Security Assessment Tools

Uploaded by lijanan, posted 05-Apr-2018

7/31/2019 Security Assessment Tools

HIPAA Security Rule Standards and Implementation Specifications

Item | HIPAA Citation | HIPAA Security Rule Standard / Implementation Specification | Implementation | Requirement Description

SECURITY STANDARDS: GENERAL RULES
1 | 164.306(a) | Ensure Confidentiality, Integrity and Availability | - | Ensure CIA and protect against threats
2 | 164.306(b) | Flexibility of Approach | - | Reasonably consider factors in security compliance
3 | 164.306(c) | Standards | - | CEs must comply with standards
4 | 164.306(d) | Implementation Specifications | - | Required and Addressable implementation specifications
5 | 164.306(e) | Maintenance | - | Ongoing review and modification of security measures

ADMINISTRATIVE SAFEGUARDS
6 | 164.308(a)(1)(i) | Security Management Process | - | P&P to manage security violations
7 | 164.308(a)(1)(ii)(A) | Risk Analysis | Required | Conduct vulnerability assessment
8 | 164.308(a)(1)(ii)(B) | Risk Management | Required | Implement security measures to reduce risk
9 | 164.308(a)(1)(ii)(C) | Sanction Policy | Required | Worker sanction for P&P violations
10 | 164.308(a)(1)(ii)(D) | Information System Activity Review | Required | Procedures to review system activity
11 | 164.308(a)(2) | Assigned Security Responsibility | - | Identify security official responsible for P&P
12 | 164.308(a)(3)(i) | Workforce Security | - | Implement P&P to ensure appropriate PHI access
13 | 164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable | Authorization/supervision for PHI access
14 | 164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable | Procedures to ensure appropriate PHI access
15 | 164.308(a)(3)(ii)(C) | Termination Procedures | Addressable | Procedures to terminate PHI access
16 | 164.308(a)(4)(i) | Information Access Management | - | P&P to authorize access to PHI
17 | 164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | Required | P&P to separate PHI from other operations
18 | 164.308(a)(4)(ii)(B) | Access Authorization | Addressable | P&P to authorize access to PHI
19 | 164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable | P&P to grant access to PHI
20 | 164.308(a)(5)(i) | Security Awareness Training | - | Training program for workers and managers
21 | 164.308(a)(5)(ii)(A) | Security Reminders | Addressable | Distribute periodic security updates
22 | 164.308(a)(5)(ii)(B) | Protection from Malicious Software | Addressable | Procedures to guard against malicious software
23 | 164.308(a)(5)(ii)(C) | Log-in Monitoring | Addressable | Procedures and monitoring of log-in attempts
24 | 164.308(a)(5)(ii)(D) | Password Management | Addressable | Procedures for password management
25 | 164.308(a)(6)(i) | Security Incident Procedures | - | P&P to manage security incidents
26 | 164.308(a)(6)(ii) | Response and Reporting | Required | Mitigate and document security incidents
27 | 164.308(a)(7)(i) | Contingency Plan | - | Emergency response P&P
28 | 164.308(a)(7)(ii)(A) | Data Backup Plan | Required | Data backup planning & procedures
29 | 164.308(a)(7)(ii)(B) | Disaster Recovery Plan | Required | Data recovery planning & procedures
30 | 164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Required | Business continuity procedures
31 | 164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Addressable | Contingency planning periodic testing procedures
32 | 164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Addressable | Prioritize data and system criticality for contingency planning
33 | 164.308(a)(8) | Evaluation | - | Periodic security evaluation
34 | 164.308(b)(1) | Business Associate Contracts and Other Arrangements | - | CE implements BACs to ensure safeguards
35 | 164.308(b)(4) | Written Contract | Required | Implement compliant BACs

PHYSICAL SAFEGUARDS


Assessment worksheet rating scale (only the last entries of the drop-down survived extraction):

  180 Days - Later (High Risk and Low Urgency)
  Not applicable - No action required
  Done

Score values: 100, 75, 50, 25, N/A


Assessment worksheet columns: Full Regulatory Text | Finding | Rating Criteria | Impact & Analysis | Risk Re


Responsibility Matrix

Columns in the original sheet: HIPAA Citation | HIPAA Security Rule Standard / Implementation Specification | role assignments for Privacy Officer, Compliance Office, Security Officer, IT Managers, Network Administrator, End Users with PHI Access and Human Resources | Implementation | Requirement Description. The cell-to-role alignment was lost in extraction, so the role tokens of each row are listed in the order they appeared (some are cut off at the column edge).

HIPAA Citation | Standard / Implementation Specification | Implementation | Requirement Description | Role tokens

164.306(a) | Ensure Confidentiality, Integrity and Availability | - | Ensure CIA and protect against threats |
164.306(b) | Flexibility of Approach | - | Reasonably consider factors in security compliance |
164.306(c) | Standards | - | CEs must comply with standards |
164.306(d) | Implementation Specifications | - | Required and Addressable implementation specifications |
164.306(e) | Maintenance | - | Ongoing review and modification of security measures |

ADMINISTRATIVE SAFEGUARDS
164.308(a)(1)(i) | Security Management Process | - | P&P to manage security violations | Awareness, Notification, Policy, Procedures, Procedures
164.308(a)(1)(ii)(A) | Risk Analysis | Required | Conduct vulnerability assessment | Awareness, Notification, Oversee, Assessment, Assess
164.308(a)(1)(ii)(B) | Risk Management | Required | Implement security measures to reduce risk | Awareness, Notification, Policy, Procedures, Measures
164.308(a)(1)(ii)(C) | Sanction Policy | Required | Worker sanction for P&P violations | Records, Policy, Management, Records
164.308(a)(1)(ii)(D) | Information System Activity Review | Required | Procedures to review system activity | Event Rept., Event Rept., Sys Audit
164.308(a)(2) | Assigned Security Responsibility | - | Identify security official responsible for P&P | Authority
164.308(a)(3)(i) | Workforce Security | - | Implement P&P to ensure appropriate PHI access | Policy, Manage
164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable | Authorization/supervision for PHI access | Policy, Authorize, Supervision
164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable | Procedures to ensure appropriate PHI access | Policy, Clearance
164.308(a)(3)(ii)(C) | Termination Procedures | Addressable | Procedures to terminate PHI access | Policy, Manage, Procedures
164.308(a)(4)(i) | Information Access Management | - | P&P to authorize access to PHI | Awareness, Job Desc., Awareness, Awareness, Awareness
164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | Required | P&P to separate PHI from other operations |
164.308(a)(4)(ii)(B) | Access Authorization | Addressable | P&P to authorize access to PHI |
164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable | P&P to grant access to PHI | Change Form
164.308(a)(5)(i) | Security Awareness Training | - | Training program for workers and managers |
164.308(a)(5)(ii)(A) | Security Reminders | Addressable | Distribute periodic security updates | Sec. Training
164.308(a)(5)(ii)(B) | Protection from Malicious Software | Addressable | Procedures to guard against malicious software | Sec. Training
164.308(a)(5)(ii)(C) | Log-in Monitoring | Addressable | Procedures and monitoring of log-in attempts | Sec. Training
164.308(a)(5)(ii)(D) | Password Management | Addressable | Procedures for password management | Sec. Training
164.308(a)(6)(i) | Security Incident Procedures | - | P&P to manage security incidents |
164.308(a)(6)(ii) | Response and Reporting | Required | Mitigate and document security incidents | Incident Rep., Incident Rep., Monitoring, Incident Rep.
164.308(a)(7)(i) | Contingency Plan | - | Emergency response P&P | BCP, Recovery
164.308(a)(7)(ii)(A) | Data Backup Plan | Required | Data backup planning & procedures | Planning
164.308(a)(7)(ii)(B) | Disaster Recovery Plan | Required | Data recovery planning & procedures | Planning
164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Required | Business continuity procedures | Plan
164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Addressable | Contingency planning periodic testing procedures | Policy, Oversight, Test. P
164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Addressable | Prioritize data and system criticality for contingency planning | Awareness, Notification, Oversee, Assessment, Assess
164.308(a)(8) | Evaluation | - | Periodic security evaluation | Awareness, Notification, Oversee, Assessment, Assess
164.308(b)(1) | Business Associate Contracts and Other Arrangements | - | CE implements BACs to ensure safeguards | BAC Mgmt.
164.308(b)(4) | Written Contract | Required | Implement compliant BACs |

