Specifications include, but are not limited to:

1. Annual Security Risk Assessment (SRA) and Remediation Progress Assessment (RPA)

Purpose:
• Conduct an annual Security Risk Assessment (SRA) of policies, controls and procedures within the District’s information security governance framework that may not adhere to regulatory and third-party requirements or “best practices”, as noted in Section II of this exhibit.
• Conduct an SRA Risk Remediation Progress Assessment within 6 months of the SRA.

Desired Elements:
• Review relevant documentation including (but not limited to) policies and procedures, training and educational programs, technical documents (network diagrams, hardware and application technical standards), and evidence of monitoring activities (reports, corrective action plans, et al.).
• Interview key stakeholders across multiple departments and specialties including (but not limited to) information technology, clinical/ambulatory care, ancillary services, compliance, human resources, law enforcement, and facility maintenance.
• Evaluate gathered evidence via transaction testing, observation, document review, or other appropriate analytical method(s).

2. Semi-Annual Penetration Testing

Purpose:
• Perform a technical penetration test of the District’s internal and external network IP address ranges and selected business-critical systems and components.
• Identify, evaluate, and prioritize exploitable vulnerabilities capable of allowing unauthorized access or causing a denial of service.

Subject to the Qualifying Conditions as stated below, the following information assets are candidates for technical penetration testing:
  o Infrastructure (network routers, switches, firewalls, DNS servers, load balancers, wireless controllers, and access points);
  o Servers (authentication, file/print, application, and database servers); and
  o Endpoints (stationary desktop workstations, mobile devices (laptops, tablets, smartphones), and network-connected medical devices).

Desired Elements:
• Conduct scheduled scans to identify potential vulnerabilities, using suitable network vulnerability scanning tools.
• Deploy hardware and/or software data packet analysis tools to capture and analyze network traffic.
• Perform simulated exploitations to confirm actual vulnerabilities and eliminate “false positives”.

3. Medical Device Security Program Development and Annual Medical Device Security Program Risk Assessment (Years 2 & 3)

Purpose:
• Develop a Medical Device Security Program component within the District’s overall Information Security Program, which includes the development of documented policies, standards, and processes for assessing, managing and remediating risks associated with the District’s connected medical devices.
• Perform an annual Medical Device Security Risk Assessment of the new program (years 2 and 3).

Desired Elements:
• The Medical Device Security Program component will establish and document perpetual risk assessment processes, and supporting risk management, remediation and mitigation processes and procedures designed to avoid disruption of patient care.
• An annual Medical Device Security Risk Assessment will be conducted in service years 2 and 3.