Village Software. Security Assessment Report

Similar documents
TRACKVIA SECURITY OVERVIEW

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Twilio cloud communications SECURITY

Our Data Protection Officer is Andrew Garrett, Operations Manager

HIPAA / HITECH Overview of Capabilities and Protected Health Information

ecare Vault, Inc. Privacy Policy

Janie Appleseed Network Privacy Policy

VERSION 1.3 MAY 1, 2018 SNOWFLY PRIVACY POLICY SNOWFLY PERFORMANCE INC. P.O. BOX 95254, SOUTH JORDAN, UT

Google Cloud & the General Data Protection Regulation (GDPR)

DLB Privacy Policy. Why we require your information

Layer Security White Paper

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

NOTICE OF PERSONAL DATA PROCESSING

The simplified guide to. HIPAA compliance

DROPBOX.COM - PRIVACY POLICY

Privacy Policy. Optimizely, Inc. 1. Information We Collect

DATA PROTECTION AND PRIVACY POLICY

Our Privacy Policy gives you detailed information on when and why we collect your personal information, how we use it and how we keep it secure.

FACTS WHAT DOES FARMERS STATE BANK DO WITH YOUR PERSONAL INFORMATION? WHY? WHAT? HOW? L QUESTIONS?

KantanMT.com. Security & Infra-Structure Overview

Accelerate GDPR compliance with the Microsoft Cloud

Five Ways to Improve Electronic Patient Record Handling for HIPAA/HITECH with Managed File Transfer

OnlineNIC PRIVACY Policy

Revision History. Revision # Date Author Sections Altered Rev 1.0 2/15/15 Ben Price New Document

GDPR Compliant. Privacy Policy. Updated 24/05/2018

General Data Protection Regulation (GDPR) and the Implications for IT Service Management

In this policy, whenever you see the words we, us, our, it refers to Ashby Concert Band Registered Charity Number

How icims Supports. Your Readiness for the European Union General Data Protection Regulation

Getting ready for GDPR

Privacy Policy. Effective date: 21 May 2018

efolder White Paper: HIPAA Compliance

Compliance of Panda Products with General Data Protection Regulation (GDPR) Panda Security

What options NETIM offers, including those related to gaining of access to and updating of information.

EU General Data Protection Regulation (GDPR) Achieving compliance

A company built on security

A Checklist for Cybersecurity and Data Privacy Diligence in TMT Transactions

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Synchronoss Website Privacy Statement

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

Therapy Provider Portal. User Guide

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

VETDATA PRIVACY POLICY

Swedish bank overcomes regulatory hurdles and embraces the cloud to foster innovation

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE

Workday s Robust Privacy Program

Chapter 12. Information Security Management

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Privacy Policy for Scholaric.com

What is the website's privacy policy?

SURGICAL REVIEW CORPORATION Privacy Policy

Grand Orange Lodge of Ireland Privacy Notice

ETSY.COM - PRIVACY POLICY

General Data Protection Regulation (GDPR)

GDPR Update and ENISA guidelines

PS Mailing Services Ltd Data Protection Policy May 2018

etouches, Inc. Privacy Policy

PCI DSS Compliance. White Paper Parallels Remote Application Server

Security Information & Policies

Cloud Communications for Healthcare

MASTERCARD PRICELESS SPECIALS INDIA PRIVACY POLICY

SECURITY AND DATA REDUNDANCY. A White Paper

PRIVACY POLICY QUICK GUIDE TO CONTENTS

Version 1/2018. GDPR Processor Security Controls

GDPR Compliance. Clauses

A1 Complete Plumbing and Heating Limited Job Applicant Privacy Notice

BISHOP GROSSETESTE UNIVERSITY. Document Administration. This policy applies to staff, students, and relevant data subjects

ngenius Products in a GDPR Compliant Environment

Putting It All Together:

Trusted Identities. Foundational to Cloud Services LILA KEE CHIEF PRODUCT OFFICER GLOBALSIGN

Privacy Policy May 2018

Efficient, broad-based solution for a Swiss digital ID

Conjure Network LLC Privacy Policy

Cybersecurity in Higher Ed

Blue Alligator Company Privacy Notice (Last updated 21 May 2018)

Mobile Application Privacy Policy

Privacy Policy. 1. Introduction and Purpose. 2. What we do not do. 3. How we use your information

PRIVACY COMMITMENT. Information We Collect and How We Use It. Effective Date: July 2, 2018

Project Better Energy Limited s registered office is Witan Gate House, Witan Gate West, Milton Keynes, Buckinghamshire, MK9 1SH

