WellnessLiving’s security framework

WellnessLiving’s security framework uses policies and practices based on the industry-standard National Institute of Standards and Technology (NIST) framework, and our entire Amazon Web Services (AWS) infrastructure is secured using the best practices outlined by AWS. Our dedicated security team is responsible for overseeing the various aspects of the company’s defense-in-depth strategy and security program.

The following list represents some components of our security program that we use to protect customer data:

Cloud Security

Web Application Firewall

Our web application firewall (WAF) secures incoming traffic to our site by proactively blocking malicious traffic, including attempts at illegal access and attacks such as cross-site scripting (XSS) and SQL injection.

Distributed denial-of-service (DDoS) Protection

WellnessLiving employs an industry-leading provider of DDoS mitigation solutions to protect our infrastructure at the edge. Our infrastructure has been built to be resilient against any form of DDoS attack.

Network Segmentation

WellnessLiving networks are segmented into different security zones and communications between zones are restricted to authorized traffic.

Logging and Monitoring

WellnessLiving employs a security information and event management (SIEM) system that continuously monitors and analyzes all log activity for any anomalous traffic. Our security operations center (SOC) team provides 24/7 monitoring, investigation, and response to any potential threats detected by our systems.

Threat Intelligence

WellnessLiving works with its security partners to transform aggregated security data and collective security knowledge into actionable strategies. Our threat intelligence allows us to make quick and well-informed security decisions to proactively respond to cyber threats and attacks by enacting the appropriate preventative measures before these threats and attacks occur.

Organizational Security

Security Awareness Program

Because staff are the last line of defense, all staff members at WellnessLiving are trained to protect the organization against the security threats present in our day-to-day operations. All staff members are required to complete a comprehensive security training program at least once a year, and all new hires must complete this training program when starting at WellnessLiving. Simulated phishing tests modelled on real-life phishing attacks are sent periodically to ensure that our staff members remain alert and that phishing reporting processes are functional.

Identity and Access Control

WellnessLiving incorporates the principle of least privilege (PoLP) when provisioning access, only authorizing access to staff members as needed for their job roles and responsibilities. Password policies for systems accessed by employees are configured to follow best practices outlined in NIST 800-63B.
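The passage above cites NIST SP 800-63B for employee password policy but does not show what such a policy looks like in code. The following verifier is an added example, not WellnessLiving’s code: it applies the 800-63B memorized-secret rules (minimum 8 characters, at least 64 permitted, Unicode normalization, rejection of breached, context-specific, repeated and sequential values) and deliberately imposes no composition or expiry rules, which 800-63B advises against. The blocklist is a small constructed sample standing in for a real breached-password corpus.

```python
"""Added example (not WellnessLiving's code): a password verifier following the
NIST SP 800-63B rules for memorized secrets. BLOCKLIST is a constructed sample;
a real deployment loads a large breached-password corpus."""
import unicodedata

# Constructed sample of breached/common passwords (compared case-insensitively).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou"}

MIN_LENGTH = 8    # 800-63B: memorized secrets SHALL be at least 8 characters
MAX_LENGTH = 64   # 800-63B: verifiers SHOULD permit at least 64 characters


def normalize(secret: str) -> str:
    """NFKC normalization so visually equivalent Unicode input compares consistently."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, context_words=()) -> list:
    """Return a list of rule violations; an empty list means the password is acceptable.

    Deliberately absent: composition rules (mandatory digits or symbols) and
    periodic expiry, which 800-63B tells verifiers not to impose.
    context_words holds service- or user-specific terms (service name, username)
    that the password must not contain.
    """
    s = normalize(secret)
    problems = []
    n = len(s)  # count code points, not bytes, so non-ASCII passwords are not penalized
    if n < MIN_LENGTH:
        problems.append(f"too short: {n} < {MIN_LENGTH} characters")
    if n > MAX_LENGTH:
        problems.append(f"too long: {n} > {MAX_LENGTH} characters")
    lowered = s.lower()
    if lowered in BLOCKLIST:
        problems.append("appears in breached/common password list")
    for w in context_words:
        if w and w.lower() in lowered:
            problems.append(f"contains context-specific word '{w}'")
    # Repetitive or sequential strings ("aaaaaaaa", "12345678") are disallowed.
    if n >= 2 and len(set(lowered)) == 1:
        problems.append("single repeated character")
    if n >= 2 and all(ord(lowered[i + 1]) - ord(lowered[i]) == 1 for i in range(n - 1)):
        problems.append("sequential run of characters")
    return problems


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password", "12345678"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

Note that a long passphrase with spaces passes while a short password that would satisfy a classic "one uppercase, one digit" rule is rejected purely on length or blocklist grounds; that inversion is the point of 800-63B.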

Endpoint Protection

All servers and workstations are protected by endpoint detection and response (EDR) solutions that automatically stop and remediate threats. In addition, servers and workstations are hardened using security best practices, such as requiring passwords to log in and encrypting hard drives.

Data Protection

Data Centers

WellnessLiving products and data use AWS data centers to host our infrastructure. AWS, which also provides hosting services to some of the most highly regulated industries in the world, possesses various compliance certifications including ISO27001, PCI-DSS, and SOC2. For more information about AWS data center controls, see Amazon Web Service’s Data Center Controls.

Data encryption

All communications with WellnessLiving services are encrypted in transit by default. Encryption at rest is applied to all databases and file storage containing sensitive data. All data encryption operations performed at WellnessLiving are required to follow NIST-approved cryptographic standards and configurations such as TLS 1.2/1.3, AES, and SHA-3.

Backups

Customer data backups are performed daily using incremental backups that support point-in-time recovery for up to 30 days. Weekly long-term snapshots are performed and retained for up to one year.
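The backup policy above is only useful if it is verified. The following script is an added example, not WellnessLiving’s tooling: it checks a backup inventory against the stated policy, requiring a daily backup for each of the trailing 30 days and a weekly snapshot for each of the trailing 52 ISO weeks (the 52-week reading of "up to one year" is an assumption). The inventory is constructed sample data; a real check would pull it from the backup system’s API.

```python
"""Added example (not WellnessLiving's code): verify a backup inventory against
the page's retention policy (daily for 30 days, weekly for one year).
The inventory here is constructed sample data."""
from datetime import date, timedelta

DAILY_WINDOW_DAYS = 30     # page: point-in-time recovery for up to 30 days
WEEKLY_WINDOW_WEEKS = 52   # page: weekly snapshots for up to one year (assumed 52 ISO weeks)
SAMPLE_TODAY = date(2024, 6, 30)  # constructed reference date for the sample run


def iso_week_label(d: date) -> str:
    """'YYYY-Www' key so a weekly snapshot may land on any weekday of its week."""
    year, week, _ = d.isocalendar()
    return f"{year}-W{week:02d}"


def missing_daily(backups, today: date) -> list:
    """ISO dates in the trailing 30-day window (today inclusive) with no daily backup."""
    have = {d for kind, d in backups if kind == "daily"}
    window = [today - timedelta(days=i) for i in range(DAILY_WINDOW_DAYS)]
    return sorted(d.isoformat() for d in window if d not in have)


def missing_weekly(backups, today: date) -> list:
    """ISO weeks in the trailing 52-week window with no weekly snapshot."""
    have = {iso_week_label(d) for kind, d in backups if kind == "weekly"}
    window = {iso_week_label(today - timedelta(weeks=i)) for i in range(WEEKLY_WINDOW_WEEKS)}
    return sorted(w for w in window if w not in have)


def coverage_report(backups, today: date) -> dict:
    """Gaps in both schedules plus an overall pass/fail flag."""
    daily_gaps = missing_daily(backups, today)
    weekly_gaps = missing_weekly(backups, today)
    return {"daily_gaps": daily_gaps, "weekly_gaps": weekly_gaps,
            "compliant": not daily_gaps and not weekly_gaps}


def sample_inventory(today: date, skip_daily=(), skip_weekly=()) -> list:
    """Constructed inventory of (kind, date) tuples; skip_* drop the given offsets
    (days back for daily, weeks back for weekly) to simulate missed backups."""
    inv = [("daily", today - timedelta(days=i))
           for i in range(DAILY_WINDOW_DAYS) if i not in skip_daily]
    inv += [("weekly", today - timedelta(weeks=i))
            for i in range(WEEKLY_WINDOW_WEEKS) if i not in skip_weekly]
    return inv


if __name__ == "__main__":
    inv = sample_inventory(SAMPLE_TODAY, skip_daily=(15,), skip_weekly=(10,))
    print(coverage_report(inv, SAMPLE_TODAY))
```

A report with non-empty gap lists is the signal a defender wants before an incident, not after: a missed daily backup shortens the point-in-time recovery window, and a missed weekly snapshot leaves a hole in the year-long history.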

Disaster Recovery and Business Continuity Plan

The availability and resiliency of the platform are of the utmost importance at WellnessLiving. We have an in-depth disaster recovery and business continuity plan (DRBCP) to prevent or minimize the loss of data and to ensure that critical services can recover within an appropriate period of time in the event of any significant service disruption. The DRBCP includes several components, including an infrastructure built following AWS Reliability Pillar guidelines, classification of data, testing of backups, and business impact assessments (BIA).

Exposure Management

Security Scanning and Monitoring

WellnessLiving uses reputable security tools to conduct regular dynamic web application vulnerability scans and to provide 24/7 monitoring of all internet-facing assets. Our internal systems are continuously monitored for vulnerabilities and for compliance against Center for Internet Security (CIS) best practices.

Vulnerability Management

All vulnerability findings are reviewed, logged in our tracking system, and prioritized according to risk. To assist with prioritization, WellnessLiving compares recent announcements, releases, and information with existing inventory and vulnerability data. Remediation of each vulnerability is tracked until it is fixed.

System Patching

WellnessLiving incorporates a weekly patching cycle to remediate all vulnerability-related findings across all systems. To address critical threats and vulnerabilities, an emergency patching procedure is in place to ensure the identified risks are remediated as soon as possible.

Incident Management

Incident Response Plan

WellnessLiving has an in-depth Incident Response Plan (IRP) based on the guidelines outlined in NIST SP 800-61 Rev 2. Using documented response playbooks for different incident types, we ensure our response to security incidents is efficient, repeatable, and always improving.

Incident Response Team

WellnessLiving has a dedicated security team available to respond to any incidents that occur. Working with our security partners, our security team is supported by a team of knowledgeable and accomplished incident managers who are available 24/7 to assist when needed.

Breach Notification

In the event of an information breach, WellnessLiving will take measures to notify all individuals in accordance with applicable privacy laws such as HIPAA, PIPEDA, GDPR, and CCPA.
