• Awareness, training, and reminders
  • Metadata
  • Foster awareness of compliance
  • Notify users of their responsibilities
  • Provide compliance training that is clear and complete
  • Run simulated tabletop information security incident training
  • Third-party resources
  • Enforcement
  • References

Awareness, training, and reminders

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-06-18
  • reviewed: 2022-08-31
• Applicability: standard

Foster awareness of compliance

• Provide security reminders based on compliance training materials.
• Attend privacy and security conferences.
• Maintain awareness of new and evolving security threats.

Code	Section	Title
ISO	A.6.1.4	Contact with special interest groups
HIPAA	164.308(a)(5)(ii)(A)	Security reminders (Addressable)

Notify users of their responsibilities

• to protect their credentials (passwords)
• to apply information security in accordance with our policies

Code	Section	Title
ISO	A.7.2.1	Management responsibilities

Provide compliance training that is clear and complete

• To
  • all employees
• When
  • during the new employee orientation period
  • before access is permitted to production systems
  • annually
• Train on
  • what is compliance and what compliance frameworks we follow
  • third party regulations on health data privacy and security
  • our internal information privacy and security policies and procedures
  • the duties and responsibilities of specific individuals, workgroups, departments, and divisions
  • security basics such as password management, malware protection, social engineering and phishing
• Maintain training records
  • including the training done and when it was done

Code	Section	Title
ISO	A.7.2.2	Information security awareness, education and training
CHI	SR15	Training users and raising security awareness
SOC2	CC1.1	Establishes Standards of Conduct
SOC2	CC1.4	COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

Run simulated tabletop information security incident training

• annually or when the threat environment changes significantly
• for employees with operational PHI access

Third-party resources

• Use recognized independent third-party resources where possible.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.7.2	During employment
HIPAA	164.308(a)(5)(i)	Standard: Security awareness and training
SOC2	CC1.4	COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2	CC1.4	COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

August 30, 2022

Powered by