Operations & Infrastructure Security
Change Management Policy
Neuro+ has a Change Management Policy that governs changes to Information Assets in line with its Standard Operating Procedures. The Change Advisory Board (CAB) meets to review standard changes, with provisions for emergency meetings as needed. The policy establishes a framework in which both scheduled and failed changes are reviewed and reported. The CAB's permanent members come from IT and the CISO, joined by the relevant system owners and stakeholders. Changes undergo risk assessment and require approvals appropriate to their categorisation (Standard, Normal, Emergency, or Major). Failed changes receive particular attention: they require root cause analysis, a remediation plan, and approval from both the System Owner and the CAB before any reattempt. The policy also includes notification procedures for both internal and external stakeholders.
Malicious Software Detection
All Neuro+ devices have malicious software detection installed, and we use a unified password management system with RBAC. Our MDM also lets us blacklist applications and restrict the use of unauthorised software.
Backup & Restoration
Neuro+'s backup and restoration framework protects critical data through a clearly defined backup schedule based on data classification. The policy establishes that critical systems receive full backups supplemented by incremental backups and transaction logs, while important systems undergo weekly full backups. All backup data is stored across multiple secure locations: a primary data centre, a geographically separate secondary location, and optionally cloud storage for tertiary copies. Strict access controls apply, including multi-factor authentication for backup administrators, and all backup data is encrypted both at rest and in transit using approved algorithms.
System Hardening
Neuro+ implements comprehensive system hardening, event logging, and time synchronisation measures. Our frontend hosting provider includes built-in DDoS protection and a firewall, mandatory HTTPS/SSL encryption, edge network security, and secure environment variable management, complemented by detailed deployment, build, and runtime logs accessible through our internal frontend dashboard. Time synchronisation is maintained via NTP across our provider's infrastructure, with all timestamps standardised to UTC. Our backend server enforces security through Row Level Security (RLS) policies, PostgreSQL's built-in security features, JWT-based API authentication, and database encryption at rest. Backend logging covers database audit logs, API request logs, authentication logs, and SQL query logs, with accurate time synchronisation provided by PostgreSQL's timestamp and timezone handling. Our database servers also maintain comprehensive access, modification and query audit logs, with RBAC flagging. Please refer to our SOPs for further documentation.
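The RLS-plus-JWT pattern above, shown as an added illustration rather than Neuro+'s own schema: the table `patient_notes`, the role `api_user`, the helper `current_subject()` and the session setting `request.jwt.claim.sub` are assumptions, standing in for whatever the API layer sets after it has verified the token.

```sql
-- Table whose rows belong to one user each (illustrative schema).
CREATE TABLE patient_notes (
    id         bigserial PRIMARY KEY,
    owner_id   uuid NOT NULL,
    body       text NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- The role the API connects as; it gets table privileges but no bypass.
CREATE ROLE api_user NOLOGIN;
GRANT SELECT, INSERT ON patient_notes TO api_user;

-- ENABLE turns policies on; FORCE also applies them to the table owner.
-- Without either, the policies below are inert.
ALTER TABLE patient_notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient_notes FORCE ROW LEVEL SECURITY;

-- Read the subject claim the API layer stored for this transaction.
-- current_setting(..., true) returns NULL when unset, so an unauthenticated
-- request matches no rows (fail closed) instead of erroring open.
CREATE FUNCTION current_subject() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT nullif(current_setting('request.jwt.claim.sub', true), '')::uuid
$$;

-- Weak form (do not use): USING (true) exposes every row to any caller.
-- CREATE POLICY open_all ON patient_notes FOR SELECT USING (true);

-- Hardened form: reads and writes are scoped to the verified subject.
CREATE POLICY notes_owner_select ON patient_notes
    FOR SELECT TO api_user
    USING (owner_id = current_subject());

CREATE POLICY notes_owner_insert ON patient_notes
    FOR INSERT TO api_user
    WITH CHECK (owner_id = current_subject());

-- Per request, after JWT verification in the API layer (constructed value):
-- SET LOCAL is transaction-scoped, so a pooled connection cannot leak the
-- claim into the next request.
BEGIN;
SET LOCAL request.jwt.claim.sub = '11111111-1111-1111-1111-111111111111';
SELECT id, body FROM patient_notes;   -- returns only this subject's rows
COMMIT;
```

A useful check is to run the SELECT with the setting unset: a correctly configured table returns zero rows rather than the whole table.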
Segregation of Environments
Neuro+ maintains complete server separation between development, test, and production environments for both frontend and database infrastructure, each with distinct access controls. Each environment has its own authentication systems, access keys and configurations, and no production data is allowed in non-production environments. Non-production environments are fully segregated from production. A standardised code promotion process ensures proper testing and validation before any change reaches production systems. Furthermore, access to production systems is restricted to the highest access levels. Please refer to our policies for our stance on segregation of duties and access management.
Audit Trail Logs
Neuro+ implements comprehensive logging across all systems with centralised management and automated analysis tools. Logs are stored in tamper-proof storage with strict access controls and regular integrity verification. Automated alerting flags suspicious activity for immediate review, retention periods satisfy compliance requirements, and regular log reviews are conducted as part of our security operations.
Vulnerability Management
Neuro+'s Vulnerability Management SOP sets out a systematic approach to identifying and remediating vulnerabilities in information systems. The policy defines specific scanning frequencies (daily checks for internet-facing systems, weekly reviews of critical applications, and fortnightly assessments of other systems) and strict remediation deadlines, from 48 hours for critical issues to one month for lower-risk vulnerabilities. Accountability is distributed across the CISO, System Owners, the IT Department, the Development Team, and the Vulnerability Management Team, each with distinct responsibilities. Prioritisation is risk-based, weighing CVSS scores, exploitation potential, and business impact, and is supported by patch management protocols, alternative mitigation strategies where patching is not possible, and documentation and verification requirements for every remediation.