
Independent assurance measures

Sm8rtHealth utilises the independent services of Phew, a New Zealand-based, highly certified cyber-security specialist, serving clients across multiple industries including finance and technology, primarily in New Zealand and Australia.

Assurance measures (Internal & External), by service

Annual penetration testing
Phew will provide comprehensive annual web application and API penetration testing, using the full suite of evolving, industry-leading testing standards and mechanisms to identify, prove and demonstrate vulnerabilities and risks. The web-facing components of Sm8rtHealth will be evaluated against the OWASP Top 10 web application vulnerabilities and the CWE/SANS Top 25 categories, with reference to OWASP ASVS v4 (Level 1, hybrid).
Testing will be conducted manually (automated tools are used only for basic tasks), and vulnerabilities will be categorised and reported under the following headings:
* Architecture, design and threat modelling
* Authentication
* Session management
* Access control
* Malicious input handling
* Cryptography
* Error handling and logging
* Data protection
* Communications security
* HTTP security configuration
* Business logic
* Files and resources
* Web app
* Rule and construct configuration

Continuous IaaS security assessment
Phew will provide an initial baseline and then an ongoing assessment of AWS organisational security relative to best practice and other applicable compliance standards, together with access to ongoing, real-time reporting.

Test report
Following penetration testing, Phew will provide a test report setting out the full context of the testing program and comprehensive details of any vulnerabilities discovered, including:
* overall results, with a risk assessment for each vulnerability using the ‘DREAD’ evaluation framework;
* categories of vulnerability;
* high-level advice for remediation;
* further service hardening recommendations.
Full details will be provided on each individual vulnerability, including a comprehensive description, specific recommendations for mitigation and remediation, and a standardised risk assessment and rating to assist with prioritisation. ‘Proof-of-concept’ demonstrations will also be provided for each vulnerability.

Re-testing and re-test report
Subject to Sm8rtHealth’s remediation of all vulnerabilities catalogued in a test report, re-testing will be performed by Phew.
On completion of re-testing, Phew will produce a re-test report showing which vulnerabilities have been fully or partially addressed and which remain outstanding. Re-testing and re-test reports are distinct from initial testing and the initial test report, the aim of the latter being to discover new vulnerabilities that may have emerged or been introduced subsequent to the initial test.

Risk assessment (‘DREAD’)
Where Sm8rtHealth identifies ‘high’ risks during the vulnerability assessment, Phew may be engaged to provide a more in-depth vulnerability assessment using the ‘DREAD Risk Analysis’ framework.
This framework scores each vulnerability on five dimensions: (i) Damage potential, (ii) Reproducibility, (iii) Exploitability, (iv) Affected assets and (v) Discoverability. Each dimension is scored from 1 (low) to 3 (high) to create an overall, quantitative risk score.
Advice may then be sought from Phew regarding best-practice defensive measures to be adopted in the design phase.
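The DREAD scoring described above, as an added example (not Phew's or Sm8rtHealth's own tooling): it assumes the five dimension scores are summed into the overall score, giving a 5 to 15 range, validates each score against the 1 to 3 scale so a typo cannot silently change a rating, and orders constructed sample findings for prioritisation.

```python
from dataclasses import dataclass

# The five DREAD dimensions named on the page; each is scored 1 (low) to 3 (high).
DIMENSIONS = ("damage", "reproducibility", "exploitability",
              "affected_assets", "discoverability")
MIN_SCORE, MAX_SCORE = 1, 3

@dataclass(frozen=True)
class Finding:
    finding_id: str
    title: str
    scores: dict  # dimension name -> score 1..3

def score_errors(scores: dict) -> list:
    """List what is wrong with a score dict: missing or unknown dimensions,
    or values outside 1..3. An empty list means the scores are valid."""
    errors = [f"missing dimension: {d}" for d in DIMENSIONS if d not in scores]
    errors += [f"unknown dimension: {d}" for d in scores if d not in DIMENSIONS]
    for name, value in scores.items():
        if name in DIMENSIONS and (type(value) is not int or not MIN_SCORE <= value <= MAX_SCORE):
            errors.append(f"{name} must be an integer {MIN_SCORE}..{MAX_SCORE}, got {value!r}")
    return errors

def dread_score(scores: dict) -> int:
    """Overall DREAD score. Aggregation by summation is an assumption of this
    example (the page does not state it); the result lies in 5..15."""
    errors = score_errors(scores)
    if errors:
        raise ValueError("; ".join(errors))
    return sum(scores.values())

def prioritise(findings: list) -> list:
    """Return (finding_id, score) pairs, highest first; ties keep input order."""
    ranked = sorted(findings, key=lambda f: dread_score(f.scores), reverse=True)
    return [(f.finding_id, dread_score(f.scores)) for f in ranked]

# Constructed sample findings for illustration only; not from any real test report.
SAMPLE = [
    Finding("F-1", "sample finding A", {"damage": 1, "reproducibility": 3, "exploitability": 3,
                                        "affected_assets": 1, "discoverability": 3}),
    Finding("F-2", "sample finding B", {"damage": 3, "reproducibility": 3, "exploitability": 2,
                                        "affected_assets": 3, "discoverability": 2}),
    Finding("F-3", "sample finding C", {"damage": 2, "reproducibility": 3, "exploitability": 1,
                                        "affected_assets": 2, "discoverability": 2}),
]

if __name__ == "__main__":
    for fid, score in prioritise(SAMPLE):
        print(f"{fid}: {score}/{MAX_SCORE * len(DIMENSIONS)}")
```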

Monthly port scanning
Phew will provide monthly port scanning and will report to Sm8rtHealth any newly publicly-exposed services as and when they are detected.

Quarterly email phish-testing
Phew will carry out quarterly email phish-testing and provide a phishing-risk score report for all Sm8rtHealth personnel.

Assurance report
Once systems have been tested (and re-tested as needed) and all security vulnerabilities have been confirmed as remediated, Phew issues an ‘assurance report’ providing ‘point-in-time’ assurance to all stakeholders.
The report demonstrates to all stakeholders that comprehensive, independent penetration testing has been undertaken according to a globally recognised standard, and that most or all discovered vulnerabilities have been addressed.
The report is intended to confirm that Sm8rtHealth takes penetration testing and security seriously and is following a program of periodic testing.

Cyber security consulting
Cyber-security specialist services and advice are provided to Sm8rtHealth on an ‘as needed’ basis, covering any and all aspects of defensive cyber-security design, risk assessment and the application of ‘best practice’ across all phases of the SDLC.

Software updates and security patches
Sm8rtHealth will periodically scan for the latest software versions and security patches for the software it uses, including third-party components, to assess vulnerability and schedule timely upgrades and/or the implementation of patches.
The objective of this internal service is to keep required software updates and patches as current as security requires.