User Group 2015 Security Best Practices
Post on 24-Dec-2015

Page 1: User Group 2015 Security Best Practices. Presenters Steve Kelley, COO 31 years experience building and managing operations and service delivery organizations

User Group 2015

Security Best Practices

Page 2

Presenters

Steve Kelley, COO: 31 years of experience building and managing operations and service delivery organizations in industrial robotics, medical devices, software development and IT services consulting businesses. Steve has extensive experience in networking, quality assurance, software development, disaster recovery services, and project management. He has worked with FDA GMP/GCP, FDA 21 CFR 820, SOX/SSAE16, FISMA, and HIPAA regulatory environments. Steve and Rob have worked together for over 20 years in several successful entrepreneurial ventures.

Glen Balestrieri, Director of Managed Services: With 26 years of management experience in Information Technology and Direct Sales, Glen is directly responsible for regulatory compliance, information systems security, systems engineering, systems maintenance and customer service. Glen holds a degree from American International College, with concentrations in networking, Linux, and Microsoft systems.

Page 3

Security Best Practices

Session Directives

• To discuss the security, speed and usability of the PopMedNet Private Cloud hosted at Lincoln Peak Partners.
• Session length is 35-45 minutes including introductions, overview, presentation and Q&A.
• Q&A session will start 15 minutes before session ending.

Page 4

Presentation Overview

In this presentation we will discuss:

• Securing the cloud.
• The infrastructure behind the curtain.
• Encryption systems in play, both at rest and in transit.
• Compliance and what that means to PopMedNet.
• Redundancy.
• Application data flow and its security.

Page 5

PMN Infrastructure and Security

Page 6

Code Security Assessment

Page 7

July 2, 2015

In June of 2015, Pivot Point Security conducted a static code review of Lincoln Peak Partners' PopMedNet applications as part of their software assurance process to provide assurance that the source code follows secure coding practices. Our code review methodology follows the testing approach recommended by the OWASP Application Security Verification Standard (ASVS). Findings are mapped to both the OWASP Top 10 and the Common Weakness Enumeration (CWE) project. We determined that the applications are secured in a manner consistent with secure coding practices and on par with similar applications that we have tested. While we did not identify any critical vulnerabilities during our testing, we did identify two areas of concern. After reviewing the issues with Lincoln Peak Partners, they indicated that these issues are actually mitigated by outside controls.

Pivot Point Security has been architected to provide maximum levels of independent and objective information security expertise to our varied client base. The team responsible for conducting security assessments of this nature is led by a Certified Information Security Auditor/IRCA ISO 27001 Auditor and includes personnel appropriately qualified to render this opinion (e.g., Certified Information System Security Professionals, Microsoft Certified System Engineers, Certified Ethical Hackers, etc.).

John Verry, 27001-CLA/CISA/CRISC, Principal Enterprise Security Consultant

Page 8

Page 9

Security Overview Examples

• Redundant Firewalls
• Intrusion Detection Systems
• 24/7 Live Monitoring and Response
• Endpoint Security: Antivirus and Malware
• Encryption in Use, at Rest and in Transit
• Vulnerability Scans, Manual and Automatic
• Weekly Log File Auditing
• Third Party Pen Testing

Page 10

Page 11

Application Redundancy

Lincoln Peak Partners FISMA Compliant Private Cloud Block Diagram (the diagram itself is not reproduced in this transcript; its labels are listed below)

Lincoln Peak Partners partners with Carpathia Hosting to provide a high-reliability, secure managed services solution. Lincoln Peak is certified FISMA compliant and in process on SAS-70/SSAE-16. Carpathia Hosting is FISMA, SAS-70/SSAE-16, and SysTrust certified.

Diagram labels:

• Dulles Vault DC: Lincoln Peak Primary; 10Mbps commit (burstable GB segment)
• Phoenix DC: Disaster Recovery Site, cold or warm available; 1Mbps commit (burstable GB segment)
• Asynchronous replication on Carpathia backbone with RPO = 15 minutes
• SSL VPN site-to-site tunnel
• Lincoln Peak Admins: SSL remote VPN access over the Internet
• MDPHnet / PopMedNet users: SSL/TLS and SSL remote VPN access

Page 12

Backup with Redundancy

Backup Policies: the Lincoln Peak Standard Operating Policy for Backup and Retention outlines the following in the flow chart (the flow chart is not reproduced in this transcript).

Redundant backups assure your data remains intact during crisis situations.

Lincoln Peak recognizes the need to customize policies for each individual customer. We can provide the flexibility you need to feel secure.

All database backups are encrypted at rest and all data is encrypted in transit.

This is an automated and monitored process.

Page 13

Overview of Data Flow (the diagram itself is not reproduced in this transcript; its labels are listed below)

• Hosting: Carpathia Hosting, with VLAN 1 and VLAN 2 separated by firewalls
• Components: PopMedNet Portal, PMN Web Service (with a Single Sign On option), PMN Database
• Users connecting over the Internet via web browser: Administrators, End Users, Investigators
• Data Provider: DataMart Desktop Client with Model Adaptors, operated by Data Mart Administrators
• Message pattern on each link: "Ask a question" / "Response", crossing a firewall at each boundary
• Transport labels on the links: https/TLS 1.0-1.2 (four links) and https/TLS 1.2 (two links)

Page 14

User Group 2015

Security Best Practices