OUR PRIVACY POLICY. 1. Our Privacy Principles. 2. Information that We Collect from You. Last Updated: May 25, 2018

Magento GDPR Frequently Asked Questions

CAREERBUILDER.COM - PRIVACY POLICY

It s still very important that you take some steps to help keep up security when you re online:

Consolidated Privacy Notice

Enhancing Security With SQL Server How to balance the risks and rewards of using big data

2. The Information we collect and how we use it: Individuals and Organisations: We collect and process personal data from individuals and organisation

IDENTITY ASSURANCE PRINCIPLES

The West End Community Trust Privacy Policy

Cyber Risks in the Boardroom Conference

Beam Technologies Inc. Privacy Policy

Best Practices in Securing a Multicloud World

PRIVACY STATEMENT +41 (0) Rue du Rhone , Martigny, Switzerland.

Website Privacy Notice

Depending on the Services or information you request from us, we may ask you to provide the following personal information:

African Theatre Association (AfTA) PRIVACY POLICY

You can find a brief summary of this Privacy Policy in the chart below.

6 Tips to Find the Right Colocation Center for You

Security Information for SAP Asset Strategy and Performance Management

HIPAA Federal Security Rule H I P A A

WHITE PAPER. The General Data Protection Regulation: What Title It Means and How SAS Data Management Can Help

Transcription:

Village Software Security Assessment Report Version 1.0 January 25, 2019 Prepared by Manuel Acevedo Helpful Village Security Assessment Report! 1 of! 11 Version 1.0

Table of Contents Executive Summary 3 1. Overview 4 2. Physical Infrastructure 4 3. Communications Security and Encryption 4 4. Online Security Auditing 5 5. Online Security Analysis Results 5 6. The Information Security Chain 7 7. Privacy & GDPR 8 8. HIPAA & Healthcare Industry Security Standards 9 9. Conclusion 11 Security Assessment Report! 2 of! 11 Version 1.0

Executive Summary Privacy and security are increasingly important elements of digital information systems. Helpful Village is attentive to these concerns and seeks to foster stronger safeguards for these qualities by focusing on the following aspects of our product design and development: Physical Infrastructure (platform security): HV uses Amazon s AWS data-centers to establish the most secure platform possible. Communications Security: Applied multiple data-encryption levels and SSL certificates. Independent Security Auditing: Use of Mozilla s online security analysis resulted in excellent security grade (see section 5 for results and analysis). Best practices guide for training village administrators in identifying, classifying, and recording categories of protected information. Clearly defined administrative roles and responsibilities: built-in and extensible definition of role classification and authorization for defined data categories. Establishment of a security work group to build awareness and consensus in handling security issues. Updated Privacy Policy and Terms of Service in support of General Data Protection Regulation (GDPR). Health Insurance Portability and Accountability Act (HIPAA) compatibility and future development in progress to ensure privacy and security of Protected Health Information. We have evaluated our product and practices in each of these areas and continue to take steps to ensure that Helpful Village achieves the highest level of privacy and security. Our security assessment in each of these areas follows. Security Assessment Report! 3 of! 11 Version 1.0

1. Overview This document represents our self-assessment for security as of January 2019. This report contains the results of the comprehensive security test and evaluation of Helpful Village. We are happy to support the development of independent security and privacy assessment standards and participate in audits as Villages develop. The goal of this document is to provide information to our customers and prospects about the security measures we implement to keep their Village s data safe. 2. Physical Infrastructure Helpful Village is an online service that physically resides on secure Amazon Web Services (AWS) data-centers. The AWS infrastructure puts strong safeguards in place to help protect customer privacy. Rather than using a standard account with AWS, Helpful Village has established a HIPAA account with AWS to ensure the highest level of security. Amazon s AWS data centers are built to meet the requirements of the most security-sensitive organizations including NASA, Adobe, Airbnb, Time Inc., and more. 3. Communications Security and Encryption Helpful Village uses an SSL (Secure Sockets Layer) certificate to encrypt ALL communications between the client s web browser and the server hosting the Village s website. SSL certificates create a foundation of trust by establishing a secure connection between users brokers and the application server. To ensure visitors that their connection is secure, browsers provide visual cues, such as a lock icon or a green bar. SSL certificates have two keys: a public key and a private key. These keys work together to establish an encrypted connection. All browsers have the capability to interact with secured web servers using the SSL protocol. SSL allows sensitive information such as full name, addresses, phone numbers, and login credentials to be transmitted securely. Encryption is not only used to communicate between the client s browser and the server, but Helpful Village also encrypts information in transit and at rest 1. All communications within the Helpful Village Virtual Private Cloud are encrypted (end-toend encryption) and all storage units are also encrypted. 1 Data protection in transit is the guarding of data while it is moving from network to network or transferring from a local storage device to a cloud storage device. Data protection at rest aims to protect inactive data stored on any device or network. Security Assessment Report! 4 of! 11 Version 1.0

