Healthy.io consistently performs risk assessments at planned intervals or when there are significant changes to Healthy.io’s environment and reviews the risk assessment results annually. While risk assessments include evaluating multiple factors that may impact security and the likelihood and impact of the loss of confidentiality, integrity, and availability of information and systems, Healthy.io updates the results of a formal, comprehensive risk assessment every year. A significant change to the information system or operational environment necessitates evaluating a subset of the security controls every 365 days during continuous monitoring and reviewing the risk assessment results annually.
Healthy.io conducts formal risk assessments that identify critical assets, threats, and vulnerabilities at least annually and when significant changes to the environment occur. Healthy.io documents remedial information security actions necessary to mitigate risk to organizational operations, assets, individuals, and other organizations. It uses an established methodology with defined criteria for determining risk treatments and ensures that it prioritizes and maintains corrective action plans for the security program and associated organizational information systems.
Healthy.io implements an integrated control system characterized by different control types that mitigate identified risks. The risk management program requires the re-evaluation of risk assessments at least annually or when there are significant changes in the environment. Healthy.io integrates the risk management process with the change management process. It conducts risk assessments whenever there is a significant change in the environment or a change that could significantly impact the assessments’ results. The change management processes guide decisions and the decision-makers. Healthy.io updates its risk assessments before issuing a new formal authorization to operate or, in some cases, within three years, whichever comes first. When conditions impact the security or authorization state of the system, Healthy.io updates its privacy, security, and risk management program(s) to reflect changes in risk and thus mitigates the situation.
Healthy.io formally addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance with system and information integrity requirements/controls and facilitates their implementation. Information system specifications for security control requirements state that security controls are to be incorporated in the information system, supplemented by manual controls as needed. The company applies these considerations when evaluating developed or purchased software packages.
Security requirements and controls reflect the business value of the information assets involved and the potential business damage that might result from a failure or absence of security. The company follows a formal acquisition process for purchased commercial products, and supplier contracts include the identified security requirements.
When the security functionality in a proposed product does not satisfy the specified requirement, the company reconsiders the introduced risk and associated controls before purchasing the product. When a product supplies additional functionality that causes a security risk, the company disables that functionality or mitigates the risk by applying additional controls. Updates require developers of information systems, components, and developers or providers of services to identify (document) functions, ports, protocols, and services intended for organizational use early in the system development life cycle. Healthy.io addresses information security and privacy in all phases of the project management methodology.
When developing software or systems, Healthy.io performs thorough testing and verification during the development process. Commercial products other than operating system software used to store and/or process covered information undergo security assessment and/or security certification by a qualified assessor before implementation.
Healthy.io applies information system security engineering principles in the specification, design, development, implementation, and modification of security requirements and controls in developed and acquired information systems. Healthy.io includes business requirements for the availability of information systems when specifying the security requirements, and, where availability cannot be guaranteed using existing architectures, it considers redundant components or architectures and the risks associated with implementing such redundancies.
Specifications for the security control requirements state automated controls will be incorporated in the information system, supplemented by manual controls as needed, as evidenced throughout the SDLC. The company integrates information security risk management into the SDLC and defines all SDLC phases’ information security roles and responsibilities.
The requirement definition phase includes:
Consideration of system requirements for information security and the processes for implementing security
Management assigns and approves (signs off on) the data classification and risk of information assets to ensure consideration of appropriate controls and the involvement of the correct project team members.
Healthy.io develops enterprise architecture with concern for information security and the resulting risk to Healthy.io’s operations, assets, individuals, and other organizations.
Healthy.io has developed an information security architecture for the information system. Healthy.io reviews and updates (as necessary) the information security architecture whenever changes are made to the enterprise architecture, ensuring that the company reflects planned information security architecture changes in the security plan and organizational procurements and acquisitions. Healthy.io includes specific security-related requirements in information system acquisition contracts based on applicable laws, policies, standards, guidelines, and business needs. Healthy.io mitigates any harmful effect of the use or disclosure of sensitive information by Healthy.io or its vendors, contractors, or similar third parties in violation of its policies and procedures.