Risk score matrix

Security risk is assessed separately from clinical and privacy risk, via a different process.

The table below lists the minimum mandatory security controls for each API risk score. A YES in a column means the control is mandatory at that risk score; every control listed here is mandatory at all four levels.
| Requirement | Low | Medium | High | Extreme |
| --- | --- | --- | --- | --- |
| Employees must sign an employment agreement that requires compliance with relevant organisational policies (non-disclosure of confidential information, information security policies and acceptable use policies) before being granted access to organisational information systems, resources and assets. | YES | YES | YES | YES |
| Critical data, including all security logs, is identified and regularly backed up. | YES | YES | YES | YES |
| Outside your application, your staff must always send patient information by secure means. | YES | YES | YES | YES |
| All new users receive formal approval before being granted access to information systems. All leavers have their access revoked immediately on leaving the organisation. Regular audits demonstrate that both happen. | YES | YES | YES | YES |
| User access reviews are conducted regularly for all applications and systems that consume API data. | YES | YES | YES | YES |
| All endpoints and servers in your organisation that access API-consumed data have anti-malware software installed, running and regularly updated. | YES | YES | YES | YES |
| Your organisation can monitor user access to the systems and applications that hold information gathered from your chosen API. | YES | YES | YES | YES |
| You have alternative methods to operate your service should the API fail. | YES | YES | YES | YES |
| If you share the data with third parties, you ensure the quality of the data is not impaired in any way. | YES | YES | YES | YES |