PHYSICAL SAFEGUARDS
164.310(a)(1) | Facility Access Controls | - | | Policy, Policy
164.310(a)(2)(i) | Contingency Operations | Addressable | | Notification, Notification
(rows 164.310(a)(2)(ii) through 164.310(b) were not captured in the extraction)
164.310(c) | Workstation Security | - | Physical safeguards for workstation access | Sec. Training
164.310(d)(1) | Device and Media Controls | - | P&P to govern receipt and removal of hardware | Sec. Training
164.310(d)(2)(i) | Disposal | Required | P&P to manage media and equipment disposal | Sec. Training
164.310(d)(2)(ii) | Media Re-use | Required | P&P to remove PHI from media and equipment | Sec. Training
164.310(d)(2)(iii) | Accountability | Addressable | Document hardware and media movement | Sec. Training
164.310(d)(2)(iv) | Data Backup and Storage | Addressable | Backup PHI before moving equipment | Notification, Oversight, Mgmt., Administ

TECHNICAL SAFEGUARDS
164.312(a)(1) | Access Control | - | Technical (administrative) P&P to manage PHI access |
164.312(a)(2)(i) | Unique User Identification | Required | Assign unique IDs to support tracking | Administ, Sec. Training
164.312(a)(2)(ii) | Emergency Access Procedure | Required | Procedures to support emergency access | Policy, Mgmt., Administ, Awareness
164.312(a)(2)(iii) | Automatic Logoff | Addressable | Session termination mechanisms | Policy, Mgmt., Administ, Sec. Training
164.312(a)(2)(iv) | Encryption and Decryption | Addressable | Mechanism for encryption of stored PHI | Notification, Policy, Mgmt., Administ
164.312(b) | Audit Controls | - | Procedures and mechanisms for monitoring | Notification, Policy, Mgmt., Administ
164.312(c)(1) | Integrity | - | P&P to safeguard PHI from unauthorized alteration | Notification, Policy, Mgmt., Administ
164.312(c)(2) | Mechanism to Authenticate Electronic Protected Health Information | Addressable | Mechanisms to corroborate PHI not altered | Plan, Mgmt., Administ
164.312(d) | Person or Entity Authentication | - | Procedures to verify identities | Policy, Mgmt., Administ
164.312(e)(1) | Transmission Security | - | Measures to guard against unauthorized access | Policy, Mgmt., Administ
164.312(e)(2)(i) | Integrity Controls | Addressable | Measures to ensure integrity of PHI in transit | Policy, Mgmt., Administ
164.312(e)(2)(ii) | Encryption | Addressable | Mechanism for encryption of transmitted PHI | Awareness, Policy, Policy, Mgmt., Administ, Sec. Training

ORGANIZATIONAL REQUIREMENTS
164.314(a)(1) | Business Associate Contracts or Other Arrangements | - | CE must ensure BA safeguards PHI | Awareness, Oversight, Oversight, Mgmt.
164.314(a)(2) | Business Associate Contracts | Required | BACs must contain security language |
164.314(b)(1) | Requirements for Group Health Plans | - | Plan documents must reflect security safeguards |
164.314(b)(2)(i) | Implement Safeguards | Required | Plan sponsor to implement safeguards |
164.314(b)(2)(ii) | Ensure Adequate Separation | Required | Security measures to separate PHI from plan sponsor |
164.314(b)(2)(iii) | Ensure Agents Safeguard | Required | Ensure subcontractors safeguard PHI |
164.314(b)(2)(iv) | Report Security Incidents | Required | Plan sponsors report breaches to health plan | Awareness, Notification, Oversight, Mgmt.
164.316(a) | Policies and Procedures | - | P&P to ensure safeguards to PHI | Policy, Procedures, Mgmt., Administ
164.316(b)(1) | Documentation | Required | Document P&P and actions & activities |
164.316(b)(2)(i) | Time Limit | Required | Retain documentation for 6 years |
164.316(b)(2)(ii) | Availability | Required | Documentation available to system administrators |
164.316(b)(2)(iii) | Updates | Required | Review and update documentation periodically |


Full Regulatory Text (worksheet column; entries that ran past the column edge are left as extracted, each prefixed with its citation)

164.306(a): (a) General requirements. Covered entities must do the following:
164.306(b): (b) Flexibility of approach.
164.306(c): (c) Standards. A covered entity must comply with the standards as provided in this section and in 164.308,
164.306(d): (d) Implementation specifications.
164.306(e): (e) Maintenance. Security measures implemented to comply with standards and implementation specifications adopted under 164.105 and this subpart must be reviewed and modified as needed to co

164.308(a)(1)(i): Implement policies and procedures to prevent, detect, contain and correct security violations.
164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health informatio
164.308(a)(1)(ii)(B): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).
164.308(a)(1)(ii)(C): Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
164.308(a)(1)(ii)(D): Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
164.308(a)(2): Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.
164.308(a)(3)(i): Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragra
164.308(a)(3)(ii)(A): Implement procedures for authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be acce
164.308(a)(3)(ii)(B): Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
164.308(a)(3)(ii)(C): Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determination m
164.308(a)(4)(i): Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this p
164.308(a)(4)(ii)(A): If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health informatio
164.308(a)(4)(ii)(B): Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, proces
164.308(a)(4)(ii)(C): Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstati
164.308(a)(5)(i): Implement a security awareness and training program for all members of its workforce (including management).
164.308(a)(5)(ii)(A): Periodic security updates.
164.308(a)(5)(ii)(B): Procedures for guarding against, detecting, and reporting malicious software.
164.308(a)(5)(ii)(C): Procedures for monitoring log-in attempts and reporting discrepancies.
164.308(a)(5)(ii)(D): Procedures for creating, changing, and safeguarding passwords.
164.308(a)(6)(i): Implement policies and procedures to address security incidents.
164.308(a)(6)(ii): Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; an
164.308(a)(7)(i): Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural d
164.308(a)(7)(ii)(A): Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
164.308(a)(7)(ii)(B): Establish (and implement as needed) procedures to restore loss of data.
164.308(a)(7)(ii)(C): Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information
164.308(a)(7)(ii)(D): Implement procedures for periodic testing and revision of contingency plans.
164.308(a)(7)(ii)(E): Assess the relative criticality of specific applications and data in support of other contingency plan components.
164.308(a)(8): Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or o
164.308(b)(1): A covered entity, in accordance with 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the cover
164.308(b)(4): Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the

