• Asset management
  • Metadata
  • Maintain an asset inventory
  • refs
  • Use company-owned assets
  • Acceptable Use for employees
  • Return organizational assets upon
  • Manage the installation of software
  • Enforcement
  • References

Asset management

MedStack Confidential

Metadata

• responsible officer: CTO
• date
  • effective: 2018-06-20
  • revised: 2019-10-12
  • reviewed: 2018-06-20
• Applicability: standard

Maintain an asset inventory

• Automatically identify all assets
  • Use automated tools to detect assets and to maintain and update the asset inventory.
  • Link each asset to an internal or customer owner and responsible party.

refs

• code: ISO
• section: A.8.1.1
• title: Inventory of assets
• Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
  • _metadata
    • maturity: 3
    • threat
      • agents
        • authorized_internal
        • unauthorized_internal
        • authorized_external
      • assets: hardware

Use company-owned assets

• The company must own all production systems and employee workstations.

  Code	Section	Title	Text
  ISO	A.8.1.2	Ownership of assets	Assets maintained in the inventory shall be owned.

Acceptable Use for employees

• Assets may only be used as defined in these policies.
• Access PHI only in aggregate form as needed to fulfill work duties.
• Do not read individual PHI records.

  Code	Section	Title	Text
  ISO	A.8.1.3	Acceptable use of assets	Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.

Return organizational assets upon

• termination of employee
• change of role, where employee no longer requires assets

  Code	Section	Title	Text
  ISO	A.8.1.4	Return of assets	All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

Manage the installation of software

• Production systems
  • Install software programmatically and manage what software is installed in source control.
• Workstations and mobile devices
  • Install software only from trusted sources.

    Code	Section	Title	Text
    ISO	A.12.6.2	Restrictions on software installation	Rules governing the installation of software by users shall be established and implemented.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title	Text
ISO	A.8.1	Responsibility for assets	To identify organizational assets and define appropriate protection responsibilities.
CHI	SR8	Responsibility for information assets	Organizations hosting components of the EHRi must: a) Account for all health information assets available via the hosted component (inventory of assets); b) Have a nominated custodian of these health information assets; and c) Have rules governing the acceptable use of these assets that are identified, documented, and put into practice.

November 13, 2019

Powered by