MedStack Technology Compliance Policies

Workstation

Automatically manage workstation computers using Mobile Device Management (MDM) software

  • Require and enforce device protections
    • full-disk encryption of data on all devices (such as phones and laptops)
    • strong authentication
    • automatic screen lock for unattended devices
    • software and firmware updates from the vendor
    • remote wipe

Protect information from unauthorized view

  • Papers and removable media
    • store out of sight when they are unattended
  • When working in a public environment such as a coffee shop
    • shield the screen and keyboard from view when entering or viewing secrets

Enforcement

  • Responsible party: All managers and supervisors
  • Sanctions: standard

References

Code   Section      Title
ISO    A.11.2.8     Unattended user equipment
ISO    A.11.2.9     Clear desk and clear screen policy
HIPAA  164.310(b)   Workstation use
HIPAA  164.310(c)   Workstation security
SOC2   CC6.4        The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.
SOC2   CC6.5        The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
SOC2   A1.2         The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.