MedStack Technology Compliance Policies
- Use cloud providers for operational systems
- They have world-leading protections for information security continuity.
- Delegate responsibility for physical infrastructure to them.
- Use geographic redundancy where appropriate to reduce the impact of the loss of a data centre.
- Maintain information security protection
- Protect data during emergencies, even as it is protected during normal operations.
- the expected length of the emergency
- the scale of the emergency
- Ensure customer access to information
- Restore systems in order of criticality.
- Re-create operational systems from backups and images as needed.
- Use alternative data centres and geographic regions as appropriate and as permitted.
- Communicate with affected customers
- Alert them to the expected length, scale, and actions that will be taken.
- Update them immediately as systems are restored or re-created.
- If systems still cannot be accessed for eight hours, update them.
- Update them daily until the data is restored or is deemed to be permanently lost.
- Update them if information is permanently lost.
- Protect employees
- Prioritize the safety of employees in adverse situations.
- In a dangerous emergency, evacuating personnel has priority over preserving information assets.
- Follow standard emergency procedures and notify authorities as necessary.
- Restore availability
- Notify other employees of the situation and emergency protocols.
- Travel and transport essential equipment to a location that is not affected.
- Replace essential equipment as necessary.
- Re-establish connections with the internet in order to resume technical activities.
- Continue business operations
- Enable continuation of critical business processes for the protection of information.
- Notify third parties, such as insurance carriers and damage restoration suppliers.
- Acquire alternative facilities if necessary.
- Roles and responsibilities
- Information and communications technology
- Physical Security
- Mail and couriers
- Contact with customers
- Business records
- Legal issues
- Supplier and partner relations
- Media relations
- during prolonged adverse conditions
- after eight hours of
- non-availability of employee facilities
- non-availability of cloud infrastructure
- due to
- electrical power failure
- earthquake, fire, flood, storm or other natural disaster
- sabotage, terrorism, vandalism
- any other adverse condition
- after eight hours of
- Restore in order of customer criticality
- Follow documented criticality.
- Reprioritize in case of customers who have communicated an emergency with immediate health consequences.
- Restore in order of system criticality
- 1: customer access to backups
- 2: production systems
- 3: staging systems
- 4: development systems
- Train employees in disaster preparation and recovery, and knowledge of responsibilities in the event of a disaster.
- Periodically test, and revise as necessary, all emergency preparedness plans, including emergency and contingency plans.
|ISO||A.17.1.3||Verify, review and evaluate information security continuity|
|SOC2||A1.3||The entity tests recovery plan procedures supporting system recovery to meet its objectives.|
- Responsible party: All managers and supervisors
- sanctions: standard
|ISO||A.17.1||Information security continuity|
|ISO||A.17.1.1||Planning information security continuity|
|ISO||A.17.1.2||Implementing information security continuity|
|CHI||SR86||Testing Business Continuity Plans|
|HIPAA||164.312(a)(2)(ii)||Emergency access procedure|
|SOC2||CC7.5||The entity identifies, develops, and implements activities to recover from identified security incidents.|
|SOC2||A1.2||The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.|