Health Check Policy
Security Classification: Public
Version: 1.1 (May 2025)
Overview
This policy defines the Security Health Check Process and identifies its scope.
The Security Health Check is an assurance process that verifies that the health-check-specific settings have been implemented in accordance with the relevant security policies, and that any deviations have been formally logged with actions to meet the deviation fix timeframes.
Security Health checks are performed on the security asset inventory. The health checking process must be conducted:
- Quarterly (or more frequently) on Internet systems, systems subject to Disaster Recovery, and systems which provide Inter-Enterprise Services
- Semi-annually (or more frequently) on all other systems and network infrastructure components
Evidence that the process has been conducted must be retained for a 12-month period.
Below is a list of Security Health Check tools and Health Check Goals. Note that many of these health checks will be covered as output of regular Operational Security activities.

| Health Check Tool | Health Check Goal |
|---|---|
| User Access Control Tool | Health check assessment of User Access Controls |
| Security Configuration Benchmarks (CIS or equivalent security compliance baselines) | Health check for security compliance based on a defined set of security configuration baselines |
| Patch management tool | Health check for known vulnerabilities which require patching |
| Vulnerability Scanning Tool (Nessus or equivalent) | Health check scanning for internal network and software vulnerabilities |
Business Risk
Inconsistent Health Checking and unresolved deviations could result in:
- Systems and/or Services which could be exploited to expose KX intellectual information or be made vulnerable to denial-of-service attacks
- Systems and/or Service failures or outages
- Systems and/or Services providing unauthorized access to Systems
Health check vulnerabilities must be remediated with an urgency determined by the system's classification (business scope).
NOTE: Not every health check issue is a vulnerability. Some health check findings are incidents to be recorded and fixed.
Refer to the Application Vulnerability Management Standard and the Infrastructure Vulnerability Management Standard for details on remediation of vulnerabilities.
Health Checks
The Health Checking process applies to systems in the Security Asset Inventory, and to related Cloud assets.
The process must ensure that:
- All mandatory access control system options are set in accordance with the Technical Specification documents
- Only approved users hold security administrative or system authority. NOTE: this requirement may be satisfied by the tooling implementing access authorization if it manages all access and reconciles any discrepancies found on managed systems.
- All operating system resource (OSR) access controls are set in accordance with the detailed Technical Specifications documents
- The required harmful code detection programs are installed and operational
- The required system or application access and activity logs exist
- Other items on the Security Readiness Checklist are referenced and checked
- KX management is advised of any deviations
- Corrective action is taken for deviations found
- Corrective actions adhere to the time-limit requirements for resolution of high-risk severity deviations