Information security
MedStack Confidential
Metadata
- responsible officer: CTO
- approved by: CTO
- date
- effective: 2018-06-20
- revised: 2020-06-18
- reviewed: 2022-08-31
- Applicability: standard
Guide ourselves using an Information Security Management Program based on ISO/IEC 27002:2013
- The purpose of the ISMP is to
- to develop and deploy our Information Security Management Program
- to implement security controls as required based on an assessment of security risk
- to mitigate risks
- to have a safe and secure working environment
- to protect ourselves and our customers from liability and damage
- The ISMP is for everyone
- leadership
- employees
- contractors
Meet our responsibilities for protecting data
- Comply with and be aware of all applicable privacy or data protection rules and regulations
- all laws and associated regulations or rules
- in all jurisdictions where we conduct business
- Specifically comply with
- HIPAA (USA)
- PIPEDA (Canada)
- Canadian provincial regulations
- GDPR (Europe)
- Maintain awareness of current and relevant security and privacy laws as they change.
Protect and secure all of our information system assets
- Information system assets include
- computers
- mobile devices
- networking equipment
- software
- data (including PHI)
- Information protection categories includes
- privacy
- confidentiality
- availability
- integrity
Align the ISMP with our goals and processes
- make it compatible with our strategic direction
- integrate it into our processes
- ensure that the resources needed are available
Continuously improve our policies
- respond to feedback
- review whether they meet their intended goals
- update them as appropriate
Verify compliance to this policy
- Use various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
- Implement automated regular information system activity reviews
- audit logs
- access reports
- security incident tracking reports
- Implement automated regular information system activity reviews
Report problems
- If you detect a problem, report it immediately and include
- narrative of the problem
- how long the problem has existed
- suggested solutions
- If a problem is reported
- Do not take action against the employee who reported the problem.
- Document the problem.
- Assess the problem’s severity.
- Implement mitigations and solutions as appropriate.
- Priority problems
- include network security and data integrity problems
- should be reported directly to the CPSO in addition to normal reporting channels
- should be acted on immediately
Exceptions
- Any exception to this policy must be approved by the Security Officer in advance.
Enforcement
- Responsible party: All managers and supervisors
Non-compliance
- employees: Any violation of this Information Security policy by an employee is subject to disciplinary sanctions, up to and including dismissal.
- customers: Any violation of this policy by an employee or agent of a customer organization will be reported to the customer organization and handled in accordance with the customer organization’s sanctions policy. Where the violation poses a threat to us or other customers, we may take appropriate action to protect PHI and other sensitive assets. This could include suspension of access privileges for individuals who violate this policy.
- vendors: Any violation of this Information Security policy by a supplier, vendor or contractor or their respective employees and agents, is subject to remedies identified in the agreement or contract. We may request the removal of a supplier, vendor or contractor employee who has violated this Information Security policy.
References
| Code | Section | Title |
|---|---|---|
| ISO | A.6 | Organization of information security |
| ISO | A.6.1 | Internal organization |
| ISO | A.6.1.1 | Information security roles and responsibilities |
| ISO | A.6.1.2 | Segregation of duties |
| ISO | A.6.1.5 | Information security in project management |
| CHI | SR2 | Security Policy |
| CHI | SR3 | Information security management, coordination and allocation of responsibilities |
| SOC2 | CC1.3 | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. |
| SOC2 | CC1.3 | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. |
| SOC2 | CC1.4 | COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. |
| SOC2 | CC1.5 | COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. |
| SOC2 | CC5.1 | COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. |
| SOC2 | CC6.3 | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. |