Information classification
MedStack Confidential
Metadata
- responsible officer: CTO
- approved by: CTO
- date
- effective: 2018-06-20
- revised: 2020-06-18
- reviewed: 2022-08-31
Document customer criticality
- Evaluate the criticality of each system
- Rank each customer based on the negative impact on their users if an emergency occurs.
- Rank each system based on its criticality to the customer (e.g. production, staging, test or development).
- Document the criticality of each system.
- Update the criticality of a system when the customer makes significant changes to their operations.
Enforcement
- Responsible party: All managers and supervisors
- sanctions: standard
References
| Code | Section | Title |
|---|---|---|
| ISO | A.8.2 | Information classification |
| ISO | A.8.2.1 | Classification of information |
| ISO | A.8.2.2 | Labelling of information |
| ISO | A.8.2.3 | Handling of assets |
| HIPAA | 164.308(a)(7)(ii)(E) | Contingency plan |
| SOC2 | CC3.2 | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. |
| SOC2 | P6.7 | The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects’ personal information, upon the data subjects’ request, to meet the entity’s objectives related to privacy. |
| SOC2 | C1.1 | The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality. |