Risk Management
2025.04.16
This policy establishes the scope, objectives, and procedures of ClearHealth’s information security risk management process. The risk management process is intended to support and protect the organization and its ability to fulfill its mission.
Policy Statements
ClearHealth policy requires that:
(a) A thorough risk assessment must be conducted to evaluate the potential threats and vulnerabilities to the confidentiality, integrity, and availability of the sensitive, confidential, and proprietary electronic information ClearHealth stores, transmits, and/or processes.
(b) Risk assessments must be performed with any major change to ClearHealth’s business or technical operations and/or supporting infrastructure, and no less than once per year.
(c) Strategies shall be developed to mitigate or accept the risks identified in the risk assessment process.
(d) Documentation of all risk assessment, risk management, and risk mitigation efforts must be maintained for a minimum of seven years.
(e) Security analysis must be performed for any open source software and/or third-party components and dependencies included in ClearHealth’s software products. Any software or service not meeting the requirements must be disabled, have additional controls in place that mitigate its vulnerabilities, or be replaced with an alternative.