MediSavant Inc
Network Audit
Scope of work
The scope of the project is to analyze the software and hardware footprint and to reduce or eliminate ransomware and other types of attacks on the state infrastructure. All websites and applications covered by the scope are to be identified.
The project will require working with various state agencies and the Cyber Security Commission to provide a Security Assessment Report and to improve the current security policies.
Detailed Work
Item | Description
Application Security |
Infrastructure Security |
Security Assessment Report |
Remediation Plan |
Cost Benefit Analysis |
Target Audience
This project is intended to serve all state agencies and:
- Individuals with information system development responsibilities (e.g., program managers, system designers and developers, systems integrators, information security engineers)
- Individuals with information security assessment and monitoring responsibilities (e.g., Inspectors General, system evaluators, assessors, independent verifiers/validators, auditors, analysts, information system owners, common control providers)
- Individuals with information system, security, privacy, and risk management and oversight responsibilities (e.g., authorizing officials, chief information officers, senior information security officers, senior agency officials for privacy/chief privacy officers, information system managers, information security managers)
- Individuals with information security implementation and operational responsibilities (e.g., information system owners, common control providers, information owners/stewards, mission/business owners, systems administrators, information system security officers)
Application Audit
Inventory of Application Systems
A comprehensive effort is needed to document the applications in use state-wide. We need a list of all vendors and key contacts for each application provider. Establish the organizational points of contact needed to carry out the assessments.
Application Security Enhancement
Ensure that applications are PCI compliant.
Healthcare-related applications should be HIPAA compliant.
The high-level architecture of each app should be available. The enterprise architecture and the information security architecture will help to ensure that the applications are categorized based on the mission and business objectives of the organization.
Backup and logging mechanisms should be identified. Document the backup frequency, consistent with recovery time objectives and recovery point objectives. Part of the process is to protect the confidentiality, integrity, and availability of backup information at the defined storage locations. Identify the operating systems used across all deployments.
Periodic application and systems audits are required.
Conduct security assessments during the system development lifecycle.
Implement important common controls across the state-wide infrastructure. Maximizing the number of common controls employed across the state infrastructure:
(i) reduces the cost of development, implementation, and assessment of security and privacy controls;
(ii) allows organizations to centralize and automate control assessments and to amortize the cost of those assessments across all information systems organization-wide; and
(iii) increases the consistency of security and privacy controls.
This will help build a more global strategy for assessing security controls and sharing essential assessment results with information system owners and authorizing officials.
Infrastructure Security Assessment
A comprehensive effort is needed to document the state-wide infrastructure in use. We need a list of all externally exposed IP addresses and a list of all internal IP addresses.
Tools: Nessus / Qualys
Internal Audit
External Audit
The network will be scanned in two ways: an internal network scan and an external network scan.
Internal network scan: the Samba network file-sharing protocol was the cause of the disaster.
Prevent offline access for workstations, laptops and servers when necessary.
Log centralization should be implemented to make it easier to detect intrusions in real time.
Network segmentation into militarized and demilitarized zones.
Perform periodic penetration tests.
Maintenance:
- Backup implementation and regular updating (vendor-specific solutions, WSUS, etc.).
- Review of the settings of services running on servers and workstations (examples: services using accounts that are not built in or that are too privileged, reviewing service file locations, changing permissions where necessary using the Security Descriptor Definition Language, changing accounts to gMSAs where possible, limiting the number of services running on servers (SCW and manual activities)).
- Implementation of anti-exploit solutions (EMET, etc.) and anti-virus solutions (McAfee, Symantec, NOD32, etc.).
- Review of the client-side firewall configuration, allowing only the programs that need to communicate through the network. Currently, in most companies, all outgoing traffic from workstations is allowed.
- Management of the local administrator password (Local Administrator Password Management, etc.).
- Identity management (example: smart card logon) and centralization, and password management (Public Key Infrastructure, Microsoft Identity Manager, etc.). In approximately half of the companies a PKI is implemented, but almost everywhere it is not done according to best practices (to be sincere, we have never seen it done well) and not in alignment with business needs. Almost every company we have cooperated with expressed the need to use certificates somewhere, and technically it was a reasonable need.
- Implementation of a Security Awareness Program for employees and technical training for administrators.
- Implementation of scoping (role management) for permissions and employee roles (SQL Admins, Server Admins, etc.).
- Implementation of network segmentation (VLANs, IPsec isolation, 802.1X, etc.).
- Implementation of data protection (AD RMS, etc.).
- Periodic configuration reviews and penetration tests (internal and external) performed by the internal team and a third-party company.
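As an added example (not part of this proposal or of any vendor tool), the following PowerShell script performs a read-only check of three of the maintenance items above on a single Windows host: the client firewall's default outbound policy, services running under named accounts that are candidates for gMSAs, and SMB exposure. It assumes Windows 10 / Server 2016 or later with the NetSecurity and SmbShare modules, and an elevated session.

```powershell
# Added example, not code from the original proposal: read-only review of
# three checklist items (outbound firewall policy, service accounts that
# could move to gMSAs, SMB exposure). Assumes Windows 10 / Server 2016+
# with the NetSecurity and SmbShare modules; run elevated. Reports only.

function Invoke-HardeningReview {
    $findings = @()

    # 1. Client-side firewall: each profile should be enabled and should
    #    not allow all outbound traffic by default.
    foreach ($p in Get-NetFirewallProfile) {
        if (-not $p.Enabled) {
            $findings += "Firewall profile '$($p.Name)' is disabled"
        }
        if ($p.DefaultOutboundAction -ne 'Block') {
            $findings += "Firewall profile '$($p.Name)' allows all outbound traffic by default"
        }
    }

    # 2. Services that run under a named user account rather than a built-in
    #    account or a gMSA (gMSA names end in '$'); these need a closer look.
    $builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -ne 'Disabled' -and $_.StartName } |
        ForEach-Object {
            if ($_.StartName -notin $builtIn -and $_.StartName -notlike '*$') {
                $findings += "Service '$($_.Name)' runs as '$($_.StartName)': review privileges, consider a gMSA"
            }
        }

    # 3. SMB exposure: SMBv1 still enabled, and shares other than the hidden
    #    administrative ones (names ending in '$').
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        $findings += 'SMBv1 is enabled on this host'
    }
    Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
        $findings += "Share '$($_.Name)' exposes $($_.Path)"
    }

    return $findings
}

$result = Invoke-HardeningReview
if ($result.Count -eq 0) { 'No findings for the reviewed items.' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

Each finding is a candidate for the Security Assessment Report; the script does not change any setting.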
Security Assessment Report
A Security Assessment Report has to be provided once the application and network security has been analysed.
Remediation Plan
Establish time frames for fixing the security concerns found in the SAR and the key milestone decision points required by the organization to manage the assessments effectively.
Cost Benefit Analysis
Building a controlled state-wide architecture for more effective security and privacy controls is a process that will evolve over time. This will require compiling evidence from a variety of activities conducted during system development, understanding the motivation for attacks on systems, and the risk of losing sensitive information or suffering system downtime.
Cost-benefit analysis has to be done over a long period of time, but we have ensured that security enhancements are being implemented every quarter and that the state of software deployment moves from an ad hoc state to a more state-wide controlled and better engaged system.