...

Note that AWS RDS policies and mechanisms for physical and environmental security, media disposal and backup procedures are audited on a periodic basis. AWS SOC audit reports are available for customer review upon request.

Business Continuity

The ClinSpark application was designed to be inherently resilient, to maximize availability and to minimize downtime. Much of this resilience is owed to the hosting infrastructure, the Amazon Web Services (AWS) cloud. The design requirements that determine this level of resilience are specified in the Infrastructure Architecture document and to a lesser degree in the ClinSpark Application Architecture document. These documents are updated and revised from time to time as required and are available to customers upon request. The ClinSpark application is designed to:

  • Maintain high availability – single points of failure are eliminated

  • Have high fault tolerance – application and database servers fail. Service to the customer must not be interrupted and recovery time must be quick

  • Survive a full datacenter disaster without data loss or significant inconvenience to a customer

...

We use Detectify to perform OWASP Top 10 security scanning against each ClinSpark functional release build. The results of these scans are recorded and made available in the Technical File.

...

We use intruder.io to perform monthly scheduled vulnerability scans on a representative set of ClinSpark application instances. intruder.io also performs proactive scans for emerging threats on an ad-hoc basis.

Manual Penetration Testing

On a yearly basis the ClinSpark application is subjected to manual penetration testing. Currently, we use industry leading Cobolt.io for this service. A summary of findings from the pentest vendor is produced and reviewed by the product team, and is available for customer review upon request. Findings are summarized into four classifications that are aligned with the OWASP Risk Rating Methodology.

  • Critical = Address immediately via hotfix release.

  • High = Address in the current functional release in development.

  • Medium = Prioritized into the next functional release.

  • Low = Added to backlog, to be prioritized into an upcoming release.

We evaluate all findings and the remediation approach based on the criticalities assigned, subject to risk/impact analysis. Findings that require significant changes may span multiple releases.

Security Code Reviews - SDLC

ClinSpark application enhancement tickets are categorized by security risk, and appropriate reviews are conducted as part of our SDLC process. Evidence of this is provided in the Technical File.

...

AWS Hosting Infrastructure

All ClinSpark application instances are hosted within Foundry Health’s AWS account.

...

Infrastructure as Code is used for build-outs of PROD Main ClinSpark instances. This ensures that key configurations such as TLS levels, load balancer settings, patching configurations and other security-related configurations are applied in a repeatable and secure fashion.

...

All server instances receive regular and automated security and bug-fix patching. This is done using AWS Patch Manager.

Malware

The ClinSpark application is deployed to an Amazon Linux image provided by Amazon Web Services for use on Amazon Elastic Compute Cloud (Amazon EC2).

...

Due to the backup processes described above, the Engineering team does not formally test restore procedures.

...

Application Development and Support Staff

User Workstations

User workstations are provided by our parent company, IQVIA. These machines are fully managed and monitored and equipped with regularly updated anti-malware measures.

...