MedStack Technology Compliance Policies

Information classification

Document customer criticality

  • Evaluate the criticality of each system
    • Rank each customer based on the negative impact on their users if an emergency occurs.
    • Rank each system based on its criticality to the customer (e.g. production, staging, test or development).
  • Document the criticality of each system.
  • Update the criticality of a system when the customer makes significant changes to their operations.

Enforcement

  • Responsible party: All managers and supervisors
  • Sanctions: standard

References

Code    Section         Title
ISO     A.8.2           Information classification
ISO     A.8.2.1         Classification of information
ISO     A.8.2.2         Labelling of information
ISO     A.8.2.3         Handling of assets
HIPAA   164.308(a)(7)   Contingency plan
SOC2    CC3.2           COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
SOC2    P6.7            The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects' personal information, upon the data subjects' request, to meet the entity's objectives related to privacy.
SOC2    C1.1            The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality.