Information classification
MedStack Confidential
Metadata
- responsible officer: CTO
- date
- effective: 2018-06-20
- revised: 2018-04-23
- reviewed: 2018-06-20
Document customer criticality
- Evaluate the criticality of each system
- Rank each customer based on the negative impact on their users if an emergency occurs.
- Rank each system based on its criticality to the customer (e.g. production, staging, test or development).
- Document the criticality of each system.
- Update the criticality of a system when the customer makes significant changes to their operations.
Enforcement
- Responsible party: All managers and supervisors
- sanctions: standard
References
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.8.2 | Information classification | Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization. |
| ISO | A.8.2.1 | Classification of information | Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. |
| ISO | A.8.2.2 | Labelling of information | An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. |
| ISO | A.8.2.3 | Handling of assets | Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. |
| HIPAA | 164.308(a)(7) | Contingency plan | (i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. (ii) Implementation specifications: (A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. (B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data. (C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. (D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans. (E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components. |