of where we are with our alignment to that standard would be extremely useful.
  4. Are general security policies, procedures and standards documented?
     Some.