Operations Security Policy

Classification: Public
Location: https://www.medcrowd.com/compliance/iso27001/policies/OperationsSecurity
Author: Paul Gardner
Approver: Felix Jackson
Approved: 14th December 2016

Date | Author | Changes
19th June 2023 | Paul Gardner | Periodic review
6th June 2022 | Paul Gardner | Periodic review
16th February 2021 | Paul Gardner | Periodic review
12th February 2020 | Paul Gardner | Periodic review
20th November 2019 | Paul Gardner | All web applications must be protected by a web application firewall with logging
21st June 2018 | Paul Gardner | Update location of vulnerability scans and penetration tests
15th May 2018 | Paul Gardner | Periodic review
5th December 2016 | Paul Gardner | Documented the NTP requirement
15th November 2016 | Paul Gardner | Moved to the web
31st May 2016 | Paul Gardner | Expand on database backups
17th May 2016 | Paul Gardner | Change document location; explicitly state that the Change Management System sends Change Requests out for approval and the approval happens within that system; explicitly state the type of AV software in use and its configuration; add section relating to port scanning & security testing of applications
29th July 2015 | Paul Gardner | Periodic review
8th September 2014 | Paul Gardner | Rebranding
2nd July 2014 | Paul Gardner | Initial revision

Introduction

This policy is part of the medDigital ISMS and must be fully complied with.

The purpose of this policy is to detail the requirements for the secure use of our information processing facilities to ensure the protection of information through the implementation of an Information Systems Management System (ISMS).

Documented operating procedures

All operating procedures must be documented to an appropriate level of detail for individuals using them and should include the following areas:

  • Information classification
  • Confidentiality requirements
  • Backup and Restore procedures
  • Housekeeping procedures
  • Procedures for audit review

Change Management

Changes to infrastructure and the configuration of production systems must be controlled by a formal change control procedure. The change control procedure should reference:

  • A description of the change being proposed
  • The priority of the change being proposed
  • Information and evidence of testing
  • Impact assessment
  • Formal approval process from relevant teams
  • Communication to all relevant parties to include:
    • Advance communication
    • Schedule
  • Rollback procedure
  • Risk assessment, analysis and consideration of controls

Change controls should be submitted electronically via the Change Management System (CMS).

The CMS automatically notifies relevant parties and handles approvals and rejections electronically.

The CMS stores change requests indefinitely.

Separation of Development, Test & Production

Development and test environments must be separated from the production environments in order to reduce the risk of accidental change, incompatibility and outages.

Access to development and test environments must be protected by authentication. If the application requires a database, then each environment must use its own.

Environment | Naming convention | Reachable by | Access controlled
Development | name.<developer> | Local only | No
Integration | integration.domain.com | Global | Yes (internal)
Staging | staging.domain.com | Global | Yes (internal & client)
Production | www.domain.com | Global | No

Protection from malware

All laptops & desktops contain a configured installation of Windows Defender with real-time scanning, a weekly full scan, and automatic updates. This is enforced by Active Directory Group Policy.

Backups

The M drive is backed up in real-time with unlimited retention, and this is the only repository of company data in use by laptops and desktops.

Database servers are backed up in real-time with a 30 day retention period. Backups are stored off-site, are AES-256 encrypted, and include transaction logs for point-in-time recovery.

Logging and monitoring

Applications that contain a user authentication mechanism must store event logs recording user activity. If suspicious activity occurs, the application should send an email to security@meddigital.com for review.

Applications that generate exceptions must log those exceptions for review by the development team.

OSSEC must be installed on all servers, with alerts delivered to security@meddigital.com. Any alerts must be reviewed in the Security shared mailbox and categorised accordingly once reviewed.

All web applications must be protected by a web application firewall (WAF). This can be achieved by ensuring traffic can only reach the application via the medDigital Elastic Load Balancer (ELB). The WAF must be configured to log all accepted and rejected requests to the md-fw-logs S3 bucket with a minimum retention of 14 days.

Logging data must be protected against unauthorised access and tampering.

Control of operational software

The installation or updating of software on a production system, with the exception of security updates, must be controlled via the Change Management System.

OSSEC must be configured to take a snapshot of key binaries, libraries and configuration files, and to report any changes to security@meddigital.com.
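The snapshot-and-compare requirement above is what a file integrity monitor does. The following is an added illustration of that mechanism in plain Python, not OSSEC and not medDigital's code: it hashes every file under a set of roots, records the permission bits alongside the hash, and classifies what changed, appeared or disappeared between two snapshots. The directory layout, file contents and the tampering in `demo()` are all constructed for the example.

```python
"""File-integrity snapshot and comparison (added example, not OSSEC)."""
import hashlib
import stat
import tempfile
from pathlib import Path


def file_digest(path: Path) -> dict:
    """SHA-256 of the content plus the permission bits, so a mode-only
    change (for example a binary acquiring the setuid bit) is reported
    even when the bytes are unchanged."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def snapshot(roots, base: Path) -> dict:
    """Map every regular file under the given roots to its digest.
    Keys are paths relative to `base` so the report is readable."""
    baseline = {}
    for root in roots:
        for p in sorted(Path(root).rglob("*")):
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(base).as_posix()] = file_digest(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two snapshots."""
    return {
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def format_alert(report: dict) -> str:
    """Plain-text body suitable for mailing to a security mailbox."""
    lines = []
    for kind in ("changed", "added", "removed"):
        for path in report[kind]:
            lines.append(f"{kind.upper():8} {path}")
    return "\n".join(lines) if lines else "No integrity changes detected."


def demo() -> dict:
    """Constructed scenario: snapshot a fake bin/, etc/ and lib/ tree, then
    alter it the way an unapproved change or a compromise would."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for rel, content in {
            "bin/app": b"\x7fELF original binary",
            "etc/app.conf": b"listen = 443\n",
            "lib/libfoo.so": b"\x7fELF shared object",
        }.items():
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_bytes(content)
        roots = [base / "bin", base / "etc", base / "lib"]

        baseline = snapshot(roots, base)

        # Simulated tampering: replaced binary, edited config,
        # dropped-in file, deleted library.
        (base / "bin/app").write_bytes(b"\x7fELF trojaned binary")
        (base / "etc/app.conf").write_bytes(b"listen = 443\ndebug = on\n")
        (base / "bin/rogue").write_bytes(b"#!/bin/sh\n")
        (base / "lib/libfoo.so").unlink()

        return compare(baseline, snapshot(roots, base))


if __name__ == "__main__":
    print(format_alert(demo()))
```

In practice the baseline is written once after an approved change and the comparison runs on a schedule; the point of keeping the mode in the digest is that permission changes on key binaries are as security-relevant as content changes and would otherwise go unnoticed.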

Technical vulnerability management

All IT staff must subscribe to:
  • United States Computer Emergency Response Team (CERT) at https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new
  • AWS Security Bulletins RSS at https://aws.amazon.com/security/security-bulletins/

Any alert carrying a CVSS score of 7.0 or higher must be evaluated as soon as the alert is received.

All servers should be configured to automatically apply security updates and all servers should be rebooted on a weekly basis.

An external port scan of all servers should be carried out daily. The scan results should be stored in the Security shared mailbox. If any open ports are discovered, this should be investigated. Once the scan has been reviewed, it should be categorised as checked.
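To make the daily review above less manual, the reviewer can compare the scan against a per-host list of the ports that are supposed to be exposed and only investigate what is outside it. The following is an added example, not medDigital's tooling: it parses nmap's grepable (`-oG`) output and flags open ports that are not on the allow-list. The scan text, the addresses (documentation range) and the allow-list are all constructed for the example.

```python
"""Flag unexpected open ports in an nmap -oG scan (added example)."""
import re

# Constructed nmap -oG output for two documentation-range addresses.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample) as: nmap -oG - -p- 203.0.113.10 203.0.113.11
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (65532)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 3306/open/tcp//mysql///, 8080/closed/tcp//http-proxy///
# Nmap done (constructed sample)
"""

# Constructed allow-list: the ports each host is supposed to expose externally.
EXPECTED_OPEN = {
    "203.0.113.10": {(80, "tcp"), (443, "tcp")},
    "203.0.113.11": {(443, "tcp")},
}

# Grepable "Host:" lines that carry a "Ports:" field; the trailing
# "Ignored State" summary is optional.
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\tIgnored State:.*)?$")


def parse_open_ports(grepable: str) -> dict:
    """Return {host: [(port, proto, service), ...]} for ports nmap reports as open.

    Each port entry has the form port/state/protocol/owner/service/rpc/version/,
    so splitting on '/' gives the port, state, protocol and service fields."""
    found = {}
    for line in grepable.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue  # comment lines, Status-only lines, blanks
        host, port_field = m.group(1), m.group(2)
        for entry in port_field.split(", "):
            parts = entry.split("/")
            if len(parts) < 5 or parts[1] != "open":
                continue
            found.setdefault(host, []).append((int(parts[0]), parts[2], parts[4]))
    return found


def review(grepable: str, expected: dict) -> dict:
    """Open ports not on the allow-list, per host. A host absent from the
    allow-list has every open port flagged, since nothing was approved."""
    findings = {}
    for host, ports in parse_open_ports(grepable).items():
        allowed = expected.get(host, set())
        unexpected = [p for p in ports if (p[0], p[1]) not in allowed]
        if unexpected:
            findings[host] = unexpected
    return findings


if __name__ == "__main__":
    for host, ports in review(SAMPLE_SCAN, EXPECTED_OPEN).items():
        for port, proto, service in ports:
            print(f"INVESTIGATE {host} {port}/{proto} ({service})")
```

With the constructed input this flags 22/tcp on the first host and 3306/tcp on the second; the closed 8080 entry is ignored because only ports in the `open` state matter for the review. The allow-list doubles as documentation of what each server is meant to expose, which is the thing the reviewer otherwise has to remember.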

Prior to the production release of any application, the application must be subjected to an OWASP vulnerability scan. Any alerts higher than informational must be passed to the appropriate development team for investigation and remedy. The output of the scan should be stored in the M:\IT\Security\Vulnerability Scans folder.

Restrictions on software installation

Users are not permitted to install software onto their workstations. Software installation must only be performed by IT and only from the list of approved software. Installations should be performed by Active Directory Group Policy where possible.

Capacity management

All servers must include the system monitoring agent so that vital server components can be monitored and usage trends made visible.

Where possible, servers should be members of the auto-scaling group, which automatically provisions new compute resources as and when required.

Clock synchronisation

All servers and workstations must have their clock synchronised with an appropriate time source.