I am looking for a checklist for the key points for a secure design for a system based in the UK dealing with UK data that does the following:
1. Allows third-party companies (CO) to store very sensitive (medical) information about their customers.
2. Provides a web interface for supervisors from CO to access, read and modify that data, which is owned by CO. This web interface is to be accessed by the public internet. Data is held in a relational database.
3. The system is provided under a SaaS model and hosted in its entirety by a hosting service.
4. Retains (for compliance, auditing and disaster contingency) an audit trail of the stored data as text documents.
I have tried to be deliberately simple in the description.
Separately, does this position vary significantly for the USA?
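Points 2 and 4 of the question (tenant-owned data exposed through a web interface, and an audit trail kept as text documents) are the ones where a concrete design decision is easiest to get wrong. As an added illustration, not the asker's system and not any vendor's code, the block below shows a tamper-evident, tenant-scoped audit trail written as JSON Lines with SHA-256 hash chaining. The format, field names, tenant identifiers and timestamps are all constructed for the example; the property being demonstrated is that any later edit or deletion of a stored line is detected when the chain is re-verified.

```python
"""Tamper-evident, per-tenant audit trail kept as a text (JSON Lines) document.

Added example, not the asker's system and not any product's code. Assumptions,
all hypothetical: one JSON object per line, SHA-256 hash chaining, and the
record fields shown below.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64  # chain anchor for the first record


def _canonical(obj) -> bytes:
    # Deterministic serialisation so the same record always hashes the same.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_hash(prev_hash: str, record: dict) -> str:
    """Hash of this record bound to the hash of the previous one."""
    return hashlib.sha256(prev_hash.encode("ascii") + b"\n" + _canonical(record)).hexdigest()


class AuditTrail:
    """Append-only log: each line is {"prev": ..., "record": {...}, "hash": ...}."""

    def __init__(self) -> None:
        self.lines: list = []
        self.last_hash = GENESIS_HASH

    def append(self, tenant: str, actor: str, action: str, record_id: str,
               detail: dict, ts: Optional[str] = None) -> str:
        record = {
            "seq": len(self.lines),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "tenant": tenant,        # the data-owning company (CO)
            "actor": actor,          # supervisor account that acted
            "action": action,        # e.g. read / update
            "record_id": record_id,  # which customer record was touched
            "detail": detail,        # what changed; never the raw medical payload
        }
        h = record_hash(self.last_hash, record)
        self.lines.append(json.dumps({"prev": self.last_hash, "record": record, "hash": h},
                                     sort_keys=True))
        self.last_hash = h
        return h


def verify_trail(lines: list) -> tuple:
    """Re-walk the chain. Returns (True, None) or (False, index of first bad line)."""
    prev = GENESIS_HASH
    for i, line in enumerate(lines):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            return False, i
        if entry.get("prev") != prev or entry.get("record", {}).get("seq") != i:
            return False, i  # a line was removed, reordered or inserted
        if record_hash(prev, entry["record"]) != entry.get("hash"):
            return False, i  # the record content was altered after writing
        prev = entry["hash"]
    return True, None


def entries_for_tenant(lines: list, tenant: str) -> list:
    """Tenant-scoped view: a supervisor from CO must only ever see CO's own trail."""
    records = [json.loads(line)["record"] for line in lines]
    return [r for r in records if r["tenant"] == tenant]


def build_sample_trail() -> AuditTrail:
    # Constructed sample activity for two tenants; timestamps fixed for reproducibility.
    trail = AuditTrail()
    trail.append("co-alpha", "sup-01", "read", "pt-1001", {}, ts="2024-01-01T09:00:00+00:00")
    trail.append("co-alpha", "sup-01", "update", "pt-1001",
                 {"field": "allergies", "before": "none", "after": "penicillin"},
                 ts="2024-01-01T09:05:00+00:00")
    trail.append("co-beta", "sup-07", "read", "pt-2002", {}, ts="2024-01-01T10:00:00+00:00")
    return trail


def tampered_copy(lines: list, index: int) -> list:
    # Simulate an after-the-fact edit of one stored line (what an auditor must be able to detect).
    copy = list(lines)
    entry = json.loads(copy[index])
    entry["record"]["detail"] = {"field": "allergies", "before": "none", "after": "none"}
    copy[index] = json.dumps(entry, sort_keys=True)
    return copy


if __name__ == "__main__":
    t = build_sample_trail()
    print("intact: ", verify_trail(t.lines))                    # (True, None)
    print("edited: ", verify_trail(tampered_copy(t.lines, 1)))  # (False, 1)
    print("deleted:", verify_trail(t.lines[:1] + t.lines[2:]))  # (False, 1)
    print("co-alpha sees", len(entries_for_tenant(t.lines, "co-alpha")), "records")
```

The chain makes edits, deletions and reordering detectable by anyone holding the file, but it does not stop someone with write access to the whole document from rebuilding the chain from scratch; for the compliance and disaster-contingency use in point 4 the current head hash should therefore be anchored somewhere the web tier cannot write (write-once storage, a signed periodic export, or a separate log host). Keeping the raw medical payload out of the trail, as the `detail` field does here, limits what a copied audit document exposes.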