Addendum and References
The following is a list of policy addenda and references.
Controls and Procedures
Key Definitions
2023.1
- Application: An application hosted by Vihanti, either maintained and created by Vihanti, or maintained and created by a Customer or Partner.
- Application Level: Controls and security associated with an Application. In the case of PaaS Customers, Vihanti does not have access to and cannot assure compliance with security standards and policies at the Application Level.
- Audit: Internal process of reviewing information system access and activity (e.g., log-ins, file accesses, and security incidents). An audit may be done as a periodic event, as a result of a customer complaint, or on suspicion of employee wrongdoing.
- Audit Controls: Technical mechanisms that track and record computer/system activities.
- Audit Logs: Encrypted records of activity maintained by the system which provide: 1) date and time of the activity; 2) origin of the activity (app); 3) identification of the user performing the activity; and 4) data accessed as part of the activity.
- Access: The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.
- BaaS: Backend-as-a-Service. A set of APIs, and associated SDKs, for rapid mobile and web application development. The APIs offer the ability to create users, perform authentication, store data, and store files.
- Backup: The process of making an electronic copy of data stored in a computer system. This can either be complete, meaning all data and programs, or incremental, including just the data that changed since the previous backup.
- Backup Service: A logging service for unifying system and application logs, encrypting them, and providing a dashboard for them. Offered with all Vihanti Add-ons and as an option for PaaS Customers.
- Breach: A data breach is the intentional or unintentional release of secure or sensitive information to an untrusted environment or individual. A data breach often involves an incident where information is stolen or taken from a system without the knowledge or authorization of the system’s owner.
- De-identification: The process of removing identifiable information so that the data is no longer personally identifiable.
- Disaster Recovery: The ability to recover a system and its data after they have been made unavailable.
- Disaster Recovery Service: A disaster recovery service for use in the case of system unavailability. This includes both the technical and the non-technical (process) elements required to effectively stand up an application after an outage. Offered with all Vihanti Add-ons and as an option for PaaS Customers.
- Disclosure: The release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.
- Customers: Contractually bound users of the Vihanti Platform and/or services.
- Environment: The overall technical environment, including all servers, network devices, and applications.
- Event: An occurrence that does not constitute a serious adverse effect on Vihanti, its operations, or its Customers, though it may be less than optimal. Examples of events include, but are not limited to:
  - A hard drive malfunction that requires replacement;
  - Systems becoming unavailable due to a power outage that is non-hostile in nature, with redundancy to assure ongoing availability of data;
  - Accidental lockout of an account due to incorrectly entering a password multiple times.
- Hardware (or hard drive): Any computing device able to create and store sensitive data.
- IaaS: Infrastructure-as-a-Service.
- Individually Identifiable Health Information: Information that is a subset of health information, including demographic information collected from an individual, and is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
- Indication: A sign that an Incident may have occurred or may be occurring at the present time. Examples of indications include:
  - The network intrusion detection sensor alerts when a known exploit occurs against an FTP server. Intrusion detection is generally reactive, looking only for footprints of known attacks. It is important to note that many IDS “hits” are also false positives and are neither an event nor an incident;
  - The antivirus software alerts when it detects that a host is infected with a worm;
  - Users complain of slow access to hosts on the Internet;
  - The system administrator sees a filename with unusual characteristics;
  - Automated alerts of activity from log monitors like OSSEC;
  - An alert from OSSEC about file system integrity issues.
- Intrusion Detection System (IDS): A software tool used to automatically detect and notify in the event of possible unauthorized network and/or system access.
- IDS Service: An Intrusion Detection Service that provides IDS notification to customers in the case of suspicious activity. Offered with all Vihanti Add-ons and as an option for PaaS Customers.
- Law Enforcement Official: Any officer or employee of an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to investigate or conduct an official inquiry into a potential violation of law; or prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.
- Logging Service: A logging service for unifying system and application logs, encrypting them, and providing a dashboard for them. Offered with all Vihanti Add-ons and as an option for PaaS Customers.
- Messaging: API-based services to deliver and receive SMS messages.
- Minimum Necessary Information: Protected health information that is the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. The “minimum necessary” standard applies to all protected health information in any form.