164.310(a)(1): Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that prop
164.310(a)(2)(i): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operat
164.310(a)(2)(ii): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
164.310(a)(2)(iii): Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software
164.310(c): Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
164.310(d)(1): Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a fac
164.310(d)(2)(i): Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
164.310(d)(2)(ii): Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
164.310(d)(2)(iii): Maintain a record of the movements of hardware and electronic media and any person responsible therefor.
164.310(d)(2)(iv): Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

164.312(a)(1): Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or soft
164.312(a)(2)(i): Assign a unique name and/or number for identifying and tracking user identity.
164.312(a)(2)(ii): Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
164.312(a)(2)(iii): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
164.312(a)(2)(iv): Implement a mechanism to encrypt and decrypt electronic protected health information.
164.312(b): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information
164.312(c)(1): Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
164.312(c)(2): Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
164.312(d): Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
164.312(e)(1): Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communicatio
164.312(e)(2)(i): Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
164.312(e)(2)(ii): Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

164.314(a)(1): (i) The contract or other arrangement between the covered entity and its business associate required by
164.314(a)(2): (i) Business associate contracts. The contract between a covered entity and a business associate must provide that the business associate will--
164.314(b)(1): Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to 164.504(f)(1)(ii) or (iii), or as authorized under 164.508, a gr
164.314(b)(2): The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to--
164.314(b)(2)(ii): Ensure that the adequate separation required by
164.314(b)(2)(iii): Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the informat
164.314(b)(2)(iv): Report to the group health plan any security incident of which it becomes aware.

164.316(a): A covered entity must, in accordance with 164.306: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications
164.316(b)(1): Documentation.
164.316(b)(2)(i): Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
164.316(b)(2)(ii): Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
164.316(b)(2)(iii): Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health informati


ISO 17799 Cross-Reference

Applicable ISO 17799 Standard(s) & References | HIPAA Citation | Standard / Implementation Specification | Implementation

SECURITY STANDARDS: GENERAL RULES
12.1.4 | 164.306(a) | Ensure Confidentiality, Integrity and Availability | -
(none) | 164.306(b) | Flexibility of Approach | -
12.1.1, 10.1.1 | 164.306(c) | Standards | -
(none) | 164.306(d) | Implementation Specifications | -
(none) | 164.306(e) | Maintenance | -

ADMINISTRATIVE SAFEGUARDS
10.1.1 | 164.308(a)(1)(i) | Security Management Process | -
7.1.5, 10.3.1, 10.2.3, 11.1.2, 9.4.1, 9.4.2, 3.1.2, 5.1.1, 6.3.4, 8.2.1, 9.4.3, 9.4.5, 9.4.6, 9.4.7, 9.4.8, 9.4.9, 9.6.2, 10.1.1, 10.4.3 | 164.308(a)(1)(ii)(A) | Risk Analysis | Required
6.3.4, 8.1.1, 4.1.2, 3.1.1, 3.1.2, 4.1.1, 5.1.1, 8.1.4, 8.2.1, 8.5.1, 8.6.4, 9.4.4-9.4.9, 9.6.2, 9.7.1, 10.1.1, 11.1.1, 10.4.3, 12.2.2, 12.1.9 | 164.308(a)(1)(ii)(B) | Risk Management | Required
6.3.5, 11.1.2 | 164.308(a)(1)(ii)(C) | Sanction Policy | Required
6.3.5, 9.7.1, 9.7.2, 12.2.1, 12.2.2, 12.3.1, 12.3.2, 6.3.4, 8.1.1, 8.2.2, 10.4.3, 10.5.4, 10.3.4, 10.5.1-10.5.5, 12.1.5 | 164.308(a)(1)(ii)(D) | Information System Activity Review | Required
3.1.2, 4.1.3, 4.1.5, 4.1.1, 4.1.2 | 164.308(a)(2) | Assigned Security Responsibility | -
9.6.1 | 164.308(a)(3)(i) | Workforce Security | -
8.1.4, 9.2.1, 9.2.2, 9.4.2, 9.8.2, 10.4.3 | 164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable
6.1.2, 6.1.4 | 164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable
6.1.2, 6.1.4 | 164.308(a)(3)(ii)(C) | Termination Procedures | Addressable
9.6.1, 9.5.3, 9.2.2, 10.4.3 | 164.308(a)(4)(i) | Information Access Management | -
4.2.1 | 164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | Required
9.1.1, 9.2.2, 9.4.1, 9.6.2, 9.2.1, 8.1.4, 5.2.1 | 164.308(a)(4)(ii)(B) | Access Authorization | Addressable
8.1.4, 9.1.1, 9.2.2, 9.2.4, 9.4.1, 9.5.2, 9.5.3, 9.6.2, 8.6.4, 5.2.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 12.1.5 | 164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable
6.2.1, 8.7.7, 9.2.1, 9.2.2, 9.3.2, 9.8.1, 8.7.4, 12.1.5, 6.1.1, 6.1.3 | 164.308(a)(5)(i) | Security Awareness Training | -
6.2.1, 9.3.2, 6.1.1, 6.1.3 | 164.308(a)(5)(ii)(A) | Security Reminders | Addressable
8.3.1, 8.7.4, 4.1.4, 10.4.1, 10.4.2, 10.5.1-10.5.5 | 164.308(a)(5)(ii)(B) | Protection from Malicious Software | Addressable
8.4.2, 9.7.1, 9.7.2, 8.4.3 | 164.308(a)(5)(ii)(C) | Log-in Monitoring | Addressable
9.2.3, 9.3.1, 9.5.4 | 164.308(a)(5)(ii)(D) | Password Management | Addressable
8.1.3, 4.1.6 | 164.308(a)(6)(i) | Security Incident Procedures | -
6.3.1, 6.3.2, 6.3.4, 8.1.3 | 164.308(a)(6)(ii) | Response and Reporting | Required
11.1.1, 8.6.3, 4.1.6, 8.1.2 | 164.308(a)(7)(i) | Contingency Plan | -
8.1.1, 8.4.1, 11.1.3, 11.1.2, 8.6.3 | 164.308(a)(7)(ii)(A) | Data Backup Plan | Required
11.1.3 | 164.308(a)(7)(ii)(B) | Disaster Recovery Plan | Required
11.1.3 | 164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Required
7.2.2, 11.1.3, 11.1.5, 8.1.5, 7.2.3, 10.5.1-10.5.5 | 164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Addressable
11.1.2, 11.1.4, 8.1.5, 5.2.2, 8.1.2 | 164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Addressable
4.1.5, 9.7.2, 12.2.1, 12.2.2, 3.1.2, 6.3.4, 8.1.1, 8.2.2 | 164.308(a)(8) | Evaluation | -
4.2.1, 4.2.2, 4.3.1, 8.1.6, 12.1.1, 4.1.6, 8.2.1, 8.7.4 | 164.308(b)(1) | Business Associate Contracts and Other Arrangements | -
8.7.1, 4.3.1, 12.1.1 | 164.308(b)(4) | Written Contract | Required

