Security or audit personnel conduct annual compliance reviews using manual or automated tools; where they find non-compliance, they take appropriate corrective action. The results and recommendations of each review are documented and approved by management. Automated compliance tools are used wherever possible. Healthy.io has developed a continuous monitoring strategy and implements an ongoing monitoring program.
When being assessed as a service provider, Healthy.io performs reviews at least quarterly to confirm that personnel are following security policies and operational procedures.
Reviews must cover the following processes:
Daily log reviews
Firewall rule-set reviews
Applying configuration standards to new systems
Responding to security alerts
Change management processes
When being assessed as a service provider, Healthy.io maintains documentation of the quarterly review process to include: (i) documenting results of the reviews, and (ii) review and sign-off of results by personnel assigned responsibility for the Information Security and Compliance program.
Healthy.io maintains information systems according to a current baseline configuration and configures system security parameters to prevent misuse. It keeps vendor-supplied software used in operational systems at a version still supported by the supplier and runs current web browser versions on operational systems to take advantage of the latest security functions in the application.
Healthy.io checks the technical security configuration of its systems at least annually, either manually by an individual experienced with the systems or with the assistance of automated software tools. An experienced specialist performs technical compliance checks with industry-standard automated tools, which generate a technical report for subsequent interpretation. Where non-compliance is found, appropriate corrective action is taken. Checks are performed more frequently than annually where the formal risk assessment process indicates a need, based on risk.
Healthy.io uses technical compliance checks to help support technical interoperability. It controls and archives changes to information assets, including systems, networks, and network services, and manages changes to equipment, software, and procedures strictly and consistently. It defines and implements fallback procedures, including the procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events. Only authorized administrators may implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release. The operating system baseline includes technical controls such as antivirus, file integrity monitoring, host-based (personal) firewalls or port-filtering tools, and logging.
Healthy.io employs an allow-all, deny-by-exception policy to prohibit the execution of known unauthorized (blacklisted) software on its information systems, including servers, workstations, and laptops. It reviews and updates the list of unauthorized (blacklisted) software periodically, and no less than annually. Program execution is prevented in accordance with that list and with the rules that set the terms and conditions of software program usage. Before deployment to production, applications and operating systems are tested for usability, security, and impact.
Healthy.io uses its configuration control program to maintain control of all implemented software and its system documentation and archives prior versions of implemented software and associated system documentation.
Managers responsible for application systems are also responsible for the strict control (security) of the project or support environment and ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment. Before implementing a change, Healthy.io puts a rollback strategy in place and maintains an audit log of all updates to operational program libraries.
Healthy.io manages changes to mobile device operating systems, patch levels, and/or applications through a formal change management process. Healthy.io formally addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management.
Healthy.io does not use automated updates on critical systems. It formally controls, documents, and enforces changes to minimize the corruption of information and systems. It develops, documents, and maintains, under configuration control, a current baseline configuration of the information system, reviews and updates the baseline as required, and:
Establishes and documents mandatory configuration settings for information technology products employed within the information system using the latest security configuration baselines.
Identifies, documents, and approves exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements.
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
Upon completing a significant change, Healthy.io must implement all relevant ISMS requirements on all new or changed systems and networks and update documentation as applicable.
Operational systems hold only approved programs or executable code. Physical or logical access is given to suppliers for support purposes only when necessary and with management approval, and Healthy.io monitors such access.