Policies, Agreements, Terms & Conditions
MedStack Technology Compliance Policies
Asset management
Maintain an asset inventory
- Automatically identify all assets
- Use automated tools to detect assets and to maintain and update the asset inventory.
- Link each asset to an internal or customer owner and responsible party.
Code | Section | Title |
---|---|---|
ISO | A.8.1.1 | Inventory of assets |
SOC2 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives. |
Use company-owned assets
- The company must own all production systems and employee workstations.
Code | Section | Title |
---|---|---|
ISO | A.8.1.2 | Ownership of assets |
Acceptable Use for employees
- Assets may only be used as defined in these policies.
- Access PHI only in aggregate form as needed to fulfill work duties.
- Do not read individual PHI records.
Code | Section | Title |
---|---|---|
ISO | A.8.1.3 | Acceptable use of assets |
Return organizational assets upon
- termination of employment
- change of role, where the employee no longer requires the assets
Code | Section | Title |
---|---|---|
ISO | A.8.1.4 | Return of assets |
Manage the installation of software
- Production systems
  - Install software programmatically and manage what software is installed in source control.
- Workstations and mobile devices
  - Install software only from trusted sources.
Code | Section | Title |
---|---|---|
ISO | A.12.6.2 | Restrictions on software installation |
SOC2 | CC6.8 | The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
Enforcement
- Responsible party: All managers and supervisors
- Sanctions: standard
References
Code | Section | Title |
---|---|---|
ISO | A.8.1 | Responsibility for assets |
CHI | SR8 | Responsibility for information assets |
Life Support Mental Health Inc. @ 2023
All Rights Reserved