MedStack Technology Compliance Policies
- Automatically identify all assets
- Use automated tools to detect assets and to maintain and update the asset inventory.
- Link each asset to an internal or customer owner and responsible party.
| ISO | A.8.1.1 | Inventory of assets |
| SOC2 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives. |
- The company must own all production systems and employee workstations.
| ISO | A.8.1.2 | Ownership of assets |
- Assets may only be used as defined in these policies.
- Access PHI only in aggregate form as needed to fulfill work duties.
- Do not read individual PHI records.
| ISO | A.8.1.3 | Acceptable use of assets |
- termination of employee
- change of role, where employee no longer requires assets
| ISO | A.8.1.4 | Return of assets |
- Production systems
  - Install software programmatically and manage what software is installed in source control.
- Workstations and mobile devices
  - Install software only from trusted sources.
| ISO | A.12.6.2 | Restrictions on software installation |
| SOC2 | CC6.8 | The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
- Responsible party: All managers and supervisors
- Sanctions: standard
| ISO | A.8.1 | Responsibility for assets |
| CHI | SR8 | Responsibility for information assets |