Mainstay Enterprises, Inc.
Corporate: Annapolis, MD 21401
(301) 261-2655
Fax: (410) 280-3675

April 18, 2014

Elliot Schlanger
Director of Cybersecurity and Chief Information Security Officer
Director of Information Technology
State of Maryland
45 Calvert Street
Annapolis, Md. 21401-1907

Mainstay Enterprises, Inc. was engaged to perform an Independent Audit Review of the Security Review and Assessment performed by the State Board of Elections' incumbent security consultant, Unatek, Inc. The Security Review and Assessment by Unatek, Inc. was completed on December 30, 2013. The purpose of this Audit Review was to determine whether the completed Security Review and Assessment was reasonable and consistent with best practices and industry standards for conducting a security review of the Voter Services Application. Our Audit Review was limited to the process and personnel performing the review and the availability of the results. We did not perform any technical tests, did not interview Unatek's consultants, and did not attempt to substantiate or refute the accuracy of the information included in the Security Review and Assessment.

This Audit Review involved obtaining evidence about the Security Review and Assessment conducted by Unatek, Inc. The process for selecting and obtaining evidence depended on the auditors' judgment and on the required project tasks as identified in Unatek's Technical Plan, which was utilized as the Statement of Work (SOW) dated October 15, 2013. We conducted our Audit Review in accordance with the National Institute of Technology guidance and best practices. We completed the required Audit Review on April 18, 2014. We believe that the Audit Review evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion.
In our opinion, the Security Review, including the assessments performed by the incumbent security consultant, Unatek, Inc., was reasonable and consistent with best practices and industry standards for conducting a security review of the Voter Services Application.

SIGNATURE
Valeria James

INDEPENDENT REPORT

Summary of Observations

Contract Procurement

The State Board of Elections (SBE) provided Mainstay Enterprises, Inc. with the Request for Resume (RFR) 02/7/11 document that relates to the procurement of the CATS II Master Contract. From our review of this document, we determined that SBE employed a competitive RFR process to obtain a consultant and technical services for the Voter Services Application (VSA) Security Review and Assessment. Nikki Charlson and Vincent Omenka stated during the Mainstay and SBE kickoff meeting that Unatek's Technical Plan was considered the Statement of Work (SOW) for this task. As such, the tasks performed by Unatek for the security review and assessment were documented in this plan and included the following:

- Review of the systems' architecture
- Determine the systems' ability to withstand a denial of service
- Review SBE procedures to identify fraudulent activities
- Develop a detailed report to include discovered weaknesses and recommendations for mitigations
- Develop an Executive Summary of the assessment suitable for public display

SBE interviewed 16 vendors, including Unatek, Inc., to perform this task. Likewise, SBE established a panel of 3 highly qualified individuals to dispense a technical evaluation questionnaire to each candidate. It was determined that Unatek's candidate met the minimum qualifications of the Computer Security Systems Specialist, in terms of the experience, knowledge and skill categories of the RFR, as well as the stipulated certifications, Computer Information System Security Professional and Certified Ethical Hacker. Mainstay Enterprise, Inc. confirmed that the certifications were current.
Unatek's consultant met the additional criteria stipulated as:

- Demonstrated all aspects of proper communication skills, both verbal and non-verbal
- Articulated clear and concise responses to the interview questions
- Possessed good interpersonal communication skills and proper attire
- Was detail-oriented and had a strong technical background

The Mainstay Enterprise, Inc. Auditor reviewed the SBE RFR, which describes nine overall tasks for the Master Project. SBE awarded the Voter Services Application Security Review and Assessment task to Unatek, Inc., as they were currently performing other tasks from the CATS II Master Contract. Unatek's consultant was knowledgeable of the infrastructure environment, and as a result of this experience, the learning curve that another vendor would have experienced in the current environment was eliminated. Unatek, Inc. has demonstrated their capability on previous engagements of the same type and at a higher level of performance than that of the VSA award. Therefore, the award to Unatek, Inc. was a good business decision.

Security Review and Assessment of the VSA

Mainstay Enterprise, Inc. evaluated Unatek's Security Review and Assessment methodology in accordance with the National Institute of Technology guidance and best practices and The Open Web Application Security Project (OWASP) Testing Guide 3.0. Unatek's phased approach included examinations, which primarily involve the review of documents such as policies, procedures, security plans, security requirements, standard operating procedures, architecture diagrams, engineering documentation, asset inventories, system configurations, rulesets, and system logs, and tests to identify weaknesses and/or vulnerabilities. The examinations were conducted to determine whether a system is properly documented, and to gain insight into aspects of security that are only available through documentation.
The use of scanning and penetration techniques and tools provides valuable information on potential vulnerabilities and predicts the likelihood that an adversary or intruder would be able to exploit them. Testing also allows organizations to measure levels of compliance in areas such as patch management, password policy, and configuration management. In many cases, combining testing and examination techniques can provide a more accurate view of security. NIST best practices indicate that there are numerous techniques that can be used to support a security posture and, as such, organizations should determine their acceptable levels of intrusiveness when deciding which techniques to use.

Unatek's review of the security controls on the VSA, including access control policies and procedures, was performed with due diligence for conducting a security review of a web-based application such as the VSA. Unatek provided the final Security Report to SBE, covering the period October 2013 through December 2013. The Voter Security Assessment Report of December 30, 2013, reviewed by Mainstay Enterprise, Inc., indicated that Unatek's consultant identified vulnerabilities as part of the security review and assessment and included recommendations to mitigate those risks according to industry best practices.