The Maryland Health Benefit Exchange will contract an assessor to verify the implementation status and effectiveness of the security and privacy controls. The assessor’s role is to provide an independent security and privacy assessment of the HBX and to maintain the integrity of the audit process. The assessor will work in conjunction with the Maryland Health Benefit Exchange to complete the CMS Administering Entity Security and Privacy Plan for the Maryland Health Benefit Exchange (MHBE), Health Benefit Exchange (HBX). The assessment methods include examining documentation, logs, and configurations, interviewing personnel, and testing technical controls. The assessment will provide the independent assessor with an accurate understanding of the security and privacy controls in place by identifying the following: ● Application or system vulnerabilities, the associated business and system risks, and potential impact ● Weaknesses in the configuration management process, such as weak system configuration settings that may compromise the confidentiality, integrity, and availability of the system ● Security and Privacy policies and control implementation not followed ● Major documentation omissions and/or discrepancies...
