Government is becoming more accessible and convenient to its constituents as a result of the Internet and the world-wide communication infrastructure, a development termed e-Government. As more State systems include a public-facing presence on the Internet, it becomes more essential that State computer systems are routinely tested to ensure that only the appropriate information is presented and personal information is protected.
Protection of sensitive and personal information held within State computer systems requires a uniform and consistent approach to routine security assessments. BCCS brings years of experience and training to the area of securing technology. Supporting over 2,000 custom applications and systems, BCCS staff maintains a diverse and complex network of both legacy and current technology.
BCCS offers an à la carte approach to assessing the environment of a particular system. This approach is offered and tailored primarily to the needs of the agencies, boards and commissions under the authority of the governor.
Routine security assessments are included in the standard hosting service if your application is hosted by BCCS. Additional specialized testing of BCCS hosted systems can be arranged if required by regulation or mandate.
Whatever your information technology needs might be, BCCS can help you make the right choices to keep you connected.
- An evaluation of network security from an internal perspective. BCCS will perform a vulnerability assessment of Customer systems and networks including servers and routers. BCCS will generally try to find ways of minimizing security risks and avoid potential security breaches within the network.
- An evaluation of network security from an external perspective. BCCS will perform a vulnerability assessment of Customer systems and networks including web sites, servers, firewalls, switches, and routers from the outside world.
- Wireless Access Scan: An evaluation of the Customer's wireless access network. BCCS will perform a wireless assessment to detect the presence of wireless devices. BCCS will verify that wireless devices meet the Customer's wireless security policies and standards.
System Security Assessments Rates (August 2012)
What is Included?
Based upon the needs and requested services, CMS BCCS can conduct an assessment and provide recommendations focusing on:
- Network Vulnerability
- Penetration Testing
- Application Vulnerability
- Industry Best Practices
BCCS Security and Compliance Solutions has developed a line of services to provide quality security-related vulnerability assessment services for state agencies, boards, and commissions in Illinois at inexpensive rates. These services have been developed by the Technical Safeguards Unit to help ensure the confidentiality, integrity, and availability of information in your IT environment.
What Should You Expect?
Upon request to BCCS for a security assessment engagement, BCCS will determine whether the potential customer is eligible for the services. Once eligibility has been determined, there will be a preliminary meeting scheduled to define the scope of the project. Once the initial scope is defined and agreed upon, an information gathering effort is undertaken to establish and verify the scope and possible additional tests that might be recommended to provide a comprehensive review.
Thereafter, a draft agreement will be emailed to the customer. A signed, final agreement will be required in order to initiate system security assessment services from BCCS. Following a signed, final agreement, the assessment is conducted and a report is prepared for customer review. Questions and possible additional recommended testing may result from this initial review, culminating in a final report assessing the current health of the environment and possible recommendations.
Elements of a security assessment agreement:
- All information provided, discovered or reported by either party remains the property of the customer and is considered confidential and protected.
- Terms of the engagement do not include assumption of liability by CMS BCCS. No warranties expressed or implied apply to such security assessments. New vulnerabilities and exploits are discovered on an on-going basis. Assessments are a "snap-shot" of the environment and limited to the vulnerabilities tested and identified. Security assessments are conducted as preventative due diligence and best practice. Suggested follow-up and periodic reviews are always recommended.
- A list of hardware and software to be tested, along with an explanation of the testing, its scope and limitations, will be provided to establish and verify what will be included in the final report.
- An agreed upon scope of work statement will be provided. Modifications to the initial agreement will follow standard change management practices.
- A final confidential report outlining findings, level of risk and suggested follow-up actions will be provided to the customer.
How Can You Help?
The scope and duration of the engagement are reduced if up-to-date system and hardware inventories and documentation are available to BCCS security assessment staff during the information gathering phase of their work.