6. Security and Technical Stability Standards
| | Criteria | Criteria Origin |
|---|---|---|
| 6a — Q1 | Does the application connect to an internet-based application programming interface (API) (e.g., an application developer web service, social media, advertisements)? | ORCHA |
| 6a — Q2 | List the APIs. | ORCHA |
| 6a — Q3 | Does the application integrate with a device? | ORCHA |
| 6a — Q4 | Does the application integrate with any of the following: electronic medical record (EMR), electronic health-care record (EHR), personal health record (PHR), or clinical specialty system (CSS)? | MHCC |
| 6a — Q5 | Does the application operate without Wi-Fi? | ORCHA |
| 6a — Q6 | Does the application operate without a cellular network? | ORCHA |
| 6a — Q7 | Does the application access, process, or store personal and/or sensitive data? | ORCHA |
| 6a — Q8 | Is sensitive data persisted[1] to the mobile device? | ORCHA |
| 6a — Q9 | Does the application access, process, or store personal and/or sensitive data? | ORCHA |
| 6a — Q10 | What permissions does the application request? | ORCHA |
| 6a — Q11 | Does the application provide alerts or notifications? | ORCHA |
| 6a — Q12 | Does the application provide suggestions? | ORCHA |
| 6a — Q13 | Does the application undertake calculations? | ORCHA |
| 6a — Q14 | Are the source code and any configuration items for the product version-controlled, with all changes audited? | ORCHA |
| 6a — Q15 | | ORCHA |
| 6a — Q16 | Do you have the capacity to roll back to previous versions of your product? | ORCHA |
| 6a — Q17 | | ORCHA |
| 6a — Q18 | Describe your processes for accepting and responding to technical faults from end-users. | ORCHA |
| 6a — Q19 | Do you provide online support for user queries? | ORCHA |
| 6a — Q20 | Do you proactively monitor the running of systems and system components to automatically identify faults and technical issues? | ORCHA |
| 6a — Q21 | | ORCHA |
| 6a — Q22 | Do you have a documented roadmap for future development of your product? | ORCHA |
| 6a — Q23 | | ORCHA |
| 6a — Q24 | Provide details of how you will ensure the continued availability of your product. | ORCHA |
| 6a — Q25 | Do you have a plan for decommissioning your product? | ORCHA |
| 6a — Q26 | Describe your processes for decommissioning your product and dealing with any identifiable data. | ORCHA |
| 6a — Q27 | Do you have a plan for dealing with any identifiable data in the event that an individual stops using your product (e.g., by uninstalling or unsubscribing)? | ORCHA |
| 6a — Q28 | | ORCHA |
| 6a — Q29 | Does the organization follow any formal testing standards? | ORCHA |
| 6a — Q30 | | ORCHA |
| 6a — Q31 | For each of the following that are carried out, please describe the people/roles involved and the processes they work on, even if they are informal. | ORCHA |
| 6a — Q32 | | ORCHA |
| 6a — Q33 | | ORCHA |
| 6a — Q34 | | ORCHA |
| 6a — Q35 | | ORCHA |
| 6a — Q36 | A/B Guidance: A form of UX testing in which two variants of something (A and B) are tested to determine the better of the two variants. | ORCHA |
| 6a — Q37 | | ORCHA |
| 6a — Q38 | | ORCHA |
| 6a — Q39 | | ORCHA |
| 6a — Q40 | | ORCHA |
| 6a — Q41 | | ORCHA |
| 6a — Q42 | | ORCHA |
| | Criteria | Criteria Origin |
|---|---|---|
| 6b — Q1 | Is the application a native application for a mobile device? | ORCHA |
| 6b — Q2 | Is the application a web application? | ORCHA |
| 6b — Q3 | Are web APIs accessed? | ORCHA |
| 6b — Q4 | Does the application access, process, or store personal and/or sensitive data? | ORCHA |
| 6b — Q5 | Is sensitive data persisted to the mobile device? | ORCHA |
| 6b — Q6 | What permissions does the application request? | ORCHA |
| 6b — Q7 | What OWASP level is the app categorized as? Guidance: The assessor should use the following rules to determine the app's OWASP level. If Mobile = Y: if "personal and/or sensitive data is accessed, processed, or stored" = Y, then MASVS = 2, rising to MASVS = 2+R if sensitive data is persisted to the device; otherwise MASVS = 1. If Web = Y: if "personal and/or sensitive data is accessed, processed, or stored" = Y, then ASVS = 2; otherwise ASVS = 1. | ORCHA |
| 6b — Q8 | Does the application connect to national/regional EHRs? | ORCHA |
| 6b — Q9 | Does the application provide alerts or notifications? | ORCHA |
| 6b — Q10 | Does the application provide suggestions? | ORCHA |
| 6b — Q11 | Does the application undertake calculations? | ORCHA |
| 6b — Q12 | Does the application support in-application purchases? | ORCHA |
| 6b — Q13 | Has a security assessment been undertaken by an accredited external third party? | ORCHA |
| 6b — Q14 | Is the external third party a CREST/APMG/CHECK registered supplier? | ORCHA |
| 6b — Q15 | Does the scope of the report cover the full technical architecture of the application? | ORCHA |
| 6b — Q16 | Has an industry standard been used for the risk model in the associated PEN/vulnerability testing? | ORCHA |
| 6b — Q17 | Have all medium risks/issues identified been mitigated and resolved, and can this be demonstrated through retesting within six weeks of the original PEN/vulnerability testing? | ORCHA |
| 6b — Q18 | Has the PEN testing been undertaken within the last 12 months? | ORCHA |
| 6b — Q19 | Has the code-level security assessment been undertaken against the correct OWASP level? | ORCHA |
| 6b — Q20 | Is the methodology for the security review proportional to the attack surface and risk of the application? | ORCHA |
| 6b — Q21 | Does the organization have CyberSecure Canada certification? | MHCC |
| 6b — Q22 | Does the organization have CIS Top 20 Compliance? | US DHAF |
| 6b — Q23 | Does the organization have SOC-2 certification? | US DHAF |
| 6b — Q24 | Does the organization have ISO 27001 certification? | ORCHA |
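The decision rule in 6b Q7 is easy to misapply by hand because the MASVS branch is nested (the 2+R outcome only exists once sensitive data is already in scope) and because a product can be both a native app and a web app, in which case both a MASVS and an ASVS level apply. The following is an added example, not ORCHA's or the framework's own tooling: it encodes the Q7 rule over the Y/N answers to 6b Q1, Q2, Q4 and Q5 and adds one consistency check that the page does not state, namely that sensitive data cannot be persisted to the device (Q5 = Y) without being stored (Q4 = Y). The field and function names are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AppProfile:
    """Answers to 6b Q1, Q2, Q4 and Q5 that feed the Q7 OWASP level decision.

    Field names are this example's own (assumed), not the questionnaire's.
    """
    is_mobile: bool           # 6b Q1: native application for a mobile device
    is_web: bool              # 6b Q2: web application
    handles_sensitive: bool   # 6b Q4: personal/sensitive data accessed, processed or stored
    persists_sensitive: bool  # 6b Q5: sensitive data persisted to the mobile device


@dataclass(frozen=True)
class OwaspLevels:
    masvs: Optional[str]  # "1", "2" or "2+R"; None when the product is not a mobile app
    asvs: Optional[str]   # "1" or "2"; None when the product is not a web app


def inconsistent_answers(profile: AppProfile) -> Optional[str]:
    """Added check (not in the questionnaire): explain why an answer set is contradictory.

    Returns None when the answers are consistent.
    """
    if profile.persists_sensitive and not profile.handles_sensitive:
        return "Q5 = Y requires Q4 = Y: sensitive data persisted to the device is stored sensitive data"
    if profile.persists_sensitive and not profile.is_mobile:
        return "Q5 = Y requires Q1 = Y: only a mobile app persists data to the mobile device"
    return None


def owasp_levels(profile: AppProfile) -> OwaspLevels:
    """Apply the 6b Q7 rule. Raises ValueError on a contradictory answer set."""
    problem = inconsistent_answers(profile)
    if problem is not None:
        raise ValueError(problem)

    masvs = None
    if profile.is_mobile:
        if profile.handles_sensitive:
            # Sensitive data in scope: level 2, with the resilience add-on (+R)
            # only when that data is also persisted on the device.
            masvs = "2+R" if profile.persists_sensitive else "2"
        else:
            masvs = "1"

    asvs = None
    if profile.is_web:
        asvs = "2" if profile.handles_sensitive else "1"

    return OwaspLevels(masvs=masvs, asvs=asvs)


def profile_from_answers(answers: dict) -> AppProfile:
    """Build a profile from a Y/N answer sheet keyed by question id (Q1, Q2, Q4, Q5).

    A missing or non-Y/N answer is rejected rather than silently treated as N,
    so an incomplete sheet cannot produce an under-scoped level.
    """
    def yes_no(qid: str) -> bool:
        raw = str(answers.get(qid, "")).strip().upper()
        if raw not in ("Y", "N"):
            raise ValueError(f"{qid}: expected Y or N, got {answers.get(qid)!r}")
        return raw == "Y"

    return AppProfile(
        is_mobile=yes_no("Q1"),
        is_web=yes_no("Q2"),
        handles_sensitive=yes_no("Q4"),
        persists_sensitive=yes_no("Q5"),
    )


if __name__ == "__main__":
    # Constructed sample: a mobile app with a companion web front end that
    # stores sensitive data on the device.
    sample_sheet = {"Q1": "Y", "Q2": "Y", "Q4": "Y", "Q5": "Y"}
    levels = owasp_levels(profile_from_answers(sample_sheet))
    print(f"MASVS level: {levels.masvs}, ASVS level: {levels.asvs}")
```

The level returned here is the one that 6b Q19 expects the code-level security assessment to have been performed against, so keeping the rule in code gives the assessor a repeatable answer rather than a hand-read of the nested guidance.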