MedStack Technology Compliance Policies

Continuity

Ensure continuity of operational systems during adverse situations

• Use cloud providers for operational systems
  • They have world-leading protections for information security continuity.
  • Delegate responsibility for physical infrastructure to them.
  • Use geographic redundancy where appropriate to reduce the impact of the loss of a data centre.
• Maintain information security protection
  • Protect data during emergencies, even as it is protected during normal operations.
• Evaluate
  • the expected length of the emergency
  • the scale of the emergency
• Ensure customer access to information
  • Restore systems in order of criticality.
  • Re-create operational systems from backups and images as needed.
  • Use alternative data centres and geographic regions as appropriate and as permitted.
• Communicate with affected customers
  • Alert them to the expected length, scale, and actions that will be taken.
  • Update them immediately as systems are restored or re-created.
  • If systems still cannot be accessed for eight hours, update them.
  • Update them daily until the data is restored or is deemed to be permanently lost.
  • Update them if information is permanently lost.

Ensure continuity of employee operations during adverse situations

• Protect employees
  • Prioritize the safety of employees in adverse situations.
  • In a dangerous emergency, evacuating personnel has priority over preserving information assets.
  • Follow standard emergency procedures and notify authorities as necessary.
• Restore availability
  • Notify other employees of the situation and emergency protocols.
  • Travel and transport essential equipment to a location that is not affected.
  • Replace essential equipment as necessary.
  • Re-establish connections with the internet in order to resume technical activities.
• Continue business operations
  • Enable continuation of critical business processes for the protection of information.
  • Notify third parties, such as insurance carriers and damage restoration suppliers.
  • Acquire alternative facilities if necessary.
• Roles and responsibilities
  • CTO
    • Information and communications technology
    • Physical Security
    • Utilities
  • CEO
    • Mail and couriers
    • Contact with customers
    • Transportation
    • Business records
    • Legal issues
    • Supplier and partner relations
    • Media relations

Activate Emergency Mode

• during prolonged adverse conditions
  • after eight hours of
    • non-availability of employee facilities
    • non-availability of cloud infrastructure
  • due to
    • electrical power failure
    • earthquake, fire, flood, storm or other natural disaster
    • sabotage, terrorism, vandalism
    • any other adverse condition

Treat systems in order of criticality

• Restore in order of customer criticality
  • Follow documented criticality.
  • Reprioritize in case of customers who have communicated an emergency with immediate health consequences.
• Restore in order of system criticality
  • 1: customer access to backups
  • 2: production systems
  • 3: staging systems
  • 4: development systems

Train, test and revise continuity plans

• Train employees in disaster preparation and recovery, and knowledge of responsibilities in the event of a disaster.
• Periodically test, and revise as necessary, all emergency preparedness plans, including emergency and contingency plans.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References