Sail bridges the gap between practitioners, patients and regulated vendors as a trusted medical resource. Sail simplifies the cannabis journey by providing secure, clinical and peer-to-peer data-driven solutions. The solution is developed and operated by mvc technologies inc.
The Management Team at MVC is committed to maintaining a mature information security program. Its key priority is always protecting patient information and continuously maintaining the highest level of security and protection. This Security White Paper gives an overview of the security safeguards MVC maintains as part of its Security Risk Management Program.
MVC's Information Security Program complies with the international ISO/IEC 27001:2013 standard. Security assessments are periodically performed throughout the organization to ensure the mitigation of any emerging security risks. MVC defines the security processes, roles, and responsibilities for implementing information security management as an integral part of its business and operations.
Sail Application Services are developed, operated, and maintained by skilled and certified personnel who are committed to maintaining a comprehensive Information Security control objective. Continuous security education and training help them maintain security awareness in the organization. Sail Application Services are designed to meet customers' strict security requirements and industry best practices. The application undergoes an annual Vulnerability Assessment & Penetration Testing to ensure security controls are effective.
Security controls are implemented following defense-in-depth security principles across a comprehensive cloud architecture. The architecture is based on well-proven and widely used secure products, methods, and protocols, and it has been defined to protect data both in transit and at rest, and to ensure its confidentiality, integrity, and availability. Strict access control allows only authorized users to access the data.
Secure Operation of the Platform follows documented processes and plans. Continuous monitoring of information security and system performance ensures that all deviations and incidents can be responded to in a timely manner by trained and competent personnel in accordance with the incident response process.
Due to the evolving security threat landscape, MVC's Technical team closely monitors security updates, alerts, and advisories from applicable system and software vendors as well as various security organizations and authorities. Based on risk analysis, the security team deploys applicable mitigation methods and security controls. Periodic security audits and technical tests performed by independent third-party information security companies ensure that information security meets the highest standards. A Threat Risk Assessment (TRA), along with a Technical Vulnerability Assessment (TVA) and penetration test, was recently conducted by a third party. iSecurity Consulting validated that all technical security vulnerabilities identified as part of their assessment were addressed. MVC is committed to conducting security assessments and validating the control strength of the application and infrastructure services. In addition, ongoing retainer-based services are in place with iSecurity Consulting.
Security Controls Summary
In relation to Sail Application services the following key security controls are defined:
Sail Portal Reference Security Architecture
MVC Technologies has developed a secure reference architecture for its Azure cloud services, and a well-defined security control framework is in place.
The resources needed to provide services to Sail Portal clients have been distributed into layers to facilitate management and enforce security controls. The proposed layers are:
MVC Technologies Information Security Management System
The information security management system is of strategic importance to MVC Technologies. It is an integrated part of the company's operations and governance, covering technical, administrative and physical controls.
Policies for Information Security
MVC Technologies has an internal information security framework, policies and standards defining its security requirements and controls.
MVC Technologies conducts periodic assessments of its security program, along with an annual Technical Vulnerability Assessment & Penetration Test of the Application Services.
MVC is responsible for defining its architecture standards and validating controls for third parties. External-facing services include a Web Application and Network Firewall along with Distributed Denial of Service (DDoS) protection from Azure.
Administrative Zone (Privileged users)
The dedicated Administrative Zone consists of a segmented network along with an administrator workstation, which is used to configure and manage the virtual servers of the Sail Portal Application services.
Sail Portal Security
Anti-Virus and malware prevention services are deployed on all the servers.
Software Development, Testing, and Release
MVC Technologies has defined policies and procedures for software development, testing, and release management. Development and testing are performed in an environment that is separated from the production environment. Software developers are continuously trained and follow the OWASP Top 10 vulnerabilities checklist to validate the controls of Sail Portal Applications.
MVC closely monitors security updates, alerts, and advisories from various security organizations and authorities to monitor security threats and possible vulnerabilities to its infrastructure services deployed in Azure. This service is provided by iSecurity Consulting. Based on risk analysis results, MVC deploys applicable mitigation methods and security controls when required.
MVC maintains a detailed Security Incident plan. All reported incidents for assets deployed in Azure cloud services are logged and the remedial action is indicated. Critical security incidents and data breaches will be promptly reported to the affected customers upon discovery.