- Off-Site: For the purpose of storage of Backup media, off-site is defined as any location separate from the building in which the backup was created. It must be physically separate from the creating site.
- Organization: For the purposes of this policy, the term “organization” shall mean Vihanti.
- PaaS: Platform-as-a-Service.
- Partner: Contractually bound 3rd party vendor with an integration with the Vihanti Platform. May offer Add-on services.
- PMP or Platform: Vihanti Precision Medicine Platform and its overall technical environment.
- Role: The category or class of person or persons doing a type of job, defined by a set of similar or identical responsibilities.
- Sanitization: Removal or the act of overwriting data to the point of preventing the recovery of the data on the device or media that is being sanitized. Sanitization is typically done before re-issuing a device or media, donating equipment that contained sensitive information, or returning leased equipment to the lending company.
- Trigger Event: Activities that may be indicative of a security breach and that require further investigation (See Appendix).
- Restricted Area: Those areas of the building(s) where protected health information and/or sensitive organizational information is stored, utilized, or accessible at any time.
- Precursor: A sign that an Incident may occur in the future. Examples of precursors include:
  - Suspicious network and host-based IDS events/attacks;
  - Alerts as a result of detecting malicious code at the network and host levels;
  - Alerts from file integrity checking software;
  - Audit log alerts.
- Risk: The likelihood that a threat will exploit a vulnerability, and the impact of that event on the confidentiality, availability, and integrity of sensitive data, other confidential or proprietary electronic information, and other system assets.
- Risk Management Team: Individuals who are knowledgeable about the Organization’s Privacy, Security and Compliance policies, procedures, training program, computer system set up, and technical security controls, and who are responsible for the risk management process and procedures outlined below.
- Risk Assessment:
  - Identifies the risks to information system security and determines the probability of occurrence and the resulting impact for each threat/vulnerability pair identified, given the security controls in place;
  - Prioritizes risks; and
  - Results in recommended possible actions/controls that could reduce or offset the determined risk.
- Risk Management: Within this policy, it refers to two major process components: risk assessment and risk mitigation.
- Risk Mitigation: A process that prioritizes, evaluates, and implements security controls that will reduce or offset the risks determined in the risk assessment process to satisfactory levels within an organization, given its mission and available resources.
- SaaS: Software-as-a-Service.
- Security Incident (or just Incident): An occurrence that exercises a significant adverse effect on people, process, technology, or data. Security incidents include, but are not limited to:
  - A system or network breach accomplished by an internal or external entity; this breach can be inadvertent or malicious;
  - Unauthorized disclosure;
  - Unauthorized change or destruction of sensitive data (i.e., deletion or alterations not following Vihanti’s procedures);
  - Denial of service not attributable to identifiable physical, environmental, human or technology causes;
  - Disaster or enacted threat to business continuity;
  - Information Security Incident: A violation or imminent threat of violation of information security policies, acceptable use policies, or standard security practices. Examples of information security incidents may include, but are not limited to, the following:
    - Denial of Service: An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources;
    - Malicious Code: A virus, worm, Trojan horse, or other code-based malicious entity that infects a host;
    - Unauthorized Access/System Hijacking: A person gains logical or physical access without permission to a network, system, application, data, or other resource. Hijacking occurs when an attacker takes control of network devices or workstations;
    - Inappropriate Usage: A person violates acceptable computing use policies;
  - Other examples of observable information security incidents may include, but are not limited to:
    - Use of another person’s individual password and/or account to log in to a system;
    - Failure to protect passwords and/or access codes (e.g., posting passwords on equipment);
    - Installation of unauthorized software;
    - A terminated workforce member accessing applications, systems, or the network.
- Threat: The potential for a particular threat-source to successfully exercise a particular vulnerability. Threats are commonly categorized as:
  - Environmental - external fires, HVAC failure/temperature inadequacy, water pipe burst, power failure/fluctuation, etc.
  - Human - hackers, data entry, workforce/ex-workforce members, impersonation, insertion of malicious code, theft, viruses, SPAM, vandalism, etc.
  - Natural - fires, floods, electrical storms, tornados, etc.
  - Technological - server failure, software failure, ancillary equipment failure, etc., and environmental threats, such as power outages and hazardous material spills.
