MedStack Technology Compliance Policies
Continuity
Ensure continuity of operational systems during adverse situations
- Use cloud providers for operational systems
  - They have world-leading protections for information security continuity.
  - Delegate responsibility for physical infrastructure to them.
  - Use geographic redundancy where appropriate to reduce the impact of the loss of a data centre.
- Maintain information security protection
  - Protect data during emergencies, even as it is protected during normal operations.
- Evaluate
  - the expected length of the emergency
  - the scale of the emergency
- Ensure customer access to information
  - Restore systems in order of criticality.
  - Re-create operational systems from backups and images as needed.
  - Use alternative data centres and geographic regions as appropriate and as permitted.
- Communicate with affected customers
  - Alert them to the expected length, scale, and actions that will be taken.
  - Update them immediately as systems are restored or re-created.
  - If systems still cannot be accessed for eight hours, update them.
  - Update them daily until the data is restored or is deemed to be permanently lost.
  - Update them if information is permanently lost.
Ensure continuity of employee operations during adverse situations
- Protect employees
  - Prioritize the safety of employees in adverse situations.
  - In a dangerous emergency, evacuating personnel has priority over preserving information assets.
  - Follow standard emergency procedures and notify authorities as necessary.
- Restore availability
  - Notify other employees of the situation and emergency protocols.
  - Travel and transport essential equipment to a location that is not affected.
  - Replace essential equipment as necessary.
  - Re-establish connections with the internet in order to resume technical activities.
- Continue business operations
  - Enable continuation of critical business processes for the protection of information.
  - Notify third parties, such as insurance carriers and damage restoration suppliers.
  - Acquire alternative facilities if necessary.
- Roles and responsibilities
  - CTO
    - Information and communications technology
    - Physical security
    - Utilities
  - CEO
    - Mail and couriers
    - Contact with customers
    - Transportation
    - Business records
    - Legal issues
    - Supplier and partner relations
    - Media relations
  - CTO
Activate Emergency Mode
- during prolonged adverse conditions
- after eight hours of
  - non-availability of employee facilities
  - non-availability of cloud infrastructure
- due to
  - electrical power failure
  - earthquake, fire, flood, storm or other natural disaster
  - sabotage, terrorism, vandalism
  - any other adverse condition
Treat systems in order of criticality
- Restore in order of customer criticality
  - Follow documented criticality.
  - Reprioritize in case of customers who have communicated an emergency with immediate health consequences.
- Restore in order of system criticality
  - 1: customer access to backups
  - 2: production systems
  - 3: staging systems
  - 4: development systems
Train, test and revise continuity plans
- Train employees in disaster preparation and recovery, and knowledge of responsibilities in the event of a disaster.
- Periodically test, and revise as necessary, all emergency preparedness plans, including emergency and contingency plans.
Code | Section | Title |
---|---|---|
ISO | A.17.1.3 | Verify, review and evaluate information security continuity |
SOC2 | A1.3 | The entity tests recovery plan procedures supporting system recovery to meet its objectives. |
Enforcement
- Responsible party: All managers and supervisors
- Sanctions: standard
References
Code | Section | Title |
---|---|---|
ISO | A.17.1 | Information security continuity |
ISO | A.17.1.1 | Planning information security continuity |
ISO | A.17.1.2 | Implementing information security continuity |
CHI | SR86 | Testing Business Continuity Plans |
HIPAA | 164.308(a)(7) | Contingency plan |
HIPAA | 164.310(a)(2)(i) | Contingency operations |
HIPAA | 164.312(a)(2)(ii) | Emergency access procedure |
SOC2 | CC7.5 | The entity identifies, develops, and implements activities to recover from identified security incidents. |
SOC2 | A1.2 | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. |
Life Support Mental Health Inc. © 2023
All Rights Reserved