26. HealthSafe Technical Vulnerability Management Policy


TECHNICAL VULNERABILITY MANAGEMENT POLICY



Document Identification:  HSNZ/POL/26
Document Name:            Technical Vulnerability Policy
Master Copy:              CISO
Version Number:           1.3
Date Of Release:          15 Aug 2023
Prepared By:              Eparama Tuibenau, CISO
Approved by:              Kevin McAfee, Managing Director


VERSION HISTORY

Sl No  Version No.   Prepared by  Approved by  Description of Version  Date         Reason for Version Change
       From   To
1      1.0    -      CISO         MD           First Release           14 Apr 2020  No changes made
1      1.0    1.1    CISO         MD           Updated                 2 Aug 2021   Modifications due to changes in HealthSafe
1      1.1    1.2    CISO         MD           Reviewed                28 Jul 2022  Annual review
1      1.2    1.3    CISO         MD           Reviewed                15 Aug 2023  Annual review


DOCUMENT STATUS

Date         Document Status
14 Apr 2020  Modified
2 Aug 2021   Reviewed
28 Jul 2022  Current
15 Aug 2023  Current


Table of Contents

1 Purpose
2 Scope
3 Abbreviations, Acronyms and Definitions
4 Input
5 Output
6 Interacting Process
7 Procedure
8 Monitoring the Process
9 Records




1 PURPOSE

The purpose of this document is to establish and maintain a policy for technical vulnerability management for HealthSafe NZ.

2 SCOPE

These procedures apply to all aspects of technical vulnerability management.

3 ABBREVIATIONS, ACRONYMS AND DEFINITIONS

Abbreviation  Description
FH            Functional Head
IT            Information Technology Department
TL            Team Lead
CISO          Chief Information Security Officer
QA            Quality Assurance


4 INPUT

To ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment.


5 OUTPUT

Technical Vulnerability Report 


6 INTERACTING PROCESS

The operations team notifies QA, who then notify the developers.


7 PROCEDURE

  • The CISO and the Team Lead responsible for application systems are also responsible for the security of the project or support environment.
  • All proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment.
  • Technical vulnerability tests/penetration tests are also carried out in case of any major changes, as and when applicable.
  • Information and data in motion between systems are managed by third-party encryption tools.

8 MONITORING PROCESS

  • The IT Department monitors this process.

9 RECORDS

  • JIRA bug reporting
  • Penetration testing from third-party auditors