HIPAA - ISO 27001 REGULATORY COMPLIANCE CHECKLIST
HIPAA - ISO 27001 COMPLIANCE MAPPING FRAMEWORK

The mapping is a five-column table: HIPAA Security Standard; HIPAA Security Implementation Specification; ISO 27001:2013 control(s); Organisation Response; Compliance. The Compliance column is blank in the source (it is for the assessing organisation to fill in), so each row below carries the other four.

HIPAA Security Standard: Security Management Process, 164.308(a)(1)

Implementation Specification: Risk Analysis
ISO 27001:2013: 6.1.2 Information security risk assessment; 8.2 Information security risk assessment
Organisation Response: The Organisation has defined a risk management programme in line with ISO 31000 and ISO 27001. Risk assessments are performed on a periodic basis and the identified risks are monitored.

Implementation Specification: Risk Management
ISO 27001:2013: 6.1.3 Information security risk treatment; 8.3 Information security risk treatment
Organisation Response: The Organisation has defined a risk management programme in line with ISO 31000 and ISO 27001. Risk assessments are performed on a periodic basis and the identified risks are monitored.

Implementation Specification: Sanction Policy
ISO 27001:2013: A.7.2.3 Disciplinary process
Organisation Response: The Organisation has defined an information security disciplinary process. The formal disciplinary process is established to ensure correct and fair treatment of employees who are suspected of committing information security breaches.

Implementation Specification: Information System Activity Review
ISO 27001:2013: A.12.4.1 Event logging; A.12.4.3 Administrator and operator logs; A.16.1.2 Reporting information security events; A.16.1.3 Reporting information security weaknesses
Organisation Response: The Organisation has defined and documented policies and controls for incident management, including the following documented aspects:
• Definition of an incident (e.g. security breaches, data loss, system downtime, malicious activity)
• Incident reporting timelines and procedures
• Root cause analysis and reporting to avoid recurrence
Evidence of incident management activities, including incident logging and root cause analysis, is maintained according to regulatory and contractual requirements.
HIPAA Security Standard: Assigned Security Responsibility, 164.308(a)(2)

ISO 27001:2013: A.6.1.1 Information security roles and responsibilities
Organisation Response: Responsibilities for the protection of individual assets and for carrying out specific information security processes are identified. Responsibilities for information security risk management activities, and in particular for the acceptance of residual risks, are defined.
HIPAA Security Standard: Workforce Security, 164.308(a)(3)

Implementation Specification: Authorization and/or Supervision
ISO 27001:2013: A.9.2.2 User access provisioning
Organisation Response: The process for managing user IDs includes:
a) using unique user IDs so that users can be linked to and held responsible for their actions; shared IDs are permitted only where they are necessary for business or operational reasons, and are approved and documented;
b) immediately disabling or removing the user IDs of users who have left the Organisation;
c) periodically identifying and removing or disabling redundant user IDs;
d) ensuring that redundant user IDs are not issued to other users.

Implementation Specification: Workforce Clearance Procedure
ISO 27001:2013: A.9.2.5 Review of user access rights
Organisation Response: The review of access rights considers the following:
a) users' access rights are reviewed at regular intervals and after any change, such as promotion, demotion or termination of employment;
b) user access rights are reviewed and re-allocated when a user moves from one role to another within the Organisation;
c) authorizations for privileged access rights are reviewed at more frequent intervals;
d) privilege allocations are checked at regular intervals to ensure that unauthorized privileges have not been obtained;
e) changes to privileged accounts are logged for periodic review.

Implementation Specification: Termination Procedures
ISO 27001:2013: A.7.3.1 Termination or change of employment responsibilities; A.9.2.6 Removal or adjustment of access rights
Organisation Response: A process is established to ensure that all exit formalities are performed, that the assets issued to the employee have been collected and that all access granted has been removed. Evidence of this is maintained.
HIPAA Security Standard: Information Access Management, 164.308(a)(4)

Implementation Specification: Isolating Health Care Clearinghouse Functions
ISO 27001:2013: N/A
Organisation Response: Not applicable.

Implementation Specification: Access Authorization
ISO 27001:2013: A.9.2.2 User access provisioning
Organisation Response: The process for managing user IDs includes:
a) using unique user IDs so that users can be linked to and held responsible for their actions; shared IDs are permitted only where they are necessary for business or operational reasons, and are approved and documented;
b) immediately disabling or removing the user IDs of users who have left the Organisation;
c) periodically identifying and removing or disabling redundant user IDs;
d) ensuring that redundant user IDs are not issued to other users.

Implementation Specification: Access Establishment and Modification
ISO 27001:2013: A.9.2.2 User access provisioning
Organisation Response: The same A.9.2.2 user ID management process as for Access Authorization (items a to d above) applies.
HIPAA Security Standard: Security Awareness and Training, 164.308(a)(5)

Implementation Specification: Security Reminders
ISO 27001:2013: A.12.6.1 Management of technical vulnerabilities
Organisation Response: Information about technical vulnerabilities of the information systems in use is obtained in a timely fashion, the Organisation's exposure to such vulnerabilities is evaluated, and appropriate measures are taken to address the associated risk.

Implementation Specification: Protection from Malicious Software
ISO 27001:2013: A.12.2.1 Controls against malware
Organisation Response: Policy and procedures are established for protection against malware, using malware detection and repair software, information security awareness, and appropriate system access and change management controls.

Implementation Specification: Log-in Monitoring
ISO 27001:2013: A.12.4.1 Event logging
Organisation Response: Event logs recording user activities, exceptions, faults and information security events are produced, kept and regularly reviewed. Event logs include, where relevant:
a) user IDs;
b) system activities;
c) dates, times and details of key events, e.g. log-on and log-off;
d) device identity or location if possible, and system identifier;
e) records of successful and rejected system access attempts.

Implementation Specification: Password Management
ISO 27001:2013: A.9.4.3 Password management system
Organisation Response: The Organisation has a password management system that:
a) enforces the use of individual user IDs and passwords to maintain accountability;
b) allows users to select and change their own passwords, and includes a confirmation procedure to allow for input errors;
c) enforces a choice of quality passwords;
d) forces users to change their passwords at first log-on;
e) enforces regular password changes, and changes as needed;
f) maintains a record of previously used passwords and prevents re-use;
g) does not display passwords on the screen when they are being entered;
h) stores password files separately from application system data;
i) stores and transmits passwords in protected form.
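The password management requirements a) to i) describe a concrete technical control, so here is a worked illustration, added by the editor and not code from the checklist or from any organisation it describes: a small Python credential store that enforces items a) to f), h) and i). The PBKDF2 iteration count, the history depth of five, the 90-day maximum age, the 12-character minimum and the denylist are assumed policy values that the checklist does not prescribe; the user IDs and passwords in the comments are constructed.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Cost parameter: OWASP's published figure for PBKDF2-HMAC-SHA512 (assumed policy value).
PBKDF2_ITERATIONS = 210_000
HISTORY_DEPTH = 5                    # item f: how many previous passwords may not be reused (assumed)
MAX_AGE_SECONDS = 90 * 24 * 3600     # item e: force a change after this age (assumed policy value)
MIN_LENGTH = 12                      # item c: quality rule (assumed policy value)
# Constructed denylist standing in for a real breached-password list.
COMMON_PASSWORDS = {"password", "password1", "welcome123", "letmein", "qwerty123456"}


@dataclass
class CredentialRecord:
    salt: bytes
    digest: bytes
    set_at: float                          # epoch seconds at which the current password was set
    must_change: bool                      # item d: True until the user replaces the issued password
    history: List[Tuple[bytes, bytes]]     # previous (salt, digest) pairs, oldest first


def _derive(password: str, salt: bytes) -> bytes:
    """Item i: passwords exist in the store only as salted, slow hashes, never in clear."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordManagementSystem:
    """Credential store held apart from application data (item h); one record per unique user ID (item a)."""

    def __init__(self) -> None:
        self._credentials: dict = {}

    def enrol(self, user_id: str, issued_password: str, now: Optional[float] = None) -> None:
        """Create a record for a new unique user ID with an administrator-issued password."""
        if user_id in self._credentials:
            raise ValueError("user ID already exists; IDs are never shared or reissued")
        salt = os.urandom(16)
        self._credentials[user_id] = CredentialRecord(
            salt, _derive(issued_password, salt), now if now is not None else time.time(), True, [])

    @staticmethod
    def check_quality(user_id: str, password: str) -> List[str]:
        """Item c: reasons a candidate password is rejected (an empty list means acceptable)."""
        problems = []
        if len(password) < MIN_LENGTH:
            problems.append("shorter than %d characters" % MIN_LENGTH)
        if password.lower() in COMMON_PASSWORDS:
            problems.append("on the common-password denylist")
        if user_id.lower() in password.lower():
            problems.append("contains the user ID")
        return problems

    def _used_before(self, rec: CredentialRecord, password: str) -> bool:
        """Item f: compare against the current password and the retained history, in constant time."""
        for salt, digest in [(rec.salt, rec.digest)] + rec.history:
            if hmac.compare_digest(_derive(password, salt), digest):
                return True
        return False

    def change_password(self, user_id: str, current: str, new: str, confirm: str,
                        now: Optional[float] = None) -> str:
        """Item b: user-initiated change with a confirmation field to catch typing errors."""
        rec = self._credentials[user_id]
        if not hmac.compare_digest(_derive(current, rec.salt), rec.digest):
            return "current password incorrect"
        if new != confirm:
            return "new password and confirmation differ"
        problems = self.check_quality(user_id, new)
        if problems:
            return "weak password: " + ", ".join(problems)
        if self._used_before(rec, new):
            return "password was used recently"
        rec.history = (rec.history + [(rec.salt, rec.digest)])[-HISTORY_DEPTH:]
        rec.salt = os.urandom(16)
        rec.digest = _derive(new, rec.salt)
        rec.set_at = now if now is not None else time.time()
        rec.must_change = False
        return "ok"

    def authenticate(self, user_id: str, password: str, now: Optional[float] = None) -> str:
        """Returns 'ok', 'denied' or 'change-required' (items d and e)."""
        rec = self._credentials.get(user_id)
        if rec is None:
            _derive(password, b"\x00" * 16)   # spend the same time for unknown IDs: no enumeration by timing
            return "denied"
        if not hmac.compare_digest(_derive(password, rec.salt), rec.digest):
            return "denied"
        if rec.must_change:
            return "change-required"
        if (now if now is not None else time.time()) - rec.set_at > MAX_AGE_SECONDS:
            return "change-required"
        return "ok"
```

Item g) belongs to the input layer rather than the store: at a terminal, read the password with getpass.getpass() instead of input() so it is never echoed. Item e) reflects the 2013 ISO guidance the checklist cites; NIST SP 800-63B has since advised verifiers not to require routine periodic changes unless compromise is suspected, so an organisation may set MAX_AGE_SECONDS very high and rely on the denylist and breach monitoring instead.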
HIPAA Security Standard: Security Incident Procedures, 164.308(a)(6)

Implementation Specification: Response and Reporting
ISO 27001:2013: A.16.1.1 Responsibilities and procedures; A.16.1.2 Reporting information security events; A.16.1.3 Reporting information security weaknesses; A.16.1.5 Response to information security incidents
Organisation Response: The Organisation has defined and documented policies and controls for incident management, including the following documented aspects:
• Definition of an incident (e.g. security breaches, data loss, system downtime, malicious activity)
• Incident reporting timelines and procedures
• Root cause analysis and reporting to avoid recurrence
Evidence of incident management activities, including incident logging and root cause analysis, is maintained according to regulatory and contractual requirements.
HIPAA Security Standard: Contingency Plan, 164.308(a)(7)

Implementation Specification: Data Backup Plan
ISO 27001:2013: A.12.3.1 Information backup
Organisation Response: A documented backup and restoration policy is defined and communicated. The policy document outlines the backup and restoration procedures followed, including frequency, schedule, retention requirements, and recovery/restore testing.

Implementation Specification: Disaster Recovery Plan
ISO 27001:2013: A.17.1.1 Planning information security continuity; A.17.1.2 Implementing information security continuity
Organisation Response: There is a defined and documented method for determining the impact of any disruption to the Organisation, which incorporates the following:
• Identify critical products and services
• Identify all dependencies, including processes, applications, business partners and third-party service providers
• Understand threats to critical products and services
• Determine impacts resulting from planned or unplanned disruptions and how these vary over time
• Establish the maximum tolerable period of disruption, aligned with SLAs
• Establish priorities for recovery
• Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption, aligned with SLAs
• Estimate the resources required for resumption

Implementation Specification: Emergency Mode Operation Plan
ISO 27001:2013: A.17.1.1 Planning information security continuity; A.17.1.2 Implementing information security continuity
Organisation Response: The same documented business impact method as for the Disaster Recovery Plan applies (critical products and services, dependencies, threats, impacts over time, maximum tolerable period of disruption, recovery priorities, recovery time objectives within that period, and the resources required for resumption).

Implementation Specification: Testing and Revision Procedures
ISO 27001:2013: A.17.1.3 Verify, review and evaluate information security continuity
Organisation Response: The Organisation ensures that the BCP/DR plan is reviewed and approved at least annually, and distributes the BCP/DR plan to authorized individuals, including all personnel.

Implementation Specification: Applications and Data Criticality Analysis
ISO 27001:2013: A.14.1.1 Information security requirements analysis and specification; A.17.1.1 Planning information security continuity
Organisation Response: The Organisation ensures that the BCP/DR plan is reviewed and approved at least annually, and distributes the BCP/DR plan to authorized individuals, including all personnel.
HIPAA Security Standard: Evaluation, 164.308(a)(8)

ISO 27001:2013: A.18.2.3 Technical compliance review
Organisation Response: Technical compliance is reviewed, preferably with the assistance of automated tools that generate technical reports for subsequent interpretation by a technical specialist.
HIPAA Security Standard: Business Associate Contracts and Other Arrangements, 164.308(b)(1)

Implementation Specification: Written contract or other arrangement
ISO 27001:2013: A.15.1.2 Addressing security within supplier agreements
Organisation Response: Supplier agreements are established and documented to ensure that all relevant information security requirements to be implemented by the supplier are covered.
HIPAA Security Standard: Facility Access Controls, 164.310(a)(1)

Implementation Specification: Contingency Operations
ISO 27001:2013: A.17.2.1 Availability of information processing facilities
Organisation Response: The Organisation has identified and implemented sufficient redundancy for servers, network components and ISPs to protect against outages (such as power failure or network disruption).

Implementation Specification: Facility Security Plan
ISO 27001:2013: A.11.1.3 Securing offices, rooms and facilities; A.11.1.4 Protecting against external and environmental threats
Organisation Response: Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

Implementation Specification: Access Control and Validation Procedures
ISO 27001:2013: A.11.1.1 Physical security perimeter; A.11.1.2 Physical entry controls
Organisation Response: The Organisation ensures that a defined physical security policy, containing the Organisation's guidelines for the physical security of personnel, equipment and information systems, is developed, approved and communicated.

Implementation Specification: Maintenance Records
ISO 27001:2013: A.11.2.4 Equipment maintenance
Organisation Response: The following guidelines for equipment maintenance are considered:
a) equipment is maintained in accordance with the supplier's recommended service intervals and specifications;
b) only authorized maintenance personnel carry out repairs and service equipment;
c) records are kept of all suspected or actual faults, and of all preventive and corrective maintenance.
HIPAA Security Standard: Workstation Use, 164.310(b)

ISO 27001:2013: A.8.1.3 Acceptable use of assets; A.11.1.5 Working in secure areas; A.12.1.1 Documented operating procedures
Organisation Response: Employees and external party users who use or have access to the Organisation's assets are made aware of the information security requirements for the Organisation's assets associated with information, information processing facilities and resources. They are responsible for their use of any information processing resources and for any such use carried out under their responsibility.
HIPAA Security Standard: Workstation Security, 164.310(c)

ISO 27001:2013: A.11.1.5 Working in secure areas
Organisation Response: The following controls are considered:
a) personnel are aware of the existence of, or activities within, a secure area only on a need-to-know basis;
b) unsupervised working in secure areas is avoided, both for safety reasons and to prevent opportunities for malicious activity;
c) vacant secure areas are physically locked and periodically reviewed.
HIPAA Security Standard: Device and Media Controls, 164.310(d)(1)

Implementation Specification: Disposal
ISO 27001:2013: A.8.3.2 Disposal of media
Organisation Response: Formal procedures for the secure disposal of media are established to minimize the risk of confidential information leaking to unauthorized persons. The procedures for secure disposal of media containing confidential information are proportional to the sensitivity of that information.

Implementation Specification: Media Re-use
ISO 27001:2013: A.8.3.1 Management of removable media
Organisation Response: A removable media management process is defined for the controlled use of removable media devices to store and transfer information by all users who have access to information, information systems and IT equipment.

Implementation Specification: Accountability
ISO 27001:2013: A.8.3.3 Physical media transfer; A.11.2.6 Security of equipment and assets off-premises
Organisation Response: Procedures are implemented to protect media containing information against unauthorized access, misuse or corruption during transportation.

Implementation Specification: Data Backup and Storage
ISO 27001:2013: A.12.3.1 Information backup
Organisation Response: A documented backup and restoration policy is defined and communicated. The policy document outlines the backup and restoration procedures followed, including frequency, schedule, retention requirements, and recovery/restore testing.
HIPAA Security Standard: Access Control, 164.312(a)(1)

Implementation Specification: Unique User Identification
ISO 27001:2013: A.9.2.1 User registration and de-registration
Organisation Response: The process for managing user IDs includes:
a) using unique user IDs so that users can be linked to and held responsible for their actions; shared IDs are permitted only where they are necessary for business or operational reasons, and are approved and documented;
b) immediately disabling or removing the user IDs of users who have left the Organisation;
c) periodically identifying and removing or disabling redundant user IDs;
d) ensuring that redundant user IDs are not issued to other users.

Implementation Specification: Emergency Access Procedure
ISO 27001:2013: A.9.2.2 User access provisioning
Organisation Response: The same user ID management process as for Unique User Identification (items a to d above) applies.
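The user ID management process (items a to d, which this checklist maps under Authorization and/or Supervision, Access Authorization, Access Establishment and Modification, Unique User Identification and Emergency Access Procedure) and the access rights review under Workforce Clearance Procedure (A.9.2.5) are one procedure seen from the provisioning side and from the review side. The Python below is a worked illustration added by the editor, not code from the checklist or from any organisation it describes: it runs one periodic review over a constructed HR roster and IAM export and reports what has to be disabled, what is dormant, which shared IDs lack an approval record, who holds privileges beyond their role, and whether a candidate ID may be issued. The role entitlement table, the 90-day dormancy threshold and every identity in the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass
class HrRecord:
    user_id: str
    role: str
    status: str                    # "active" or "left"
    left_on: Optional[date] = None


@dataclass
class Account:
    user_id: str
    enabled: bool
    last_login: Optional[date]
    privileges: FrozenSet[str]
    shared: bool = False           # item a: a shared ID needs a documented, approved business reason
    approval_ref: Optional[str] = None


# Entitlements each role is expected to hold (constructed, assumed values).
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "nurse": frozenset({"ehr:read", "ehr:write"}),
    "billing": frozenset({"claims:read", "claims:write"}),
    "sysadmin": frozenset({"ehr:read", "ehr:write", "ehr:admin", "os:root"}),
}


def leavers_still_enabled(hr: List[HrRecord], accounts: List[Account]) -> List[str]:
    """Item b: IDs of people HR records as having left whose account is still enabled."""
    left = {h.user_id for h in hr if h.status == "left"}
    return sorted(a.user_id for a in accounts if a.enabled and a.user_id in left)


def dormant_accounts(accounts: List[Account], today: date, max_idle_days: int = 90) -> List[str]:
    """Item c: enabled IDs with no log-on inside the threshold (never used counts as dormant)."""
    out = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.last_login is None or (today - a.last_login).days > max_idle_days:
            out.append(a.user_id)
    return sorted(out)


def unapproved_shared_accounts(accounts: List[Account]) -> List[str]:
    """Item a: shared IDs with no recorded approval."""
    return sorted(a.user_id for a in accounts if a.shared and not a.approval_ref)


def privilege_drift(hr: List[HrRecord], accounts: List[Account]) -> Dict[str, FrozenSet[str]]:
    """A.9.2.5 d): privileges held beyond what the person's current role carries."""
    role_of = {h.user_id: h.role for h in hr}
    drift = {}
    for a in accounts:
        if a.user_id not in role_of:
            continue                  # shared/service IDs have no HR role; they are reviewed by approval_ref
        excess = a.privileges - ROLE_ENTITLEMENTS.get(role_of[a.user_id], frozenset())
        if excess:
            drift[a.user_id] = excess
    return drift


def can_issue_user_id(candidate: str, accounts: List[Account], retired_ids: FrozenSet[str]) -> bool:
    """Item d: an existing or retired ID is never handed to another person."""
    return candidate not in retired_ids and all(a.user_id != candidate for a in accounts)


def run_review(hr: List[HrRecord], accounts: List[Account], retired_ids: FrozenSet[str], today: date) -> dict:
    """One periodic access review (A.9.2.5), returned as findings for the reviewer to action."""
    return {
        "disable_now": leavers_still_enabled(hr, accounts),
        "dormant": dormant_accounts(accounts, today),
        "unapproved_shared": unapproved_shared_accounts(accounts),
        "privilege_drift": privilege_drift(hr, accounts),
    }


# Constructed sample data: an HR roster and the matching IAM export (not real people or systems).
SAMPLE_HR = [
    HrRecord("anurse", "nurse", "active"),
    HrRecord("bbill", "billing", "left", date(2024, 5, 31)),
    HrRecord("cadmin", "sysadmin", "active"),
    HrRecord("dnurse", "nurse", "active"),
    HrRecord("eold", "billing", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("anurse", True, date(2024, 6, 10), frozenset({"ehr:read", "ehr:write"})),
    Account("bbill", True, date(2024, 5, 30), frozenset({"claims:read", "claims:write"})),   # left, still enabled
    Account("cadmin", True, date(2024, 6, 11), ROLE_ENTITLEMENTS["sysadmin"]),
    Account("dnurse", True, date(2024, 6, 9), frozenset({"ehr:read", "ehr:write", "ehr:admin"})),  # drift
    Account("eold", True, date(2024, 1, 15), frozenset({"claims:read"})),                      # dormant
    Account("svc-lab", True, date(2024, 6, 11), frozenset({"lab:read"}), shared=True, approval_ref="CHG-1042"),
    Account("svc-kiosk", True, date(2024, 6, 11), frozenset({"ehr:read"}), shared=True),      # no approval
]
SAMPLE_RETIRED = frozenset({"zretired"})
SAMPLE_TODAY = date(2024, 6, 12)
```

Running run_review(SAMPLE_HR, SAMPLE_ACCOUNTS, SAMPLE_RETIRED, SAMPLE_TODAY) gives the review its evidence trail: the findings dictionary is what a reviewer signs off and what an auditor asks to see, and the same functions run unchanged against a real HR export and IAM dump once the two are joined on user ID.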
Implementation Specification: Automatic Logoff
ISO 27001:2013: A.11.2.8 Unattended user equipment
Organisation Response: All users are made aware of the security requirements and procedures for protecting unattended equipment, and of their responsibilities for implementing such protection. Users are advised to:
a) terminate active sessions when finished, unless they can be secured by an appropriate locking mechanism, e.g. a password-protected screen saver;
b) log off from applications or network services when no longer needed;
c) secure computers or mobile devices from unauthorized use by a key lock or an equivalent control, e.g. password access, when not in use.

Implementation Specification: Encryption and Decryption
ISO 27001:2013: A.10.1.1 Policy on the use of cryptographic controls
Organisation Response: A cryptography policy is defined that sets out principles and expectations about when and how encryption of the Organisation's digital information is (or is not) to be used.
HIPAA Security Standard: Audit Controls, 164.312(b)

ISO 27001:2013: A.12.4.1 Event logging; A.12.4.2 Protection of log information; A.12.4.3 Administrator and operator logs
Organisation Response: Event logs recording user activities, exceptions, faults and information security events are produced, kept and regularly reviewed. Event logs include, where relevant:
a) user IDs;
b) system activities;
c) dates, times and details of key events, e.g. log-on and log-off;
d) device identity or location if possible, and system identifier;
e) records of successful and rejected system access attempts.
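Log-in Monitoring earlier and Audit Controls here both list the fields an event log carries (A.12.4.1 a to e), and this row adds A.12.4.2, protection of log information, and A.12.4.3, administrator and operator logs. The Python below is a worked illustration added by the editor, not code from the checklist or from any organisation it describes: an append-only log whose entries carry those fields and chain to one another by hash, so that an edited or deleted entry fails verification, plus two review rules (a rejected log-on burst, and a separate pull of administrator actions) run over constructed sample events. The field names, the hash-chaining design and the sample events are assumptions; the checklist prescribes none of them.

```python
import hashlib
import json
from collections import Counter
from typing import Dict, List, Optional

GENESIS = "0" * 64


def _digest(entry: Dict) -> str:
    """Canonical JSON of every field except the hash itself, so a change to any field is detectable."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AuditLog:
    """Append-only event log in which each entry commits to its predecessor (A.12.4.2)."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def record(self, ts: str, user_id: str, system: str, event: str, outcome: str,
               device: Optional[str] = None) -> str:
        """Append one event carrying the fields of A.12.4.1 a) to e); returns the entry hash."""
        entry = {
            "seq": len(self.entries),
            "ts": ts,                   # c) date and time of the event
            "user_id": user_id,         # a) user ID
            "system": system,           # d) system identifier
            "device": device,           # d) device identity or location, if known
            "event": event,             # b)/c) the activity, e.g. logon, logoff, admin:...
            "outcome": outcome,         # e) success or rejected
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> Optional[int]:
        """Sequence number of the first entry whose chain is broken, or None if the log is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or _digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None


def rejected_logon_bursts(entries: List[Dict], threshold: int = 3) -> Dict[str, int]:
    """Review rule: user IDs with at least `threshold` rejected log-on attempts (threshold assumed)."""
    counts = Counter(e["user_id"] for e in entries if e["event"] == "logon" and e["outcome"] == "rejected")
    return {u: n for u, n in counts.items() if n >= threshold}


def administrator_actions(entries: List[Dict]) -> List[Dict]:
    """A.12.4.3: pull privileged operations out for their own review."""
    return [e for e in entries if e["event"].startswith("admin:")]


def build_sample_log() -> AuditLog:
    """Constructed sample: part of a day on an EHR front end (not real data)."""
    log = AuditLog()
    rows = [
        ("2024-06-12T08:01:02Z", "anurse", "ehr-web-01", "logon", "success", "ws-ward3-07"),
        ("2024-06-12T08:02:10Z", "mallory", "ehr-web-01", "logon", "rejected", "10.9.8.7"),
        ("2024-06-12T08:02:14Z", "mallory", "ehr-web-01", "logon", "rejected", "10.9.8.7"),
        ("2024-06-12T08:02:19Z", "mallory", "ehr-web-01", "logon", "rejected", "10.9.8.7"),
        ("2024-06-12T08:15:00Z", "cadmin", "ehr-db-01", "admin:grant-role", "success", "bastion-01"),
        ("2024-06-12T08:30:45Z", "anurse", "ehr-web-01", "logoff", "success", "ws-ward3-07"),
    ]
    for ts, user, system, event, outcome, device in rows:
        log.record(ts, user, system, event, outcome, device)
    return log
```

Hash chaining makes tampering detectable, not impossible: an attacker who controls the whole file can rewrite the entire chain. In practice the latest hash is anchored somewhere the log writer cannot alter (a separate log host, a signed periodic checkpoint), and write access to the log store is withheld from the administrator and operator accounts whose actions it records, which is the point of listing A.12.4.3 next to A.12.4.2.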
HIPAA Security Standard: Integrity, 164.312(c)(1)

Implementation Specification: Mechanism to Authenticate Electronic Protected Health Information
ISO 27001:2013: A.18.1.3 Protection of records
Organisation Response: Records are protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.
HIPAA Security Standard: Person or Entity Authentication, 164.312(d)

ISO 27001:2013: A.9.2.4 Management of secret authentication information of users
Organisation Response: The process includes the following requirement:
a) users are required to sign a statement to keep personal secret authentication information confidential and to keep group (i.e. shared) secret authentication information solely within the members of the group; this signed statement may be included in the terms and conditions of employment.
HIPAA Security Standard: Transmission Security, 164.312(e)(1)

Implementation Specification: Integrity Controls
ISO 27001:2013: A.13.1.1 Network controls
Organisation Response: Controls are implemented to ensure the security of information in networks and the protection of connected services from unauthorized access.

Implementation Specification: Encryption
ISO 27001:2013: A.10.1.1 Policy on the use of cryptographic controls
Organisation Response: A cryptography policy is defined that sets out principles and expectations about when and how encryption of the Organisation's digital information is (or is not) to be used.