IT Security Policy
Veridian Corp — Information Technology Security Standards
| Document ID | IT-SEC-001 |
| Version | 4.2 |
| Effective Date | January 15, 2026 |
| Owner | IT Security Team |
| Frameworks | NIST CSF 2.0, HIPAA Security Rule, ISO 27001, SOC 2 |
Password Management
All passwords must be a minimum of 14 characters and include uppercase, lowercase, numbers, and special characters.
Passwords must be changed every 90 days; reuse of the last 12 passwords is prohibited.
Multi-factor authentication (MFA) is mandatory for all user accounts accessing company systems.
Passwords must never be shared, written down, or stored in unencrypted files.
All privileged account passwords must be stored in the company-approved password manager; no exceptions.
Device Security
All company-issued laptops and workstations must have full disk encryption enabled using BitLocker or FileVault.
Screens must automatically lock after 5 minutes of inactivity on all company devices.
All company devices must be enrolled in the Mobile Device Management (MDM) system before being used to access company data.
Personal devices must not be used to access, process, or store Confidential company data without explicit IT Security approval and MDM enrollment.
Network Access
Remote access to company systems requires a company-approved VPN connection at all times.
Wi-Fi networks used to transmit company data must use WPA3 encryption; use of open or WPA2 networks for company work is prohibited.
Production network segments must be segregated from development and corporate networks using firewall rules and VLANs.
Network access logs must be retained for a minimum of 12 months and reviewed monthly for unauthorized access attempts.
Incident Reporting
All suspected security incidents must be reported to the IT Security team within 1 hour of discovery.
The IT Security team must open a formal incident log within 2 hours of any reported incident.
Severity 1 incidents (active breach, ransomware, data exfiltration) must be escalated to the CISO within 4 hours.
All security incidents must have a completed Post-Incident Review document within 5 business days of containment.
Patch Management
Critical severity patches (CVSS 9.0+) must be applied to all affected systems within 24 hours of release.
High severity patches (CVSS 7.0–8.9) must be applied within 7 calendar days of release.
All other patches must be applied within 30 calendar days; systems with outstanding patches beyond SLA must be reported to the CISO monthly.
Access Control
All system access must follow the principle of least privilege; users must be granted only the minimum access required to perform their role.
Access permissions must be reviewed and revalidated on a quarterly basis by the relevant system owner.
All user access must be revoked within 1 hour of employee termination or role change.
Privileged access (administrator rights) requires manager approval, documented business justification, and full audit logging.
Service account credentials must be rotated at least annually and must not be shared between systems or users.
Systems storing PHI must implement role-based access control with automatic session timeout after 15 minutes of inactivity.
All FDA Part 11 systems must maintain immutable audit trails capturing user ID, timestamp, action, and reason for change.
Critical System Inventory
| System | Classification | Data Types | MFA | Encryption | Part 11 | Owner |
|---|---|---|---|---|---|---|
| CloudHealth PHI Platform | Critical | PHI, glucose data | Yes | AES-256 / TLS 1.3 | Yes | IT Security |
| MasterControl QMS | Critical | FDA records, DHF | Yes | AES-256 / TLS 1.2+ | Yes | Quality Assurance |
| Active Directory / Azure AD | Critical | Employee PII | Yes | TLS 1.3 | No | IT Operations |
| Device OTA Update Server | Critical | Firmware, device IDs | Yes | Code signing + TLS 1.3 | Yes | Engineering |
| Veridian Care Portal | Critical | PHI, patient accounts | Yes | AES-256 / TLS 1.3 | Yes | Product |
| GitHub Enterprise | High | Source code, IP | Yes | At rest + TLS 1.3 | No | Engineering |
Security Control Mapping — HIPAA Safeguards
| HIPAA Standard | Implementation | Veridian Control | Evidence | Last Tested |
|---|---|---|---|---|
| §164.312(a) Access Control | Unique user ID, emergency access, auto logoff, encryption | Azure AD RBAC + MFA | Access review Q1 2026 | Jan 2026 |
| §164.312(b) Audit Controls | Record and examine activity in PHI systems | SIEM + CloudHealth audit logs | SIEM report Jan 2026 | Jan 2026 |
| §164.312(c) Integrity | Protect PHI from alteration/destruction | Checksums, code signing, WORM storage | Integrity test Q4 2025 | Dec 2025 |
| §164.312(d) Authentication | Verify identity of persons/entities | MFA mandatory, SSO | MFA enrollment 100% | Mar 2026 |
| §164.312(e) Transmission Security | Guard against unauthorized access during transmission | TLS 1.2+ on all PHI channels | SSL scan Feb 2026 | Feb 2026 |
Related: HIPAA Assessment PDF · Privacy Policy — PHI Section
2025 Vulnerability Remediation Summary
| Severity (CVSS) | SLA | Identified 2025 | Remediated | Outstanding | Compliance Rate |
|---|---|---|---|---|---|
| Critical (9.0+) | 24 hours | 7 | 7 | 0 | 100% |
| High (7.0–8.9) | 7 days | 34 | 33 | 1 | 97.1% |
| Medium (4.0–6.9) | 30 days | 128 | 121 | 7 | 94.5% |
| Low (<4.0) | 90 days | 256 | 240 | 16 | 93.8% |