16-vulnerability_scanning_policy.md

File metadata and controls

31 lines (24 loc) · 3.39 KB

16. Vulnerability Scanning Policy

NutriAdmin is proactive about information security and understands that vulnerabilities need to be monitored on an ongoing basis. NutriAdmin uses Tinfoil Security Scanner (or an equivalent tool) to regularly scan for, identify, and address vulnerabilities in our systems. We also run OSSEC on all systems for file integrity checking, log analysis, and intrusion detection.

The NutriAdmin team periodically runs `npm audit`, which checks the npm packages used in the application against the registry's database of known vulnerabilities. When vulnerabilities are detected, their impact on NutriAdmin is evaluated and they are remediated where appropriate and reasonable.
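As an added illustration of the evaluation step above (example code, not part of the NutriAdmin policy or code base): a small Node script that triages the report produced by `npm audit --json`, treating findings at or above a chosen severity as blocking and everything below it as advisory, and spelling out whether `npm audit fix` can resolve each one. The report embedded below is a constructed sample that follows the npm 7+ report shape (`auditReportVersion: 2`); its package names and advisory titles are invented, and the `"high"` threshold is an assumption, not a NutriAdmin setting.

```javascript
// Added example: severity triage of `npm audit --json` output.
// Not NutriAdmin code. SAMPLE_REPORT is a constructed sample in the npm 7+
// report shape (auditReportVersion 2); packages and advisories are invented.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": {
      name: "example-parser",
      severity: "high",
      isDirect: true,
      via: [{ title: "Prototype pollution (constructed)", url: "https://example.invalid/advisory/1", severity: "high", range: "<2.0.0" }],
      effects: [],
      range: "<2.0.0",
      nodes: ["node_modules/example-parser"],
      fixAvailable: true,
    },
    "example-transitive": {
      name: "example-transitive",
      severity: "critical",
      isDirect: false,
      // A transitive dependency: `via` mixes advisory objects and dependency names.
      via: [{ title: "Remote code execution (constructed)", url: "https://example.invalid/advisory/2", severity: "critical", range: "<1.4.1" }, "example-cli"],
      effects: ["example-cli"],
      range: "<1.4.1",
      nodes: ["node_modules/example-transitive"],
      // npm reports an object when the fix requires upgrading a top-level package.
      fixAvailable: { name: "example-cli", version: "3.0.0", isSemVerMajor: true },
    },
    "example-devtool": {
      name: "example-devtool",
      severity: "moderate",
      isDirect: true,
      via: [{ title: "Regular expression denial of service (constructed)", url: "https://example.invalid/advisory/3", severity: "moderate", range: "<0.9.0" }],
      effects: [],
      range: "<0.9.0",
      nodes: ["node_modules/example-devtool"],
      fixAvailable: false,
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 1, total: 3 },
  },
};

// fixAvailable is true (npm audit fix resolves it), false (no automatic fix),
// or an object naming the top-level package whose upgrade resolves it.
function describeFix(fixAvailable) {
  if (fixAvailable === true) return "fix available (non-breaking)";
  if (fixAvailable && typeof fixAvailable === "object") {
    const kind = fixAvailable.isSemVerMajor ? "semver-major, review required" : "non-breaking";
    return `fix via ${fixAvailable.name}@${fixAvailable.version} (${kind})`;
  }
  return "no automatic fix; manual remediation or documented risk acceptance";
}

// Split findings into blocking (at or above threshold) and advisory, worst first.
function triageAudit(report, threshold = "high") {
  const minRank = SEVERITY_RANK[threshold];
  if (minRank === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const findings = Object.values(report.vulnerabilities || {}).map((v) => ({
    name: v.name,
    severity: v.severity,
    rank: SEVERITY_RANK[v.severity] ?? -1,
    isDirect: Boolean(v.isDirect),
    // Keep only advisory objects; string entries are dependency names.
    advisories: (v.via || []).filter((x) => typeof x === "object").map((x) => x.title),
    fix: describeFix(v.fixAvailable),
  }));
  findings.sort((a, b) => b.rank - a.rank);
  return {
    blocking: findings.filter((f) => f.rank >= minRank),
    advisory: findings.filter((f) => f.rank < minRank),
    fail: findings.some((f) => f.rank >= minRank),
  };
}

// Convenience wrapper for the raw text of `npm audit --json`.
function triageAuditJson(text, threshold = "high") {
  return triageAudit(JSON.parse(text), threshold);
}

// Exit status a CI gate would use: 1 when anything blocking remains.
function exitCodeFor(result) {
  return result.fail ? 1 : 0;
}

const result = triageAudit(SAMPLE_REPORT, "high");
for (const f of result.blocking) {
  console.log(`BLOCKING ${f.severity.padEnd(8)} ${f.name} (${f.isDirect ? "direct" : "transitive"}): ${f.advisories.join("; ")} -> ${f.fix}`);
}
for (const f of result.advisory) {
  console.log(`advisory ${f.severity.padEnd(8)} ${f.name}: ${f.advisories.join("; ")} -> ${f.fix}`);
}
console.log(`exit code would be ${exitCodeFor(result)}`);
```

To run it against a real project, save the output of `npm audit --json` and pass its text to `triageAuditJson`; in a CI job, `process.exit(exitCodeFor(result))` turns the blocking list into a failed build. The split into blocking and advisory mirrors the policy's "evaluate impact, remediate where appropriate" wording: a semver-major fix or a finding with no automatic fix still needs a human decision, which is why the script reports the fix type instead of running `npm audit fix` blindly.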

In addition to the above, the NutriAdmin team proactively researches known vulnerabilities when implementing new systems, or when new information about potential vulnerabilities becomes available.

16.1 Applicable Standards under the HIPAA Security Rule

  • 164.308(a)(8) - Evaluation

16.2 Vulnerability Scanning Policy

  1. Tinfoil management is performed by the NutriAdmin Security Officer, or an authorized delegate of the Security Officer.
  2. Frequency of scanning is as follows:
    1. on a yearly basis;
    2. after every production deployment of new features or systems that are evaluated by the Security Officer to potentially expose new vulnerabilities.
  3. Reviewing Tinfoil reports and findings, as well as any further investigation into discovered vulnerabilities, are the responsibility of the NutriAdmin Security Officer. The process for reviewing Tinfoil reports is outlined below:
    1. The Security Officer initiates the review of a Tinfoil Report by creating a Task in the Compliance Review Activity (CRA) Spreadsheet with ID #CRA-14.
    2. The Security Officer, or a NutriAdmin Security Engineer assigned by the Security Officer, is assigned to review the Tinfoil Report.
    3. If new vulnerabilities are found during review, they are tested using the process described in step 4 below. Once those steps are completed, the Task is reviewed again.
    4. Once the review is completed, the Security Officer approves or rejects the Task. If the Task is rejected, it goes back for further review.
    5. If the review is approved, the Security Officer then marks the Task as Closed, adding any pertinent notes required.
    6. Compliance with the vulnerability scanning policy is monitored on a yearly basis using the Compliance Review Activity (CRA) Spreadsheet. This monitoring activity is recorded using ID #CRA-15.
  4. In the case of new vulnerabilities, the following steps are taken:
    • All new vulnerabilities are verified manually to confirm that they are reproducible. Those that cannot be reproduced are manually tested again after the next vulnerability scan, regardless of whether the scanner reports the specific vulnerability again.
    • Vulnerabilities that are repeatable manually are documented and reviewed by the Security Officer and Privacy Officer to see if they are part of the current risk assessment performed by NutriAdmin.
    • Those that are a part of the current risk assessment are checked for mitigations.
    • Those that are not part of the current risk assessment trigger a new risk assessment, and this process is outlined in detail in the NutriAdmin Risk Assessment Policy.
  5. All vulnerability scanning reports are retained for 6 years by NutriAdmin.