...

Procedural Controls

Security policies and procedures

Acceptable use policy: Patients Know Best's Acceptable Use Policy sets out the standards expected of everyone who has access to PKB systems and information, ensuring that services are used responsibly and in compliance with legal and ethical standards. It prohibits misuse, abuse and unauthorised activity, safeguarding the integrity and security of the platform.

Business continuity policy: Patients Know Best has implemented a comprehensive Business Continuity and Disaster Recovery plan, with measures to ensure data resilience, disaster recovery and service continuity. The plan is reviewed and approved annually.

Data retention and disposal policy: Patients Know Best maintains a Data Retention and Disposal Policy to ensure that data is retained only for the required duration, as instructed by the Data Controller, to support patient care and meet legal obligations. Secure disposal methods are used when records reach the end of their retention period. These policies are reviewed at least annually.

Incident response policy: Patients Know Best maintains an Incident Response Plan that describes the process for identifying and addressing potential security incidents. The policy details the steps to take if an incident is suspected, covers detecting, responding to and recovering from incidents, and defines post-incident activity requirements.

Information security policy: Patients Know Best has a documented Information Security Policy to help ensure that employees understand their roles and responsibilities relating to security. It includes procedures to ensure that employee workstations run suitable anti-virus software and have the most recent operating system and security patches installed.

Risk management policy: Patients Know Best has established a risk assessment process to identify, analyse, mitigate and manage risks relevant to its services and organisation. The risks considered include, but are not limited to, operational, strategic, technological, compliance, security and vendor risks.

Incident response plan

Patients Know Best's incident response plan is intended to establish controls that ensure security vulnerabilities and incidents are detected, and that security breaches receive a quick reaction and response. The plan also provides implementing instructions for security incident response, including definitions, procedures, responsibilities and performance measures (metrics and reporting mechanisms).

...

Backup and recovery

Patients Know Best's database is encrypted with the industry-standard AES algorithm using 256-bit keys (AES-256). The database is stored off-site and backed up nightly for system-wide recovery purposes. All UK customer data is kept in the UK.

Incremental backups, which archive the changes made to the data set since the previous backup, also take place between full backups.

...