# 16. Vulnerability Scanning Policy
WayToHealth is proactive about information security and understands that vulnerabilities need to be monitored on an ongoing basis. WayToHealth utilizes Nessus Scanner from Tenable to consistently scan, identify, and address vulnerabilities on our systems.
## 16.1 Applicable Standards

### 16.1.1 Applicable Standards from the HITRUST Common Security Framework
- 10.m - Control of Technical Vulnerabilities
### 16.1.2 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(8) - Evaluation
## 16.2 Vulnerability Scanning Policy
- Nessus management is performed by the WayToHealth Security Officer, or an authorized delegate of the Security Officer.
- Nessus is used to monitor all internal IP addresses (servers, VMs, etc.) on WayToHealth networks.
- Frequency of scanning is as follows:
    - at least on a monthly basis;
    - after every production deployment.
- Reviewing Nessus reports and findings, as well as any further investigation into discovered vulnerabilities, is the responsibility of the WayToHealth Security Officer. The process for reviewing Nessus reports is outlined below:
    - The Security Officer initiates the review of a Nessus Report by creating a Ticket in the WayToHealth TQMS.
    - The Security Officer, or designated personnel, is assigned to review the Nessus Report.
    - If new vulnerabilities are found during review, the process outlined below is used to test those vulnerabilities. Once those steps are completed, the Ticket is then reviewed again.
    - Once the review is completed, the Security Officer approves or rejects the Ticket. If the Ticket is rejected, it goes back for further review.
    - If the review is approved, the Security Officer then marks the Ticket as Done, adding any pertinent notes required.
- In the case of new vulnerabilities, the following steps are taken:
    - All new vulnerabilities are verified manually to assure they are repeatable. Those not found to be repeatable are manually tested after the next vulnerability scan, regardless of whether the specific vulnerability is discovered again.
    - Vulnerabilities that are repeatable manually are documented and reviewed by the Security Officer and Privacy Officer to see if they are part of the current risk assessment performed by WayToHealth.
        - Those that are a part of the current risk assessment are checked for mitigations.
        - Those that are not part of the current risk assessment trigger a new risk assessment, and this process is outlined in detail in the WayToHealth Risk Assessment Policy.
- All vulnerability scanning reports are retained for 6 years by WayToHealth. Vulnerability report review is monitored on a quarterly basis using the TQMS reporting to assess compliance with the above policy.
- Penetration testing is performed regularly as part of the WayToHealth vulnerability management policy.
    - External penetration testing is performed annually by a third party.
    - Internal penetration testing is performed bi-annually. Below is the process used to conduct internal penetration tests.
        - The Security Officer initiates the penetration test by creating a Ticket in the WayToHealth TQMS.
        - The Security Officer, or a WayToHealth Security Engineer assigned by the Security Officer, is assigned to conduct the penetration test.
        - Gaps and vulnerabilities identified during penetration testing are reviewed, with plans for correction and/or mitigation, by the WayToHealth Security Officer before the Ticket can move to be approved.
        - Once the testing is completed, the Security Officer approves or rejects the Ticket. If the Ticket is rejected, it goes back for further testing and review.
        - If the Ticket is approved, the Security Officer then marks the Ticket as Done, adding any pertinent notes required.
    - Penetration test results are retained for 6 years by WayToHealth.
    - Internal penetration testing is monitored on an annual basis using the TQMS reporting to assess compliance with the above policy.
- This vulnerability policy is reviewed on an annual basis by the Security Officer and Privacy Officer.