Finding 2022-004
Bridges Security Management and Access Controls Management Views

MDHHS agrees with parts a., b., and d. through g. of the finding. MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database-specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and SOM standard security safeguards.

Planned Corrective Action

For parts a., d., and e., MDHHS will implement the Database Security Application (DSA) Bridges form, which establishes a method to document user access request approval electronically and includes a semi-annual review of privileged users and an annual review of all users that is required to prevent automatic removal of access.

For part b., MDHHS will prioritize updates to Bridges that will require the local office security coordinator (LOSC) to document security monitoring reports within Bridges alerts and generate a reminder to the LOSC and their manager to reconcile the report. Before the alert can be closed, the LOSC will be required to enter comments for actions taken and approve the report.

For part c., DTMB developed an organization-wide framework for database security configuration management.

For part f., MDHHS's Economic Stability Administration (ESA) issued a revised memo on October 3, 2022, to Business Service Centers (BSCs) and local offices to reiterate the need for reviewing, documenting, and completing the required high-risk transaction reports timely.

For part g., during February 2022, MDHHS's Bridges Resource Center (BRC) revised their reconciliation process of high-risk transactions to comply with the changed policy requirements and ensure separate reviews are performed for each type of high-risk transaction. MDHHS's ESA issued a revised memo on July 11, 2022, to address changes made for non-BRC Central Office staff transactions to reiterate the need for reviewing, documenting, and completing the required high-risk transactions timely. Also, an email reminder is sent out two days prior to the high-risk transaction report due date to help ensure timeliness of the reviews.

Anticipated Completion Date

a., d., and e. MDHHS anticipates the first phase of the DSA Bridges form will be implemented by October 2023 as a pilot and then rolled out statewide with full automation by September 2024. Semi-annual and annual reviews will begin 6 months and 12 months, respectively, from the time each DSA Bridges form is implemented for each respective user.
b. August 2024
c. DTMB anticipates having compliance documentation by September 30, 2023.
f. Completed with ongoing monitoring.
g. Completed

Responsible Individual(s)

a., b., d., and e. Deon Nelson, MDHHS
c. Nathan Buckwalter, DTMB
f. MDHHS ESA and BSC Directors
g. Todd Gore and Russell Gruber, MDHHS