
Information Technology Risk Assessment
Caitlyn Raymond International Registry

April 2012

Contents

Executive Summary
Environment Overview
Findings Overview
Detailed Findings (page 11)
Appendix (page 26)

2012 Grant Thornton LLP. All rights reserved.

Information Technology Risk Assessment-Caitlyn Raymond International Registry

Executive Summary

Grant Thornton, LLP was engaged by the Caitlin Raymond International Registry (CRIR) to perform
an information technology risk assessment based on the ISO 27002 security standard. This assessment
was conducted between February and April 2012 and was intended to provide CRIR with information
about risks that could affect the availability of its technology and information systems or the
confidentiality and integrity of the information contained within them. During this assessment Grant
Thornton conducted:

• Interviews with key stakeholders and technology staff
• Detailed system and application configuration reviews
• Network vulnerability scanning
• Onsite hands-on system configuration reviews

Our assessment determined that CRIR has done a good job developing and maintaining proprietary applications that support the organization's business operations. However, we identified a number of issues within the underlying technology infrastructure that present a significant risk to the organization. These issues stem from recent staffing changes that have left the organization with inadequate internal resources to support the network or server infrastructure. Specifically, CRIR's application development team is attempting to perform server and network administration tasks that they do not have the skillset or time to complete effectively.
As a result, CRIR's technology infrastructure is aging and not well maintained. Some of the hardware, software and operating systems supporting critical applications are over ten years old and are no longer supported by the manufacturers. Servers and network devices have not been built with secure configurations and are susceptible to common vulnerabilities. Regular maintenance activities including patching, backups and vulnerability management are either not being performed or are being performed ineffectively.
To address these issues with the technology infrastructure, we suggest that Caitlyn Raymond take action immediately. First, the organization should look to hire a minimum of one, but ideally two, network / system administrators whose sole focus is to support the technology infrastructure. Next, the organization should plan a technology refresh, replacing unsupported hardware, software and operating systems with updated technology.


As an alternative to hiring new staff to support the technology infrastructure, Caitlyn Raymond could also look to outsource its data center and support functions to a 3rd party hosting and managed services provider. The organization could also look to merge these functions with UMass Memorial, and allow the technology teams at the hospital to handle these critical tasks.


Project Scope and Approach

In the spring of 2012, Grant Thornton was contracted by the Caitlyn Raymond International Registry
to conduct a risk assessment of its technology infrastructure and applications based on the ISO 27002
information security standard. The focus of the assessment was the infrastructure and core functionality
of CRIR with an emphasis on the Intranet application and supporting technologies including web
based services, databases and communications technology, as these govern the majority of CRIR
business functions including its Donor and Patient transactions.
ISO 27002 is an internationally recognized standard for information security that evaluates risks to the confidentiality, integrity and availability of information assets. The standard comprises a number of high-level sections, as described below:

• Information risk management policies and procedures
• Security institution
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communication and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance

Grant Thornton conducted its assessment of Caitlyn Raymond's technology infrastructure through a combination of the following activities:

• Conducting interviews with key functional and technical personnel
• Performing hands-on system configuration reviews
• Reviewing documentation provided by Caitlyn Raymond
• Using automated tools to collect information on device configuration
• Performing vulnerability scans using automated tools


Environment Overview

CRIR Overview

CRIR is a nonprofit organization affiliated with UMass Memorial Medical Center in Massachusetts.
CRIR was originally established in 1986 as a unit within the Division of Hematology-Oncology of the
Department of Pediatrics at the University of Massachusetts Medical Center specifically as a
coordinating center for conducting national and international searches for unrelated donors.
CRIR maintains Hub Status in Bone Marrow Donors Worldwide and the European Marrow Donor
Information System, maintains an affiliation with the National Marrow Donor Program, and is a
member registry of the World Marrow Donor Association (WMDA).
Today, the Caitlin Raymond International Registry accesses 89 bone marrow donor registries and cord
blood banks worldwide and has performed a search for more than 64,000 patients. Since its inception,
the Caitlin Raymond International Registry has remained a comprehensive resource for patients and
physicians conducting a search for unrelated bone marrow or cord blood donors.
Information Technology Overview

Caitlyn Raymond's information technology department has built a proprietary application that allows employees to administer patients and donors in an efficient and effective manner.
This system was originally developed in the 1980s using RBase. In the late 1990s, MS Access was introduced as a front-end and patient and donor data was moved into a MS SQL database. Recently, a web-based front-end has replaced Access as the primary application interface, providing a more flexible and secure framework.
This application, referred to internally as The Intranet, is a complex system with numerous modules and acts as an ERP (enterprise resource planning) system for the organization. The Intranet supports both front-office operations, i.e. managing donor and patient registration and matching, as well as back-office functions such as the general ledger, AP / AR and an IT ticketing system. The full list of modules can be found below:

• Collection of Stem Cells: Donor and patient receiving
• Donor Testing Services: Test and register new donors
• Intranet: Administration of modules
• IS Module: IS Project / Inventory Devices / "Internal SharePoint"
• Recruitment: Used for recruiting new donors
• Report Tracker: Used to track documents from within the application
• Sample Processing: Management of DNA samples from new donors
• Ticketing System: IT or operations related tickets
• Finance Modules: Finance

Users of The Intranet are only allowed to access particular modules based on their logon credentials. During our assessment, we walked through the user authentication process and evaluated the security controls in place to prevent unauthorized access. A high-level description of the authentication process can be found below:

At Login:
• Validate the user's credentials
• Check whether the user's password has expired and needs to be changed
• Check whether the user account is blocked due to failed login attempts:
  o After one failed login attempt, the account is blocked for 15 seconds
  o After two failed login attempts, the account is blocked for 45 seconds
  o After three failed login attempts, the account is blocked for 15 minutes and IT staff is notified via email
• Create a new session: both session start and session regenerate ID are used
• Create a hashed user agent and session string to be stored in the session data and in the user's cookies
• The session data is stored in a database protected with a username and password

When an application page loads:
• Check session expiration
• Set the session's time to 90 minutes
• Verify that the user agent matches the session data and cookies
• Prevent SQL injection by using custom SQL statements before change commands are permitted
• Check that the IP address is within the defined range
• Verify user authentication
• Verify user permissions for the content
• Update the corresponding tables

At Session Close:
• Terminate session connections
• Delete the session cookie
• Delete the hashed session information from the database
• Return the user to the login page
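The login, page-load and session-close checks listed above, modelled as an added Python example; this is not the Intranet's own code (the report does not state the application's language). The lockout schedule, the 90-minute session window, the hashed user agent kept in both the session data and the cookie, the IP range check and the per-module permission check follow the description; the allowed network 192.0.2.0/24, the HMAC key, the in-memory account and session stores and the list standing in for the email to IT staff are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass

# Lockout schedule from the report: 1st failure 15 s, 2nd 45 s,
# 3rd and later 15 minutes plus an email notification to IT staff.
LOCKOUT_SECONDS = {1: 15, 2: 45}
LOCKOUT_MAX_SECONDS = 15 * 60
SESSION_TTL_SECONDS = 90 * 60          # session time is set to 90 minutes on each page load
ALLOWED_NETWORK = ipaddress.ip_network("192.0.2.0/24")   # constructed "defined range"
SERVER_KEY = secrets.token_bytes(32)   # constructed server-side key for the HMAC hashes


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    modules: set                       # modules this user may access
    failures: int = 0
    blocked_until: float = 0.0
    password_expired: bool = False


@dataclass
class Session:
    user: str
    ua_hash: str                       # hashed user agent, also placed in the cookie
    token_hash: str                    # hash of the random session string in the cookie
    expires_at: float


sessions: dict = {}                    # session id -> Session (stands in for the DB table)
it_notifications: list = []            # stands in for the email sent to IT staff


def _hash(value: str) -> str:
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_account(password: str, modules: set) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, _password_hash(password, salt), modules)


def login(accounts: dict, user: str, password: str, user_agent: str, now: float):
    """Return (status, cookie); cookie is None unless status is 'ok'."""
    acct = accounts.get(user)
    if acct is None:
        return "invalid", None
    if now < acct.blocked_until:
        return "blocked", None
    if not hmac.compare_digest(_password_hash(password, acct.salt), acct.password_hash):
        acct.failures += 1
        if acct.failures >= 3:
            acct.blocked_until = now + LOCKOUT_MAX_SECONDS
            it_notifications.append(f"{user}: 3 failed login attempts")
        else:
            acct.blocked_until = now + LOCKOUT_SECONDS[acct.failures]
        return "invalid", None
    acct.failures = 0
    if acct.password_expired:
        return "password_expired", None
    # A fresh, unguessable session id on every login (the session regenerate ID step).
    sid, token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    ua_hash = _hash(user_agent)
    sessions[sid] = Session(user, ua_hash, _hash(token), now + SESSION_TTL_SECONDS)
    return "ok", {"sid": sid, "token": token, "ua": ua_hash}


def page_load(accounts: dict, cookie: dict, user_agent: str, client_ip: str,
              module: str, now: float) -> str:
    """Checks run on every page load; returns 'ok' or the reason the request is refused."""
    sid = cookie.get("sid")
    sess = sessions.get(sid)
    if sess is None or now > sess.expires_at:
        sessions.pop(sid, None)
        return "session_expired"
    sess.expires_at = now + SESSION_TTL_SECONDS       # sliding 90-minute window
    # The user agent must match both the stored session data and the cookie,
    # and the cookie's session string must hash to the stored value.
    if not (hmac.compare_digest(_hash(user_agent), sess.ua_hash)
            and hmac.compare_digest(cookie.get("ua", ""), sess.ua_hash)
            and hmac.compare_digest(_hash(cookie.get("token", "")), sess.token_hash)):
        return "session_mismatch"
    if ipaddress.ip_address(client_ip) not in ALLOWED_NETWORK:
        return "ip_not_allowed"
    if module not in accounts[sess.user].modules:
        return "forbidden"
    return "ok"


def logout(cookie: dict) -> dict:
    """Session close: delete the server-side record and return an emptied cookie."""
    sessions.pop(cookie.get("sid"), None)
    return {}
```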


In our opinion, the controls that Caitlyn Raymond's application development team has implemented to prevent users from accessing data without authorization are adequate. In general, CRIR has followed the best practice of using layered authentication and multiple techniques to mitigate misuse, and this has significantly reduced the risk of compromise to the Intranet application.

Network Diagram

To support this application, Caitlyn Raymond operates a single data center located within its office facility in Worcester, Mass. A network diagram can be found below:

As can be seen in the diagram above, Caitlyn Raymond's network is a flat, layer-2 network. Users, servers and publicly accessible systems all reside on the same logical network and route by default to a Linksys edge / core firewall / router.
Caitlyn Raymond's public website is not hosted out of the Worcester, Mass data center, but instead is hosted at Rackspace, a 3rd party hosting provider. Email services are also outsourced to a cloud-based provider.
Caitlyn Raymond's VoIP phone system is provided and managed by the UMass Memorial Medical Center and utilizes a separate layer two switched network.

Server Inventory

The table below provides an inventory of servers supported by Caitlyn Raymond's information technology team:

Host Name | Operating System | Purchase Date | Server Type | CPU | Memory | Disk | Function
Comedian | WinXP | Aug-10 | HP Compaq dc5850 | AMD Phenom II X4 810 | 1.75GB | 220GB | EMDIS Application
Marvin | Suse Linux | Aug-05 | DELL PowerEdge 2800 | (2) 3.0 GHz / 2 MB Cache | 2GB DDR2 | 36GB, 36GB, 73GB, 73GB, 73GB, 73GB SCSI | Not working - MySQL Master, Network Backup to USB HD
Minerva | WinXP | 2003 | DealDepot | Intel Celeron | 512MB | 40GB | Workstation for Rebecca
Mycroft | Ubuntu Linux | Jun-08 | Vision | (2) AMD Athlon 64 X2 Dual Core Processor 4400 | 2GB DDR2 | 3x250GB | Dev Intranet and Dev MySQL
Nagasaki | Ubuntu Linux | Jun-08 | Vision | (2) AMD Athlon 64 X2 Dual Core Processor 4400 | 2GB DDR2 | 3x250GB | Live MySQL, CUPS Print Server, Network Backup to USB HD
NAS | - | Jul-09 | ReadyNAS 2TB Dual Gig RM NW | - | - | - | Network Storage (G:)
Server1 | Win2K Server | Sep-02 | DELL PowerEdge 1500SC | (2) 1.4 GHz / 512 Cache | 512 MB SDRAM | (2) 18GB 10K RPM Ultra 160 SCSI | Network Print Server, DNS, DHCP, Anti-virus Server, File Server, Active Directory, Automated Tasks
Terminator | Ubuntu Linux | Apr-08 | Vision | (2) AMD Opteron 1212 | 2GB DDR2 | 3x250GB | Not running
Terminator2 | Ubuntu Linux | Apr-08 | Vision | (2) AMD Opteron 1212 | 2GB DDR2 | 3x250GB | Live Intranet

Findings Overview

Risk categories

Based upon our review of the overall control environment of the company, we have identified a number of findings. Each of these findings has been classified as high, medium or low risk based on the following definitions:

High: A high risk finding is assigned to vulnerabilities that have a high threat or impact potential and could allow unauthorized privileged access, grant the ability to alter systems in some way, or leave the organization vulnerable to losses of sensitive information and potential financial penalties in the event of a breach. It is recommended that these findings are corrected immediately.

Medium: A medium risk finding is assigned to vulnerabilities that pose a moderate level of risk to the organization and could allow a threat access to systems with unprivileged access. Medium risk findings generally represent systematic organizational problems that often lead to the introduction of new high risk technical findings if they are not corrected.

Low: Low risk findings are areas that do not meet the best practices put forth in the ISO standard but at the same time pose little to no immediate risk to the environment. If low risk findings are not corrected, they often lead to the introduction of new medium and high risk technical and administrative findings.


Summary of Findings

Grant Thornton identified numerous issues within the Caitlyn Raymond technology infrastructure. A
summary can be found in the tables below:

Policy, Process and Organizational Issues

1. No information security policy (Risk: Med)
2. Information security responsibilities not defined (Risk: Low)
3. Information security processes, standards, and guidelines not established (Risk: Med)

Technical Issues

4. Use of out-of-warranty, out-of-date or unsupported hardware (Risk: High)
5. Use of consumer based products in an enterprise environment (Risk: High)
6. No patch or vulnerability management for operating systems or applications (Risk: High)
7. No server configuration standards / system hardening (Risk: High)
8. Use of unnecessary or undocumented services and applications (Risk: Med)
9. Use of administrator / root account to manage systems (Risk: High)
10. Remote access to Linux systems with root account is enabled (Risk: High)
11. Use of weak or default passwords (Risk: High)
12. IT administrators unable to access network devices (Risk: Low)
13. Broken processes for identity and authentication management (Risk: Med)
14. No system-state backups being taken (Risk: High)
15. Backup tapes stored in IT administrators' homes (Risk: High)
16. No disaster recovery plan / business continuity management (Risk: Med)
17. UPS devices not properly configured / maintained (Risk: Low)
18. Network diagram does not exist (Risk: Med)
19. Insecure wireless networking configuration (Risk: High)
20. No centralized logging / monitoring system (Risk: Med)
21. No network segmentation (Risk: Med)
22. Changes to Windows systems are made directly in production (Risk: Low)
23. No change control process (Risk: Med)
24. Insecure administrative access to 3rd party hosted web application server (Risk: High)
25. Use of insecure protocols for data transfer / system management (Risk: Med)
26. Desktop operating systems used to support server functions (Risk: Med)
27. Access to financial system controlled by Access Database front-end (Risk: Med)
28. Sensitive data not encrypted (Risk: Med)

People Issues

29. IT personnel lack server and network administration skills (Risk: High)
30. Understaffed (Risk: High)


Risk vs. Mitigation Effort

In the chart below we have mapped each of the findings in a three by three matrix based on risk and
mitigation effort. We recommend that Caitlyn Raymond address the high-risk findings with a low
mitigation effort first. These findings are located in the upper-left hand corner of the chart.
From there, we suggest working through the findings starting in the upper-left corner and working
down to the lower-right.

Risk HIGH / Mitigation Effort LOW:
• Use of administrator or root account to manage systems
• Remote access to Linux systems with root account is enabled
• Use of weak / default passwords
• No system state backups are taken
• Backup tapes stored in IT administrators' homes
• Insecure wireless configuration
• Insecure administrative access to 3rd party / hosted web applications

Risk HIGH / Mitigation Effort MEDIUM:
• Use of consumer based products in an enterprise environment
• No patch or vulnerability management for operating systems or applications
• No server configuration standards / system hardening

Risk HIGH / Mitigation Effort HIGH:
• Use of out-of-warranty or unsupported hardware, software and operating systems
• IT personnel lack server and network administration skills
• Understaffed

Risk MEDIUM / Mitigation Effort LOW:
• Broken process for identity and authentication management
• Network diagram does not exist
• No change control process
• Use of insecure protocols for data transfer / system management
• Sensitive data not encrypted

Risk MEDIUM / Mitigation Effort MEDIUM:
• No information security policy
• Information security processes, standards and guidelines not established
• Desktop operating systems used to support server functions
• Use of unnecessary or undocumented services and applications
• No network segmentation

Risk MEDIUM / Mitigation Effort HIGH:
• No disaster recovery plan / business continuity management
• No centralized logging / monitoring system
• Access to financial system controlled by Access Database front-end

Risk LOW / Mitigation Effort LOW:
• IT administrators unable to access network devices
• UPS devices not properly configured / maintained
• Changes to Windows systems are made directly in production

Risk LOW / Mitigation Effort MEDIUM:
• Information security responsibilities not defined


Detailed Findings
The detailed findings below list each finding category in detail. The intention is to call out the underlying cause of each vulnerability in the CRIR environment and present remediation options along with the estimated cost and effort associated with remediation.

Policy, Process and Organizational Issues

1. No Information Security Policy
Risk: Medium

Description: Caitlyn Raymond does not have an information security policy that describes:
• Its approach to addressing information security issues
• Organizational roles and responsibilities as they relate to information security
• Acceptable use of information technology systems and assets
• Other

Risk Analysis: Policies are the cornerstone of information security and compliance in any organization. Without an information security policy, an organization does not have a basis for identifying, assessing and managing risks.

Remediation Cost/Effort: Medium

Recommendations: CRIR can look to leverage the information security policies that have already been developed for the UMass Memorial Medical Center to build a security policy of its own and distribute it to all employees.

Ongoing Effort: The security policy will need to be reviewed on an annual basis to ensure it remains applicable to new technologies and emerging threats.

2. Information Security Responsibilities not Defined
Risk: Low

Description: Caitlyn Raymond does not define information security roles and responsibilities for all members of the organization. Typically, these roles and responsibilities are defined in an information security policy as described in Finding #1 above.

Risk Analysis: Without clearly defined roles and responsibilities for information security within the CRIR environment, there are several critical security and administration tasks that are not taking place.

Remediation Cost/Effort: Medium

Recommendations: CRIR needs to define information security roles and responsibilities for all employees.

Ongoing Effort: Information security roles should be periodically reviewed and updated to ensure they remain consistent with changes in organizational technology as well as new and emerging threats.

3. Information security processes, standards, and guidelines not established
Risk: Medium

Description: Caitlyn Raymond has not defined operational procedures to be executed by information technology that support information security. Examples of policies and procedures that should be developed include:
• Acceptable Use Policy
• Backup and Restoration Procedures
• Patch Management Procedures
• Vulnerability Management Procedures
• Identity and Authentication Management Procedures
• Password Policy and Reset Procedures
• Incident Response Policy
• Others

Risk Analysis: Without defined processes, standards and guidelines, the administration of servers and the network is conducted in a way in which security and risk within the environment cannot be measured or controlled by CRIR staff.

Remediation Cost/Effort: Medium

Recommendations: Security processes, standards and guidelines should be documented in the site's policies and procedures, and staff should be made aware of their responsibilities. All areas of administration should be documented, for example patch management, server updates, and creating and deleting users. It is very likely that UHMV already has this in place; CRIR should use it as a template for its own environment.

Ongoing Effort: This should be reviewed any time updates are made to the site's security policy.


Technical Issues

4. Use of out-of-warranty, out-of-date or unsupported hardware and software
Risk: High

Description: Caitlyn Raymond is utilizing hardware, software and operating systems that are no longer supported by the manufacturers. This includes numerous out-of-warranty servers and network devices as well as the use of the Windows 2000 / Ubuntu 8.1 operating systems.

Risk Analysis: Using out-of-date hardware not only affects system performance, but also leaves the organization susceptible to a sustained outage in the event that a system component fails and replacement parts are not readily available.
Using out-of-support operating systems leaves the organization susceptible to newly discovered vulnerabilities which are no longer patched by the vendor.

Remediation Cost/Effort: High

Recommendations: CRIR should develop a plan to replace the hardware, software and operating systems that are no longer under warranty or are no longer supported by their vendors.

Ongoing Effort: In addition, we recommend that CRIR builds a formalized process for system lifecycle management that plans for regular hardware, software and operating system upgrades to ensure that they do not fall out of support in the future.

5. Use of consumer based products in an enterprise environment
Risk: High

Description: CRIR has deployed a consumer grade Linksys device as its core router / edge firewall. Linksys is intended for home use and is not robust enough for a corporate environment.

Risk Analysis: Consumer grade networking equipment does not have the granular security features needed for a corporate environment.

Remediation Cost/Effort: Medium

Recommendations: Replace network equipment with business class devices.

Ongoing Effort: Once replaced, CRIR should make sure only business class devices are used moving forward.


6. No patch or vulnerability management for operating systems or applications
Risk: High

Description: Patches and updates are not being applied to servers, workstations and other devices.

Risk Analysis: By not applying patches, Caitlyn Raymond is leaving itself vulnerable to exploits from internal and external sources that could result in a breach of sensitive patient or donor data or system unavailability.

Remediation Cost/Effort: Medium

Recommendations: Develop a formal patch and vulnerability management plan, defining when and how patches will be tested and deployed.

Ongoing Effort: The patch management and vulnerability management program should be periodically reviewed to make sure it is functioning correctly.

7. No server configuration standards / system hardening
Risk: High

Description: CRIR has not developed system configuration standards for servers or network devices that harden them to prevent the most common information security vulnerabilities.

Risk Analysis: Servers that are installed out of the box without going through a formal hardening procedure could enter the network missing critical software or firmware patches, or even anti-virus definitions, increasing the threat to the network.

Remediation Cost/Effort: Medium

Recommendations: Create a checklist of security requirements that needs to be followed and use it when setting up any new equipment.

Ongoing Effort: Hardening procedures should be periodically evaluated to ensure they are current and best fit the organization.

8. Use of unnecessary or undocumented services and applications
Risk: Medium

Description: Servers and network devices on the Caitlyn Raymond network have numerous services enabled and configured that are not being utilized, including FTP, telnet, HTTP and many others.

Risk Analysis: Services are access points to the network; when no longer required they are often left unmonitored and vulnerable, creating a larger threat footprint for compromise. Services not in use also take up valuable system resources.
As an example, we have included the output of open services for the domain controller, which had a large number of services in use, including Gopher and POP2, which have not been required services for several years.

Remediation Cost/Effort: Medium

Recommendations: Disable unnecessary services and, if possible, determine why the service was enabled to begin with.

Ongoing Effort: Periodic review of open services should be conducted.

9. Use of administrator / root account to manage systems
Risk: High

Description: Caitlyn Raymond uses the root and / or administrator account to manage systems instead of using unique usernames attributable to each individual.

Risk Analysis: Administrator and root accounts are generic accounts that are not traceable back to an individual system administrator and often grant much higher levels of access than needed for basic administration.

Remediation Cost/Effort: Low

Recommendations: Admins should have personal accounts set up to log in and do basic administrative tasks. The password to the root and / or administrator accounts should be long and complex, and these accounts should only be used in the event of a disaster / emergency.

Ongoing Effort: Once in place, no follow-on effort should be required.

10. Remote access to Linux systems with root account is enabled
Risk: High

Description: Linux systems at Caitlyn Raymond are configured to allow remote access using the root account. This configuration enables an attacker who has compromised the system to gain full control.

Risk Analysis: The root account should be restricted to prevent system compromise and damage to the system. The root account has access to modify all aspects of the operating system, so any mistakes made will modify the system.

Remediation Cost/Effort: Low

Recommendations: Authorized users should use sudo to run operations that require root level privileges. Use of sudo allows accountability for changes to the system. Since the user must deliberately elevate privileges for the specific part of the system they wish to change, the chance of mistaken modifications is greatly reduced.

Ongoing Effort: Once in place, CRIR should ensure sudo is used for all remote administration.

11. Use of weak or default passwords
Risk: High

Description: Many systems on the Caitlyn Raymond network have been configured with weak or default administrative passwords.

Risk Analysis: Weak and/or default passwords are easily compromised by malicious users, granting them unauthorized access to systems and network resources.

Remediation Cost/Effort: Low

Recommendations: CRIR should change all default passwords, and require that all accounts, including service accounts, use strong passwords of at least 8 characters with a mix of capital letters, lower case letters, numbers and special characters.

Ongoing Effort: Once in place, CRIR should continue to enforce password requirements.

12. IT administrators unable to access network devices
Risk: Low

Description: IT administrators at Caitlyn Raymond have no understanding of how to access switches and other network devices. Not only were the management IP addresses unknown, but usernames, passwords and console access were unavailable as well.

Risk Analysis: With no level of access for the current staff, the devices are completely unmanaged and are not being administered in any way.

Remediation Cost/Effort: Low

Recommendations: Network staff should have full access and control over all network devices. The staff should console into each device, view the configuration, note management IP addresses and set up user-level access as appropriate.

Ongoing Effort: Moving forward, when anything is added to the network, staff should have appropriate access levels.

13. Broken processes for identity and authentication management
Risk: Medium

Description: Formalized processes for adding and removing system accounts have not been developed. In some instances, system administrators no longer with the company have accounts enabled.

Risk Analysis: Without strong identity and authentication management processes in place, an organization leaves itself susceptible to a compromise of information by a former employee.

Remediation Cost/Effort: Low

Recommendations: Remove or archive accounts of users that are no longer needed, and make sure all files and data that are saved have proper permissions set.

Ongoing Effort: Periodic review should be conducted to prevent this from building up in the future. This should be defined in processes and procedures.


14. No system-state backups being taken
Risk: High

Description: Caitlyn Raymond only backs up data residing on critical systems, but not the system state.
In addition, no backups are being taken of the configurations of key network devices.

Risk Analysis: Without system state backups, systems and applications will need to be re-built from scratch in the event of a disaster or failure of a critical system component, greatly elongating recovery timeframes.

Remediation Cost/Effort: Low

Recommendations: CRIR should develop a plan for backing up the system state of all servers. In addition, copies of network device configurations should be backed up.

Ongoing Effort: Once an appropriate backup solution is in place, it will need to be periodically updated to ensure it meets CRIR requirements.

15. Backup tapes stored in IT administrators' homes
Risk: High

Description: Backup tapes are being stored offsite in the network administrator's house, car, etc.

Risk Analysis: While backup tapes should be stored offsite so that they may be accessed in the event of a disaster, they should never be stored in an employee's home because the risk of theft or other compromise is greatly increased.

Remediation Cost/Effort: Low

Recommendations: Tapes should be kept in a fireproof safe in a secure offsite facility such as Iron Mountain or in a bank safety deposit box. Alternatively, CRIR could store tapes in another facility that is a part of the UMass Memorial Medical Center network.

Ongoing Effort: Tape management should be periodically reviewed for effectiveness.

16. No disaster recovery plan / business continuity management
Risk: Medium

Description: Caitlyn Raymond does not have a formal disaster recovery or business continuity plan.

Risk Analysis: If a situation occurred in which staff were unable to get to the CRIR office, or the office was destroyed, the network and data would experience an extended outage.

Remediation Cost/Effort: High

Recommendations: CRIR should work with UHMV to determine if there is an existing location that CRIR could restore their servers and critical data to, and that staff could work from, until the primary site was available again.

Ongoing Effort: Once developed, the plan should be reviewed by IT and executive management at least yearly to ensure it covers all CRIR recovery needs.

17. UPS devices not properly configured / maintained

Low

Description

The UPS devices in the Caitlyn Raymond data center are not configured properly and have not had regular annual maintenance done since their implementation.

Risk Analysis

Improper configuration / maintenance could cause UPS units to fail at the time of an incident. There is currently no generator backup for the CRIR environment.

Remediation Cost/Effort

Medium

Recommendations

Work to properly configure the UPS systems to fail over to generator power or to perform a graceful shutdown of the network once battery power has dropped. If it is determined that power outages must be prevented, CRIR should work to have the network placed on a generator backup system.

Ongoing Effort

Power management will need to be re-evaluated whenever network changes occur.

18. Detailed documentation of the network and communications links does not exist

Medium

Description

Caitlyn Raymond does not have a network diagram or documentation of network device configuration.

Risk Analysis

Without documentation of the network and the communication links it would be very difficult for CRIR to troubleshoot any communication/networking issues with the network.

Remediation Cost/Effort

Low

Recommendations

Grant Thornton has provided a detailed Visio diagram as part of this assessment.

Ongoing Effort

The Visio diagram should be updated any time a network change takes place.


19. Insecure wireless networking configuration

High

Description

Caitlyn Raymond has a wireless access point on its network but has not applied basic system security parameters that would prevent unauthorized access.
Note: This device is currently unused by CRIR personnel.

Risk Analysis

The wireless implementation was a commercial wireless router using WPA for authentication. WPA is easily cracked using readily available free utilities, which could allow unauthorized access to the network.

Remediation Cost/Effort

Low

Recommendations

It was determined that wireless was no longer needed by the staff at CRIR, and the device was powered off. If the device is not required it should be permanently removed from the network.

Ongoing Effort

If it is determined in the future that wireless is needed, a business class device that uses more robust security should be purchased and used.

20. No centralized logging / monitoring system

Medium

Description

Caitlyn Raymond has not deployed a centralized system for logging system access or event logs.
Further, no process for reviewing system access or event logs stored locally on individual servers or network devices has been put in place.

Risk Analysis

Without centralized event logging and monitoring, IT administrators will not be able to detect malicious activity on the CRIR network or easily determine the root cause of system and network issues.

Remediation Cost/Effort

High

Recommendations

Deploy a centralized logging and monitoring system that will alert IT administrators when key events occur and provide access reports to management on a regular basis.
Alternatively, Caitlyn Raymond could leverage any logging and monitoring system already deployed by the UMass Memorial Medical Center or turn to a 3rd party service to provide this functionality.

Ongoing Effort

Monitoring and logging will need to be periodically evaluated and updated to ensure it is best meeting the organization's needs.
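A minimal version of the alerting described in the recommendation above, as an added example that is not part of the report: the constructed syslog lines below stand in for what a central collector would receive from several hosts, and the review function flags the kinds of key events an administrator should be alerted on (a burst of failed logins from one source, an interactive root login, a kernel error). Hostnames, addresses and the five-failure threshold are assumptions.

```python
"""Centralized log review over syslog lines collected from several hosts.

Added example, not part of the Grant Thornton report or CRIR's systems.
The log lines, hostnames and addresses are constructed; the threshold is an
assumption to be tuned for the environment."""
import re
from collections import defaultdict

# Constructed sample lines as they would arrive at a central collector.
SAMPLE_LOG = """\
Apr 12 08:01:10 srv-db1 sshd[2211]: Failed password for root from 192.0.2.44 port 51022 ssh2
Apr 12 08:01:12 srv-db1 sshd[2211]: Failed password for root from 192.0.2.44 port 51023 ssh2
Apr 12 08:01:15 srv-db1 sshd[2211]: Failed password for root from 192.0.2.44 port 51024 ssh2
Apr 12 08:01:17 srv-db1 sshd[2211]: Failed password for root from 192.0.2.44 port 51025 ssh2
Apr 12 08:01:19 srv-db1 sshd[2211]: Failed password for root from 192.0.2.44 port 51026 ssh2
Apr 12 08:02:30 srv-db1 sshd[2230]: Accepted password for root from 192.0.2.44 port 51030 ssh2
Apr 12 08:05:00 srv-web1 sshd[4412]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2
Apr 12 08:07:45 srv-web1 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/sbin/service httpd restart
Apr 12 08:09:02 srv-file1 kernel: sd 0:0:0:0: [sda] Unrecovered read error
"""

# Syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")

FAILED_LOGIN_THRESHOLD = 5  # assumption: alert at 5 failures per (host, source)


def parse_line(line):
    """Split one syslog line into fields; None if it does not match the format
    (such lines are counted, not silently dropped, by review())."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def review(log_text):
    """Return a list of alert strings for the key events found in log_text."""
    alerts = []
    failures = defaultdict(int)  # (host, source address) -> failed login count
    unparsed = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1
            continue
        host, msg = rec["host"], rec["msg"]
        if rec["prog"] == "sshd":
            f = FAILED_RE.search(msg)
            if f:
                key = (host, f["src"])
                failures[key] += 1
                if failures[key] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(f"{host}: {FAILED_LOGIN_THRESHOLD} failed logins from {f['src']}")
                continue
            a = ACCEPTED_RE.search(msg)
            if a and a["user"] == "root":
                # Direct root logins over the network are finding 10 in this report.
                alerts.append(f"{host}: interactive root login from {a['src']}")
        elif rec["prog"] == "kernel" and "error" in msg.lower():
            alerts.append(f"{host}: kernel error: {msg}")
    if unparsed:
        alerts.append(f"collector: {unparsed} unparsed line(s)")
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

On the sample above the review produces three alerts: the fifth failed root login from 192.0.2.44, the root login that succeeds shortly afterwards on the same host, and the disk read error on srv-file1. The point of collecting centrally is visible in the first two: both come from one source but would be split across separate local logs and easily missed if each server were reviewed on its own.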


21. No network segmentation

Medium

Description

Caitlyn Raymond has deployed a flat, layer two network without VLANs. Regular users have not been placed in a different segment than IT administrators, servers or publicly accessible systems.

Risk Analysis

Without network level segmentation, IT administrators are unable to control which systems users on the internal network have access to. Effectively all users have the ability to access all CRIR systems using any available service.

Remediation Cost/Effort

Medium

Recommendations

Implement multiple VLANs to separate traffic. At a minimum, donor, patient, server, IT and DMZ VLANs should be deployed along with the associated access control lists.

Ongoing Effort

Network segmentation will need to be evaluated any time an organizational or network change takes place.

22. Changes to Windows systems are made directly in production

Medium

Description

Caitlyn Raymond updates its Microsoft Windows environment without first testing changes in a development environment.

Risk Analysis

Updating systems in production prior to testing could cause system instability or failure. If a mistake is made or a patch does not install correctly it will directly affect the production network.

Remediation Cost/Effort

Low

Recommendations

Test all changes to the production systems in a lab environment before applying them. Use of VMware or other virtualization technologies can simplify this effort.

Ongoing Effort

Once a test environment is in place, CRIR should ensure that testing prior to deployment to the production network is done moving forward.

23. No change control process

Medium

Description

A formal change control process is not in place for servers, operating systems, network devices or applications.

Risk Analysis

Network systems need periodic updates and configuration changes for proper operation. Without an appropriate process governing how and when system and network changes can take place, changes that are needed could be missed or changes that are implemented incorrectly could damage the network.

Remediation Cost/Effort

Low

Recommendations

Develop a change control program listing how and when changes can take place on the network, including documentation for approval and back-out procedures in case the change needs to be undone.

Ongoing Effort

Change control should be periodically reviewed and modified to best fit CRIR operations.

24. Insecure administrative access to 3rd party hosted web application server

High

Description

Caitlyn Raymond has not set up secure access to applications hosted with 3rd parties, including its email system and public web site.

Risk Analysis

Insecure communication protocols used for remote administration can be intercepted by an attacker. Use of any clear text or unencrypted protocols over the internet provides an open attack vector for compromise.

Remediation Cost/Effort

Low

Recommendations

Administrators should use a secure protocol such as SSH for remote administration.

Ongoing Effort

CRIR should periodically review communication protocols and make certain they are providing appropriate security.

25. Use of insecure protocols for data transfer / system management

Medium

Description

Caitlyn Raymond uses telnet, FTP, HTTP and other unencrypted protocols to manage server and network resources.

Risk Analysis

Weak encryption protocols such as older versions of SSL and weak communications protocols such as Telnet and FTP are in use throughout the CRIR network. Weak encryption can be easily intercepted and monitored.

Remediation Cost/Effort

Low

Recommendations

Insecure management protocols should be disabled. Only encrypted communication protocols should be used to manage servers and network devices.

Ongoing Effort

CRIR should periodically review what is being used for network traffic encryption and communications and make sure it is both up to date and secure.
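For findings 24 and 25, the periodic review recommended above can be partly automated by checking what each host is actually listening on. The script below is an added example, not tooling from the report or from CRIR: it parses listening sockets from Linux `netstat -tuln` style output and from Windows `netstat -an` style output, flags the cleartext management and transfer protocols named in the finding, and names the encrypted replacement for each. The netstat output, hostnames and addresses are constructed, and the port table is an assumption to be extended for the environment.

```python
"""Audit listening sockets for cleartext management / data transfer protocols
(telnet, FTP, HTTP, TFTP, SNMP v1/v2c, rsh) and report encrypted replacements.

Added example, not part of the Grant Thornton report or CRIR's tooling.
The netstat output below is constructed; hosts and addresses are made up."""
import re

# (transport, port) -> (protocol, recommended replacement). Assumed baseline table.
CLEARTEXT_PORTS = {
    ("tcp", 21): ("FTP", "SFTP or FTPS"),
    ("tcp", 23): ("telnet", "SSH"),
    ("tcp", 80): ("HTTP", "HTTPS (TLS 1.2 or later)"),
    ("tcp", 514): ("rsh", "SSH"),
    ("udp", 69): ("TFTP", "SCP or SFTP"),
    ("udp", 161): ("SNMP (v1/v2c unless v3 is enforced)", "SNMPv3 with authPriv"),
}

# Constructed Linux `netstat -tuln` style output for a hypothetical file server.
LINUX_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""

# Constructed Windows `netstat -an` style output for a hypothetical terminal server.
WINDOWS_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        192.0.2.55:50122       ESTABLISHED
  UDP    0.0.0.0:69             *:*
"""

ADDR_RE = re.compile(r"^(?P<addr>.*):(?P<port>\d+)$")


def listening_sockets(netstat_text):
    """Yield (transport, port) for each listening socket in Linux or Windows netstat output."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        proto = parts[0].lower()
        if proto.startswith("tcp"):
            base = "tcp"
        elif proto.startswith("udp"):
            base = "udp"
        else:
            continue  # header or non-socket line
        # The local address is the first column that looks like addr:port;
        # "0.0.0.0:*" and "*:*" do not match because the port must be numeric.
        local = next((p for p in parts[1:] if ADDR_RE.match(p)), None)
        if local is None:
            continue
        port = int(ADDR_RE.match(local)["port"])
        state = parts[-1].upper()
        # TCP sockets must be in a listening state; UDP sockets carry no state.
        if base == "tcp" and state not in ("LISTEN", "LISTENING"):
            continue
        yield base, port


def audit(host, netstat_text):
    """Return one finding string per cleartext protocol exposed on host."""
    findings = []
    for proto, port in sorted(set(listening_sockets(netstat_text))):
        if (proto, port) in CLEARTEXT_PORTS:
            name, fix = CLEARTEXT_PORTS[(proto, port)]
            findings.append(f"{host}: {name} on {proto}/{port}; replace with {fix}")
    return findings


if __name__ == "__main__":
    for line in audit("srv-file1", LINUX_NETSTAT) + audit("ws-term1", WINDOWS_NETSTAT):
        print(line)
```

A port-based check is a starting point, not a verdict: port 80 may only redirect to HTTPS, port 161 may already be SNMPv3, and a service on a non-standard port is missed entirely, so each hit should be confirmed against the service configuration before it is disabled. Run from the host's own shell the output of the real `netstat` command can be fed to `audit()` in place of the constructed samples.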

26. Desktop operating systems used to support server functions

Medium

Description

The MDIS and Terminal Server systems at Caitlyn Raymond utilize Windows XP to support a server based function.

Risk Analysis

Desktop software does not have the security or stability of server class software and has a higher risk of compromise or failure.

Remediation Cost/Effort

Medium

Recommendations

Desktop operating systems should be replaced with server software.

Ongoing Effort

When services are deployed, CRIR should make sure that the system they are placed on supports them.

27. Access to financial system controlled by Access Database front-end

Medium

Description

Caitlyn Raymond's financial system has not been converted to a web-based format and is still accessed using an Access database.

Risk Analysis

Access is not scalable or secure enough to be deployed as a front end solution. The version of Access being used is no longer supported by the vendor.

Remediation Cost/Effort

High

Recommendations

CRIR should continue moving forward with plans to replace the Access front end with the solution they are using for the rest of the Internet application.

Ongoing Effort

Application staff should continue to replace solutions as they become obsolete.

28. Sensitive data not encrypted

Medium

Description

Donor and patient data stored in databases and flat files throughout the Caitlyn Raymond network is not encrypted.

Risk Analysis

Sensitive data, especially data containing PII (personally identifiable information) and financial data, will be the primary target if systems are compromised.

Remediation Cost/Effort

Low

Recommendations

Sensitive data should be stored in encrypted folders or be encrypted at the file level. This will add an additional layer of security should a system compromise take place. There are several free solutions available to CRIR, for example TrueCrypt for encrypted storage or GPG for file level encryption.

Ongoing Effort

CRIR should periodically review where sensitive data resides on the network and ensure it is being secured.
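The ongoing review recommended above first needs a way to find where sensitive data actually sits in flat files. As an added example that is not from the report or from CRIR, the script below walks a directory tree and counts, per file, values that look like US Social Security numbers, payment card numbers (filtered with the Luhn checksum) and e-mail addresses, reporting counts rather than the values themselves so the report can be shared without spreading the data. The sample files, identifiers and pattern set are constructed assumptions; registry-specific donor and patient identifiers would need their own patterns, and database and Access files need format-specific readers.

```python
"""Locate sensitive data at rest: walk a directory tree and report per file how
many values look like US SSNs, payment card numbers or e-mail addresses.

Added example, not part of the Grant Thornton report or CRIR's tooling.
The sample files are constructed in a temporary directory; the SSNs and card
number are well-known test values and the pattern set is an assumption."""
import os
import re
import tempfile
from collections import Counter

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".sql", ".xml", ".json"}


def luhn_ok(number):
    """Luhn checksum; drops most random digit runs that merely look like a card."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return a Counter of pattern hits (zero entries removed) for one text blob."""
    hits = Counter()
    hits["ssn"] += len(SSN_RE.findall(text))
    hits["card"] += sum(1 for m in CARD_RE.findall(text) if luhn_ok(m))
    hits["email"] += len(EMAIL_RE.findall(text))
    return +hits


def scan_tree(root):
    """Walk root and return {relative path: Counter} for files with any hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue  # Access .mdb, backups etc. need format-specific readers
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def build_sample_tree():
    """Create a constructed directory tree with test data; returns its path."""
    root = tempfile.mkdtemp(prefix="crir-scan-")
    os.makedirs(os.path.join(root, "donors"))
    with open(os.path.join(root, "donors", "export.csv"), "w", encoding="utf-8") as fh:
        fh.write("id,name,ssn,email\n")
        fh.write("1,Test Donor,078-05-1120,donor1@example.org\n")   # test SSN
        fh.write("2,Other Donor,219-09-9999,donor2@example.org\n")  # test SSN
    with open(os.path.join(root, "finance.txt"), "w", encoding="utf-8") as fh:
        fh.write("card 4111 1111 1111 1111 exp 01/14\n")  # test card, Luhn valid
        fh.write("ref 1234 5678 9012 3456\n")             # Luhn invalid, not counted
    with open(os.path.join(root, "readme.txt"), "w", encoding="utf-8") as fh:
        fh.write("No sensitive data here. Phone extension 1234.\n")
    return root


if __name__ == "__main__":
    for path, hits in sorted(scan_tree(build_sample_tree()).items()):
        print(path, dict(hits))
```

On the constructed tree the report lists `donors/export.csv` with two SSNs and two e-mail addresses and `finance.txt` with one card number; the Luhn-invalid reference number and the readme produce nothing. Files that show up are the candidates for the folder or file-level encryption the recommendation describes.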


People Issues

29. IT personnel lack server and network administration skills

High

Description

CRIR servers are not being adequately supported due to a lack of systems expertise and training of the staff. Servers at CRIR are showing signs of failure due to years of being run by staff who were not trained in systems administration or in what is required to maintain server functionality.

Risk Analysis

Almost all of the findings identified earlier in this report are attributable to a lack of system / network administration skills within the IT function at CRIR.

Remediation Cost/Effort

High

Recommendations

Staff need to be properly trained on server administration, or additional staff will need to be brought in to manage the network. A second option is to allow the UMass Memorial Medical Center or a 3rd party service provider to take over the responsibility for server and network management.

Ongoing Effort

As technology changes, training will need to be conducted to ensure staff remain knowledgeable on operations and administration of servers.

30. Understaffed

High

Description

There are not enough resources available to adequately manage the network. The current structure has two staff members splitting their time between network and server operations and their primary assignment of managing the Intranet application.

Risk Analysis

Almost all of the findings identified earlier in this report are attributable to a lack of system / network administration skills within the IT function at CRIR.

Remediation Cost/Effort

High

Recommendations

CRIR should consider hiring at least one additional resource that is trained in network and server administration. A second option for CRIR to consider is to outsource the network and server administration roles; this can be done within the UMass Memorial Medical Center system or with a 3rd party service provider.

Ongoing Effort

Staffing size should complement the size of CRIR operations and will need to be assessed whenever organizational changes take place.


Appendix A: Tools Utilized

Assessment Tools

Burp Suite
Function: Burp Suite is an integrated platform for performing security testing of web applications.
CRIR Service: Burp Suite was used to test the security of the Internet application at CRIR. The results of testing did not uncover any notable findings.

OWASP-ZAP (Open Web Application Security Project Zed Attack Proxy)
Function: The Zed Attack Proxy (ZAP) is an integrated testing tool for finding vulnerabilities in web applications. ZAP contains automated scanners as well as a set of manual tools to find security vulnerabilities.
CRIR Service: OWASP-ZAP was used to test the Internet application at CRIR for security and security bypass vulnerabilities. The results of testing did not uncover any notable findings.

Data Collection Scripts
Function: Basic system scripts used to automate the collection process for gathering system configurations. System configurations are reviewed for vulnerabilities and compliance.
CRIR Service: Data collection scripts were provided to CRIR to collect data from the Windows and Linux systems on the CRIR network. The data returned from the scripts was used to perform a systems configuration review of the CRIR systems.

Nessus Vulnerability Scanner
Function: Nessus is a network vulnerability scanner used to identify possible vulnerabilities on computer networks.
CRIR Service: Nessus was used to scan the CRIR network. The scan uncovered 163 unique vulnerabilities related to outdated systems and software as well as missing system patches and maintenance.

Nmap (Network Mapper)
Function: Nmap is a scanning tool used to discover hosts and services on a computer network.
CRIR Service: Nmap was used to identify unmanaged switches on the CRIR network.

TCPView
Function: TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections.
CRIR Service: TCPView was run to identify running services on the CRIR network. TCPView was able to identify an excessive number of services running on the CRIR network.


Appendix B: Outsourcing Analysis

One potential solution that will address many of the issues uncovered during this assessment is to outsource the data center and management of the technology infrastructure to the UMass Memorial Medical Center. In this model, Caitlyn Raymond's existing IT team will be able to focus on doing what they do best: developing and managing applications and databases to support the international registry. Server, network and data center support will be the responsibility of UMass's infrastructure team and be folded into their existing processes.
While Grant Thornton absolutely recommends this model for IT management as a solution for Caitlyn Raymond, there are a number of caveats that must be considered.

Technology Refresh Still Required

Even if Caitlyn Raymond migrates its technology infrastructure into UMass's datacenters, the underlying technology infrastructure will still need to be refreshed. This will include upgrading hardware, software and operating systems as well as applying secure configurations to all devices.
As a part of this process, Caitlyn Raymond will need to evaluate different options for their technology, including the use of physical vs. virtual servers, directly attached storage vs. NAS / SAN, utilization of cloud based technologies, shared vs. stand-alone database structures and a host of other key design choices.
If this exercise is not completed, Caitlyn Raymond will essentially be picking up a problem and moving it to another location without addressing the underlying issues.

Requirements Definition

While it is expected that UMass would take on the responsibility of managing and maintaining Caitlyn Raymond's technology infrastructure in this outsourced model, the registry will still be responsible for defining requirements for key IT processes for the hospital. For example, backup and patching schedules, system access policies, data classification systems, system configuration standards and numerous other items will still need to be developed by Caitlyn Raymond and communicated to UMass.

Responsibility Matrix

If Caitlyn Raymond does choose this model for IT management, the responsibility for addressing each of the findings in this report will be split between itself and the UMass Memorial Medical Center. In the chart below, we've assessed which entity will be responsible for addressing each finding:


Policy, Process and Organizational Issues

Finding [Responsibility]

1. No Information security policy [CRIR / UMASS]
2. Information security responsibilities not defined [CRIR / UMASS]
3. Information security processes, standards, and guidelines not established [UMASS]

Technical Issues

Finding [Responsibility]

4. Use of out-of warranty, out-of date or unsupported hardware [CRIR]
5. Use of consumer based products in an enterprise environment [CRIR]
6. No patch or vulnerability management for operating systems or applications [UMASS]
7. No server configuration standards / system hardening [CRIR / UMASS]
8. Use of unnecessary or undocumented services and applications [CRIR]
9. Use of administrator/ root account to manage systems [CRIR / UMASS]
10. Remote access to Linux systems with root account is enabled [CRIR / UMASS]
11. Use of weak / or default passwords [UMASS]
12. IT administrators unable to access network devices [UMASS]
13. Broken processes for identity and authentication management [UMASS]
14. No system-state backups being taken [UMASS]
15. Backup tapes stored in IT administrators homes [UMASS]
16. No disaster recovery plan / business continuity management [CRIR / UMASS]
17. UPS devices not properly configured / maintained [UMASS]
18. Network diagram does not exist [UMASS]
19. Insecure wireless networking configuration [UMASS]
20. No centralized logging / monitoring system [UMASS]
21. No network segmentation [UMASS]
22. Changes to Windows systems are made directly in production [UMASS]
23. No change control process [UMASS]
24. Insecure administrative access to 3rd party hosted web application server [UMASS]
25. Use of insecure protocols for data transfer / system management [CRIR / UMASS]
26. Desktop operating systems used to support server functions [CRIR]
27. Access to financial system controlled by Access Database front-end [CRIR]
28. Sensitive data not encrypted [CRIR]

People Issues

Finding [Responsibility]

29. IT personnel lack server and network administration skills [UMASS]
30. Understaffed [UMASS]

Grant Thornton LLP
All rights reserved.
U.S. member firm of Grant Thornton International Ltd.
This proposal is the work of Grant Thornton LLP, the U.S. member firm of Grant Thornton
International Ltd, and is in all respects subject to negotiation, agreement and signing of specific
contracts. The information contained within this document is intended only for the entity or person to
which it is addressed and contains confidential and/or proprietary material. Dissemination to third
parties, copying or use of this information is strictly prohibited without the prior written consent of
Grant Thornton LLP.