Assessment
Caitlyn Raymond International Registry
April 2012
Contents
Executive Summary
Environment Overview
Findings Overview
Detailed Findings ..... 11
Appendix ..... 26
Executive Summary
Grant Thornton, LLP was engaged by the Caitlin Raymond International Registry (CRIR) to perform
an information technology risk assessment based on the ISO 27002 security standard. This assessment
was conducted between February and April 2012 and was intended to provide CRIR with information
about risks that could affect the availability of its technology and information systems or the
confidentiality and integrity of the information contained within them. During this assessment Grant
Thornton conducted:
Our assessment determined that CRIR has done a good job developing and maintaining proprietary
applications that support the organization's business operations. However, we identified a number
of issues within the underlying technology infrastructure that present a significant risk to the
organization. These issues stem from recent staffing changes that have left the organization with
inadequate internal resources to support the network or server infrastructure. Specifically, CRIR's
application development team is attempting to perform server and network administration tasks that
they do not have the skillset or time to complete effectively.
As a result, CRIR's technology infrastructure is aging and not well maintained. Some of the hardware,
software and operating systems supporting critical applications are over ten years old and are no longer
supported by the manufacturers. Servers and network devices have not been built with secure
configurations and are susceptible to common vulnerabilities. Regular maintenance activities, including
patching, backups and vulnerability management, are either not being performed or are being
performed ineffectively.
To address these issues with the technology infrastructure, we suggest that Caitlyn Raymond take
action immediately. First, the organization should look to hire a minimum of one, but ideally two,
network / system administrators whose sole focus is to support the technology infrastructure. Next,
the organization should plan a technology refresh, replacing unsupported hardware, software and
operating systems with updated technology.
2|P a g e
As an alternative to hiring new staff to support the technology infrastructure, Caitlyn Raymond could
also look to outsource its data center and support functions to a 3rd party hosting and managed services
provider. The organization could also look to merge these functions with UMass Memorial and allow
the technology teams at the hospital to handle these critical tasks.
In the spring of 2012, Grant Thornton was contracted by the Caitlyn Raymond International Registry
to conduct a risk assessment of its technology infrastructure and applications based on the ISO 27002
information security standard. The focus of the assessment was the infrastructure and core functionality
of CRIR, with an emphasis on the Intranet application and supporting technologies including web-based
services, databases and communications technology, as these govern the majority of CRIR
business functions including its Donor and Patient transactions.
ISO 27002 is an internationally recognized standard for information security that evaluates risks to the
confidentiality, integrity and availability of information assets. The standard comprises a number
of high-level sections, as described below:
Grant Thornton conducted its assessment of Caitlyn Raymond's technology infrastructure through a
combination of the following activities:
Environment Overview
CRIR Overview
CRIR is a nonprofit organization affiliated with UMass Memorial Medical Center in Massachusetts.
CRIR was originally established in 1986 as a unit within the Division of Hematology-Oncology of the
Department of Pediatrics at the University of Massachusetts Medical Center specifically as a
coordinating center for conducting national and international searches for unrelated donors.
CRIR maintains Hub Status in Bone Marrow Donors Worldwide and the European Marrow Donor
Information System, maintains an affiliation with the National Marrow Donor Program, and is a
member registry of the World Marrow Donor Association (WMDA).
Today, the Caitlin Raymond International Registry accesses 89 bone marrow donor registries and cord
blood banks worldwide and has performed a search for more than 64,000 patients. Since its inception,
the Caitlin Raymond International Registry has remained a comprehensive resource for patients and
physicians conducting a search for unrelated bone marrow or cord blood donors.
Information Technology Overview
Caitlyn Raymond's information technology department has built a proprietary application that allows
employees to administer patients and donors in an efficient and effective manner.
This system was originally developed in the 1980s using RBase. In the late 1990s, MS Access was
introduced as a front-end and patient and donor data was moved into a MS SQL database. Recently, a
web-based front-end has replaced Access as the primary application interface, providing a more flexible
and secure framework.
This application, referred to internally as "The Intranet", is a complex system with numerous modules
and acts as an enterprise resource planning (ERP) system for the organization. The Intranet
supports both front-office operations (i.e. managing donor and patient registration and matching) as
well as back-office functions such as the general ledger, AP / AR and an IT ticketing system. The
full list of modules can be found below:
IS Module:
Recruitment:
Report Tracker:
Sample Processing:
Ticketing System:
Finance Modules:
Users of The Intranet are only allowed to access particular modules based on their logon credentials.
During our assessment, we walked through the user authentication process and evaluated the security
controls in place to prevent unauthorized access. A high-level description of the authentication process
can be found below:
At Login:
At Session Close:
In our opinion, the controls that Caitlyn Raymond's application development team has implemented to
prevent users from accessing data without authorization are adequate. In general, CRIR has adopted the
best practice of layered authentication and multiple techniques to mitigate misuse, and this has
significantly reduced the risk of compromise to the Intranet application.
Network Diagram
To support this application, Caitlyn Raymond operates a single data center located within its office
facility in Worcester, Mass. A network diagram can be found below:
As can be seen in the diagram above, Caitlyn Raymond's network is a flat, layer-2 network. Users,
servers and publicly accessible systems all reside on the same logical network and route by default to a
Linksys edge / core firewall / router.
Caitlyn Raymond's public website is not hosted out of the Worcester, Mass. data center, but instead is
hosted at Rackspace, a 3rd party hosting provider. Email services are also outsourced to a cloud-based
provider.
Caitlyn Raymond's VoIP phone system is provided and managed by the UMass Memorial Medical
Center and utilizes a separate layer-2 switched network.
Server Inventory
The table below provides an inventory of servers supported by Caitlyn Raymond's information technology team (blank cells are not present in this copy):

Host Name | Operating System | Warranty? | Purchase Date | Server Type | CPU | Memory | Disk | Function
Comedian | WinXP | | Aug-10 | HP Compaq dc5850 | AMD Phenom II X4 810 | 1.75GB | 220GB | EMDIS Application
Marvin | Suse Linux | | Aug-05 | DELL PowerEdge 2800 | | 2GB DDR2 | 36GB, 36GB, 73GB, 73GB, 73GB, 73GB SCSI |
Minerva | WinXP | | 2003 | DealDepot | Intel Celeron | 512MB | 40GB |
Mycroft | Ubuntu Linux | | Jun-08 | Vision | | 2GB DDR2 | 3x250GB |
Nagasaki | Ubuntu Linux | | Jun-08 | Vision | | 2GB DDR2 | 3x250GB |
(no host name) | | | Jul-09 | ReadyNAS | | 512 MB SDRAM | | NAS
Server1 | Win2K Server | | Sep-02 | DELL PowerEdge 1500SC | | | |
Terminator | Ubuntu Linux | | Apr-08 | Vision | (2) AMD Athlon(tm) 64 X2 Dual Core Processor 4400 | 2GB DDR2 | 3x250GB |
Terminator2 | Ubuntu Linux | | Apr-08 | Vision | (2) AMD Athlon(tm) 64 X2 Dual Core Processor 4400 | 2GB DDR2 | 3x250GB |

The Function column of the original table also contains the entries "Not running" and "Live Intranet", which cannot be attributed to a specific host in this copy.
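As an added example (not part of the report and not CRIR's own tooling), the check below applies the report's lifecycle concern to the inventory above: it flags each host whose purchase date or operating-system support status warrants a refresh. The assessment date, the five-year hardware threshold, the three-year end-of-support warning window and the vendor end-of-support dates for Windows 2000 and Windows XP are assumptions supplied here, not values from the report.

```python
"""Flag ageing or unsupported hosts in the CRIR inventory (added example, not CRIR code).
Assumed here: assessment date 2012-04-01, 5-year hardware threshold, 3-year warning
window, and vendor end-of-support dates for Windows 2000 and Windows XP."""
from datetime import date

ASSESSMENT_DATE = date(2012, 4, 1)   # assumed; the engagement ran Feb-Apr 2012
HARDWARE_AGE_YEARS = 5               # assumed refresh threshold
EOL_WARNING_YEARS = 3                # assumed: warn when support ends within 3 years
OS_END_OF_SUPPORT = {                # vendor extended-support end dates
    "Win2K Server": date(2010, 7, 13),
    "WinXP": date(2014, 4, 8),
}                                    # Linux hosts have no version recorded -> flagged
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# Constructed from the inventory table above: (host, OS, purchase date as printed).
INVENTORY = [
    ("Comedian", "WinXP", "Aug-10"), ("Marvin", "Suse Linux", "Aug-05"),
    ("Minerva", "WinXP", "2003"), ("Mycroft", "Ubuntu Linux", "Jun-08"),
    ("Nagasaki", "Ubuntu Linux", "Jun-08"), ("Server1", "Win2K Server", "Sep-02"),
    ("Terminator", "Ubuntu Linux", "Apr-08"), ("Terminator2", "Ubuntu Linux", "Apr-08"),
]

def parse_purchase(text):
    """Accept 'Mon-YY' or a bare 'YYYY'; a bare year is read as 1 January."""
    if "-" in text:
        mon, yy = text.split("-")
        return date(2000 + int(yy), MONTHS[mon], 1)
    return date(int(text), 1, 1)

def years_between(start, end):
    return (end - start).days / 365.25

def assess(inventory, today=ASSESSMENT_DATE):
    """Return {host: [flags]} for every host with at least one lifecycle concern."""
    findings = {}
    for host, os_name, purchased in inventory:
        flags = []
        if years_between(parse_purchase(purchased), today) > HARDWARE_AGE_YEARS:
            flags.append("hardware_over_%dy" % HARDWARE_AGE_YEARS)
        eol = OS_END_OF_SUPPORT.get(os_name)
        if eol is None:
            flags.append("os_version_unknown")   # support status cannot be confirmed
        elif eol <= today:
            flags.append("os_unsupported")
        elif years_between(today, eol) < EOL_WARNING_YEARS:
            flags.append("os_support_ends_soon")
        if flags:
            findings[host] = flags
    return findings
```

Run against the constructed inventory, every host is flagged: Server1 for both hardware age and an unsupported OS, Comedian and Minerva for Windows XP support ending within the warning window, and the Linux hosts because no version is recorded to check.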
Findings Overview
Risk categories
Based upon our review of the overall control environment of the company, we have identified a
number of findings. Each of these findings has been classified as high, medium or low risk based on
the following definitions:
High: A high-risk finding is assigned to vulnerabilities that have a high threat or impact
potential and could allow unauthorized privileged access, grant the ability to alter systems in
some way, or leave the organization vulnerable to losses of sensitive information and the
potential financial penalties in the event of a breach. It is recommended that these findings are
corrected immediately.
Medium: A medium-risk finding is assigned to vulnerabilities that pose a moderate level of
risk to the organization and could allow a threat actor access to systems with unprivileged access.
Medium-risk findings generally represent systematic organizational problems that often lead to
the introduction of new high-risk technical findings if they are not corrected.
Low: A low-risk finding covers areas that do not meet the best practices put forth in the ISO
standard but at the same time pose little to no immediate risk to the environment. If low-risk
findings are not corrected, they often lead to the introduction of new medium- and high-risk
technical and administrative findings.
Summary of Findings
Grant Thornton identified numerous issues within the Caitlyn Raymond technology infrastructure. A
summary can be found in the tables below (finding titles and the heading of the first category are not present in this copy):

# | Risk
1 | Med
2 | Low
3 | Med

Technical Issues
# | Risk
4 | High
5 | High
6 | High
7 | High
8 | Med
9 | High
10 | High
11 | High
12 | Low
13 | Med
14 | High
15 | High
16 | Med
17 | Low
18 | Med
19 | High
20 | Med
21 | Med
22 | Low
23 | Med
24 | High
25 | Med
26 | Med
27 | Med
28 | Med

People Issues
# | Risk
29 | High
30 | High
In the chart below we have mapped each of the findings in a three-by-three matrix based on risk and
mitigation effort. We recommend that Caitlyn Raymond address the high-risk findings with a low
mitigation effort first. These findings are located in the upper-left hand corner of the chart.
From there, we suggest working through the findings starting in the upper-left corner and working
down to the lower-right.
[Chart: findings plotted on a three-by-three matrix of Risk (Low / Medium / High) against Mitigation Effort (Low / Medium / High). The only entry legible in this copy is "Information security responsibilities not defined".]
Detailed Findings
The detailed findings below describe each category of finding in detail. The intention is to call out the
underlying cause of each vulnerability in the CRIR environment and present remediation options along with
the estimated cost and staffing effort associated with remediation.
Findings 1 to 3 (category heading and finding text not present in this copy)
Finding 1: Risk Medium; Remediation Cost/Effort Medium
Finding 2: Risk Low; Remediation Cost/Effort Medium
Finding 3: Risk Medium; Remediation Cost/Effort Medium
Technical Issues
Of the technical findings (4 to 28), only the following text is present in this copy; the finding titles are not.

Finding (server hardening)
Risk: High
Risk Analysis: Servers that are installed out of the box without going through a formal hardening
procedure could enter the network missing critical software or firmware patches or even anti-virus
definitions, increasing the threat to the network.
Remediation Cost/Effort: Medium

Finding (remote administration)
Risk: High
Remediation Cost/Effort: Low
Ongoing Effort: Once in place, CRIR should ensure sudo is used for all remote administration.

Finding (network device access)
Risk: Low
Risk Analysis: With no level of access for the current staff, the devices are completely unmanaged and
are not being administered in any way.
Remediation Cost/Effort: Low
Recommendations: Network staff should have full access and control over all network devices. The
staff should console into each device, view the configuration, note management IP addresses and set up
user-level access as appropriate.

Finding (UPS maintenance)
Risk: Low
Description: The UPS devices in the Caitlyn Raymond data center are not configured properly and have
not had regular annual maintenance done since their implementation.
Remediation Cost/Effort: Medium

Finding (service deployment)
Risk: Medium
Remediation Cost/Effort: Medium
Ongoing Effort: When services are deployed, CRIR should make sure that the system they are on
supports them.
People Issues
Finding 29: Risk High; Remediation Cost/Effort High
30. Understaffed: Risk High; Remediation Cost/Effort High
Assessment Tools

Tool | Function | CRIR Service
Burp Suite | Burp Suite is an integrated platform for performing security testing of web applications. | Burp Suite was used to test security of the Internet application at CRIR. The results of testing did not uncover any notable findings.
OWASP-ZAP (Open Web Application Security Project Zed Attack Proxy) | | OWASP-ZAP was used to test the Internet application at CRIR for security and security bypass vulnerabilities. The results of testing did not uncover any notable findings.
Nmap (Network Mapper) | |
TCPView | |
Appendix
Even if Caitlyn Raymond migrates its technology infrastructure into UMass's data centers, the
underlying technology infrastructure will still need to be refreshed. This will include upgrading
hardware, software and operating systems as well as applying secure configurations to all devices.
As a part of this process, Caitlyn Raymond will need to evaluate different options for its technology,
including the use of physical vs. virtual servers, directly attached storage vs. NAS / SAN, utilization of
cloud-based technologies, shared vs. stand-alone database structures and a host of other key design
choices.
If this exercise is not completed, Caitlyn Raymond will essentially be picking up a problem and moving
it to another location without addressing the underlying issues.
Requirements Definition
While it is expected that UMass would take on the responsibility of managing and maintaining Caitlyn
Raymond's technology infrastructure in this outsourced model, the registry will still be responsible for
defining requirements for key IT processes for the hospital. For example, backup and patching
schedules, system access policies, data classification systems, system configuration standards and
numerous other items will still need to be developed by Caitlyn Raymond and communicated to
UMass.
Responsibility Matrix
If Caitlyn Raymond does choose this model for IT management, the responsibility for addressing each
of the findings in this report will be split between itself and the UMass Memorial Medical Center. In
the chart below, we've assessed which entity will be responsible for addressing each finding:
# | Responsibility
1 | CRIR / UMASS
2 | CRIR / UMASS
3 | UMASS

Technical Issues
# | Responsibility
4 | CRIR
5 | CRIR
6 | UMASS
7 | CRIR / UMASS
8 | CRIR
9 | CRIR / UMASS
10 | CRIR / UMASS
11 | UMASS
12 | UMASS
13 | UMASS
14 | UMASS
15 | UMASS
16 | CRIR / UMASS
17 | UMASS
18 | UMASS
19 | UMASS
20 | UMASS
21 | UMASS
22 | UMASS
23 | UMASS
24 | UMASS
25 | CRIR / UMASS
26 | CRIR
27 | CRIR
28 | CRIR

People Issues
# | Responsibility
29 | UMASS
30 | UMASS