
HIPAA Security Rule Compliance Checklist

Columns: HIPAA Citation | HIPAA Security Rule Standard / Implementation Specification | Implementation | Requirement Description | Solution

Compliance Rating Percent, Risk Percent and Planned Start Days carry the same values on every rated row (from 164.308(a)(1)(i) onward): 100, 60 and 90; three rows in the 164.310(d) to 164.316 block carry Planned Start values of N/A, 180 and 30 instead. The five general-rule rows (164.306) are not rated.

SECURITY STANDARDS: GENERAL RULES
164.306(a) | Ensure Confidentiality, Integrity and Availability | - | Ensure CIA and protect against threats | -
164.306(b) | Flexibility of Approach | - | Reasonably consider factors in security compliance | -
164.306(c) | Standards | - | CEs must comply with standards | -
164.306(d) | Implementation Specifications | - | Required and Addressable Implementation Specification requirements | -
164.306(e) | Maintenance | - | Ongoing review and modification of security measures | -

ADMINISTRATIVE SAFEGUARDS
164.308(a)(1)(i) | Security Management Process | - | P&P to manage security violations | P&P
164.308(a)(1)(ii)(A) | Risk Analysis | Required | Conduct vulnerability assessment | Assessment
164.308(a)(1)(ii)(B) | Risk Management | Required | Implement security measures to reduce risk of security breaches | Measures
164.308(a)(1)(ii)(C) | Sanction Policy | Required | Worker sanction for P&P violations | P&P
164.308(a)(1)(ii)(D) | Information System Activity Review | Required | Procedures to review system activity | Procedures
164.308(a)(2) | Assigned Security Responsibility | - | Identify security official responsible for P&P | Assignment
164.308(a)(3)(i) | Workforce Security | - | Implement P&P to ensure appropriate PHI access | P&P
164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable | Authorization/supervision for PHI access | Procedures
164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable | Procedures to ensure appropriate PHI access | Procedures
164.308(a)(3)(ii)(C) | Termination Procedures | Addressable | Procedures to terminate PHI access | Procedures
164.308(a)(4)(i) | Information Access Management | - | P&P to authorize access to PHI | P&P
164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | Required | P&P to separate PHI from other operations | P&P
164.308(a)(4)(ii)(B) | Access Authorization | Addressable | P&P to authorize access to PHI | P&P
164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable | P&P to grant access to PHI | P&P
164.308(a)(5)(i) | Security Awareness Training | - | Training program for workers and managers | Program
164.308(a)(5)(ii)(A) | Security Reminders | Addressable | Distribute periodic security updates | Reminders
164.308(a)(5)(ii)(B) | Protection from Malicious Software | Addressable | Procedures to guard against malicious software | Procedures
164.308(a)(5)(ii)(C) | Log-in Monitoring | Addressable | Procedures and monitoring of log-in attempts | Procedures
164.308(a)(5)(ii)(D) | Password Management | Addressable | Procedures for password management | Procedures
164.308(a)(6)(i) | Security Incident Procedures | - | P&P to manage security incidents | P&P
164.308(a)(6)(ii) | Response and Reporting | Required | Mitigate and document security incidents | Measures
164.308(a)(7)(i) | Contingency Plan | - | Emergency response P&P | P&P
164.308(a)(7)(ii)(A) | Data Backup Plan | Required | Data backup planning & procedures | Procedures
164.308(a)(7)(ii)(B) | Disaster Recovery Plan | Required | Data recovery planning & procedures | Procedures
164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Required | Business continuity procedures | Procedures
164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Addressable | Contingency planning periodic testing procedures | Procedures
164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Addressable | Prioritize data and system criticality for contingency planning | Analysis
164.308(a)(8) | Evaluation | - | Periodic security evaluation | Evaluation
164.308(b)(1) | Business Associate Contracts and Other Arrangements | - | CE implement BACs to ensure safeguards | Contracts
164.308(b)(4) | Written Contract | Required | Implement compliant BACs | -

PHYSICAL SAFEGUARDS
164.310(a)(1) | Facility Access Controls | - | P&P to limit access to systems and facilities | P&P
164.310(a)(2)(i) | Contingency Operations | Addressable | Procedures to support emergency operations and recovery | Procedures
164.310(a)(2)(ii) | Facility Security Plan | Addressable | P&P to safeguard equipment and facilities | P&P
164.310(a)(2)(iii) | Access Control Validation Procedures | Addressable | Facility access procedures for personnel | Procedures
164.310(a)(2)(iv) | Maintenance Records | Addressable | P&P to document security-related repairs and modifications | P&P
164.310(b) | Workstation Use | - | P&P to specify workstation environment & use | P&P
164.310(c) | Workstation Security | - | Physical safeguards for workstation access | Controls
164.310(d)(1) | Device and Media Controls | - | P&P to govern receipt and removal of hardware and media | P&P
164.310(d)(2)(i) | Disposal | Required | P&P to manage media and equipment disposal | P&P
164.310(d)(2)(ii) | Media Re-use | Required | P&P to remove PHI from media and equipment | P&P
164.310(d)(2)(iii) | Accountability | Addressable | Document hardware and media movement | Documentation
164.310(d)(2)(iv) | Data Backup and Storage | Addressable | Backup PHI before moving equipment | Procedures

TECHNICAL SAFEGUARDS
164.312(a)(1) | Access Control | - | Technical (administrative) P&P to manage PHI access | P&P
164.312(a)(2)(i) | Unique User Identification | Required | Assign unique IDs to support tracking | Procedures
164.312(a)(2)(ii) | Emergency Access Procedure | Required | Procedures to support emergency access | Procedures
164.312(a)(2)(iii) | Automatic Logoff | Addressable | Session termination mechanisms | Mechanism
164.312(a)(2)(iv) | Encryption and Decryption | Addressable | Mechanism for encryption of stored PHI | Mechanism
164.312(b) | Audit Controls | - | Procedures and mechanisms for monitoring system activity | Controls
164.312(c)(1) | Integrity | - | P&P to safeguard PHI unauthorized alteration | P&P
164.312(c)(2) | Mechanism to Authenticate Electronic Protected Health Information | Addressable | Mechanisms to corroborate PHI not altered | Mechanism
164.312(d) | Person or Entity Authentication | - | Procedures to verify identities | Procedures
164.312(e)(1) | Transmission Security | - | Measures to guard against unauthorized access to transmitted PHI | Controls
164.312(e)(2)(i) | Integrity Controls | Addressable | Measures to ensure integrity of PHI on transmission | Controls
164.312(e)(2)(ii) | Encryption | Addressable | Mechanism for encryption of transmitted PHI | Mechanism

ORGANIZATIONAL REQUIREMENTS
164.314(a)(1) | Business Associate Contracts or Other Arrangements | - | CE must ensure BA safeguards PHI | Process
164.314(a)(2) | Business Associate Contracts | Required | BACs must contain security language | Contracts
164.314(b)(1) | Requirements for Group Health Plans | - | Plan documents must reflect security safeguards | Plan Doc
164.314(b)(2)(i) | Implement Safeguards | Required | Plan sponsor to implement safeguards as appropriate | P&P
164.314(b)(2)(ii) | Ensure Adequate Separation | Required | Security measures to separate PHI from plan sponsor and plan | P&P
164.314(b)(2)(iii) | Ensure Agents Safeguard | Required | Ensure subcontractors safeguard PHI | Contracts
164.314(b)(2)(iv) | Report Security Incidents | Required | Plan sponsors report breaches to health plan | Process
164.316(a) | Policies and Procedures | - | P&P to ensure safeguards to PHI | P&P
164.316(b)(1) | Documentation | Required | Document P&P and actions & activities | Documentation
164.316(b)(2)(i) | Time Limit | Required | Retain documentation for 6 years | Procedures
164.316(b)(2)(ii) | Availability | Required | Documentation available to system administrators | Procedures
164.316(b)(2)(iii) | Updates | Required | Periodic review and updates to changing needs | Process

Scoring summary

Compliance Rating (score value): Excellent - Fully HIPAA Compliant for policy and practice (100); Good - Partially HIPAA Compliant for policy or practice (75); Fair - Minimally HIPAA Compliant for policy or practice (50); Poor - Not HIPAA Compliant for policy or practice (25); N/A - Not apply.
Score: Excellent 66 (100.0%); Good 0 (0.0%); Fair 0 (0.0%); Poor 0 (0.0%); N/A 0; Effective Total (less N/A) 66 (100.0%).

Risk Rating: High (80% or Higher) 0 (0.0%); Medium (50% to 80%) 66 (100.0%); Low (20% to 50%) 0 (0.0%); Minimal (20% or LESS) 0 (0.0%).

Urgency Rating: 30 Days - Now (High Risk and High Urgency) 1 (1.5%); 90 Days - Soon (Low Risk and High Urgency) 63 (95.5%); 180 Days - Later (High Risk and Low Urgency) 1 (1.5%); Not applicable - No action required / Done 1 (1.5%); Total 66 (100.0%).

Columns: Full Regulatory Text | Finding | Rating Criteria | Impact & Analysis | Risk | Recommendation


HIPAA Security Rule Responsibility Matrix

Columns: HIPAA Citation | HIPAA Security Rule Standard / Implementation Specification | Privacy Officer / Compliance Office | Security Officer / IT Managers | Network or System Administrator | DB Administrator / Developer | Help Desk or Tech Support | Facilities Managers
164.306(a) Ensure Confidentiality, Integrity and Availability; 164.306(b) Flexibility of Approach; 164.306(c) Standards; 164.306(d) Implementation Specifications; 164.306(e) Maintenance; ADMINISTRATIVE SAFEGUARDS: 164.308(a)(1)(i) Security Management Process; 164.308(a)(1)(ii)(A) Risk Analysis; 164.308(a)(1)(ii)(B) Risk Management; 164.308(a)(1)(ii)(C) Sanction Policy; 164.308(a)(1)(ii)(D) Information System Activity Review; 164.308(a)(2) Assigned Security Responsibility; 164.308(a)(3)(i) Workforce Security; 164.308(a)(3)(ii)(A) Authorization and/or Supervision; 164.308(a)(3)(ii)(B) Workforce Clearance Procedure; 164.308(a)(3)(ii)(C) Termination Procedures; 164.308(a)(4)(i) Information Access Management; 164.308(a)(4)(ii)(A) Isolation Health Clearinghouse Functions; 164.308(a)(4)(ii)(B) Access Authorization; 164.308(a)(4)(ii)(C) Access Establishment and Modification; 164.308(a)(5)(i) Security Awareness Training; 164.308(a)(5)(ii)(A) Security Reminders; 164.308(a)(5)(ii)(B) Protection from Malicious Software; 164.308(a)(5)(ii)(C) Log-in Monitoring; 164.308(a)(5)(ii)(D) Password Management; 164.308(a)(6)(i) Security Incident Procedures; 164.308(a)(6)(ii) Response and Reporting; 164.308(a)(7)(i) Contingency Plan; 164.308(a)(7)(ii)(A) Data Backup Plan; 164.308(a)(7)(ii)(B) Disaster Recovery Plan; 164.308(a)(7)(ii)(C) Emergency Mode Operation Plan; 164.308(a)(7)(ii)(D) Testing and Revision Procedures; 164.308(a)(7)(ii)(E) Applications and Data Criticality Analysis; 164.308(a)(8) Evaluation; 164.308(b)(1) Business Associate Contracts and Other Arrangements; 164.308(b)(4) Written Contract; PHYSICAL SAFEGUARDS: 164.310(a)(1) Facility Access Controls; 164.310(a)(2)(i) Contingency Operations; 164.310(a)(2)(ii) Facility Security Plan; 164.310(a)(2)(iii) Access Control Validation Procedures; 164.310(a)(2)(iv) Maintenance Records; 164.310(b) Workstation Use

Awareness Awareness Awareness

Notification Notification Notification Records

Policy Oversee Policy Policy Event Rept. Authority Policy Policy Policy Awareness

Procedures Assessment Procedures Management Event Rept. Manage Authorize Clearance Manage Awareness

Procedures Assessment Measures Sys Auditing

Procedures

Procedures Measures

Supervise

Awareness

Policy Job Desp

Manage Supervise Clearance Manage Awareness

Change Form

Change Form Sec. Training Sec. Training Sec. Training Sec. Training

Change Form

Awareness Awareness

Notification Notification

Incident Rep. Incident Rep. BCP Planning Planning Plan Policy Oversight Oversee Assessment Oversee Assessment BAC Mgmt.

Monitor Recovery

Incident Rep. Recovery

Monitor

Test. Proc. Assessment Assessment

Test. Proc.

Policy Notification Notification Notification

Policy Notification Notification Notification Sec. Training

Oversight Planning Mgmt. Oversight Sec. Training

164.310(c) Workstation Security; 164.310(d)(1) Device and Media Controls; 164.310(d)(2)(i) Disposal; 164.310(d)(2)(ii) Media Re-use; 164.310(d)(2)(iii) Accountability; 164.310(d)(2)(iv) Data Backup and Storage; TECHNICAL SAFEGUARDS: 164.312(a)(1) Access Control; 164.312(a)(2)(i) Unique User Identification; 164.312(a)(2)(ii) Emergency Access Procedure; 164.312(a)(2)(iii) Automatic Logoff; 164.312(a)(2)(iv) Encryption and Decryption; 164.312(b) Audit Controls; 164.312(c)(1) Integrity; 164.312(c)(2) Mechanism to Authenticate Electronic Protected Health Information; 164.312(d) Person or Entity Authentication; 164.312(e)(1) Transmission Security; 164.312(e)(2)(i) Integrity Controls; 164.312(e)(2)(ii) Encryption; ORGANIZATIONAL REQUIREMENTS: 164.314(a)(1) Business Associate Contracts or Other Arrangements; 164.314(a)(2) Business Associate Contracts; 164.314(b)(1) Requirements for Group Health Plans; 164.314(b)(2)(i) Implement Safeguards; 164.314(b)(2)(ii) Ensure Adequate Separation; 164.314(b)(2)(iii) Ensure Agents Safeguard; 164.314(b)(2)(iv) Report Security Incidents; 164.316(a) Policies and Procedures; 164.316(b)(1) Documentation; 164.316(b)(2)(i) Time Limit; 164.316(b)(2)(ii) Availability; 164.316(b)(2)(iii) Updates

Sec. Training Sec. Training Sec. Training Sec. Training Sec. Training Notification Oversight Mgmt. Administration Administration

Sec. Training Sec. Training Sec. Training Sec. Training Sec. Training Mgmt.

Notification Notification Notification

Awareness Awareness

Policy Oversight

Policy Policy Policy Policy Policy Plan Policy Policy Policy Policy Oversight

Mgmt. Mgmt. Mgmt. Mgmt. Mgmt. Mgmt. Mgmt. Mgmt. Mgmt. Mgmt. Mgmt.

Administration Administration Administration Administration Administration Administration Administration Administration Administration Administration Administration

Sec. Training Administration Sec. Training

Sec. Training Mgmt. Sec. Training

Administration

Sec. Training

Sec. Training

Awareness

Notification Policy

Oversight Procedures

Mgmt. Mgmt.

Administration

End Users with PHI Access

Human Resources

Implementation | Requirement Description

Required Required

Ensure CIA and protect against threats; Reasonably consider factors in security compliance; CEs must comply with standards; Required and Addressable Implementation Specification requirements; Ongoing review and modification of security measures; P&P to manage security violations; Conduct vulnerability assessment; Implement security measures to reduce risk of security breaches; Worker sanction for P&P violations; Procedures to review system activity; Identify security official responsible for P&P; Implement P&P to ensure appropriate PHI access; Authorization/supervision for PHI access; Procedures to ensure appropriate PHI access; Procedures to terminate PHI access; P&P to authorize access to PHI; P&P to separate PHI from other operations; P&P to authorize access to PHI; P&P to grant access to PHI; Training program for workers and managers; Distribute periodic security updates; Procedures to guard against malicious software; Procedures and monitoring of log-in attempts; Procedures for password management; P&P to manage security incidents; Mitigate and document security incidents; Emergency response P&P; Data backup planning & procedures; Data recovery planning & procedures; Business continuity procedures; Contingency planning periodic testing procedures; Prioritize data and system criticality for contingency planning; Periodic security evaluation; CE implement BACs to ensure safeguards; Implement compliant BACs; P&P to limit access to systems and facilities; Procedures to support emergency operations and recovery; P&P to safeguard equipment and facilities; Facility access procedures for personnel; P&P to document security-related repairs and modifications; P&P to specify workstation environment & use

Records

Required Required Addressable Addressable

Procedures Awareness

Addressable Required Addressable Addressable -

Sec. Training Sec. Training Sec. Training Sec. Training Incident Rep.

Addressable Addressable Addressable Addressable Required Required Required Required Addressable Addressable Required Addressable Addressable Addressable Addressable

Sec. Training

Sec. Training Sec. Training Sec. Training Sec. Training Sec. Training

Required Required Addressable Addressable -

Physical safeguards for workstation access P&P to govern receipt and removal of hardware and media P&P to manage media and equipment disposal P&P to remove PHI from media and equipment Document hardware and media movement Backup PHI before moving equipment Technical (administrative) P&P to manage PHI access Assign unique IDs to support tracking Procedures to support emergency access Session termination mechanisms Mechanism for encryption of stored PHI Procedures and mechanisms for monitoring system activity P&P to safeguard PHI unauthorized alteration Mechanisms to corroborate PHI not altered Procedures to verify identities Measures to guard against unauthorized access to transmitted PHI Measures to ensure integrity of PHI on transmission Mechanism for encryption of transmitted PHI CE must ensure BA safeguards PHI BACs must contain security language Plan documents must reflect security safeguards Plan sponsor to implement safeguards as appropriate Security measures to separate PHI from plan sponsor and plan Ensure subcontractors safeguard PHI Plan sponsors report breaches to health plan P&P to ensure safeguards to PHI Document P&P and actions & activities Retain documentation for 6 years Documentation available to system administrators Periodic review and updates to changing needs

Sec. Training Awareness Sec. Training

Required Required Addressable Addressable Addressable Addressable

Sec. Training

Addressable Required Required Required Required Required Required Required Required Required

Full Regulatory Text

164.306(a) General requirements. Covered entities must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

164.306(b) Flexibility of approach. (1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.

164.306(c) Standards. A covered entity must comply with the standards as provided in this section and in 164.308, 164.310, 164.312, 164.314, and 164.316 with respect to all electronic protected health information.

164.306(d) Implementation specifications. In this subpart:

164.306(e) Maintenance. Security measures implemented to comply with standards and implementation specifications adopted under 164.105 and this subpart must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of electronic protected health information as described at 164.316.

164.308(a)(1)(i): Implement policies and procedures to prevent, detect, contain and correct security violations.

164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

164.308(a)(1)(ii)(B): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Sec 164.206(a).

164.308(a)(1)(ii)(C): Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

164.308(a)(1)(ii)(D): Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

164.308(a)(2): Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.

164.308(a)(3)(i): Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

164.308(a)(3)(ii)(A): Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

164.308(a)(3)(ii)(B): Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

164.308(a)(3)(ii)(C): Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.

164.308(a)(4)(i): Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

164.308(a)(4)(ii)(A): If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

164.308(a)(4)(ii)(B): Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process or other mechanism.

164.308(a)(4)(ii)(C): Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

164.308(a)(5)(i): Implement a security awareness and training program for all members of its workforce (including management).

164.308(a)(5)(ii)(A): Periodic security updates.

164.308(a)(5)(ii)(B): Procedures for guarding against, detecting, and reporting malicious software.

164.308(a)(5)(ii)(C): Procedures for monitoring log-in attempts and reporting discrepancies.

164.308(a)(5)(ii)(D): Procedures for creating, changing, and safeguarding passwords.

164.308(a)(6)(i): Implement policies and procedures to address security incidents.

164.308(a)(6)(ii): Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.

164.308(a)(7)(i): Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

164.308(a)(7)(ii)(A): Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

164.308(a)(7)(ii)(B): Establish (and implement as needed) procedures to restore loss of data.

164.308(a)(7)(ii)(C): Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

164.308(a)(7)(ii)(D): Implement procedures for periodic testing and revision of contingency plans.

164.308(a)(7)(ii)(E): Assess the relative criticality of specific applications and data in support of other contingency plan components.

164.308(a)(8): Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

164.308(b)(1): A covered entity, in accordance with 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with 164.314(a), that the business associate will appropriately safeguard the information.

164.308(b)(4): Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of 164.314(a).

164.310(a)(1): Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

164.310(a)(2)(i): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

164.310(a)(2)(ii): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

164.310(a)(2)(iii): Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

164.310(a)(2)(iv): Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (for example, hardware, walls, doors, and locks).

164.310(b): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

164.310(c): Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

164.310(d)(1): Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

164.310(d)(2)(i): Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

164.310(d)(2)(ii): Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

164.310(d)(2)(iii): Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

164.310(d)(2)(iv): Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

164.312(a)(1): Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in

164.312(a)(2)(i): Assign a unique name and/or number for identifying and tracking user identity.

164.312(a)(2)(ii): Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

164.312(a)(2)(iii): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

164.312(a)(2)(iv): Implement a mechanism to encrypt and decrypt electronic protected health information.

164.312(b): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

164.312(c)(1): Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

164.312(c)(2): Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

164.312(d): Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

164.312(e)(1): Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

164.312(e)(2)(i): Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

164.312(e)(2)(ii): Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

164.314(a)(1): (i) The contract or other arrangement between the covered entity and its business associate required by

164.314(a)(2): (i) Business associate contracts. The contract between a covered entity and a business associate must provide that the business associate will-(A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on

164.314(b)(1): Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to 164.504(f)(1)(ii) or (iii), or as authorized under 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.

164.314(b)(2)(i): The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to-(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on

164.314(b)(2)(ii): Ensure that the adequate separation required by 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;

164.314(b)(2)(iii): Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and

164.314(b)(2)(iv): Report to the group health plan any security incident of which it becomes aware.

164.316(a): A covered entity must, in accordance with 164.306: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its

164.316(b)(1): Documentation. (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and

164.316(b)(2)(i): Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

164.316(b)(2)(ii): Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.

164.316(b)(2)(iii): Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.

Applicable ISO 17799 Standard(s) / HIPAA Citation & References

HIPAA Citation | Standard / Implementation Specification | Implementation | Requirement Description | Applicable ISO 17799 Standard(s)

SECURITY STANDARDS: GENERAL RULES (Applicable ISO 17799 Standard(s): 12.1.4; 12.1.1, 10.1.1)
164.306(a) | Ensure Confidentiality, Integrity and Availability | Standard | Ensure CIA and protect against threats
164.306(b) | Flexibility of Approach | Standard | Reasonably consider factors in security compliance
164.306(c) | Standards | Standard | CEs must comply with standards
164.306(d) | Implementation Specifications | Standard | Required and Addressable Implementation Specification requirements
164.306(e) | Maintenance | Standard | Ongoing review and modification of security measures

ADMINISTRATIVE SAFEGUARDS
164.308(a)(1)(i) | Security Management Process | Standard | P&P to manage security violations | 10.1.1
164.308(a)(1)(ii)(A) | Risk Analysis | Required | Conduct vulnerability assessment | 7.1.5, 10.3.1, 10.2.3, 11.1.2, 9.4.1, 9.4.2, 3.1.2, 5.1.1, 6.3.4, 8.2.1, 9.4.3, 9.4.3, 9.4.5, 9.4.6, 9.4.7, 9.4.8, 9.4.9, 9.6.2, 10.1.1, 10.4.3
164.308(a)(1)(ii)(B) | Risk Management | Required | Implement security measures to reduce risk of security breaches | 6.3.4, 8.1.1, 4.1.2, 3.1.1, 3.1.2, 4.1.1, 5.1.1, 8.1.4, 8.2.1, 8.5.1, 8.6.4, 9.4.4-9.4.9, 9.6.2, 9.7.1, 10.1.1, 11.1.1, 10.4.3, 12.2.2, 12.1.9
164.308(a)(1)(ii)(C) | Sanction Policy | Required | Worker sanction for P&P violations | 6.3.5, 11.1.2
164.308(a)(1)(ii)(D) | Information System Activity Review | Required | Procedures to review system activity | 6.3.5, 9.7.1, 9.7.2, 12.2.1, 12.2.2, 12.3.1, 12.3.2, 6.3.4, 8.1.1, 8.2.2, 10.4.3, 10.5.4, 10.3.4, 10.5.1-10.5.5, 12.2.1, 12.1.5, 12.2.2
164.308(a)(2) | Assigned Security Responsibility | Required | Identify security official responsible for P&P | 3.1.2, 4.1.3, 4.1.5, 4.1.1, 4.1.2
164.308(a)(3)(i) | Workforce Security | Standard | Implement P&P to ensure appropriate PHI access | 9.6.1
164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable | Authorization/supervision for PHI access | 8.1.4, 9.2.1, 9.2.2, 9.4.2, 9.8.2, 10.4.3
164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable | Procedures to ensure appropriate PHI access | 6.1.2, 6.1.4
164.308(a)(3)(ii)(C) | Termination Procedures | Addressable | Procedures to terminate PHI access | 6.1.2, 6.1.4
164.308(a)(4)(i) | Information Access Management | Standard | P&P to authorize access to PHI | 9.6.1, 9.5.3, 9.2.2, 10.4.3
164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | Required | P&P to separate PHI from other operations | 4.2.1
164.308(a)(4)(ii)(B) | Access Authorization | Addressable | P&P to authorize access to PHI | 9.1.1, 9.2.2, 9.4.1, 9.6.2, 9.2.1, 8.1.4, 5.2.1
164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable | P&P to grant access to PHI | 8.1.4, 9.1.1, 9.2.2, 9.2.4, 9.4.1, 9.5.2, 9.5.3, 9.6.2, 8.6.4, 5.2.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 12.1.5
164.308(a)(5)(i) | Security Awareness Training | Standard | Training program for workers and managers | 6.2.1, 8.7.7, 9.2.1, 9.2.2, 9.3.2, 9.8.1, 8.7.7, 8.7.4, 12.1.5, 6.1.1, 6.1.3
164.308(a)(5)(ii)(A) | Security Reminders | Addressable | Distribute periodic security updates | 6.2.1, 9.3.2, 6.1.1, 6.1.3
164.308(a)(5)(ii)(B) | Protection from Malicious Software | Addressable | Procedures to guard against malicious software | 8.3.1, 8.7.4, 4.1.4, 10.4.1, 10.4.2, 10.5.1-10.5.5
164.308(a)(5)(ii)(C) | Log-in Monitoring | Addressable | Procedures and monitoring of log-in attempts | 8.4.2, 9.7.1, 9.7.2, 8.4.3
164.308(a)(5)(ii)(D) | Password Management | Addressable | Procedures for password management | 9.2.3, 9.3.1, 9.5.4
164.308(a)(6)(i) | Security Incident Procedures | Standard | P&P to manage security incidents | 8.1.3, 4.1.6
164.308(a)(6)(ii) | Response and Reporting | Required | Mitigate and document security incidents | 6.3.1, 6.3.2, 6.3.4, 8.1.3
164.308(a)(7)(i) | Contingency Plan | Standard | Emergency response P&P | 11.1.1, 8.6.3, 4.1.6, 8.1.2
164.308(a)(7)(ii)(A) | Data Backup Plan | Required | Data backup planning & procedures | 8.1.1, 8.4.1, 11.1.3, 11.1.2, 8.6.3
164.308(a)(7)(ii)(B) | Disaster Recovery Plan | Required | Data recovery planning & procedures | 11.1.3
164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Required | Business continuity procedures | 11.1.3
164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Addressable | Contingency planning periodic testing procedures | 7.2.2, 11.1.3, 11.1.5, 8.1.5, 7.2.3, 10.5.1-10.5.5
164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Addressable | Prioritize data and system criticality for contingency planning | 11.1.2, 11.1.4, 8.1.5, 5.2.2, 8.1.2
164.308(a)(8) | Evaluation | Required | Periodic security evaluation | 4.1.5, 9.7.2, 12.2.1, 12.2.2, 3.1.2, 6.3.4, 8.1.1, 8.2.2
164.308(b)(1) | Business Associate Contracts and Other Arrangements | Standard | CE implement BACs to ensure safeguards | 4.2.1, 4.2.2, 4.3.1, 8.1.6, 12.1.1, 4.1.6, 8.2.1, 8.7.4
164.308(b)(4) | Written Contract | Required | Implement compliant BACs | 8.7.1, 4.3.1, 12.1.1

PHYSICAL SAFEGUARDS
164.310(a)(1) | Facility Access Controls | Standard | P&P to limit access to systems and facilities | 7.1.1-7.1.5, 12.1.3, 9.3.2
164.310(a)(2)(i) | Contingency Operations | Addressable | Procedures to support emergency operations and recovery | 7.2.2, 11.1.1, 11.1.3, 12.1.3, 4.1.7, 7.2.3, 7.2.4, 8.1.1
164.310(a)(2)(ii) | Facility Security Plan | Addressable | P&P to safeguard equipment and facilities | 7.1.1, 7.1.3
164.310(a)(2)(iii) | Access Control Validation Procedures | Addressable | Facility access procedures for personnel | 7.1.2, 7.1.4, 9.1.1
164.310(a)(2)(iv) | Maintenance Records | Addressable | P&P to document security-related repairs and modifications | 7.2.4, 12.1.3
164.310(b) | Workstation Use | Required | P&P to specify workstation environment & use | 2.2.4, 7.2.1, 8.6.1, 7.1.4, 7.2.4, 8.6.1, 12.1.5, 9.3.2, 8.1.5, 4.1.4, 5.2.1
164.310(c) | Workstation Security | Required | Physical safeguards for workstation access | 7.2.1, 7.2.4, 8.6.2, 9.3.2, 7.3.2
164.310(d)(1) | Device and Media Controls | Standard | P&P to govern receipt and removal of hardware and media | 5.1.1, 7.2.5, 7.3.2, 8.7.2, 8.6.7, 9.8.1, 8.5.1, 6.3.3
164.310(d)(2)(i) | Disposal | Required | P&P to manage media and equipment disposal | 7.2.6, 8.6.2
164.310(d)(2)(ii) | Media Re-use | Required | P&P to remove PHI from media and equipment | 7.2.6, 8.6.2
164.310(d)(2)(iii) | Accountability | Addressable | Document hardware and media movement | 5.1.1, 7.3.2, 7.2.5, 8.7.2, 9.8.1
164.310(d)(2)(iv) | Data Backup and Storage | Addressable | Backup PHI before moving equipment | 8.1.1, 8.4.1, 8.6.3, 12.1.3

TECHNICAL SAFEGUARDS
164.312(a)(1) | Access Control | Standard | Technical (administrative) P&P to manage PHI access | 9.1.1, 9.4.1, 9.6.1, 12.1.3
164.312(a)(2)(i) | Unique User Identification | Required | Assign unique IDs to support tracking | 9.2.1, 9.2.2
164.312(a)(2)(ii) | Emergency Access Procedure | Required | Procedures to support emergency access | 11.1.3
164.312(a)(2)(iii) | Automatic Logoff | Addressable | Session termination mechanisms | 9.5.7, 9.5.8, 7.3.1
164.312(a)(2)(iv) | Encryption and Decryption | Addressable | Mechanism for encryption of stored PHI | 8.5.1, 8.7.4, 10.3.1, 10.3.2, 10.3.3, 12.1.6
164.312(b) | Audit Controls | Required | Procedures and mechanisms for monitoring system activity | 8.1.3, 8.6.2, 9.7.1, 9.7.2, 12.3.1, 12.3.2, 10.3.4, 9.7.3, 4.1.6, 4.1.7
164.312(c)(1) | Integrity | Standard | P&P to safeguard PHI against unauthorized alteration | 12.1.3, 10.2.1, 10.4.2
164.312(c)(2) | Mechanism to Authenticate Electronic Protected Health Information | Addressable | Mechanisms to corroborate PHI not altered | 10.2.3, 8.1.6
164.312(d) | Person or Entity Authentication | Required | Procedures to verify identities | 9.4.3, 9.5.3, 8.7.6, 4.2.1, 9.2.1, 9.2.2, 10.2.1, 10.3.3
164.312(e)(1) | Transmission Security | Standard | Measures to guard against unauthorized access to transmitted PHI | 10.3.1, 10.3.4, 10.2.4, 4.2.1
164.312(e)(2)(i) | Integrity Controls | Addressable | Measures to ensure integrity of PHI on transmission | 12.1.3, 10.3.4, 8.7.4, 7.2.3, 8.7.6, 9.4.3, 9.4.3-9.4.9, 9.6.2, 10.2.2, 10.2.4, 10.4.3
164.312(e)(2)(ii) | Encryption | Addressable | Mechanism for encryption of transmitted PHI | 8.5.1, 8.7.4, 10.3.1, 10.3.2, 10.3.3, 10.4.2, 12.1.6

ORGANIZATIONAL REQUIREMENTS
164.314(a)(1) | Business Associate Contracts or Other Arrangements | Standard | CE must ensure BA safeguards PHI | 4.2.2, 4.3.1, 8.1.6, 12.1.1, 4.2.1, 8.2.1, 4.1.6
164.314(a)(2) | Business Associate Contracts | | BACs must contain security language | 4.2.2, 4.3.1, 8.1.6, 8.7.1, 12.1.1, 8.7.4
164.314(b)(1) | Requirements for Group Health Plans | Standard | Plan documents must reflect security safeguards | N/A
164.314(b)(2)(i) | Implement Safeguards | | Plan sponsor to implement safeguards as appropriate | N/A
164.314(b)(2)(ii) | Ensure Adequate Separation | | Security measures to separate PHI from plan sponsor and plan | N/A
164.314(b)(2)(iii) | Ensure Agents Safeguard | | Ensure subcontractors safeguard PHI | N/A
164.314(b)(2)(iv) | Report Security Incidents | | Plan sponsors report breaches to health plan | N/A

164.316(a) | Policies and Procedures | Standard | P&P to ensure safeguards to PHI | 3.1.1, 8.1.1, 12.1.4 (Privacy 6.1.3, 7.3.1, 8.7.4, 8.7.7), 12.1.1, 9.8.2, 12.1.2, 12.2.1, 12.1.4
164.316(b)(1) | Documentation | Standard | Document P&P and actions & activities | 8.1.1, 12.1.1, 12.2.1
164.316(b)(2)(i) | Time Limit | | Retain documentation for 6 years |
164.316(b)(2)(ii) | Availability | | Documentation available to system administrators |
164.316(b)(2)(iii) | Updates | | Periodic review and updates to changing needs | 4.1.7, 12.1.1

Standards | CFR Sections | Implementation Specifications ((R) = Required, (A) = Addressable)

Administrative Safeguards
Security Management Process | 164.308(a)(1) | Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
Assigned Security Responsibility | 164.308(a)(2) | none (R)
Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)
Information Access Management | 164.308(a)(4) | Isolating Healthcare Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)
Security Awareness and Training | 164.308(a)(5) | Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R)
Contingency Plan | 164.308(a)(7) | Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)
Evaluation | 164.308(a)(8) | none (R)
Business Associate Contracts | 164.308(b)(1) | Written Contract or Other Arrangement (R)

Physical Safeguards
Facility Access Controls | 164.310(a)(1) | Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
Workstation Use | 164.310(b) | none (R)
Workstation Security | 164.310(c) | none (R)
Device and Media Controls | 164.310(d)(1) | Media Disposal (R); Media Re-use (R); Media Accountability (A); Data Backup and Storage (during transfer) (A)

Technical Safeguards
Access Control | 164.312(a)(1) | Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (data at rest) (A)
Audit Controls | 164.312(b) | none (R)
Integrity | 164.312(c)(1) | Protection Against Improper Alteration or Destruction of Data (A)
Person or Entity Authentication | 164.312(d) | none (R)
Transmission Security | 164.312(e)(1) | Integrity Controls (A); Encryption (FTP and Email over Internet) (A)

NIST Resource Guide for Implementing HIPAA (DRAFT NIST SP 800-66, http://csrc.nist.gov/publications/drafts/DRAFT-sp800-66.pdf )

NIST publications referenced in the resource guide (NIST Publication # | Publication Title | URL):

NIST SP 800-12 (chapters 3, 5, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18 and 19 are cited) | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
NIST SP 800-16 | IT Security Training Requirements: Role and Performance Based Model | http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf (part 1), http://csrc.nist.gov/publications/nistpubs/800-16/AppendixA-D.pdf (part 2), http://csrc.nist.gov/publications/nistpubs/800-16/Appendix_E.pdf (part 3)
NIST SP 800-18 | Guide for Developing Security Plans for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-18/Planguide.PDF
NIST SP 800-26 | Security Self-Assessment Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf
NIST SP 800-27 | Engineering Principles for Information Technology Security (Baseline for Achieving Security) | http://csrc.nist.gov/publications/nistpubs/800-27/sp800-27.pdf
NIST SP 800-30 | Risk Management Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
NIST SP 800-34 | Contingency Planning Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf
NIST SP 800-36 | Guide to Selecting Information Security Products | http://csrc.nist.gov/publications/nistpubs/800-36/NIST-SP800-36.pdf
NIST SP 800-37 | Guide for the Security Certification and Accreditation of Federal Information Systems | http://csrc.nist.gov/publications/nistpubs/800-37/SP800-37-final.pdf
NIST SP 800-42 | Guideline on Network Security Testing | http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf
NIST SP 800-44 | Guidelines on Securing Public Web Servers | http://csrc.nist.gov/publications/nistpubs/800-44/sp800-44.pdf
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf
NIST SP 800-55 | Security Metrics Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-55/sp800-55.pdf
NIST SP 800-56 | Recommendation on Key Establishment Schemes | http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html
NIST SP 800-57 | Recommendation on Key Management | http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html
NIST SP 800-60 | Guide for Mapping Types of Information and Information Systems to Security Categories | http://csrc.nist.gov/publications/drafts/800-60v1f.pdf (Vol. 1), http://csrc.nist.gov/publications/drafts/sp800-60V2f.pdf (Vol. 2)
NIST SP 800-63 | Recommendation for Electronic Authentication | http://csrc.nist.gov/publications/drafts/draft-sp800-63.pdf
NIST SP 800-64 | Security Considerations in the Information Systems Development Life Cycle | http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800-64.pdf
FIPS 140-2 | Security Requirements for Cryptographic Modules | http://csrc.nist.gov/cryptval/140-2.htm
FIPS 199 | Standards for Security Categorization of Federal Information and Information Systems | http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

ISO 17799 Audit Check List to Information Security & Privacy Management
Standard Section ISO Audit Question Possible HIPAA Privacy Policy Impact Practice in Place? Procedure or Control Documented?

Security Policy
3.1 3.1.1 Information security policy Whether there exists an Information security policy, Information security which is approved by the management, published and policy document communicated as appropriate to all employees. Whether it states the management commitment and set out the organizational approach to managing information security. Whether the Security policy has an owner, who is Review and responsible for its maintenance and review according evaluation to a defined review process. Whether the process ensures that a review takes place in response to any changes affecting the basis of the original assessment, example: significant security incidents, new vulnerabilities or changes to organizational or technical infrastructure. Information security infrastructure Management Whether there is a management forum to ensure there information security is a clear direction and visible management support for forum security initiatives within the organization. Whether there is a cross-functional forum of Information security management representatives from relevant parts of the coordination organization to coordinate the implementation of information security controls. Allocation of Whether responsibilities for the protection of individual information security assets and for carrying out specific security processes responsibilities were clearly defined. Authorization process for information processing facilities Whether there is a management authorization process in place for any new information processing facility. This should include all new facilities such as hardware and software. Privacy Protections, Safeguards

3.1.2

Privacy Protections

Organizational Security
4.1 4.1.1

4.1.2

Privacy Official

4.1.3

4.1.4

Privacy Protections

4.1.5

Specialist Whether specialist information security advice is information security obtained where appropriate. advise A specific individual may be identified to co-ordinate inhouse knowledge and experiences to ensure consistency, and provide help in security decision making.

Privacy Official

ISO 17799 Audit Check List to Information Security & Privacy Management
Standard Section ISO Audit Question Possible HIPAA Privacy Policy Impact Practice in Place? Procedure or Control Documented?

Security Policy
4.1.6

4.1.7

4.2 4.2.1

4.2.2

Whether appropriate contacts with law enforcement authorities, regulatory bodies, information service Co-operation providers and telecommunication operators were between maintained to ensure that appropriate action can be organizations quickly taken and advice obtained, in the event of a security incident. Whether the implementation of security policy is Independent review reviewed independently on regular basis. This is to of information provide assurance that organizational practices security properly reflect the policy, and that it is feasible and effective. Security of third party access Identification of Whether risks from third party access are identified and risks from third appropriate security controls implemented. party access Whether the types of accesses are identified, classified and reasons for access are justified. Whether there is a formal contract containing, or Security referring to, all the security requirements to ensure requirements in compliance with the organizations security policies and third party contracts standards.

Business Associate Agreements

Business Associate Agreements Business Associate Agreements Business Associate Agreements

ISO 17799 Audit Check List to Information Security & Privacy Management
Standard Section ISO Audit Question Possible HIPAA Privacy Policy Impact Practice in Place? Procedure or Control Documented?

4.3 Outsourcing

4.3.1 Security requirements in outsourcing contracts
    Audit question: Whether security requirements are addressed in the contract with the third party when the organization has outsourced the management and control of all or some of its information systems, networks and/or desktop environments. The contract should address how the legal requirements are to be met, how the security of the organization's assets is maintained and tested, the right of audit, physical security issues, and how the availability of the services is to be maintained in the event of a disaster.
    HIPAA privacy policy impact: Business Associate Agreements

Asset classification and control

5.1 Accountability for assets

5.1.1 Inventory of assets
    Audit question: Whether an inventory or register is maintained of the important assets associated with each information system. Whether each identified asset has an owner, a defined and agreed security classification, and an identified location.

5.2 Information classification

5.2.1 Classification guidelines
    Audit question: Whether there is an information classification scheme or guideline in place that determines how information is to be handled and protected.
    HIPAA privacy policy impact: Minimum Necessary, Use and Disclosure

5.2.2 Information labelling and handling
    Audit question: Whether an appropriate set of procedures is defined for information labelling and handling in accordance with the classification scheme adopted by the organization.
    HIPAA privacy policy impact: Minimum Necessary, Use and Disclosure


Personnel security

6.1 Security in job definition and resourcing

6.1.1 Including security in job responsibilities
    Audit question: Whether the security roles and responsibilities laid down in the organization's information security policy are documented where appropriate. This should include general responsibilities for implementing or maintaining the security policy as well as specific responsibilities for the protection of particular assets or for carrying out particular security processes or activities.
    HIPAA privacy policy impact: Workforce

6.1.2 Personnel screening and policy
    Audit question: Whether verification checks on permanent staff are carried out at the time of job application. These should include a character reference, confirmation of claimed academic and professional qualifications, and an independent identity check.
    HIPAA privacy policy impact: Workforce

6.1.3 Confidentiality agreements
    Audit question: Whether employees are asked to sign a confidentiality or non-disclosure agreement as part of their initial terms and conditions of employment, and whether this agreement covers the security of the information processing facility and the organization's assets.
    HIPAA privacy policy impact: Workforce

6.1.4 Terms and conditions of employment
    Audit question: Whether the terms and conditions of employment cover the employee's responsibility for information security. Where appropriate, these responsibilities may continue for a defined period after the end of employment.
    HIPAA privacy policy impact: Workforce

6.2 User training

6.2.1 Information security education and training
    Audit question: Whether all employees of the organization and, where relevant, third party users receive appropriate information security training and regular updates on organizational policies and procedures.
    HIPAA privacy policy impact: Workforce

6.3 Responding to security incidents and malfunctions

6.3.1 Reporting security incidents
    Audit question: Whether a formal reporting procedure exists for reporting security incidents through the appropriate management channels as quickly as possible.
    HIPAA privacy policy impact: Incident Reporting

6.3.2 Reporting security weaknesses
    Audit question: Whether a formal reporting procedure or guideline exists for users to report security weaknesses in, or threats to, systems or services.
    HIPAA privacy policy impact: Safeguards, Incident Reporting

6.3.3 Reporting software malfunctions
    Audit question: Whether procedures are established for reporting any software malfunctions.

6.3.4 Learning from incidents
    Audit question: Whether mechanisms are in place to quantify and monitor the types, volumes and costs of incidents and malfunctions.
    HIPAA privacy policy impact: Safeguards, Incident Reporting

6.3.5 Disciplinary process
    Audit question: Whether there is a formal disciplinary process for employees who have violated organizational security policies and procedures. Such a process acts as a deterrent to employees who might otherwise be inclined to disregard security procedures.
    HIPAA privacy policy impact: Workforce


Physical and environmental security

7.1 Secure areas

7.1.1 Physical security perimeter
    Audit question: What physical perimeter security has been implemented to protect the information processing service. Examples are card-controlled entry gates, walls, and a manned reception.
    HIPAA privacy policy impact: Safeguards

7.1.2 Physical entry controls
    Audit question: What entry controls are in place to allow only authorized personnel into the various areas of the organization.
    HIPAA privacy policy impact: Safeguards

7.1.3 Securing offices, rooms and facilities
    Audit question: Whether the rooms housing the information processing service are locked, or have lockable cabinets or safes. Whether the information processing service is protected from natural and man-made disasters. Whether there is any potential threat from neighbouring premises. Whether information is made available only on a need-to-know basis.
    HIPAA privacy policy impact: Safeguards; for the need-to-know question, Minimum Necessary, Use and Disclosure, Workforce

7.1.4 Working in secure areas
    Audit question: Whether there are security controls for third parties or for personnel working in secure areas.
    HIPAA privacy policy impact: Safeguards

7.1.5 Isolated delivery and loading areas
    Audit question: Whether the delivery area and the information processing area are isolated from each other to avoid unauthorized access. Whether a risk assessment was conducted to determine the security required in such areas.
    HIPAA privacy policy impact: Safeguards


7.2 Equipment security

7.2.1 Equipment siting and protection
    Audit question: Whether equipment is located so as to minimize unnecessary access into work areas. Whether items requiring special protection are isolated, to reduce the general level of protection required. Whether controls are adopted to minimize the risk from potential threats such as theft, fire, explosives, smoke, water, dust, vibration, chemical effects, electrical supply interference, electromagnetic radiation and flood. Whether there is a policy on eating, drinking and smoking in proximity to information processing services. Whether environmental conditions that could adversely affect the information processing facilities are monitored.
    HIPAA privacy policy impact: Safeguards

7.2.2 Power supplies
    Audit question: Whether equipment is protected from power failures by redundant power supplies such as multiple feeds, an uninterruptible power supply (UPS) or a backup generator.
    HIPAA privacy policy impact: Safeguards

7.2.3 Cabling security
    Audit question: Whether the power and telecommunications cabling carrying data or supporting information services is protected from interception or damage. Whether additional security controls are in place for sensitive or critical information.
    HIPAA privacy policy impact: Safeguards

7.2.4 Equipment maintenance
    Audit question: Whether equipment is maintained according to the supplier's recommended service intervals and specifications. Whether maintenance is carried out only by authorized personnel. Whether logs are kept of all suspected or actual faults and of all preventive and corrective measures.
    HIPAA privacy policy impact: Safeguards

7.2.5 Security of equipment off-premises
    Audit question: Whether appropriate controls are applied when sending equipment off the premises. If the equipment is covered by insurance, whether the insurance requirements are satisfied. Whether any use of equipment outside the organization's premises for information processing is authorized by management. Whether the security provided for this equipment while off the premises is on a par with, or greater than, the security provided on the premises.
    HIPAA privacy policy impact: Safeguards

7.2.6 Secure disposal or re-use of equipment
    Audit question: Whether storage devices containing sensitive information are physically destroyed or securely overwritten before disposal or re-use.
    HIPAA privacy policy impact: Safeguards

7.3 General controls

7.3.1 Clear desk and clear screen policy
    Audit question: Whether automatic screen locking is enabled, so that the screen locks when a computer is left unattended for a period. Whether employees are advised to keep confidential material, whether paper documents or media, locked away while unattended.
    HIPAA privacy policy impact: Safeguards

7.3.2 Removal of property
    Audit question: Whether equipment, information or software can be taken off-site without appropriate authorization. Whether spot checks or regular audits are conducted to detect unauthorized removal of property, and whether individuals are aware that such spot checks or audits take place.
    HIPAA privacy policy impact: Safeguards, Workforce

Communications and operations management

8.1 Operational procedures and responsibilities

8.1.1 Documented operating procedures
    Audit question: Whether the security policy identifies operating procedures such as backup and equipment maintenance, and whether such procedures are documented and used.

8.1.2 Operational change control
    Audit question: Whether all programs running on production systems are subject to strict change control, i.e. any change to a production program must go through change control authorization. Whether audit logs are maintained for every change made to production programs.

8.1.3 Incident management procedures
    Audit question: Whether an incident management procedure exists for handling security incidents. Whether the procedure defines incident management responsibilities and provides for an orderly and quick response to security incidents. Whether the procedure covers the different types of incident, from denial of service to breach of confidentiality, and how each is to be handled. Whether audit trails and logs relating to incidents are preserved, and proactive action taken so that the incident does not recur.
    HIPAA privacy policy impact: Privacy Incident

8.1.4 Segregation of duties
    Audit question: Whether duties and areas of responsibility are separated in order to reduce the opportunities for unauthorized modification or misuse of information or services.
    HIPAA privacy policy impact: Workforce

8.1.5 Separation of development and operational facilities
    Audit question: Whether development and testing facilities are isolated from operational facilities. For example, development software should run on a different computer from the one running production software; where necessary, the development and production networks should be separated from each other.

8.1.6 External facilities management
    Audit question: Whether any information processing facility is managed by an external company or contractor (third party). Whether the risks associated with such management were identified in advance, discussed with the third party, and appropriate controls incorporated into the contract. Whether the necessary approval is obtained from the business and application owners.
    HIPAA privacy policy impact: Business Associate Agreements

8.2 System planning and acceptance

8.2.1 Capacity planning
    Audit question: Whether capacity demands are monitored and projections of future capacity requirements made, to ensure that adequate processing power and storage are available. Example: monitoring hard disk space, RAM and CPU on critical servers.

8.2.2 System acceptance
    Audit question: Whether system acceptance criteria are established for new information systems, upgrades and new versions, and whether suitable tests are carried out prior to acceptance.

8.3 Protection against malicious software

8.3.1 Controls against malicious software
    Audit question: Whether controls exist against malicious software. Whether the security policy addresses software licensing issues, such as prohibiting the use of unauthorized software. Whether there is a procedure to verify that warning bulletins about malicious software are accurate and informative. Whether antivirus software is installed on computers to check for, and isolate or remove, any viruses on the computer and on media, and whether its signatures are updated regularly to detect the latest viruses. Whether all traffic entering the organization from untrusted networks is checked for viruses. Example: virus checking of email, email attachments, web and FTP traffic.
    HIPAA privacy policy impact: Safeguards

8.4 Housekeeping

8.4.1 Information backup
    Audit question: Whether backups of essential business information, such as production servers, critical network components and configurations, are taken regularly. Example: Mon-Thu incremental backup and Fri full backup. Whether the backup media, along with the procedure to restore from them, are stored securely and well away from the actual site. Whether the backup media are tested regularly to ensure that they can be restored within the time allotted in the operational recovery procedure.

8.4.2 Operator logs
    Audit question: Whether operational staff maintain a log of their activities (name of the person, errors, corrective action taken, etc.). Whether operator logs are checked regularly against the operating procedures.

8.4.3 Fault logging
    Audit question: Whether faults are reported and well managed. This includes corrective action being taken, review of the fault logs, and checking of the actions taken.

8.5 Network management

8.5.1 Network controls
    Audit question: Whether effective operational controls, such as separate network and system administration facilities, are established where necessary. Whether responsibilities and procedures for the management of remote equipment, including equipment in user areas, are established. Whether special controls exist to safeguard the confidentiality and integrity of data passing over public networks and to protect the connected systems. Example: virtual private networks and other encryption and hashing mechanisms.
    HIPAA privacy policy impact: Workforce, Safeguards

8.6 Media handling and security

8.6.1 Management of removable computer media
    Audit question: Whether there is a procedure for the management of removable computer media such as tapes, disks, cassettes, memory cards and printed reports.
    HIPAA privacy policy impact: Safeguards

8.6.2 Disposal of media
    Audit question: Whether media that are no longer required are disposed of securely and safely. Whether the disposal of sensitive items is logged where necessary to maintain an audit trail.
    HIPAA privacy policy impact: Safeguards

8.6.3 Information handling procedures
    Audit question: Whether there is a procedure for handling the storage of information, and whether it addresses the protection of information from unauthorized disclosure or misuse.
    HIPAA privacy policy impact: Use and Disclosure, Minimum Necessary, Safeguards

8.6.4 Security of system documentation
    Audit question: Whether system documentation is protected from unauthorized access. Whether the access list for system documentation is kept to a minimum and authorized by the application owner. Example: where system documentation must be kept on a shared drive for a specific purpose, the documents should have access control lists applied so that only a limited set of users can read them.

8.7 Exchanges of information and software

8.7.1 Information and software exchange agreements
    Audit question: Whether there is a formal or informal agreement between the organizations for the exchange of information and software.
    HIPAA privacy policy impact: Designated Record Set (Data Use Agreement), Business Associate Contracts

8.7.1 Information and software exchange agreements (continued)
    Audit question: Whether the agreement addresses the security issues appropriate to the sensitivity of the business information involved.
    HIPAA privacy policy impact: Designated Record Set (Data Use Agreement), Business Associate Contracts

8.7.2 Security of media in transit
    Audit question: Whether the security of media in transit is taken into account, and whether the media are protected from unauthorized access, misuse or corruption.
    HIPAA privacy policy impact: Safeguards

8.7.3 Electronic commerce security
    Audit question: Whether electronic commerce is protected, with controls implemented against fraudulent activity, contract dispute, and disclosure or modification of information. Whether security controls such as authentication and authorization are considered in the e-commerce environment. Whether electronic commerce arrangements between trading partners include a documented agreement committing both parties to the agreed terms of trading, including details of security issues.
    HIPAA privacy policy impact: Safeguards; for the trading-partner agreement, Business Associate Agreements

8.7.4 Security of electronic mail
    Audit question: Whether there is a policy on the acceptable use of electronic mail, or whether the security policy addresses the use of electronic mail. Whether controls such as antivirus checking, isolation of potentially unsafe attachments, spam control and anti-relaying are in place to reduce the risks created by electronic mail.
    HIPAA privacy policy impact: Safeguards

8.7.5 Security of electronic office systems
    Audit question: Whether there is an acceptable use policy for electronic office systems. Whether guidelines are in place to control the business and security risks associated with electronic office systems.
    HIPAA privacy policy impact: Safeguards

8.7.6 Publicly available systems
    Audit question: Whether there is a formal authorization process for information to be made publicly available, such as approval through change control that includes the business and application owners. Whether controls are in place to protect the integrity of publicly available information from unauthorized access; these may include firewalls, operating system hardening, and intrusion detection tools used to monitor the system.
    HIPAA privacy policy impact: Workforce (authorization process); Workforce, Safeguards (integrity controls)

8.7.7 Other forms of information exchange
    Audit question: Whether policies, procedures or controls are in place to protect the exchange of information through voice, facsimile and video communication facilities. Whether staff are reminded to maintain the confidentiality of sensitive information when using such facilities.
    HIPAA privacy policy impact: Safeguards, Use and Disclosure; for the staff reminder, Workforce, Safeguards

Access control

9.1 Business requirement for access control

9.1.1 Access control policy
    Audit question: Whether the business requirements for access control have been defined and documented. Whether the access control policy addresses the rules and rights for each user or group of users. Whether users and service providers are given a clear statement of the business requirements to be met by access controls.
    HIPAA privacy policy impact: Safeguards, Workforce, Business Associate Agreements; for the statement of business requirements, also Designated Record Sets

9.2 User access management

9.2.1 User registration
    Audit question: Whether there is a formal user registration and de-registration procedure for granting access to multi-user information systems and services.
    HIPAA privacy policy impact: Minimum Necessary, Workforce

9.2.2 Privilege management
    Audit question: Whether the allocation and use of privileges in multi-user information systems is restricted and controlled, i.e. privileges are allocated on a need-to-use basis and only after a formal authorization process.
    HIPAA privacy policy impact: Minimum Necessary, Workforce

9.2.3 User password management
    Audit question: Whether the allocation and reallocation of passwords is controlled through a formal management process. Whether users are asked to sign a statement to keep their password confidential.
    HIPAA privacy policy impact: Safeguards; for the signed statement, Workforce

9.2.4 Review of user access rights
    Audit question: Whether there is a process to review user access rights at regular intervals. Example: special privileges reviewed every 3 months, normal privileges every 6 months.

9.3 User responsibilities

9.3.1 Password use
    Audit question: Whether guidelines are in place to guide users in selecting and maintaining secure passwords.
    HIPAA privacy policy impact: Safeguards

9.3.2 Unattended user equipment
    Audit question: Whether users and contractors are made aware of the security requirements and procedures for protecting unattended equipment, and of their responsibility to implement such protection. Example: log off when a session is finished or configure automatic log-off; terminate sessions when finished.
    HIPAA privacy policy impact: Business Associate Agreements, Workforce

9.4 Network access control

9.4.1 Policy on use of network services
    Audit question: Whether there is a policy addressing networks and network services, covering the parts of the network that may be accessed, authorization services to determine who is allowed to do what, and procedures to protect access to network connections and network services.
    HIPAA privacy policy impact: Minimum Necessary, Workforce

9.4.2 Enforced path
    Audit question: Whether there is a control that restricts the route between the user terminal and the computer services the user is authorized to access, e.g. an enforced path, to reduce risk.
    HIPAA privacy policy impact: Safeguards

9.4.3 User authentication for external connections
    Audit question: Whether there is an authentication mechanism for challenging external connections. Examples: cryptography-based techniques, hardware tokens, software tokens, challenge/response protocols.

9.4.4 Node authentication
    Audit question: Whether connections to remote computer systems outside the organization's security management are authenticated. Node authentication can serve as an alternative means of authenticating groups of remote users where they are connected to a secure, shared computer facility.

9.4.5 Remote diagnostic port protection
    Audit question: Whether access to diagnostic ports is securely controlled, i.e. protected by a security mechanism.

9.4.6 Segregation in networks
    Audit question: Whether the network, where business partners and/or third parties need access to information systems, is segregated using perimeter security mechanisms such as firewalls.

9.4.7 Network connection control
    Audit question: Whether there is network connection control for shared networks that extend beyond the organizational boundaries. Example: electronic mail, web access, file transfers, etc.

9.4.8 Network routing control
    Audit question: Whether there are network controls to ensure that computer connections and information flows do not breach the access control policy of the business applications. This is often essential for networks shared with users from outside the organization. Whether the routing controls are based on positive source and destination identification mechanisms. Example: network address translation (NAT).
    HIPAA privacy policy impact: Safeguards

9.4.9 Security of network services
    Audit question: Whether the organization, in using public or private network services, ensures that a clear description of the security attributes of all services used is provided.

9.5 Operating system access control

9.5.1 Automatic terminal identification
    Audit question: Whether an automatic terminal identification mechanism is used to authenticate connections.

9.5.2 Terminal log-on procedures
    Audit question: Whether access to the information system is attainable only via a secure log-on process, and whether a log-on procedure exists for each information system, to minimize the opportunity for unauthorized access.

9.5.3 User identification and authentication
    Audit question: Whether a unique identifier is provided to every user, including operators, system administrators and all other staff, technical staff included. Generic user accounts should be supplied only under exceptional circumstances where there is a clear business benefit; additional controls may then be necessary to maintain accountability. Whether the authentication method used substantiates the claimed identity of the user; the commonly used method is a password that only the user knows.

9.5.4 Password management system
    Audit question: Whether there is a password management system that enforces password controls such as: individual passwords for accountability, enforced password changes, storage of passwords in encrypted (one-way) form, and not displaying passwords on screen.

9.5.5 Use of system utilities
    Audit question: Whether the system utilities that come with computer installations, but may override system and application controls, are tightly controlled.

9.5.6 Duress alarm to safeguard users
    Audit question: Whether the provision of a duress alarm is considered for users who might be the target of coercion.
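The controls in 9.5.4 are normally checked by inspecting a product's configuration, but they also read as a specification. The following is an added example, not code from the checklist or from any product, of a minimal password management system that meets them: passwords are kept only as salted PBKDF2-HMAC-SHA256 hashes (the standard requires a one-way encrypted form but names no algorithm, so the algorithm, the 100,000-iteration work factor, the 90-day maximum age and the history depth of 5 are assumptions), a correct but stale password is reported as expired, recently used passwords cannot be set again, and the plaintext is never stored, logged or returned. The user names, passwords and dates are constructed.

```python
"""Password management system (ISO 17799 9.5.4), as an added example.

Not code from the checklist. Assumptions: salted PBKDF2-HMAC-SHA256 is the
one-way storage form (the standard names no algorithm); the iteration
count, 90-day maximum age and 5-entry history are illustrative policy
values; every user name, password and date below is constructed."""
import hashlib
import hmac
import os
from datetime import date, timedelta

PBKDF2_ITERATIONS = 100_000    # work factor; raise it as hardware gets faster
MAX_AGE = timedelta(days=90)   # enforced change interval (assumed policy value)
HISTORY_DEPTH = 5              # previous hashes retained to block reuse (assumed)
SALT_LEN = 16


def _derive(password: str, salt: bytes) -> bytes:
    """One-way transform: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    """Holds, per user, the current salt and hash, the change date, and a
    short history of (salt, hash) pairs. The plaintext is never stored,
    logged or returned, so nothing here can display it on screen."""

    def __init__(self):
        self._users = {}

    def set_password(self, user: str, password: str, today: date) -> None:
        rec = self._users.get(user)
        history = rec["history"] if rec else []
        # Reuse check against every retained (salt, hash) pair.
        for old_salt, old_hash in history:
            if hmac.compare_digest(_derive(password, old_salt), old_hash):
                raise ValueError("password was used recently; choose a different one")
        salt = os.urandom(SALT_LEN)   # fresh random salt per password
        digest = _derive(password, salt)
        self._users[user] = {
            "salt": salt,
            "hash": digest,
            "changed": today,
            "history": (history + [(salt, digest)])[-HISTORY_DEPTH:],
        }

    def verify(self, user: str, password: str, today: date) -> str:
        """Return 'ok', 'expired' (correct, but the change interval has
        passed and a new password must be set) or 'denied'."""
        rec = self._users.get(user)
        if rec is None:
            _derive(password, b"\x00" * SALT_LEN)  # spend the same time for unknown users
            return "denied"
        if not hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"]):
            return "denied"
        if today - rec["changed"] > MAX_AGE:
            return "expired"
        return "ok"

    def has_plaintext(self, user: str, password: str) -> bool:
        """Audit helper: confirms the password itself never appears in the stored record."""
        rec = self._users[user]
        blob = rec["salt"] + rec["hash"] + b"".join(s + h for s, h in rec["history"])
        return password.encode("utf-8") in blob


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice", "Winter-2024-apples", date(2024, 1, 1))
    print(store.verify("alice", "Winter-2024-apples", date(2024, 2, 1)))  # ok
    print(store.verify("alice", "Winter-2024-apples", date(2024, 6, 1)))  # expired
```

Two details matter for an assessor. `verify` runs the key derivation even for an unknown user name, so response time does not reveal which accounts exist, and both comparisons use `hmac.compare_digest` rather than `==`. The reuse check has to re-derive the candidate password with each old salt, which is why the history is kept short.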

9.5.7 Terminal time-out
    Audit question: Whether inactive terminals in public areas are configured to clear the screen or shut down automatically after a defined period of inactivity.
    HIPAA privacy policy impact: Safeguards

9.5.8 Limitation of connection time
    Audit question: Whether there are restrictions on connection time for high-risk applications. This should be considered for sensitive applications whose terminals are installed in high-risk locations.
    HIPAA privacy policy impact: Safeguards

9.6 Application access control

9.6.1 Information access restriction
    Audit question: Whether access to applications by the various groups and personnel within the organization is defined in the access control policy according to each business application's requirements, and is consistent with the organization's information access policy.
    HIPAA privacy policy impact: Minimum Necessary, Workforce, Safeguards

9.6.2 Sensitive system isolation
    Audit question: Whether sensitive systems are provided with an isolated computing environment, such as running on a dedicated computer or sharing resources only with trusted application systems.
    HIPAA privacy policy impact: Minimum Necessary, Workforce, Safeguards

9.7 Monitoring system access and use

9.7.1 Event logging
    Audit question: Whether audit logs recording exceptions and other security-relevant events are produced and kept for an agreed period, to assist future investigations and access control monitoring.

9.7.2 Monitoring system use
    Audit question: Whether procedures are set up for monitoring the use of information processing facilities. The procedure should ensure that users perform only the activities that are explicitly authorized. Whether the results of the monitoring activities are reviewed regularly.

9.7.3 Clock synchronization
    Audit question: Where a computer or communications device has the capability of operating a real-time clock, whether it is set to an agreed standard such as Coordinated Universal Time or local standard time. Correct setting of computer clocks is important for the accuracy of audit logs.

9.8 Mobile computing and teleworking

9.8.1 Mobile computing
    Audit question: Whether a formal policy is adopted that takes into account the risks of working with computing facilities such as notebooks and palmtops, especially in unprotected environments. Whether training is arranged for staff who use mobile computing facilities, to raise awareness of the additional risks of this way of working and of the controls needed to mitigate them.
    HIPAA privacy policy impact: Workforce, Safeguards

9.8.2 Teleworking
    Audit question: Whether there is a policy, procedure and/or standard to control teleworking activities, consistent with the organization's security policy.
    HIPAA privacy policy impact: Minimum Necessary, Workforce, Safeguards
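An added example, not part of the checklist, of the kind of monitoring procedure 9.7.1 and 9.7.2 ask for, expressed in code: it parses audit log lines and applies two checks, repeated failed log-ons within a short window, and successful log-ons to hosts the user is not explicitly authorized for. The log format (ISO 8601 timestamp plus key=value fields), the sample lines, the authorization table and the threshold of 3 failures in 5 minutes are all constructed for illustration and do not correspond to any particular product.

```python
"""Monitoring system use (ISO 17799 9.7.1 and 9.7.2), as an added example.

Not code from the checklist. The log format, the sample lines, the
authorization table and the thresholds are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log. Lines that do not fit the format are counted
# separately rather than ignored, so a parser failure cannot hide events.
SAMPLE_LOG = """\
2024-03-04T08:55:10Z host=db01 user=alice result=success src=10.0.1.20
2024-03-04T09:01:02Z host=db01 user=bob result=failure src=10.0.1.31
2024-03-04T09:01:40Z host=db01 user=bob result=failure src=10.0.1.31
2024-03-04T09:02:15Z host=db01 user=bob result=failure src=10.0.1.31
2024-03-04T09:30:00Z host=billing user=alice result=success src=10.0.1.20
2024-03-04T10:15:44Z host=db01 user=carol result=failure src=10.0.9.9
2024-03-04T16:20:01Z host=db01 user=carol result=failure src=10.0.9.9
"""

# Explicit authorization (constructed): the hosts each user may log on to.
# Anything not listed is, in the sense of 9.7.2, not an authorized activity.
AUTHORIZED_HOSTS = {
    "alice": {"db01"},
    "bob": {"db01", "billing"},
}

FAILURE_THRESHOLD = 3                  # this many failed log-ons ...
FAILURE_WINDOW = timedelta(minutes=5)  # ... inside this window is a finding

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return (events, unparsed_count). Each event is a dict with a datetime 'ts'."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events, unparsed


def repeated_failures(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """(user, first_failure_time) for each user with >= threshold failures
    inside any sliding window of the given length."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "failure":
            by_user[ev["user"]].append(ev["ts"])
    findings = []
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings.append((user, times[i]))
                break  # one finding per user is enough for the review
    return sorted(findings)


def unauthorized_successes(events, authorized=AUTHORIZED_HOSTS):
    """(user, host, time) for successful log-ons to hosts the user is not authorized for."""
    return [
        (ev["user"], ev["host"], ev["ts"])
        for ev in events
        if ev["result"] == "success"
        and ev["host"] not in authorized.get(ev["user"], set())
    ]


if __name__ == "__main__":
    events, unparsed = parse_log(SAMPLE_LOG)
    print("unparsed lines:", unparsed)
    for user, first in repeated_failures(events):
        print(f"repeated failures: {user} starting {first.isoformat()}")
    for user, host, when in unauthorized_successes(events):
        print(f"unauthorized log-on: {user} on {host} at {when.isoformat()}")
```

On the sample above the script reports bob (three failures in 73 seconds) and alice's successful log-on to billing, and ignores carol's two failures six hours apart. Both checks depend on the clocks of the logging hosts agreeing, which is the point of 9.7.3.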

9.8.2 Teleworking (continued)
    Audit question: Whether suitable protection of the teleworking site is in place against threats such as theft of equipment and unauthorized disclosure of information.
    HIPAA privacy policy impact: Workforce, Safeguards

System development and maintenance

10.1 Security requirements of systems

10.1.1 Security requirements analysis and specification
    Audit question: Whether security requirements are incorporated in the business requirements statement for new systems and for enhancements to existing systems. The security requirements and controls identified should reflect the business value of the information assets involved and the consequences of a failure of security. Whether risk assessments are completed before system development begins.
    HIPAA privacy policy impact: Safeguards

10.2 Security in application systems

10.2.1 Input data validation
    Audit question: Whether data input to application systems is validated to ensure that it is correct and appropriate. Whether controls such as checks on the different types of input for error conditions, procedures for responding to validation errors, and defined responsibilities for all personnel involved in the data input process are considered.
    HIPAA privacy policy impact: Safeguards

10.2.2 Control of internal processing
    Audit question: Whether areas of risk in the processing cycle are identified and validation checks included. In some cases data that has been entered correctly can be corrupted by processing errors or through deliberate acts. Whether appropriate controls are identified for applications to mitigate the risks of internal processing. The controls depend on the nature of the application and the business impact of any corruption of data.
    HIPAA privacy policy impact: Safeguards

10.2.3 Message authentication
    Audit question: Whether an assessment of security risk was carried out to determine if message authentication is required, and to identify the most appropriate method of implementation if it is. Message authentication is a technique used to detect unauthorized changes to, or corruption of, the contents of a transmitted electronic message.

10.2.4 Output data validation
    Audit question: Whether the data output of application systems is validated to ensure that the processing of stored information is correct and appropriate to the circumstances.
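10.2.3 leaves the method open. As an added example, not code from the checklist, the following shows message authentication with an HMAC: the sender appends a tag computed over a nonce and the message, the receiver recomputes the tag and compares it in constant time, and any change to the message, a truncated frame, a wrong key or a replayed nonce is rejected. HMAC-SHA256, the 16-byte nonce, the frame layout and the demo key are assumptions made for the example; the sample message is constructed.

```python
"""Message authentication (ISO 17799 10.2.3), as an added example.

Not code from the checklist. Assumptions: HMAC-SHA256 keyed with a secret
shared by sender and receiver (the standard names no algorithm); the frame
layout nonce || message || tag is an illustrative format, not a real
protocol; the key and messages are constructed."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 digest length


def protect(key: bytes, message: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Sender: tag = HMAC-SHA256(key, nonce || message); send nonce || message || tag.
    The nonce is under the tag, so it cannot be swapped without detection."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    tag = hmac.new(key, nonce + message, hashlib.sha256).digest()
    return nonce + message + tag


def verify(key: bytes, frame: bytes,
           seen_nonces: Optional[set] = None) -> Tuple[bool, Optional[bytes]]:
    """Receiver: return (True, message) if the tag checks, else (False, None).
    Rejects frames too short to hold a nonce and tag, any tag mismatch
    (compared in constant time), and, when seen_nonces is supplied, a
    nonce that has already been accepted (replay)."""
    if len(frame) < NONCE_LEN + TAG_LEN:
        return False, None
    nonce = frame[:NONCE_LEN]
    body = frame[NONCE_LEN:-TAG_LEN]
    tag = frame[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, None
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return False, None
        seen_nonces.add(nonce)
    return True, body


def tamper(frame: bytes, offset: int, new_byte: int) -> bytes:
    """Simulate in-transit corruption or a deliberate change of one message byte."""
    buf = bytearray(frame)
    buf[NONCE_LEN + offset] = new_byte
    return bytes(buf)


if __name__ == "__main__":
    key = b"\x01" * 32  # constructed demo key; in practice use os.urandom(32) shared out of band
    msg = b'{"claim":"12345","amount":"100.00"}'
    frame = protect(key, msg)
    print(verify(key, frame))                                       # (True, msg)
    print(verify(key, tamper(frame, msg.index(b"100"), ord("9"))))  # (False, None)
```

The HMAC gives integrity and origin authentication between the two key holders only; it does not provide the non-repudiation that 10.3.4 asks about, because either party could have produced the tag. Where a third party must be able to attribute the message, a digital signature (10.3.3) is the appropriate control.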

10.3 Cryptographic controls

10.3.1 Policy on use of cryptographic controls
    Audit question: Whether a policy on the use of cryptographic controls for the protection of information is in place. Whether a risk assessment was carried out to identify the level of protection the information should be given.
    HIPAA privacy policy impact: Safeguards

10.3.2 Encryption
    Audit question: Whether encryption techniques are used to protect the data. Whether assessments were conducted to analyse the sensitivity of the data and the level of protection needed.
    HIPAA privacy policy impact: Safeguards

10.3.3 Digital signatures
    Audit question: Whether digital signatures are used to protect the authenticity and integrity of electronic documents.
    HIPAA privacy policy impact: Safeguards

10.3.4 Non-repudiation services
    Audit question: Whether non-repudiation services are used where it might be necessary to resolve disputes about the occurrence or non-occurrence of an event or action. Example: a dispute involving the use of a digital signature on an electronic payment or contract.

10.3.5 Key management
    Audit question: Whether a management system is in place to support the organization's use of cryptographic techniques, such as secret key and public key techniques. Whether the key management system is based on an agreed set of standards, procedures and secure methods.

10.4 Security of system files

10.4.1 Control of operational software
    Audit question: Whether there are controls over the implementation of software on operational systems, to minimize the risk of corruption of operational systems.
    HIPAA privacy policy impact: Safeguards

10.4.2 Protection of system test data
    Audit question: Whether system test data is protected and controlled. The use of operational databases containing personal information for test purposes should be avoided; if such information is used, the data should be depersonalized before use.
    HIPAA privacy policy impact: De-identification, Business Associate Agreements, Incidental Disclosures

10.4.3 Access control to program source library
    Audit question: Whether strict controls are in place over access to program source libraries, to reduce the potential for corruption of computer programs.

10.5 Security in development and support processes

ISO 17799 Audit Check List to Information Security & Privacy Management
Columns: Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? (the last two columns are left blank for the auditor to complete)
10.5 Security in development and support processes

10.5.1 Change control procedures
Audit question: Whether there are strict control procedures in place over the implementation of changes to the information system. This is to minimize the corruption of information systems.
Possible HIPAA privacy policy impact: none listed

10.5.2 Technical review of operating system changes
Audit question: Whether there is a process or procedure in place to ensure that application systems are reviewed and tested after a change to the operating system. Periodically it is necessary to upgrade the operating system, i.e., to install service packs, patches, hot fixes etc.
Possible HIPAA privacy policy impact: none listed

10.5.3 Restrictions on changes to software packages
Audit question: Whether there are any restrictions in place to limit changes to software packages. As far as possible, vendor-supplied software packages should be used without modification. If changes are deemed essential, the original software should be retained and the changes applied only to a clearly identified copy. All changes should be fully tested and documented so that they can be reapplied if necessary to future software upgrades.
Possible HIPAA privacy policy impact: none listed

10.5.4 Covert channels and Trojan code
Audit question: Whether there are controls in place to ensure that covert channels and Trojan code are not introduced into new or upgraded systems. A covert channel can expose information by some indirect and obscure means. Trojan code is designed to affect a system in a way that is not authorized.
Possible HIPAA privacy policy impact: none listed

10.5.5 Outsourced software development
Audit question: Whether there are controls in place over outsourced software development. The points to be noted include: licensing arrangements, escrow arrangements, contractual requirements for quality assurance, and testing before installation to detect Trojan code.
Possible HIPAA privacy policy impact: Business Associate Agreements

11 Business continuity management

11.1 Aspects of business continuity management

11.1.1 Business continuity management process
Audit question: Whether there is a managed process in place for developing and maintaining business continuity throughout the organization. This might include an organization-wide business continuity plan, regular testing and updating of the plan, and formulating and documenting a business continuity strategy.
Possible HIPAA privacy policy impact: Safeguards

11.1.2 Business continuity and impact analysis
Audit question: Whether events that could cause interruptions to business processes were identified (for example, equipment failure, flood and fire). Whether a risk assessment was conducted to determine the impact of such interruptions. Whether a strategy plan was developed, based on the risk assessment results, to determine an overall approach to business continuity.
Possible HIPAA privacy policy impact: Safeguards

11.1.3 Writing and implementing continuity plans
Audit question: Whether plans were developed to restore business operations within the required time frame following an interruption or failure of a business process. Whether the plan is regularly tested and updated.
Possible HIPAA privacy policy impact: Safeguards

11.1.4 Business continuity planning framework
Audit question: Whether there is a single framework of business continuity plans. Whether this framework is maintained to ensure that all plans are consistent and to identify priorities for testing and maintenance. Whether it identifies the conditions for activation and the individuals responsible for executing each component of the plan.
Possible HIPAA privacy policy impact: Safeguards

11.1.5 Testing, maintaining and re-assessing business continuity plans
Audit question: Whether business continuity plans are tested regularly to ensure that they are up to date and effective. Whether business continuity plans are maintained by regular reviews and updates to ensure their continuing effectiveness. Whether procedures are included within the organization's change management program to ensure that business continuity matters are appropriately addressed.
Possible HIPAA privacy policy impact: Safeguards

12 Compliance

12.1 Compliance with legal requirements

12.1.1 Identification of applicable legislation
Audit question: Whether all relevant statutory, regulatory and contractual requirements were explicitly defined and documented for each information system. Whether the specific controls and individual responsibilities to meet these requirements were defined and documented.
Possible HIPAA privacy policy impact: Privacy Protections, Safeguards, Workforce

12.1.2 Intellectual property rights (IPR)
Audit question: Whether procedures exist to ensure compliance with legal restrictions on the use of material in respect of which there may be intellectual property rights, such as copyright, design rights and trade marks, and whether those procedures are well implemented. Whether proprietary software products are supplied under a license agreement that limits the use of the products to specified machines; the only exception might be for making the organization's own back-up copies of the software.
Possible HIPAA privacy policy impact: Privacy Protections

12.1.3 Safeguarding of organizational records
Audit question: Whether important records of the organization are protected from loss, destruction and falsification.
Possible HIPAA privacy policy impact: Safeguards

12.1.4 Data protection and privacy of personal information
Audit question: Whether there is a management structure and controls in place to protect data and the privacy of personal information.
Possible HIPAA privacy policy impact: Privacy Official, Privacy Protections, Safeguards

12.1.5 Prevention of misuse of information processing facilities
Audit question: Whether use of information processing facilities for any non-business or unauthorized purpose, without management approval, is treated as improper use of the facility. Whether at log-on a warning message is presented on the computer screen indicating that the system being entered is private and that unauthorized access is not permitted.
Possible HIPAA privacy policy impact: Safeguards

12.1.6 Regulation of cryptographic controls
Audit question: Whether the regulation of cryptographic controls is in accordance with sector and national agreements.
Possible HIPAA privacy policy impact: none listed

12.1.7 Collection of evidence
Audit question: Whether the process involved in collecting evidence is in accordance with legal and industry best practice.
Possible HIPAA privacy policy impact: Safeguards

12.2 Reviews of security policy and technical compliance

12.2.1 Compliance with security policy
Audit question: Whether all areas within the organization are considered for regular review to ensure compliance with security policy, standards and procedures.
Possible HIPAA privacy policy impact: Safeguards

12.2.2 Technical compliance checking
Audit question: Whether information systems are regularly checked for compliance with security implementation standards. Whether the technical compliance check is carried out by, or under the supervision of, competent, authorized persons.
Possible HIPAA privacy policy impact: Safeguards

12.3 System audit considerations

12.3.1 System audit controls
Audit question: Whether audit requirements and activities involving checks on operational systems are carefully planned and agreed to minimize the risk of disruption to business processes.
Possible HIPAA privacy policy impact: Safeguards

12.3.2 Protection of system audit tools
Audit question: Whether access to system audit tools, such as software or data files, is protected to prevent any possible misuse or compromise.
Possible HIPAA privacy policy impact: Safeguards
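Item 12.2.2 asks whether information systems are regularly checked for compliance with security implementation standards; in practice that check is a comparison of live configuration against a written baseline. The Go program below is an added example, not part of the checklist and not a requirement of ISO 17799 or HIPAA: it parses a constructed sshd_config-style excerpt, resolves directives the way sshd does (case-insensitive names, first occurrence wins), and reports every directive that is absent or differs from an assumed baseline. The baseline values and the sample configuration are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Baseline is an assumed implementation standard for one configuration
// file: each directive (lower-cased) and the value it must carry.
// These values are chosen for the example, not taken from the checklist.
var Baseline = map[string]string{
	"permitrootlogin":        "no",
	"passwordauthentication": "no",
	"x11forwarding":          "no",
	"maxauthtries":           "4",
}

// Finding records one deviation between the live configuration and the baseline.
type Finding struct {
	Directive string
	Expected  string
	Actual    string // "" when the directive is absent and the daemon default applies
}

// parseConfig reads "Directive value" lines, skipping comments and blanks.
// Directive names are lower-cased because sshd matches them case-insensitively,
// and a repeated directive keeps its first value, as sshd does.
func parseConfig(text string) map[string]string {
	cfg := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		key := strings.ToLower(fields[0])
		if _, seen := cfg[key]; !seen {
			cfg[key] = strings.Join(fields[1:], " ")
		}
	}
	return cfg
}

// CheckCompliance compares the parsed configuration against the baseline and
// returns the deviations sorted by directive so that reports are stable.
func CheckCompliance(text string, baseline map[string]string) []Finding {
	cfg := parseConfig(text)
	var findings []Finding
	for directive, want := range baseline {
		got, present := cfg[directive]
		if !present || !strings.EqualFold(got, want) {
			findings = append(findings, Finding{Directive: directive, Expected: want, Actual: got})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Directive < findings[j].Directive })
	return findings
}

// sampleConfig is a constructed sshd_config excerpt for the example, not from a real host.
const sampleConfig = `
# constructed sample configuration
Port 22
PermitRootLogin yes
PasswordAuthentication no
# X11Forwarding deliberately left unset so the daemon default applies
MaxAuthTries 6
`

func main() {
	findings := CheckCompliance(sampleConfig, Baseline)
	if len(findings) == 0 {
		fmt.Println("COMPLIANT: all baseline directives match")
		return
	}
	for _, f := range findings {
		actual := f.Actual
		if actual == "" {
			actual = "(not set)"
		}
		fmt.Printf("NONCOMPLIANT %-24s expected %q, found %s\n", f.Directive, f.Expected, actual)
	}
}
```

Treating an absent directive as a finding rather than silently accepting the daemon default is deliberate: a baseline that only checks values that happen to be present cannot distinguish a hardened host from one that was never configured.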
