Developing a documented and ongoing TVM assessment and monitoring program to reduce risk exposure, increase toolset capabilities, and resolve audit issues for a CMS managed healthcare organization
SITUATION
Apex worked with one of the largest Managed Care Organizations in the U.S. The client is considered a leader in the Medicare and Medicaid Services industry with a well-known reputation of excellence. The client was at risk of falling out of compliance from a cybersecurity audit conducted by the State. The audit resulted in a mitigation plan that mandated they would need to be compliant using industry standards and best practices within their Threat and Vulnerability Management (TVM) Program within six months to continue to provide services or risk having a substantial loss of business revenue. The largest uplift towards remediation included enhancing and updating their vulnerability management scanning tools, specifically for audit files and CIS Benchmarks used to ensure security compliance with system hardening standards.
Accelerated the timeline to remediate critical risk audit findings before the deadline across a set of complex multi-environment systems
Our experienced team of TVM engineers assessed the State’s audit report and worked with our client to methodically create a sprint-based approach for enhancing their TVM tools’ capabilities and scanning processes, especially within Tenable.io/sc, Prisma, and Nessus. The project plan prioritized the most critical assets that would help ensure remediation of the finding occurred before the deadline. Our TVM team customized and updated a total of fifty (50) audit security files that were used to scan against our client’s hardened images and CIS benchmarks. The team ensured that our client’s customized security configurations were considered, false positives were removed, and used their established change and configuration management process was leveraged. Our team also created playbooks and hosted multiple training sessions to ensure our client’s internal TVM team was ready and comfortable managing the new processes going forward, resulting in a documented and sustainable TVM benchmark and scanning program.
RESULT
By reconciling security with operational agility, our work meaningfully improved the client’s risk posture, enhanced their toolset’s capabilities, and remediated the State’s audit finding, thus allowing them to continue to conduct business delivering managed care for millions of beneficiaries. The Apex team delivered the following tangible results before the state’s deadline including:
-
Accelerated the timeline to remediate critical risk audit findings before the deadline across a set of complex multi-environment systems
-
Reduced complexity and enabled our client’s confidence in building a well-rounded TVM program
-
Enhanced TVM tool capabilities in Tenable.io/.sc, Nessus, and Prisma Cloud
-
Worked through a complex business and IT environment with 5 different organizational domains
-
Provided accurate and updated real-time visibility into the TVM program for leadership
-
Built customized playbooks and training that led to a sustainable and well-governed TVM program
These critical improvements enabled our client to satisfy their audit findings resulting in the ability to continue to provide medical care services, uphold rigorous cybersecurity standards, enhance their TVM program, and transfer knowledge back to the internal team.
