MedStack Technology Compliance Policies

Asset management

Maintain an asset inventory

  • Automatically identify all assets
    • Use automated tools to detect assets and to maintain and update the asset inventory.
    • Link each asset to an internal or customer owner and responsible party.
Code  Section   Title
ISO   A.8.1.1   Inventory of assets
SOC2  CC6.1     The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.

Use company-owned assets

  • The company must own all production systems and employee workstations.
Code  Section   Title
ISO   A.8.1.2   Ownership of assets

Acceptable Use for employees

  • Assets may only be used as defined in these policies.
  • Access PHI only in aggregate form as needed to fulfill work duties.
  • Do not read individual PHI records.
Code  Section   Title
ISO   A.8.1.3   Acceptable use of assets

Return organizational assets upon

  • termination of employee
  • change of role, where employee no longer requires assets
Code  Section   Title
ISO   A.8.1.4   Return of assets

Manage the installation of software

  • Production systems
    • Install software programmatically and manage what software is installed in source control.
  • Workstations and mobile devices
    • Install software only from trusted sources.
Code  Section   Title
ISO   A.12.6.2  Restrictions on software installation
SOC2  CC6.8     The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.

Enforcement

  • Responsible party: All managers and supervisors
  • Sanctions: standard

References

Code  Section   Title
ISO   A.8.1     Responsibility for assets
CHI   SR8       Responsibility for information assets