MedStack Technology Compliance Policies

Backup

Create and maintain integrous backups

  • Why
    • Protect data against accidental or malicious deletion, media failure, and access failure.
    • Provide a basis for restoration in case of system failure.
  • Make complete, exact copies
    • Dump entire database servers using official tools.
    • Encrypt and sign backup archives.
    • Restrict the ability to modify backup files (for example, use write-only access for servers creating backups).
  • Maintain confidentiality in backups
    • Restrict access to backup files to superadmins and customer administrators.
    • Ensure that temporary files are on encrypted drives.
  • Maximize availability, durability and retrievability
    • Protect backups against media failure, power spikes or outages, fire, flood, or other natural disaster, viruses, hackers, and improper acts by employees and others.
    • Store backups in a separate physical environment to mitigate loss of an environment.
    • Make redundant copies of backups to mitigate the loss of physical media.

Automatically create point-in-time backups

  • For virtual machines
    • hourly (expires after one day)
    • daily (expires after one week)
    • weekly (expires after 4 weeks)
    • monthly (never expires)
    • After a backup expires, permanently delete it.
  • For managed databases
    • based on the schedule and retention time provided by the cloud service provider

Automatically validate backup management

  • Monitor the backup lifecycle automatically.
  • Test backup restoration.
  • Log all backup activity.

Restrict access to backups

  • Our employees
    • superadmins
  • Customers
    • The customer is responsible for restricting the access of their personnel and systems to the backups and keys.

Enforcement

  • Responsible party: All information technology managers and supervisors
  • Sanctions: standard

References

Code   Section               Title
ISO    A.12.3                Backup
ISO    A.12.3.1              Information backup
CHI    SR29                  Securely Backing Up Data
HIPAA  164.308(a)(7)(ii)(A)  Data backup plan
HIPAA  164.310(d)(2)(iv)     Data backup and storage
HIPAA  164.312(c)            Integrity
SOC2   A1.2                  The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.
SOC2   A1.3                  The entity tests recovery plan procedures supporting system recovery to meet its objectives.
SOC2   PI1.5                 The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.