4. Online Security Auditing Helpful Village test online security through use of independent auditing tools. The Mozilla Foundation analysis tool, Observatory, is widely used for this purpose as exceptionally trusted and reputable. This tool assigns a security score, from A+ to F, and explains which security measures need to be improved. More than a dozen security measures are tested, including the site s SSL/TLS configuration, HTTP headers, use of secure cookies, public key pinning (HPKP), Content Security Policy (CSP), and more. Mozilla is a well-known organization that makes Firefox and other products with a mission to keep the power of the Web in the hands of users. The Mozilla Developer Network is a community-driven Web resource that provides documentation, tutorials, and tools available to more than 2 million visitors each month. The Observatory tool is publicly available and Villages can test the security of their own websites for free entering their URL (website) on this website: https://observatory.mozilla.org 5. Online Security Analysis Results We performed tests for three different Helpful Village services. All three services received excellent security-grades and the following table contains the results for each one of them. The paragraph following the results table provides explanations for the grades received in each service. Security Assessment Report! 5 of 11! Version 1.0

www.helpfulvillage.com HV Village Platform 2018 HV Village Platform 2019 A+ B A+ 5.1 Security Analysis of www.helpfulvillage.com This is our corporate website, it describes the Helpful Village service and contains our blog posts and contact form. www.helpfulvillage.com has an A+ grade, our corporate website is smaller and less complex than our Village platform that includes multiple Village Management modules. This report shows that we know how to implement Security measures that result in an A+ Security grade. 5.2 Security Analysis of the Village Management Platform 2018 This version of our HV Village Management Platform is being used by dozens of Villages nationwide. Our current HV Village platform has a B security grade, which is an excellent grade within the field. 5.3 Security Analysis of the Village Management Platform 2019 This last site we analyzed is the new version of the Village Management Platform that includes additional security improvements that we are currently deploying to our customers. The new version of the Helpful Village platform has an A+ security grade as a result of the security upgrade that is underway. 5.4 Our Security Grade Compared to Industry Standards Villages that are using Helpful Village have the highest security ratings compared to all other providers we tested. Many Villages across the nation unfortunately have a low security-grade. Our goal for this report is to encourage Villages to run an online security analysis to ensure all their Village data remains safe. Security Assessment Report! 6 of! 11 Version 1.0

6. The Information Security Chain In addition to using a secure Amazon AWS infrastructure, we implement a wide range of security measures at every level, including the source code we write. Security can be thought of as a chain where each security measure makes up a link, and if any of these links are weak, the chain can break. These links are related to infrastructure, source code, human behavior, and more. Advanced technology and security practices, no matter how sophisticated, will always be constrained by a human factor. Villages that don t give priority to proactive security awareness or risk assessment are at risk of social engineering attacks. 6.1 Training for Villages Helpful Village has been raising awareness about the importance of security and offers Villages that are inclined to learn about security training, the option to join a Security Interest Group. This service can be found on our website and is free for users to raise awareness about security and share tips and resources that anyone can use to improve their security levels. https://www.helpfulvillage.com/security-group-registration 6.2 Helpful Village Security Training Manuel Acevedo (Helpful Village founder) has a Master's degree in Communication Systems (Computer Science) and has received advanced security training. Furthermore, in his early career, Manuel served as project manager for high-security projects including the e-voting system in the State of Geneva (Switzerland). Voting on the Internet requires an extremely secure service which Manuel had to provide to prevent hackers from altering the result of an election. During this time, the Geneva government hired white hat hackers to try to attack the system and made suggestions to Manuel about ways improve the security of the Geneva online voting service. These experiences have provided Manuel with valuable security training and knowledge. When starting Helpful Village, Manuel used the extended security training he received to make sure the Village data stored in Helpful Village was protected with the highest security standards. Helpful Village has raised awareness about the risks associated with the hacking of Village websites that don t have the same security standards. We advocate for establishing a set of minimum security standards that Villages should aim to define and ensure that their providers are fulfilling these requirements. Security Assessment Report! 7 of 11! Version 1.0

