Policies, Agreements, Terms & Conditions
MedStack Technology Compliance Policies
Software development and operations
Applicability
- people: This policy applies to all employees, contractors, suppliers and vendors who develop software that interacts with PHI.
To conduct software development and operations
- Perform these activities
- Define operational procedures and responsibilities
- Control operational software and authorize changes
- Acquire, develop, test, document and maintain systems
- Implement security requirements for information systems
- Protect data used for testing
- On these entities
- configurations
- infrastructure
- data
- software
| Code | Section | Title |
|---|---|---|
| ISO | A.12.1 | Operational procedures and responsibilities |
| ISO | A.12.5 | Control of operational software |
| ISO | A.14 | System acquisition, development and maintenance |
| ISO | A.14.2 | Security in development and support processes |
Implement all operations activities as software development
- Make all changes to operational systems by
- modifying source code
- executing the source code
- using automated tools
- Use software development methods to
- test development, staging and operational systems
- ensure that performance matches expectations
- document software and processes (where they are not self-documenting)
- log modifications to the systems
| Code | Section | Title |
|---|---|---|
| ISO | A.12.1.1 | Documented operating procedures |
| ISO | A.12.1.2 | Change management |
| ISO | A.12.5.1 | Installation of software on operational systems |
| SOC2 | CC2.1 | COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
| SOC2 | CC2.2 | COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
| SOC2 | CC2.2 | COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
| SOC2 | CC3.4 | COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control. |
| SOC2 | CC6.8 | The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
| SOC2 | CC8.1 | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
| SOC2 | PI1.1 | The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services. |
| SOC2 | PI1.1 | The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services. |
Make security a key part of software development and operations
- Design and develop systems to be secure
- Design using Privacy by Design and Security by Design.
- Develop using security best-practices (e.g. OWASP).
- Use secure development environments.
- Avoid unnecessary changes.
- Design systems to be continuously auditable and testable.
- Scan and test operational systems applications for vulnerabilities
- Scan operational systems for security flaws.
- Commission third-party network scans.
- Commission third-party penetration tests.
- Manage vulnerabilities
- Document, review and manage vulnerabilities.
- Monitor security news for new vulnerabilities.
| Code | Section | Title |
|---|---|---|
| ISO | A.12.6.1 | Management of technical vulnerabilities |
| ISO | A.12.7.1 | Information systems audit controls |
| ISO | A.14.1 | Security requirements of information systems |
| ISO | A.14.1.1 | Information security requirements analysis and specification |
| ISO | A.14.1.2 | Securing application services on public networks |
| ISO | A.14.1.3 | Protecting application services transactions |
| ISO | A.14.2.1 | Secure development policy |
| ISO | A.14.2.4 | Restrictions on changes to software packages |
| ISO | A.14.2.5 | Secure system engineering principles |
| ISO | A.14.2.6 | Secure development environment |
| Privacy by Design | ||
| OWASP Security by Design Principles | ||
| SOC2 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
| SOC2 | CC6.8 | The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
| SOC2 | CC7.1 | To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. |
| SOC2 | CC8.1 | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
| SOC2 | CC8.1 | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
| SOC2 | CC8.1 | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
Control changes to software and systems
- Use a source control system
- to control changes to software
- to manage access to source code
- Control and automate the deployment of software to production
- Peer review new and modified software before deployment to production.
- Use a continuous deployment system.
- In case of emergency changes outside of the normal process
- document the changes made
- incorporate the changes back into the normal process
- Use the principle of least privilege
- Grant software the minimum necessary access to perform its function.
- Limit only production engineers to have access to production systems.
| Code | Section | Title |
|---|---|---|
| ISO | A.14.2.2 | System change control procedures |
Operate reliable systems with appropriate redundancy and availability
| Code | Section | Title |
|---|---|---|
| ISO | A.12.1.3 | Capacity management |
| ISO | A.17.2.1 | Availability of information processing facilities |
| SOC2 | A1.1 | The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. |
| SOC2 | A1.2 | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. |
Perform testing of software
- Automate testing in a secure manner
- Implement automated tests of systems.
- Perform testing primarily on non-production systems.
- Do not use real data or PHI for testing or demonstrations.
- Test for
- regressions
- security flaws
- acceptance criteria
| Code | Section | Title |
|---|---|---|
| ISO | A.12.1.4 | Separation of development, testing and operational environments |
| ISO | A.14.2.3 | Technical review of applications after operating platform changes |
| ISO | A.14.2.8 | System security testing |
| ISO | A.14.2.9 | System acceptance testing |
| ISO | A.14.3 | Test data |
| ISO | A.14.3.1 | Protection of test data |
| SOC2 | CC8.1 | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
| SOC2 | CC8.1 | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
| SOC2 | CC8.1 | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
Have PHI only on production systems
- Do not copy PHI to non-production systems
- only production systems are secured and managed correctly to handle PHI
- If PHI is on a non-production system
- Evaluate the security of the non-production system (e.g. a secure workstation).
- Securely delete the data as soon as possible.
- Report the incident.
Do not outsource software development and operations
- All development and operations is performed by employees or contractors directly managed by employees.
| Code | Section | Title |
|---|---|---|
| ISO | A.14.2.7 | Outsourced development |
| SOC2 | CC2.3 | COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control. |
Respect Intellectual Property Rights and licenses
- Identify and comply with IPR for source code of external origin (including open source software).
- Identify and comply with IPR for software tools (including open source software).
| Code | Section | Title |
|---|---|---|
| ISO | A.18.1.2 | Intellectual property rights |
| SOC2 | CC3.1 | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. |
Enforcement
- Responsible party: All managers and supervisors
- sanctions: standard
References
| Code | Section | Title |
|---|---|---|
| ISO | A.9.4.5 | Access control to program source code |
| ISO | A.12.6 | Technical vulnerability management |
| ISO | A.17.2 | Redundancies |
| CHI | SR80 | Implementing Software and Upgrades in the EHRi |
| CHI | SR81 | Protecting EHRi Software |
| CHI | SR82 | Managing Known Vulnerabilities |
| SOC 2 | CC8.1 | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
Life Support Mental Health Inc. @ 2023
All Rights Reserved