Security Procedures
Operational security procedures for HealthTalk.
Change Management
Standard Changes
Pre-approved changes with an established process:
- Change request submitted
- Automated validation
- Deployment to staging
- Production deployment
Normal Changes
Changes requiring CAB approval:
- Change request with impact analysis
- CAB review and approval
- Testing and validation
- Scheduled deployment
- Post-implementation review
Emergency Changes
Expedited process for critical fixes:
- Verbal approval from CAB member
- Implementation with monitoring
- Retrospective change record
- Root cause analysis
Vulnerability Management
Scanning
- Automated scans: Daily
- Penetration testing: Quarterly
- Code scanning: Every commit
Remediation
| Severity | SLA |
|---|---|
| Critical | 24 hours |
| High | 7 days |
| Medium | 30 days |
| Low | 90 days |
Backup and Recovery
Backup Schedule
- Database: Continuous (point-in-time recovery)
- Files: Daily incremental, weekly full
- Configuration: On change
Recovery Testing
- Quarterly recovery tests
- Documented recovery procedures
- Recovery time objectives verified
Security Monitoring
Log Review
- Security logs reviewed daily
- Automated alerting for anomalies
- Monthly trend analysis
Security Metrics
- Failed login attempts
- Privilege escalations
- Policy violations
- Incident count