Vulnerability Management
Healthy.io maintains an inventory of assets and services. The information lifecycle manages the secure use, transfer, exchange, and disposal of IT-related assets. The inventory of all authorized assets includes the owner of the information asset, asset category according to criticality, and information classification. It identifies protection requirements commensurate with the asset’s categorization. The IT Asset inventory is regularly reviewed and updated. Healthy.io maintains an inventory of system components that are in scope for ISO 27001, which also identifies all personnel authorized to use the system components and devices.
Healthy.io bases its applications on secure coding guidelines to prevent common vulnerabilities or undergo appropriate testing. It develops, documents, disseminates, reviews, and updates its system and information integrity requirements annually. Applications that store, process, or transmit covered information undergo application vulnerability testing by a qualified party annually. The testing identifies technical vulnerabilities, evaluates them for risk, and corrects them quickly. A hardened configuration standard exists for all system and network components. Healthy.io implements a prioritization process to determine which patches to apply across its systems.
A technical vulnerability management program is in place to monitor, assess, rank, and remediate vulnerabilities identified in the systems. A qualified individual performs internal and external vulnerability assessments of covered information systems, virtualized environments, and networked environments, including network and application-layer tests quarterly or after significant changes. Healthy.io tests and evaluates patches before it installs them. It evaluates the technical vulnerability management program quarterly and appropriately hardens systems. Healthy.io conducts an enterprise security posture review as needed, but no less than once within every 365 days, in accordance with organizational IS procedures.
Vulnerability scanning tools include the capability to update the information system vulnerabilities scanned readily.
Healthy.io undergoes regular penetration testing by an independent agent or team, at least every 365 days, on defined information systems or system components. It conducts such testing from outside and inside the network perimeter, and it includes tests for the protection of unprotected system information that would be useful to attackers. Healthy.io employs vulnerability scanning procedures to identify the breadth and depth of coverage. It reviews historic audit logs to determine if the information system identifies previously exploited high vulnerability scan findings. Healthy.io scans for vulnerabilities in the information system and hosts applications to assess the state of flaw remediation monthly (automatically) and again (manually or automatically) when it identifies and reports new vulnerabilities potentially affecting the systems and networked environments.
Healthy.io updates the list of information system vulnerabilities scanned every 30 days or when it identifies and reports new vulnerabilities. Healthy.io conducts quarterly internal and external scans and rescans when a qualified entity needs. Healthy.io uses a formal penetration testing methodology. It uses segmentation to isolate the management network environment from other networks. Healthy.io performs penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective and isolate all out-of-scope systems from in-scope systems.