PHYSICAL SAFEGUARDS
7.1.1-7.1.5, 12.1.3, 9.3.2 | 164.310(a)(1) | Facility Access Controls | -
7.2.2, 11.1.1, 11.1.3, 12.1.3, 4.1.7, 7.2.3, 7.2.4, 8.1.1 | 164.310(a)(2)(i) | Contingency Operations | Addressable
7.1.1, 7.1.3 | 164.310(a)(2)(ii) | Facility Security Plan | Addressable
7.1.2, 7.1.4, 9.1.1 | 164.310(a)(2)(iii) | Access Control and Validation Procedures | Addressable
7.2.4, 12.1.3 | 164.310(a)(2)(iv) | Maintenance Records | Addressable
2.2.4, 7.2.1, 8.6.1, 7.1.4, 7.2.4 | 164.310(b) | Workstation Use | -
7.2.1, 7.2.4, 8.6.2, 9.3.2, 7.3.2 | 164.310(c) | Workstation Security | -
5.1.1, 7.2.5, 7.3.2, 8.7.2, 8.6.7, 9.8.1, 8.5.1, 6.3.3 | 164.310(d)(1) | Device and Media Controls | -
7.2.6, 8.6.2 | 164.310(d)(2)(i) | Disposal | Required
7.2.6, 8.6.2 | 164.310(d)(2)(ii) | Media Re-use | Required
5.1.1, 7.3.2, 7.2.5, 8.7.2, 9.8.1 | 164.310(d)(2)(iii) | Accountability | Addressable
8.1.1, 8.4.1, 8.6.3, 12.1.3 | 164.310(d)(2)(iv) | Data Backup and Storage | Addressable

TECHNICAL SAFEGUARDS
9.1.1, 9.4.1, 9.6.1, 12.1.3 | 164.312(a)(1) | Access Control | -
9.2.1, 9.2.2 | 164.312(a)(2)(i) | Unique User Identification | Required
11.1.3 | 164.312(a)(2)(ii) | Emergency Access Procedure | Required
9.5.7, 9.5.8, 7.3.1 | 164.312(a)(2)(iii) | Automatic Logoff | Addressable
8.5.1, 8.7.4, 10.3.1, 10.3.2, 10.3.3, 12.1.6 | 164.312(a)(2)(iv) | Encryption and Decryption | Addressable
8.1.3, 8.6.2, 9.7.1, 9.7.2, 12.3.1, 12.3.2, 10.3.4, 9.7.3, 4.1.6, 4.1.7 | 164.312(b) | Audit Controls | -
12.1.3, 10.2.1, 10.4.2 | 164.312(c)(1) | Integrity | -
10.2.3, 8.1.6 | 164.312(c)(2) | Mechanism to Authenticate Electronic Protected Health Information | Addressable
9.4.3, 9.5.3, 8.7.6, 4.2.1, 9.2.1, 9.2.2, 10.2.1, 10.3.3 | 164.312(d) | Person or Entity Authentication | -
10.3.1, 10.3.4, 10.2.4, 4.2.1 | 164.312(e)(1) | Transmission Security | -
12.1.3, 10.3.4, 8.7.4, 7.2.3, 8.7.6, 9.4.3-9.4.9, 9.6.2, 10.2.2, 10.2.4, 10.4.3 | 164.312(e)(2)(i) | Integrity Controls | Addressable
8.5.1, 8.7.4, 10.3.1, 10.3.2, 10.3.3, 10.4.2, 12.1.6 | 164.312(e)(2)(ii) | Encryption | Addressable

ORGANIZATIONAL REQUIREMENTS
4.2.2, 4.3.1, 8.1.6, 12.1.1, 4.2.1, 8.2.1, 4.1.6 | 164.314(a)(1) | Business Associate Contracts or Other Arrangements | -
4.2.2, 4.3.1, 8.1.6, 8.7.1, 12.1.1, 8.7.4 | 164.314(a)(2) | Business Associate Contracts | Required
N/A | 164.314(b)(1) | Requirements for Group Health Plans | -
(not captured) | 164.314(b)(2)(i) | Implement Safeguards | Required
N/A | 164.314(b)(2)(ii) | Ensure Adequate Separation | Required
N/A | 164.314(b)(2)(iii) | Ensure Agents Safeguard | Required
N/A | 164.314(b)(2)(iv) | Report Security Incidents | Required
3.1.1, 8.1.1, 12.1.4 (Privacy 6.1.3, 7.3.1, 8.7.4, 8.7.7), 12.1.1, 9.8.2, 12.1.2, 12.2.1, 12.1.4 | 164.316(a) | Policies and Procedures | -
8.1.1, 12.1.1, 12.2.1 | 164.316(b)(1) | Documentation | Required
(none) | 164.316(b)(2)(i) | Time Limit | Required
(none) | 164.316(b)(2)(ii) | Availability | Required
4.1.7, 12.1.1 | 164.316(b)(2)(iii) | Updates | Required

Administrative Safeguards

| Standards | CFR Sections | Implementation Specifications |
|---|---|---|
| Security Management Process | 164.308(a)(1) | Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R) |
| Assigned Security Responsibility | 164.308(a)(2) | none (R) |
| Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A) |
| Information Access Management | 164.308(a)(4) | Isolating Healthcare Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A) |
| Security Awareness and Training | 164.308(a)(5) | Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A) |
| Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R) |
| Contingency Plan | 164.308(a)(7) | Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A) |

Physical Safeguards

| Standards | CFR Sections | Implementation Specifications |
|---|---|---|
| Workstation Use | 164.310(b) | none (R) |
| Workstation Security | 164.310(c) | none (R) |
| Device and Media Controls | 164.310(d)(1) | Media Disposal (R); Media Re-use (R); Media Accountability (A); Data Backup and Storage (during transfer) (A) |

Technical Safeguards

| Standards | CFR Sections | Implementation Specifications |
|---|---|---|
| Access Control | 164.312(a)(1) | Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (data at rest) (A) |
| Audit Controls | 164.312(b) | none (R) |
| Integrity | 164.312(c)(1) | Protection Against Improper Alteration or Destruction (A) |
| Person or Entity Authentication | 164.312(d) | none (R) |
| Transmission Security | 164.312(e)(1) | Integrity Controls (A); Encryption (FTP and Email over Internet) (A) |

NIST Resource Guide for Implementing HIPAA (DRAFT NIST SP 800-66, http://csrc.nist.gov/publications/drafts/DRAFT-sp800-66.pdf)

Publications are listed in the groups in which the guide cites them; a blank row separates one group from the next.

