16.0 Vulnerability Scanning Policy

iDialogs is proactive about information security and understands that vulnerabilities need to be monitored on an ongoing basis. iDialogs primarily utilizes Lynis to consistently scan for, identify, and address vulnerabilities on our systems. We also run OSSEC on all systems for file integrity monitoring, log analysis, and host-based intrusion detection.

16.1 Applicable Standards

16.1.1 Applicable Standards from the HITRUST Common Security Framework

  • 10.m - Control of Technical Vulnerabilities

16.1.2 Applicable Standards from the HIPAA Security Rule

  • CFR § 164.308(a)(8) - Evaluation

16.2 Vulnerability Scanning Policy

  1. Lynis, Nmap, ZAP, SSL Labs, and several other tools (collectively referred to as the Seccubus security suite) are used together for scanning and scan management. Operation of these tools is performed and managed by the iDialogs Security Officer, with assistance from the VP of Engineering if required.
  2. The Seccubus suite is used to scan and test for known vulnerabilities and for HIPAA/HITRUST/HISECURE compliance status on all host machines in the production and development environments.
  3. Frequency of scanning is as follows:
    1. On a bi-weekly basis;
    2. After every production deployment.
  4. Reviewing Seccubus reports and findings, as well as any further investigation into discovered vulnerabilities, are the responsibility of the iDialogs Security Officer. The process for reviewing Seccubus reports is outlined below:
    1. The Security Officer initiates the review of a Seccubus Report by creating an Issue in the JIRA Compliance Review Activity (CRA) Project.
    2. The Security Officer, or an iDialogs Security Engineer assigned by the Security Officer, is assigned to review the Seccubus Report.
    3. If new vulnerabilities are found during review, they are verified and assessed using the process described in item 5 below. Once those steps are completed, the Issue is reviewed again.
    4. Once the review is completed, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review.
    5. If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.
  5. In the case of new vulnerabilities, the following steps are taken:
    1. All new vulnerabilities are verified manually to confirm they are repeatable. Those not found to be repeatable are manually re-tested after the next vulnerability scan, regardless of whether the specific vulnerability is reported again.
    2. Vulnerabilities that are repeatable manually are documented and reviewed by the Security Officer, VP of Engineering, and Privacy Officer to see if they are part of the current risk assessment performed by iDialogs.
    3. Those that are a part of the current risk assessment are checked for mitigations.
    4. Those that are not part of the current risk assessment trigger a new risk assessment, and this process is outlined in detail in the iDialogs Risk Assessment Policy.
  6. All vulnerability scanning reports are retained for 6 years by iDialogs. Vulnerability report review is monitored on a quarterly basis using JIRA reporting to assess compliance with the above policy.
  7. Penetration testing is performed regularly as part of the iDialogs vulnerability management policy.
    1. External penetration testing is performed bi-annually by a third party.
    2. Internal penetration testing is performed quarterly. Below is the process used to conduct internal penetration tests.
      1. The Security Officer initiates the penetration test by creating an Issue in the JIRA Compliance Review Activity (CRA) Project.
      2. The Security Officer, or an iDialogs Security Engineer assigned by the Security Officer, is assigned to conduct the penetration test.
      3. Gaps and vulnerabilities identified during penetration testing are reviewed, with plans for correction and/or mitigation, by the iDialogs Security Officer before the Issue can move to be approved.
      4. Once the testing is completed, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further testing and review.
      5. If the Issue is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.
    3. Penetration test results are retained for 6 years by iDialogs.
    4. Internal penetration testing is monitored on an annual basis using JIRA reporting to assess compliance with the above policy.
  8. This vulnerability policy is reviewed on a quarterly basis by the Security Officer and Privacy Officer.