IT Security Policy

Veridian Corp — Information Technology Security Standards

Document IDIT-SEC-001
Version4.2
Effective DateJanuary 15, 2026
OwnerIT Security Team
FrameworksNIST CSF 2.0, HIPAA Security Rule, ISO 27001, SOC 2

Password Management

All passwords must be a minimum of 14 characters and include uppercase, lowercase, numbers, and special characters.

Passwords must be changed every 90 days; reuse of the last 12 passwords is prohibited.

Multi-factor authentication (MFA) is mandatory for all user accounts accessing company systems.

Passwords must never be shared, written down, or stored in unencrypted files.

All privileged account passwords must be stored in the company-approved password manager; no exceptions.

Device Security

All company-issued laptops and workstations must have full disk encryption enabled using BitLocker or FileVault.

Screens must automatically lock after 5 minutes of inactivity on all company devices.

All company devices must be enrolled in the Mobile Device Management (MDM) system before being used to access company data.

Personal devices must not be used to access, process, or store Confidential company data without explicit IT Security approval and MDM enrollment.

Network Access

Remote access to company systems requires a company-approved VPN connection at all times.

Wi-Fi networks used to transmit company data must use WPA3 encryption; use of open or WPA2 networks for company work is prohibited.

Production network segments must be segregated from development and corporate networks using firewall rules and VLANs.

Network access logs must be retained for a minimum of 12 months and reviewed monthly for unauthorized access attempts.

Incident Reporting

All suspected security incidents must be reported to the IT Security team within 1 hour of discovery.

The IT Security team must open a formal incident log within 2 hours of any reported incident.

Severity 1 incidents (active breach, ransomware, data exfiltration) must be escalated to the CISO within 4 hours.

All security incidents must have a completed Post-Incident Review document within 5 business days of containment.

Patch Management

Critical severity patches (CVSS 9.0+) must be applied to all affected systems within 24 hours of release.

High severity patches (CVSS 7.0–8.9) must be applied within 7 calendar days of release.

All other patches must be applied within 30 calendar days; systems with outstanding patches beyond SLA must be reported to the CISO monthly.

Access Control

All system access must follow the principle of least privilege; users must be granted only the minimum access required to perform their role.

Access permissions must be reviewed and revalidated on a quarterly basis by the relevant system owner.

All user access must be revoked within 1 hour of employee termination or role change.

Privileged access (administrator rights) requires manager approval, documented business justification, and full audit logging.

Service account credentials must be rotated at least annually and must not be shared between systems or users.

Systems storing PHI must implement role-based access control with automatic session timeout after 15 minutes of inactivity.

All FDA Part 11 systems must maintain immutable audit trails capturing user ID, timestamp, action, and reason for change.

Critical System Inventory

SystemClassificationData TypesMFAEncryptionPart 11Owner
CloudHealth PHI PlatformCriticalPHI, glucose dataYesAES-256 / TLS 1.3YesIT Security
MasterControl QMSCriticalFDA records, DHFYesAES-256 / TLS 1.2+YesQuality Assurance
Active Directory / Azure ADCriticalEmployee PIIYesTLS 1.3NoIT Operations
Device OTA Update ServerCriticalFirmware, device IDsYesCode signing + TLS 1.3YesEngineering
Veridian Care PortalCriticalPHI, patient accountsYesAES-256 / TLS 1.3YesProduct
GitHub EnterpriseHighSource code, IPYesAt rest + TLS 1.3NoEngineering

Security Control Mapping — HIPAA Safeguards

HIPAA StandardImplementationVeridian ControlEvidenceLast Tested
§164.312(a) Access ControlUnique user ID, emergency access, auto logoff, encryptionAzure AD RBAC + MFAAccess review Q1 2026Jan 2026
§164.312(b) Audit ControlsRecord and examine activity in PHI systemsSIEM + CloudHealth audit logsSIEM report Jan 2026Jan 2026
§164.312(c) IntegrityProtect PHI from alteration/destructionChecksums, code signing, WORM storageIntegrity test Q4 2025Dec 2025
§164.312(d) AuthenticationVerify identity of persons/entitiesMFA mandatory, SSOMFA enrollment 100%Mar 2026
§164.312(e) Transmission SecurityGuard against unauthorized access during transmissionTLS 1.2+ on all PHI channelsSSL scan Feb 2026Feb 2026

Related: HIPAA Assessment PDF · Privacy Policy — PHI Section

2025 Vulnerability Remediation Summary

Severity (CVSS)SLAIdentified 2025RemediatedOutstandingCompliance Rate
Critical (9.0+)24 hours770100%
High (7.0–8.9)7 days3433197.1%
Medium (4.0–6.9)30 days128121794.5%
Low (<4.0)90 days2562401693.8%