16-vulnerability_scanning_policy.md

File metadata and controls

35 lines (27 loc) · 2.79 KB

16. Vulnerability Scanning Policy

Wally is proactive about information security and understands that vulnerabilities need to be monitored on an ongoing basis. Wally utilizes automated tools to consistently scan, identify, and address vulnerabilities on our systems. We also utilize tools that perform file integrity checking and intrusion detection.

16.1 Applicable Standards

16.1.1 Applicable Standards from the HITRUST Common Security Framework

  • 10.m - Control of Technical Vulnerabilities

16.1.2 Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(8) - HIPAA Security Rule Evaluation

16.2 Vulnerability Scanning Policy

  1. Vulnerability scanning tool management is performed by the Wally Security Officer, or an authorized delegate of the Security Officer.
  2. Frequency of scanning is as follows:
     • on a weekly basis;
     • after every production deployment.
  3. Reviewing vulnerability reports and findings, as well as any further investigation into discovered vulnerabilities, is the responsibility of the Wally Security Officer. The process for reviewing reports is outlined below:
     1. The Security Officer initiates the review of a report by creating a ticket in the Wally QMS.
     2. The Security Officer is assigned to review the report.
     3. If new vulnerabilities are found during review, the process outlined below is used to test those vulnerabilities.
     4. Once the review is completed, the Security Officer approves or rejects the ticket. If the ticket is rejected, it goes back for further review.
     5. If the review is approved, the Security Officer then marks the ticket as Done, adding any pertinent notes required.
  4. In the case of new vulnerabilities, the following steps are taken:
     • All new vulnerabilities are verified manually to ensure they are repeatable. Those not found to be repeatable are manually tested after the next vulnerability scan, regardless of whether the specific vulnerability is discovered again.
     • Vulnerabilities that are repeatable manually are documented and reviewed by the Security Officer and Privacy Officer to determine whether they are part of the current risk assessment performed by Wally.
       • Those that are part of the current risk assessment are checked for mitigations.
       • Those that are not part of the current risk assessment trigger a new risk assessment; this process is outlined in detail in the Wally Risk Assessment Policy.
  5. All vulnerability scanning reports are retained for 6 years by Wally. Vulnerability report review is monitored on a quarterly basis using the QMS reporting to assess compliance with the above policy.
  6. Penetration testing is performed regularly as part of the Wally vulnerability management policy.
     • External penetration testing is performed annually by a third party.
     • Penetration test results are retained for 6 years by Wally.