| NIST Publication # | Publication Title | URL |
|---|---|---|
| NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf |
| NIST SP 800-18 | Guide for Developing Security Plans for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-18/Planguide.PDF |
| NIST SP 800-26 | Security Self-Assessment Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf |
| NIST SP 800-27 | Engineering Principles for Information Technology Security (Baseline for Achieving Security) | http://csrc.nist.gov/publications/nistpubs/800-27/sp800-27.pdf |
| NIST SP 800-30 | Risk Management Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf |
| NIST SP 800-37 | Guide for the Security Certification and Accreditation of Federal Information Systems | http://csrc.nist.gov/publications/nistpubs/800-37/SP800-37-final.pdf |
| NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf |
| NIST SP 800-60 | Guide for Mapping Types of Information and Information Systems to Security Categories | http://csrc.nist.gov/publications/drafts/800-60v1f.pdf (Vol. 1); http://csrc.nist.gov/publications/drafts/sp800-60V2f.pdf (Vol. 2) |
| FIPS 199 | Standards for Security Categorization of Federal Information and Information Systems | http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf |
| | | |
| NIST SP 800-12 chapter 5 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf |
| NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf |
| NIST SP 800-26 | Security Self-Assessment Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf |
| NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf |
| | | |
| NIST SP 800-12 chapter 3 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf |
| NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf |
| NIST SP 800-26 | Security Self-Assessment Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf |
| NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf |
| | | |
| NIST SP 800-12 chapter 17 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf |
| NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf |
| NIST SP 800-18 | Guide for Developing Security Plans for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-18/Planguide.PDF |
| NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf |
| NIST SP 800-63 | Recommendation for Electronic Authentication | http://csrc.nist.gov/publications/drafts/draft-sp800-63.pdf |
| | | |
| NIST SP 800-12 chapter 17 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf |
| NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf |
| NIST SP 800-16 | IT Security Training Requirements: Role and Performance Based Model | http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf (part 1); http://csrc.nist.gov/publications/nistpubs/800-16/AppendixA-D.pdf (part 2); http://csrc.nist.gov/publications/nistpubs/800-16/Appendix_E.pdf (part 3) |
| NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf |
| | | |
| NIST SP 800-12 chapter 13 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf |
| NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf |
| NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf |
| | | |
| NIST SP 800-12 chapter 12 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf |
| NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf |
| NIST SP 800-18 | Guide for Developing Security Plans for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-18/Planguide.PDF |
| NIST SP 800-26 | Security Self-Assessment Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf |
| NIST SP 800-30 | Risk Management Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf |
| NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf |
| | | |
| NIST SP 800-34 | Contingency Planning Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf |
| NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf |
| | | |
| NIST SP 800-12 chapter 15 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf |
| NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf |
| NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf |
| | | |
| NIST SP 800-12 chapters 15 & 16 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf |
| NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf |
| NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf |
| | | |
| NIST SP 800-12 chapter 15 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf |
| NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf |
| NIST SP 800-34 | Contingency Planning Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf |
| NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf |
| | | |
| NIST SP 800-12 chapter 14 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf |
| NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf |
| NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf |
| NIST SP 800-56 | Recommendation on Key Establishment Schemes | http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html |
| NIST SP 800-57 | Recommendation on Key Management | http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html |
| NIST SP 800-63 | Recommendation for Electronic Authentication | http://csrc.nist.gov/publications/drafts/draft-sp800-63.pdf |
| FIPS 140-2 | Security Requirements for Cryptographic Modules | http://csrc.nist.gov/cryptval/140-2.htm |
| | | |
| NIST SP 800-12 chapter 17 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf |
| NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf |
| NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf |
| | | |
| NIST SP 800-12 chapter 18 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf |
| NIST SP 800-42 | Guideline on Network Security Testing | http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf |
| NIST SP 800-44 | Guidelines on Securing Public Web Servers | http://csrc.nist.gov/publications/nistpubs/800-44/sp800-44.pdf |
| NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf |
| | | |
| NIST SP 800-12 chapter 5 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf |
| NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf |
| NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf |
| NIST SP 800-63 | Recommendation for Electronic Authentication | http://csrc.nist.gov/publications/drafts/draft-sp800-63.pdf |
| | | |
| NIST SP 800-12 chapter 16 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf |
| NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf |
| NIST SP 800-42 | Guideline on Network Security Testing | http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf |
| NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf |
| NIST SP 800-63 | Recommendation for Electronic Authentication | http://csrc.nist.gov/publications/drafts/draft-sp800-63.pdf |
| FIPS 140-2 | Security Requirements for Cryptographic Modules | http://csrc.nist.gov/cryptval/140-2.htm |
| | | |
| NIST SP 800-12 chapters 16 & 19 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf |

ISO 17799 Audit Check List to Information Security & Privacy Management

Security Policy

| Standard | Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
|---|---|---|---|---|---|
| 3.1 Information security policy | 3.1.1 Information security policy document | Whether there exists an information security policy which is approved by management, published and communicated as appropriate to all employees. | Privacy Protections, Safeguards | | |
| | | Whether it states the management commitment and sets out the organizational approach to managing information security. | | | |
| | 3.1.2 Review and evaluation | Whether the security policy has an owner who is responsible for its maintenance and review according to a defined review process. | | | |
| | | Whether the process ensures that a review takes place in response to any changes affecting the basis of the original assessment, for example significant security incidents, new vulnerabilities, or changes to the organizational or technical infrastructure. | Privacy Protections | | |

Organizational Security

| Standard | Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
|---|---|---|---|---|---|
| 4.1 Information security infrastructure | 4.1.1 Management information security forum | Whether there is a management forum to ensure there is clear direction and visible management support for security initiatives within the organization. | | | |
| | 4.1.2 Information security coordination | Whether there is a cross-functional forum of management representatives from relevant parts of the organization to coordinate the implementation of information security controls. | Privacy Official | | |
| | 4.1.3 Allocation of information security responsibilities | Whether responsibilities for the protection of individual assets and for carrying out specific security processes were clearly defined. | | | |
| | 4.1.4 Authorization process for information processing facilities | Whether there is a management authorization process in place for any new information processing facility. This should include all new facilities such as hardware and software. | Privacy Protections | | |
| | 4.1.5 Specialist information security advice | Whether specialist information security advice is obtained where appropriate. A specific individual may be identified to co-ordinate in-house knowledge and experience to ensure consistency and provide help in security decision making. | Privacy Official | | |

| Standard | Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
|---|---|---|---|---|---|
| 4.1 Information security infrastructure (continued) | 4.1.6 Co-operation between organizations | Whether appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunication operators were maintained to ensure that appropriate action can be taken quickly and advice obtained in the event of a security incident. | Business Associate Agreements | | |
| | 4.1.7 Independent review of information security | Whether the implementation of the security policy is reviewed independently on a regular basis. This is to provide assurance that organizational practices properly reflect the policy, and that it is feasible and effective. | | | |
| 4.2 Security of third party access | 4.2.1 Identification of risks from third party access | Whether risks from third party access are identified and appropriate security controls implemented. | Business Associate Agreements | | |
| | | Whether the types of access are identified and classified, and the reasons for access are justified. | Business Associate Agreements | | |
| | 4.2.2 Security requirements in third party contracts | Whether there is a formal contract containing, or referring to, all the security requirements needed to ensure compliance with the organization's security policies and standards. | Business Associate Agreements | | |

| Standard | Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
|---|---|---|---|---|---|
| 4.3 Outsourcing | 4.3.1 Security requirements in outsourcing contracts | Whether security requirements are addressed in the contract with the third party when the organization has outsourced the management and control of all or some of its information systems, networks and/or desktop environments. | Business Associate Agreements | | |
| | | The contract should address how the legal requirements are to be met, how the security of the organization's assets is maintained and tested, the right of audit, physical security issues, and how the availability of the services is to be maintained in the event of a disaster. | Business Associate Agreements | | |

Asset classification and control

| Standard | Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
|---|---|---|---|---|---|
| 5.1 Accountability of assets | 5.1.1 Inventory of assets | Whether an inventory or register is maintained of the important assets associated with each information system. | | | |
| | | Whether each asset identified has an owner, a security classification defined and agreed, and its location identified. | | | |
| 5.2 Information classification | 5.2.1 Classification guidelines | Whether there is an information classification scheme or guideline in place which will assist in determining how the information is to be handled and protected. | Minimum Necessary, Use and Disclosure | | |
| | 5.2.2 Information labeling and handling | Whether an appropriate set of procedures is defined for information labeling and handling in accordance with the classification scheme adopted by the organization. | Minimum Necessary, Use and Disclosure | | |

