Continuity

MedStack Confidential

Metadata

responsible officer: CTO
approved by: CTO
date
- effective: 2018-06-20
- revised: 2020-06-18
- reviewed: 2022-08-31

Use cloud providers for operational systems
- They have world-leading protections for information security continuity.
- Delegate responsibility for physical infrastructure to them.
- Use geographic redundancy where appropriate to reduce the impact of the loss of a data centre.
Maintain information security protection
- Protect data during emergencies, even as it is protected during normal operations.
Evaluate
- the expected length of the emergency
- the scale of the emergency
Ensure customer access to information
- Restore systems in order of criticality.
- Re-create operational systems from backups and images as needed.
- Use alternative data centres and geographic regions as appropriate and as permitted.
Communicate with affected customers
- Alert them to the expected length, scale, and actions that will be taken.
- Update them immediately as systems are restored or re-created.
- If systems still cannot be accessed for eight hours, update them.
- Update them daily until the data is restored or is deemed to be permanently lost.
- Update them if information is permanently lost.

Protect employees
- Prioritize the safety of employees in adverse situations.
- In a dangerous emergency, evacuating personnel has priority over preserving information assets.
- Follow standard emergency procedures and notify authorities as necessary.
Restore availability
- Notify other employees of the situation and emergency protocols.
- Travel and transport essential equipment to a location that is not affected.
- Replace essential equipment as necessary.
- Re-establish connections with the internet in order to resume technical activities.
Continue business operations
- Enable continuation of critical business processes for the protection of information.
- Notify third parties, such as insurance carriers and damage restoration suppliers.
- Acquire alternative facilities if necessary.
Roles and responsibilities
- CTO
  - Information and communications technology
  - Physical Security
  - Utilities
- CEO
  - Mail and couriers
  - Contact with customers
  - Transportation
  - Business records
  - Legal issues
  - Supplier and partner relations
  - Media relations

Code	Section	Title
HIPAA	164.308(a)(7)(ii)(C)	Emergency mode operation plan (Required)

Restore in order of customer criticality
- Follow documented criticality.
- Reprioritize in case of customers who have communicated an emergency with immediate health consequences.
Restore in order of system criticality
- 1: customer access to backups
- 2: production systems
- 3: staging systems
- 4: development systems

Train employees in disaster preparation and recovery, and knowledge of responsibilities in the event of a disaster.
Periodically test, and revise as necessary, all emergency preparedness plans, including emergency and contingency plans.

Code	Section	Title
ISO	A.17.1.3	Verify, review and evaluate information security continuity
HIPAA	164.308(a)(7)(ii)(D)	Testing and revision procedures (Addressable)
SOC2	A1.3	The entity tests recovery plan procedures supporting system recovery to meet its objectives.

Code	Section	Title
ISO	A.17.1	Information security continuity
ISO	A.17.1.1	Planning information security continuity
ISO	A.17.1.2	Implementing information security continuity
CHI	SR86	Testing Business Continuity Plans
HIPAA	164.308(a)(7)(i)	Standard: Contingency plan
HIPAA	164.312(a)(2)(ii)	Emergency access procedure (Required)
SOC2	CC7.5	The entity identifies, develops, and implements activities to recover from identified security incidents.
SOC2	A1.2	The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.