OP.EXT.2 Gestión diaria
☑️Aplicación de la medida
De acuerdo al ANEXO II, 2 Selección de medidas de seguridad, la medida de seguridad OP.EXT.2 Gestión diaria sí aplica dada la categoría de seguridad del sistema.
Documentos de referencia
- ISO/IEC 27000:
- 27002:2013:
- 15.2.1 - Monitoring and review of supplier services
- 15.2.2 - Managing changes to supplier services
- 27002:2013:
- NIST SP 800-53 rev4:
- [SA-9] External Information System Services
- [CA-7] Continuous Monitoring
- Otras referencias:
- FDA Cybersecurity in Medical Devices: Supply Chain Considerations
- ISO 13485:2016 - Supplier monitoring requirements
Guía de implantación
- Se establecerán los mecanismos necesarios para la supervisión diaria de los servicios prestados por terceros y el control del cumplimiento de los acuerdos establecidos.
Incluirá al menos:
- Procedimientos de supervisión de los servicios externalizados
- Procedimientos de gestión de incidentes con terceros
- Procedimientos de gestión de cambios en servicios externalizados
- Mecanismos de comunicación y coordinación con proveedores
Implementación en Legit Health Plus
1. Marco de supervisión diaria
La supervisión diaria de servicios externos críticos para Legit Health Plus requiere monitorización continua, alertas proactivas y respuesta coordinada para mantener la continuidad del servicio de diagnóstico médico.
1.1 Dashboard de supervisión de proveedores
class DailySupplierMonitoring:
def __init__(self):
self.critical_suppliers = [
'aws_infrastructure',
'crowdstrike_security',
'notified_body_certification',
'legal_compliance_firm'
]
self.monitoring_metrics = {}
self.alert_thresholds = self.load_alert_thresholds()
def generate_daily_supplier_report(self):
"""Genera reporte diario de estado de proveedores críticos"""
report = {
'date': datetime.now().date(),
'overall_status': 'GREEN',
'supplier_status': {},
'alerts': [],
'recommendations': []
}
for supplier in self.critical_suppliers:
supplier_metrics = self.collect_supplier_metrics(supplier)
supplier_status = self.evaluate_supplier_status(supplier, supplier_metrics)
report['supplier_status'][supplier] = supplier_status
# Generar alertas si es necesario
if supplier_status['health_score'] < 8.0:
report['alerts'].append({
'supplier': supplier,
'severity': 'HIGH' if supplier_status['health_score'] < 6.0 else 'MEDIUM',
'description': supplier_status['issues'],
'recommended_action': supplier_status['recommended_action']
})
# Actualizar estado general
if supplier_status['health_score'] < 7.0:
report['overall_status'] = 'YELLOW' if report['overall_status'] == 'GREEN' else 'RED'
# Distribuir reporte
self.distribute_daily_report(report)
return report
def collect_supplier_metrics(self, supplier_id):
"""Recolecta métricas diarias del proveedor"""
if supplier_id == 'aws_infrastructure':
return self.collect_aws_metrics()
elif supplier_id == 'crowdstrike_security':
return self.collect_security_metrics()
# ... otros proveedores
def collect_aws_metrics(self):
"""Métricas específicas de AWS para servicios médicos"""
import boto3
cloudwatch = boto3.client('cloudwatch')
metrics = {
'ec2_health': self.get_ec2_instance_health(),
'rds_performance': self.get_rds_performance_metrics(),
's3_availability': self.get_s3_bucket_metrics(),
'api_latency': self.get_api_gateway_latency(),
'cost_variance': self.get_cost_anomaly_detection()
}
return metrics
2. Monitorización continua por categoría
2.1 Infraestructura cloud (AWS)
AWS_Daily_Monitoring:
Health_Checks:
- "EC2 instance status checks"
- "RDS database connectivity and performance"
- "S3 bucket availability and access"
- "CloudFront distribution health"
- "VPC network connectivity"
Performance_Metrics:
- "API Gateway latency (< 2 seconds P95)"
- "Database query performance (< 100ms average)"
- "Storage IOPS utilization (< 80%)"
- "Network throughput monitoring"
