Cyber Privacy Notice

NIST Cybersecurity Framework

In support of our cyber resilience mission, the Medical Specialist Group (MSG) has selected the NIST Cybersecurity Framework as the foundational framework against which we measure the scope and maturity of our information security program. The people, process and technology capabilities we build are aligned to this framework and support industry-leading security program maturity.


[Figure: NIST Cybersecurity Framework Version 1.1 – Credit: N. Hanacek/NIST]

Security Education and Awareness

Staff receive security education and training upon hire, annually and on an as-needed basis. Training covers a broad set of subjects including safe computing, acceptable use, ransomware, endpoint security, safe browsing, credential security, social engineering and phishing, amongst other topics relevant to the workforce. Specialised staff receive additional role-specific training as appropriate.

Employees are regularly tested to assess their awareness of, and susceptibility to, social engineering and phishing attacks. If a staff member engages with a simulated phishing message, additional training is provided to improve awareness and reinforce security best practices.

Third-Party Risk Management (TPRM)

As the risks posed by threat actors who exploit weaknesses in business relationships and technology supply chains grow, companies must maintain a strong security posture and enforce security requirements for critical vendors, suppliers and business partners.

The MSG assesses the security practices of its new and existing third-party providers, with the goal of building a supplier network whose members have reasonable, verifiable security postures and whose relationships with us are governed by strong contractual security requirements.

Personnel Security

The security of the MSG and its activities is dependent on trusted internal and external parties. MSG employees are subject to background checks during the hiring process, where jurisdictionally permitted, and as needed based on job level, role and responsibility. In addition to reviewing and acknowledging security policies and the business code of conduct prior to commencing employment, staff also receive training related to company security policies and information security expectations.

Account creation and termination, and the granting and removal of access permissions, are linked to the onboarding and offboarding procedures that govern hiring and termination.

Physical Security

The MSG maintains physical security policies and procedures that govern corporate offices. The IT and Facilities teams are responsible for ensuring that adequate logical and physical access controls are deployed at each facility in accordance with policy. Teams periodically audit facilities and control capabilities to verify that they are being adequately tested, maintained and monitored. Control capabilities include access control systems, cameras and recordings, temperature and humidity sensor management and visitor procedures, amongst others. These validation activities provide confidence that facilities are resilient to failure and accessible only to appropriate, authorised individuals.

Threat-Informed Cyber Defense

The MSG leverages its internal IT team and the security operations centre (SOC) of its Managed Service Provider (MSP), Calligo, to manage all activities that relate to intrusion monitoring. This is accomplished by using third-party managed detection and response (MDR) providers.

This layered approach allows us to analyse for intrusions across cloud, network, endpoint and SaaS logs, giving a comprehensive view of cyber attacks.

Should a security event be deemed valid and significant, an incident is declared in accordance with the MSG and Calligo Incident Management and Response policies.

Incident Management and Response

The MSG maintains an Incident Management and Response policy and procedures modelled on the best-practice guidance for handling the incident response lifecycle efficiently and effectively, as documented by NIST in Special Publication 800-61.

The MSG maintains documented response procedures and playbooks for incident declaration, escalation, containment and recovery to assure efficient and effective handling and remediation of security incidents. We assure that the staff most likely to identify and initially respond to potential security incidents receive first-responder training.

Asset Management

The MSG maintains inventories of production assets, including data, software, and both physical and virtual network-connected devices. Maintaining these inventories gives us constant awareness of the scope of assets that must be monitored and protected.

Assets are classified and inventoried in accordance with company policies. Because the inventories are critical and are relied upon constantly by the protection processes that maintain essential cyber hygiene for the systems and data we own or are custodians of, they are maintained and periodically audited to assure their relevance and accuracy.

Patch Management

The MSG and Calligo maintain policies and procedures that assure security patches for system, software and network assets are effectively identified, tracked and applied. Patches are qualified, tested and released in a manner that assures both the security and the availability of the assets, and of the critical business processes or IT Complete modules they support.

We leverage a set of solutions to help automate the safe deployment of patches to managed endpoints. Regular patching processes are designed to assure timely distribution to applicable assets. We also maintain an emergency patching process that allows us to prioritise the distribution and application of patches in exceptional circumstances.

Change Management

The MSG and Calligo maintain policies and procedures that assure changes to system, software and network assets are documented, reviewed, authorised, planned, deployed and monitored. Changes are tested and released in a manner that assures both the security and the availability of the critical business processes or customer products they support. They are governed by formal change management processes and procedures that adhere to the change management policy.

Changes are classified based on factors such as change scope, assets affected, duration of maintenance, impact to service, security implications, complexity of implementation or recovery, and more.

Classification dictates when a change can be made, stakeholder notification requirements and whether the change requires review and approval.

Endpoint Protection

The MSG maintains endpoint protection and security capabilities that assure the secure configuration, operation, maintenance and monitoring of corporate and production computing assets.

Technology and process capabilities include the use of endpoint protection solutions (e.g., anti-malware or endpoint detection and response), configuration management solutions and data encryption.

Identity and Access Management (IAM)

The MSG ensures that staff system accounts follow a formal process for access provisioning and decommissioning that is tied to Human Resources hiring and termination processes. Each user is given a unique credential and is required to set up both a strong password and Multi-Factor Authentication (MFA). Access is granted on a need-to-know basis, is based on role and enforces least privilege. Strong passphrase-style passwords are required of all MSG employees to access business data and systems.

Email Security

Email protection controls include, but are not limited to, encryption of email in transit (e.g., STARTTLS and SSL/TLS), blocking of commonly malicious attachment types, MFA for email platform access, disabling less secure mail access protocols (e.g., IMAP), anti-spoofing solutions (e.g., SPF, DKIM and DMARC) and additional layers of email security filtering to reduce email-borne threats (e.g., phishing and spam).

Network Security

The MSG utilises its MSP, Calligo, to deploy and maintain network security controls and processes that assure threat prevention and reliable access control. Calligo maintains a fleet of modern user-context- and application-aware firewalls capable of advanced threat detection and prevention in both encrypted and unencrypted traffic, protecting our corporate networks and users.

Production networks use a mix of physical, virtual and cloud networking capabilities to implement a network security architecture that designates distinct security zones to control access to and from key infrastructure systems.

Network vulnerability and patch management processes are maintained.

Penetration Testing

The MSG undertakes monthly internal and external penetration testing.