7. Privacy & GDPR Security is about the safeguarding of data, whereas privacy is about the safeguarding of user identity. The specific differences, however, are more complex, and there can certainly be areas of overlap between the two. Security refers to protection against the unauthorized access of data. We put security controls in place to limit who can access the information. Privacy can be thought of as personally identifiable information. Which allows someone to identify a specific person based on data. This data includes information such as a phone number, street address, date of birth, email address, etc. Helpful Village recognizes that standards are promulgated by independent organizations and we comply with those standards drafted by the European Union under the General Data Protection Regulation (GDPR), as well as those drafted by the United States Government for the purpose of the Health Insurance Portability and Accountability Act (HIPAA). We are concerned with information relating to the health and wellbeing of village members and recognize that it is essential to the mission of villages. 7.1 What is GDPR? The General Date Protection Regulation (GDPR) regulates data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. It aims to simplify the regulatory environment for business so both citizens and businesses can fully benefit from the digital economy. Even though GDPR was initiated by the European Union, it also applies to charities and nonprofit organizations that collect information from individuals in the EU. This is why companies with online services like Helpful Village, need to comply with GDPR. 7.2 The Helpful Village GDPR Implementation Helpful Village is committed to helping Village s grow and create a lasting impact in their community. As part of our growth and in support of the General Data Protection Regulation (GDPR), we have updated our Privacy Policy and Terms of Service. Please review to learn more about changes in our policy as a result of GDPR. Security Assessment Report! 8 of! 11 Version 1.0

Here s what we ve been working on: Improved GDPR Privacy Policy. The General Data Protection Regulation places new obligations on organizations that process EU personal data. As a result, we re updating our Privacy Policy and Terms of Service to better explain our relationship with our users. We re making our Privacy Policy clearer by defining key terms, describing our data processing practices and including examples showing how Helpful Village implements this Policy. Helping users towards compliance on their Helpful Village platform. We have provided a Privacy Policy acceptance process for Organization s users that will also ask them to assign a Data Protection Officer. Another measure we have provided is an updated cookie banner to display on the HV platform, a process to help Helpful Village respond to data subject rights requests, and for deletion requests. 8. HIPAA & Healthcare Industry Security Standards HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996, it was enacted by the United States Congress and signed by President Bill Clinton in 1996. It was created primarily to modernize the flow of healthcare information, and to stipulate how Personally Identifiable Information is maintained by the healthcare industry. Protected Health Information (PHI) under the US law is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity), and can be linked to a specific individual. Data shows that many Village services are related to Healthcare including rides to healthcare services, post-hospitalization care, MedPals, etc. We have been contacted by Healthcare providers that are interested in partnering with Villages. When Villages Security Assessment Report! 9 of! 11 Version 1.0

interact with Healthcare services, it is crucial to apply technology that is legally compliant with Healthcare Security standards. Security is such a top-priority for our company that we have raised our security level to HIPAA standards. As the Village Movement grows, Villages will likely need to upgrade their technology standards to HIPAA compliant systems. Data security is always a key consideration, but the sensitive nature of protected health information (PHI) makes security and privacy even more important. Businesses need to meet a whole list of requirements to demonstrate HIPAA compliance. They must commit to maintaining technical, physical, and administrative safeguards. We have implemented many of these requirements already and are the leading Village platform in pursuing HIPAA compliance. 8.1 Helpful Village s HIPAA account Rather than a standard Amazon AWS account, we have established a HIPAA account with Amazon AWS. We have also signed a Business Associate Addendum, which guarantees that Amazon will apply restrictions and conditions to the way they handle our technical infrastructure in compliance with HIPAA regulations. Several Helpful Village customers have requested additional services related to Health Information. Although we don t currently offer such possibility, we are currently in conversations with established Healthcare Providers that are interested in partnering with Villages to offer health-related services, and/or funding to Villages. Even though we apply many security measures required by HIPAA regulation, Villages should not store any PHI information on Helpful Village before we have established a three-way partnership with a Village, a Healthcare provider, and Helpful Village, which we are in the process of doing. If you are already a Helpful Village Customer and you are building a partnership with your local Hospital, insurance company, or Healthcare provider, we are interested in joining the conversation to help you offer additional services to your Village members. Security Assessment Report! 10 of 11! Version 1.0

9. Conclusion At Helpful Village, we believe protecting the Village s data is our number one priority. Since day one, we have focused on our customers data protection and applied the highest security standards to our services. The Helpful Village team regularly monitors the security rating with independent third party security tools, such as Observatory by Mozilla. As a result of our focus on security, our website and database are rated as the most secure Village Management Platform in the industry. Despite currently being the most secure Village Management Platform, we want to focus on continuing to be the most protected and secure platform in the future as well. As a result, Helpful Village is continuing to build a robust platform while applying Healthcare Industry security standards to ensure that Villages can maintain strong, secure, and compliant services in support of members and their quality-of-life. Security Assessment Report! 11 of 11! Version 1.0

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback