Orange County NC Website
DocuSign Envelope ID: 24BBAFA9-CD81-4144-ACEF-E9036E703739

deployed to alert security personnel if the "running" configuration of any device does not align with the approved "stored" configuration.

• All external network connection rules must be approved by the Chief Information Security Officer and submitted to the Security/IT Steering Committee for review. Changes to the network control ruleset may not be implemented until written approval from the Chief Information Security Officer is obtained.
• Network administrators are responsible for maintaining a set of logical and physical network diagrams that fully document all connections to PHI and PII data, including any wireless networks.
• Network controls must be installed at each Internet connection and between any DMZ and the Intranet.
• The network controls must restrict connections between publicly accessible servers and any system component storing sensitive (i.e. PHI, PII) data, including any connections from wireless networks. As part of the firewall configuration program, all connections between the DMZ and internal networks must be fully documented.
• The DMZ must be considered a semi-public network. As such, all connections carrying confidential data within the DMZ (including those originating from trusted, internal networks) must be encrypted.
• The network controls must restrict inbound Internet traffic to IP addresses within the DMZ. No direct connections between the Internet and the internal virtual network are allowed.
• The network controls must be configured so that RFC 1918 addresses cannot pass from the Internet (externally) into the DMZ. Additionally, dynamic packet filtering will be performed to ensure that only established connections are allowed into the network.
• Databases with sensitive information will be placed in an internal network zone, segregated from the DMZ. All inbound and outbound Internet traffic will be monitored.
• All Internet traffic passing into the DMZ will be limited to ports included in a documented business justification that has been approved by the Chief Information Security Officer.
• Jende Solutions considers all wireless networks to be public networks. As such, perimeter network controls must be installed between any wireless networks and the internal network. The configuration of these network controls will be set up to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment.
• Personal firewall software must be installed on any mobile and/or employee-owned computers with direct connectivity to the Internet (e.g., laptops used by employees) which are used to access the Jende Solutions network.
• The network controls must use network address translation (NAT) to mask internal addresses from the Internet.
• Direct connections are not allowed between the Internet and the sensitive data (i.e. PII/PHI) environment.
• Disclosure of internal IP addressing and routing information to unauthorized third parties is not permitted.
• The network controls must limit inbound and outbound traffic to specifically what is necessary for the sensitive data (i.e. PII/PHI) environment and must be reviewed on a semi-annual basis.
• Network control rules and router access lists will be reviewed and approved every six (6) months by the CISO.

32. What system hardening strategies are employed by the cloud provider?
See answer to question #31.

33. How does the cloud provider perform security testing, including logging, correlation, intrusion detection, intrusion prevention, file integrity monitoring, time synchronization,
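As an added illustration (not part of this questionnaire response or any Jende Solutions configuration), the following Python checks a constructed first-match perimeter ruleset against three of the controls from the answer to question 31: RFC 1918 sources must be dropped at the Internet edge, inbound Internet traffic may reach only DMZ addresses, and only ports with documented business justification may be open. The DMZ range, addresses and approved-port list are assumptions.

```python
"""Added illustration: audit a perimeter ruleset against the controls above.
Ruleset, DMZ range, addresses and approved ports are constructed examples."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DMZ = ipaddress.ip_network("203.0.113.0/24")   # assumed DMZ range (documentation prefix)
APPROVED_PORTS = {443}                         # assumed ports with documented business justification

# Constructed first-match ruleset: (action, ingress zone, src net, dst net, dport or None)
RULES = [
    ("drop",   "internet", "10.0.0.0/8",     "0.0.0.0/0",       None),  # anti-spoofing
    ("drop",   "internet", "192.168.0.0/16", "0.0.0.0/0",       None),  # 172.16/12 forgotten
    ("accept", "internet", "0.0.0.0/0",      "203.0.113.10/32", 443),   # public web server in DMZ
    ("accept", "internet", "0.0.0.0/0",      "10.20.0.5/32",    1433),  # Internet -> internal DB
    ("drop",   "internet", "0.0.0.0/0",      "0.0.0.0/0",       None),  # default deny
]

def decide(rules, zone, src, dst, dport):
    """Return the action of the first matching rule; unmatched traffic is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rzone, rsrc, rdst, rport in rules:
        if (rzone == zone and s in ipaddress.ip_network(rsrc)
                and d in ipaddress.ip_network(rdst) and rport in (None, dport)):
            return action
    return "drop"

def audit(rules):
    """Return policy findings: a static pass over accept rules plus spoofed-source probes."""
    findings = []
    for i, (action, zone, _src, dst, dport) in enumerate(rules):
        if action != "accept" or zone != "internet":
            continue
        if not ipaddress.ip_network(dst).subnet_of(DMZ):
            findings.append(f"rule {i}: Internet traffic accepted to non-DMZ {dst}")
        if dport not in APPROVED_PORTS:
            findings.append(f"rule {i}: port {dport} not in approved list")
    for net in RFC1918:
        # A packet with a private source address must never be accepted from the Internet.
        probe = str(net[1])
        if decide(rules, "internet", probe, "203.0.113.10", 443) == "accept":
            findings.append(f"RFC 1918 source {probe} accepted from the Internet")
    return findings

if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

Run against the constructed ruleset, the audit reports the Internet-to-internal database rule twice (non-DMZ destination and unapproved port) and the missing 172.16.0.0/12 anti-spoofing rule.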