...

On a yearly basis the ClinSpark web application, supporting applications (such as SparkPlug), and certain infrastructure components are subjected to manual penetration testing conducted by an external vendor. The testing takes place in a controlled environment created specifically for this purpose. Penetration testing is not performed on any customer environments or on environments that contain sensitive data.

A summary of findings from the pentest vendor is produced and reviewed by the product team. Findings are summarized into four classifications that are aligned with the OWASP Risk Rating Methodology. Review and remediation actions are prioritized according to these classifications.

...

Centralized Security Infrastructure Monitoring

Datadog is our primary observability platform, providing security monitoring and investigation capabilities. In addition, AWS Security Hub is configured to monitor and alert upon a wide variety of infrastructure security aspects. AWS GuardDuty provides active AI-driven real-time intrusion detection. AWS Macie constantly monitors the environment for PHI leaks or unusual privileged activity in AWS CloudTrail, which audits all AWS user activity. AWS Detective provides tool-assisted investigation capabilities for rapid root-cause analysis of potential security issues.

...

Application logs are centrally stored in Datadog. VPC Flow Logs are stored in S3 to support investigation of security incidents as required.

...

All server instances receive regular and automated security and bug-fix patching. This is done using our Infrastructure as Code platforms.

Malware

The application is deployed to an Amazon Linux image provided by Amazon Web Services for use on Amazon Elastic Compute Cloud (Amazon EC2).

...

User workstations are provided by IQVIA. These machines are fully managed and monitored and equipped with regularly updated anti-malware measures.

Bring Your Own Device (BYOD) Policy

Some BYOD workstations may be used for development and support purposes and are monitored by Kolide for endpoint security. This provides visibility into our requirements for security patching, anti-malware measures, use of an approved password manager, hard drive encryption and other security configurations appropriate for the specific workstation. Violation notifications and a review process are in place.

Periodic Review of Access Privileges

Support ('Superadmin') access to customer environments is reviewed and documented quarterly.

...