Field | Value |
---|---|
Classification | Public |
Location | https://www.medcrowd.com/compliance/iso27001/policies/OperationsSecurity |
Author | Paul Gardner |
Approver | Felix Jackson |
Approved | 14th December 2016 |

Date | Author | Changes |
---|---|---|
19th June 2023 | Paul Gardner | Periodic review |
6th June 2022 | Paul Gardner | Periodic review |
16th February 2021 | Paul Gardner | Periodic review |
12th February 2020 | Paul Gardner | Periodic review |
20th November 2019 | Paul Gardner | All web applications must be protected by a web application firewall with logging |
21st June 2018 | Paul Gardner | Update location of vulnerability scans and penetration tests |
15th May 2018 | Paul Gardner | Periodic review |
5th December 2016 | Paul Gardner | Documented the NTP requirement |
15th November 2016 | Paul Gardner | Moved to the web |
31st May 2016 | Paul Gardner | Expand on database backups |
17th May 2016 | Paul Gardner | Change document location; explicitly state that the Change Management System sends Change Requests out for approval and the approval happens within that system; explicitly state the type of AV software in use and its configuration; add section relating to port scanning and security testing of applications |
29th July 2015 | Paul Gardner | Periodic review |
8th September 2014 | Paul Gardner | Rebranding |
2nd July 2014 | Paul Gardner | Initial revision |
This policy is part of the medDigital ISMS and must be fully complied with.
The purpose of this policy is to detail the requirements for the secure use of our information processing facilities, so that information is protected through the implementation of an Information Security Management System (ISMS).
All operating procedures must be documented to an appropriate level of detail for individuals using them and should include the following areas:
Changes to infrastructure and the configuration of production systems must be controlled by a formal change control procedure. The change control procedure should reference:
Change requests should be submitted electronically via the Change Management System (CMS).
The CMS automatically notifies the relevant parties and handles approvals and rejections electronically; approval happens within the CMS itself.
The CMS stores change requests indefinitely.
Development and test environments must be separated from the production environments in order to reduce the risk of accidental change, incompatibility and outages.
Access to development and test environments must be protected by authentication. If the application requires a database, then each environment must use its own.
Environment | Naming Convention | Reachable by | Access Controlled |
---|---|---|---|
Development | name.<developer> | Local only | No |
Integration | integration.domain.com | Global | Yes (Internal) |
Staging | staging.domain.com | Global | Yes (Internal & Client) |
Production | www.domain.com | Global | No |
All laptops & desktops contain a configured installation of Windows Defender with real-time scanning, a weekly full scan, and automatic updates. This is enforced by Active Directory Group Policy.
The M drive is backed up in real-time with unlimited retention, and this is the only repository of company data in use by laptops and desktops.
Database servers are backed up in real time with a 30-day retention period. Backups are stored off-site, are AES-256 encrypted, and include transaction logs to allow point-in-time recovery.
Applications that contain a user authentication mechanism must store event logs recording user activity. If suspicious activity occurs, the application should send an email to security@meddigital.com for review.
Applications that generate exceptions must log those exceptions for review by the development team.
OSSEC must be installed on all servers, with alerts delivered to security@meddigital.com. Any alerts must be reviewed in the Security shared mailbox and categorised accordingly once reviewed.
All web applications must be protected by a web application firewall (WAF). This can be achieved by ensuring traffic can only reach the application via the medDigital Elastic Load Balancer (ELB). The WAF must be configured to log all accepted and rejected requests to the md-fw-logs S3 bucket with a minimum retention of 14 days.
Logging data must be protected against unauthorised access and tampering.
The installation or updating of software on a production system, with the exception of security updates, must be controlled via the Change Management System.
OSSEC must be configured to take a snapshot of key binaries, libraries and configuration files, and to report any changes to security@meddigital.com.
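The OSSEC file-integrity requirement above (syscheck covering key binaries, libraries and configuration files, with changes reported to the security mailbox) can be verified from the agent configuration. The script below is an added example and not part of this policy or of OSSEC; the embedded ossec.conf fragment and the list of required directories are constructed assumptions for illustration.

```python
"""Check an OSSEC configuration against this policy's file-integrity
monitoring requirement and report any gaps."""
import xml.etree.ElementTree as ET

# Assumed interpretation of "key binaries, libraries and configuration files".
REQUIRED_DIRS = {"/etc", "/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib"}
REQUIRED_RECIPIENT = "security@meddigital.com"

# Constructed sample ossec.conf fragment (deliberately missing /usr/lib).
SAMPLE_OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>security@meddigital.com</email_to>
  </global>
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
  </syscheck>
</ossec_config>"""


def check_ossec_config(conf_text):
    """Return a list of policy findings; an empty list means compliant."""
    # A real ossec.conf may hold several top-level <ossec_config> blocks,
    # so wrap the text in a single root element before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    findings = []
    monitored = set()
    syschecks = list(root.iter("syscheck"))
    if not syschecks or any(
        s.findtext("disabled", "no").strip().lower() == "yes" for s in syschecks
    ):
        findings.append("syscheck is disabled or absent")
    for sc in syschecks:
        for d in sc.findall("directories"):
            # OSSEC accepts several comma-separated paths per element.
            monitored |= {p.strip() for p in (d.text or "").split(",") if p.strip()}
            if d.get("check_all", "no") != "yes":
                findings.append(f"check_all not enabled for {d.text}")
    for missing in sorted(REQUIRED_DIRS - monitored):
        findings.append(f"not monitored: {missing}")
    if root.findtext(".//global/email_notification", "no").strip() != "yes":
        findings.append("email notification disabled")
    recipients = {e.text.strip() for e in root.iter("email_to") if e.text}
    if REQUIRED_RECIPIENT not in recipients:
        findings.append(f"{REQUIRED_RECIPIENT} not in email_to")
    return findings
```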
Any alert carrying a CVSS score of 7.0 or higher must be evaluated as soon as the alert is received.
All servers should be configured to automatically apply security updates and all servers should be rebooted on a weekly basis.
An external port scan of all servers should be carried out on a daily basis. The scan results should be stored in the Security shared mailbox. Any open ports discovered must be investigated. Once the scan has been reviewed, it should be categorised as checked.
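The daily review described above is easier if the scan is compared automatically against the ports each server is approved to expose, so only the differences need investigating. The script below is an added example, not part of this policy; it reads nmap "grepable" (-oG) output, and the scan lines, host addresses and baseline are constructed samples.

```python
"""Compare a daily external port scan (nmap -oG output) with the approved
baseline and return the open ports that need investigation."""

# Assumed baseline of approved externally reachable TCP ports per host.
BASELINE = {
    "203.0.113.10": {80, 443},  # web server reached via the load balancer
    "203.0.113.20": {22},       # bastion host
}

# Constructed sample scan: .10 exposes an unexpected 8080, and .30 is a
# host that is not in the baseline at all.
SAMPLE_SCAN = """# Nmap 7.94 scan initiated as: nmap -oG - 203.0.113.0/28
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (997)
Host: 203.0.113.20 ()\tPorts: 22/open/tcp//ssh///, 3306/filtered/tcp//mysql///
Host: 203.0.113.30 ()\tPorts: 5900/open/tcp//vnc///
# Nmap done"""


def parse_open_ports(grepable_text):
    """Map host -> set of (port, protocol) reported as open."""
    open_ports = {}
    for line in grepable_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no ports
        host = line.split()[1]
        # The Ports field ends at the next tab-separated field (Ignored State).
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # -oG entry layout: port/state/protocol/owner/service/rpc/version/
            parts = entry.strip().split("/")
            if len(parts) < 3:
                continue
            port, state, proto = parts[0], parts[1], parts[2]
            if state == "open":
                open_ports.setdefault(host, set()).add((int(port), proto))
    return open_ports


def unexpected_open_ports(grepable_text, baseline=BASELINE):
    """Return {host: sorted unexpected open ports}; an empty dict means the
    scan can be categorised as checked with nothing to investigate."""
    findings = {}
    for host, ports in parse_open_ports(grepable_text).items():
        allowed = baseline.get(host, set())  # unknown host: nothing approved
        extra = sorted(p for p, _proto in ports if p not in allowed)
        if extra:
            findings[host] = extra
    return findings
```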
Prior to the production release of any application, the application must be subjected to an OWASP vulnerability scan. Any alerts higher than informational must be passed to the appropriate development team for investigation and remedy. The output of the scan should be stored in the M:\IT\Security\Vulnerability Scans folder.
All servers must include the system monitoring agent so that vital server components can be monitored to allow the visibility of usage trends.
Where possible, servers should be members of the auto-scaling group set up to spin up new compute resources automatically as and when required.