LISTA DE CHECKLIST DE NORMATIVA HIPAA-ISO 27001 (HIPAA - ISO 27001 regulatory checklist)

HIPAA - ISO 27001 COMPLIANCE MAPPING FRAMEWORK

Each row maps one HIPAA Security Rule standard (45 CFR 164.308 - 164.312) and its implementation specification to the ISO/IEC 27001:2013 clause or Annex A control that addresses it, followed by the Organisation's response. The source table also carries a "Compliance" column for the assessor's rating; it is blank in the source and is omitted here.

Security Management Process - 164.308(a)(1)

  Risk Analysis
    ISO 27001:2013: 6.1.2 Information security risk assessment; 8.2 Information security risk assessment
    Organisation response: The Organisation has defined a risk management programme in line with ISO 31000 and ISO 27001. Risk assessments are performed periodically and the identified risks are monitored.

  Risk Management
    ISO 27001:2013: 6.1.3 Information security risk treatment; 8.3 Information security risk treatment
    Organisation response: The same risk management programme (ISO 31000 and ISO 27001) covers treatment of the assessed risks; risk assessment and monitoring of the risks are performed periodically.

  Sanction Policy
    ISO 27001:2013: A.7.2.3 Disciplinary process
    Organisation response: The Organisation has defined a formal information security disciplinary process. It is established to ensure correct and fair treatment of employees who are suspected of committing information security breaches.

  Information System Activity Review
    ISO 27001:2013: A.12.4.1 Event logging; A.12.4.3 Administrator and operator logs; A.16.1.2 Reporting information security events; A.16.1.3 Reporting information security weaknesses
    Organisation response: The Organisation has defined and documented policies and controls for incident management, covering:
      - the definition of an incident (e.g. security breaches, data loss, system downtime, malicious activity);
      - incident reporting timelines and procedures;
      - root cause analysis and reporting to avoid recurrence.
    Evidence of incident management activities, including incident logging and root cause analysis, is maintained according to regulatory and contractual requirements.

Assigned Security Responsibility - 164.308(a)(2)
    ISO 27001:2013: A.6.1.1 Information security roles and responsibilities
    Organisation response: Responsibilities for the protection of individual assets and for carrying out specific information security processes are identified. Responsibilities for information security risk management activities, and in particular for acceptance of residual risks, are defined.

Workforce Security - 164.308(a)(3)

  Authorization and/or Supervision
    ISO 27001:2013: A.9.2.2 User access provisioning
    Organisation response: The process for managing user IDs includes:
      a) using unique user IDs so that users can be linked to and held responsible for their actions; shared IDs are permitted only where they are necessary for business or operational reasons, and are approved and documented;
      b) immediately disabling or removing the user IDs of users who have left the Organisation;
      c) periodically identifying and removing or disabling redundant user IDs;
      d) ensuring that redundant user IDs are not issued to other users.

  Workforce Clearance Procedure
    ISO 27001:2013: A.9.2.5 Review of user access rights
    Organisation response: The review of access rights considers the following:
      a) users' access rights are reviewed at regular intervals and after any change, such as promotion, demotion or termination of employment;
      b) user access rights are reviewed and re-allocated when a user moves from one role to another within the Organisation;
      c) authorizations for privileged access rights are reviewed at more frequent intervals;
      d) privilege allocations are checked at regular intervals to ensure that unauthorized privileges have not been obtained;
      e) changes to privileged accounts are logged for periodic review.
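The two lists above (user ID management under A.9.2.2 and review of access rights under A.9.2.5) are exactly the checks a periodic access review can run mechanically against an HR roster and an identity-store export. The Python below is an added example written for this page, not code from the source or from any product: the record layout, the sample roster and accounts, and the review intervals (30 days for privileged accounts, 90 days of inactivity for a "redundant" ID, 180 days for ordinary accounts) are assumptions chosen for illustration; the page fixes no numbers.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Review thresholds: assumptions for this example, not values from the page.
DORMANT_DAYS = 90            # no sign-in for this long => redundant user ID (item c)
PRIV_REVIEW_DAYS = 30        # privileged access reviewed more frequently (item c of A.9.2.5)
STANDARD_REVIEW_DAYS = 180   # regular review interval for ordinary accounts (item a)


@dataclass
class Account:
    user_id: str
    owner: Optional[str]              # HR employee id; None for shared/service IDs
    last_login: Optional[date]
    last_reviewed: date
    privileged: bool = False
    shared: bool = False
    shared_approval: Optional[str] = None   # change/ticket reference approving a shared ID


@dataclass
class Person:
    employee_id: str
    status: str                        # "active" or "terminated"
    role: str
    role_changed: Optional[date] = None


def review_accounts(accounts, roster, today):
    """Return (user_id, finding) pairs; an empty list means nothing to act on."""
    people = {p.employee_id: p for p in roster}
    findings = []
    for a in accounts:
        owner = people.get(a.owner) if a.owner else None
        if a.shared:
            # Shared IDs are tolerated only with documented approval.
            if not a.shared_approval:
                findings.append((a.user_id, "shared ID without documented approval"))
        elif owner is None:
            findings.append((a.user_id, "no owner in HR roster: orphaned ID, disable"))
        elif owner.status == "terminated":
            findings.append((a.user_id, "owner has left: disable immediately"))
        elif owner.role_changed and owner.role_changed > a.last_reviewed:
            findings.append((a.user_id, "role changed since last review: re-allocate rights"))
        # Redundant IDs: never used, or unused for longer than the dormancy window.
        if a.last_login is None or (today - a.last_login).days > DORMANT_DAYS:
            findings.append((a.user_id, f"no sign-in for >{DORMANT_DAYS} days: redundant ID, disable"))
        # Privileged accounts are reviewed on the shorter interval.
        interval = PRIV_REVIEW_DAYS if a.privileged else STANDARD_REVIEW_DAYS
        if (today - a.last_reviewed).days > interval:
            findings.append((a.user_id, f"access review overdue (interval {interval} days)"))
    return findings


# Constructed sample data for the example (not real people or systems).
TODAY = date(2024, 6, 1)
SAMPLE_ROSTER = [
    Person("e001", "active", "nurse"),
    Person("e002", "terminated", "clerk"),
    Person("e003", "active", "dba", role_changed=date(2024, 5, 20)),
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", "e001", date(2024, 5, 30), date(2024, 3, 1)),
    Account("bsmith", "e002", date(2024, 4, 1), date(2024, 3, 1)),
    Account("kroy-admin", "e003", date(2024, 5, 31), date(2024, 4, 15), privileged=True),
    Account("svc-legacy", None, None, date(2023, 1, 1)),
    Account("ward-kiosk", None, date(2024, 5, 31), date(2024, 5, 1),
            shared=True, shared_approval="CHG-1042"),
]


def run_sample():
    """Run the review over the constructed data."""
    return review_accounts(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, TODAY)


if __name__ == "__main__":
    for user_id, finding in run_sample():
        print(f"{user_id}: {finding}")
```

In practice the roster comes from the HR system and the account list from the directory or IdP export; the findings list, dated and retained, is the evidence the review happened. Note that the terminated-owner check and the dormancy check are independent, so an account can appear more than once, which is intended: each line is a separate action.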
  Termination Procedures
    ISO 27001:2013: A.7.3.1 Termination or change of employment responsibilities; A.9.2.6 Removal or adjustment of access rights
    Organisation response: A process is established to ensure that all exit formalities are performed, that the assets issued to the employee are collected, and that all access that was granted is removed. Evidence of each of these steps is maintained.

Information Access Management - 164.308(a)(4)

  Isolating Health Care Clearinghouse Functions
    ISO 27001:2013: N/A
    Organisation response: Not applicable.

  Access Authorization
    ISO 27001:2013: A.9.2.2 User access provisioning
    Organisation response: Covered by the user ID management process described under Authorization and/or Supervision (A.9.2.2) above: unique user IDs, documented approval of any shared ID, immediate disabling or removal of leavers' IDs, periodic removal of redundant IDs, and no re-issue of redundant IDs to other users.

  Access Establishment and Modification
    ISO 27001:2013: A.9.2.2 User access provisioning
    Organisation response: As for Access Authorization: the same user ID management process applies.

Security Awareness and Training - 164.308(a)(5)

  Security Reminders
    ISO 27001:2013: A.12.6.1 Management of technical vulnerabilities
    Organisation response: Information about technical vulnerabilities of the information systems in use is obtained in a timely fashion, the Organisation's exposure to such vulnerabilities is evaluated, and appropriate measures are taken to address the associated risk.

  Protection from Malicious Software
    ISO 27001:2013: A.12.2.1 Controls against malware
    Organisation response: Policy and procedures are established for protection against malware, using malware detection and repair software, information security awareness, and appropriate system access and change management controls.

  Log-in Monitoring
    ISO 27001:2013: A.12.4.1 Event logging
    Organisation response: Event logs recording user activities, exceptions, faults and information security events are produced, kept and regularly reviewed. Event logs include, where relevant:
      a) user IDs;
      b) system activities;
      c) dates, times and details of key events, e.g. log-on and log-off;
      d) device identity or location where possible, and system identifier;
      e) records of successful and rejected system access attempts.

  Password Management
    ISO 27001:2013: A.9.4.3 Password management system
    Organisation response: The Organisation has a password management system that:
      a) enforces the use of individual user IDs and passwords to maintain accountability;
      b) allows users to select and change their own passwords, with a confirmation procedure to catch input errors;
      c) enforces a choice of quality passwords;
      d) forces users to change their password at first log-on;
      e) enforces password changes at regular intervals and as needed;
      f) keeps a record of previously used passwords and prevents re-use;
      g) does not display passwords on screen as they are entered;
      h) stores password files separately from application system data;
      i) stores and transmits passwords in protected form.
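Read as a specification for the verifier itself, items (a) to (i) above are small enough to implement directly. The Python below is an added example written for this page, not the Organisation's system or any product's code: the class and method names, the 12-character and three-character-class quality rule, the history depth of five and the 90-day maximum age are all assumptions. It covers (a), (b), (c), (d), (e), (f), (h) and (i): individual records per user ID, a confirmation step, a quality check, a forced change at first log-on, expiry, a history of salted digests that blocks re-use, and storage of nothing but salted PBKDF2 digests in a store separate from application data. Item (g), not echoing the password, is a user-interface concern outside this code. One caveat on (e): NIST SP 800-63B advises against forcing periodic changes unless there is evidence of compromise, so MAX_AGE_DAYS can be set to None to keep only the "as needed" part.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Policy parameters: assumptions for this example, not values from the page.
MIN_LENGTH = 12
MIN_CLASSES = 3            # of: lower case, upper case, digit, symbol
HISTORY_DEPTH = 5          # previous passwords that may not be re-used (item f)
MAX_AGE_DAYS = 90          # scheduled expiry (item e); None disables it
PBKDF2_ROUNDS = 600_000    # work factor for PBKDF2-HMAC-SHA256


def check_quality(password):
    """Return a rejection reason, or None if the password is acceptable (item c)."""
    if len(password) < MIN_LENGTH:
        return "too short"
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CLASSES:
        return "needs more character classes"
    return None


def _digest(password, salt):
    # Passwords exist only as salted, slow digests (item i); scrypt or Argon2id
    # are preferable where available, PBKDF2 is used here because it is in the
    # standard library everywhere.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)


class PasswordStore:
    """Credential records, kept apart from application data (item h)."""

    def __init__(self):
        self._records = {}   # user_id -> record; one record per individual ID (item a)

    def create_user(self, user_id, initial_password, today):
        """Register a user; the initial password must be changed at first log-on (item d)."""
        err = self.set_password(user_id, initial_password, today)
        if err is None:
            self._records[user_id]["must_change"] = True
        return err

    def set_password(self, user_id, new_password, today, confirm=None):
        """User-chosen change with confirmation (item b); returns None or a reason."""
        if confirm is not None and confirm != new_password:
            return "confirmation mismatch"
        err = check_quality(new_password)
        if err:
            return err
        rec = self._records.get(user_id)
        history = rec["history"] if rec else []
        # Each history entry keeps its own salt, so re-use is checked by re-deriving.
        for salt, digest in history:
            if hmac.compare_digest(_digest(new_password, salt), digest):
                return "password reused"
        salt = secrets.token_bytes(16)
        digest = _digest(new_password, salt)
        self._records[user_id] = {
            "salt": salt, "digest": digest, "set_on": today, "must_change": False,
            "history": ([(salt, digest)] + history)[:HISTORY_DEPTH],
        }
        return None

    def verify(self, user_id, password, today):
        """Return 'ok', 'must_change', 'expired' or 'bad'."""
        rec = self._records.get(user_id)
        if rec is None:
            _digest(password, b"\x00" * 16)   # same cost for unknown IDs
            return "bad"
        if not hmac.compare_digest(_digest(password, rec["salt"]), rec["digest"]):
            return "bad"
        if rec["must_change"]:
            return "must_change"
        if MAX_AGE_DAYS is not None and (today - rec["set_on"]).days > MAX_AGE_DAYS:
            return "expired"
        return "ok"


def day(offset=0):
    """Fixed reference date plus an offset, for the usage below."""
    return date(2024, 1, 1) + timedelta(days=offset)


if __name__ == "__main__":
    store = PasswordStore()
    store.create_user("alice", "Init-Passw0rd!", day())
    print(store.verify("alice", "Init-Passw0rd!", day()))             # must_change
    print(store.set_password("alice", "Init-Passw0rd!", day()))       # password reused
    print(store.set_password("alice", "Correct-Horse-7", day(), confirm="Correct-Horse-7"))
    print(store.verify("alice", "Correct-Horse-7", day(91)))          # expired
```

Two points of design that the list does not spell out: the comparison of digests uses a constant-time compare, and an unknown user ID still pays the hashing cost, so a caller cannot tell valid from invalid IDs by timing. Transmission "in protected form" (item i) is the transport's job, i.e. TLS between client and verifier; nothing in this code would make sending the password over a plaintext channel acceptable.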
Security Incident Procedures - 164.308(a)(6)

  Response and Reporting
    ISO 27001:2013: A.16.1.1 Responsibilities and procedures; A.16.1.2 Reporting information security events; A.16.1.3 Reporting information security weaknesses; A.16.1.5 Response to information security incidents
    Organisation response: The Organisation has defined and documented policies and controls for incident management, covering:
      - the definition of an incident (e.g. security breaches, data loss, system downtime, malicious activity);
      - incident reporting timelines and procedures;
      - root cause analysis and reporting to avoid recurrence.
    Evidence of incident management activities, including incident logging and root cause analysis, is maintained according to regulatory and contractual requirements.

Contingency Plan - 164.308(a)(7)

  Data Backup Plan
    ISO 27001:2013: A.12.3.1 Information backup
    Organisation response: A documented backup and restoration policy is defined and communicated. The policy document outlines the backup and restoration procedures followed, including frequency, schedule, retention requirements, and recovery/restore testing.

  Disaster Recovery Plan
    ISO 27001:2013: A.17.1.1 Planning information security continuity; A.17.1.2 Implementing information security continuity
    Organisation response: There is a defined and documented method for determining the impact of any disruption to the Organisation, which incorporates the following:
      - identify critical products and services;
      - identify all dependencies, including processes, applications, business partners and third-party service providers;
      - understand the threats to critical products and services;
      - determine the impacts resulting from planned or unplanned disruptions and how these vary over time;
      - establish the maximum tolerable period of disruption, aligned with the SLA;
      - establish priorities for recovery;
      - establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption, aligned with the SLA;
      - estimate the resources required for resumption.

  Emergency Mode Operation Plan
    ISO 27001:2013: A.17.1.1 Planning information security continuity; A.17.1.2 Implementing information security continuity
    Organisation response: The same documented method for determining the impact of any disruption as for the Disaster Recovery Plan above applies, with the same required elements.

  Testing and Revision Procedures
    ISO 27001:2013: A.17.1.3 Verify, review and evaluate information security continuity
    Organisation response: The Organisation ensures that the BCP/DR plan is reviewed and approved at least annually, and distributes it to authorized individuals, including all personnel.

  Applications and Data Criticality Analysis
    ISO 27001:2013: A.14.1.1 Information security requirements analysis and specification; A.17.1.1 Planning information security continuity
    Organisation response: As for Testing and Revision Procedures: the BCP/DR plan is reviewed and approved at least annually and distributed to authorized individuals, including all personnel.

Evaluation - 164.308(a)(8)
    ISO 27001:2013: A.18.2.3 Technical compliance review
    Organisation response: Technical compliance is reviewed, preferably with the assistance of automated tools that generate technical reports for subsequent interpretation by a technical specialist.

Business Associate Contracts and Other Arrangements - 164.308(b)(1)

  Written Contract or Other Arrangement
    ISO 27001:2013: A.15.1.2 Addressing security within supplier agreements
    Organisation response: Supplier agreements are established and documented to ensure that all relevant information security requirements to be implemented by the supplier are covered.

Facility Access Controls - 164.310(a)(1)

  Contingency Operations
    ISO 27001:2013: A.17.2.1 Availability of information processing facilities
    Organisation response: The Organisation has identified and implemented sufficient redundancy for servers, network components and ISPs to protect against outages (such as power failure or network disruption).

  Facility Security Plan
    ISO 27001:2013: A.11.1.3 Securing offices, rooms and facilities; A.11.1.4 Protecting against external and environmental threats
    Organisation response: Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

  Access Control and Validation Procedures
    ISO 27001:2013: A.11.1.1 Physical security perimeter; A.11.1.2 Physical entry controls
    Organisation response: The Organisation ensures that a physical security policy, containing the Organisation's guidelines for the physical security of personnel, equipment and information systems, is developed, approved and communicated.

  Maintenance Records
    ISO 27001:2013: A.11.2.4 Equipment maintenance
    Organisation response: The following guidelines for equipment maintenance are followed:
      a) equipment is maintained in accordance with the supplier's recommended service intervals and specifications;
      b) only authorized maintenance personnel carry out repairs and service equipment;
      c) records are kept of all suspected or actual faults, and of all preventive and corrective maintenance.

Workstation Use - 164.310(b)
    ISO 27001:2013: A.8.1.3 Acceptable use of assets; A.11.1.5 Working in secure areas; A.12.1.1 Documented operating procedures
    Organisation response: Employees and external party users who use or have access to the Organisation's assets are made aware of the information security requirements for those assets and for the associated information, information processing facilities and resources. They are responsible for their own use of any information processing resources and for any such use carried out under their responsibility.

Workstation Security - 164.310(c)
    ISO 27001:2013: A.11.1.5 Working in secure areas
    Organisation response: The following controls are in place:
      a) personnel are aware of the existence of, or activities within, a secure area only on a need-to-know basis;
      b) unsupervised working in secure areas is avoided, both for safety reasons and to prevent opportunities for malicious activity;
      c) vacant secure areas are physically locked and periodically reviewed.

Device and Media Controls - 164.310(d)(1)

  Disposal
    ISO 27001:2013: A.8.3.2 Disposal of media
    Organisation response: Formal procedures for the secure disposal of media are established to minimize the risk of confidential information leaking to unauthorized persons. The procedure for secure disposal of media containing confidential information is proportional to the sensitivity of that information.

  Media Re-use
    ISO 27001:2013: A.8.3.1 Management of removable media
    Organisation response: A removable media management process is defined for the controlled use of removable media devices to store and transfer information; it applies to all users who have access to information, information systems and IT equipment.

  Accountability
    ISO 27001:2013: A.8.3.3 Physical media transfer; A.11.2.6 Security of equipment and assets off-premises
    Organisation response: Procedures are implemented to protect media containing information against unauthorized access, misuse or corruption during transportation.

  Data Backup and Storage
    ISO 27001:2013: A.12.3.1 Information backup
    Organisation response: As for the Data Backup Plan above: the documented backup and restoration policy (frequency, schedule, retention requirements, recovery/restore testing) applies.

Access Control - 164.312(a)(1)

  Unique User Identification
    ISO 27001:2013: A.9.2.1 User registration and de-registration
    Organisation response: The user ID management process described under Authorization and/or Supervision (A.9.2.2) above applies: unique user IDs so that users can be linked to and held responsible for their actions; shared IDs only where necessary for business or operational reasons, approved and documented; immediate disabling or removal of the IDs of users who have left; periodic removal or disabling of redundant IDs; and no re-issue of redundant IDs to other users.

  Emergency Access Procedure
    ISO 27001:2013: A.9.2.2 User access provisioning
    Organisation response: The same user ID management process as under Authorization and/or Supervision applies to the IDs used for emergency access.

  Automatic Logoff
    ISO 27001:2013: A.11.2.8 Unattended user equipment
    Organisation response: All users are made aware of the security requirements and procedures for protecting unattended equipment, and of their responsibilities for implementing such protection. Users are advised to:
      a) terminate active sessions when finished, unless they can be secured by an appropriate locking mechanism, e.g. a password-protected screen saver;
      b) log off from applications or network services when they are no longer needed;
      c) secure computers or mobile devices against unauthorized use by a key lock or an equivalent control, e.g. password access, when not in use.

  Encryption and Decryption
    ISO 27001:2013: A.10.1.1 Policy on the use of cryptographic controls
    Organisation response: A cryptography policy is defined that sets out principles and expectations about when, and how, encryption of the Organisation's digital information is (or is not) used.

Audit Controls - 164.312(b)
    ISO 27001:2013: A.12.4.1 Event logging; A.12.4.2 Protection of log information; A.12.4.3 Administrator and operator logs
    Organisation response: Event logs recording user activities, exceptions, faults and information security events, including administrator and operator activity, are produced, kept and regularly reviewed. Event logs include, where relevant:
      a) user IDs;
      b) system activities;
      c) dates, times and details of key events, e.g. log-on and log-off;
      d) device identity or location where possible, and system identifier;
      e) records of successful and rejected system access attempts.
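The fields listed above (user ID, system identifier, timestamp, device or location, outcome) are what a log review needs in order to pick out rejected access attempts, and A.12.4.2 additionally requires that the log itself be protected from tampering. The Python below is an added example written for this page and serves both this Audit Controls row and the Log-in Monitoring row under 164.308(a)(5); it is not the Organisation's tooling or any product's format. It parses a key=value line layout assumed for the example over a constructed log, flags a burst of rejected log-ons and a success that follows one, surfaces privileged actions for the administrator and operator log review (A.12.4.3), and keeps a SHA-256 hash chain over the lines so that a modified or removed entry is detected. The five-failures-in-five-minutes threshold is an assumption.

```python
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a key=value layout assumed for this example.
# Fields follow the list in the text: timestamp, system identifier, user ID,
# device/location (source address), event, outcome.
SAMPLE_LOG = """\
2024-06-01T08:02:11Z ehr-app01 user=jdoe src=10.1.4.22 event=logon result=success
2024-06-01T08:03:40Z ehr-app01 user=bsmith src=203.0.113.9 event=logon result=failure
2024-06-01T08:03:42Z ehr-app01 user=bsmith src=203.0.113.9 event=logon result=failure
2024-06-01T08:03:44Z ehr-app01 user=bsmith src=203.0.113.9 event=logon result=failure
2024-06-01T08:03:47Z ehr-app01 user=bsmith src=203.0.113.9 event=logon result=failure
2024-06-01T08:03:49Z ehr-app01 user=bsmith src=203.0.113.9 event=logon result=failure
2024-06-01T08:04:02Z ehr-app01 user=bsmith src=203.0.113.9 event=logon result=success
2024-06-01T09:15:00Z ehr-db01 user=kroy src=10.1.4.50 event=privilege_use result=success
2024-06-01T17:30:05Z ehr-app01 user=jdoe src=10.1.4.22 event=logoff result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<system>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)$"
)


def parse(line):
    """Split one log line into its fields; an unparseable line is an error, not skipped."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def review(lines, window=timedelta(minutes=5), threshold=5):
    """Return (timestamp, user, finding) triples from a pass over the log."""
    findings = []
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent rejected log-ons
    burst = set()                 # keys currently inside a failure burst
    for ev in (parse(l) for l in lines if l.strip()):
        key = (ev["user"], ev["src"])
        if ev["event"] != "logon":
            if ev["event"] == "privilege_use":
                findings.append((ev["ts"], ev["user"],
                                 "privileged action: include in operator log review"))
            continue
        q = recent[key]
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if ev["result"] == "failure":
            q.append(ev["ts"])
            if len(q) >= threshold and key not in burst:
                burst.add(key)
                findings.append((ev["ts"], ev["user"],
                                 f"{len(q)} rejected logons within {window} from {ev['src']}"))
        elif key in burst:
            # A success right after a burst is the case worth a person's attention.
            findings.append((ev["ts"], ev["user"],
                             f"successful logon after failure burst from {ev['src']}: investigate"))
            burst.discard(key)
    return findings


def chain(lines, seed=b"genesis"):
    """Hash chain over the log: each digest commits to the previous digest and its line."""
    digests, prev = [], seed
    for line in lines:
        prev = hashlib.sha256(prev + line.encode()).digest()
        digests.append(prev.hex())
    return digests


def verify_chain(lines, digests, seed=b"genesis"):
    """Index of the first entry that is altered or missing, or None if the log is intact."""
    prev = seed
    for i, expected in enumerate(digests):
        if i >= len(lines):
            return i                              # tail of the log was removed
        prev = hashlib.sha256(prev + lines[i].encode()).digest()
        if prev.hex() != expected:
            return i                              # this line (or an earlier one) changed
    return None


def run_sample():
    """Review the constructed log and compute its chain."""
    lines = SAMPLE_LOG.splitlines()
    return review(lines), chain(lines)


if __name__ == "__main__":
    findings, digests = run_sample()
    for ts, user, msg in findings:
        print(ts.isoformat(), user, msg)
    print("chain intact:", verify_chain(SAMPLE_LOG.splitlines(), digests) is None)
```

The chain only protects the log if the digests (or at least the latest one) are written somewhere the people who can write the log cannot reach, for example shipped to a separate log server or a write-once store; a chain kept next to the log on the same host can simply be recomputed by whoever edits the file. Note also that appending is always allowed, which is the point: new entries extend the chain, and only rewriting or truncating history is caught.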
Integrity - 164.312(c)(1)

  Mechanism to Authenticate Electronic Protected Health Information
    ISO 27001:2013: A.18.1.3 Protection of records
    Organisation response: Records are protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.

Person or Entity Authentication - 164.312(d)
    ISO 27001:2013: A.9.2.4 Management of secret authentication information of users
    Organisation response: The process includes the following requirement:
      a) users are required to sign a statement to keep personal secret authentication information confidential and to keep group (i.e. shared) secret authentication information solely within the members of the group; this signed statement may be included in the terms and conditions of employment.

Transmission Security - 164.312(e)(1)

  Integrity Controls
    ISO 27001:2013: A.13.1.1 Network controls
    Organisation response: Controls are implemented to ensure the security of information in networks and the protection of connected services from unauthorized access.

  Encryption
    ISO 27001:2013: A.10.1.1 Policy on the use of cryptographic controls
    Organisation response: As for Encryption and Decryption under Access Control above: the cryptography policy sets out principles and expectations about when, and how, encryption of the Organisation's digital information is (or is not) used.
LISTA DE CHECKLIST DE NORMATIVA HIPAA-ISO 27001

More Related Content

Similar to LISTA DE CHECKLIST DE NORMATIVA HIPAA-ISO 27001

Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentationMidhun Nirmal
 
Cybersecurity Assessment Framework - Slideshare.pptx
Cybersecurity Assessment Framework - Slideshare.pptxCybersecurity Assessment Framework - Slideshare.pptx
Cybersecurity Assessment Framework - Slideshare.pptxAzra'ee Mamat
 
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...Jerimi Soma
 
DIACAP IA CONTROLS Requirements Document
DIACAP IA CONTROLS Requirements DocumentDIACAP IA CONTROLS Requirements Document
DIACAP IA CONTROLS Requirements DocumentNicole Gaehle, MSIST
 
SOC 2 (Service Organization Control) Type 2 Checklist Part - 2.pdf
SOC 2 (Service Organization Control) Type 2 Checklist   Part - 2.pdfSOC 2 (Service Organization Control) Type 2 Checklist   Part - 2.pdf
SOC 2 (Service Organization Control) Type 2 Checklist Part - 2.pdfinfosecTrain
 
𝐒𝐎𝐂𝟐.pdf
𝐒𝐎𝐂𝟐.pdf𝐒𝐎𝐂𝟐.pdf
𝐒𝐎𝐂𝟐.pdfInfosec train
 
SOC 2 Type 2 Checklist.pdf
SOC 2 Type 2 Checklist.pdfSOC 2 Type 2 Checklist.pdf
SOC 2 Type 2 Checklist.pdfinfosec train
 
CISA Domain- 1 - InfosecTrain
CISA Domain- 1  - InfosecTrainCISA Domain- 1  - InfosecTrain
CISA Domain- 1 - InfosecTrainInfosecTrain
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSCISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSShivamSharma909
 
RiskWatch for Credit Unions™
RiskWatch for Credit Unions™RiskWatch for Credit Unions™
RiskWatch for Credit Unions™CPaschal
 
Information systems and its components iii
Information systems and its components   iiiInformation systems and its components   iii
Information systems and its components iiiAshish Desai
 
IT ASSET DECOMMISSIONING POLICY AND PROCEDURES
IT ASSET DECOMMISSIONING POLICY AND PROCEDURESIT ASSET DECOMMISSIONING POLICY AND PROCEDURES
IT ASSET DECOMMISSIONING POLICY AND PROCEDURESSpas Computers Pvt Ltd
 

Similar to LISTA DE CHECKLIST DE NORMATIVA HIPAA-ISO 27001 (20)

Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access Certifier
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
 
ISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
ISO/IEC 27001:2005 naar ISO 27001:2013  ChecklistISO/IEC 27001:2005 naar ISO 27001:2013  Checklist
ISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
 
AnnexIX1302.pdf
AnnexIX1302.pdfAnnexIX1302.pdf
AnnexIX1302.pdf
 
Cybersecurity Assessment Framework - Slideshare.pptx
Cybersecurity Assessment Framework - Slideshare.pptxCybersecurity Assessment Framework - Slideshare.pptx
Cybersecurity Assessment Framework - Slideshare.pptx
 
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
 
File000169
File000169File000169
File000169
 
DIACAP IA CONTROLS Requirements Document
DIACAP IA CONTROLS Requirements DocumentDIACAP IA CONTROLS Requirements Document
DIACAP IA CONTROLS Requirements Document
 
SOC 2 (Service Organization Control) Type 2 Checklist Part - 2.pdf
SOC 2 (Service Organization Control) Type 2 Checklist   Part - 2.pdfSOC 2 (Service Organization Control) Type 2 Checklist   Part - 2.pdf
SOC 2 (Service Organization Control) Type 2 Checklist Part - 2.pdf
 
𝐒𝐎𝐂𝟐.pdf
𝐒𝐎𝐂𝟐.pdf𝐒𝐎𝐂𝟐.pdf
𝐒𝐎𝐂𝟐.pdf
 
SOC 2 Type 2 Checklist.pdf
SOC 2 Type 2 Checklist.pdfSOC 2 Type 2 Checklist.pdf
SOC 2 Type 2 Checklist.pdf
 
SOC2 Compliance
SOC2 ComplianceSOC2 Compliance
SOC2 Compliance
 
Overview of ISO 27001 [null Bangalore] [Dec 2013 meet]
Overview of ISO 27001 [null Bangalore] [Dec 2013 meet]Overview of ISO 27001 [null Bangalore] [Dec 2013 meet]
Overview of ISO 27001 [null Bangalore] [Dec 2013 meet]
 
ISO / IEC 27001:2005 – An Intorduction
ISO / IEC 27001:2005 – An IntorductionISO / IEC 27001:2005 – An Intorduction
ISO / IEC 27001:2005 – An Intorduction
 
CISA Domain- 1 - InfosecTrain
CISA Domain- 1  - InfosecTrainCISA Domain- 1  - InfosecTrain
CISA Domain- 1 - InfosecTrain
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSCISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
 
RiskWatch for Credit Unions™
RiskWatch for Credit Unions™RiskWatch for Credit Unions™
RiskWatch for Credit Unions™
 
Information systems and its components iii
Information systems and its components   iiiInformation systems and its components   iii
Information systems and its components iii
 
IT ASSET DECOMMISSIONING POLICY AND PROCEDURES
IT ASSET DECOMMISSIONING POLICY AND PROCEDURESIT ASSET DECOMMISSIONING POLICY AND PROCEDURES
IT ASSET DECOMMISSIONING POLICY AND PROCEDURES
 
What's New in BRC Food Safety Issue 8
What's New in BRC Food Safety Issue 8What's New in BRC Food Safety Issue 8
What's New in BRC Food Safety Issue 8
 

Recently uploaded

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 

Recently uploaded (20)

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
HIPAA-ISO 27001 REGULATORY CHECKLIST

HIPAA – ISO 27001 COMPLIANCE MAPPING FRAMEWORK
(Columns of the original table: HIPAA Security Standard | HIPAA Security Implementation Specification | ISO 27001:2013 | Organisation Response | Compliance. The Compliance column is blank for every row.)

Security Management Process 164.308(a)(1)
  • Risk Analysis
    ISO 27001:2013: 6.1.2 Information security risk assessment; 8.2 Information security risk assessment
    Organisation Response: Organisation has defined a risk management program in line with ISO 31000 & ISO 27001. Organisation performs risk assessment on a periodic basis and monitors the risks.
  • Risk Management
    ISO 27001:2013: 6.1.3 Information security risk treatment; 8.3 Information security risk treatment
    Organisation Response: Organisation has defined a risk management program in line with ISO 31000 & ISO 27001. Organisation performs risk assessment on a periodic basis and monitors the risks.
  • Sanction Policy
    ISO 27001:2013: A.7.2.3 Disciplinary process
    Organisation Response: Organisation has defined an information security disciplinary process. The formal disciplinary process is established to ensure correct and fair treatment for employees who are suspected of committing breaches of information security.
  • Information System Activity Review
    ISO 27001:2013: A.12.4.1 Event logging; A.12.4.3 Administrator and operator logs; A.16.1.2 Reporting information security events; A.16.1.3 Reporting security weaknesses
    Organisation Response: Organisation has defined and documented policies and controls for incident management including the following documented aspects:
      • Definition of an incident (e.g. security breaches, data loss, system downtime, malicious activity)
      • Incident reporting timelines and procedures
      • Root cause analysis and reporting to avoid recurrence.
    Evidence of incident management activities including incident logging and root cause analysis is maintained according to regulatory and contractual requirements.

Assigned Security Responsibility 164.308(a)(2)
  ISO 27001:2013: A.6.1.1 Information security roles and responsibilities
  Organisation Response: Responsibilities for the protection of individual assets and for carrying out specific information security processes are identified. Responsibilities for information security risk management activities and in particular for acceptance of residual risks are defined.

Workforce Security 164.308(a)(3)
  • Authorization and/or Supervision
    ISO 27001:2013: A.9.2.2 User access provisioning
    Organisation Response: The process for managing user IDs includes: a) using unique user IDs to enable users to be linked to and held responsible for their actions; the use of shared IDs is only permitted where they are necessary for business or operational reasons and is approved and documented; b) immediately disabling or removing user IDs of users who have left the Organisation; c) periodically identifying and removing or disabling redundant user IDs; d) ensuring that redundant user IDs are not issued to other users.
  • Workforce Clearance Procedure
    ISO 27001:2013: A.9.2.5 Review of user access rights
    Organisation Response: The review of access rights considers the following: a) users' access rights are reviewed at regular intervals and after any changes, such as promotion, demotion or termination of employment; b) user access rights are reviewed and re-allocated when moving from one role to another within the same Organisation; c) authorizations for privileged access rights are reviewed at more frequent intervals; d) privilege allocations are checked at regular intervals to ensure that unauthorized privileges have not been obtained; e) changes to privileged accounts are logged for periodic review.
  • Termination Procedures
    ISO 27001:2013: A.7.3.1 Termination or change of employment responsibilities; A.9.2.6 Removal or adjustment of access rights
    Organisation Response: A process is established to ensure that all the exit formalities are performed, the assets provided to the employees have been collected and all the accesses provided have been removed. Evidence is maintained for the same.

Information Access Management 164.308(a)(4)
  • Isolated Health Clearinghouse Functions
    ISO 27001:2013: N/A
    Organisation Response: Not Applicable
  • Access Authorization
    ISO 27001:2013: A.9.2.2 User access provisioning
    Organisation Response: The process for managing user IDs includes: a) using unique user IDs to enable users to be linked to and held responsible for their actions; the use of shared IDs is only permitted where they are necessary for business or operational reasons and is approved and documented; b) immediately disabling or removing user IDs of users who have left the Organisation; c) periodically identifying and removing or disabling redundant user IDs; d) ensuring that redundant user IDs are not issued to other users.
  • Access Establishment and Modification
    ISO 27001:2013: A.9.2.2 User access provisioning
    Organisation Response: The process for managing user IDs includes: a) using unique user IDs to enable users to be linked to and held responsible for their actions; the use of shared IDs is only permitted where they are necessary for business or operational reasons and is approved and documented; b) immediately disabling or removing user IDs of users who have left the Organisation; c) periodically identifying and removing or disabling redundant user IDs; d) ensuring that redundant user IDs are not issued to other users.

Security Awareness and Training 164.308(a)(5)
  • Security Reminders
    ISO 27001:2013: A.12.6.1 Management of technical vulnerabilities
    Organisation Response: Information about technical vulnerabilities of information systems being used is obtained in a timely fashion, the Organisation's exposure to such vulnerabilities is evaluated and appropriate measures are taken to address the associated risk.
  • Protection from Malicious Software
    ISO 27001:2013: A.12.2.1 Controls against malware
    Organisation Response: Policy & procedures are established for protection against malware using malware detection and repair software, information security awareness and appropriate system access and change management controls.
  • Log-in Monitoring
    ISO 27001:2013: A.12.4.1 Event logging
    Organisation Response: Event logs recording user activities, exceptions, faults and information security events are produced, kept and regularly reviewed. Event logs include, when relevant: a) user IDs; b) system activities; c) dates, times and details of key events, e.g. log-on and log-off; d) device identity or location if possible and system identifier; e) records of successful and rejected system access attempts.
  • Password Management
    ISO 27001:2013: A.9.4.3 Password management system
    Organisation Response: Organisation has a password management system that: a) enforces the use of individual user IDs and passwords to maintain accountability; b) allows users to select and change their own passwords and includes a confirmation procedure to allow for input errors; c) enforces a choice of quality passwords; d) forces users to change their passwords at the first log-on; e) enforces regular password changes and as needed; f) maintains a record of previously used passwords and prevents re-use; g) does not display passwords on the screen when being entered; h) stores password files separately from application system data; i) stores and transmits passwords in protected form.

Security Incident Procedures 164.308(a)(6)
  • Response and Reporting
    ISO 27001:2013: A.16.1.1 Responsibilities and procedures; A.16.1.2 Reporting information security events; A.16.1.3 Reporting security weaknesses; A.16.1.4 Response to information security incidents
    Organisation Response: Organisation has defined and documented policies and controls for incident management including the following documented aspects:
      • Definition of an incident (e.g. security breaches, data loss, system downtime, malicious activity)
      • Incident reporting timelines and procedures
      • Root cause analysis and reporting to avoid recurrence.
    Evidence of incident management activities including incident logging and root cause analysis is maintained according to regulatory and contractual requirements.

Contingency Plan 164.308(a)(7)
  • Data Backup Plan
    ISO 27001:2013: A.12.3.1 Information backup
    Organisation Response: A documented backup and restoration policy is defined and communicated. The policy document outlines the backup and restoration procedures followed including frequency, schedule, retention requirements, and recovery/restore testing.
  • Disaster Recovery Plan
    ISO 27001:2013: A.17.1.1 Planning information security continuity; A.17.1.2 Implementing information security continuity
    Organisation Response: There is a defined and documented method for determining the impact of any disruption to the Organisation which incorporates the following:
      • Identify critical products and services
      • Identify all dependencies, including processes, applications, business partners and third party service providers
      • Understand threats to critical products and services
      • Determine impacts resulting from planned or unplanned disruptions and how these vary over time
      • Establish the maximum tolerable period for disruption that aligns with SLA
      • Establish priorities for recovery
      • Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption that aligns with SLA
      • Estimate the resources required for resumption
  • Emergency Mode Operation Plan
    ISO 27001:2013: A.17.1.1 Planning information security continuity; A.17.1.2 Implementing information security continuity
    Organisation Response: There is a defined and documented method for determining the impact of any disruption to the Organisation which must incorporate the following:
      • Identify critical products and services
      • Identify all dependencies, including processes, applications, business partners and third party service providers
      • Understand threats to critical products and services
      • Determine impacts resulting from planned or unplanned disruptions and how these vary over time
      • Establish the maximum tolerable period for disruption that aligns with SLA
      • Establish priorities for recovery
      • Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption that aligns with SLA
      • Estimate the resources required for resumption
  • Testing and Revision Procedures
    ISO 27001:2013: A.17.1.3 Verify, review and evaluate information security continuity
    Organisation Response: Organisation ensures that the BCP / DR is reviewed and approved at least annually. The BCP / DR is distributed to authorized individuals including all personnel.
  • Applications and Data Criticality Analysis
    ISO 27001:2013: A.14.1.1 Information security requirements analysis and specification; A.17.1.1 Planning information security continuity
    Organisation Response: Organisation ensures that the BCP / DR is reviewed and approved at least annually. The BCP / DR is distributed to authorized individuals including all personnel.

Evaluation 164.308(a)(8)
  ISO 27001:2013: A.18.2.3 Technical compliance checking
  Organisation Response: Technical compliance is reviewed preferably with the assistance of automated tools, which generate technical reports for subsequent interpretation by a technical specialist.

Business Associate Contracts and Other Arrangements 164.308(b)(1)
  • Written contract or other arrangement
    ISO 27001:2013: A.15.1.2 Addressing security within supplier agreements
    Organisation Response: Supplier agreements are established and documented to ensure that all relevant information security requirements to be implemented by the supplier are covered.

Facility Access Controls 164.310(a)(1)
  • Contingency Operations
    ISO 27001:2013: A.17.2.1 Availability of information processing facilities
    Organisation Response: Organisation has identified and implemented sufficient redundancies for servers, network components and ISPs against outages (such as power failure, network disruption).
  • Facility Security Plan
    ISO 27001:2013: A.11.1.3 Securing offices, rooms and facilities; A.11.1.4 Protecting against external and environmental threats
    Organisation Response: Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
  • Access Control and Validation Procedures
    ISO 27001:2013: A.11.1.1 Physical security perimeter; A.11.1.2 Physical entry controls
    Organisation Response: Organisation ensures that a defined physical security policy containing Organisation guidelines for physical security of personnel, equipment, and information systems is developed, approved and communicated.
  • Maintenance Records
    ISO 27001:2013: A.11.2.4 Equipment maintenance
    Organisation Response: The following guidelines for equipment maintenance are considered: a) equipment is maintained in accordance with the supplier's recommended service intervals and specifications; b) only authorized maintenance personnel carry out repairs and service equipment; c) records are kept of all suspected or actual faults, and of all preventive and corrective maintenance.

Workstation Use 164.310(b)
  ISO 27001:2013: A.8.1.3 Acceptable use of assets; A.11.1.5 Working in secure areas; A.12.1.1 Documented operating procedures
  Organisation Response: Employees and external party users using or having access to the Organisation's assets are made aware of the information security requirements of the Organisation's assets associated with information and information processing facilities and resources. They are responsible for their use of any information processing resources and of any such use carried out under their responsibility.

Workstation Security 164.310(c)
  ISO 27001:2013: A.11.1.5 Working in secure areas
  Organisation Response: The following controls are considered: a) personnel are only aware of the existence of, or activities within, a secure area on a need-to-know basis; b) unsupervised working in secure areas is avoided both for safety reasons and to prevent opportunities for malicious activities; c) vacant secure areas are physically locked and periodically reviewed.

Device and Media Controls 164.310(d)(1)
  • Disposal
    ISO 27001:2013: A.8.3.2 Disposal of media
    Organisation Response: Formal procedures for the secure disposal of media are established to minimize the risk of confidential information leakage to unauthorized persons. The procedures for secure disposal of media containing confidential information are proportional to the sensitivity of that information.
  • Media Reuse
    ISO 27001:2013: A.8.3.1 Management of removable media
    Organisation Response: A management of removable media process is defined for controlled use of removable media devices to store and transfer information by all users who have access to information, information systems and IT equipment.
  • Accountability
    ISO 27001:2013: A.8.3.3 Physical media transfer; A.11.2.6 Security of equipment and assets off-premises
    Organisation Response: Procedures are implemented to protect the media containing information against unauthorized access, misuse or corruption during transportation.
  • Data Backup and Storage
    ISO 27001:2013: A.12.3.1 Information backup
    Organisation Response: A documented backup and restoration policy is defined and communicated. The policy document outlines the backup and restoration procedures followed including frequency, schedule, retention requirements, and recovery/restore testing.

Access Control 164.312(a)(1)
  • Unique User Identification
    ISO 27001:2013: A.9.2.1 User registration and de-registration
    Organisation Response: The process for managing user IDs includes: a) using unique user IDs to enable users to be linked to and held responsible for their actions; the use of shared IDs is only permitted where they are necessary for business or operational reasons and is approved and documented; b) immediately disabling or removing user IDs of users who have left the Organisation; c) periodically identifying and removing or disabling redundant user IDs; d) ensuring that redundant user IDs are not issued to other users.
  • Emergency Access Procedure
    ISO 27001:2013: A.9.2.2 User access provisioning
    Organisation Response: The process for managing user IDs includes: a) using unique user IDs to enable users to be linked to and held responsible for their actions; the use of shared IDs is only permitted where they are necessary for business or operational reasons and is approved and documented; b) immediately disabling or removing user IDs of users who have left the Organisation; c) periodically identifying and removing or disabling redundant user IDs; d) ensuring that redundant user IDs are not issued to other users.
  • Automatic Logoff
    ISO 27001:2013: A.11.2.8 Unattended user equipment
    Organisation Response: All users are made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection. Users are advised to: a) terminate active sessions when finished, unless they can be secured by an appropriate locking mechanism, e.g. a password protected screen saver; b) log off from applications or network services when no longer needed; c) secure computers or mobile devices from unauthorized use by a key lock or an equivalent control, e.g. password access, when not in use.
  • Encryption and Decryption
    ISO 27001:2013: A.10.1.1 Policy on the use of cryptographic controls
    Organisation Response: A cryptography policy is defined to set out principles and expectations about when and how encryption of Organisation digital information is (or is not) used.

Audit Controls 164.312(b)
  ISO 27001:2013: A.12.4.1 Event logging; A.12.4.2 Protection of log information; A.12.4.3 Administrator and operator logs
  Organisation Response: Event logs recording user activities, exceptions, faults and information security events are produced, kept and regularly reviewed. Event logs include, when relevant: a) user IDs; b) system activities; c) dates, times and details of key events, e.g. log-on and log-off; d) device identity or location if possible and system identifier; e) records of successful and rejected system access attempts.

Integrity 164.312(c)(1)
  • Mechanism to Authenticate Electronic Protected Health Information
    ISO 27001:2013: A.18.1.3 Protection of records
    Organisation Response: Records are protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.

Person or Entity Authentication 164.312(d)
  ISO 27001:2013: A.9.2.4 Management of secret authentication information of users
  Organisation Response: The process includes the following requirements: a) users are required to sign a statement to keep personal secret authentication information confidential and to keep group (i.e. shared) secret authentication information solely within the members of the group; this signed statement may be included in the terms and conditions of employment.

Transmission Security 164.312(e)(1)
  • Integrity Controls
    ISO 27001:2013: A.13.1.1 Network controls
    Organisation Response: Controls are implemented to ensure the security of information in networks and the protection of connected services from unauthorized access.
  • Encryption
    ISO 27001:2013: A.10.1.1 Policy on the use of cryptographic controls
    Organisation Response: A cryptography policy is defined to set out principles and expectations about when and how encryption of Organisation digital information is (or is not) used.
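The user-ID management steps (A.9.2.2 a to d) and the access-review points (A.9.2.5 a to e) that the mapping repeats under Workforce Security, Information Access Management and Access Control are the kind of thing an auditor wants evidence for. The script below is an added example, not part of the mapping framework or of any organisation's tooling: it runs the listed checks over an identity export and produces the findings an access review would record. The account records, names and ticket references are constructed, and the review intervals (180 days standard, 90 days for privileged access, 90 days of inactivity for a dormant ID) are assumptions, since the mapping only says "regular intervals" and "more frequent intervals".

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Review intervals are assumptions for this example: the mapping only says
# "regular intervals" and "more frequent intervals" for privileged access.
STANDARD_REVIEW_DAYS = 180
PRIVILEGED_REVIEW_DAYS = 90
DORMANT_DAYS = 90


@dataclass
class Account:
    user_id: str
    owner: str                   # person or team accountable for the ID
    shared: bool                 # shared/group ID (A.9.2.2 a)
    shared_approval_ref: str     # ticket documenting the shared-ID exception, "" if none
    enabled: bool
    owner_employed: bool         # False once the owner has left (A.9.2.2 b)
    last_login: Optional[date]
    role: str                    # current role
    role_at_last_review: str     # role recorded at the last access review (A.9.2.5 b)
    privileged: bool             # privileged access gets the shorter interval (A.9.2.5 c)
    last_review: Optional[date]


def review_accounts(accounts, today):
    """Return (user_id, finding) pairs for every A.9.2.2 / A.9.2.5 expectation
    an account record fails. Accounts with no findings are not returned."""
    findings = []
    owner_of_id = {}
    for a in accounts:
        # A.9.2.2 d) a redundant ID must not be issued to another user
        if a.user_id in owner_of_id and owner_of_id[a.user_id] != a.owner:
            findings.append((a.user_id, "user-id-reissued"))
        owner_of_id.setdefault(a.user_id, a.owner)

        if not a.enabled:
            continue  # a disabled ID cannot be used; nothing further to review

        # A.9.2.2 a) shared IDs only where approved and documented
        if a.shared and not a.shared_approval_ref:
            findings.append((a.user_id, "shared-id-without-documented-approval"))
        # A.9.2.2 b) IDs of leavers are disabled immediately
        if not a.owner_employed:
            findings.append((a.user_id, "leaver-account-still-enabled"))
        # A.9.2.2 c) redundant (dormant) IDs are identified and disabled
        if a.last_login is None or (today - a.last_login).days > DORMANT_DAYS:
            findings.append((a.user_id, "dormant-account"))
        # A.9.2.5 b) rights are re-allocated when the role changes
        if a.role != a.role_at_last_review:
            findings.append((a.user_id, "role-changed-since-last-review"))
        # A.9.2.5 a) and c) review at regular intervals, more often if privileged
        limit = PRIVILEGED_REVIEW_DAYS if a.privileged else STANDARD_REVIEW_DAYS
        if a.last_review is None or (today - a.last_review).days > limit:
            findings.append((a.user_id, "access-review-overdue"))
    return findings


def findings_by_user(accounts, today):
    """Group findings per user ID, with the finding codes sorted."""
    grouped = {}
    for user_id, code in review_accounts(accounts, today):
        grouped.setdefault(user_id, []).append(code)
    return {u: sorted(codes) for u, codes in grouped.items()}


# Constructed sample identity export (not from the page); names and the
# "CHG-0042" ticket reference are invented for the example.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "J. Doe", False, "", True, True, TODAY - timedelta(days=5),
            "nurse", "nurse", False, TODAY - timedelta(days=30)),
    Account("svc-backup", "Ops team", True, "CHG-0042", True, True, TODAY - timedelta(days=1),
            "service", "service", True, TODAY - timedelta(days=120)),
    Account("msmith", "M. Smith", False, "", True, False, TODAY - timedelta(days=200),
            "analyst", "analyst", False, TODAY - timedelta(days=100)),
    Account("lab-shared", "Lab team", True, "", True, True, TODAY - timedelta(days=2),
            "lab", "lab", False, TODAY - timedelta(days=10)),
    Account("rlee", "R. Lee", False, "", True, True, TODAY - timedelta(days=3),
            "dba", "helpdesk", True, TODAY - timedelta(days=20)),
    Account("contractor01", "A. Prior", False, "", False, False, TODAY - timedelta(days=300),
            "contractor", "contractor", False, TODAY - timedelta(days=300)),
    Account("contractor01", "B. Newer", False, "", True, True, TODAY - timedelta(days=1),
            "contractor", "contractor", False, TODAY - timedelta(days=5)),
]


def review_sample():
    return findings_by_user(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user_id, codes in review_sample().items():
        print(user_id, ", ".join(codes))
```

Each finding code maps back to one lettered item of the mapping, so the output can be pasted into the evidence record the Termination Procedures and Workforce Clearance rows ask for; the same structure also satisfies A.9.2.5 e) once the findings are kept per review run.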
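The Log-in Monitoring and Audit Controls rows list what an event log record has to carry under A.12.4.1 (user ID, system activity, date and time, device or system identifier, and whether access was successful or rejected), and the Audit Controls row adds A.12.4.3 administrator and operator logs. The following is an added example, not code from the page or from any log product: it reads a small, constructed JSON-lines log, reports records that lack one of those fields (so they cannot serve as audit evidence), and summarises rejected log-on attempts per user ID for the "regularly reviewed" part of the control. The field names and the threshold of three rejected attempts are assumptions chosen for the example.

```python
import json
from collections import Counter

# Fields A.12.4.1 expects in a log record, per the mapping: a) user ID,
# b) system activity, c) date/time of the event, d) device identity or
# location and system identifier, e) outcome (successful or rejected access).
# The field names themselves are an assumption for this example.
REQUIRED_FIELDS = ("user_id", "event", "ts", "host", "outcome")

# Flagging threshold for repeated rejected access attempts; an assumption,
# the mapping only asks that rejected attempts be recorded and reviewed.
REJECTED_THRESHOLD = 3

# Constructed sample log (JSON, one record per line); not taken from the page.
# Line 5 is an administrator action (A.12.4.3) logged without time or host,
# line 6 is a logoff logged without a user ID.
SAMPLE_LOG = """\
{"ts": "2024-06-01T08:00:01Z", "user_id": "jdoe", "event": "logon", "host": "ws-117", "outcome": "success"}
{"ts": "2024-06-01T08:02:13Z", "user_id": "msmith", "event": "logon", "host": "ws-203", "outcome": "rejected"}
{"ts": "2024-06-01T08:02:40Z", "user_id": "msmith", "event": "logon", "host": "ws-203", "outcome": "rejected"}
{"ts": "2024-06-01T08:03:05Z", "user_id": "msmith", "event": "logon", "host": "ws-203", "outcome": "rejected"}
{"user_id": "sysadmin", "event": "config_change", "outcome": "success"}
{"ts": "2024-06-01T09:10:00Z", "event": "logoff", "host": "ws-117", "outcome": "success"}
{"ts": "2024-06-01T09:15:00Z", "user_id": "jdoe", "event": "logoff", "host": "ws-117", "outcome": "success"}
"""


def parse_log(text):
    """Parse JSON-lines log text. Returns (records, problems): records holds the
    complete ones; problems holds (line_no, sorted missing fields) for the rest."""
    records, problems = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            problems.append((line_no, ["unparseable"]))
            continue
        missing = sorted(f for f in REQUIRED_FIELDS if f not in rec)
        if missing:
            problems.append((line_no, missing))
        else:
            records.append(rec)
    return records, problems


def rejected_access_by_user(records):
    """Count rejected system access attempts per user ID (A.12.4.1 e)."""
    return Counter(r["user_id"] for r in records
                   if r["event"] == "logon" and r["outcome"] == "rejected")


def users_over_threshold(records, threshold=REJECTED_THRESHOLD):
    """User IDs whose rejected log-on count reached the review threshold."""
    counts = rejected_access_by_user(records)
    return sorted(u for u, n in counts.items() if n >= threshold)


def review_sample_log():
    """Run the completeness check and the rejected-access summary on SAMPLE_LOG."""
    records, problems = parse_log(SAMPLE_LOG)
    return {
        "complete_records": len(records),
        "incomplete": problems,
        "rejected_by_user": dict(rejected_access_by_user(records)),
        "flagged_users": users_over_threshold(records),
    }


if __name__ == "__main__":
    for key, value in review_sample_log().items():
        print(f"{key}: {value}")
```

Incomplete records are reported rather than silently dropped because a log that omits the user ID or timestamp cannot link an action to a person, which is the point of A.12.4.1 a) and c); the per-user rejected count is the minimum review a practitioner would run over the Log-in Monitoring evidence.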