Security review and auditing

The following policy governs how HeartAI policies and procedures are routinely reviewed and audited. This policy describes corresponding governance structures, provides specifications for reviews and audits, and details the expected outcomes of these processes.

Policy

  1. In relation to organisational and administrative governance:
    1.1. HeartAI must meet a high level of organisational and administrative rigour to maintain a standard of compliance with respect to organisational and administrative governance. To ensure this, routine reviews and audits should be performed to assess that HeartAI governance, policies, processes, and technical solutions are appropriately managed.
    1.2. HeartAI administrators should regularly meet with governing authorities to ensure that organisational, strategic, and operational processes are appropriate.
    1.3. At least every 12 months, a formal security review and audit should be performed. This review and audit should provide a holistic assessment of HeartAI security and processes, and should align this assessment with SA Health and SA Government policy.
  2. In relation to technical governance:
    2.1. HeartAI technical development must consider security as a central concern, and should implement mature and well-managed solutions to ensure a high standard of technical security.
    2.2. To support routine security review and auditing, system monitoring and logging data should be collected. These system events should capture information relating to, but not limited to:
      2.2.1. Changes to system state, including: modifications to the HeartAI source code repository and modifications to the HeartAI production environment deployment.
      2.2.2. Access control events, including: logins and logouts, authentication and authorisation events, requests for identity or access tokens, processing of identity or access tokens, calls to persistent data stores, and calls to service endpoints.
      2.2.3. System monitoring events, including: resource usage, changes to system state, alert triggers and event rules, and user-driven eventing.
    2.3. Records for monitoring and logging of the system should be well-managed and readily available, and should be prepared as part of routine security review and auditing.
    2.4. Records for monitoring and logging should also be capable of integration with external event management systems.
  3. In relation to the expected outcomes of security review and auditing:
    3.1. Routine security reviews and audits should be performed to assess that HeartAI governance, policies, processes, and technical solutions are appropriately managed.
    3.2. Routine security reviews and audits may be performed in conjunction with an independent third-party where appropriate. The independent third-party should have proven capability and appropriate certification to perform the security review and audit.
    3.3. As a result of performing a security review and audit, an appropriate report should be created detailing the findings of the review and audit. This report should contain, but is not limited to:
      3.3.1. Organisational security.
      3.3.2. Operational security.
      3.3.3. Technical security.
      3.3.4. Compliance with SA Health and SA Government policy.
      3.3.5. Any outstanding risks or system deficits.
    3.4. The outcomes of security review and auditing should be considered with governing authorities to determine any actions for system change or security remediation.
    3.5. The outcomes and artefacts of security review and auditing, including reports, forms, tables, and data, should be documented and stored securely.
  4. In relation to the ongoing review of this policy:
    4.1. This policy should be reviewed at least every 6 months. This review should assess the appropriateness of the existing policy, and should propose any modifications or extensions to the policy where needed.
    4.2. Modifications or extensions to this policy should be reviewed and approved by corresponding governing authorities.
    4.3. This policy welcomes suggestions and feedback.
  5. In relation to the governance and compliance of this policy:
    5.1. This policy must be understood and agreed to by HeartAI administrators and developers before the approval of access to HeartAI platform components.
    5.2. Where this policy does not provide a specification for, or conflicts with, a mandated SA Health or SA Government policy, the existing SA Health or SA Government policy will take precedence. HeartAI administrators will resolve policy deficits by approved modification or extension to HeartAI policy.
    5.3. HeartAI administrators are responsible for ensuring that this policy is compliant with SA Health and SA Government policies.