Download - Security Assessment Tools
7/31/2019 Security Assessment Tools
1/46
| Item | HIPAA Citation | HIPAA Security Rule Standard / Implementation Specification | Implementation Requirement | Description |
|---|---|---|---|---|
| | | SECURITY STANDARDS: GENERAL RULES | | |
| 1 | 164.306(a) | Ensure Confidentiality, Integrity and Availability | - | Ensure CIA and protect against threats |
| 2 | 164.306(b) | Flexibility of Approach | - | Reasonably consider factors in security complia |
| 3 | 164.306(c) | Standards | - | CEs must comply with standards |
| 4 | 164.306(d) | Implementation Specifications | - | Required and Addressable Implementation |
| 5 | 164.306(e) | Maintenance | - | Ongoing review and modification of security |
| | | ADMINISTRATIVE SAFEGUARDS | | |
| 6 | 164.308(a)(1)(i) | Security Management Process | - | P&P to manage security violations |
| 7 | 164.308(a)(1)(ii)(A) | Risk Analysis | Required | Conduct vulnerability assessment |
| 8 | 164.308(a)(1)(ii)(B) | Risk Management | Required | Implement security measures to reduce risk of |
| 9 | 164.308(a)(1)(ii)(C) | Sanction Policy | Required | Worker sanction for P&P violations |
| 10 | 164.308(a)(1)(ii)(D) | Information System Activity Review | Required | Procedures to review system activity |
| 11 | 164.308(a)(2) | Assigned Security Responsibility | - | Identify security official responsible for P&P |
| 12 | 164.308(a)(3)(i) | Workforce Security | - | Implement P&P to ensure appropriate PHI acce |
| 13 | 164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable | Authorization/supervision for PHI access |
| 14 | 164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable | Procedures to ensure appropriate PHI access |
| 15 | 164.308(a)(3)(ii)(C) | Termination Procedures | Addressable | Procedures to terminate PHI access |
| 16 | 164.308(a)(4)(i) | Information Access Management | - | P&P to authorize access to PHI |
| 17 | 164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | Required | P&P to separate PHI from other operations |
| 18 | 164.308(a)(4)(ii)(B) | Access Authorization | Addressable | P&P to authorize access to PHI |
| 19 | 164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable | P&P to grant access to PHI |
| 20 | 164.308(a)(5)(i) | Security Awareness Training | - | Training program for workers and managers |
| 21 | 164.308(a)(5)(ii)(A) | Security Reminders | Addressable | Distribute periodic security updates |
| 22 | 164.308(a)(5)(ii)(B) | Protection from Malicious Software | Addressable | Procedures to guard against malicious software |
| 23 | 164.308(a)(5)(ii)(C) | Log-in Monitoring | Addressable | Procedures and monitoring of log-in attempts |
| 24 | 164.308(a)(5)(ii)(D) | Password Management | Addressable | Procedures for password management |
| 25 | 164.308(a)(6)(i) | Security Incident Procedures | - | P&P to manage security incidents |
| 26 | 164.308(a)(6)(ii) | Response and Reporting | Required | Mitigate and document security incidents |
| 27 | 164.308(a)(7)(i) | Contingency Plan | - | Emergency response P&P |
| 28 | 164.308(a)(7)(ii)(A) | Data Backup Plan | Required | Data backup planning & procedures |
| 29 | 164.308(a)(7)(ii)(B) | Disaster Recovery Plan | Required | Data recovery planning & procedures |
| 30 | 164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Required | Business continuity procedures |
| 31 | 164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Addressable | Contingency planning periodic testing procedur |
| 32 | 164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Addressable | Prioritize data and system criticality for continge |
| 33 | 164.308(a)(8) | Evaluation | - | Periodic security evaluation |
| 34 | 164.308(b)(1) | Business Associate Contracts and Other Arrangements | - | CE implement BACs to ensure safeguards |
| 35 | 164.308(b)(4) | Written Contract | Required | Implement compliant BACs |
PHYSICAL SAFEGUARDS
180 Days - Later (High Risk and Low Urgency)
Not applicable - No action required
Done
100 75 50 25 N/A
Full Regulatory Text Finding Rating Criteria Impact & Analysis Risk Re
(a) General requirements. Covered entities must do
(b) Flexibility of approach.
(c) Standards. A covered entity must comply with the
(d) Implementation specifications.
(e) Maintenance. Security measures implemented to
Implement policies and procedures to prevent,
Conduct an accurate and thorough assessment of
Implement security measures sufficient to reduce
Apply appropriate sanctions against workforce
Implement procedures to regularly review records of
Identify the security official who is responsible for the
Implement policies and procedures to ensure that all
Implement procedures for authorization and/or
Implement procedures to determine that the access
Implement procedures for termination access to
Implement policies and procedures for authorizing
If a health care clearinghouse is part of a larger
Implement policies and procedures for granting
Implement policies and procedures that, based upon
Implement a security awareness and training
Periodic security updates.
Procedures for guarding against, detecting, and
Procedures for monitoring log-in attempts and
Procedures for creating, changing, and safeguarding
Implement policies and procedures to address
Identify and respond to suspected or known security
Establish (and implement as needed) policies and
Establish and implement procedures to create and
Establish (and implement as needed) procedures to
Establish (and implement as needed) procedures to
Implement procedures for periodic testing and
Assess the relative criticality of specific applications
Perform a periodic technical and nontechnical
A covered entity, in accordance with 164.306, may
Document the satisfactory assurances required by
Implement policies and procedures to limit physical
Establish (and implement as needed) procedures that
Implement policies and procedures to safeguard the
Implement procedures to control and validate a
Implement policies and procedures that govern the
Implement policies and procedures to address the
Implement procedures for removal of electronic
Maintain a record of the movements of hardware and
Create a retrievable, exact copy of electronic
Implement technical policies and procedures for
Assign a unique name and/or number for identifying
Establish (and implement as needed) procedures for
Implement electronic procedures that terminate an
Implement a mechanism to encrypt and decrypt
Implement hardware, software, and/or procedural
Implement policies and procedures to protect
Implement electronic mechanisms to corroborate that
Implement procedures to verify that a person or entity
Implement technical security measures to guard
Implement security measures to ensure that
Implement a mechanism to encrypt electronic
(i) The contract or other arrangement between the
(i) Business associate contracts. The contract
Except when the only electronic protected health
The plan documents of the group health plan must be
Ensure that the adequate separation required by
Ensure that any agent, including a subcontractor, to
Report to the group health plan any security incident
A covered entity must, in accordance with 164.306:
Documentation.
Retain the documentation required by paragraph
Make documentation available to those persons
Review documentation periodically, and update as
HIPAA Citation | HIPAA Security Rule Standard / Implementation Specification | Privacy Officer | Compliance Office | Security Officer | IT Managers | Network Admini
164.306(a) Ensure Confidentiality, Integrity and Availability
164.306(b) Flexibility of Approach
164.306(c) Standards
164.306(d) Implementation Specifications
164.306(e) Maintenance
ADMINISTRATIVE SAFEGUARDS
164.308(a)(1)(i) Security Management Process Awareness Notification Policy Procedures Proced
164.308(a)(1)(ii)(A) Risk Analysis Awareness Notification Oversee Assessment Assess
164.308(a)(1)(ii)(B) Risk Management Awareness Notification Policy Procedures Measu
164.308(a)(1)(ii)(C) Sanction Policy Records Policy Management
164.308(a)(1)(ii)(D) Information System Activity Review Event Rept. Event Rept. Sys Au
164.308(a)(2) Assigned Security Responsibility Authority
164.308(a)(3)(i) Workforce Security Policy Manage
164.308(a)(3)(ii)(A) Authorization and/or Supervision Policy Authorize Superv
164.308(a)(3)(ii)(B) Workforce Clearance Procedure Policy Clearance
164.308(a)(3)(ii)(C) Termination Procedures Policy Manage
164.308(a)(4)(i) Information Access Management Awareness Job Desp Awareness Awareness
164.308(a)(4)(ii)(A) Isolation Health Clearinghouse Functions
164.308(a)(4)(ii)(B) Access Authorization
164.308(a)(4)(ii)(C) Access Establishment and Modification Change Form
164.308(a)(5)(i) Security Awareness Training
164.308(a)(5)(ii)(A) Security Reminders
164.308(a)(5)(ii)(B) Protection from Malicious Software
164.308(a)(5)(ii)(C) Log-in Monitoring
164.308(a)(5)(ii)(D) Password Management
164.308(a)(6)(i) Security Incident Procedures
164.308(a)(6)(ii) Response and Reporting Incident Rep. Incident Rep. Monito
164.308(a)(7)(i) Contingency Plan BCP Recov
164.308(a)(7)(ii)(A) Data Backup Plan Planning
164.308(a)(7)(ii)(B) Disaster Recovery Plan Planning
164.308(a)(7)(ii)(C) Emergency Mode Operation Plan Plan
164.308(a)(7)(ii)(D) Testing and Revision Procedures Policy Oversight Test. P
164.308(a)(7)(ii)(E) Applications and Data Criticality Analysis Awareness Notification Oversee Assessment Assess
164.308(a)(8) Evaluation Awareness Notification Oversee Assessment Assess
164.308(b)(1) Business Associate Contracts and Other Arrangements BAC Mgmt.
164.308(b)(4) Written Contract
PHYSICAL SAFEGUARDS
164.310 (a)(1) Facility Access Controls Policy Policy
164.310(a)(2)(i) Contingency Operations Notification Notification
164.310(c) Workstation Security
164.310(d)(1) Device and Media Controls
164.310(d)(2)(i) Disposal
164.310(d)(2)(ii) Media Re-use
164.310(d)(2)(iii) Accountability
164.310(d)(2)(iv) Data Backup and Storage Notification Oversight Mgmt. Administ
TECHNICAL SAFEGUARDS
164.312(a)(1) Access Control
164.312(a)(2)(i) Unique User Identification Administ
164.312(a)(2)(ii) Emergency Access Procedure Policy Mgmt. Administ
164.312(a)(2)(iii) Automatic Logoff Policy Mgmt. Administ
164.312(a)(2)(iv) Encryption and Decryption Notification Policy Mgmt. Administ
164.312(b) Audit Controls Notification Policy Mgmt. Administ
164.312(c)(1) Integrity Notification Policy Mgmt. Administ
164.312(c)(2) Mechanism to Authenticate Electronic Protected Health Information Plan Mgmt. Administ
164.312(d) Person or Entity Authentication Policy Mgmt. Administ
164.312(e)(1) Transmission Security Policy Mgmt. Administ
164.312(e)(2)(i) Integrity Controls Policy Mgmt. Administ
164.312(e)(2)(ii) Encryption Awareness Policy Policy Mgmt. Administ
ORGANIZATIONAL REQUIREMENTS
164.314(a)(1) Business Associate Contracts or Other Arrangements Awareness Oversight Oversight Mgmt.
164.314(a)(2) Business Associate Contracts
164.314(b)(1) Requirements for Group Health Plans
164.314(b)(2)(i) Implement Safeguards
164.314(b)(2)(ii) Ensure Adequate Separation
164.314(b)(2)(iii) Ensure Agents Safeguard
164.314(b)(2)(iv) Report Security Incidents Awareness Notification Oversight Mgmt.
164.316(a) Policies and Procedures Policy Procedures Mgmt. Administ
164.316(b)(1) Documentation
164.316(b)(2)(i) Time Limit
164.316(b)(2)(ii) Availability
164.316(b)(2)(iii) Updates
End Users with PHI Access | Human Resources | Implementation Requirement | Description
- Ensure CIA and protect against threats
- Reasonably consider factors in security com
- CEs must comply with standards
- Required and Addressable Implementation
- Ongoing review and modification of security
- P&P to manage security violations
Required Conduct vulnerability assessment
Required Implement security measures to reduce risk
Records Required Worker sanction for P&P violations
Required Procedures to review system activity
- Identify security official responsible for P&P
- Implement P&P to ensure appropriate PHI
Addressable Authorization/supervision for PHI access
Addressable Procedures to ensure appropriate PHI acce
Procedures Addressable Procedures to terminate PHI access
Awareness - P&P to authorize access to PHI
Required P&P to separate PHI from other operations
Addressable P&P to authorize access to PHI
Addressable P&P to grant access to PHI
- Training program for workers and manager
Sec. Training Addressable Distribute periodic security updates
Sec. Training Addressable Procedures to guard against malicious soft
Sec. Training Addressable Procedures and monitoring of log-in attemp
Sec. Training Addressable Procedures for password management
- P&P to manage security incidents
Incident Rep. Required Mitigate and document security incidents
- Emergency response P&P
Required Data backup planning & procedures
Required Data recovery planning & procedures
Required Business continuity procedures
Addressable Contingency planning periodic testing proce
Addressable Prioritize data and system criticality for cont
- Periodic security evaluation
CE implement BACs to ensure safeguards
Sec. Training - Physical safeguards for workstation access
Sec. Training - P&P to govern receipt and removal of hardw
Sec. Training Required P&P to manage media and equipment dispo
Sec. Training Required P&P to remove PHI from media and equipm
Sec. Training Addressable Document hardware and media movement
Addressable Backup PHI before moving equipment
- Technical (administrative) P&P to manage P
Sec. Training Required Assign unique IDs to support tracking
Awareness Required Procedures to support emergency access
Sec. Training Addressable Session termination mechanisms
Addressable Mechanism for encryption of stored PHI
- Procedures and mechanisms for monitoring
- P&P to safeguard PHI unauthorized alteratio
Addressable Mechanisms to corroborate PHI not altered
- Procedures to verify identities
- Measures to guard against unauthorized ac
Addressable Measures to ensure integrity of PHI on trans
Sec. Training Addressable Mechanism for encryption of transmitted PH
- CE must ensure BA safeguards PHI
Required BACs must contain security language
- Plan documents must reflect security safegu
Required Plan sponsor to implement safeguards as a
Required Security measures to separate PHI from pla
Required Ensure subcontractors safeguard PHI
Required Plan sponsors report breaches to health pla
- P&P to ensure safeguards to PHI
Required Document P&P and actions & activities
Required Retain documentation for 6 years
Required Documentation available to system adminis
Full Regulatory Text
(a) General requirements. Covered entities must do the following:
(b) Flexibility of approach.
(c) Standards. A covered entity must comply with the standards as provided in this section and in 164.308,
(d) Implementation specifications.
(e) Maintenance. Security measures implemented to comply with standards and implementation specifications adopted under 164.105 and this subpart must be reviewed and modified as needed to co
Implement policies and procedures to prevent, detect, contain and correct security violations
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health informatio
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Sec 164.306(a).
Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.
Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragra
Implement procedures for authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be acce
Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
Implement procedures for termination access to electronic protected health information when the employment of a workforce member ends or as required by determination m
Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this p
If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health informatio
Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, proces
Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstati
Implement a security awareness and training program for all members of its workforce (including management).
Periodic security updates.
Procedures for guarding against, detecting, and reporting malicious software.
Procedures for monitoring log-in attempts and reporting discrepancies.
Procedures for creating, changing, and safeguarding passwords.
Implement policies and procedures to address security incidents.
Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; an
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural d
Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
Establish (and implement as needed) procedures to restore loss of data.
Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information
Implement procedures for periodic testing and revision of contingency plans.
Assess the relative criticality of specific applications and data in support of other contingency plan components.
Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or o
A covered entity, in accordance with 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the cover
Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the
Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that prop
Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operat
Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a fac
Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
Maintain a record of the movements of hardware and electronic media and any person responsible therefor.
Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or soft
Assign a unique name and/or number for identifying and tracking user identity.
Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Implement a mechanism to encrypt and decrypt electronic protected health information.
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information
Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communicatio
Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
(i) The contract or other arrangement between the covered entity and its business associate required by
(i) Business associate contracts. The contract between a covered entity and a business associate must provide that the business associate will--
Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to 164.504(f)(1)(ii) or (iii), or as authorized under 164.508, a gr
The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to--
Ensure that the adequate separation required by
Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the informat
Report to the group health plan any security incident of which it becomes aware.
A covered entity must, in accordance with 164.306: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications
Documentation.
Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health informati
| Applicable ISO 17799 Standard(s) & References | HIPAA Citation | Standard / Implementation Specification | Implementation | Description |
|---|---|---|---|---|
| | | SECURITY STANDARDS: GENERAL RULES | | |
| 12.1.4 | 164.306(a) | Ensure Confidentiality, Integrity and Availability | | En |
| | 164.306(b) | Flexibility of Approach | | Re co |
| 12.1.1, 10.1.1 | 164.306(c) | Standards | | CE |
| | 164.306(d) | Implementation Specifications | | Re Sp |
| | 164.306(e) | Maintenance | | On me |
| | | ADMINISTRATIVE SAFEGUARDS | | |
| 10.1.1 | 164.308(a)(1)(i) | Security Management Process | | P& |
| 7.1.5, 10.3.1, 10.2.3, 11.1.2, 9.4.1, 9.4.2, 3.1.2, 5.1.1, 6.3.4, 8.2.1, 9.4.3, 9.4.3, 9.4.5, 9.4.6, 9.4.7, 9.4.8, 9.4.9, 9.6.2, 10.1.1, 10.4.3 | 164.308(a)(1)(ii)(A) | Risk Analysis | Required | Co |
| 6.3.4, 8.1.1, 4.1.2, 3.1.1, 3.1.2, 4.1.1, 5.1.1, 8.1.4, 8.2.1, 8.5.1, 8.6.4, 9.4.4-9.4.9, 9.6.2, 9.7.1, 10.1.1, 11.1.1, 10.4.3, 12.2.2, 12.1.9 | 164.308(a)(1)(ii)(B) | Risk Management | Required | Im ris |
| 6.3.5, 11.1.2 | 164.308(a)(1)(ii)(C) | Sanction Policy | Required | Wo |
| 6.3.5, 9.7.1, 9.7.2, 12.2.1, 12.2.2, 12.3.1, 12.3.2, 6.3.4, 8.1.1, 8.2.2, 10.4.3, 10.5.4, 10.3.4, 10.5.1-10.5.5, 12.2.1, 12.1.5, 12.2.2 | 164.308(a)(1)(ii)(D) | Information System Activity Review | Required | Pro |
| 3.1.2, 4.1.3, 4.1.5, 4.1.1, 4.1.2 | 164.308(a)(2) | Assigned Security Responsibility | | Ide |
| 9.6.1 | 164.308(a)(3)(i) | Workforce Security | | Im ac |
| 8.1.4, 9.2.1, 9.2.2, 9.4.2, 9.8.2, 10.4.3 | 164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable | Au |
| 6.1.2, 6.1.4 | 164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable | Pro ac |
| 6.1.2, 6.1.4 | 164.308(a)(3)(ii)(C) | Termination Procedures | Addressable | Pro |
| 9.6.1, 9.5.3, 9.2.2, 10.4.3 | 164.308(a)(4)(i) | Information Access Management | | P& |
| 4.2.1 | 164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | Required | P& op |
| 9.1.1, 9.2.2, 9.4.1, 9.6.2, 9.2.1, 8.1.4, 5.2.1 | 164.308(a)(4)(ii)(B) | Access Authorization | Addressable | P& |
| 8.1.4, 9.1.1, 9.2.2, 9.2.4, 9.4.1, 9.5.2, 9.5.3, 9.6.2, 8.6.4, 5.2.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 12.1.5 | 164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable | P& |
| 6.2.1, 8.7.7, 9.2.1, 9.2.2, 9.3.2, 9.8.1, 8.7.7, 8.7.4, 12.1.5, 6.1.1, 6.1.3 | 164.308(a)(5)(i) | Security Awareness Training | | Tra |
| 6.2.1, 9.3.2, 6.1.1, 6.1.3 | 164.308(a)(5)(ii)(A) | Security Reminders | Addressable | Dis |
| 8.3.1, 8.7.4, 4.1.4, 10.4.1, 10.4.2, 10.5.1-10.5.5 | 164.308(a)(5)(ii)(B) | Protection from Malicious Software | Addressable | Pro sof |
| 8.4.2, 9.7.1, 9.7.2, 8.4.3 | 164.308(a)(5)(ii)(C) | Log-in Monitoring | Addressable | Pro att |
| 9.2.3, 9.3.1, 9.5.4 | 164.308(a)(5)(ii)(D) | Password Management | Addressable | Pro |
| 8.1.3, 4.1.6 | 164.308(a)(6)(i) | Security Incident Procedures | | P& |
| 6.3.1, 6.3.2, 6.3.4, 8.1.3 | 164.308(a)(6)(ii) | Response and Reporting | Required | Mi |
| 11.1.1, 8.6.3, 4.1.6, 8.1.2 | 164.308(a)(7)(i) | Contingency Plan | | Em |
| 8.1.1, 8.4.1, 11.1.3, 11.1.2, 8.6.3 | 164.308(a)(7)(ii)(A) | Data Backup Plan | Required | Da |
| 11.1.3 | 164.308(a)(7)(ii)(B) | Disaster Recovery Plan | Required | Da |
| 11.1.3 | 164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Required | Bu |
| 7.2.2, 11.1.3, 11.1.5, 8.1.5, 7.2.3, 10.5.1-10.5.5 | 164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Addressable | Co pro |
| 11.1.2, 11.1.4, 8.1.5, 5.2.2, 8.1.2 | 164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Addressable | Pri co |
| 4.1.5, 9.7.2, 12.2.1, 12.2.2, 3.1.2, 6.3.4, 8.1.1, 8.2.2 | 164.308(a)(8) | Evaluation | | Pe |
| 4.2.1, 4.2.2, 4.3.1, 8.1.6, 12.1.1, 4.1.6, 8.2.1, 8.7.4 | 164.308(b)(1) | Business Associate Contracts and Other Arrangements | | CE |
| 8.71, 4.3.1, 12.1.1 | 164.308(b)(4) | Written Contract | Required | Im |
| | | PHYSICAL SAFEGUARDS | | |
| 7.1.1-7.1.5, 12.1.3, 9.3.2 | 164.310(a)(1) | Facility Access Controls | | P& |
| 7.2.2, 11.1.1, 11.1.3, 12.1.3, 4.1.7, 7.2.3, 7.2.4, 8.1.1 | 164.310(a)(2)(i) | Contingency Operations | Addressable | Pro op |
| 7.1.1, 7.1.3 | 164.310(a)(2)(ii) | Facility Security Plan | Addressable | P& |
| 7.1.2, 7.1.4, 9.1.1 | 164.310(a)(2)(iii) | Access Control Validation Procedures | Addressable | Fa |
| 7.2.4, 12.1.3 | 164.310(a)(2)(iv) | Maintenance Records | Addressable | P& an |
| 2.2.4, 7.2.1, 8.6.1, 7.1.4, 7.2.4 | 164.310(b) | Workstation Use | | P& |
| 7.2.1, 7.2.4, 8.6.2, 9.3.2, 7.3.2 | 164.310(c) | Workstation Security | | Ph |
| 5.1.1, 7.2.5, 7.3.2, 8.7.2, 8.6.7, 9.8.1, 8.5.1, 6.3.3 | 164.310(d)(1) | Device and Media Controls | | P& ha |
| 7.2.6, 8.6.2 | 164.310(d)(2)(i) | Disposal | Required | P& dis |
| 7.2.6, 8.6.2 | 164.310(d)(2)(ii) | Media Re-use | Required | P& eq |
| 5.1.1, 7.3.2, 7.2.5, 8.7.2, 9.8.1 | 164.310(d)(2)(iii) | Accountability | Addressable | Do |
| 8.1.1, 8.4.1, 8.6.3, 12.1.3 | 164.310(d)(2)(iv) | Data Backup and Storage | Addressable | Ba |
| | | TECHNICAL SAFEGUARDS | | |
| 9.1.1, 9.4.1, 9.6.1, 12.1.3 | 164.312(a)(1) | Access Control | | Te PH |
| 9.2.1, 9.2.2 | 164.312(a)(2)(i) | Unique User Identification | Required | As |
| 11.1.3 | 164.312(a)(2)(ii) | Emergency Access Procedure | Required | Pro |
| 9.5.7, 9.5.8, 7.3.1 | 164.312(a)(2)(iii) | Automatic Logoff | Addressable | Se |
| 8.5.1, 8.7.4, 10.3.1, 10.3.2, 10.3.3, 12.1.6 | 164.312(a)(2)(iv) | Encryption and Decryption | Addressable | Me |
| 8.1.3, 8.6.2, 9.7.1, 9.7.2, 12.3.1, 12.3.2, 10.3.4, 9.7.3, 4.1.6, 4.1.7 | 164.312(b) | Audit Controls | | Pro sys |
| 12.1.3, 10.2.1, 10.4.2 | 164.312(c)(1) | Integrity | | P& alt |
| 10.2.3, 8.1.6 | 164.312(c)(2) | Mechanism to Authenticate Electronic Protected Health Information | Addressable | Me |
| 9.4.3, 9.5.3, 8.76, 4.2.1, 9.2.1, 9.2.2, 10.2.1, 10.3.3 | 164.312(d) | Person or Entity Authentication | | Pro |
| 10.3.1, 10.3.4, 10.2.4, 4.2.1 | 164.312(e)(1) | Transmission Security | | Me ac |
| 12.1.3, 10.3.4, 8.7.4, 7.2.3, 8.7.6, 9.4.3, 9.4.3-9.4.9, 9.6.2, 10.2.2, 10.2.4, 10.4.3 | 164.312(e)(2)(i) | Integrity Controls | Addressable | Me tra |
| 8.5.1, 8.7.4, 10.3.1, 10.3.2, 10.3.3, 10.4.2, 12.1.6 | 164.312(e)(2)(ii) | Encryption | Addressable | Me |
| | | ORGANIZATIONAL REQUIREMENTS | | |
| 4.2.2, 4.3.1, 8.1.6, 12.1.1, 4.2.1, 8.2.1, 4.1.6 | 164.314(a)(1) | Business Associate Contracts or Other Arrangements | | CE |
| 4.2.2, 4.3.1, 8.1.6, 8.7.1, 12.1.1, 8.7.4 | 164.314(a)(2) | Business Associate Contracts | | BA |
| N/A | 164.314(b)(1) | Requirements for Group Health Plans | | Pla sa |
| | 164.314(b)(2)(i) | Implement Safeguards | | Pl |
| N/A | 164.314(b)(2)(ii) | Ensure Adequate Separation | | Se pla |
| N/A | 164.314(b)(2)(iii) | Ensure Agents Safeguard | | En |
| N/A | 164.314(b)(2)(iv) | Report Security Incidents | | Pla pla |
| 3.1.1, 8.1.1, 12.1.4 (Privacy 6.1.3, 7.3.1, 8.7.4, 8.7.7), 12.1.1, 9.8.2, 12.1.2, 12.2.1, 12.1.4 | 164.316(a) | Policies and Procedures | | P& |
| 8.1.1, 12.1.1, 12.2.1 | 164.316(b)(1) | Documentation | | Do |
| | 164.316(b)(2)(i) | Time Limit | | Re |
| | 164.316(b)(2)(ii) | Availability | | Do ad |
| 4.1.7, 12.1.1 | 164.316(b)(2)(iii) | Updates | | Pene |
Administrative Safeguards
| Standards | CFR Sections | Implementation Specifications |
|---|---|---|
| Security Management Process | 164.308(a)(1) | Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R) |
| Assigned Security Responsibility | 164.308(a)(2) | none (R) |
| Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A) |
| Information Access Management | 164.308(a)(4) | Isolating Healthcare Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A) |
| Security Awareness and Training | 164.308(a)(5) | Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A) |
| Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R) |
| Contingency Plan | 164.308(a)(7) | Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A) |
| Standards | CFR Sections | Implementation Specifications |
|---|---|---|
| Workstation Use | 164.310(b) | none (R) |
| Workstation Security | 164.310(c) | none (R) |
| Device and Media Controls | 164.310(d)(1) | Media Disposal (R); Media Re-use (R); Media Accountability (A); Data Backup and Storage (during transfer) (A) |

Technical Safeguards
| Standards | CFR Sections | Implementation Specifications |
|---|---|---|
| Access Control | 164.312(a)(1) | Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (data at rest) (A) |
| Audit Controls | 164.312(b) | none (R) |
| Integrity | 164.312(c)(1) | Protection Against Improper Alteration or Destruction (A) |
| Person or Entity Authentication | 164.312(d) | none (R) |
| Transmission Security | 164.312(e)(1) | Integrity Controls (A); Encryption (FTP and Email over Internet) (A) |
NIST Resource Guide for Implementing HIPAA (DRAFT NIST SP 800-66, http://csrc.nist.gov/publications/drafts/DRAFT-sp800-66.pdf)

NIST Publication # | Publication Title | URL

NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
NIST SP 800-18 | Guide for Developing Security Plans for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-18/Planguide.PDF
NIST SP 800-26 | Security Self-Assessment Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf
NIST SP 800-27 | Engineering Principles for Information Technology Security (Baseline for Achieving Security) | http://csrc.nist.gov/publications/nistpubs/800-27/sp800-27.pdf
NIST SP 800-30 | Risk Management Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
NIST SP 800-37 | Guide for the Security Certification and Accreditation of Federal Information Systems | http://csrc.nist.gov/publications/nistpubs/800-37/SP800-37-final.pdf
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf
NIST SP 800-60 | Guide for Mapping Types of Information and Information Systems to Security Categories | http://csrc.nist.gov/publications/drafts/800-60v1f.pdf (Vol. 1); http://csrc.nist.gov/publications/drafts/sp800-60V2f.pdf (Vol. 2)
FIPS 199 | Standards for Security Categorization of Federal Information and Information Systems | http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

NIST SP 800-12 chapter 5 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
NIST SP 800-26 | Security Self-Assessment Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf

NIST SP 800-12 chapter 3 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
NIST SP 800-26 | Security Self-Assessment Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf

NIST SP 800-12 chapter 17 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
NIST SP 800-18 | Guide for Developing Security Plans for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-18/Planguide.PDF
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf
NIST SP 800-63 | Recommendation for Electronic Authentication | http://csrc.nist.gov/publications/drafts/draft-sp800-63.pdf

NIST SP 800-12 chapter 17 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
NIST SP 800-16 | IT Security Training Requirements: Role and Performance Based Model | http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf (part 1); http://csrc.nist.gov/publications/nistpubs/800-16/AppendixA-D.pdf (part 2); http://csrc.nist.gov/publications/nistpubs/800-16/Appendix_E.pdf (part 3)
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf

NIST SP 800-12 chapter 13 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf

NIST SP 800-12 chapter 12 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
NIST SP 800-18 | Guide for Developing Security Plans for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-18/Planguide.PDF
NIST SP 800-26 | Security Self-Assessment Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf
NIST SP 800-30 | Risk Management Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf

NIST SP 800-34 | Contingency Planning Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf

NIST SP 800-12 chapter 15 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf

NIST SP 800-12 chapter 15 & 16 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf

NIST SP 800-12 chapter 15 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
NIST SP 800-34 | Contingency Planning Guide for Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf

NIST SP 800-12 chapter 14 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf
NIST SP 800-56 | Recommendation on Key Establishment Schemes | http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html
NIST SP 800-57 | Recommendation on Key Management | http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html
NIST SP 800-63 | Recommendation for Electronic Authentication | http://csrc.nist.gov/publications/drafts/draft-sp800-63.pdf
FIPS 140-2 | Security Requirements for Cryptographic Modules | http://csrc.nist.gov/cryptval/140-2.htm

NIST SP 800-12 chapter 17 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf

NIST SP 800-12 chapter 18 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
NIST SP 800-42 | Guideline on Network Security Testing | http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf
NIST SP 800-44 | Guidelines on Securing Public Web Servers | http://csrc.nist.gov/publications/nistpubs/800-44/sp800-44.pdf
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf

NIST SP 800-12 chapter 5 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf
NIST SP 800-63 | Recommendation for Electronic Authentication | http://csrc.nist.gov/publications/drafts/draft-sp800-63.pdf

NIST SP 800-12 chapter 16 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
NIST SP 800-42 | Guideline on Network Security Testing | http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems | http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf
NIST SP 800-63 | Recommendation for Electronic Authentication | http://csrc.nist.gov/publications/drafts/draft-sp800-63.pdf
FIPS 140-2 | Security Requirements for Cryptographic Modules | http://csrc.nist.gov/cryptval/140-2.htm

NIST SP 800-12 chapter 16 & 19 | An Introduction to Computer Security: The NIST Handbook | http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
ISO 17799 Audit Check List to Information Security & Privacy Management

Columns: Standard | Section | ISO Audit Question | Possible HIPAA Privacy Policy Impact | Practice in Place? | Procedure or Control Documented?
The HIPAA impact is shown in brackets after each question where the checklist gives one; the "Practice in Place?" and "Procedure or Control Documented?" columns are empty on the page (checklist fields).

Security Policy

3.1 Information security policy

3.1.1 Information security policy document
  - Whether there exists an Information security policy, which is approved by the management, published and communicated as appropriate to all employees. [HIPAA impact: Privacy Protections, Safeguards]
  - Whether it states the management commitment and sets out the organizational approach to managing information security.

3.1.2 Review and evaluation
  - Whether the Security policy has an owner, who is responsible for its maintenance and review according to a defined review process.
  - Whether the process ensures that a review takes place in response to any changes affecting the basis of the original assessment, for example significant security incidents, new vulnerabilities or changes to organizational or technical infrastructure. [HIPAA impact: Privacy Protections]

Organizational Security

4.1 Information security infrastructure

4.1.1 Management information security forum
  - Whether there is a management forum to ensure there is a clear direction and visible management support for security initiatives within the organization.

4.1.2 Information security coordination
  - Whether there is a cross-functional forum of management representatives from relevant parts of the organization to coordinate the implementation of information security controls. [HIPAA impact: Privacy Official]

4.1.3 Allocation of information security responsibilities
  - Whether responsibilities for the protection of individual assets and for carrying out specific security processes were clearly defined.

4.1.4 Authorization process for information processing facilities
  - Whether there is a management authorization process in place for any new information processing facility. This should include all new facilities such as hardware and software. [HIPAA impact: Privacy Protections]

4.1.5 Specialist information security advice
  - Whether specialist information security advice is obtained where appropriate. A specific individual may be identified to co-ordinate in-house knowledge and experiences to ensure consistency, and provide help in security decision making. [HIPAA impact: Privacy Official]
4.1.6 Co-operation between organizations
  - Whether appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunication operators were maintained to ensure that appropriate action can be quickly taken and advice obtained, in the event of a security incident. [HIPAA impact: Business Associate Agreements]

4.1.7 Independent review of information security
  - Whether the implementation of security policy is reviewed independently on a regular basis. This is to provide assurance that organizational practices properly reflect the policy, and that it is feasible and effective.

4.2 Security of third party access

4.2.1 Identification of risks from third party access
  - Whether risks from third party access are identified and appropriate security controls implemented. [HIPAA impact: Business Associate Agreements]
  - Whether the types of accesses are identified, classified and reasons for access are justified. [HIPAA impact: Business Associate Agreements]

4.2.2 Security requirements in third party contracts
  - Whether there is a formal contract containing, or referring to, all the security requirements to ensure compliance with the organization's security policies and standards. [HIPAA impact: Business Associate Agreements]
4.3 Outsourcing

4.3.1 Security requirements in outsourcing contracts
  - Whether security requirements are addressed in the contract with the third party, when the organization has outsourced the management and control of all or some of its information systems, networks and/or desktop environments. [HIPAA impact: Business Associate Agreements]
  - The contract should address how the legal requirements are to be met, how the security of the organization's assets is maintained and tested, the right of audit, physical security issues and how the availability of the services is to be maintained in the event of disaster. [HIPAA impact: Business Associate Agreements]

Asset classification and control

5.1 Accountability of assets

5.1.1 Inventory of assets
  - Whether an inventory or register is maintained with the important assets associated with each information system.
  - Whether each asset identified has an owner, the security classification defined and agreed and the location identified.

5.2 Information classification

5.2.1 Classification guidelines
  - Whether there is an Information classification scheme or guideline in place, which will assist in determining how the information is to be handled and protected. [HIPAA impact: Minimum Necessary, Use and Disclosure]

5.2.2 Information labeling and handling
  - Whether an appropriate set of procedures is defined for information labeling and handling in accordance with the classification scheme adopted by the organization. [HIPAA impact: Minimum Necessary, Use and Disclosure]
Personnel Security

6.1 Security in job definition and resourcing

6.1.1 Including security in job responsibilities
  - Whether security roles and responsibilities as laid down in the organization's information security policy are documented where appropriate. [HIPAA impact: Workforce]
  - This should include general responsibilities for implementing or maintaining security policy as well as specific responsibilities for protection of particular assets, or for extension of particular security processes or activities. [HIPAA impact: Workforce]

6.1.2 Personnel screening and policy
  - Whether verification checks on permanent staff were carried out at the time of job applications. [HIPAA impact: Workforce]
  - This should include character references, confirmation of claimed academic and professional qualifications and independent identity checks. [HIPAA impact: Workforce]

6.1.3 Confidentiality agreements
  - Whether employees are asked to sign a Confidentiality or non-disclosure agreement as a part of their initial terms and conditions of employment. [HIPAA impact: Workforce]
  - Whether this agreement covers the security of the information processing facility and organization assets. [HIPAA impact: Workforce]

6.1.4 Terms and conditions of employment
  - Whether the terms and conditions of employment cover the employee's responsibility for information security. Where appropriate, these responsibilities might continue for a defined period after the end of the employment. [HIPAA impact: Workforce]
6.2 User training

6.2.1 Information security education and training
  - Whether all employees of the organization and third party users (where relevant) receive appropriate Information Security training and regular updates in organizational policies and procedures. [HIPAA impact: Workforce]

6.3 Responding to security incidents and malfunctions

6.3.1 Reporting security incidents
  - Whether a formal reporting procedure exists, to report security incidents through appropriate management channels as quickly as possible. [HIPAA impact: Incident Reporting]

6.3.2 Reporting security weaknesses
  - Whether a formal reporting procedure or guideline exists for users, to report security weaknesses in, or threats to, systems or services. [HIPAA impact: Safeguards, Incident Reporting]

6.3.3 Reporting software malfunctions
  - Whether procedures were established to report any software malfunctions.

6.3.4 Learning from incidents
  - Whether there are mechanisms in place to enable the types, volumes and costs of incidents and malfunctions to be quantified and monitored. [HIPAA impact: Safeguards, Incident Reporting]

6.3.5 Disciplinary process
  - Whether there is a formal disciplinary process in place for employees who have violated organizational security policies and procedures. Such a process can act as a deterrent to employees who might otherwise be inclined to disregard security procedures. [HIPAA impact: Workforce]
Physical and Environmental Security

7.1 Secure Area

7.1.1 Physical Security Perimeter
  - What physical border security facility has been implemented to protect the Information processing service. [HIPAA impact: Safeguards]
  - Some examples of such security facility are card control entry gate, walls, manned reception etc. [HIPAA impact: Safeguards]

7.1.2 Physical entry Controls
  - What entry controls are in place to allow only authorized personnel into various areas within the organization. [HIPAA impact: Safeguards]

7.1.3 Securing Offices, rooms and facilities
  - Whether the rooms, which have the Information processing service, are locked or have lockable cabinets or safes. [HIPAA impact: Safeguards]
  - Whether the Information processing service is protected from natural and man-made disaster. [HIPAA impact: Safeguards]
  - Whether there is any potential threat from neighboring premises. [HIPAA impact: Safeguards]

7.1.4 Working in Secure Areas
  - The information is only on a need to know basis. Whether there exists any security control for third parties or for personnel working in secure areas. [HIPAA impact: Minimum Necessary, Use and Disclosure, Workforce]

7.1.5 Isolated delivery and loading areas
  - Whether the delivery area and information processing area are isolated from each other to avoid any unauthorized access. [HIPAA impact: Safeguards]
  - Whether a risk assessment was conducted to determine the security in such areas. [HIPAA impact: Safeguards]
7.2 Equipment Security

7.2.1 Equipment siting protection
  - Whether the equipment was located in an appropriate place to minimize unnecessary access into work areas. [HIPAA impact: Safeguards]
  - Whether the items requiring special protection were isolated to reduce the general level of protection required. [HIPAA impact: Safeguards]
  - Whether controls were adopted to minimize risk from potential threats such as theft, fire, explosives, smoke, water, dust, vibration, chemical effects, electrical supply interfaces, electromagnetic radiation, and flood. [HIPAA impact: Safeguards]
  - Whether there is a policy towards eating, drinking and smoking in proximity to information processing services.
  - Whether environmental conditions are monitored which would adversely affect the information processing facilities.

7.2.2 Power Supplies
  - Whether the equipment is protected from power failures by using permanence of power supplies such as multiple feeds, uninterruptible power supply (UPS), backup generator etc.

7.2.3 Cabling Security
  - Whether the power and telecommunications cable carrying data or supporting information services is protected from interception or damage. [HIPAA impact: Safeguards]
  - Whether there are any additional security controls in place for sensitive or critical information. [HIPAA impact: Safeguards]

7.2.4 Equipment Maintenance
  - Whether the equipment is maintained as per the supplier's recommended service intervals and specifications.
  - Whether the maintenance is carried out only by authorized personnel.
  - Whether logs are maintained with all suspected or actual faults and all preventive and corrective measures.
7.2.4 Equipment Maintenance (continued)
  - Whether appropriate controls are implemented while sending equipment off premises.
  - If the equipment is covered by insurance, whether the insurance requirements are satisfied.

7.2.5 Securing of equipment off-premises
  - Whether any equipment usage outside an organization's premises for information processing has to be authorized by the management. [HIPAA impact: Safeguards]
  - Whether the security provided for this equipment while outside the premises is on par with or more than the security provided inside the premises. [HIPAA impact: Safeguards]

7.2.6 Secure disposal or re-use of equipment
  - Whether storage devices containing sensitive information are physically destroyed or securely overwritten.

7.3 General Controls

7.3.1 Clear Desk and clear screen policy
  - Whether an automatic computer screen locking facility is enabled. This would lock the screen when the computer is left unattended for a period. [HIPAA impact: Safeguards]
  - Whether employees are advised to leave any confidential material in the form of paper documents, media etc., in a locked manner while unattended. [HIPAA impact: Safeguards]

7.3.2 Removal of property
  - Whether equipment, information or software can be taken offsite without appropriate authorization. [HIPAA impact: Safeguards]
  - Whether spot checks or regular audits were conducted to detect unauthorized removal of property. [HIPAA impact: Safeguards]
  - Whether individuals are aware of these types of spot checks or regular audits. [HIPAA impact: Safeguards, Workforce]
Communications and Operations Management

8.1 Operational Procedure and responsibilities

8.1.1 Documented Operating procedures
  - Whether the Security Policy has identified any Operating procedures such as Back-up, Equipment maintenance etc.
  - Whether such procedures are documented and used.

8.1.2 Operational Change Control
  - Whether all programs running on production systems are subject to strict change control, i.e., any change to be made to those production programs needs to go through the change control authorization.
  - Whether audit logs are maintained for any change made to the production programs.

8.1.3 Incident management procedures
  - Whether an Incident Management procedure exists to handle security incidents. [HIPAA impact: Privacy Incident]
  - Whether the procedure addresses the incident management responsibilities, orderly and quick response to security incidents. [HIPAA impact: Privacy Incident]
  - Whether the procedure addresses different types of incidents ranging from denial of service to breach of confidentiality etc., and ways to handle them. [HIPAA impact: Privacy Incident]
  - Whether the audit trails and logs relating to the incidents are maintained and proactive action taken in a way that the incident doesn't reoccur. [HIPAA impact: Privacy Incident]
8.1.4 Segregation of duties
  - Whether duties and areas of responsibility are separated in order to reduce opportunities for unauthorized modification or misuse of information or services. [HIPAA impact: Workforce]

8.1.5 Separation of development and operational facilities
  - Whether the development and testing facilities are isolated from operational facilities. For example, development software should run on a different computer to that of the computer with production software. Where necessary, development and production networks should be separated from each other.

8.1.6 External facilities management
  - Whether any of the Information processing facilities is managed by an external company or contractor (third party). [HIPAA impact: Business Associate Agreements]
  - Whether the risks associated with such management are identified in advance, discussed with the third party and appropriate controls were incorporated into the contract. [HIPAA impact: Business Associate Agreements]
  - Whether necessary approval is obtained from business and application owners. [HIPAA impact: Business Associate Agreements]

8.2 System planning and acceptance

8.2.1 Capacity Planning
  - Whether the capacity demands are monitored and projections of future capacity requirements are made. This is to ensure that adequate processing power and storage is available. Example: Monitoring Hard disk space, RAM, CPU on critical servers.

8.2.2 System acceptance
  - Whether System acceptance criteria are established for new information systems, upgrades and new versions.
  - Whether suitable tests were carried out prior to acceptance.
8.3 Protection against malicious software

8.3.1 Control against malicious software
  - Whether there exists any control against malicious software usage.
  - Whether the security policy addresses software-licensing issues such as prohibiting usage of unauthorized software.
  - Whether there exists any Procedure to verify all warning bulletins are accurate and informative with regards to the malicious software usage.
  - Whether Antiviral software is installed on the computers to check and isolate or remove any viruses from computer and media. [HIPAA impact: Safeguards]
  - Whether this software's signatures are updated on a regular basis to check for any latest viruses.
  - Whether all the traffic originating from un-trusted networks into the organization is checked for viruses. Example: Checking for viruses on email, email attachments and on the web, FTP traffic.

8.4 Housekeeping

8.4.1 Information backup
  - Whether Backups of essential business information such as production server, critical network components, configuration backup etc., were taken regularly. Example: Mon-Thu: Incremental Backup and Fri: Full Backup.
  - Whether the backup media along with the procedure to restore the backup are stored securely and well away from the actual site.
  - Whether the backup media are regularly tested to ensure that they could be restored within the time frame allotted in the operational procedure for recovery.

8.4.2 Operator logs
  - Whether Operational staff maintain a log of their activities such as name of the person, errors, corrective action etc.
  - Whether Operator logs are checked on a regular basis against the Operating procedures.

8.4.3 Fault Logging
  - Whether faults are reported and well managed. This includes corrective action being taken, review of the fault logs and checking the actions taken.

8.5 Network Management
8.5.1 Network Controls
  - Whether effective operational controls such as separate network and system administration facilities were established where necessary.
  - Whether responsibilities and procedures for management of remote equipment, including equipment in user areas, were established. [HIPAA impact: Workforce, Safeguards]
  - Whether there exist any special controls to safeguard confidentiality and integrity of data processing over the public network and to protect the connected systems. Example: Virtual Private Networks, other encryption and hashing mechanisms etc.

8.6 Media handling and Security

8.6.1 Management of removable computer media
  - Whether there exists a procedure for management of removable computer media such as tapes, disks, cassettes, memory cards and reports. [HIPAA impact: Safeguards]

8.6.2 Disposal of Media
  - Whether the media that are no longer required are disposed of securely and safely. [HIPAA impact: Safeguards]
  - Whether disposal of sensitive items is logged where necessary in order to maintain an audit trail.

8.6.3 Information handling procedures
  - Whether there exists a procedure for handling the storage of information. Does this procedure address issues such as information protection from unauthorized disclosure or misuse. [HIPAA impact: Use and Disclosure, Minimum Necessary, Safeguards]

8.6.4 Security of system documentation
  - Whether the system documentation is protected from unauthorized access.
  - Whether the access list for the system documentation is kept to a minimum and authorized by the application owner. Example: if system documentation needs to be kept on a shared drive for specific purposes, the document needs to have Access Control Lists enabled (to be accessible only by limited users).

8.7 Exchange of Information and software

8.7.1 Information and software exchange agreement
  - Whether there exists any formal or informal agreement between the organizations for exchange of information and software. [HIPAA impact: Designated Record Set (Data Use Agreement), Business Associate Contracts]
Standard Section ISO Audit Question
Possible HIPAA
Privacy Policy
Impact
Practice in Place?
Procedure or
Control
Documented?
ISO 17799 Audit Check List to Information Security & Privacy Management
8.7.1 Information and software exchange agreement (continued)
  ISO Audit Question: Whether the agreement addresses the security issues based on the sensitivity of the business information involved.
  Possible HIPAA Privacy Policy Impact: Designated Record Set (Data Use Agreement), Business Associate Contracts

8.7.2 Security of Media in transit
  ISO Audit Question: Whether security of media while being transported is taken into account.
  Possible HIPAA Privacy Policy Impact: Safeguards
  ISO Audit Question: Whether the media is well protected from unauthorized access, misuse or corruption.
  Possible HIPAA Privacy Policy Impact: Safeguards

8.7.3 Electronic Commerce security
  ISO Audit Question: Whether Electronic commerce is well protected and controls are implemented to protect against fraudulent activity, contract dispute and disclosure or modification of information.
  ISO Audit Question: Whether Security controls such as Authentication and Authorization are considered in the ECommerce environment.
8.7.3 Electronic Commerce security (continued)
  ISO Audit Question: Whether electronic commerce arrangements between trading partners include a documented agreement which commits both parties to the agreed terms of trading, including details of security issues.
  Possible HIPAA Privacy Policy Impact: Business Associate Agreements

8.7.4 Security of Electronic email
  ISO Audit Question: Whether there is a policy in place for the acceptable use of electronic mail, or whether the security policy addresses the issues with regard to use of electronic mail.
  Possible HIPAA Privacy Policy Impact: Safeguards
  ISO Audit Question: Whether controls such as antivirus checking, isolating potentially unsafe attachments, spam control, anti-relaying etc. are put in place to reduce the risks created by electronic email.
  Possible HIPAA Privacy Policy Impact: Safeguards

8.7.5 Security of Electronic office systems
  ISO Audit Question: Whether there is an Acceptable use policy to address the use of Electronic office systems.
  Possible HIPAA Privacy Policy Impact: Safeguards
  ISO Audit Question: Whether there are any guidelines in place to effectively control the business and security risks associated with the electronic office systems.
  Possible HIPAA Privacy Policy Impact: Safeguards

8.7.6 Publicly available systems
  ISO Audit Question: Whether there is any formal authorization process in place for information to be made publicly available, such as approval from Change Control which includes Business, Application owner etc.
  Possible HIPAA Privacy Policy Impact: Workforce
  ISO Audit Question: Whether there are any controls in place to protect the integrity of such publicly available information from any unauthorized access. This might include controls such as firewalls, Operating system hardening, any Intrusion detection type of tools used to monitor the system etc.
  Possible HIPAA Privacy Policy Impact: Workforce, Safeguards

8.7.7 Other forms of information exchange
  ISO Audit Question: Whether there are any policies, procedures or controls in place to protect the exchange of information through the use of voice, facsimile and video communication facilities.
  Possible HIPAA Privacy Policy Impact: Safeguards, Use and Disclosure
8.7.7 Other forms of information exchange (continued)
  ISO Audit Question: Whether staff are reminded to maintain the confidentiality of sensitive information while using such forms of information exchange facility.
  Possible HIPAA Privacy Policy Impact: Workforce, Safeguards

9 Access Control

9.1 Business Requirements for Access Control

9.1.1 Access Control Policy
  ISO Audit Question: Whether the business requirements for access control have been defined and documented.
  Possible HIPAA Privacy Policy Impact: Safeguards, Workforce, Business Associate Agreements
  ISO Audit Question: Whether the Access control policy addresses the rules and rights for each user or group of users.
  Possible HIPAA Privacy Policy Impact: Safeguards, Workforce, Business Associate Agreements
  ISO Audit Question: Whether the users and service providers were given a clear statement of the business requirement to be met by access controls.
  Possible HIPAA Privacy Policy Impact: Safeguards, Workforce, Business Associate Agreements, Designated Record Sets

9.2 User Access Management

9.2.1 User Registration
  ISO Audit Question: Whether there is any formal user registration and de-registration procedure for granting access to multi-user information systems and services.
  Possible HIPAA Privacy Policy Impact: Minimum Necessary, Workforce

9.2.2 Privilege Management
  ISO Audit Question: Whether the allocation and use of any privileges in a multi-user information system environment is restricted and controlled, i.e., privileges are allocated on a need-to-use basis, and privileges are allocated only after a formal authorization process.
  Possible HIPAA Privacy Policy Impact: Minimum Necessary, Workforce

9.2.3 User Password Management
  ISO Audit Question: The allocation and reallocation of passwords should be controlled through a formal management process.
  Possible HIPAA Privacy Policy Impact: Safeguards
  ISO Audit Question: Whether the users are asked to sign a statement to keep the password confidential.
  Possible HIPAA Privacy Policy Impact: Workforce

9.2.4 Review of user access rights
  ISO Audit Question: Whether there exists a process to review user access rights at regular intervals. Example: Special privilege review every 3 months, normal privileges every 6 months.

9.3 User Responsibilities

9.3.1 Password use
  ISO Audit Question: Whether there are any guidelines in place to guide users in selecting and maintaining secure passwords.
  Possible HIPAA Privacy Policy Impact: Safeguards
9.3.2 Unattended user equipment
  ISO Audit Question: Whether the users and contractors are made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibility to implement such protection. Example: Log off when the session is finished or set up auto log-off, terminate sessions when finished etc.
  Possible HIPAA Privacy Policy Impact: Business Associate Agreements, Workforce

9.4 Network Access Control

9.4.1 Policy on use of network services
  ISO Audit Question: Whether there exists a policy that addresses concerns relating to networks and network services such as: parts of the network to be accessed, authorization services to determine who is allowed to do what, and procedures to protect the access to network connections and network services.
  Possible HIPAA Privacy Policy Impact: Minimum Necessary, Workforce

9.4.2 Enforced path
  ISO Audit Question: Whether there is any control that restricts the route between the user terminal and the designated computer services the user is authorized to access, for example an enforced path to reduce the risk.
  Possible HIPAA Privacy Policy Impact: Safeguards

9.4.3 User authentication for external connections
  ISO Audit Question: Whether there exists any authentication mechanism for challenging external connections. Examples: cryptography based technique, hardware tokens, software tokens, challenge/response protocol etc.

9.4.4 Node Authentication
  ISO Audit Question: Whether connections to remote computer systems that are outside the organization's security management are authenticated. Node authentication can serve as an alternate means of authenticating groups of remote users where they are connected to a secure, shared computer facility.

9.4.5 Remote diagnostic port protection
  ISO Audit Question: Whether access to diagnostic ports is securely controlled, i.e., protected by a security mechanism.

9.4.6 Segregation in networks
  ISO Audit Question: Whether the network (where business partners and/or third parties need access to the information system) is segregated using perimeter security mechanisms such as firewalls.

9.4.7 Network connection protocols
  ISO Audit Question: Whether there exists any network connection control for shared networks that extend beyond the organizational boundaries. Example: electronic mail, web access, file transfers, etc.
9.4.8 Network routing control
  ISO Audit Question: Whether there exists any network control to ensure that computer connections and information flows do not breach the access control policy of the business applications. This is often essential for networks shared with non-organization users.
  ISO Audit Question: Whether the routing controls are based on positive source and destination identification mechanisms. Example: Network Address Translation (NAT).

9.4.9 Security of network services
  ISO Audit Question: Whether the organization, using public or private network services, ensures that a clear description of the security attributes of all services used is provided.

9.5 Operating system access control

9.5.1 Automatic terminal identification
  ISO Audit Question: Whether an automatic terminal identification mechanism is used to authenticate connections.

9.5.2 Terminal log-on procedures
  ISO Audit Question: Whether access to the information system is attainable only via a secure log-on process.
  Possible HIPAA Privacy Policy Impact: Safeguards
  ISO Audit Question: Whether there is a procedure in place for logging in to an information system. This is to minimize the opportunity of unauthorized access.
  Possible HIPAA Privacy Policy Impact: Safeguards

9.5.3 User identification and authorization
  ISO Audit Question: Whether a unique identifier is provided to every user such as operators, system administrators and all other staff including technical. Generic user accounts should only be supplied under exceptional circumstances where there is a clear business benefit. Additional controls may be necessary to maintain accountability.
  ISO Audit Question: Whether the authentication method used substantiates the claimed identity of the user; commonly used method: a password that only the user knows.

9.5.4 Password management system
  ISO Audit Question: Whether there exists a password management system that enforces various password controls such as: individual passwords for accountability, enforced password changes, passwords stored in encrypted form, passwords not displayed on screen etc.

9.5.5 Use of system utilities
  ISO Audit Question: Whether the system utilities that come with computer installations, but may override system and application controls, are tightly controlled.

9.5.6 Duress alarm to safeguard users
  ISO Audit Question: Whether provision of a duress alarm is considered for users who might be the target of coercion.
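The controls listed under 9.5.3 and 9.5.4 (one account per person, passwords held only in a protected form, enforced password changes, no plaintext on screen or at rest) are easier to audit when you can see what a conforming implementation looks like. The following is an added example, not part of the checklist or of any product it refers to: a small password management store in Python. Where the checklist says "encrypted form", the example uses salted one-way hashing (PBKDF2-HMAC-SHA256), which is the usual way to meet that control today; the policy values (90-day maximum age, 12-character minimum, a history of 4 passwords, 600,000 hash rounds) and the user names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy values are assumptions for this example, not figures from the checklist.
PBKDF2_ROUNDS = 600_000                 # work factor of the one-way hash
MAX_PASSWORD_AGE = timedelta(days=90)   # "enforce password changes"
MIN_LENGTH = 12
HISTORY_DEPTH = 4                       # recent passwords that may not be reused


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256.

    A fresh random salt is drawn when none is supplied, so two users with
    the same password get different digests and the plaintext is never kept."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class PasswordStore:
    """A minimal password management system: one record per named user
    (individual passwords for accountability), only salted one-way hashes
    at rest, an enforced maximum password age, and no reuse of recent
    passwords. Plaintext passwords are never stored, logged or returned."""

    def __init__(self):
        self._records = {}   # username -> {"salt", "digest", "changed", "history"}

    def set_password(self, username: str, password: str, now: datetime) -> None:
        if len(password) < MIN_LENGTH:
            raise ValueError("password shorter than the policy minimum")
        rec = self._records.get(username, {"history": []})
        # Re-derive the candidate with each old salt to detect reuse without
        # ever keeping the old plaintext.
        for old_salt, old_digest in rec["history"]:
            if hmac.compare_digest(hash_password(password, old_salt)[1], old_digest):
                raise ValueError("password was used recently")
        salt, digest = hash_password(password)
        rec.update({"salt": salt, "digest": digest, "changed": now})
        rec["history"] = ([(salt, digest)] + rec["history"])[:HISTORY_DEPTH]
        self._records[username] = rec

    def verify(self, username: str, password: str, now: datetime) -> str:
        """Return 'ok', 'change_required' (older than MAX_PASSWORD_AGE) or 'denied'."""
        rec = self._records.get(username)
        if rec is None:
            hash_password(password)   # same cost as a real check, so timing does not reveal valid names
            return "denied"
        _, candidate = hash_password(password, rec["salt"])
        if not hmac.compare_digest(candidate, rec["digest"]):
            return "denied"
        if now - rec["changed"] > MAX_PASSWORD_AGE:
            return "change_required"
        return "ok"


def demo():
    """Exercise each control with constructed data; returns the outcomes."""
    store = PasswordStore()
    t0 = datetime(2019, 7, 31, tzinfo=timezone.utc)
    store.set_password("alice", "correct horse battery", t0)
    results = {
        "good_password": store.verify("alice", "correct horse battery", t0 + timedelta(days=10)),
        "wrong_password": store.verify("alice", "wrong password here", t0),
        "unknown_user": store.verify("nobody", "correct horse battery", t0),
        "stale_password": store.verify("alice", "correct horse battery", t0 + timedelta(days=91)),
    }
    try:
        store.set_password("alice", "correct horse battery", t0 + timedelta(days=91))
        results["reuse"] = "accepted"
    except ValueError:
        results["reuse"] = "rejected"
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

An auditor working through 9.5.4 can map each control to a line: the per-user record gives accountability, `hash_password` covers protected storage, `MAX_PASSWORD_AGE` in `verify` covers enforced changes, and the history check prevents cycling back to an old password. Passwords are accepted as function arguments only; how they are read from a terminal without echo is a separate concern of the front end.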
9.5.7 Terminal time-out
  ISO Audit Question: Inactive terminals in public areas should be configured to clear the screen or shut down automatically after a defined period of inactivity.
  Possible HIPAA Privacy Policy Impact: Safeguards

9.5.8 Limitation of connection time
  ISO Audit Question: Whether there exist any restrictions on connection time for high-risk applications. This type of set-up should be considered for sensitive applications for which the terminals are installed in high-risk locations.
  Possible HIPAA Privacy Policy Impact: Safeguards
9.6 Application Access Control

9.6.1 Information access restriction
  ISO Audit Question: Whether access to applications by the various groups/personnel within the organization is defined in the access control policy as per the individual business application requirement and is consistent with the organization's Information access policy.
  Possible HIPAA Privacy Policy Impact: Minimum Necessary, Workforce, Safeguards

9.6.2 Sensitive system isolation
  ISO Audit Question: Whether sensitive systems are provided with an isolated computing environment, such as running on a dedicated computer, sharing resources only with trusted application systems, etc.
  Possible HIPAA Privacy Policy Impact: Minimum Necessary, Workforce, Safeguards

9.7 Monitoring system access and use

9.7.1 Event logging
  ISO Audit Question: Whether audit logs recording exceptions and other security relevant events are produced and kept for an agreed period to assist in future investigations and access control monitoring.

9.7.2 Monitoring system use
  ISO Audit Question: Whether procedures are set up for monitoring the use of information processing facilities. The procedure should ensure that the users are performing only the activities that are explicitly authorized.
  Possible HIPAA Privacy Policy Impact: Minimum Necessary, Workforce, Safeguards
  ISO Audit Question: Whether the results of the monitoring activities are reviewed regularly.

9.7.3 Clock synchronization
  ISO Audit Question: Where the computer or communication device has the capability of operating a real time clock, it should be set to an agreed standard such as Universal Coordinated Time or local standard time. The correct setting of the computer clock is important to ensure the accuracy of the audit logs.
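Items 9.7.1 to 9.7.3 belong together in practice: events are only useful for investigation if every record carries a timestamp against an agreed standard, is kept for the agreed period, and is actually reviewed. The following is an added example, not part of the checklist: a Python audit-event writer that forces UTC timestamps, a clock-drift check against a reference time, and a review routine run over constructed log lines that reports failures per user, records whose timestamp is ahead of the reviewer's clock (a sign of an unsynchronized source), and records past the retention period. The retention period (365 days), the drift tolerance (5 seconds), the user names and the 10.0.0.0/8 addresses are assumptions for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed policy values; the checklist only asks that they be agreed.
RETENTION = timedelta(days=365)          # "kept for an agreed period"
MAX_CLOCK_DRIFT = timedelta(seconds=5)   # tolerance against the reference clock


def audit_event(event, user, outcome, when, **details):
    """Serialize one security-relevant event as a JSON line.

    The timestamp is normalized to UTC (the agreed standard); naive datetimes
    are refused so that no record reaches the log with an ambiguous zone."""
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    record = {
        "ts": when.astimezone(timezone.utc).isoformat(),
        "event": event,
        "user": user,
        "outcome": outcome,
    }
    record.update(details)
    return json.dumps(record, sort_keys=True)


def clock_drift_ok(local_now, reference_now):
    """True when the local clock is within tolerance of the reference (e.g. an NTP source)."""
    return abs(local_now - reference_now) <= MAX_CLOCK_DRIFT


def review_log(lines, now):
    """Regular review of the log (9.7.2): who is failing, what looks mistimed,
    and what has passed the retention period and should be archived."""
    failures = {}
    clock_suspect = []
    expired = []
    for line in lines:
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"])
        if ts > now + MAX_CLOCK_DRIFT:
            clock_suspect.append(rec)          # written by a source whose clock runs ahead
        if now - ts > RETENTION:
            expired.append(rec)
        if rec["outcome"] != "success":
            failures[rec["user"]] = failures.get(rec["user"], 0) + 1
    return {"failures_by_user": failures, "clock_suspect": clock_suspect, "expired": expired}


# Constructed sample log; the times are relative to SAMPLE_NOW so the example is reproducible.
SAMPLE_NOW = datetime(2019, 7, 31, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    audit_event("login", "alice", "success", SAMPLE_NOW - timedelta(minutes=30), src="10.0.0.5"),
    audit_event("login", "bob", "failure", SAMPLE_NOW - timedelta(minutes=20), src="10.0.0.9"),
    audit_event("login", "bob", "failure", SAMPLE_NOW - timedelta(minutes=19), src="10.0.0.9"),
    audit_event("privilege_use", "bob", "failure", SAMPLE_NOW - timedelta(minutes=18), detail="not authorized"),
    audit_event("record_export", "carol", "success", SAMPLE_NOW + timedelta(hours=2)),   # source clock ahead
    audit_event("login", "dave", "success", SAMPLE_NOW - timedelta(days=400)),           # past retention
]


def demo_review():
    return review_log(SAMPLE_LOG, SAMPLE_NOW)


if __name__ == "__main__":
    print(json.dumps(demo_review(), indent=2))
```

The `clock_suspect` list is the practical link to 9.7.3: a record dated in the future cannot be placed in a sequence with the others, so an investigation cannot rely on it until the source's clock is corrected.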
9.8 Mobile computing and tele-working

9.8.1 Mobile computing
  ISO Audit Question: Whether a formal policy is adopted that takes into account the risks of working with computing facilities such as notebooks, palmtops etc., especially in unprotected environments.
  Possible HIPAA Privacy Policy Impact: Workforce, Safeguards
  ISO Audit Question: Whether training was arranged for staff who use mobile computing facilities, to raise their awareness of the additional risks resulting from this way of working and of the controls that need to be implemented to mitigate the risks.
  Possible HIPAA Privacy Policy Impact: Workforce, Safeguards

9.8.2 Teleworking
  ISO Audit Question: Whether there is any policy, procedure and/or standard to control teleworking activities; this should be consistent with the organization's security policy.
  Possible HIPAA Privacy Policy Impact: Workforce, Safeguards
9.8.2 Teleworking (continued)
  ISO Audit Question: Whether suitable protection of the teleworking site is in place against threats such as theft of equipment, unauthorized disclosure of information etc.
  Possible HIPAA Privacy Policy Impact: Workforce, Safeguards

10.1

10.1.1 Security requirements analysis and specification
  ISO Audit Question: Whether security requirements are incorporated as part of the business requirement statement for new systems or for enhancements to existing systems.
  Possible HIPAA Privacy Policy Impact: Safeguards
  ISO Audit Question: Security requirements and controls identified should reflect the business value of the information assets involved and the consequence of a failure of Security.
  Possible HIPAA Privacy Policy Impact: Safeguards
  ISO Audit Question: Whether risk assessments are completed prior to commencement of system development.
  Possible HIPAA Privacy Policy Impact: Safeguards

10.2

10.2.1 Input data validation
  ISO Audit Question: Whether data input to application systems is validated to ensure that it is correct and appropriate.
  ISO Audit Question: Whether controls such as: different types of inputs to check for error messages, procedures for responding to validation errors, defining responsibilities of all personnel involved in the data input process etc. are considered.
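Item 10.2.1 asks for three things an auditor should be able to point at in the code: checks on each kind of input, a defined response when a check fails, and clear ownership of the rejected records. The following is an added example, not part of the checklist: a Python validator for a constructed patient-record layout (the field names, the `P-nnnnnn` identifier format, the ward list and the dose limit are all assumptions for the example) that checks presence, type, format and range, refuses fields it does not expect, and a `handle_input` procedure that rejects the whole record and logs the rejection for the data-input owner without echoing the raw values into the log.

```python
import re
from datetime import date

# Field rules are assumptions for this example; a real application takes them
# from its own data dictionary.
PATIENT_ID = re.compile(r"^P-\d{6}$")
WARDS = {"A1", "A2", "B1", "ICU"}
REQUIRED = {"patient_id", "date_of_birth", "ward", "dose_mg"}
MAX_DOSE_MG = 1000


def validate_patient_record(rec, today):
    """Return a list of (field, problem) pairs; an empty list means acceptable.

    Every field is checked for presence, type, format and range, and fields the
    application does not expect are rejected rather than silently passed on."""
    errors = []
    for field in sorted(REQUIRED - rec.keys()):
        errors.append((field, "missing"))
    for field in sorted(rec.keys() - REQUIRED):
        errors.append((field, "unexpected field"))

    pid = rec.get("patient_id")
    if pid is not None and not (isinstance(pid, str) and PATIENT_ID.match(pid)):
        errors.append(("patient_id", "format must be P-nnnnnn"))

    dob = rec.get("date_of_birth")
    if dob is not None:
        try:
            if date.fromisoformat(dob) > today:
                errors.append(("date_of_birth", "in the future"))
        except (TypeError, ValueError):      # wrong type, or not a real calendar date
            errors.append(("date_of_birth", "not a YYYY-MM-DD date"))

    ward = rec.get("ward")
    if ward is not None and (not isinstance(ward, str) or ward not in WARDS):
        errors.append(("ward", "unknown ward"))

    dose = rec.get("dose_mg")
    if dose is not None:
        numeric = isinstance(dose, (int, float)) and not isinstance(dose, bool)
        if not numeric or not 0 < dose <= MAX_DOSE_MG:
            errors.append(("dose_mg", f"must be a number in (0, {MAX_DOSE_MG}]"))
    return errors


def handle_input(rec, today, log):
    """Procedure for responding to validation errors: reject the whole record,
    write a line the data-input owner reviews, and return the field-level
    problems to the caller. Raw field values are kept out of the log."""
    errors = validate_patient_record(rec, today)
    if errors:
        fields = ", ".join(field for field, _ in errors)
        log.append(f"rejected record ({len(errors)} error(s): {fields})")
        return {"accepted": False, "errors": errors}
    return {"accepted": True, "errors": []}


# Constructed sample inputs.
TODAY = date(2019, 7, 31)
GOOD_RECORD = {"patient_id": "P-000123", "date_of_birth": "1980-02-29", "ward": "ICU", "dose_mg": 250}
BAD_RECORD = {"patient_id": "P-12", "date_of_birth": "2030-01-01", "ward": "Z9", "dose_mg": "250", "note": "x"}

if __name__ == "__main__":
    review_log = []
    for record in (GOOD_RECORD, BAD_RECORD):
        print(handle_input(record, TODAY, review_log))
    print("\n".join(review_log))
```

Returning every problem at once, rather than stopping at the first, is what makes the "different types of inputs to check for error messages" control testable: a tester can feed one record with several bad fields and confirm each message appears.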
10.2.2 Control of internal processing
  ISO Audit Question: Whether areas of risk are identified in the processing cycle and validation checks were included. In some cases the data that has been correctly entere