This was a big area of fail for the Healthcare.gov website. It turned out that a database hub failure at hosting provider Verizon Terremark caused a series of intermittent outages and even website downtime. The BSIMM-V study found that nearly all of the firms observed in the study ensured that host and network security basics were in place. This kind of thorough testing also covers the rest of the security operation teams' duties, including patching and firewall maintenance.
Can the website handle high traffic loads? Is denial-of-service protection in place and tested? Are all systems properly configured? "Doing software security before network security is like putting on your pants before putting on your underwear," according to the BSIMM study.