# Current State Assessment
Last updated: 2026-04-04 — reflects DA-11 (NVS baseline), DA-15 (NHC baseline + app servers + ALB/WAF), DA-18 (HA/DR + ElastiCache + docs hosting)
## NVS Account
PHI Status: NVS is not currently handling PHI. The screenshot feature that will bring it into full HIPAA scope is not yet implemented. Controls below are deployed proactively — they will be required once the feature goes live.
| Control | Status | Notes |
|---|---|---|
| AWS BAA | ✅ Done | Covers all AWS services used |
| KMS CMKs (EBS, S3, CloudTrail, RDS) | ✅ Done | tofu/modules/kms — all with 30-day deletion window + auto-rotation |
| S3 SSE-KMS + block public access | ✅ Done | Screenshot + access logs buckets deployed |
| S3 HTTPS-only bucket policy | ✅ Done | DenyHTTP + DenyUnencryptedUploads on all buckets |
| CloudTrail (multi-region, encrypted) | ✅ Done | nvs-trail — KMS encrypted, log validation enabled |
| GuardDuty | ✅ Done | SNS alerts on High/Critical findings |
| Security Hub | ✅ Done | AWS Foundational + NIST 800-53 Rev 5 (HIPAA standard N/A in ap-southeast-1) |
| AWS Config + conformance pack | ✅ Done | 21-rule HIPAA conformance pack deployed |
| IAM baseline (SSM role, Access Analyzer) | ✅ Done | tofu/modules/iam |
| IAM Identity Center (SSO) | ✅ Done | Entra ID SAML 2.0 — see iam-identity-center.md |
| RDS MariaDB (encrypted, private) | ✅ Done | prod-nvs-hris in Singapore — KMS, no public access, 7-day backups |
| EBS encryption (existing volumes) | ❌ Pending | DA-14 — requires snapshot + volume swap maintenance window |
| VPC (private subnets, flow logs) | ⏳ Deferred | DA-13 — new VPC planned alongside EC2 migration to Singapore |
| EC2 in private subnet | ⏳ Deferred | DA-13 — EC2 still in Tokyo on public IP |
| S3 remote state backend | ❌ Pending | DA-15 — local state only, single point of failure |
| Laravel S3 file storage | ❌ Blocked | DA-12 — requires app code refactor + PHI audit first |
| WAF on Laravel ALB | ❌ Pending | Phase 3 |
| MFA enforcement SCP | ❌ Pending | Org-level SCP not yet deployed |
| RDS data migration | ❌ Pending | DA-11 — hris dump from Tokyo Podman → Singapore RDS |
## NHC Account
| Control | Status | Notes |
|---|---|---|
| AWS BAA | ✅ Done | Covers all AWS services used |
| KMS CMKs (EBS, S3, CloudTrail, Backup, RDS) | ✅ Done | All deployed — tofu/accounts/nhc/ |
| CloudTrail (multi-region, encrypted) | ✅ Done | nhc-trail deployed |
| GuardDuty | ✅ Done | SNS alerts on High/Critical findings |
| Security Hub | ✅ Done | AWS Foundational + NIST 800-53 Rev 5 |
| AWS Config + conformance pack | ✅ Done | HIPAA conformance pack deployed |
| IAM baseline (SSM role, Access Analyzer) | ✅ Done | |
| VPC (private subnets, flow logs, NAT) | ✅ Done | prod-nhc VPC in us-east-2 |
| AWS Backup vault | ✅ Done | 30-day retention; cross-region backup vault in us-west-2 |
| S3 logging bucket | ✅ Done | SSE-KMS, versioned |
| EC2 app + EC2 Django | ✅ Done | DA-15 Phase 2 — bootstrapped via Ansible (Docker CE, GitLab Runner, deploy user) |
| EC2 Foursites + EC2 Runner | ✅ Done | All 4 EC2 instances deployed and operational |
| RDS MySQL 8.0 (Django API) | ✅ Done | Encrypted, private subnet, PHI-tagged, Multi-AZ enabled (DA-18) |
| RDS MariaDB 10.11 (WP CMS) | ✅ Done | Encrypted, private subnet, Multi-AZ enabled (DA-18) |
| ElastiCache Redis | ✅ Done | DA-18 — managed cluster, encrypted at-rest (KMS) + in-transit (TLS) |
| ALB + WAF (Django) | ✅ Done | DA-15 Phase 3 — HTTPS (TLS 1.2+1.3), WAF rate limiting, host/path routing |
| ALB + WAF (Foursites) | ✅ Done | DA-15 — HTTPS + WAF with host-based routing for 4 sites |
| ALB (WordPress/Gatsby) | ✅ Done | HTTPS + host-based routing |
| EC2 Auto-Recovery | ✅ Done | DA-18 — CloudWatch alarms on all 4 instances |
| Cross-Region DR | ✅ Done | DA-18 — backup vault nhc-dr-backup-vault in us-west-2 with KMS key |
| Portals | ✅ Done | Deployed on Django EC2 + ALB, HIPAA-compliant (no Netlify) |
| All 5 apps deployed | ✅ Done | Django API, Portal, WP CMS, Gatsby, Foursites — all live on staging |
| Documentation site | ✅ Done | DA-18 — MkDocs on GitLab Pages at docs.novavirtual.site |
## Policies & Process
| Control | Status | Notes |
|---|---|---|
| Incident response plan | ✅ Draft | docs/policies/incident-response.md |
| Breach notification procedure | ✅ Draft | docs/policies/breach-notification.md |
| Contingency plan | ✅ Draft | docs/policies/contingency-plan.md |
| Data retention policy | ✅ Draft | docs/policies/data-retention.md |
| Workforce training program | ✅ Draft | docs/policies/workforce-training.md |
| Formal security risk assessment | ❌ Pending | Draft docs exist; formal sign-off required |
| Third-party BAA audit | ❌ Unknown | SaaS tools not fully inventoried |
## Infrastructure
| Item | Status |
|---|---|
| OpenTofu IaC (terraform → tofu) | ✅ Done — DA-10 |
| IaC state backend (S3 + DynamoDB) | ❌ Pending — DA-15 |
| NVS account baseline applied | ✅ Done — DA-11 |
| NHC account baseline | ✅ Done — DA-15 Phase 1 |
| NHC HA/DR (Multi-AZ, auto-recovery) | ✅ Done — DA-18 |
| Cross-region DR backup vault | ✅ Done — DA-18 |
| ASG module (gated for migration) | ✅ Done — DA-18 |