08. Healthsafe Compliance Management Policy

COMPLIANCE MANAGEMENT POLICY




Document Identification: HSNZ/POL/08
Document Name: Compliance Management Policy
Master Copy: CISO
Version Number: 1.4
Date Of Release: 15 Aug 2023
Prepared By: Eparama Tuibenau, CISO
Approved by: Kevin McAfee, Managing Director


VERSION HISTORY

Sl No | Version No. (From) | Version No. (To) | Prepared by | Approved by | Description of Version | Date | Reason for Version Change
1 | - | 1.0 | CISO | MD | First Release | 14 Apr 2020 | No changes made
1 | 1.0 | 1.1 | CISO | MD | Updated | 31 Jul 2020 | Format update
1 | 1.1 | 1.2 | CISO | MD | Updated | 21 Jun 2021 | Modifications due to changes in HealthSafe
1 | 1.2 | 1.3 | CISO | MD | Reviewed | 27 Jul 2022 | Annual review
1 | 1.3 | 1.4 | CISO | MD | Reviewed | 15 Aug 2023 | Annual review


DOCUMENT STATUS

Date | Document Status
14 Apr 2020 | Modified
31 Jul 2020 | Modified
21 Jun 2021 | Reviewed
27 Jul 2022 | Current
15 Aug 2023 | Current




Table of Contents

1 Purpose
2 Scope
3 Input
4 Output
5 Interacting Process
6 Abbreviations, Acronyms and Definitions
7 Procedure
8 Monitoring the Process
9 Records




1 PURPOSE


To define the documented procedure by which HealthSafe NZ identifies and meets all relevant legal, statutory, regulatory, and contractual requirements.


2 SCOPE


All processes in HealthSafe NZ, including the design, operation, use, and management of information systems that are subject to legal, statutory, regulatory, and contractual security requirements.


3 INPUT


Regulatory requirements for business operations


4 OUTPUT


Application of the applicable legal and statutory requirements to business operations


5 INTERACTING PROCESS


Finance, Functional Head, Employee, Vendors


6 ABBREVIATIONS, ACRONYMS AND DEFINITIONS


Abbreviation | Description
FH | Functional Head
IT | Information Technology Department
TL | Team Lead
CISO | Chief Information Security Officer


7 PROCEDURE


Identification of Applicable Legislation


The relevant asset owners, as listed in the Compliance Checklist hereunder, will maintain an up-to-date record of all relevant statutory, regulatory and contractual requirements, and of HealthSafe NZ's approach to meeting these requirements, for each information system and for the organisation as a whole.


Intellectual Property Rights


The relevant asset owners, as listed in the Compliance Checklist hereunder, will ensure compliance with legislative, regulatory and contractual requirements on the use of material in which intellectual property rights may subsist and on the use of proprietary software products.


HealthSafe NZ ensures that only original, licensed software products are used, and that all such subscription licences are retained and monitored by the appropriate employees.

Protection of Organisational Rights


The relevant asset owners, as listed in the Compliance Checklist hereunder, will ensure that all documents and records are protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual, and business requirements, and are retained for a minimum period of years or as required by law.


Data Protection and Personal Information


The relevant asset owners as mentioned in the Compliance Checklist hereunder will ensure that personal data and privacy are protected as required in relevant legislation, regulations, and if applicable, contractual clauses. 



Prevention of misuse of processing facility


All the Employees, contractors, and third-party users will be advised that no access will be permitted except that which is authorised. 


Management will ensure that employees are deterred from using information processing facilities for unauthorised purposes by implementing management authorisation procedures, the acceptable usage policy, access control procedures and disciplinary action procedures.


Compliance with Security Policies and Standards


The relevant asset owners as mentioned in the Compliance Checklist hereunder will ensure all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards. 


CISO will supervise and take necessary action in case of any deviation observed. 


HealthSafe NZ management will ensure that all employees and third-party contractors are adequately knowledgeable about and aware of the information security management system policies and procedures through their induction/onboarding process, and are deterred from deviating from ISMS policies through the Disciplinary Action Procedure.


Technical Compliance Checking


A Technical Compliance Assessment will be conducted for all information systems of HealthSafe NZ once every 12 months, whenever new systems are introduced, or as otherwise required by Management.


Technical compliance checking will be conducted by an experienced Information Security Consultancy Agency, by a qualified external vulnerability assessor (under proper NDA and contract terms), or by a qualified independent Manager / HealthSafe NZ Security Division / Administrator of HealthSafe under the supervision of or TL.


Technical compliance checking (including vulnerability assessment and penetration testing) will be conducted either manually or with the assistance of automated tools that generate a technical report for subsequent interpretation by a technical specialist.


The TL will initiate regular checks and report any vulnerabilities found to the CISO.


Based on the findings, the CISO will identify, modify or implement new controls and obtain Management approval for them.


The TL will maintain these checks on an ongoing basis.


Information System Audit Controls


CISO will carefully plan any audit to minimise the risk of disruptions to business processes by following the procedures laid down in Internal Audit Procedure.


Protection of Information System Audit Tools


The CISO will ensure that access to information system audit tools is protected to prevent any possible misuse or compromise, following the procedures laid down in the Internal Audit Procedure.


Client Data Handling Guidelines


HealthSafe NZ works extensively with clients in New Zealand and Australia. The applications developed by HealthSafe NZ handle confidential client data. Under government law, this confidential data must not leave the country under any circumstances unless authorised; accordingly, NZ clients are notified that HealthSafe's data centre is located in Sydney, Australia, and accept this arrangement.


As a product development and support organisation, HealthSafe NZ necessarily handles client data, which may include confidential data. The following guidelines/policy are to be followed by employees when viewing, modifying or obtaining clients' data.


The scenarios in which HealthSafe employees interact with clients' data are:

  • Customer Support Desk staff viewing customer data in the event of a complaint.
  • Development and testing staff viewing or modifying a client's data for debugging or fixing an issue.
  • The data conversion team obtaining clients' databases for migration or conversion purposes.
  • Integration with third-party technology partners who also hold confidential client information.

Guidelines and Process - Customer Support Desk


  • Inform the client that the conversation is being recorded (if required)
  • Inform and get the client's approval before showing their data
  • Inform and get the approval before modifying anything in the client's environment.  Take all necessary precautions to create backups at each stage to ensure actions can be reverted.
  • Inform and get approval before performing irrevocable changes or modifications (when applicable).

Guidelines and Process - Development, Data Conversion and Testing Teams:


  • Without approval, data must not be taken out of the respective country, and any activity must be performed only on machines located in that country/region.
  • Inform the client and obtain their consent for data acquisition when necessary.




COMPLIANCE CHECKLIST

Process Owners | Compliance Requirement | Procedure Defined | Records/Formats | Retention Period
CISO | Information Security Management System | Annual Review | ISMS Manual | 7 Years
CISO | Security Incident Management | Security Incident Management Procedure | Incident Management Reporting Forms | 7 Years
FH | Disciplinary Proceedings | Disciplinary Action Procedure | Disciplinary Proceedings Records | 7 Years or as required by Law
FH | Background Verification | Background Verification Procedure | Background Verification Records | 7 Years or as required by Law
FH | Confidentiality Agreement/NDA Background Screening Process | Entered into with Employees, Trainees & Contractors | NDA Format; Screening Form | 7 Years



8 MONITORING THE PROCESS


  • Licence usage, and timely removal of unused licences from systems/operations

9 RECORDS


  • Compliance Register