Empowering a Secure and Private Wellness Journey

Application Security

• Implements robust source code analysis and security scanning protocols on a daily basis to detect and rectify security vulnerabilities before deployment. This includes a comprehensive review process for applications to address security concerns, ensuring a secure product release.

Customer Access Requirements

• Strictly manages customer access to data and systems by thoroughly assessing and resolving all security, contractual, and regulatory requirements beforehand, ensuring secure and compliant access.

Data Integrity

• Maintains data integrity through regular, automated audits, verifying the accuracy and consistency of stored data, thereby safeguarding against unauthorized modifications.

Independent Audits

• Engages with external auditors to conduct thorough assessments of network and application security, providing transparency through access to audit reports and conducting regular penetration testing in line with best industry practices.

Information System Regulatory Mapping

• Proactively reviews and adjusts security documentation and policies on a quarterly basis to remain aligned with evolving regulatory requirements, ensuring continuous compliance.

Business Continuity Testing

• Regularly tests and updates contingency plans to guarantee organizational resilience and the continuous delivery of services under various scenarios.

Policy

• Develops and maintains comprehensive policies supporting the roles essential for service operations, ensuring readiness and response efficiency.

Retention Policy

• Implements strict data retention and backup policies, using tools to enforce and test data preservation and recovery protocols annually for robustness.

Unauthorized Software Installations

• Enforces strict controls to prevent unauthorized software installations, including rigorous approval processes and monitoring protocols to ensure software integrity and security.

E-commerce Transactions

• Secures e-commerce transactions using standardized, high-grade encryption methods for data transmission over public networks, ensuring the protection of sensitive information.

Nonproduction Data

• Adopts strict policies to prevent the copying or use of actual customer data in non-production environments, emphasizing the secure handling and deletion of data.

Asset Management

• Maintains an accurate inventory of all critical assets with defined ownership, employing automated tools for inventory management to ensure asset integrity and security.

Controlled Access Points

• Implements comprehensive physical security measures, including controlled access points to secure sensitive data and system areas, suitable for organizations handling high volumes of sensitive information.

User Access

• Adheres to stringent physical access controls for data center environments, ensuring only authorized personnel can access critical infrastructure, thereby protecting against unauthorized entry.

Key Generation

• Facilitates secure encryption practices by allowing for the generation of unique encryption keys per tenant, ensuring that customer data is safeguarded with individualized keys.

Encryption

• Applies strong encryption standards for protecting sensitive customer data at rest, employing industry-recognized encryption protocols to ensure data confidentiality and integrity.

Baseline Requirements

• Regularly reviews and updates all security policies and procedures, ensuring they reflect current best practices and compliance with regulatory requirements, fostering a secure and compliant operational environment.

Policy

• Ensures that all personnel are aware of and understand the security policies through comprehensive distribution and mandatory acknowledgment, reinforcing a culture of security and compliance.

Training / Awareness

• Mandates annual security awareness training for all employees, emphasizing the importance of security best practices and compliance with company policies to maintain a vigilant and informed workforce.

Background Screening

• Conducts comprehensive background checks for all new hires in compliance with legal standards, ensuring the integrity and reliability of the workforce.

Employment Agreements

• Incorporates confidentiality and data protection clauses in employment contracts, reinforcing the commitment to secure handling of information.

Employment Termination

• Has established protocols for addressing changes in employment status, including secure termination procedures to protect information and assets.

Audit Tools Access

• Implements strict policies and logging mechanisms to regulate and monitor access to security management systems, ensuring controlled and recorded usage.

User Access Policy

• Enforces a policy of removing unnecessary business access to maintain a secure and minimal access environment, adhering to the principle of least privilege.

Policies and Procedures

• Maintains robust policies and procedures for managing user access levels, ensuring that access is granted based on authorization and necessity.

Source Code Access Restriction

• Restricts access to source code to authorized personnel only, maintaining strict control over who can view and modify the codebase.

User Access Restriction / Authorization

• Implements stringent procedures to document and enforce user access restrictions, ensuring that access is granted based on the principle of least privilege.

User Access Reviews

• Conducts regular reviews and validations of user entitlements to ensure ongoing compliance and alignment with access policies.

User Access Revocation

• Ensures timely de-provisioning of user access rights upon employment termination or role change, maintaining security and control over access rights.

Audit Logging / Intrusion Detection

• Utilizes advanced intrusion detection systems (IDS) and restricts access to audit logs to ensure the integrity and confidentiality of log data.

Clock Synchronization

• Adheres to protocols for uniform time synchronization across systems using Network Time Protocol (NTP), ensuring accurate and consistent time-stamping.

OS Hardening and Base Controls

• Maintains and reviews operating system hardening standards annually to ensure a secure and robust infrastructure against potential vulnerabilities.

Production / Non-Production Environments

• Enforces strict segregation between production and non-production environments, maintaining formal inventories and access controls.

Segmentation

• Implements network segmentation and regular reviews of firewall rulesets to ensure secure and controlled network access.

VMM Security – Hypervisor Hardening

• Applies rigorous security controls for virtual machine monitors (VMMs) and hypervisors, enforcing access controls and technical safeguards.

Wireless Security

• Establishes secure wireless network protocols with strong encryption standards to protect against unauthorized access and data breaches.

Incident Management

• Regularly tests and updates the incident response plan to ensure effective management and mitigation of security incidents.

Incident Reporting

• Requires prompt reporting of security events by all personnel, fostering a culture of vigilance and immediate response.

Incident Response Legal Preparation

• Incorporates confidentiality and data protection clauses in employment contracts, preparing legally for potential incidents and data breaches.

Incident Reporting

• Facilitates electronic logging and communication of security incidents, ensuring prompt and accurate incident documentation.

Network / Infrastructure Services

• Monitors the capacity and usage of cloud hosting services to maintain operational efficiency and security.

Third Party Agreements

• Integrates security commitments into third-party agreements, ensuring vendors adhere to the same high standards of security.

Supply Chain Metrics

• Provides transparency on operational performance and service level agreements (SLAs) to tenants, ensuring accountability in the supply chain.

Third Party Audits

• Conducts annual reviews and audits of third-party providers to ensure compliance with security standards and practices.

Antivirus / Malicious Software

• Installs and maintains robust antivirus and anti-malware solutions across the infrastructure to protect against malicious software threats.

Vulnerability / Patch Management

• Implements a proactive vulnerability and patch management program to identify and address security vulnerabilities in a timely manner.

Mobile Code

• Manages and controls the use of mobile code to prevent unauthorized or harmful code execution on the organization’s systems.