- "CPU/Memory utilization trends"
Security_Monitoring:
- "CloudTrail log analysis"
- "GuardDuty threat detection"
- "Config compliance checks"
- "IAM policy changes review"
- "Security group modifications"
Cost_Management:
- "Daily spend vs. budget"
- "Resource utilization efficiency"
- "Reserved instance optimization"
- "Unused resource identification"
2.2 Ciberseguridad (CrowdStrike)
Security_Daily_Monitoring:
Endpoint_Protection:
- "Agent health status (>= 99% online)"
- "Threat detections and responses"
- "Policy compliance across endpoints"
- "Update status and version consistency"
Threat_Intelligence:
- "New threat indicators received"
- "Hunting query results"
- "Behavioral analysis alerts"
- "Custom IOC matching"
Incident_Response:
- "Open security incidents status"
- "Response time metrics"
- "Containment effectiveness"
- "Forensic data collection status"
3. Procedimientos de escalado y comunicación
3.1 Matriz de escalado por severidad
Escalation_Matrix:
Severity_1_Critical:
Definition: "Service affecting patient diagnosis capability"
Initial_Response: "15 minutes"
Escalation_Path:
- "0 min: Supplier technical contact + our DevOps Lead"
- "15 min: Supplier Account Manager + our CTO"
- "30 min: Supplier Senior Management + our CEO"
- "60 min: Legal involvement + contract review"
Severity_2_High:
Definition: "Performance degradation >20% or security concern"
Initial_Response: "1 hour"
Escalation_Path:
- "0 min: Supplier support team + our technical team"
- "4 hours: Supplier management + our management"
- "24 hours: Contract review if not resolved"
Severity_3_Medium:
Definition: "Non-critical issues or minor performance impact"
Initial_Response: "4 hours"
Escalation_Path:
- "0 min: Standard support channels"
- "48 hours: Management notification if not resolved"
3.2 Scripts de comunicación automatizada
class SupplierCommunicationManager:
def __init__(self):
self.communication_channels = {
'aws': {
'primary': 'enterprise_support_portal',
'emergency': '+1-206-266-4064',
'account_manager': 'aws-tam@amazon.com'
},
'crowdstrike': {
'primary': 'support_portal',
'emergency': '1-855-840-9073',
'technical': 'tech-support@crowdstrike.com'
}
}
def initiate_supplier_incident(self, supplier, severity, description):
"""Inicia comunicación de incidente con proveedor"""
incident_data = {
'timestamp': datetime.now().isoformat(),
'supplier': supplier,
'severity': severity,
'description': description,
'contact_info': self.communication_channels[supplier],
'legit_health_incident_id': self.generate_incident_id()
}
# Crear caso en el sistema del proveedor
if supplier == 'aws':
case_id = self.create_aws_support_case(incident_data)
elif supplier == 'crowdstrike':
case_id = self.create_crowdstrike_ticket(incident_data)
# Notificar internamente
self.notify_internal_team(incident_data, case_id)
# Programar seguimiento automático
self.schedule_followup(incident_data, case_id)
return {
'internal_incident_id': incident_data['legit_health_incident_id'],
'supplier_case_id': case_id,
'status': 'initiated'
}
def create_aws_support_case(self, incident_data):
"""Crea caso de soporte en AWS"""
import boto3
support = boto3.client('support', region_name='us-east-1')
case_attributes = {
'subject': f"Medical Device Critical Issue - {incident_data['description'][:50]}",
'serviceCode': 'amazon-ec2' if 'ec2' in incident_data['description'].lower() else 'general-info',
'severityCode': 'critical' if incident_data['severity'] == 'Severity_1' else 'high',
'categoryCode': 'technical',
'communicationBody': f"""
Legit Health Plus Medical Device Emergency
Internal Incident ID: {incident_data['legit_health_incident_id']}
Severity: {incident_data['severity']}
Description:
{incident_data['description']}
Impact: This issue affects our Class IIa medical device providing dermatological diagnosis.
Patient safety may be impacted if not resolved quickly.
