Procedures
| Procedure ID | Name | Description | Status |
|---|---|---|---|
| PR01 | User Onboarding and Offboarding | Describes how accounts are created, modified, deactivated, and verified across all SaaS platforms. Includes a platform-by-platform offboarding checklist. Includes I-9 verification and client-requested background screening. | Done |
| PR02 | Quarterly Access Review | Ensures access rights are reviewed and validated quarterly across all platforms, including privileged accounts. | Done |
| PR03 | Security Incident Response | Defines the end-to-end process for detecting, triaging, containing, and resolving security incidents. Covers incident confirmation, severity classification (P1 Critical through P4 Low), escalation routing, communication requirements, and post-incident review. Includes specific handling for AI-related incident types including harmful outputs, hallucinations, model drift, adversarial exploitation, and data quality failures. | Done |
| PR04 | Security Awareness Training | Describes how security awareness training and ongoing communications are delivered and tracked. | Done |
| PR05 | Vendor Due Diligence and BAA Management | Governs the process for evaluating, onboarding, and managing third-party vendors and service providers. Includes security due diligence assessments, risk tiering, ongoing monitoring, and annual re-assessment. Covers Business Associate Agreement (BAA) requirements for vendors that handle PHI under HIPAA, including identification of vendors requiring BAAs, negotiation and execution of BAA terms, and maintenance of an active BAA inventory. | Done |
| PR06 | Annual Risk Assessment | Describes how annual and change-triggered risk assessments are conducted, documented, and tracked to remediation. | Done |
| PR07 | Change Management and Deployment | Defines the approval, testing, and deployment process for production changes, including emergency changes. | Done |
| PR08 | Log Review and Alert Handling | Describes how audit logs are reviewed and alerts triaged across AWS CloudTrail, GitHub, Vercel, and Supabase. | Done |
| PR09 | Business Continuity, Backup and Recovery Procedure | Defines Phase2's approach to ensuring operational resilience across cloud-hosted and SaaS systems. Covers backup configuration and verification for critical data stores and services, recovery point objectives (RPO) and recovery time objectives (RTO), and procedures for restoring operations following an outage or disaster. Includes business continuity testing requirements—annual tabletop exercises and periodic recovery drills—to validate that recovery procedures work as documented and personnel are prepared. | Done |
| PR10 | Policy Review and Approval | Describes the process for reviewing, updating, and approving policies and for capturing re-acknowledgment from the workforce. | Done |
| PR11 | PHI Access Request Handling | Defines the process for responding to data subject access and amendment requests. | Done |
| PR12 | Privacy Incident Identification and Escalation | Defines how privacy incidents are identified, logged, and escalated to resolution. | Done |
| PR13 | Secure Software Development Lifecycle | Describes secure coding, peer review via PRs, secret scanning, dependency scanning, and environment separation. | Done |
| PR14 | Device and Media Handling Procedure | Covers the lifecycle management of endpoint devices and storage media used by Phase2 personnel. Includes device provisioning standards, MDM enrollment requirements, screen lock and encryption configuration, and the process for reporting lost or stolen devices. Addresses secure handling of storage media including laptops and portable drives, sanitization requirements prior to reuse or disposal, and documentation of media destruction to support compliance with data retention and disposal obligations. | Done |
| PR15 | Management Review Procedure | Governs formal periodic leadership review of ISMS control effectiveness, risk posture, findings, and remediation status. | Done |
| PR16 | SaaS Inventory Management Procedure | Defines how the authorized SaaS platform inventory is maintained, classified, and periodically reconciled. | Done |
| PR17 | SaaS Configuration, Data Classification and Encryption Review | Defines Phase2's process for reviewing and hardening the configuration of SaaS and cloud platforms in scope for the ISMS. Covers baseline configuration standards, periodic review cadence, and the approval workflow for configuration changes. Incorporates data classification requirements—how Phase2 categorizes data by sensitivity (Public, Internal, Confidential, Restricted/PHI)—and encryption standards for data at rest and in transit across all in-scope systems, ensuring appropriate controls are applied based on data type and sensitivity tier. | Done |
| PR18 | Endpoint Security Procedure | Defines minimum endpoint security configurations and the response to non-compliance. | Done |
| PR19 | Employee Acknowledgments Procedure | Governs the collection and recordkeeping of required employee acknowledgments for ISMS policies and compliance obligations. Covers annual re-acknowledgment of the Information Security Policy, Code of Conduct, and Acceptable Use Policy. Defines the acknowledgment workflow—distribution, completion tracking, escalation for overdue responses, and storage of signed acknowledgment records. Acknowledgments are required at onboarding and annually thereafter, with records retained to support audit evidence. | Done |
| PR20 | SaaS Data Retention and Disposal | Defines how retention periods are applied to Phase2-managed data across SaaS platforms, including verification of vendor-side retention configurations and execution of authorized disposal at end of retention. | Done |
| PR21 | Breach Notification and External Reporting | Defines the escalation process from confirmed breach identification to external notification, covering covered-entity notification timelines, HHS reporting obligations, and media notification thresholds under HIPAA. | Done |
| PR22 | Vulnerability Management Procedure | Defines how vulnerabilities are identified through scanning, prioritized by severity tier, assigned to owners, and tracked to remediation within defined SLAs; covers both endpoint patch compliance and dependency vulnerability management in the CI/CD pipeline. | Done |
| PR23 | AI Risk Assessment Procedure | Describes how AI-specific risk assessments are conducted for each AI system in scope, including identification of AI-specific risk factors (bias, hallucination, adversarial vulnerability, harmful outputs), integration into the organizational risk register, treatment decision documentation, and annual review cadence. | Done |
| PR24 | AI System Onboarding, Lifecycle and Validation Procedure | Defines the process for evaluating, approving, and managing AI systems used by Phase2 or integrated into client deliverables. Covers the AI intake review—risk classification, data handling assessment, and stakeholder approval before deployment. Addresses ongoing lifecycle management including monitoring, periodic re-evaluation, and decommissioning. Incorporates AI validation and testing requirements: pre-deployment testing for accuracy, bias, safety, and adversarial robustness; documentation of test methodologies and results; and criteria for acceptable performance thresholds before AI systems enter production. | Done |
| PR25 | AI Monitoring and Governance Review Procedure | Defines how deployed AI systems are monitored for performance degradation, drift, safety threshold adherence, and anomalous behavior. Covers monitoring cadence by risk tier, alert review and escalation, finding documentation, and integration with the annual AI governance management review. | Done |
| PR26 | Background Screening Procedure | Defines the pre-employment and periodic background screening process for employees and contractors with access to company systems or sensitive data, including identity verification, criminal background checks, and employment history review. Screening must be completed prior to granting system access. | Not Started |