Personnel Security

| Standard | Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
|---|---|---|---|---|---|
| 6.1 Security in job definition and resourcing | 6.1.1 Including security in job responsibilities | Whether security roles and responsibilities, as laid down in the organization's information security policy, are documented where appropriate. | Workforce | | |
| | | This should include general responsibilities for implementing or maintaining the security policy as well as specific responsibilities for the protection of particular assets, or for the execution of particular security processes or activities. | Workforce | | |
| | 6.1.2 Personnel screening and policy | Whether verification checks on permanent staff were carried out at the time of job application. | Workforce | | |
| | | This should include character references, confirmation of claimed academic and professional qualifications, and independent identity checks. | Workforce | | |
| | 6.1.3 Confidentiality agreements | Whether employees are asked to sign a confidentiality or non-disclosure agreement as part of their initial terms and conditions of employment. | Workforce | | |
| | | Whether this agreement covers the security of the information processing facility and organization assets. | Workforce | | |
| | 6.1.4 Terms and conditions of employment | Whether the terms and conditions of employment cover the employee's responsibility for information security. Where appropriate, these responsibilities might continue for a defined period after the end of the employment. | Workforce | | |

| Standard | Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
|---|---|---|---|---|---|
| 6.2 User training | 6.2.1 Information security education and training | Whether all employees of the organization and third party users (where relevant) receive appropriate information security training and regular updates on organizational policies and procedures. | Workforce | | |
| 6.3 Responding to security incidents and malfunctions | 6.3.1 Reporting security incidents | Whether a formal reporting procedure exists to report security incidents through appropriate management channels as quickly as possible. | Incident Reporting | | |
| | 6.3.2 Reporting security weaknesses | Whether a formal reporting procedure or guideline exists for users to report security weaknesses in, or threats to, systems or services. | Safeguards, Incident Reporting | | |
| | 6.3.3 Reporting software malfunctions | Whether procedures were established to report any software malfunctions. | | | |
| | 6.3.4 Learning from incidents | Whether there are mechanisms in place to enable the types, volumes and costs of incidents and malfunctions to be quantified and monitored. | Safeguards, Incident Reporting | | |
| | 6.3.5 Disciplinary process | Whether there is a formal disciplinary process in place for employees who have violated organizational security policies and procedures. Such a process can act as a deterrent to employees who might otherwise be inclined to disregard security procedures. | Workforce | | |

Physical and Environmental Security

| Standard | Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
|---|---|---|---|---|---|
| 7.1 Secure area | 7.1.1 Physical security perimeter | What physical perimeter security facility has been implemented to protect the information processing service. | Safeguards | | |
| | | Some examples of such security facilities are card-controlled entry gates, walls, manned reception, etc. | Safeguards | | |
| | 7.1.2 Physical entry controls | What entry controls are in place to allow only authorized personnel into the various areas within the organization. | Safeguards | | |
| | 7.1.3 Securing offices, rooms and facilities | Whether the rooms which house the information processing service are locked or have lockable cabinets or safes. | Safeguards | | |
| | | Whether the information processing service is protected from natural and man-made disasters. | Safeguards | | |
| | | Whether there is any potential threat from neighboring premises. | Safeguards | | |
| | 7.1.4 Working in secure areas | Information is provided only on a need-to-know basis. Whether there exists any security control for third parties or for personnel working in a secure area. | Minimum Necessary, Use and Disclosure, Workforce | | |
| | 7.1.5 Isolated delivery and loading areas | Whether the delivery area and the information processing area are isolated from each other to avoid any unauthorized access. | Safeguards | | |
| | | Whether a risk assessment was conducted to determine the security required in such areas. | Safeguards | | |

| Standard | Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
|---|---|---|---|---|---|
| 7.2 Equipment security | 7.2.1 Equipment siting and protection | Whether the equipment was located in an appropriate place to minimize unnecessary access into work areas. | Safeguards | | |
| | | Whether the items requiring special protection were isolated to reduce the general level of protection required. | Safeguards | | |
| | | Whether controls were adopted to minimize risk from potential threats such as theft, fire, explosives, smoke, water, dust, vibration, chemical effects, electrical supply interference, electromagnetic radiation, and flood. | Safeguards | | |
| | | Whether there is a policy on eating, drinking and smoking in proximity to information processing services. | | | |
| | | Whether environmental conditions which would adversely affect the information processing facilities are monitored. | | | |
| | 7.2.2 Power supplies | Whether the equipment is protected from power failures by using redundant power supply arrangements such as multiple feeds, an uninterruptible power supply (UPS), a backup generator, etc. | | | |
| | 7.2.3 Cabling security | Whether the power and telecommunications cabling carrying data or supporting information services is protected from interception or damage. | Safeguards | | |
| | | Whether there are any additional security controls in place for sensitive or critical information. | Safeguards | | |
| | 7.2.4 Equipment maintenance | Whether the equipment is maintained as per the supplier's recommended service intervals and specifications. | | | |
| | | Whether the maintenance is carried out only by authorized personnel. | | | |
| | | Whether logs are maintained of all suspected or actual faults and all preventive and corrective measures. | | | |

| Standard | Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
|---|---|---|---|---|---|
| 7.2 Equipment security (continued) | 7.2.4 Equipment maintenance (continued) | Whether appropriate controls are implemented when sending equipment off premises. | | | |
| | | If the equipment is covered by insurance, whether the insurance requirements are satisfied. | | | |
| | 7.2.5 Securing of equipment off-premises | Whether any use of equipment outside the organization's premises for information processing has to be authorized by management. | Safeguards | | |
| | | Whether the security provided for this equipment while outside the premises is on a par with, or greater than, the security provided inside the premises. | Safeguards | | |
| | 7.2.6 Secure disposal or re-use of equipment | Whether storage devices containing sensitive information are physically destroyed or securely overwritten. | | | |
| 7.3 General controls | 7.3.1 Clear desk and clear screen policy | Whether an automatic computer screen-locking facility is enabled. This would lock the screen when the computer is left unattended for a period. | Safeguards | | |
| | | Whether employees are advised to lock away any confidential material, whether paper documents, media, etc., while it is unattended. | Safeguards | | |
| | 7.3.2 Removal of property | Whether equipment, information or software can be taken offsite without appropriate authorization. | Safeguards | | |
| | | Whether spot checks or regular audits were conducted to detect unauthorized removal of property. | Safeguards | | |
| | | Whether individuals are aware of these types of spot checks or regular audits. | Safeguards, Workforce | | |

Communications and Operations Management

| Standard | Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
|---|---|---|---|---|---|
| 8.1 Operational procedures and responsibilities | 8.1.1 Documented operating procedures | Whether the security policy has identified any operating procedures such as back-up, equipment maintenance, etc. | | | |
| | | Whether such procedures are documented and used. | | | |
| | 8.1.2 Operational change control | Whether all programs running on production systems are subject to strict change control, i.e. any change to be made to those production programs needs to go through the change control authorization. | | | |
| | | Whether audit logs are maintained for any change made to the production programs. | | | |
| | 8.1.3 Incident management procedures | Whether an incident management procedure exists to handle security incidents. | Privacy Incident | | |
| | | Whether the procedure addresses the incident management responsibilities and an orderly and quick response to security incidents. | Privacy Incident | | |
| | | Whether the procedure addresses different types of incidents, ranging from denial of service to breach of confidentiality, etc., and ways to handle them. | Privacy Incident | | |
| | | Whether the audit trails and logs relating to the incidents are maintained and proactive action taken so that the incident does not recur. | Privacy Incident | | |

