Privacy Policy
Executive Summary

Sail bridges the gap between practitioners, patients and regulated vendors as a trusted medical resource. Sail simplifies the cannabis journey by providing secure, clinical and peer-to-peer data-driven solutions. The solution is developed and operated by mvc technologies inc.

The Management Team at MVC is committed to maintaining a mature information security program, and its key priority is always protecting patient information and continuously maintaining the highest level of security and protection. This Security White Paper gives an overview of security safeguards MVC maintains as part of its Security Risk Management Program.

MVC Information Security Program complies with the international ISO/IEC 27001:2013 standard. Security assessments are periodically performed throughout the organization to ensure the mitigation of any emerging security risks. MVC defines the security processes, roles, and responsibilities for implementing information security management as an integral part of its business and operations.

Sail Application Services are developed, operated, and maintained by skilled and certified personnel that are committed to maintaining a comprehensive Information Security control objective. Continuous security education and training supports them to maintain security awareness in the organization. Sail Application Services are designed to meet customers' strict security requirements and industry best practices. The application goes under Annual Vulnerability Assessment & Penetration Testing to ensure security controls are effective.

Security controls are implemented with comprehensive cloud architecture defense in depth security principles. The architecture is based on well-proven and widely used secure products, methods, and protocols, and it has been defined to protect data both in-transit and at rest, and to ensure its confidentiality, integrity, and availability. Strict access control allows only authorized users to access the data.

Secure Operation of the Platform follows documented processes and plans. Continuous monitoring of information security and system performance ensures that all deviations and incidents can be responded to in a timely manner by trained and competent personnel in accordance with the incident response process.

Due to the evolving security threat landscape , the MVC’s Technical team closely monitors security updates, alerts, and advisories from applicable system and software vendors as well as various security organizations and authorities. Based on risk analysis, the security team deploys applicable mitigation methods and security controls. Periodic security audits and technical tests performed by independent third-party information security companies ensure that information security meets the highest standards. A recent Threat Risk Assessment (TRA) along with a Technical Vulnerability Assessment (TVA) and Penetration test was recently conducted by a Third Party. “iSecurity Consulting” validated that all technical security vulnerabilities identified as part of their assessment were addressed. MVC is committed to conducting security assessments and validating the controls strength of the application and infrastructure services. In addition, ongoing retainer-based services are in place with iSecurity Consulting.
(www.isecurityconsulting.com)

Security Controls Summary

In relation to Sail Application services the following key security controls are defined:

Cloud services Virtual Networks use a combination of robust security framework including, logical isolation, firewalls, access controls, authentication, and encryption to protect data in-transit. Microsoft’s Azure datacenter operations implement comprehensive information security policies and processes using standardized industry control frameworks such as ISO 27001, SOC 1, and SOC 2. Third-party auditors regularly certify Microsoft’s adherence to these standards for both the physical and virtual aspects of Azure infrastructure.
Security threat monitoring controls are defined to protect Sail Portal assets in Azure cloud services.
Web Application Firewall controls are in place to protect Sail external facing application services from external attacks or zero-day vulnerabilities.
Technical controls in the application and network architecture include the use of application security framework, intrusion detection system (IDS), malware prevention and encryption of data at rest and in transit.
Network perimeter is well-defined and protected with restrictive firewall rules; IP filtering rules restrict access to Sail integration services to specific client networks.
Encryption and authentication controls are defined for protecting sensitive information in transit between hospital sites and Sail application services.
Documented user guide, procedures and training material for Sail Portal application services are created by MVC Technologies.
MVC Technologies has developed a well-defined and sustainable Information Security Program Plan which continuously evaluates technical, administrative and physical controls of its assets either deployed internally or with third parties.
MVC Technologies corporate network security controls are well defined MVC Technologies corporate network security controls are well defined including protection of end-point assets and local network.
MVC staff are required to conduct an annual MVC staff are required to conduct an annual privacy and security training refresh.

Sail Portal Reference Security Architecture

MVC Technologies has developed a secure reference architecture for its Azure cloud services and well-defined security control framework has been defined.

The resources needed to provide services to Sail Portal clients have been distributed into layers to facilitate management and enforce security controls. The proposed layers are:

Data Layer – holds database servers that store Personal Health Information (PHI). Resources do not have public IP addresses and are not directly accessible over the Internet. Accessible only from networks internal to the virtual network, or over virtual private network (VPN) tunnels with data at rest encrypted.
Application Layer – holds the application servers where actual code execution takes place. Resources do not have public IP addresses and are only accessible over the Internet through inspection of a Web Application Firewall (WAF). Accessible only from networks internal to the virtual network, or over virtual private network (VPN) tunnels.
Threat Protection Layer – holds the security gateways and any servers that need to have public IP addresses. Directly accessible over the Internet.

MVC Technologies Information Security Management System
The information security management system is of strategic importance to MVC Technologies. Its information security management system is an integrated part of our operations and governance covering technical, administrative and physical controls.

Policies for Information Security
MVC Technologies has internal information security Framework, policies and standards defining its security requirements and controls.

Risk Management
MVC Technologies conducts periodic assessments on its security program along with annual Technical Vulnerability Assessment & Penetration testing conducted on Application Services.

Network Architecture
MVC is responsible for defining its architecture standards and validating controls for Third Parties. External facing services include Web Application and Network Firewall along with Distributed Denial of Services (DDoS) protection from Azure.

Administrative Zone (Privilege users)
The dedicated Administrative Zone consists of a segmented network along with Administrator workstation which is used to configure and manage Sail Portal Application services virtual servers.

Sail Portal Security
Anti-Virus and malware prevention services are deployed on all the servers.

IDS/IPS and Packet Filtering FW is deployed for any inbound traffic inspection.
Patch and Vulnerability Management services are deployed on Internal zones for Sail Portal Application security operations services.

Software Development, Testing, and Release
MVC Technologies has defined policies and procedures for software development, testing, and release management. Development and testing are performed in an environment that is separated from the production environment. Software developers are continuously trained and follow OWASP top 10 vulnerabilities checklist to validate the controls of Sail Portal Applications.

Vulnerability Management
MVC closely monitors security updates, alerts, and advisories from various security organizations and authorities to monitor security threats and possible vulnerabilities to its infrastructure services deployed in Azure. This service is provided by iSecurity Consulting. Based on risk analysis results, MVC deploys applicable mitigation methods and security controls when required.

Incident Management
MVC maintains a detailed Security Incident plan. All reported incidents for assets deployed in Azure cloud services are logged and the remedial action indicated. Critical security incidents and data breaches will be promptly reported to the affected customers upon discovery.