  - Other - explosions, medical emergencies, misuse of resources, etc.
- Threat Source: Any circumstance or event with the potential to cause harm (intentional or unintentional) to an IT system. Common threat sources can be natural, human or environmental, and can impact the organization’s ability to protect sensitive data.
- Threat Action: The method by which an attack might be carried out (e.g., hacking, system intrusion, etc.).
- Unrestricted Area: Those areas of the building(s) where protected health information and/or sensitive organizational information is not stored, not utilized, or not accessible on a regular basis.
- Vendor: External individuals or organizations marketing or selling products or services, or providing services, to Vihanti.
- Vulnerability: A weakness or flaw in an information system that can be accidentally triggered or intentionally exploited by a threat and lead to a compromise in the integrity of that system, i.e., resulting in a security breach or violation of policy.
- Workstation: An electronic computing device, such as a laptop or desktop computer, or any other device that performs similar functions, used to create, receive, maintain, or transmit sensitive data. Workstation devices may include, but are not limited to: laptop or desktop computers, smart phones, tablet PCs, and other handheld devices. For the purposes of this policy, “workstation” also includes the combination of hardware, operating system, application software, and network connection.
- Workforce: Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.
Employee Handbook and Policy Quick Reference
2023.1
This is an abridged version of Vihanti’s security policy that all workforce members are required to be familiar with and comply with.
You are assumed to have read and fully understood the corporate security and privacy policies, standards, guidelines, controls and procedures even if you haven’t. So, it’s probably best you still go through the whole thing at some point.
- You are required to follow detailed procedures defined in certain policies related to your job role.
Security is everyone’s responsibility. If this is not your first job, don’t do anything that might get you in trouble at your previous workplace. When in doubt, stop and ask.
Acknowledgement
As a Vihanti employee, I acknowledge that
- I have reviewed and will comply with company security policies and procedures, acceptable use, and sanction policies.
- I accept that my work devices, including approved BYOD devices, and activities on such devices are subject to security monitoring.
- I will protect my work devices at remote locations and will not leave devices unattended.
- I will ensure my laptops and workstations are securely configured with whole disk encryption, endpoint security agent, malware protection, local firewall, password protected screensaver, and latest security patches.
- I will follow documented policies and procedures to protect sensitive and confidential data.
- I understand that customer data and sensitive data may only be stored in approved production environments.
- I understand company and regulatory requirements to protect critical data and will NOT
  - store critical data such as customer data and passwords on online file shares (such as Google Drive, SharePoint, Dropbox), in logs, or in source code;
  - send critical data such as customer data and passwords by email, chat, or similar public communication channels;
  - post critical data such as customer data and passwords in blogs, support tickets or other public forums; and
  - discuss customer information in public.
- I understand that use of paper records and fax transmission for sensitive customer data is not allowed.
- I will keep my passwords confidential and will NOT share my individual user passwords with other users.
- I will NOT use shared/generic, guest/anonymous, emergency or temporary accounts without explicit approval.
- I will regularly back up business data on my user devices to approved data storage media/repositories such as the company SharePoint site.
- I will report any incident and suspicious activity to Security and/or my manager.
Training
You will be prompted as part of onboarding, and periodically going forward, to complete the following security training:
- General security policy and procedures training, including
  - Ongoing security awareness training (a monthly series, currently provided by )
- Role-based security training
  - all members of the Development/Engineering team must carefully review the following policies and procedures
  - all members of the Administrative, Marketing and Procurement teams must review the following policies and procedures
  - all members of the Administrative and Senior Leadership/Executive teams must review the following policies and procedures
  - all members of the HR and Facilities teams must review the following policies and procedures
  - all team members responsible for Product Management and Business Development must review the following policies and procedures
  - all members of the Security, Compliance and IT teams must review all policies and procedures in their entirety
Acceptable use policy for end-user computing
Vihanti policy requires that:
(a) Per Vihanti security architecture, all workforce members are primarily considered as remote users and therefore must follow all system access controls and procedures for remote access.
(b) Use of Vihanti computing systems is subject to monitoring by Vihanti IT and/or Security team.