| Standard | Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
|---|---|---|---|---|---|
| 8.1 Operational procedures and responsibilities (continued) | 8.1.4 Segregation of duties | Whether duties and areas of responsibility are separated in order to reduce opportunities for unauthorized modification or misuse of information or services. | Workforce | | |
| | 8.1.5 Separation of development and operational facilities | Whether the development and testing facilities are isolated from operational facilities. For example, development software should run on a different computer from the one running production software. Where necessary, the development and production networks should be separated from each other. | | | |
| | 8.1.6 External facilities management | Whether any of the information processing facilities are managed by an external company or contractor (third party). | Business Associate Agreements | | |
| | | Whether the risks associated with such management are identified in advance, discussed with the third party, and appropriate controls incorporated into the contract. | Business Associate Agreements | | |
| | | Whether the necessary approval is obtained from business and application owners. | Business Associate Agreements | | |
| 8.2 System planning and acceptance | 8.2.1 Capacity planning | Whether capacity demands are monitored and projections of future capacity requirements are made. This is to ensure that adequate processing power and storage are available. Example: monitoring hard disk space, RAM and CPU on critical servers. | | | |
| | 8.2.2 System acceptance | Whether system acceptance criteria are established for new information systems, upgrades and new versions. | | | |
| | | Whether suitable tests were carried out prior to acceptance. | | | |

    8.3 Protection against malicious software

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 8.3.1 Control against malicious software | Whether there exists any control against malicious software usage. | | | |
    | | Whether the security policy addresses software-licensing issues such as prohibiting usage of unauthorized software. | | | |
    | | Whether there exists any Procedure to verify that all warning bulletins are accurate and informative with regard to malicious software usage. | | | |
    | | Whether Antiviral software is installed on the computers to check and isolate or remove any viruses from computer and media. | Safeguards | | |
    | | Whether this software's signatures are updated on a regular basis to check for the latest viruses. | | | |
    | | Whether all the traffic originating from un-trusted networks into the organization is checked for viruses. Example: Checking for viruses on email attachments and on web and FTP traffic. | | | |

    8.4 Housekeeping

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 8.4.1 Information backup | Whether Backups of essential business information such as production servers, critical network components, configuration backups etc. were taken regularly. Example: Mon-Thu: Incremental Backup and Fri: Full Backup. | | | |
    | | Whether the backup media, along with the procedure to restore the backup, are stored securely and well away from the actual site. | | | |
    | | Whether the backup media are regularly tested to ensure that they can be restored within the time frame allotted in the operational procedure for recovery. | | | |
    | 8.4.2 Operator logs | Whether Operational staff maintain a log of their activities such as name of the person, errors, corrective action etc. | | | |
    | | Whether Operator logs are checked on a regular basis against the Operating procedures. | | | |
    | 8.4.3 Fault Logging | Whether faults are reported and well managed. This includes corrective action being taken, review of the fault logs and checking the actions taken. | | | |

    8.5 Network Management

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 8.5.1 Network Controls | Whether effective operational controls such as separate network and system administration facilities were established where necessary. | | | |
    | | Whether responsibilities and procedures for management of remote equipment, including equipment in user areas, were established. | Workforce, Safeguards | | |
    | | Whether there exist any special controls to safeguard the confidentiality and integrity of data processed over the public network and to protect the connected systems. Example: Virtual Private Networks, other encryption and hashing mechanisms etc. | | | |

    8.6 Media handling and Security

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 8.6.1 Management of removable computer media | Whether there exists a procedure for management of removable computer media such as tapes, disks, cassettes, memory cards and reports. | Safeguards | | |
    | 8.6.2 Disposal of Media | Whether the media that are no longer required are disposed of securely and safely. | Safeguards | | |
    | | Whether disposal of sensitive items is logged where necessary in order to maintain an audit trail. | | | |
    | 8.6.3 Information handling procedures | Whether there exists a procedure for handling the storage of information. Does this procedure address issues such as information protection from unauthorized disclosure or misuse? | Use and Disclosure, Minimum Necessary, Safeguards | | |
    | 8.6.4 Security of system documentation | Whether the system documentation is protected from unauthorized access. | | | |
    | | Whether the access list for the system documentation is kept to a minimum and authorized by the application owner. Example: If system documentation needs to be kept on a shared drive for specific purposes, the document needs to have Access Control Lists enabled (to be accessible only by limited users). | | | |

    8.7 Exchange of Information and software

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 8.7.1 Information and software exchange agreement | Whether there exists any formal or informal agreement between the organizations for exchange of information and software. | Designated Record Set (Data Use Agreement), Business Associate Contracts | | |

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 8.7.1 Information and software exchange agreement (continued) | Whether the agreement addresses the security issues based on the sensitivity of the business information involved. | Designated Record Set (Data Use Agreement), Business Associate Contracts | | |
    | 8.7.2 Security of Media in transit | Whether security of media while being transported is taken into account. | Safeguards | | |
    | | Whether the media is well protected from unauthorized access, misuse or corruption. | Safeguards | | |
    | 8.7.3 Electronic Commerce security | Whether Electronic commerce is well protected and controls are implemented to protect against fraudulent activity, contract dispute and disclosure or modification of information. | | | |
    | | Whether Security controls such as Authentication and Authorization are considered in the ECommerce environment. | | | |

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 8.7.3 Electronic Commerce security (continued) | Whether electronic commerce arrangements between trading partners include a documented agreement which commits both parties to the agreed terms of trading, including details of security issues. | Business Associate Agreements | | |
    | 8.7.4 Security of Electronic email | Whether there is a policy in place for the acceptable use of electronic mail, or whether the security policy addresses the issues with regard to use of electronic mail. | Safeguards | | |
    | | Whether controls such as antivirus checking, isolating potentially unsafe attachments, spam control, anti-relaying etc. are put in place to reduce the risks created by electronic email. | Safeguards | | |
    | 8.7.5 Security of Electronic office systems | Whether there is an Acceptable use policy to address the use of Electronic office systems. | Safeguards | | |
    | | Whether there are any guidelines in place to effectively control the business and security risks associated with the electronic office systems. | Safeguards | | |
    | 8.7.6 Publicly available systems | Whether there is any formal authorization process in place for information to be made publicly available, such as approval from Change Control which includes Business, Application owner etc. | Workforce | | |
    | | Whether there are any controls in place to protect the integrity of such publicly available information from any unauthorized access. This might include controls such as firewalls, Operating system hardening, any Intrusion detection type of tools used to monitor the system etc. | Workforce, Safeguards | | |
    | 8.7.7 Other forms of information exchange | Whether there are any policies, procedures or controls in place to protect the exchange of information through the use of voice, facsimile and video communication facilities. | Safeguards, Use and Disclosure | | |

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 8.7.7 Other forms of information exchange (continued) | Whether staff are reminded to maintain the confidentiality of sensitive information while using such forms of information exchange facility. | Workforce, Safeguards | | |

    Access Control

    9.1 Business Requirements for Access Control

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 9.1.1 Access Control Policy | Whether the business requirements for access control have been defined and documented. | Safeguards, Workforce, Business Associate Agreements | | |
    | | Whether the Access control policy addresses the rules and rights for each user or group of users. | Safeguards, Workforce, Business Associate Agreements | | |
    | | Whether the users and service providers were given a clear statement of the business requirements to be met by access controls. | Safeguards, Workforce, Business Associate Agreements, Designated Record Sets | | |

