Secure areas
MedStack Confidential
Metadata
- responsible officer: CTO
- date
- effective: 2018-06-20
- revised: 2019-06-21
- reviewed: 2018-06-20
- Applicability: standard
Use cloud providers facility security
- Secure all operational systems by hosting them at cloud providers.
- Rely on cloud providers to implement and carry out emergency facility access.
Code Section Title Text HIPAA 164.310(a)(2)(ii) Contingency operations (i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
Secure offices and home office (teleworking) facilities
- Secure the following factors
- Windows and doors
- Roofs and the potential for roof access
- Employee, partner, vendor and guest access
- Vehicle parking security
- Routine and non-routine deliveries
- Use the following factors as appropriate
- Locks and keys
- Electronic access control systems
- Electronic alarms and related systems
- Prepare for emergencies
- Provide for appropriate protection against emergencies such as fire.
Code Section Title Text HIPAA 164.310(a)(2)(ii) Facility security plan (ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. HIPAA 164.310(a)(2)(iii) Access control and validation procedures (iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
- Provide for appropriate protection against emergencies such as fire.
We do not manage facility maintenance
- All operational facilities are managed by suppliers.
Code Section Title Text HIPAA 164.310(a)(2)(iv) Maintenance records (iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
Enforcement
- Responsible party: All managers and supervisors
- sanctions: standard
References
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.11.1 | Secure areas | To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities. |
| ISO | A.11.1.1 | Physical security perimeter | Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. |
| ISO | A.11.1.2 | Physical entry controls | Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. |
| ISO | A.11.1.3 | Securing offices, rooms and facilities | Physical security for offices, rooms and facilities shall be designed and applied. |
| ISO | A.11.1.4 | Protecting against external and environmental threats | Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. |
| ISO | A.11.1.5 | Working in secure areas | Procedures for working in secure areas shall be designed and applied. |
| ISO | A.11.1.6 | Delivery and loading areas | Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. |
| CHI | SR17 | Physically securing EHRi systems | All organizations hosting components of the EHRi must use security perimeters to protect areas that contain information processing facilities supporting EHRi servers, applications or data. These secure areas must be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. |
| HIPAA | 164.310(a) | Facility access controls | (1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. (2) Implementation specifications: (i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. (ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. (iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. (iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). |