Required Response Time: {self.get_required_response_time(incident_data['severity'])}
Technical Contact: DevOps Team - devops@legit.health
Medical Contact: CMO - alfonso@legit.health
"""
}
response = support.create_case(**case_attributes)
return response['caseId']
4. Gestión de cambios en servicios externos
4.1 Proceso de notificación de cambios
Change_Management_Process:
Notification_Requirements:
Critical_Changes:
- "90 days advance notice minimum"
- "Detailed impact assessment required"
- "Mitigation plan mandatory"
- "Rollback procedure documented"
Standard_Changes:
- "30 days advance notice"
- "Basic impact assessment"
- "Change window coordination"
Emergency_Changes:
- "Immediate notification"
- "Post-change impact assessment"
- "Expedited approval process"
Approval_Workflow:
Technical_Review:
- "DevOps Team assessment"
- "Security impact evaluation"
- "Performance impact analysis"
Medical_Review:
- "CMO approval for clinical impact"
- "Patient safety assessment"
- "Regulatory compliance review"
Management_Approval:
- "CTO sign-off for technical changes"
- "CEO approval for high-risk changes"
4.2 Tracking de cambios de proveedores
class SupplierChangeTracker:
def __init__(self):
self.change_database = SupplierChangeDB()
self.approval_workflow = ChangeApprovalWorkflow()
self.notification_system = NotificationSystem()
def process_supplier_change_notification(self, change_data):
"""Procesa notificación de cambio de proveedor"""
change_record = {
'change_id': self.generate_change_id(),
'supplier': change_data['supplier'],
'change_type': change_data['type'],
'description': change_data['description'],
'proposed_date': change_data['proposed_implementation_date'],
'impact_assessment': self.assess_change_impact(change_data),
'approval_status': 'pending',
'stakeholder_notifications': []
}
# Evaluar impacto
impact = self.assess_change_impact(change_data)
change_record['impact_level'] = impact['level']
# Iniciar flujo de aprobación
if impact['level'] == 'HIGH' or impact['affects_patient_safety']:
self.initiate_high_impact_approval(change_record)
else:
self.initiate_standard_approval(change_record)
# Guardar en base de datos
self.change_database.save_change_record(change_record)
return change_record
def assess_change_impact(self, change_data):
"""Evalua el impacto de un cambio de proveedor"""
impact_factors = {
'affects_diagnosis_service': False,
'affects_patient_data': False,
'affects_security': False,
'affects_compliance': False,
'requires_downtime': False
}
# Analizar descripción del cambio
description_lower = change_data['description'].lower()
if any(keyword in description_lower for keyword in ['database', 'api', 'compute', 'network']):
impact_factors['affects_diagnosis_service'] = True
if any(keyword in description_lower for keyword in ['encryption', 'security', 'authentication']):
impact_factors['affects_security'] = True
# Calcular nivel de impacto
high_impact_factors = sum(1 for factor in impact_factors.values() if factor)
if high_impact_factors >= 3:
impact_level = 'HIGH'
elif high_impact_factors >= 1:
impact_level = 'MEDIUM'
else:
impact_level = 'LOW'
return {
'level': impact_level,
'factors': impact_factors,
'affects_patient_safety': impact_factors['affects_diagnosis_service'] or impact_factors['affects_patient_data'],
'recommended_actions': self.generate_impact_recommendations(impact_factors)
}
5. Reportes y métricas diarias
5.1 Dashboard ejecutivo de proveedores
Executive_Supplier_Dashboard:
Daily_KPIs:
Overall_Supplier_Health:
- "Green: 95%+ suppliers meeting SLA"
- "Yellow: 85-94% suppliers meeting SLA"
- "Red: <85% suppliers meeting SLA"
Critical_Services_Status:
- "Infrastructure uptime: 99.99% target"
- "Security service effectiveness: >90%"
- "Compliance status: 100% target"
Financial_Impact:
- "SLA credits earned this month"
- "Cost variance vs. budget"
- "ROI of supplier relationships"
Weekly_Trends:
- "Supplier performance trending"
- "Incident volume by supplier"
- "Response time improvements"
- "New risks or opportunities identified"
5.2 Automated reporting
class DailySupplierReportGenerator:
def generate_executive_summary(self):
"""Genera resumen ejecutivo diario"""
summary = {
'date': datetime.now().date(),
'overall_status': self.calculate_overall_supplier_status(),
'critical_issues': self.identify_critical_issues(),
'sla_performance': self.calculate_sla_performance(),
'cost_impact': self.calculate_cost_impact(),
'upcoming_changes': self.get_upcoming_supplier_changes(),
'recommendations': self.generate_recommendations()
}
# Generar reporte HTML
html_report = self.format_html_report(summary)
# Enviar por email a stakeholders
self.send_executive_email(html_report, summary['overall_status'])
# Actualizar dashboard
self.update_realtime_dashboard(summary)
return summary
6. Integración con gestión de incidentes
6.1 Workflow de incidentes con proveedores
7. Métricas de rendimiento
7.1 KPIs de gestión diaria
Daily_Management_KPIs:
Responsiveness:
- "Average supplier response time to incidents: < 15 min (critical)"
- "First contact resolution rate: > 60%"
- "Escalation rate: < 10% of total incidents"
Quality:
- "SLA compliance rate: > 98%"
- "Customer satisfaction with supplier management: > 4.5/5"
- "Proactive issue identification rate: > 70%"
Efficiency:
- "Cost per incident managed: trending down"
- "Time spent on supplier management: < 20% of IT time"
- "Automation rate of routine tasks: > 80%"
8. Referencias cruzadas
- OP.EXT.1: SLA y contratos base para gestión diaria
- OP.EXT.3: Protección de cadena de suministro
- OP.EXP.7: Integración con gestión de incidentes interno
- OP.MON.2: Métricas de proveedores integradas en sistema general
- T-024-008: Procedimiento de gestión diaria de terceros
Signature meaning
The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:
- Author: Team members involved
- Reviewer: JD-003, JD-004
- Approver: JD-001