    9.2 User Access Management

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 9.2.1 User Registration | Whether there is any formal user registration and de-registration procedure for granting access to multi-user information systems and services. | Minimum Necessary, Workforce | | |
    | 9.2.2 Privilege Management | Whether the allocation and use of any privileges in a multi-user information system environment is restricted and controlled, i.e., privileges are allocated on a need-to-use basis and only after a formal authorization process. | Minimum Necessary, Workforce | | |
    | 9.2.3 User Password Management | The allocation and reallocation of passwords should be controlled through a formal management process. | Safeguards | | |
    | | Whether the users are asked to sign a statement to keep the password confidential. | Workforce | | |
    | 9.2.4 Review of user access rights | Whether there exists a process to review user access rights at regular intervals. Example: Special privilege review every 3 months, normal privileges every 6 months. | | | |

    9.3 User Responsibilities

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 9.3.1 Password use | Whether there are any guidelines in place to guide users in selecting and maintaining secure passwords. | Safeguards | | |

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 9.3.2 Unattended user equipment | Whether the users and contractors are made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibility to implement such protection. Example: Log off when the session is finished or set up auto log-off, terminate sessions when finished etc. | Business Associate Agreements, Workforce | | |

    9.4 Network Access Control

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 9.4.1 Policy on use of network services | Whether there exists a policy that addresses concerns relating to networks and network services such as: parts of the network to be accessed, Authorization services to determine who is allowed to do what, Procedures to protect the access to network connections and network services. | Minimum Necessary, Workforce | | |
    | 9.4.2 Enforced path | Whether there is any control that restricts the route between the user terminal and the designated computer services the user is authorized to access (example: an enforced path to reduce the risk). | Safeguards | | |
    | 9.4.3 User authentication for external connections | Whether there exists any authentication mechanism for challenging external connections. Examples: Cryptography based technique, hardware tokens, software tokens, challenge/response protocol etc. | | | |
    | 9.4.4 Node Authentication | Whether connections to remote computer systems that are outside the organization's security management are authenticated. Node authentication can serve as an alternate means of authenticating groups of remote users where they are connected to a secure, shared computer facility. | | | |
    | 9.4.5 Remote diagnostic port protection | Whether access to diagnostic ports is securely controlled, i.e., protected by a security mechanism. | | | |
    | 9.4.6 Segregation in networks | Whether the network (where business partners and/or third parties need access to the information system) is segregated using perimeter security mechanisms such as firewalls. | | | |
    | 9.4.7 Network connection protocols | Whether there exists any network connection control for shared networks that extend beyond the organizational boundaries. Example: electronic mail, web access, file transfers, etc. | | | |

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 9.4.8 Network routing control | Whether there exist any network controls to ensure that computer connections and information flows do not breach the access control policy of the business applications. This is often essential for networks shared with non-organization users. | | | |
    | | Whether the routing controls are based on positive source and destination identification mechanisms. Example: Network Address Translation (NAT). | | | |
    | 9.4.9 Security of network services | Whether the organization, using public or private network services, ensures that a clear description of the security attributes of all services used is provided. | | | |

    9.5 Operating system access control

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 9.5.1 Automatic terminal identification | Whether an automatic terminal identification mechanism is used to authenticate connections. | | | |
    | 9.5.2 Terminal log-on procedures | Whether access to the information system is attainable only via a secure log-on process. | Safeguards | | |
    | | Whether there is a procedure in place for logging in to an information system. This is to minimize the opportunity for unauthorized access. | Safeguards | | |
    | 9.5.3 User identification and authorization | Whether a unique identifier is provided to every user such as operators, system administrators and all other staff including technical staff. Generic user accounts should only be supplied under exceptional circumstances where there is a clear business benefit. Additional controls may be necessary to maintain accountability. | | | |
    | | Whether the authentication method used substantiates the claimed identity of the user; commonly used method: a Password that only the user knows. | | | |
    | 9.5.4 Password management system | Whether there exists a password management system that enforces various password controls such as: individual passwords for accountability, enforced password changes, storing passwords in encrypted form, not displaying passwords on screen etc. | | | |
    | 9.5.5 Use of system utilities | Whether the system utilities that come with computer installations, but may override system and application controls, are tightly controlled. | | | |
    | 9.5.6 Duress alarm to safeguard users | Whether provision of a duress alarm is considered for users who might be the target of coercion. | | | |

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 9.5.7 Terminal time-out | Inactive terminals in public areas should be configured to clear the screen or shut down automatically after a defined period of inactivity. | Safeguards | | |
    | 9.5.8 Limitation of connection time | Whether there exist any restrictions on connection time for high-risk applications. This type of set-up should be considered for sensitive applications for which the terminals are installed in high-risk locations. | Safeguards | | |

    9.6 Application Access Control

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 9.6.1 Information access restriction | Whether access to applications by various groups/personnel within the organization is defined in the access control policy as per the individual business application requirement and is consistent with the organization's Information access policy. | Minimum Necessary, Workforce, Safeguards | | |
    | 9.6.2 Sensitive system isolation | Whether sensitive systems are provided with an isolated computing environment, such as running on a dedicated computer, sharing resources only with trusted application systems, etc. | Minimum Necessary, Workforce, Safeguards | | |

    9.7 Monitoring system access and use

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 9.7.1 Event logging | Whether audit logs recording exceptions and other security relevant events are produced and kept for an agreed period to assist in future investigations and access control monitoring. | | | |
    | 9.7.2 Monitoring system use | Whether procedures are set up for monitoring the use of information processing facilities. The procedure should ensure that the users are performing only the activities that are explicitly authorized. | Minimum Necessary, Workforce, Safeguards | | |
    | | Whether the results of the monitoring activities are reviewed regularly. | | | |
    | 9.7.3 Clock synchronization | Where the computer or communication device has the capability of operating a real time clock, it should be set to an agreed standard such as Universal Coordinated Time or local standard time. The correct setting of the computer clock is important to ensure the accuracy of the audit logs. | | | |

    9.8 Mobile computing and tele-working

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 9.8.1 Mobile computing | Whether a formal policy is adopted that takes into account the risks of working with computing facilities such as notebooks, palmtops etc., especially in unprotected environments. | Workforce, Safeguards | | |
    | | Whether training was arranged for staff who use mobile computing facilities to raise their awareness of the additional risks resulting from this way of working and the controls that need to be implemented to mitigate the risks. | Workforce, Safeguards | | |
    | 9.8.2 Teleworking | Whether there is any policy, procedure and/or standard to control teleworking activities; this should be consistent with the organization's security policy. | Workforce, Safeguards | | |

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 9.8.2 Teleworking (continued) | Whether suitable protection of the teleworking site is in place against threats such as theft of equipment, unauthorized disclosure of information etc. | Workforce, Safeguards | | |

    10.1

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 10.1.1 Security requirements analysis and specification | Whether security requirements are incorporated as part of the business requirement statement for new systems or for enhancements to existing systems. | Safeguards | | |
    | | Security requirements and controls identified should reflect the business value of the information assets involved and the consequences of a failure of Security. | Safeguards | | |
    | | Whether risk assessments are completed prior to commencement of system development. | Safeguards | | |

    10.2

    | Standard Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented? |
    |---|---|---|---|---|
    | 10.2.1 Input data validation | Whether data input to the application system is validated to ensure that it is correct and appropriate. | | | |
    | | Whether controls such as: different types of inputs to check for error messages, Procedures for responding to validation errors, defining responsibilities of all personnel involved in the data input process etc. are considered. | | | |
    | 10.2.2 Control of internal processing | Whether areas of risk are identified in the processing cycle and validation checks were included. In some cases the data that has been correctly entere | | | |