Software development and operations

MedStack Confidential

Metadata

responsible officer: CTO
approved by: CTO
date
- effective: 2018-06-20
- revised: 2020-06-18
- reviewed: 2022-08-31

Applicability

people: This policy applies to all employees, contractors, suppliers and vendors who develop software that interacts with PHI.

To conduct software development and operations

Perform these activities
- Define operational procedures and responsibilities
- Control operational software and authorize changes
- Acquire, develop, test, document and maintain systems
- Implement security requirements for information systems
- Protect data used for testing
On these entities
- configurations
- infrastructure
- data
- software

Code	Section	Title
ISO	A.12.1	Operational procedures and responsibilities
ISO	A.12.5	Control of operational software
ISO	A.14	System acquisition, development and maintenance
ISO	A.14.2	Security in development and support processes

Implement all operations activities as software development

Make all changes to operational systems by
- modifying source code
- executing the source code
- using automated tools
Use software development methods to
- test development, staging and operational systems
- ensure that performance matches expectations
- document software and processes (where they are not self-documenting)
- log modifications to the systems

Code	Section	Title
ISO	A.12.1.1	Documented operating procedures
ISO	A.12.1.2	Change management
ISO	A.12.5.1	Installation of software on operational systems
SOC2	CC2.1	COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2	CC3.4	COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.
SOC2	CC6.8	The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.
SOC2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
SOC2	PI1.1	The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.
SOC2	PI1.1	The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.

Make security a key part of software development and operations

Design and develop systems to be secure
- Design using Privacy by Design and Security by Design.
- Develop using security best-practices (e.g. OWASP).
- Use secure development environments.
- Avoid unnecessary changes.
- Design systems to be continuously auditable and testable.
Scan and test operational systems applications for vulnerabilities
- Scan operational systems for security flaws.
- Commission third-party network scans.
- Commission third-party penetration tests.
Manage vulnerabilities
- Document, review and manage vulnerabilities.
- Monitor security news for new vulnerabilities.

Code	Section	Title
ISO	A.12.6.1	Management of technical vulnerabilities
ISO	A.12.7.1	Information systems audit controls
ISO	A.14.1	Security requirements of information systems
ISO	A.14.1.1	Information security requirements analysis and specification
ISO	A.14.1.2	Securing application services on public networks
ISO	A.14.1.3	Protecting application services transactions
ISO	A.14.2.1	Secure development policy
ISO	A.14.2.4	Restrictions on changes to software packages
ISO	A.14.2.5	Secure system engineering principles
ISO	A.14.2.6	Secure development environment
Privacy by Design
OWASP Security by Design Principles
SOC2	CC6.7	The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.
SOC2	CC6.8	The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.
SOC2	CC7.1	To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
SOC2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
SOC2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
SOC2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

Control changes to software and systems

Use a source control system
- to control changes to software
- to manage access to source code
Control and automate the deployment of software to production
- Peer review new and modified software before deployment to production.
- Use a continuous deployment system.
In case of emergency changes outside of the normal process
- document the changes made
- incorporate the changes back into the normal process
Use the principle of least privilege
- Grant software the minimum necessary access to perform its function.
- Limit only production engineers to have access to production systems.

Code	Section	Title
ISO	A.14.2.2	System change control procedures

Operate reliable systems with appropriate redundancy and availability

Code	Section	Title
ISO	A.12.1.3	Capacity management
ISO	A.17.2.1	Availability of information processing facilities
SOC2	A1.1	The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
SOC2	A1.2	The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.

Perform testing of software

Automate testing in a secure manner
- Implement automated tests of systems.
- Perform testing primarily on non-production systems.
- Do not use real data or PHI for testing or demonstrations.
Test for
- regressions
- security flaws
- acceptance criteria

Code	Section	Title
ISO	A.12.1.4	Separation of development, testing and operational environments
ISO	A.14.2.3	Technical review of applications after operating platform changes
ISO	A.14.2.8	System security testing
ISO	A.14.2.9	System acceptance testing
ISO	A.14.3	Test data
ISO	A.14.3.1	Protection of test data
SOC2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
SOC2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
SOC2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

Have PHI only on production systems

Do not copy PHI to non-production systems
- only production systems are secured and managed correctly to handle PHI
If PHI is on a non-production system
- Evaluate the security of the non-production system (e.g. a secure workstation).
- Securely delete the data as soon as possible.
- Report the incident.

Do not outsource software development and operations

All development and operations is performed by employees or contractors directly managed by employees.

Code	Section	Title
ISO	A.14.2.7	Outsourced development
SOC2	CC2.3	COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.

Respect Intellectual Property Rights and licenses

Identify and comply with IPR for source code of external origin (including open source software).
Identify and comply with IPR for software tools (including open source software).

Code	Section	Title
ISO	A.18.1.2	Intellectual property rights
SOC2	CC3.1	COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Enforcement

Responsible party: All managers and supervisors
sanctions: standard

References

Code	Section	Title
ISO	A.9.4.5	Access control to program source code
ISO	A.12.6	Technical vulnerability management
ISO	A.17.2	Redundancies
CHI	SR80	Implementing Software and Upgrades in the EHRi
CHI	SR81	Protecting EHRi Software
CHI	SR82	Managing Known Vulnerabilities
SOC 2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.