(c) Employees may not leave computing devices (including laptops and smart devices) used for business purpose, including company-provided and BYOD devices, unattended in public.
(d) Device encryption must be enabled for all mobile devices accessing company data, such as whole-disk encryption for all laptops.
(e) Use only legal, approved software with a valid license. Do not use personal software for business purposes and vice versa.
(f) Encrypt all email messages containing sensitive or confidential data.
(g) Employees may not post any sensitive or confidential data in public forums or chat rooms. If a posting is needed to obtain technical support, data must be sanitized to remove any sensitive or confidential information prior to posting.
(h) Anti-malware or equivalent protection and monitoring must be installed and enabled on all endpoint systems that are commonly affected by malware, including workstations, laptops and servers.
(i) All data storage devices and media must be managed according to the Vihanti Data Classification specifications and Data Handling procedures.
(j) Mobile devices are not allowed to connect directly to Vihanti production environments.
Your responsibilities for computing devices
Vihanti provides company-issued laptops and workstations to all employees. Vihanti currently does not require or support employees bringing their own computing devices.
The laptops and/or workstations assigned to you are yours to configure and manage according to company security policy and standards. You are responsible to
- configure the system to meet the configuration and management requirements, including password policy, screen protection timeout, host firewall, etc.;
- ensure the required anti-malware protection and security monitoring agent are installed and running; and
- install the latest security patches in a timely manner or enable auto-update.
IT and Security provides automated scripts for end-user system configurations and/or technical assistance as needed.
You are also responsible for maintaining a backup copy of the business files stored locally on your laptop/workstation in the appropriate location on the Vihanti file sharing / team site (e.g. SharePoint). Examples of business files include, but are not limited to:
- Documents (e.g. product specs, business plans)
- Presentations
- Reports and spreadsheets
- Design files/images/diagrams
- Meeting notes/recordings
- Important records (e.g. approval notes)
Important
DO NOT back up critical data such as customer data or PII to file sharing sites. If you have such critical data locally on your device, contact IT and Security for the appropriate data management and protection solution.
Unless the local workstation/device has access to Critical data, backups of user workstations/devices are self-managed by the device owner. Backups may be stored on an external hard drive or using a cloud service such as iCloud if and only if the data is both encrypted and password protected (passwords must meet Vihanti requirements).
Getting help
Support for most of our business applications is self-service, such as password reset via JumpCloud.
If needed, users may use our internal service desk to request IT and Security support. Common requests include:
- Password reset and access requests
- Request new software and hardware
- Technical support
- Recommend changes to policies and processes
How to report an incident or suspicious activity
You are responsible to report all suspicious activities and security-related incidents immediately to the Information Security team, by one of the following channels:
- (preferred) “Report a security incident” by creating an issue on Jira.
- If access to the ticketing system is not available, employees may send an email to [email protected].
- Additionally, employees may report the incident to their direct manager.
- To report a concern under the Whistleblower Policy, you may first discuss the concerns with your immediate manager, or report it directly to the CEO or COO. See the Whistleblower Policy section in the HR Security Policy for additional details.
Approved Software
2023.1
Software approved for use at Vihanti includes, but is not limited to:
- Affinity suite
- Atlassian suite
- Code editors (Atom, Emacs, Vim, VS Code, etc)
- Docker
- Google suite
- Node/NPM
- JumpCloud (and any apps/services managed by JumpCloud)
- Paw
- Whereby
- Zoom
Reputable and well documented open source / free software may be used for development purposes at the discretion of the Engineering team. Cb Defense agents must be active to monitor the behavior of all application processes. Additional periodic audits may be conducted to review the usage of open source tools. Examples of such software include, but are not limited to:
- Chrome and various browser extensions
- Firefox and various browser extensions
- Homebrew
Software not in the list above may be installed if it is necessary for a business purpose, legal, with a valid license, and approved on a case-by-case basis by your manager or the Security Officer.
Approved Vendors
2023.1
For confidentiality reasons, the list of approved vendors is maintained internally on the company Wiki / SharePoint site.
NIST Mappings to Vihanti Policies and Controls
2023.1
Below is a list of NIST SP 800-53 Control Families and their mappings to the Vihanti policies and controls in place.