MedStack Technology Compliance Policies

Continuity

Ensure continuity of operational systems during adverse situations

  • Use cloud providers for operational systems
    • They have world-leading protections for information security continuity.
    • Delegate responsibility for physical infrastructure to them.
    • Use geographic redundancy where appropriate to reduce the impact of the loss of a data centre.
  • Maintain information security protection
    • Protect data during emergencies, even as it is protected during normal operations.
  • Evaluate
    • the expected length of the emergency
    • the scale of the emergency
  • Ensure customer access to information
    • Restore systems in order of criticality.
    • Re-create operational systems from backups and images as needed.
    • Use alternative data centres and geographic regions as appropriate and as permitted.
  • Communicate with affected customers
    • Alert them to the expected length, scale, and actions that will be taken.
    • Update them immediately as systems are restored or re-created.
    • If systems still cannot be accessed for eight hours, update them.
    • Update them daily until the data is restored or is deemed to be permanently lost.
    • Update them if information is permanently lost.

Ensure continuity of employee operations during adverse situations

  • Protect employees
    • Prioritize the safety of employees in adverse situations.
    • In a dangerous emergency, evacuating personnel has priority over preserving information assets.
    • Follow standard emergency procedures and notify authorities as necessary.
  • Restore availability
    • Notify other employees of the situation and emergency protocols.
    • Travel and transport essential equipment to a location that is not affected.
    • Replace essential equipment as necessary.
    • Re-establish connections with the internet in order to resume technical activities.
  • Continue business operations
    • Enable continuation of critical business processes for the protection of information.
    • Notify third parties, such as insurance carriers and damage restoration suppliers.
    • Acquire alternative facilities if necessary.
  • Roles and responsibilities
    • CTO
      • Information and communications technology
      • Physical Security
      • Utilities
    • CEO
      • Mail and couriers
      • Contact with customers
      • Transportation
      • Business records
      • Legal issues
      • Supplier and partner relations
      • Media relations

Activate Emergency Mode

  • during prolonged adverse conditions
    • after eight hours of
      • non-availability of employee facilities
      • non-availability of cloud infrastructure
    • due to
      • electrical power failure
      • earthquake, fire, flood, storm or other natural disaster
      • sabotage, terrorism, vandalism
      • any other adverse condition

Treat systems in order of criticality

  • Restore in order of customer criticality
    • Follow documented criticality.
    • Reprioritize in case of customers who have communicated an emergency with immediate health consequences.
  • Restore in order of system criticality
    • 1: customer access to backups
    • 2: production systems
    • 3: staging systems
    • 4: development systems

Train, test and revise continuity plans

  • Train employees in disaster preparation and recovery, and knowledge of responsibilities in the event of a disaster.
  • Periodically test, and revise as necessary, all emergency preparedness plans, including emergency and contingency plans.
CodeSectionTitle
ISOA.17.1.3Verify, review and evaluate information security continuity
SOC2A1.3The entity tests recovery plan procedures supporting system recovery to meet its objectives.

Enforcement

  • Responsible party: All managers and supervisors
  • sanctions: standard

References

CodeSectionTitle
ISOA.17.1Information security continuity
ISOA.17.1.1Planning information security continuity
ISOA.17.1.2Implementing information security continuity
CHISR86Testing Business Continuity Plans
HIPAA164.308(a)(7)Contingency plan
HIPAA164.310(a)(2)(i)Contingency operations
HIPAA164.312(a)(2)(ii)Emergency access procedure
SOC2CC7.5The entity identifies, develops, and implements activities to recover from identified security incidents.
SOC2A1.2The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.