
Cloudticity HIPAA Compliance Policies

HIPAA compliance is complicated but it doesn’t have to be. Cloudticity helps relieve the technical burden with our HIPAA-compliant cloud computing platform and solutions for healthcare.

In an effort to make compliance as easy as possible for companies working with protected health information (PHI), we decided to open source our company policies.

Do you handle PHI and not yet have your own company policies in place? Then you’ll find our content useful.

License

This policy is licensed under CC BY-SA 4.0.

Cloudticity Information Security Policy

February 8, 2021

| Document Control | |
|--|--|
| Document Owner: | Jerry Shaffer |

Version History

| Date | Details of Amendment | Type of Amendment | Responsible party or revision initiator |
|--|--|--|--|
| 02/01/2021 | Document origination | Information Security Policy | Jerry Shaffer, Senior Project Manager |
| 02/03/2021 | Document reviewed, HITRUST requirement updates made | Revised for HITRUST alignment to v9.3 | Jerry Shaffer, Senior Project Manager |
| 08/30/2021 | Added new Section 15.1 and moved prior sections 15.1 and 15.2 to Sections 15.2 and 15.3, respectively | Addresses security issue discovered in client's environment | Jerry Shaffer, Senior Project Manager |

PURPOSE

This Security Policy is intended to provide management direction and defines what is expected with respect to Information Security within Cloudticity ("company"). The overall objective is to control and/or guide human behavior to reduce the risk to information assets by accidental or deliberate actions. This policy, as well as all policies, standards, and guidelines are designed to secure access to and use of information assets owned, operated, or provided by the company and all its clients.

PROCEDURES AND GUIDELINES

This policy applies to all company operating units and entities with direct, indirect, or implied access to assets owned by or entrusted to the company.

ROLES & RESPONSIBILITIES

Chief Technology Officer (CTO)

Contact Information: Gerry Miller, gerry@cloudticity.com

Senior Project Manager

Contact Information: Jerry Shaffer, jerry.shaffer@cloudticity.com

REQUIREMENTS

All employees are responsible for becoming familiar and compliant with this policy and related standards, guidelines, and procedures. The policy is made available on the company's intranet and/or shared file storage location(s) at all times. Additionally, personnel are responsible for reporting any known or observed deficiencies in this policy's control mechanisms. Such deficiencies must be documented and reported to their supervisor, manager, or another officer of the company for improvement.

COMPLIANCE

Information assets are vital company resources that require protection commensurate with their value. Cloudticity's direction is to align with industry best practices and applicable laws. Cloudticity's security framework is based on the HITRUST CSF industry standard and framework. As such, mechanisms are in place to protect these assets from accidental or deliberate modification, destruction, unauthorized disclosure, or other malfeasance to ensure confidentiality, integrity, and availability. This policy, and all pertinent standards, guidelines, and procedures that reinforce this policy shall serve as criteria to be employed by management for compliance review processes.

ENFORCEMENT

A breach of standards, procedures, and/or guidelines established in support of this policy shall be directed to the CTO for action that could result in employee termination and/or legal action.

Table of Contents

1 Information Protection Program (Domain 1)

1.1 Purpose

1.2 Scope

1.3 Strategy

1.4 Compliance and Continuous Improvement

1.5 Capital Planning

1.6 Risk Management

1.7 Security Roles and Responsibilities

1.8 Policy Management

1.9 Policy Sanctions and Acceptable Use

2 Endpoint Protection (Domain 2)

2.1 Malware

2.2 Mobile Protection

2.3 Administrative Access Control

3 Portable Media Security (Domain 3)

3.1 Use of Portable Media

3.2 Portable Media Data Transfers

4 Mobile Device Security (Domain 4)

4.1 Mobile Device Security

4.2 Teleworking Access and Security

5 Wireless Security (Domain 5)

5.1 Wireless Security Standards

6 Configuration Management (Domain 6)

6.1 Compliance

6.2 Change Management

6.3 Secure Configuration Management

6.4 Software Development Management

7 Vulnerability Management (Domain 7)

7.1 Asset Management

7.2 Hardening

7.3 Patch Management

7.4 Vulnerability Management

7.5 Penetration Testing

7.6 Software Development Security

8 Network Protection (Domain 8)

8.1 Network Management

8.2 Network Segmentation

8.3 Network Security

8.4 Firewall Management

8.5 Remote Access

9 Transmission Protection (Domain 9)

9.1 Data Protection

9.2 Remote Access

9.3 Encryption Management

9.4 Electronic Signatures

10 Password Management (Domain 10)

10.1 Password Management

10.2 User Password Responsibilities

11 Access Control (Domain 11)

11.1 Access Control Management

11.2 User Verification

11.3 Role-Based Security

11.4 Shared/Guest Accounts

11.5 Privilege Account Management

11.6 Network Access Security

11.7 Remote Access

11.8 Clear Desk/Clear Screen Policy

12 Audit Logging & Monitoring (Domain 12)

12.1 Audit Log Management

12.2 Security Incident and Event Management

12.3 Separation of Duties

13 Education, Training and Awareness (Domain 13)

13.1 Policy Awareness and Management

13.2 Security Awareness Program

14 Third-Party Assurance (Domain 14)

14.1 Third-Party Management

14.2 Third-Party Remote Access

14.3 Third-Party Software Development

15 Incident Management (Domain 15)

15.1 Client Security Issue

15.2 Security Incident Response

15.3 Employee Incidents and Sanctions

16 Business Continuity & Disaster Recovery (Domain 16)

16.1 Business Continuity

16.2 Disaster Recovery

17 Risk Management (Domain 17)

17.1 Risk Management Program

17.2 Security Controls

17.3 Vendor and Procurement

17.4 Enterprise Architecture

17.5 Project Management

17.6 Software Development Lifecycle

18 Physical & Environmental Security (Domain 18)

18.1 Physical Security

18.2 Environmental Security

18.3 Media Destruction

19 Data Protection & Privacy (Domain 19)

19.1 Data Protection

19.2 Privacy Management

19.3 Records Management

20 Review Frequency

21 HITRUST Requirements

1 Information Protection Program (Domain 1)

1.1 Purpose

The Cloudticity Information Security Management Program ("ISMP" hereafter) identifies and controls risks to Cloudticity's infrastructure, applications and data.

1.2 Scope

The scope of this Policy applies to all computing systems within Cloudticity that are supported by the Information Technology Department ("IT" hereafter). This body of networks, systems, and applications are referred to as IT supported systems. The ISMP is the sum of the organizational structure, policies, planning, responsibilities, procedures, and systems that accomplish the security of the IT supported systems. The ISMP utilizes results of risk assessments and penetration tests conducted on business-critical applications and infrastructure components as the basis for mitigation efforts. The controls selected to address the identified risks drive the creation of the procedures and technical standards required by the ISMP.

1.3 Strategy

The Cloudticity ISMP will be based on an accepted industry framework that is reviewed and updated as needed. The Cloudticity ISMP is based on the HITRUST CSF Framework (0101.00a1Organizational.123) and HIPAA requirements.

The ISMP strategy shall be formally documented and actively monitored, reviewed and updated to ensure program objectives continue to be met (0102.00a2Organizational.123).

Internal independent audits will be conducted at least annually to determine whether the ISMP strategy is approved by executive management, communicated to stakeholders, adequately resourced, conforms to relevant legislation or regulations and other business requirements, and adjusted as needed to ensure the program continues to meet defined objectives (0103.00a3Organizational.1234567).

The ISMP strategy will include the Information Security objectives, approach, scope, importance, goals and principles for the Cloudticity Information Security Management Program. The ISMP strategy will be communicated throughout the company to users in a form that is relevant, accessible and understandable to the intended reader, and supported by the HITRUST CSF Framework, HIPAA and other identified security controls to ensure consideration for legislative, regulatory, contractual requirements and other policy-related requirements (0113.04a1Organizational.123).

1.4 Compliance and Continuous Improvement

The ISMP will include methods and tools to monitor the effectiveness of the implementation of controls described in the previous section. Cloudticity shall conduct independent reviews of the ISMP to ensure the continuing suitability, adequacy, and effectiveness of the organization's approach to managing information security (0177.05h1Organizational.12).

The results of such independent ISMP reviews will be recorded and reported to the management official/office initiating the review; and the results must be maintained for no less than three (3) years (0178.05h1Organizational.3).

If the independent reviews identify that Cloudticity's approach and implementation to managing information security is inadequate or not compliant with the direction for information security stated within the ISMP Policy, management will take corrective action (0179.05h1Organizational.4).

1.5 Capital Planning

Capital planning and investment requests will include the resources needed to implement the security program, employ a business case, and will include Cloudticity executive management support in ensuring that the resources are available for expenditure as planned (0120.05a1Organizational.4). Security is included in the Cloudticity Standard Operating Procedures (SOP) Manual, Section Security and Privacy.

The information security capital planning and investment plan (budget) will include resources for an information security workforce improvement program that may include but is not limited to hands-on training, certifications, seminars and/or conferences (0107.02d1Organizational.1).

1.6 Risk Management

Cloudticity shall ensure that plans for security testing, training and monitoring activities are developed, implemented, maintained and reviewed for consistency within the Risk Management Program (0108.02d1Organizational.23).

1.7 Security Roles and Responsibilities

A qualified senior-level information security official shall be appointed and is responsible for ensuring security processes are in place, communicated to all stakeholders, and address all requirements within the ISMP. If the senior-level information security official is employed by the organization, one of its affiliates, or a third-party service, the company retains responsibility for its cybersecurity program, designates a senior member of the company responsible for direction and oversight, and requires the third-party service to maintain an appropriate cybersecurity program of its own (01110.05a1Organizational.5, 0117.05a1Organizational.1).

The security officer ensures the effectiveness of the ISMP through program oversight, establishes and communicates the ISMP priorities, reviews and updates the ISMP strategy, monitors compliance to the ISMP by the workforce, and evaluates and accepts security risks on behalf of Cloudticity (0118.05a1Organizational.2, 0110.02d2Organizational.1). The responsibility for auditing information system access and activity is assigned to the security officer.

The security officer will charter an information security management committee that includes documented security contacts assigned from each major business unit (0119.05a1Organizational.3).

User security roles and responsibilities shall be clearly defined and communicated to all employees throughout Cloudticity (0104.02a1Organizational.12).

Cloudticity's management will ensure users are briefed on their security role(s)/responsibilities and conform with the terms and conditions of employment prior to obtaining access to Cloudticity's information systems. Such terms will include guidelines regarding the security expectations of their roles and principles to motivate users to comply with security policies (0109.02d1Organizational.4).

The pre-employment process shall be reviewed by recruitment to ensure security roles/responsibilities are specifically defined (in writing) and clearly communicated to job candidates (0106.02a2Organizational.23).

Risk designations shall be assigned for all positions within Cloudticity as appropriate, with commensurate screening criteria, and reviewed/revised every three hundred and sixty-five (365) days (0105.02a2Organizational.1).

1.8 Policy Management

ISMP Security Policy (this document) must always present the Cloudticity CTO's policy direction to be in line with business objectives and demonstrate management's support for, and commitment to, Information Security across the supported Cloudticity systems. The leaders responsible for the execution of the functional topics addressed in this policy must annually review and approve those sections of this policy. These reviews must be documented.

Cloudticity's Information Security Policy shall be regularly reviewed and updated to ensure it reflects leading practices (e.g., for systems and services development and acquisition), and all reviews/changes will be communicated throughout the company (0114.04b1Organizational.1).

1.9 Policy Sanctions and Acceptable Use

The company will formally address the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and compliance requirements for its human resources security protection program (e.g., through policy, standards, guidelines, and procedures; 0137.02a1Organizational.3).

Cloudticity will employ a formal sanctions process for personnel failing to comply with established information security policies and procedures. Such a sanctions process will notify defined personnel (e.g., supervisors) within two (2) business days. Further, the sanction process shall include specific procedures for license, registration, and certification denial or revocation and other disciplinary action (0135.02f1Organizational.56). Details on policy and procedure sanctions can be found in the Roles Process 5.1.5.

Cloudticity will ensure that individuals are capable of making complaints concerning the information security policies, procedures, or the organization's compliance with its policies and procedures. Such complaints will be documented, may include requests for changes, and will record the user's disposition, if applicable (0162.04b1Organizational.2).

Such policy requirements shall include acceptable use of systems (0112.02d2Organizational.3). Additionally, mobile computing security requirements specific to BYOD usage including identifying approved applications, eligibility requirements, privacy expectations, data wipe, and usage shall be included (0197.02d2Organizational.4).

Employees and Non-employees will be provided Cloudticity's data privacy and security policy requirements prior to accessing any system resources and data (0111.02d2Organizational.2).

2 Endpoint Protection (Domain 2)

2.1 Malware

All servers and workstations shall run anti-malware software configured for automatic updates such that the latest versions of the anti-malware software and malicious code definition tables are installed as promptly as possible (0207.09j2Organizational.56). A schedule for complete, automated malware scans of servers and workstations shall be documented (0201.09j1Organizational.124).

Protection against malicious code will be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls (0214.09j1Organizational.6). The company addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system (0215.09j2Organizational.8).

The company will configure malicious code and spam protection mechanisms to perform periodic scans of the information system according to company guidelines and real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and block malicious code, quarantine malicious code, or send an alert to the administrator in response to malicious code detection (0217.09j2Organizational.10).

The information system implements safeguards to protect its memory from unauthorized code execution (0219.09j2Organizational.12).

For systems considered not commonly affected by malicious software, the company shall perform periodic assessments to identify and evaluate evolving malware threats to confirm whether such systems continue to not require anti-virus software (0216.09j2Organizational.9).

The anti-malware solution will be centrally managed and cannot be disabled by the users (0206.09j2Organizational.34). Scans for malicious software will be performed on boot and every twelve (12) hours (0204.09j2Organizational.1). The anti-malware solution shall retain audit logs of scans and activity (0202.09j1Organizational.3).

Malicious code that is identified will be blocked and quarantined, and an alert will be sent to the administrators for threats requiring immediate attention. A malware escalation procedure will be documented to adequately control any detected malicious code (0205.09j2Organizational.2).

2.2 Mobile Protection

Automated controls (e.g., browser settings) shall be in place to authorize and restrict the use of mobile code (e.g., Java, ActiveX, PDF, postscript, Shockwave, and Flash) (0225.09k1Organizational.1). File sharing shall be disabled on all wireless enabled devices (0209.09m3Organizational.7).

Cloudticity shall implement and regularly update mobile code protection, including malware protection (0226.09k1Organizational.2). Cloudticity shall take specific actions to protect against mobile code performing unauthorized actions (0227.09k2Organizational.12).

2.3 Administrative Access Control

User functionality (including user interface services [e.g., Web services]) shall be separated from information system management functionality (e.g., database management systems) (0208.09j2Organizational.7).

Rules for the migration of software from development to operational status will be defined and documented by the affected application(s) owners. Development, test, and operational systems will be separated (physically or virtually) to reduce the risks of unauthorized access, malware infections or changes to the operational system (0228.09k2Organizational.3).

3 Portable Media Security (Domain 3)

3.1 Use of Portable Media

Cloudticity will restrict the use of writable removable media and personally-owned removable media in all systems (0304.09o3Organizational.1). All portable media (including laptops) shall be registered prior to use and include security protections based on the data classification level. The data classification level documents the reasonable restrictions on how such media may be used and labeled, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized (0301.09o1Organizational.123, 0305.09q1Organizational.12).

The status and location of unencrypted covered information will be maintained and monitored (0306.09q1Organizational.3).

Digital and non-digital media requiring restricted use and the specific safeguards used to restrict their use shall be identified (0303.09o2Organizational.2).

3.2 Portable Media Data Transfers

Cloudticity shall protect and control all media containing sensitive information during transport outside of controlled areas (0302.09o2Organizational.1). Data transfers outside of controlled areas will be approved and records of the transfers shall be maintained (0307.09q2Organizational.12).

4 Mobile Device Security (Domain 4)

4.1 Mobile Device Security

Mobile computing devices shall be protected at all times by access controls, usage restrictions, connection requirements, encryption, virus protections, host-based firewalls or equivalent functionality, secure configurations, and physical protections (0401.01x1System.124579).

Cloudticity shall monitor for unauthorized connections of mobile devices (0403.01x1System.8).

If it is determined that encryption is not reasonable and appropriate, the rationale and acceptance of risk shall be documented and approved by management (0410.01x1System.12).

A documented list of approved application stores shall be defined as acceptable for mobile devices accessing or storing entity (client) or cloud service provider-managed client data, and the use of unapproved application stores will be prohibited for company-owned and BYOD mobile devices. Non-approved applications or approved applications not obtained through approved application stores will be prohibited (0425.01x1System.13).

Cloudticity will prohibit the circumvention of built-in security controls on mobile devices such as jailbreaking or rooting (0429.01x1System.14).

4.2 Teleworking Access and Security

Teleworking activities will only be authorized if security arrangements and controls comply with relevant Cloudticity security policies (0405.01y1Organizational.12345678).

Suitable protections of the teleworking site must be in place to protect against the theft of equipment and information, the unauthorized disclosure of information, and unauthorized remote access to the company's internal systems or misuse of facilities (0415.01y1Organizational.10).

5 Wireless Security (Domain 5)

5.1 Wireless Security Standards

Quarterly scans will be performed to identify unauthorized wireless access points, and appropriate action shall be taken if any unauthorized access points are discovered (0505.09m2Organizational.3).

Firewalls shall be configured to deny or control any traffic from a wireless environment into the covered data environment (0504.09m2Organizational.5).

6 Configuration Management (Domain 6)

6.1 Compliance

Cloudticity shall develop a continuous monitoring strategy which will include a continuous monitoring program (0604.06g2Organizational.2).

Annual compliance reviews shall be conducted by security or audit individuals using manual or automated tools; if non-compliance is found, appropriate action will be taken (0601.06g1Organizational.124). The results and recommendations of the reviews shall be documented and approved by management (0602.06g1Organizational.3).

Automated compliance tools shall be used when possible (0603.06g2Organizational.1). Cloudticity will implement automated mechanisms to (i) centrally manage, apply, and verify configuration settings; (ii) respond to unauthorized changes to network and system security-related configuration settings; and (iii) enforce access restrictions and auditing of the enforcement actions (0644.10k3Organizational.4).

Technical compliance checks will be performed by an experienced specialist with the assistance of industry standard automated tools, which generate a technical report for subsequent interpretation. These checks shall be performed annually, but more frequently where needed based on risk, as part of an official risk assessment process, and will help support technical interoperability (0614.06h2Organizational.12, 0615.06h2Organizational.3).

Cloudticity shall perform annual checks on the technical security configuration of systems, either manually by an individual with experience with the systems and/or with the assistance of automated software tools and will take appropriate action if non-compliance is found (0613.06h1Organizational.12).

The company will employ assessors or assessment teams with a level of independence appropriate to its continuous monitoring strategy to monitor the security controls in the information system on an ongoing basis (068.06g2Organizational.34).

The internal security team will review and maintain records of compliance results (e.g., company-defined metrics) in order to better track security trends within the organization, respond to the results of correlation and analysis, and to address longer term areas of concern as part of its formal risk assessment process (069.06g2Organizational.56).

6.2 Change Management

All changes to production systems, networks and network services must follow a formal change management process in order to minimize the corruption of information systems. The process will include (0638.10k2Organizational.34569, 0618.09b1System.1):

• Applications and operating systems shall be successfully tested for usability, security and impact prior to production (0606.10h2System.1)

• Fallback procedures shall be defined and implemented, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events (0620.09b2System.3)

• Changes to mobile device operating systems, patch levels, and/or applications go through the change management process (0671.10k1System.1)

Changes to equipment, software and procedures will be strictly and consistently managed (0619.09b2System.12).

Only authorized administrators will be allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release (0605.10h1System.12).

Managers responsible for application systems will also be responsible for the strict control (security) of the project or support environment and ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment (0635.10k1Organizational.12).

The integrity of all virtual machine images shall be maintained at all times by (i) logging and raising an alert for any changes made to virtual machine images; and (ii) making available to the business owner(s) and/or customer(s) through electronic methods (e.g., portals or alerts) the results of a change or move and the subsequent validation of the image's integrity (0672.10k3System.5).

6.3 Secure Configuration Management

A formal configuration management program will be developed, documented and implemented that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, the configuration management plan and compliance for configuration management (e.g., through policies, standards, processes; 0637.10k2Organizational.2, 0636.10k2Organizational.1).

Standardized, secure configuration build images or baselines will be established and deployed onto all servers, desktops, laptops and other portable devices within the organization. Such baselines will be reviewed and updated as required (0642.10k3Organizational.12).

The company must (i) establish and document mandatory configuration settings for information technology products employed within the information system using the latest security configuration baselines; (ii) identify, document, and approve exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements; and (iii) monitor and control changes to the configuration settings in accordance with the company's policies and procedures. (0643.10k3Organizational.3).

The company will not use automated updates on critical systems (0641.10k2Organizational.11).

The operating system shall have in place supporting technical controls such as antivirus, file integrity monitoring, host-based (personal) firewalls or port filtering tools, and logging as part of its baseline (0663.10h1System.7).

Installation checklists and vulnerability scans shall be used to validate the configuration of servers, workstations, devices and appliances and ensure the configuration meets minimum standards (0639.10k2Organizational.78).

The company will prevent program execution in accordance with the list of unauthorized (blacklisted) software programs and rules authorizing the terms and conditions of software program usage (0663.10h2Organizational.9).

The information system, including servers, workstations and laptops, shall employ an allow-all, deny-by-exception policy to prohibit the execution of known unauthorized (blacklisted) software, with reviews and updates of the list of unauthorized (blacklisted) software conducted periodically but no less than annually (0664.10h2Organizational.10).
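The three controls above (mandatory baseline settings with documented exceptions, validation of configuration against minimum standards, and a deny-by-exception blacklist) can be checked together with a small reconciliation script. The following is an added example, not Cloudticity's own tooling or any particular product; the baseline values, the blacklist, the exception ticket and the host observations are all constructed for illustration.

```python
"""Baseline configuration and blacklist check (added example, not the policy
author's tooling). Compares a host's observed settings and installed packages
against a mandatory baseline, approved per-host exceptions and a list of
unauthorized (blacklisted) software. All data below is constructed."""
from dataclasses import dataclass

# Constructed mandatory configuration baseline (setting -> required value).
BASELINE = {
    "ssh.password_authentication": "no",
    "ssh.permit_root_login": "no",
    "auditd.enabled": "yes",
    "file_integrity_monitoring": "enabled",
    "host_firewall": "enabled",
}

# Constructed list of unauthorized (blacklisted) software; the policy requires
# this list to be reviewed and updated no less than annually.
BLACKLIST = {"telnet-server", "rsh-server", "legacy-ftpd"}

# Constructed approved exceptions: host -> {setting: (approved value, change ticket)}.
# The ticket id is a placeholder, not a real change record.
EXCEPTIONS = {
    "db-01": {"ssh.permit_root_login": ("yes", "CHG-PLACEHOLDER-0001")},
}


@dataclass
class Finding:
    host: str
    kind: str    # "drift", "blacklisted", or "exception_used"
    detail: str


def check_host(host: str, observed: dict, installed: set) -> list:
    """Return findings for one host: every baseline deviation that is not
    covered by a documented exception, plus any blacklisted package present.
    A setting that is absent from the observation counts as drift."""
    findings = []
    approved = EXCEPTIONS.get(host, {})
    for setting, required in BASELINE.items():
        actual = observed.get(setting)
        if actual == required:
            continue
        if setting in approved and approved[setting][0] == actual:
            value, ticket = approved[setting]
            findings.append(Finding(host, "exception_used", f"{setting}={value} per {ticket}"))
            continue
        findings.append(Finding(host, "drift", f"{setting}: expected {required!r}, found {actual!r}"))
    for pkg in sorted(installed & BLACKLIST):
        findings.append(Finding(host, "blacklisted", pkg))
    return findings


def summarize(findings: list) -> dict:
    """Count findings by kind so the annual review has a trend figure."""
    counts = {"drift": 0, "blacklisted": 0, "exception_used": 0}
    for f in findings:
        counts[f.kind] += 1
    return counts


# Constructed observations for two hosts: (settings, installed packages).
SAMPLE_HOSTS = {
    "web-01": ({"ssh.password_authentication": "yes", "ssh.permit_root_login": "no",
                "auditd.enabled": "yes", "file_integrity_monitoring": "enabled",
                "host_firewall": "enabled"}, {"nginx", "telnet-server"}),
    "db-01": ({"ssh.password_authentication": "no", "ssh.permit_root_login": "yes",
               "auditd.enabled": "yes", "file_integrity_monitoring": "enabled"},
              {"postgresql"}),
}

if __name__ == "__main__":
    for name, (settings, packages) in SAMPLE_HOSTS.items():
        for f in check_host(name, settings, packages):
            print(f"{f.host}: {f.kind}: {f.detail}")
```

An exception only suppresses a drift finding when the observed value equals the approved value, so an exception cannot be used to wave through an arbitrary setting; it is still reported as `exception_used` so the review sees how many exceptions are in play.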

Operational systems will only hold approved programs or executable code (0626.10h1System.3).

The company must maintain information systems according to a current baseline configuration and configure system security parameters to prevent misuse. Vendor-supplied software used in operational systems shall be maintained at a level supported by the supplier, and the latest version of Web browsers shall be used on operational systems to take advantage of the latest security functions in the application (0627.10h1System.45).

If systems or system components in production are no longer supported by the developer, vendor, or manufacturer, the company must show evidence of a formal migration plan approved by management to replace the system or system components (0628.10h1System.6).

A rollback strategy will be in place before changes are implemented, and an audit log is maintained of all updates to operational program libraries (0629.10h2System.45).

Physical or logical access will only be given to suppliers for support purposes when necessary, with management approval, and such access will be monitored (0630.10h2System.6).

6.4 Software Development Management

Cloudticity shall use a configuration control program to maintain control of all implemented software and its system documentation as well as archive prior versions and associated system documentation (0607.10h2System.23).

Where development is outsourced, change control procedures shall be developed to address security that will be included in the contract(s) and specifically require the developer to track security flaws and flaw resolution within the system, component, or service and report findings to company-defined personnel or roles (0640.10k2Organizational.1012).

7 Vulnerability Management (Domain 7)

7.1 Asset Management

A reliable and comprehensive asset management system that identifies all assets associated with information and information system processing is to be implemented. The ability to identify and validate required security configurations that can be traced to specific hardware or software IT assets connected to or within the network is vital to protecting the enterprise and to quantifying the security program's overall effectiveness.

An inventory of assets and services shall be maintained (0701.07a1Organizational.12). The inventory of all authorized assets shall include the owner of the information asset, custodianship, and categorization of the information asset according to criticality and information classification, and shall identify protection and sustainment requirements commensurate with the asset's categorization (0703.07a2Organizational.1).

The asset inventory will be updated during installations, removals, and system changes, with full physical inventories performed for capital assets (at least annually) and for non-capital assets (0704.07a3Organizational.12).

The organization's asset inventory will not duplicate other inventories unnecessarily, and the organization will ensure their respective content is aligned (0720.07a1Organizational.4).

The company will provide an updated inventory identifying assets with sensitive information (e.g., ePHI, PII) to the CTO or information security official, and the senior privacy official on a company-defined basis, but no less than annually (0725.07a3Organizational.5).

The IT Asset Lifecycle Program will include details regarding the secure use, transfer, exchange, and disposal of IT-related assets (0702.07a1Organizational.3). The program shall be regularly reviewed and updated (0705.07a3Organizational.3).

If the company assigns assets to contractors, it shall ensure that the procedures for assigning and monitoring the use of the property are included in the contract; if assets are assigned to volunteer workers, there shall be a written agreement specifying how and when the property will be inventoried and how it will be returned upon completion of the volunteer assignment (0722.07a1Organizational.67).

The company will create and document the process/procedure the company intends to use for deleting data from hard-drives prior to property transfer, exchange, or disposal/surplus (0723.07a1Organizational.8).

The company shall employ automated mechanisms to scan the network, no less than weekly, to detect the presence of unauthorized components/devices (including hardware, firmware and software) in the environment, and shall disable network access by such components/devices or notify designated organizational officials (0724.07a3Organizational.4).

The information system must check the validity of company-defined information inputs for accuracy, completeness, validity, and authenticity as close to the point of origin as possible. For in-house developed software, the company ensures that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats (0733.10b2System.4).

7.2 Hardening

In support of Secure Configuration Management (section 6.3), a hardened configuration standard shall exist for all system and network components (0710.10m2Organizational.1).

Such systems and network components shall be appropriately hardened, including but not limited to enabling only the services, ports, and protocols that are necessary and secure (0715.10m2Organizational.8).

Hardening standards shall support all system and information integrity requirements and shall be developed, documented, disseminated, reviewed, and updated annually (0708.10b2System.2).

7.3 Patch Management

Patching of servers and workstations at the operating system, database, and application level for security-related patches shall be managed to reduce critical and high security vulnerabilities. Software patches and updates will be applied to all systems in a timely manner. Automation should be used when available. Automation is used to ensure monitoring agents are up-to-date on production systems. Regular reviews of the patch cycle shall be conducted, and servers or workstations not in compliance shall be patched unless an exception is justified and approved by management.

A prioritization process shall be implemented to determine which patches are applied across the organization's systems (0786.10m2Organizational.13). Critical security patches are applied within 30 days from testing, and all security patches are applied within 90 days after testing.

Patches shall be tested and evaluated before they are installed (0713.10m2Organizational.5).

Patches installed in the production environment will also be installed in the organization's disaster recovery environment in a timely manner (0787.10m2Organizational.14).

7.4 Vulnerability Management

Critical network access points, internal systems that store sensitive data, and Internet facing systems shall be tested for vulnerabilities periodically. A technical vulnerability management program shall be implemented to monitor, assess, rank, and remediate vulnerabilities identified in systems (0711.10m2Organizational.23).

Technical vulnerabilities identified shall be evaluated for risk and corrected in a timely manner (0709.10m1Organizational.1). The technical vulnerability management program will be evaluated on a quarterly basis (0714.10m2Organizational.7).

Vulnerability scans of the information system and hosted applications shall be conducted regularly, and monthly (automatically) at a minimum, to determine the state of flaw remediation. Such systems shall be scanned again (manually or automatically) when new vulnerabilities potentially affecting the systems and network environments are identified (0718.10m3Organizational.34).

Vulnerability scanning tools shall include the capability to readily update the list of information system vulnerabilities scanned (0717.10m3Organizational.2). Historic audit logs shall be maintained to determine whether high vulnerability scan findings identified in the information system have been previously exploited (0790.10m3Organizational.22).

Vulnerability scanning procedures shall include the depth of coverage required (i.e., information system components scanned and vulnerabilities checked) (0789.10m3Organizational.21). Vulnerability scanning procedures shall include updating the list of information system vulnerabilities scanned within every thirty (30) days or when new vulnerabilities are identified and reported (0719.10m3Organizational.5).

An enterprise security posture review shall be conducted as needed to support the program effectiveness but no less than once within every three-hundred-sixty-five (365) days (0716.10m3Organizational.1).

Internal and external vulnerability assessments of covered information systems, virtualized environments, and networked environments, including both network- and application-layer tests, shall be performed by a qualified individual on a quarterly basis or after significant changes (0712.10m2Organizational.4).

Information resources that will be used to identify relevant technical vulnerabilities and to maintain awareness will be identified for software and other technology, and the information resources identified are updated based on changes in the inventory, or when other new or useful resources are found (0737.10m2Organizational.9).

7.5 Penetration Testing

Regular penetration testing shall be conducted by an independent agent or team, at least every three hundred and sixty-five (365) days, on defined information systems or system components; such testing shall be conducted from outside as well as inside the network perimeter, and shall include tests for the protection of unprotected system information that would be useful to attackers (0788.10m3Organizational.20).

Cloudticity currently does not access, store, transmit, or process electronic protected health information (ePHI). If Cloudticity were to implement services where ePHI would be stored, transmitted, or processed, the organization shall audit access by vulnerability testing. Specifically, applications that store, process or transmit covered information shall undergo automated application vulnerability testing by a qualified party on an annual basis (0707.10b2System.1).

Exploitable vulnerabilities identified during penetration testing shall be corrected, and an adequate retest performed to demonstrate that the identified exploit is addressed.

7.6 Software Development Security

Applications developed by Cloudticity shall be based on secure coding guidelines to prevent common vulnerabilities or will undergo appropriate vulnerability and penetration testing (0706.10b1System.12).

Procedures, guidelines, and standards for the development of applications must be periodically reviewed, assessed and updated as necessary by the appointed senior-level information security official of the company (0791.10b2Organizational.4).

8 Network Protection (Domain 8)

8.1 Network Management

Cloudticity shall keep up-to-date and current diagrams, including diagrams of all networks (including wireless networks), system architecture, and data flows. Diagrams shall be updated whenever there are network changes and no less than every six months (0819.09m1Organizational.23).

The impact of the loss of network service to the business must be defined (0824.09m3Organizational.1). Formal agreements with external information system providers shall include specific obligations for security and privacy (0837.09n2Organizational.2). Agreed services provided by a network service provider/manager will be formally managed and monitored to ensure they are provided securely (0835.09n1Organizational.1).

8.2 Network Segmentation

Cloudticity's network shall be logically and physically segmented with a defined security perimeter and a graduated set of controls, including: subnetworks for publicly accessible system components that will be logically separated from the internal network, based on the company's requirements; traffic is controlled based on functionality required; and classification of the data/systems based on a risk assessment and their respective security requirements (0806.01m2Organizational.12356).

The sensitivity of Cloudticity applications/systems shall be explicitly identified and documented by the application/system owner (0816.01w1System.1).

Cloudticity's security gateways (e.g., firewalls) shall enforce security policies and will be configured to filter traffic between domains, block unauthorized access, and will be used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs, and will enforce access control policies for each of the domains (0805.01m1Organizational.12).

A DMZ shall be implemented between all database(s), servers and other system components storing or processing covered information (0830.09m3Organizational.1012).

Cloudticity shall ensure that the security of information in networks, availability of network services and information services using the network are protected from unauthorized access (0859.09m1Organizational.78). The company ensures information systems protect the confidentiality and integrity of transmitted information, including during preparation for transmission and during reception (0862.09m2Organizational.8).

At least two DNS servers shall be located on different subnets, which are geographically separated and perform different roles (internal and external) to eliminate single points of failure and enhance redundancy (0832.09m3Organizational.14). Authoritative DNS servers are segregated into internal and external roles (0871.09m3Organizational.22).

Networks shall be segregated from production-level networks when migrating physical servers, applications or data to virtualized servers (0894.01m2Organizational.7). Secure and encrypted communication channels will be used when migrating physical servers, applications or data to virtualized servers (08101.09m2Organizational.14).

The company must describe the groups, roles, and responsibilities for the logical management of network components and ensure coordination of and consistency in the elements of the network infrastructure (0866.09m3Organizational.1516).

8.3 Network Security

Requirements for network routing control shall be based on the Access Control Policy, including positive source and destination checking mechanisms, such as firewall validation of source/destination addresses, and the hiding of internal directory services and IP addresses.

Network perimeters will be implemented such that all outgoing network traffic to the Internet must pass through at least one application-layer filtering proxy server. The proxy shall support decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a blacklist, and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites. All outbound traffic to the Internet shall be forced to go through the authenticated proxy server on the enterprise perimeter (0815.01o2Organizational.123).

Technical tools such as an IDS/IPS shall be implemented and operating on the network perimeter and other key points to identify vulnerabilities, monitor traffic, and detect attack attempts and successful compromises, and mitigate threats; these tools will be updated on a regular basis (0825.09m3Organizational.23).

All network devices shall require authentication mechanisms before establishing a connection and at a minimum, use shared information (i.e., MAC or IP address) and access control lists to control remote network access (0820.09m2Organizational.1). Any device that connects to Cloudticity's network must have Trend Micro Worry Free Security installed.

MAC address authentication and static IP addresses shall be implemented (0827.09m3Organizational.6). Quarterly network scans shall be performed to identify unauthorized components/devices (0828.09m3Organizational.8).

Usage restrictions and implementation guidance must be formally defined for VoIP, including the authorization and monitoring of the service (0864.09m2Organizational.12). The phone usage and configuration process is found in document _______

Access to all proxies will be denied, except for those hosts, ports, and services that are explicitly required (0870.09m3Organizational.20).

The company will formally manage equipment on the network, including equipment in user areas (0860.09m1Organizational.9).

8.4 Firewall Management

Routing controls shall be implemented through security gateways (e.g., firewalls) used between internal and external networks such as the Internet and 3rd party networks (0850.01o1Organizational.12). Firewalls will restrict inbound and outbound traffic to the minimum necessary (0822.09m2Organizational.4).

The ability of users to connect to the internal network will be restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the Access Control Policy and the requirements of clinical and business applications (0814.01n1Organizational.12).

Network traffic shall be controlled in accordance with the company's Access Control Policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface (0809.01n2Organizational.1234).

Exceptions to the traffic flow policy will be documented with a supporting mission/business need, duration of the exception, and shall be reviewed at least annually. Traffic flow policy exceptions will be removed when no longer supported by an explicit mission/business need (0811.01n2Organizational.6).

For any public-facing web applications, application-level firewalls will be implemented to control traffic. For public-facing applications that are not web-based, a network-based firewall specific to the application type will be implemented. If the traffic to the public-facing application is encrypted, the device either sits behind the encryption or shall be capable of decrypting the traffic prior to analysis (0808.10b2System.3).

Security appliances (firewalls, IDS/IPS, WAFs, etc.) that employ stateful packet inspection will be deployed, and will be sourced from at least two different vendors (0829.09m3Organizational.911).

Firewall and router configuration standards shall be defined and implemented and will be reviewed every six months (0826.09m3Organizational.45).

All network connections and all firewall, router, and switch configuration changes shall be tested and approved prior to implementation. Any deviations from the standard configuration or updates to the standard configuration will be documented and shall be approved in a change control system. Router configuration files will be secured and synchronized (0869.09m3Organizational.19).

All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, will also be documented and recorded, with a specific business reason for each change, the name of the specific individual responsible for that business need, and the expected duration of the need (0821.09m2Organizational.2).

The company must monitor for all authorized and unauthorized wireless access to the information system and prohibit installation of wireless access points (WAPs) unless explicitly authorized in writing by the CTO or his/her designated representative (0858.09m1Organizational.4).

To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system must use either (i) a shared known information solution or (ii) the company's authentication solution, the exact selection and strength of which is dependent on the security categorization of the information system (0861.09m2Organizational.67).

The company shall build a firewall configuration that restricts connections between untrusted networks and any system components in the covered information environment, and any changes to the firewall configuration shall be reflected in the network diagram (0863.09m2Organizational.910).

The company must (i) authorize connections from the information system to other information systems outside of the company through the use of interconnection security agreements or other formal agreement; (ii) document each connection, the interface characteristics, security requirements, and the nature of the information communicated; (iii) employ a deny all, permit by exception policy for allowing connections from the information system to other information systems outside of the company; and (iv) apply a default-deny rule that drops all traffic via host-based firewalls or port filtering tools on its endpoints (workstations, servers, etc.), except those services and ports that are explicitly allowed (0865.09m2Organizational.13).

The company must build a firewall configuration to restrict inbound and outbound traffic to that which is necessary for the covered data environment (0868.09m3Organizational.18).

The company must review and update the interconnection security agreements on an ongoing basis verifying enforcement of security requirements (0885.09n2Organizational.3).

The company will employ, and document in a formal agreement or other document, either (i) an allow-all, deny-by-exception policy or (ii) a deny-all, permit-by-exception policy (preferred) for allowing specific information systems to connect to external information systems (0886.09n2Organizational.4).

The company must require external/outsourced service providers to identify the specific functions, ports, and protocols used in the provision of the external/outsourced services (0887.09n2Organizational.5).

The contract with the external/outsourced service provider must include the specification that the service provider is responsible for the protection of covered information shared (0888.09n2Organizational.6).

8.5 Remote Access

All external connections shall be formally authorized and documented which will include the characteristics of each connection from an information system to other information systems outside the company (0836.09n2Organizational.1).

All transmitted information over such connections shall be secured and, at a minimum, encrypted over open, public networks (0810.01n2Organizational.5).

Remote devices establishing a non-remote connection will not be allowed to communicate with external (remote) resources (0812.01n2Organizational.8).

9 Transmission Protection (Domain 9)

9.1 Data Protection

Multiple safeguards shall be addressed before allowing the use of information systems for information exchange (0901.09s1Organizational.1).

Communication protection requirements, including the security of exchanges of information, shall include policy development and compliance audits (0914.09s1Organizational.6).

Approvals shall be obtained prior to using external public services, including instant messaging or file sharing (0926.09v1Organizational.2).

Data involved in electronic commerce and online transactions must be checked to determine if it contains covered information (0943.09y1Organizational.1).

Security will be maintained through all aspects of the transaction (0944.09y1Organizational.2).

9.2 Remote Access

Terms and conditions shall be established with any company owning, operating, and/or maintaining external information systems, allowing authorized individuals to (i) access the information system from external information systems; and (ii) process, store or transmit company-controlled information using external information systems (0911.09s1Organizational.2).

Cryptography will be used to protect the confidentiality and integrity of remote access sessions to the internal network and to external systems (0912.09s1Organizational.4).

Strong cryptography protocols will be used to safeguard covered information during transmission over less trusted/open public networks (0913.09s1Organizational.5). Stronger levels of authentication will be implemented to control access from publicly accessible networks (0927.09v1Organizational.3).

9.3 Encryption Management

Encryption shall be used to protect covered information on mobile/removable media and across communication lines based on predetermined criteria (0903.10f1Organizational.1).

Stronger controls will be implemented to protect certain electronic messages. Electronic messages shall be protected throughout the duration of their end-to-end transport path using cryptographic mechanisms unless protected by alternative measures (0928.09v1Organizational.45).

Unencrypted sensitive information shall never be sent through end-user messaging technologies such as email, instant messaging, and chat (0929.09v1Organizational.6). Protocols used to communicate between all involved parties will be secured using cryptographic techniques such as SSL/TLS (0945.09y1Organizational.3).

The company must use FIPS-validated cryptographic mechanisms during transmission to prevent unauthorized disclosure of information and detect changes to information unless otherwise protected by company-defined alternative physical measures (099.09m2Organizational.11). All data transmission is encrypted end to end using encryption keys managed by Cloudticity, in conjunction with AWS.

9.4 Electronic Signatures

Legal considerations, including requirements for electronic signatures, shall be addressed (0925.09v1Organizational.1).

Persons using electronic signatures, prior to or at the time of such use, must certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures as required (0963.10fCFRPart11Organizational.1).

Covered information shall be encrypted when stored in non-secure areas and, if not encrypted at rest, the company must document its rationale (1132.01v2System.3).

Identity verification of the individual shall be required prior to establishing, assigning, or certifying an individual's electronic signature or any element of such signature (11200.01b2Organizational.3).

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records (11210.01q2Organizational.10). Signed electronic records shall contain information associated with the signing in human-readable format (11211.01q2Organizational.11). Identification codes used in conjunction with passwords for electronic signatures shall be protected (1010.01d2System.5). Electronic signatures shall be unique to one individual and shall not be reused by, or reassigned to, anyone else (11208.01q1Organizational.8).

Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by any individual other than their genuine owners (11209.01q2Organizational.9). Electronic signatures that are not based upon biometrics shall employ at least two distinct identification components that will be administered and executed (1027.01d2System.6).

10 Password Management (Domain 10)

10.1 Password Management

Passwords shall not be displayed when entered (1002.01d1System.1). Passwords will not be included in automated log-on processes (1006.01d2System.1). User identities will be verified prior to performing password resets (1003.01d1System.3). Temporary passwords will be unique and not guessable (1009.01d2System.4).

A password list shall be maintained that identifies commonly-used, expected or compromised passwords; the list shall be updated at least every 180 days and whenever the company's passwords are suspected to have been compromised, either directly or indirectly. This list will be used to verify, when users create or update passwords, that the passwords are not found on the company-defined list of commonly-used, expected or compromised passwords. Password management shall allow users to select long passwords and passphrases, including spaces and all printable characters, and shall employ automated tools to assist the user in selecting strong passwords and authenticators (1004.01d1System.8913).

All passwords shall be transmitted only when cryptographically protected and shall be stored using an approved hash algorithm (1005.01d1System.1011). Passwords shall be encrypted during transmission and storage on all system components (1007.01d2System.2).

Password policies, applicable to mobile devices, will be documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and prohibit the changing of password/PIN lengths and authentication requirements (1022.01d1System.15). Bring Your Own Device (BYOD) and/or company-owned devices shall be configured to require an automatic lockout screen, and the requirement is enforced through technical controls (11190.01t1Organizational.3).

Cloudticity shall avoid the use of third parties or unprotected (clear text) electronic mail messages for the dissemination of passwords (1014.01d1System.12).

The company will change passwords for default system accounts, whenever there is any indication of password compromise, and at first logon following the issuance of a temporary password, and will require immediate selection of a new password upon account recovery (1031.01d1System.34510).

10.2 User Password Responsibilities

Users shall acknowledge receipt of passwords (1015.01d1System.14) and sign a statement acknowledging their responsibility to keep passwords confidential (1008.01d2System.3).

11 Access Control (Domain 11)

11.1 Access Control Management

User registration and de-registration, at a minimum, shall communicate relevant policies to users and require acknowledgement (e.g. signed or captured electronically), check authorization and minimum level of access necessary prior to granting access, ensure access is appropriate to the business and/or clinical needs (consistent with sensitivity/risk and does not violate segregation of duties requirements), address termination and transfer, ensure default accounts are removed and/or renamed, remove or block critical access rights of users who have changed roles or jobs, and automatically remove or disable inactive accounts (1109.01b1System.479).

In addition to assigning a unique ID and password, token devices (e.g., SecureID, certificates, public key), biometrics or both methods will be employed to authenticate all users (1140.01b3System.4).

Account managers will be notified when users' access rights change (e.g., termination, change in position) and modify the user's account accordingly (1108.01b1System.3).

Upon termination or changes in employment for employees, contractors, third-party users or other workforce arrangements, physical and logical access rights and associated materials such as passwords, keycards, keys, documentation that identify them as current members of the company shall be removed or modified to restrict access within 24 hours. Further, old accounts shall be closed after 90 days of opening new accounts (1135.02i1Organizational.1234).

Automated mechanisms will support the management of information system accounts, including the disabling of emergency accounts within 24 hours and temporary accounts within a fixed duration not to exceed 365 days (1113.01b3System.123).

Access rights to information assets and facilities shall be reduced or removed before the employment or other workforce arrangement terminates or changes, depending on the evaluation of risk factors (11154.02i1Organizational.5).

User registration and de-registration shall formally address establishing, activating, modifying, reviewing, disabling and removing accounts (11220.01b1System.10). User access rights will be reviewed after any changes and reallocated as necessary (1166.01e1System.12).

The company will review critical system accounts and privileged access rights every 60 days; all other accounts, including user access and changes to access authorizations, are reviewed every 90 days (1168.01e2System.2).

Acceptable use agreements shall be signed by all employees before being allowed access to information assets (1137.06e1Organizational.1).

Users will be given a written statement of their access rights, which they will be required to sign stating they understand the conditions of access. Guest/anonymous, shared/group, and emergency/temporary accounts shall specifically be authorized and their use will be monitored (1110.01b1System.5).

Contractors shall be provided with minimal system and physical access only after the company assesses the contractor's ability to comply with its security requirements and the contractor agrees to comply (1154.01c3System.4).

The company will maintain a documented list of authorized users of information assets (1167.01e2System.1).

11.2 User Verification

User identities shall be verified prior to establishing accounts (1106.01b1System.1). Help desk support shall require user identification for any transaction that has information security implications (1128.01q2System.5).

Where tokens are provided for multi-factor authentication, in-person verification shall be required prior to granting access (1127.01q2System.3). User identities will be verified in person in front of a designated registration authority with authorization by a designated company official (e.g., a supervisor or other individual defined in an applicable security plan) prior to receiving a hardware token (1112.01b2System.2).

11.3 Role-Based Security

Cloudticity shall maintain a current listing of all workforce members (individuals, contractors, vendors, business partners, etc.) with access to sensitive information (e.g. PHI and/or PII) (11219.01b1Organizational.10). Unique IDs that can be used to trace activities to the responsible individual will be required for all types of company and non-company users (1122.01q1System.1). Actions that can be performed without identification and authentication will be permitted only by exception (1133.01v2System.4).

Account types will be identified (individual, shared/group, system, application, guest/anonymous, emergency and temporary), conditions for group and role membership are established, and, if used, shared/group account credentials are modified when users are removed from the group (1139.01b1System.68). User IDs assigned to vendors shall be reviewed in accordance with the company's access review policy, at a minimum annually (1177.01j2Organizational.6).

Role-based access control will be implemented and shall be capable of mapping each user to one or more roles, and each role to one or more system functions (1145.01c2System.1). Privileges will be formally authorized and controlled, allocated to users on a need-to-use and event-by-event basis for their functional role (e.g., user or administrator), and documented for each system product/element (1143.01c1System.123).

All file system access not explicitly required shall be disabled, and only authorized users will be permitted access to only that which is expressly required for the performance of the users' job duties (1153.01c3System.35).

Access rights from an application to other applications shall be controlled (1130.01v2System.1). Access rights to applications and application functions shall be limited to the minimum necessary using menus (1129.01v1System.12). Outputs from application systems handling covered information shall be limited to the minimum necessary and sent only to authorized terminals/locations (1131.01v2System.2).

Cloudticity shall facilitate information sharing by enabling authorized users to determine a business partner's access when discretion is allowed as defined by the company and by employing manual processes or automated mechanisms to assist users in making information sharing/collaboration decisions (1149.01c2System.9).

The access control system for the system components storing, processing or transmitting covered information shall be set with a default "deny-all" setting (1150.01c2System.10).

11.4 Shared/Guest Accounts

Group, shared or generic accounts and passwords (e.g., for first-time log-on) will not be used (1111.01b2System.1). Shared/group and generic user IDs shall only be used in exceptional circumstances where there is a clear business benefit, when user functions do not need to be traced, additional accountability controls are implemented, and after approval by management (1124.01q1System.34).

Redundant user IDs will not be issued to other users, and all users shall be uniquely identified and authenticated for both local and remote access to information systems (11109.01q1Organizational.57).

Non-Cloudticity users (all information system users other than the company's users, such as patients, customers, contractors, or foreign nationals), or processes acting on behalf of non-company users, determined to need access to information residing on the company's information systems, shall be uniquely identified and authenticated (11110.01q1Organizational.6).

11.5 Privilege Account Management

Cloudticity shall limit authorization to privileged accounts on information systems to a pre-defined subset of users (1151.01c3System.1). Users who perform privileged functions (e.g., system administration) shall use separate accounts when performing those privileged functions (1123.01q1System.2). Elevated privileges will be assigned to a different user ID from the one used for normal business use, all users shall access privileged services in a single role, and such privileged access shall be minimized (1147.01c2System.456).

Replay-resistant authentication mechanisms, such as one-time passwords or time stamps, shall be implemented to secure network access for privileged accounts; and, for hardware token-based authentication, mechanisms that satisfy the minimum token requirements discussed in NIST SP 800-63-2, Electronic Authentication Guideline, shall be employed (11112.01q2Organizational.67).

Restrictions shall apply to all access to privileged functions and all security-relevant information (1148.01c2System.78). Authorization to access specific security-relevant functions (deployed in hardware, software, and firmware) and security-relevant information shall be addressed (1144.01c1System.4).

Programs that avoid the need to run with elevated privileges, and system routines that avoid the need to grant privileges to users, shall be used (1146.01c2System.23).

Default and unnecessary system accounts shall be removed, disabled, or otherwise secured such that the passwords are changed and privileges are reduced to the lowest levels of access (1107.01b1System.2). Ports, services, and similar applications installed on computer or network systems which are not specifically required for business functionality shall be disabled or removed (1194.01l2Organizational.2).

Cloudticity shall audit the execution of privileged functions on information systems and ensure information systems prevent non-privileged users from executing privileged functions (1152.01c3System.2).

Access to management functions or administrative consoles for systems hosting virtualized systems shall be restricted to personnel based upon the principle of least privilege and supported through technical controls (11180.01c3System.6).
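The role-to-function mapping with a default "deny-all" posture (section 11.3) and the separate-privileged-account and privileged-function-auditing requirements above (section 11.5), shown together in one added example. This is illustrative code, not Cloudticity's implementation; the role table, the function names, the sample users and the audit field set are constructed for the example.

```python
"""Role-based access control with default deny-all and an audit record for
every privileged function call (added example; role table, function names
and users are constructed, not Cloudticity's)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> set of system functions the role may invoke. Anything not listed
# here is denied: there is no "default allow" path anywhere below.
ROLE_FUNCTIONS = {
    "clinician": {"patient.read", "patient.update"},
    "billing": {"patient.read", "invoice.create"},
    "sysadmin": {"user.create", "user.disable", "audit.export"},
}

# Privileged functions may only be run from an account flagged as a separate
# privileged identity (e.g. "jdoe-adm"), never from the day-to-day account.
PRIVILEGED_FUNCTIONS = {"user.create", "user.disable", "audit.export"}


@dataclass
class User:
    user_id: str
    roles: set
    privileged_account: bool = False


@dataclass
class AuditRecord:
    """Fields required by the audit logging section: who, which data subject,
    what function, outcome, and when."""
    user_id: str
    data_subject_id: str
    function: str
    outcome: str  # "success" or "denied"
    reason: str
    timestamp: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


class AccessController:
    def __init__(self, role_functions, privileged_functions):
        self.role_functions = role_functions
        self.privileged = privileged_functions
        self.audit_log = []

    def permitted_functions(self, user):
        """Union of functions over the user's roles; unknown roles add nothing."""
        allowed = set()
        for role in user.roles:
            allowed |= self.role_functions.get(role, set())
        return allowed

    def authorize(self, user, function, data_subject_id):
        """Return True only if an explicit role grant exists and, for privileged
        functions, the caller is using a separate privileged account."""
        if function not in self.permitted_functions(user):
            outcome, reason = "denied", "function not mapped to any of the user's roles"
        elif function in self.privileged and not user.privileged_account:
            outcome, reason = "denied", "privileged function requires a separate privileged account"
        else:
            outcome, reason = "success", "authorized by role"
        # Every decision is recorded, so denied privileged attempts are visible too.
        self.audit_log.append(
            AuditRecord(user.user_id, data_subject_id, function, outcome, reason))
        return outcome == "success"

    def privileged_activity(self):
        """Records (successful or denied) involving privileged functions, for review."""
        return [r for r in self.audit_log if r.function in self.privileged]


def demo():
    """Constructed scenario: a clinician, the same person's admin account, and
    an ops user holding the sysadmin role on an ordinary account."""
    ctl = AccessController(ROLE_FUNCTIONS, PRIVILEGED_FUNCTIONS)
    jdoe = User("jdoe", {"clinician"})
    jdoe_adm = User("jdoe-adm", {"sysadmin"}, privileged_account=True)
    ops = User("ops", {"sysadmin"})
    results = [
        ctl.authorize(jdoe, "patient.read", "pat-001"),      # True: role grant
        ctl.authorize(jdoe, "user.disable", "acct-002"),     # False: no role grant
        ctl.authorize(ops, "user.disable", "acct-002"),      # False: not a privileged account
        ctl.authorize(jdoe_adm, "user.disable", "acct-002"), # True
        ctl.authorize(User("guest", set()), "patient.read", "pat-001"),  # False: deny-all
    ]
    return ctl, results


if __name__ == "__main__":
    controller, outcomes = demo()
    print(outcomes)
    for rec in controller.privileged_activity():
        print(rec)
```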

11.6 Network Access Security

Network equipment will be checked for unanticipated dial-up capabilities (1119.01j2Organizational.3).

Controls for the access to diagnostic and configuration ports shall include the use of a key lock and the implementation of supporting procedures to control physical access to the port (1193.01l2Organizational.13).

Where PKI-based authentication is used, it shall include validation of certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; enforce authorized access to the corresponding private key; map the identity to the corresponding account of the individual or group; and implement a local cache of revocation data to support path discovery and validation in case of an inability to access revocation information via the network (11111.01q2System.4).

11.7 Remote Access

Strong authentication methods such as multi-factor, RADIUS or Kerberos (for privileged access) and CHAP (for encryption of credentials for dial-up methods) shall be implemented for all external connections to the company's network (1116.01j1Organizational.145). Multi-factor authentication methods shall be used in accordance with the company's policy (e.g., for remote network access) (1125.01q2System.1).

All remote access shall use encryption (e.g., VPN solutions or private lines), and remote access activity on the network by employees, contractors or third parties (e.g., vendors) shall be logged (1118.01j2Organizational.124).

The company will employ multi-factor authentication for network access to privileged and non-privileged accounts, such that one of the factors is provided by a device separate from the system gaining access, and for local access to privileged accounts (including those used for non-local maintenance and diagnostic sessions) (11113.01q3Organizational.1).

Remote administration sessions shall be authorized, encrypted, and employ increased security measures (1121.01j3Organizational.2). Additionally, Cloudticity shall monitor and control remote access methods (1179.01j3Organizational.1).

Unauthorized remote connections shall be monitored and reviewed at least quarterly, and appropriate action is taken if an unauthorized connection is discovered (1120.09ab3System.9).

Remote access by vendors and business partners (e.g., for remote maintenance) shall be disabled/deactivated when not in use (1117.01j1Organizational.23). Remote access to business information across public networks will only take place after successful identification and authentication (1175.01j1Organizational.8).

Node authentication, including cryptographic techniques (e.g., machine certificates), will be used as an alternative means of authenticating groups of remote users where they are connected to a secure, shared computer facility (1178.01j2Organizational.7).

Copy (including print screen), move, print, and storage of sensitive data will be prohibited when accessed remotely without a defined business need (1134.01v3System.1).

11.8 Clear Desk/Clear Screen Policy

A time-out system (e.g., a screen saver) shall pause the session screen after 2 minutes of inactivity, close network sessions after 30 minutes of inactivity, and require the user to reestablish authenticated access once the session has been paused or closed; or, if the system cannot be modified, a limited form of time-out that clears the screen but does not close down the application or network sessions is used (11126.01t1Organizational.12, 11127.01t2Organizational.1).

Computer login banners will be displayed outlining the terms and conditions of access and must be accepted before access is granted (1138.06e2Organizational.12).

Covered or critical business information shall not be left unattended or available for unauthorized individuals to access, including on desks, printers, copiers, fax machines, and computer monitors (1114.01h1Organizational.123).

12 Audit Logging & Monitoring (Domain 12)

12.1 Audit Log Management

A secure audit record shall be created for all activities on the system (create, read, update, delete) involving covered information (1202.09aa1System.1). Audit records will include the unique user ID, unique data subject ID, function performed, and date/time the event was performed (1203.09aa1System.2).

Audit records containing the following detailed information: (i) filename accessed; (ii) program or command used to initiate the event; and (iii) source and destination addresses shall be generated (1209.09aa3System.2).

Auditing shall always be available while the system is active and shall track key events, successful/failed data access, system security configuration changes, privileged or utility use, alarms raised, activation and de-activation of protection systems (e.g., A/V and IDS), activation and de-activation of identification and authentication mechanisms, and creation and deletion of system-level objects (1206.09aa2System.23). All access to production systems must be logged.

Audit logs shall be maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes (1208.09aa3System.1).

Audit logging shall be enabled in order to audit administrator activities, and system administrator and operator logs shall be reviewed on a regular basis (1270.09ad1System.12).

Logs of messages sent and received shall be maintained including the date, time, origin and destination of the message, but not its contents (1205.09aa2System.1).

Audit records will be retained for 90 days, and older audit records archived for one year (1207.09aa2System.4). Information collected from multiple sources shall be aggregated for review (12103.09ab1Organizational.5). The initiation of an event will be separated from its authorization to reduce the possibility of collusion (1277.09c2Organizational.4).

Audit logging procedures shall specify how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required (12101.09ab1Organizational.3).

Retention for audit logs will be specified by the company and the logs retained accordingly (1239.09aa1System.4). Reports summarizing audit activities shall be retained for a period of six years.

12.2 Security Incident and Event Management

Cloudticity shall provide notice that the employee's actions may be monitored, and that the employee consents to such monitoring (1201.06e1Organizational.2).

All applicable legal requirements related to monitoring authorized access and unauthorized access attempts will be met (1212.09ab1System.1).

Cloudticity shall analyze and correlate audit records across different repositories using a security information and event management (SIEM) tool or log analytics tool for log aggregation and consolidation from multiple systems/machines/devices, and shall correlate this information with input from non-technical sources to gain and enhance company-wide situational awareness. Using the SIEM tool, the company (system administrators and security personnel) devises profiles of common events from given systems/machines/devices so that it can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts (1222.09ab3System.8).

Such automated systems shall support near real-time analysis and alerting of events (e.g., malicious code, potential intrusions) and integrate intrusion detection into access and flow control mechanisms (1218.09ab3System.47).

Additionally, the SIEM shall be deployed to monitor key events and anomalous activity, and analyze system logs, the results of which are reviewed regularly (1213.09ab2System.128). The SIEM shall support audit reduction and report generation (1215.09ab2System.7). The SIEM shall be able to automatically process audit records for events of interest based on selectable criteria (1219.09ab3System.10).

Audit records of the activities of privileged users (administrators, operators, etc.) shall include the success/failure of the event, the time the event occurred, the account involved, the processes involved, and additional information about the event (1204.09aa1System.3).

Monitoring shall include privileged operations, authorized access or unauthorized access attempts, including attempts to access deactivated accounts, and system alerts or failures (1214.09ab2System.3456).

Monitoring shall include inbound and outbound communications and file integrity monitoring (1220.09ab3System.56).

Monitoring shall identify irregularities or anomalies that are indicators of a system malfunction or compromise and help confirm the system is functioning in an optimal, resilient and secure state (12100.09ab2System.15).

Alerts shall be generated for technical personnel to analyze and investigate suspicious activity or suspected violations (1217.09ab3System.3).

The information security team shall periodically test its monitoring and detection processes, remediate deficiencies, and improve its processes (12102.09ab1Organizational.4).

Automated systems will be used to review monitoring activities of security systems (e.g., IPS/IDS) and system records on a daily basis and identify and document anomalies (1216.09ab3System.12).
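The profiling-then-deviation approach described above (build a profile of common events per system, then focus review on unusual activity, access attempts against deactivated accounts, and repeated failures), worked through in code. This is an added example, not Cloudticity's SIEM or its rules; the log line format, every log line, the set of deactivated accounts and the failed-login threshold are constructed assumptions.

```python
"""Per-host event profiling and anomaly flagging over audit log lines (added
example; log format, lines, DEACTIVATED_ACCOUNTS and thresholds are constructed)."""
import re
from collections import Counter, defaultdict

# Constructed line format:
#   <ISO time> <host> <event> user=<id> src=<ip> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Baseline window: what routine activity looked like on each host (constructed).
BASELINE_LOGS = """\
2021-08-01T08:00:01Z app01 login user=jdoe src=10.0.1.15 result=ok
2021-08-01T08:05:12Z app01 phi.read user=jdoe src=10.0.1.15 result=ok
2021-08-01T08:07:40Z app01 phi.read user=asmith src=10.0.1.22 result=ok
2021-08-01T09:00:00Z app01 login user=asmith src=10.0.1.22 result=ok
2021-08-01T09:30:00Z db01 backup.run user=svc-backup src=10.0.2.5 result=ok
2021-08-01T10:00:00Z app01 login user=jdoe src=10.0.1.15 result=fail
"""

# Review window under daily analysis (constructed).
REVIEW_LOGS = """\
2021-08-02T02:00:00Z app01 login user=jdoe src=10.0.1.15 result=fail
2021-08-02T02:00:05Z app01 login user=jdoe src=10.0.1.15 result=fail
2021-08-02T02:00:10Z app01 login user=jdoe src=10.0.1.15 result=fail
2021-08-02T08:01:00Z app01 login user=jdoe src=10.0.1.15 result=ok
2021-08-02T08:02:00Z app01 phi.read user=jdoe src=10.0.1.15 result=ok
2021-08-02T11:15:00Z app01 login user=bgone src=10.0.1.40 result=fail
2021-08-02T11:15:30Z app01 login user=bgone src=10.0.1.40 result=fail
2021-08-02T23:40:00Z db01 config.change user=svc-backup src=10.0.2.5 result=ok
2021-08-02T23:41:00Z app01 login user=asmith src=203.0.113.9 result=ok
"""

DEACTIVATED_ACCOUNTS = {"bgone"}  # assumed: accounts disabled by HR/offboarding
FAILED_LOGIN_THRESHOLD = 3        # assumed tuning value for repeated failures


def parse(text):
    """Parse lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def build_profile(records):
    """Per-host profile of routine (event, user, source /24) combinations."""
    profile = defaultdict(set)
    for r in records:
        profile[r["host"]].add((r["event"], r["user"], r["src"].rsplit(".", 1)[0]))
    return profile


def find_anomalies(records, profile):
    """Flag: any activity on a deactivated account, any (event, user, source)
    never seen in the baseline, and the Nth consecutive failed login."""
    findings = []
    failed = Counter()
    for r in records:
        key = (r["event"], r["user"], r["src"].rsplit(".", 1)[0])
        if r["user"] in DEACTIVATED_ACCOUNTS:
            findings.append(("deactivated-account-access", r))
        elif key not in profile.get(r["host"], set()):
            findings.append(("not-in-baseline", r))
        if r["event"] == "login" and r["result"] == "fail":
            failed[(r["host"], r["user"])] += 1
            if failed[(r["host"], r["user"])] == FAILED_LOGIN_THRESHOLD:
                findings.append(("repeated-failed-login", r))
    return findings


def summarize(findings):
    """Count findings by kind, the figure an analyst would look at first."""
    return Counter(kind for kind, _ in findings)


def run():
    profile = build_profile(parse(BASELINE_LOGS))
    return find_anomalies(parse(REVIEW_LOGS), profile)


if __name__ == "__main__":
    for kind, rec in run():
        print(f"{kind:28} {rec['ts']} {rec['host']} {rec['event']} user={rec['user']} src={rec['src']}")
```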

All disclosures of covered information within or outside of the company shall be logged, including type of disclosure, date/time of the event, recipient, and sender (1210.09aa3System.3). Every ninety (90) days, each recorded extract of covered information shall be erased unless its use is still required (1211.09aa3System.4).

The company will provide a rationale for why the auditable events are deemed adequate to support after-the-fact investigations of security incidents and which events require auditing on a continuous basis in response to specific situations; the listing of auditable events and supporting rationale are reviewed and updated periodically, within 365 days (1240.09aa2System.56).

The company will respond to physical security incidents and coordinate results of reviews and investigations with the company's incident response capability (1259.09ab2System.9).

12.3 Separation of Duties

Separation of duties shall be used to limit the risk of unauthorized or unintentional modification of information and systems (1229.09c1Organizational.1). Duties requiring separation shall be identified, and information system access authorizations shall be defined to support separation of duties; incompatible duties are segregated across multiple users to minimize the opportunity for misuse or fraud (1278.09c2Organizational.56).

No single person will be allowed to access, modify, or use information systems without authorization or detection (1230.09c2Organizational.1). Additionally, all security audit activities shall be independent (1276.09c2Organizational.2).

Job descriptions shall define duties and responsibilities that support the separation of duties across multiple users (1231.09c2Organizational.23).

13 Education, Training and Awareness (Domain 13)

13.1 Policy Awareness and Management

All employees shall sign acceptance/acknowledgement of their security and privacy responsibilities (1303.02e2Organizational.2).

Employees and contractors shall receive documented initial (as part of their onboarding, within sixty (60) days of hire), annual and ongoing training on their roles related to security and privacy (1301.02e1Organizational.12). Employees and contractors shall be informed in writing (e.g., when they sign rules of behavior or an acceptable use agreement) that violations of the security policies will result in sanctions or disciplinary action (1306.06e1Organizational.5). All workforce members report non-compliance with Cloudticity's policies and procedures to the Security Officer or another individual as assigned by the Security Officer. Individuals that report violations in good faith may not be subjected to intimidation, threats, coercion, discrimination, or any other retaliatory action as a consequence.

Rules shall be defined to describe user responsibilities and acceptable behavior for information system usage, including at minimum, rules for email, internet, mobile devices, social media and facility usage (1307.07c1Organizational.124).

Employees, contractors and third-party system users will be made aware of the limits that exist for their use of the company's information assets associated with the information processing facilities and resources; and they are responsible for their use of any of the information resources and any use carried out under their responsibility (1324.07c1Organizational.3).

All users shall be prohibited from installing unauthorized software, including data and software from external networks. Cloudticity will ensure users are made aware and trained on these requirements (1308.09j1Organizational.5).

13.2 Security Awareness Program

Cloudticity workforce members are provided training, education, and awareness on safeguarding the privacy and security of business information and ePHI. The security awareness program shall identify how workforce members are provided security awareness and training; identify the workforce members (including managers, senior executives, and, as appropriate, business associates/partners and contractors) who will receive security awareness and training; describe the types of security awareness and training that are reasonable and appropriate for its workforce members; describe how workforce members are provided security awareness training when there is a change in the company's information systems; and state how frequently security awareness and training is provided to all workforce members (1336.02e1Organizational.5).

Dedicated security and privacy awareness training shall be developed as part of Cloudticity's onboarding program, is documented and tracked, and includes the recognition and reporting of potential indicators of an insider threat (1302.02e2Organizational.134). All new workforce members are given HIPAA training within 30 days of beginning employment; this is included as part of the onboarding program.

An internal annual review shall be conducted to determine the effectiveness of its security and privacy education and training program (1314.02e2Organizational.5).

A documented list of each individual who completes the on-boarding process will be maintained as well as all training records for at least five (5) years (1305.02e3Organizational.23).

All senior executives shall be trained in their specific roles and responsibilities (1334.02e2Organizational.12).

All employees shall be provided with crisis management awareness and training (1311.12c2Organizational.3).

Specialized security and privacy education and training shall be provided as appropriate to employees based on their role/responsibilities within Cloudticity. At a minimum, this training will be provided to the company's business unit security POCs and system/software developers (1315.02e2Organizational.67).

Workforce members shall be trained on how covered information is stored in company-specified locations (1327.02e2Organizational.8) and on how to properly respond to perimeter security alarms (1331.02e3Organizational.4).

Training shall be provided on incident response. Contingency training shall be provided to information system users consistent with assigned roles and responsibilities within ninety (90) days of assuming an incident response role or responsibility; when required by information system changes; and within every three hundred sixty-five (365) days thereafter (1313.02e1Organizational.3).

Personnel with significant security responsibilities (e.g., system/database administrators) shall receive specialized education and training on their roles and responsibilities prior to being granted access to the company's systems and resources, when required by system changes, when entering into a new position that requires additional training, and no less than annually thereafter (1304.02e3Organizational.1).

Personnel who telework shall be trained on the risks, the controls implemented, and their responsibilities (1310.01y1Organizational.9).

Personnel using mobile computing devices shall be trained on the risks, the controls implemented, and their responsibilities, e.g., shoulder surfing, physical protections (1309.01x1System.36).

Mobile device security training on BYOD usage shall be provided, which includes providing an approved list of applications, application stores, and application extensions and plugins (1326.02e1Organizational.4).

Personnel will be appropriately trained on leading principles and practices for all types of information exchange (oral, paper and electronic) (1325.09s1Organizational.3).

Persons who develop, maintain, or use electronic record/electronic signature systems will have the proper and sufficient education, training, and experience to perform their assigned tasks (1335.02eCFRPart11Organizational.1).

14 Third-Party Assurance (Domain 14)

14.1 Third-Party Management

Cloudticity makes every effort to assure all 3rd party organizations are compliant and do not compromise the integrity, security, and privacy of Cloudticity or Cloudticity customer data. 3rd parties include customers, partners, subcontractors, and contracted developers.

Access to the company's information and systems by external parties must not be permitted until due diligence has been conducted, the appropriate controls have been implemented, and a contract/agreement reflecting the security requirements is signed acknowledging they understand and accept their obligations (1401.05i1Organizational.1239). Cloudticity regularly enters into Mutual Non-Disclosure contracts with 3rd parties. Requirements for confidentiality and non-disclosure agreements are reviewed at least annually and when changes occur that influence these requirements, such as applicable laws and regulations for the jurisdiction to which they apply.

Cloudticity shall address information security and other business considerations when acquiring systems or services; including maintaining security during transitions and continuity following a failure or disaster (1410.09e2System.23).

Cloudticity shall maintain written agreements (contracts) that include: (i) an acknowledgement that the third-party (e.g., a service provider) is responsible for the security of the data and requirements to address the associated information security risks; and (ii) requirements to address the information security risks associated with information and communications technology services (e.g., cloud computing services) and product supply chain (1429.05k1Organizational.34).

A standard business associate agreement with third-parties will be defined and includes the required security controls in accordance with the company's security policies (1406.05k1Organizational.110). Service Level Agreements (SLAs) or contracts with an agreed service arrangement shall address liability, service definitions, security controls, and other aspects of services management (1408.09e1System.1). Any changes to partner and subcontractor services and systems are reviewed before implementation, when possible.

Such agreements ensure that there is no misunderstanding between the company and the third party and satisfy the company as to the indemnity of the third party (1430.05k1Organizational.56).

A list of current service providers shall be developed, disseminated and annually reviewed/updated, in which the list includes a description of services provided (1409.09e2System.1).

A service management relationship shall be established and a process between Cloudticity and a third-party to monitor (i) security control compliance by external service providers on an ongoing basis; and (ii) network service feature and service levels to detect abnormalities and violations (1442.09f2System.456).

Network services shall be periodically audited to ensure that providers implement the required security features and meet the requirements agreed upon with management, including new and existing regulations (1413.09f2System.3).

Regular progress meetings will be conducted as required by the SLA to review reports, audit trails, security events, operational issues, failures and disruptions, and identified problems/issues are investigated and resolved accordingly (1412.09f2System.12). The results of monitoring activities of third-party services shall be compared against the Service Level Agreements (SLA) or contracts at least annually (1411.09f1System.1).

A screening process shall be conducted for contractors and third-party users; and, where contractors are provided through an organization, (i) the contract with that organization clearly specifies its responsibilities for screening and the notification procedures it needs to follow if screening has not been completed or if the results give cause for doubt or concern, and, in the same way, (ii) the agreement with the third party clearly specifies all responsibilities and notification procedures for screening (1432.05k1Organizational.89).

Personnel security requirements shall be established, including security roles and responsibilities, for third-party providers that are coordinated and aligned with internal security roles and responsibilities (1431.05k1Organizational.7).

The service provider will protect the company's data with reasonable controls (e.g., policies and procedures) designed to detect, prevent, and mitigate risk (1438.09e2System.4).

The company ensures that customers are aware of their obligations and rights, and accept the responsibilities and liabilities involved in accessing, processing, communicating, or managing the company's information and information assets (1419.05j1Organizational.12).

The identification of risks related to external party access will take into account a minimal set of specifically defined issues (1418.05i1Organizational.8).

14.2 Third-Party Remote Access

Cloudticity shall identify and mandate information security controls to specifically address supplier access to the company's information and information assets (1428.05k1Organizational.2).

Remote access connections between the company and external parties shall be encrypted (1402.05i1Organizational.45).

Access granted to external parties shall be limited to the minimum necessary and granted only for the duration required (1403.05i1Organizational.67). Cloudticity does not allow 3rd party access to production systems containing ePHI. No Cloudticity customers or partners have access outside of their own environment, meaning they cannot access, modify, or delete anything related to other 3rd parties.

14.3 Third-Party Software Development

Where software development is outsourced, formal contracts shall be in place to address the ownership and security of the code and application (1416.10l1Organizational.1).

The development process will be monitored by Cloudticity and include independent security and code reviews (1417.10l2Organizational.1).

Cloudticity shall restrict the location of facilities that process, transmit or store covered information (e.g., to those located in the United States), as needed, based on its legal, regulatory, contractual and other security and privacy-related obligations (1464.09e2Organizational.5).

15 Incident Management (Domain 15)

15.1 Client Security Issue

Clients can have security issues which are not the responsibility of Cloudticity. Even in these scenarios, Cloudticity can be helpful in the identification of the problem. In the event that a security issue is identified in the client's environment, Cloudticity will follow the process detailed in Cloudticity's Client Security Issue Process. In general, this flow consists of identifying the timing of the security issue, determining whether it is covered under the BAA with the client, and working with the client to determine the scope and severity of the issue.

15.2 Security Incident Response

A formal security incident response program shall be established to respond, report (without fear of repercussion), escalate and treat breaches and reported security events or incidents. Organization-wide standards are specified for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting includes notifying internal and external stakeholders, the appropriate community Computer Emergency Response Team, and law enforcement agencies in accordance with all legal or regulatory requirements for involving that organization in computer incidents (1505.11a1Organizational.13).

The security incident response program will prepare Cloudticity for a variety of security incidents (1516.11c1Organizational.12). The program shall include a process/mechanism to anonymously report security issues (1508.11a2Organizational.1). The program shall include an insider threat program with a cross-discipline insider threat incident handling team (1507.11a1Organizational.4). Incident response is formally managed and includes specific elements (1539.11c2Organizational.7).

The program shall include incident handling capability for security incidents that addresses (i) policy (setting corporate direction) and procedures defining roles and responsibilities; (ii) incident handling procedures (business and technical); (iii) communication; (iv) reporting and retention; and (v) references to a vulnerability management program (1561.11d2Organizational.14).

Cloudticity currently utilizes Trend Micro Deep Security (TMDS) to track file system integrity, monitor log data, detect rootkit access, provide intrusion detection and prevention, and provide anti-malware security. Additionally, the intrusion detection/information protection system (IDS/IPS) alerts will be utilized for reporting information security events (1512.11a2Organizational.8).

The security incident response program will formally define information security incidents and the phases of incident response; roles and responsibilities; incident handling, reporting and communication processes; third-party relationships and the handling of third-party breaches; and the supporting forensics program. The program shall formally assign job titles and duties for handling computer and network security incidents to specific individuals and identify management personnel who will support the incident handling process by acting in key decision-making roles (1509.11a2Organizational.236).

The program will define the purpose, scope, roles, responsibilities, management commitment, coordination among the company's entities and compliance requirements (1518.11c2Organizational.13). The incident management plan shall be reviewed and updated annually (1587.11c2Organizational.10).

The program shall establish a point of contact for reporting information security events. This person will be made known throughout the company, always available, and able to provide adequate and timely response. A list of third-party contact information (e.g., the email addresses of their information security offices), which can be used to report a security incident will be maintained (1506.11a1Organizational.2). The point of contact will be responsible for coordinating incident responses and has the authority to direct actions required in all phases of the incident response process (1517.11c1Organizational.3).

Cloudticity shall test and/or exercise its incident response capability regularly (1589.11c1Organizational.5). Testing exercises shall be planned, coordinated, executed, and documented periodically, at least annually, using reviews, analyses, and simulations to determine incident response effectiveness. Testing includes personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team (1521.11c2Organizational.56). The incident handling activities will be coordinated with any contingency planning activities (1562.11d2Organizational.2).

The information gained from the evaluation (tests) of information security incidents will be used to identify recurring or high-impact incidents and update the incident response and recovery strategy (1560.11d1Organizational.1).

Lessons learned from ongoing incident handling activities and industry developments will be incorporated into incident response procedures, training and testing exercises, and the resulting changes will be implemented accordingly (1563.11d2Organizational.3). Incidents (or a sample of incidents) identified will then be reviewed to identify necessary improvements to the security controls (1515.11a3Organizational.3).

The incident response plan shall be communicated to the appropriate individuals throughout the company (1520.11c2Organizational.4).

All employees, contractors and third-party users will receive mandatory incident response training to ensure they are aware of their responsibilities to report information security events as quickly as possible. The procedure for reporting information security events, and the point(s) of contact, including the incident response team, and the contact information is published and made readily available (1511.11a2Organizational.5).

An incident response support resource, who is an integral part of the company's incident response team, shall be available to offer advice and assistance to users of information systems for the handling and reporting of security incidents in a timely manner (1522.11c3Organizational.13).

Cloudticity shall adhere to all HITECH Act requirements for responding to a data breach (of covered information) and reporting the breach to affected individuals, media, and federal agencies (1513.11a2Organizational.9).

Reports and communications shall be made without unreasonable delay and no later than sixty (60) days after the discovery of an incident, unless otherwise stated by law enforcement orally or in writing, and shall include the necessary elements (1510.11a2Organizational.47).

For unauthorized disclosures of covered information, a log will be maintained and annually submitted to the appropriate parties (e.g., HHS) (1519.11c2Organizational.2).

Workforce members will always cooperate with federal or state investigations or disciplinary proceedings (1524.11a1Organizational.5). Incidents shall be promptly reported to the appropriate authorities and outside parties (e.g., FedCIRC, CERT/CC) (1523.11c3Organizational.24).

15.3 Employee Incidents and Sanctions

Management shall approve the use of information assets and will take appropriate action when unauthorized activity occurs (1504.06e1Organizational.34).

Sanctions shall be fairly applied to employees following violations of the information security policies once a breach is verified. Cloudticity shall document personnel involved in incidents, steps taken, timeline associated with those steps, steps taken for notification, the rationale for discipline, and the final outcome for each incident (1501.02f1Organizational.123).

A list of employees involved in such security incidents will be maintained with the resulting outcome from the investigation (1502.02f1Organizational.4).

A contact in HR shall be appointed to handle employee security incidents and notify the CISO or a designated representative of the application of a formal employee sanctions process, identifying the individual and the reason for the sanction (1503.02f2Organizational.12).

Cloudticity will take disciplinary action against workforce members who fail to cooperate with federal and state investigations (1525.11a1Organizational.6).

The sanctions program will ensure individuals are held accountable and responsible for actions initiated under their electronic signatures, to help deter record and signature falsification (1581.02f1Organizational.7).

16 Business Continuity & Disaster Recovery (Domain 16)

16.1 Business Continuity

The business contingency program shall address required capacity, identify critical missions and business functions, define recovery objectives and priorities, and identify roles and responsibilities (1602.12c1Organizational.4567, 1634.12b1Organizational.1).

The business continuity program will be (i) based on identifying events (or sequences of events) that can cause interruptions to the company's critical business processes (e.g., equipment failure, human error, theft, fire, natural disasters, acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and (iv) once this strategy has been created, endorsement is provided by management, and a plan is created and endorsed to implement this strategy (1635.12b1Organizational.2).

The business continuity planning framework shall address a specific, minimal set of information security requirements (1669.12d1Organizational.8).

Business continuity planning will include identification and agreement on all responsibilities, business continuity processes, and the acceptable loss of information and services (1607.12c2Organizational.4).

The program shall include a minimum of one (1) business continuity plan and ensure each plan (i) has an owner; (ii) describes the approach for continuity, ensuring at a minimum the approach to maintain information or information asset availability and security; and (iii) specifies the escalation plan and the conditions for its activation, as well as the individuals responsible for executing each component of the plan (1666.12d1Organizational.1235).

Emergency procedures, manual "fallback" procedures, and resumption plans shall be the responsibility of the owner of the business resources or processes involved; and fallback arrangements for alternative technical services, such as information processing and communications facilities, are the responsibility of the service providers (1668.12d1Organizational.67).

Copies of the business continuity plans will be distributed to key contingency personnel (1603.12c1Organizational.9) and shall be stored in a remote location (1608.12c2Organizational.5).

When new requirements are identified, any existing emergency procedures (e.g., evacuation plans or fallback arrangements) will be amended as appropriate (1667.12d1Organizational.4).

16.2 Disaster Recovery

Cloudticity will recover and restore business operations and re-establish the availability of information within the time frame required by the business objectives and without any deterioration of the security measures (1601.12c1Organizational.1238).

The level of backup required for each system shall be formally defined and documented, including how each system will be restored, the scope of data to be imaged, the frequency of imaging, and the duration of retention, based on relevant contractual, legal, regulatory and business requirements (1617.09l1Organizational.23).

Alternative storage and processing sites shall be identified (permanent and/or temporary) at a sufficient distance from the primary facility and configured with security measures equivalent to the primary site. The necessary third-party service agreements shall be established to allow for the resumption of information systems operations for critical business functions within the defined time period (e.g., priority-of-service provisions), based on a risk assessment that includes Recovery Time Objectives (RTO), in accordance with the company's availability requirements (1604.12c2Organizational.16789).

Emergency power and backup telecommunications will be available at the main site (1605.12c2Organizational.2). Alternate telecommunications services shall be sufficiently separated from the primary service provider and shall be established with priority-of-service provisions (1609.12c3Organizational.12).

When the backup service is delivered by a third party, the Service Level Agreement (SLA) or contract shall include the detailed protections required to control the confidentiality, integrity and availability of the backup information (1620.09l1Organizational.8).

Backup copies of information and software will be made, and tests of the media and restoration procedures are regularly performed at appropriate intervals (1616.09l1Organizational.16). Automated tools will be used to track all backups (1621.09l2Organizational.1). A current, retrievable copy of covered information will be made available before movement of servers (1626.09l3Organizational.5).

Three (3) generations of backups (full plus all related incremental or differential backups) shall be stored off-site, and both on-site and off-site backups are logged with name, date, time and action (1625.09l3Organizational.34). Incremental or differential backups will take place daily and full backups will take place weekly; separate media will be used for each job (1624.09l3Organizational.12). Cloudticity shall test backup information following each backup to verify media reliability and information integrity, and at least annually thereafter (1627.09l3Organizational.6).

The backups shall be stored in a physically secure remote location, at a sufficient distance to make them reasonably immune to damage affecting the data at the primary site, and reasonable physical and environmental controls shall be in place to ensure their protection at the remote location (1618.09l1Organizational.45). Covered information shall be backed up in an encrypted format to ensure confidentiality (1623.09l2Organizational.4).

Inventory records for the backup copies, including content and current location, will be maintained (1619.09l1Organizational.7). The integrity and security of the backup copies will be maintained to ensure future availability, and any potential accessibility problems with the backup copies are identified and mitigated in the event of an area-wide disaster (1622.09l2Organizational.23).

Workforce member roles and responsibilities in the data backup process will be identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of the company's and/or client data on their devices (1699.09l1Organizational.10).

17 Risk Management (Domain 17)

17.1 Risk Management Program

Cloudticity shall perform risk assessments in a consistent way and at planned intervals, or when there are major changes to the company's environment, and shall review the risk assessment results annually (1704.03b1Organizational.12).

Cloudticity shall update the results of a formal, comprehensive risk assessment every two (2) years, or whenever there is a significant change to the information system or operational environment; assess a subset of the security controls within every three hundred sixty-five (365) days during continuous monitoring; and review the risk assessment results annually (1705.03b2Organizational.12).

Risk assessments shall include the evaluation of multiple factors that may impact security as well as the likelihood and impact from a loss of confidentiality, integrity and availability of information and systems (1706.03b1Organizational.3).

Cloudticity will use a formal methodology with defined criteria for determining risk treatments and for ensuring that corrective action plans for the security program and the company's associated information systems are prioritized and maintained; the remedial information security actions necessary to mitigate risk to the company's operations and assets, individuals, and other organizations shall be documented (1707.03c1Organizational.12).

Risk assessments will be re-evaluated at least annually, or when there are significant changes in the environment (1733.03d1Organizational.1). Risk assessments will be conducted whenever there is a significant change in the environment, or a change that could have a significant impact, and the results of the assessments are included in the change management process so they may guide the decisions within the change management process (e.g., approvals for changes) (1735.03d2Organizational.23).

Risk assessments will be updated before issuing a new formal authorization to operate or within every three (3) years, whichever comes first, or when conditions occur that may impact the security or authorization state of the system (1736.03d2Organizational.4).

The risk management process shall be integrated with the change management process within the company (1734.03d2Organizational.1). The privacy, security and risk management program(s) shall be updated to reflect changes in risks (1737.03d2Organizational.5). Any harmful effect that is known to the covered entity of a use or disclosure of PHI by the covered entity or its business associates, in violation of its policies and procedures shall be mitigated (1713.03c1Organizational.3).

17.2 Security Controls

Cloudticity will implement an integrated control system characterized using different control types (e.g., layered, preventative, detective, corrective, and compensating) that mitigates identified risks (17126.03c1System.6).

Cloudticity shall formally address the purpose, scope, roles, responsibilities, management commitment, coordination among the company's entities, and compliance with system and information integrity requirements and facilitate the implementation of system and information integrity requirements/controls (1780.10a1Organizational.1).

Information system specifications for security control requirements shall state that security controls are to be incorporated in the information system, supplemented by manual controls as needed, and these considerations are also applied when evaluating software packages, developed or purchased (1781.10a1Organizational.23).

Security requirements and controls shall reflect the business value of the information assets involved, and the potential business damage that might result from a failure or absence of security (1782.10a1Organizational.4).

Business requirements will be included for the availability of information systems when specifying the security requirements; and, where availability cannot be guaranteed using existing architectures, redundant components or architectures are considered along with the risks associated with implementing such redundancies (1790.10a2Organizational.45).

The requirement definition phase will include (i) consideration of system requirements for information security and the processes for implementing security; and (ii) data classification and risk to information assets that are assigned and approved (signed-off) by management to ensure appropriate controls are considered and the correct project team members are involved (1793.10a2Organizational.91011).

Where additional functionality is supplied and causes a security risk, the functionality shall be disabled or mitigated through application of additional controls (1785.10a1Organizational.8).

17.3 Vendor and Procurement

A formal acquisition process shall be followed for purchased commercial products and supplier contracts, and the process will include the identified security requirements (1783.10a1Organizational.56).

Where the security functionality in a proposed product does not satisfy the specified requirement, the risk introduced and the associated controls shall be reconsidered prior to purchasing the product (1784.10a1Organizational.7).

Commercial products other than operating system software used to store and/or process covered information shall undergo a security assessment and/or security certification by a qualified assessor prior to implementation (1796.10a2Organizational.15).

Specific security-related requirements in information system acquisition contracts shall be based on applicable laws, policies, standards, guidelines and business needs (17100.10a3Organizational.5).

All existing outsourced information services will be documented and an assessment shall be conducted regarding risk prior to the acquisition or outsourcing of information services (17120.10a3Organizational.5).

17.4 Enterprise Architecture

An enterprise architecture program shall be developed with consideration for information security and the resulting risk to the company's operations, assets, and individuals, as well as to other organizations (1797.10a3Organizational.1). Such a program includes the information security architecture for the information system (1798.10a3Organizational.2).

Cloudticity shall review and update (as necessary) the information security architecture whenever changes are made to the enterprise architecture and ensure that planned information security architecture changes are reflected in the security plan and the company's procurements and acquisitions (1799.10a3Organizational.34).

17.5 Project Management

Information security and privacy shall be addressed in all phases of the project management methodology (1787.10a2Organizational.1).

17.6 Software Development Lifecycle

Cloudticity will require developers of information systems and components, and developers or providers of services, to identify (document) early in the system development life cycle the functions, ports, protocols, and services intended for the company's use (1786.10a1Organizational.9), and will require the developer of the information system, system component, or information system service to provide specific control design and implementation information (17101.10a3Organizational.6).

The SDLC will establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development life cycle (1788.10a2Organizational.2).

The SDLC shall apply information system security engineering principles in the specification, design, development, implementation, and modification of security requirements and controls in developed and acquired information systems (1789.10a2Organizational.3).

Specifications for the security control requirements shall state that automated controls will be incorporated in the information system, supplemented by manual controls as needed, as evidenced throughout the SDLC (1791.10a2Organizational.6).

Information security risk management shall be integrated into the SDLC, and information security roles and responsibilities are defined for all SDLC phases (1792.10a2Organizational.7814).

When developing software or systems, thorough testing and verification shall be conducted during the development process (1794.10a2Organizational.12).

Independent acceptance testing proportional to the importance and nature of the system will be performed both for in-house and for outsourced development to ensure the system works as expected and only as expected (1795.10a2Organizational.13).

18 Physical & Environmental Security (Domain 18)

18.1 Physical Security

The company will formally address the purpose, scope, roles, responsibilities, management commitment, coordination among the company's entities and compliance requirements for its physical and environmental protection and equipment maintenance programs; e.g., through policy, standards, guidelines, and procedures (1863.08d1Organizational.4, 18108.08j1Organizational.1).

Access to network equipment will be physically protected (1892.01l1Organizational.1).

Visitor and third-party support access shall be recorded and supervised unless previously approved (1801.08b1Organizational.124).

Combinations and keys for company-defined high-risk entry/exit points will be changed when lost or stolen or combinations are compromised (1811.08b3Organizational.3).

Areas where sensitive information (e.g., covered information, payment card data) is stored or processed shall be controlled and restricted to authorized individuals only (1802.08b1Organizational.3).

Maintenance and service shall be controlled and conducted by authorized personnel in accordance with supplier-recommended intervals, insurance policies and the company's maintenance program, taking into account whether this maintenance is performed by personnel on site or external to the company (1819.08j1Organizational.23).

Cloudticity shall develop, approve and maintain a list of individuals with authorized access to the facility where the information system resides; issue authorization credentials for facility access; review the access list and authorization credentials periodically, but no less than quarterly; and remove individuals from the facility access list when access is no longer required (1844.08b1Organizational.6).

For each facility where the information system resides, Cloudticity shall enforce physical access authorizations at defined entry/exit points to the facility, maintain physical access audit logs, and provide the security safeguards that the company determines necessary for areas officially designated as publicly accessible (1845.08b1Organizational.7).

A visitor log containing appropriate information shall be reviewed monthly and maintained for at least two years (1804.08b2Organizational.12).

Physical authentication controls shall be used to authorize and validate access (1805.08b2Organizational.3).

An audit trail of all physical access will be maintained (1806.08b2Organizational.4).

Visible identification that clearly identifies the individual will be required to be worn by employees, visitors, contractors and third parties (1807.08b2Organizational.56).

Physical access rights will be reviewed every ninety (90) days and updated accordingly (1808.08b2Organizational.7).

Any security threats presented by neighboring premises shall be identified (1816.08d2Organizational.4).

Visitors shall only be granted access for specific and authorized purposes and issued with instructions on the security requirements of the area and on emergency procedures (1846.08b2Organizational.8).

Cloudticity will ensure onsite personnel and visitor identification (e.g., badges) are revoked, updated when access requirements change, or terminated when expired or when access is no longer authorized, and all physical access mechanisms, such as keys, access cards and combinations, are returned, disabled or changed (1847.08b2Organizational.910).

A restricted area, security room, or locked room will be used to control access to areas containing covered information and is controlled accordingly (1848.08b2Organizational.11).

Doors to internal secure areas shall lock automatically, include a door delay alarm, and shall be equipped with electronic locks (1809.08b3Organizational.1).

Inventories of physical access devices will be performed every ninety (90) days (1810.08b3Organizational.2).

Cloudticity shall actively monitor unoccupied areas at all times and sensitive and/or restricted areas in real time as appropriate for the area (1813.08b3Organizational.56).

Cloudticity will regularly test alarms to ensure proper operation (18145.08b3Organizational.7).

Cloudticity will maintain an electronic log of alarm system events and regularly review the logs, no less than monthly (18146.08b3Organizational.8).

Intrusion detection systems (e.g., alarms and surveillance equipment) will be installed on all external doors and accessible windows, the systems are monitored, and incidents/alarms will be investigated (1812.08b3Organizational.46).

18.2 Environmental Security

Repairs or modifications to the physical components of a facility which are related to security (e.g., hardware, walls, doors and locks) shall be documented and retained in accordance with the company's retention policy (1803.08b1Organizational.5).

Fire extinguishers and detectors shall be installed according to applicable laws and regulations (1814.08d1Organizational.12). Fire prevention and suppression mechanisms, including workforce training, will be provided (1815.08d2Organizational.123). Fire suppression and detection systems shall be supported by an independent energy source (1818.08d3Organizational.3). Fire authorities are automatically notified when a fire alarm is activated (1862.08d3Organizational.3).

The company will maintain a list of authorized maintenance companies or personnel, ensure that non-escorted personnel performing maintenance on the information system have the required access authorizations, and designate company personnel with the required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations (18109.08j1Organizational.4).

The company will monitor and control nonlocal maintenance and diagnostic activities; and prohibit nonlocal system maintenance unless explicitly authorized, in writing, by the CTO or his/her designated representative (18110.08j1Organizational.5).

The company must obtain maintenance support and/or spare parts for defined key information system components (defined in the applicable security plan) within the applicable Recovery Time Objective (RTO) specified in the contingency plan (18111.08j1Organizational.6).

The company will document the requirements (e.g., policies and procedures) for the establishment and use of nonlocal maintenance and diagnostic connections in the security plan for the information system (18112.08j3Organizational.4).

Covered information shall be cleared from equipment prior to maintenance unless explicitly authorized (1820.08j2Organizational.1). Following maintenance, security controls shall be checked and verified (1821.08j2Organizational.3). Records of maintenance will be maintained (1822.08j2Organizational.2).

Water detection mechanisms shall be in place with master shutoff or isolation valves accessible, working and known (1817.08d3Organizational.12).

Tools for maintenance shall be approved, controlled, monitored and periodically checked (1823.08j3Organizational.12).

18.3 Media Destruction

Cloudticity will securely dispose of sensitive information. Electronic and physical media containing covered information shall be securely sanitized prior to reuse or, if they cannot be sanitized, destroyed prior to disposal (1825.08l1Organizational.12456, 1826.09p1Organizational.1).

Surplus equipment shall be stored securely while not in use and disposed of or sanitized when no longer required (18127.08l1Organizational.3).

The risk of information leakage to unauthorized persons during secure media disposal shall be minimized. If collection and disposal services offered by other companies are used, care is taken in selecting a suitable contractor with adequate controls and experience (18130.09p1Organizational.24).

Disposal methods shall be commensurate with the sensitivity of the information contained on the media (18131.09p1Organizational.3).

Cloudticity shall take measures to minimize the aggregation effect, which may cause a large quantity of non-covered information to become covered through accumulation of media for disposal (1827.09p2Organizational.1).

Media containing diagnostic and test programs shall be checked for malicious code prior to use (1824.08j3Organizational.3).

19 Data Protection & Privacy (Domain 19)

19.1 Data Protection

The confidentiality and integrity of covered information at rest shall be protected using an encryption method appropriate to the medium where it is stored; where Cloudticity chooses not to encrypt covered information, a documented rationale for not doing so shall be maintained (1903.06d1Organizational.3456711). All production data at rest is stored on encrypted volumes using encryption keys managed by Cloudticity, in conjunction with AWS.

Covered information shall only be retained for as long as it is required (1904.06d2Organizational.1), storage of such information shall be kept to a minimum (19242.06d1Organizational.14), and the locations where such information may be stored shall be controlled (19243.06d1Organizational.15). Technical means to ensure covered information is stored only in such company-specified locations will be deployed (19245.06d2Organizational.2).

Specific controls for record storage, access, retention, and destruction shall be implemented (19145.06c2Organizational.2). Guidelines will be issued to all business units on the ownership, classification, retention, storage, handling and disposal of ALL records and information (19142.06c1Organizational.8). Designated senior management within Cloudticity will review and approve the security categorizations and associated guidelines (19143.06c1Organizational.9).

Records with sensitive personal information shall be protected during transfer to organizations lawfully collecting such information (1911.06d1Organizational.13).

The public will have access to information about the company's security and privacy activities and is able to communicate with its senior security official and senior privacy official (19134.05j1Organizational.5).

19.2 Privacy Management

Cloudticity shall formally appoint a data protection officer (Privacy Officer) responsible for the privacy of covered information (1901.06d1Organizational.1). The Privacy Officer [HIPAA - 164.308(a)(2)] is responsible for assisting with compliance and security training for workforce members, assuring the organization remains in compliance with evolving compliance rules, and helping the Security Officer in his responsibilities.

When required, consent shall be obtained before any protected information (e.g., about a patient) is emailed, faxed, or communicated by telephone conversation, or otherwise disclosed to parties external to the company (1902.06d1Organizational.2).

Cloudticity shall document compliance with the notice requirements by retaining copies of the notices issued by the covered entity for a period of six (6) years and, if applicable, any written acknowledgements of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgement (1906.06.c1Organizational.2).

Cloudticity shall document and maintain accountings of disclosure as the company's records for a period of six (6) years, including the information required for disclosure, the written accounting provided to the individual, and the titles of the persons or offices responsible for receiving and processing requests for an accounting (1909.06.c1Organizational.5).

19.3 Records Management

A formal records document retention program shall be established (19144.06c2Organizational.1). Under this program, PHI shall be safeguarded for a period of fifty (50) years following the death of the individual (1905.06.c1Organizational.6).

Cloudticity shall document restrictions in writing and formally maintain such writing, or an electronic copy of such writing, as the company's record for a period of six (6) years (1907.06.c1Organizational.3).

Cloudticity shall document and maintain the designated record sets that are subject to access by individuals and the titles of the persons or office responsible for receiving and processing requests for access by individuals as the company's records for a period of six (6) years (1908.06.c1Organizational.4).

Cloudticity's formal policies and procedures, other critical records and disclosures of individuals' protected health information made will be retained for a minimum of six (6) years; and, for electronic health records, the company retains records of disclosures to carry out treatment, payment and health care operations for a minimum of three (3) years (19140.06c1Organizational.1).

Important records, such as contracts, personnel records, financial information, patient records, etc., of the company shall be protected from loss, destruction and falsification through the implementation of security controls such as access controls, encryption, backups, electronic signatures, locked facilities or containers, etc. (19141.06c1Organizational.7).

Review Frequency

Periodic reviews of the policies shall be done at least annually and in response to any changes affecting the basis of the risk assessment, e.g., significant security incidents, new vulnerabilities, or changes to the company's organizational or technical infrastructure.

HITRUST Requirements

Intra-Domain No. Page No. Domain Unique ID Requirement
1 6 01 Information Protection Program 0101.00a1Organizational.123 The company has a formal information protection program based on an accepted industry framework that is reviewed and updated as needed.
2 6 01 Information Protection Program 0102.00a2Organizational.123 The information protection program is formally documented and actively monitored, reviewed and updated to ensure program objectives continue to be met.
3 6 01 Information Protection Program 0103.00a3Organizational.1234567 Independent audits are conducted at least annually to determine whether the information protection program is approved by executive management, communicated to stakeholders, adequately resourced, conforms to relevant legislation or regulations and other business requirements, and adjusted as needed to ensure the program continues to meet defined objectives.
4 7 01 Information Protection Program 0104.02a1Organizational.12 User security roles and responsibilities are clearly defined and communicated.
5 7 01 Information Protection Program 0105.02a2Organizational.1 Risk designations are assigned for all positions within the company as appropriate, with commensurate screening criteria, and reviewed/revised every three hundred and sixty-five (365) days.
6 7 01 Information Protection Program 0106.02a2Organizational.23 The pre-employment process is reviewed by recruitment to ensure security roles/responsibilities are specifically defined (in writing) and clearly communicated to job candidates.
7 7 01 Information Protection Program 0107.02d1Organizational.1 The company has an information security workforce improvement program.
8 7 01 Information Protection Program 0108.02d1Organizational.23 The company ensures plans for security testing, training and monitoring activities are developed, implemented, maintained and reviewed for consistency with the risk management strategy and response priorities.
9 7 01 Information Protection Program 0109.02d1Organizational.4 Management ensures users are briefed on their security role(s)/responsibilities, conform with the terms and conditions of employment prior to obtaining access to the company's information systems; are provided with guidelines regarding the security expectations of their roles; are motivated to comply with security policies; and continue to have the appropriate skills and qualifications for their role(s).
10 7 01 Information Protection Program 0110.02d2Organizational.1 An individual or dedicated team is assigned to manage the information security of the company's users.
11 8 01 Information Protection Program 0111.02d2Organizational.2 Non-employees are provided the company's data privacy and security policy requirements prior to accessing system resources and data.
12 7 01 Information Protection Program 01110.05a1Organizational.5 If the senior-level information security official is employed by the company, one of its affiliates, or a third-party service, the company retains responsibility for its cybersecurity program, designate a senior member of the company responsible for direction and oversight, and require the third-party service to maintain an appropriate cybersecurity program of its own.
13 8 01 Information Protection Program 0112.02d2Organizational.3 Acceptable usage is defined and usage is explicitly authorized.
14 6 01 Information Protection Program 0113.04a1Organizational.123 Information security objectives, approach, scope, importance, goals and principles for the company's security program are formally identified, communicated throughout the company to users in a form that is relevant, accessible and understandable to the intended reader, and supported by a controls framework that considers legislative, regulatory, contractual requirements and other policy-related requirements.
15 7 01 Information Protection Program 0114.04b1Organizational.1 The security policies are regularly reviewed and updated to ensure they reflect leading practices (e.g., for systems and services development and acquisition), and communicated throughout the company.
16 7 01 Information Protection Program 0117.05a1Organizational.1 A senior-level information security official is appointed and is responsible for ensuring security processes are in place, communicated to all stakeholders, and consider and address the company's requirements.
17 7 01 Information Protection Program 0118.05a1Organizational.2 Senior management assigns an individual or group to ensure the effectiveness of the information protection program through program oversight, establish and communicate the company's priorities for the company's mission, objectives, and activities, review and update of the company's security plan, ensure compliance with the security plan by the workforce, and to evaluate and accept security risks on behalf of the company.
18 7 01 Information Protection Program 0119.05a1Organizational.3 Security contacts are appointed by name for each major the company's area or business unit.
19 6 01 Information Protection Program 0120.05a1Organizational.4 Capital planning and investment requests include the resources needed to implement the security program, employ a business case (or Exhibit 300 and/or 53 for federal government), and the company ensures the resources are available for expenditure as planned.
20 8 01 Information Protection Program 0135.02f1Organizational.56 The company employs a formal sanctions process for personnel failing to comply with established information security policies and procedures and notifies defined personnel (e.g., supervisors) within a defined time frame (e.g., twenty-four (24) hours) when a formal sanction process is initiated, identifying the individual sanctioned and the reason for the sanction. Further, the company includes specific procedures for license, registration, and certification denial or revocation and other disciplinary action.
21 7 01 Information Protection Program 0137.02a1Organizational.3 The company formally addresses the purpose, scope, roles, responsibilities, management commitment, coordination among the company's entities and compliance requirements for its human resources security protection program (e.g., through policy, standards, guidelines, and procedures).
22 8 01 Information Protection Program 0162.04b1Organizational.2 The company ensures individuals may make complaints concerning the information security policies, procedures, or the company's compliance with its policies and procedures; documents the complaints and requests for changes, and records their disposition, if applicable.
23 6 01 Information Protection Program 0177.05h1Organizational.12 An independent review of the company's information security management program is initiated by management to ensure the continuing suitability, adequacy, and effectiveness of the company's approach to managing information security.
24 6 01 Information Protection Program 0178.05h1Organizational.3 The results of independent security program reviews are recorded and reported to the management official/office initiating the review; and the results are maintained for a predetermined period of time as determined by the company, but not less than three (3) years.
25 6 01 Information Protection Program 0179.05h1Organizational.4 If an independent review identifies that the company's approach and implementation to managing information security is inadequate or not compliant with the direction for information security stated in the information security policy document, management takes corrective actions.
26 8 01 Information Protection Program 0197.02d2Organizational.4 Management identifies mobile computing requirements specific to BYOD usage including identifying approved applications, eligibility requirements, privacy expectations, data wipe, and usage.
1 8 02 Endpoint Protection 0201.09j1Organizational.124 Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software are addressed via a network-based malware detection (NBMD) solution.
2 8 02 Endpoint Protection 0202.09j1Organizational.3 Audit logs of the scans are maintained.
3 8 02 Endpoint Protection 0204.09j2Organizational.1 Scans for malicious software are performed on boot and every twelve (12) hours.
4 8 02 Endpoint Protection 0205.09j2Organizational.2 Malicious code that is identified is blocked, quarantined, and an alert is sent to the administrators.
5 8 02 Endpoint Protection 0206.09j2Organizational.34 Anti-malware is centrally managed and cannot be disabled by the users.
6 8 02 Endpoint Protection 0207.09j2Organizational.56 Centrally managed, up-to-date anti-spam and anti-malware protection is implemented at information system entry/exit points for the network and on all devices.
7 8 02 Endpoint Protection 0208.09j2Organizational.7 User functionality (including user interface services [e.g., Web services]) is separated from information system management (e.g., database management systems) functionality.
8 8 02 Endpoint Protection 0209.09m3Organizational.7 File sharing is disabled on wireless enabled devices.
9 8 02 Endpoint Protection 0214.09j1Organizational.6 Protection against malicious code is based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.
10 8 02 Endpoint Protection 0215.09j2Organizational.8 The company addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
11 8 02 Endpoint Protection 0216.09j2Organizational.9 For systems considered not commonly affected by malicious software, the company performs periodic assessments to identify and evaluate evolving malware threats to confirm whether such systems continue to not require anti-virus software.
12 8 02 Endpoint Protection 0217.09j2Organizational.10 The company configures malicious code and spam protection mechanisms to perform periodic scans of the information system according to company guidelines and real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with the company's security policy; and block malicious code, quarantine malicious code, or send an alert to the administrator in response to malicious code detection.
13 8 02 Endpoint Protection 0219.09j2Organizational.12 The information system implements safeguards to protect its memory from unauthorized code execution.
14 8 02 Endpoint Protection 0225.09k1Organizational.1 Automated controls (e.g., browser settings) are in place to authorize and restrict the use of mobile code (e.g., Java, JavaScript, ActiveX, PDF, postscript, Shockwave movies, and Flash animations).
15 9 02 Endpoint Protection 0226.09k1Organizational.2 The company has implemented and regularly updates mobile code protection, including anti-virus and anti-spyware.
16 9 02 Endpoint Protection 0227.09k2Organizational.12 The company takes specific actions to protect against mobile code performing unauthorized actions.
17 8 02 Endpoint Protection 0228.09k2Organizational.3 Rules for the migration of software from development to operational status are defined and documented by the company hosting the affected application(s), including that development, test, and operational systems must be separated (physically or virtually) to reduce the risks of unauthorized access or changes to the operational system.
1 9 03 Portable Media Security 0301.09o1Organizational.123 The company, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media be used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized.
2 9 03 Portable Media Security 0302.09o2Organizational.1 The company protects and controls media containing sensitive information during transport outside of controlled areas.
3 9 03 Portable Media Security 0303.09o2Organizational.2 Digital and non-digital media requiring restricted use and the specific safeguards used to restrict their use are identified.
4 9 03 Portable Media Security 0304.09o3Organizational.1 The company restricts the use of writable removable media and personally-owned removable media in the company's systems.
5 9 03 Portable Media Security 0305.09q1Organizational.12 Media is labeled, encrypted, and handled according to its classification.
6 9 03 Portable Media Security 0306.09q1Organizational.3 The status and location of unencrypted covered information is maintained and monitored.
7 9 03 Portable Media Security 0307.09q2Organizational.12 Data transfers outside of controlled areas are approved and records of the transfers maintained.
1 9 04 Mobile Device Security 0401.01x1System.124579 Mobile computing devices are protected at all times by access controls, usage restrictions, connection requirements, encryption, virus protections, host-based firewalls or equivalent functionality, secure configurations, and physical protections.
2 9 04 Mobile Device Security 0403.01x1System.8 The company monitors for unauthorized connections of mobile devices.
3 10 04 Mobile Device Security 0405.01y1Organizational.12345678 Teleworking activities are only authorized if security arrangements and controls that comply with relevant security policies and the company's requirements are in place.
4 9 04 Mobile Device Security 0410.01x1System.12 If it is determined that encryption is not reasonable and appropriate, the company documents its rationale and acceptance of risk.
5 10 04 Mobile Device Security 0415.01y1Organizational.10 Suitable protections of the teleworking site are in place to protect against the theft of equipment and information, the unauthorized disclosure of information, and unauthorized remote access to the company's internal systems or misuse of facilities.
6 9 04 Mobile Device Security 0425.01x1System.13 A documented list of approved application stores has been defined as acceptable for mobile devices accessing or storing entity (client) or cloud service provider-managed client data, and the use of unapproved application stores is prohibited for company-owned and BYOD mobile devices. Non-approved applications or approved applications not obtained through approved application stores are prohibited.
7 9 04 Mobile Device Security 0429.01x1System.14 The company prohibits the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting).
1 10 05 Wireless Security 0504.09m2Organizational.5 Firewalls are configured to deny or control any traffic from a wireless environment into the covered data environment.
2 10 05 Wireless Security 0505.09m2Organizational.3 Quarterly scans are performed to identify unauthorized wireless access points, and appropriate action is taken if any unauthorized access points are discovered.
1 10 06 Configuration Management 0601.06g1Organizational.124 Annual compliance reviews are conducted by security or audit individuals using manual or automated tools; if non-compliance is found, appropriate action is taken.
2 10 06 Configuration Management 0602.06g1Organizational.3 The results and recommendations of the reviews are documented and approved by management.
3 10 06 Configuration Management 0603.06g2Organizational.1 Automated compliance tools are used when possible.
4 10 06 Configuration Management 0604.06g2Organizational.2 The company has developed a continuous monitoring strategy and implemented a continuous monitoring program.
5 11 06 Configuration Management 0605.10h1System.12 Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release.
6 11 06 Configuration Management 0606.10h2System.1 Applications and operating systems are tested for usability, security and impact prior to production.
7 12 06 Configuration Management 0607.10h2System.23 The company uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation.
8 10 06 Configuration Management 0613.06h1Organizational.12 The company performs annual checks on the technical security configuration of systems, either manually by an individual with experience with the systems and/or with the assistance of automated software tools, and takes appropriate action if non-compliance is found.
9 10 06 Configuration Management 0614.06h2Organizational.12 Technical compliance checks are performed by an experienced specialist with the assistance of industry standard automated tools, which generate a technical report for subsequent interpretation. These checks are performed annually, but more frequently where needed, based on risk as part of an official risk assessment process.
10 10 06 Configuration Management 0615.06h2Organizational.3 Technical compliance checks are used to help support technical interoperability.
11 10 06 Configuration Management 0618.09b1System.1 Changes to information assets, including systems, networks and network services, are controlled and archived.
12 11 06 Configuration Management 0619.09b2System.12 Changes to equipment, software and procedures are strictly and consistently managed.
13 11 06 Configuration Management 0620.09b2System.3 Fallback procedures are defined and implemented, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events.
14 12 06 Configuration Management 0626.10h1System.3 Operational systems only hold approved programs or executable code.
15 12 06 Configuration Management 0627.10h1System.45 The company maintains information systems according to a current baseline configuration and configures system security parameters to prevent misuse. Vendor supplied software used in operational systems is maintained at a level supported by the supplier, and uses the latest version of Web browsers on operational systems to take advantage of the latest security functions in the application.
16 12 06 Configuration Management 0628.10h1System.6 If systems or system components in production are no longer supported by the developer, vendor, or manufacturer, the company must show evidence of a formal migration plan approved by management to replace the system or system components.
17 12 06 Configuration Management 0629.10h2System.45 A rollback strategy is in place before changes are implemented, and an audit log is maintained of all updates to operational program libraries.
18 12 06 Configuration Management 0630.10h2System.6 Physical or logical access is only given to suppliers for support purposes when necessary, with management approval, and such access is monitored.
19 11 06 Configuration Management 0635.10k1Organizational.12 Managers responsible for application systems are also responsible for the strict control (security) of the project or support environment and ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment.
20 11 06 Configuration Management 0636.10k2Organizational.1 The company formally addresses purpose, scope, roles, responsibilities, management commitment, coordination among the company's entities, and compliance for configuration management (e.g., through policies, standards, processes).
21 11 06 Configuration Management 0637.10k2Organizational.2 The company has developed, documented, and implemented a configuration management plan for the information system.
22 10 06 Configuration Management 0638.10k2Organizational.34569 Changes are formally controlled, documented and enforced in order to minimize the corruption of information systems.
23 11 06 Configuration Management 0639.10k2Organizational.78 Installation checklists and vulnerability scans are used to validate the configuration of servers, workstations, devices and appliances and ensure the configuration meets minimum standards.
24 12 06 Configuration Management 0640.10k2Organizational.1012 Where development is outsourced, change control procedures to address security are included in the contract(s) and specifically require the developer to track security flaws and flaw resolution within the system, component, or service and report findings to company-defined personnel or roles.
25 11 06 Configuration Management 0641.10k2Organizational.11 The company does not use automated updates on critical systems.
26 11 06 Configuration Management 0642.10k3Organizational.12 The company develops, documents, and maintains, under configuration control, a current baseline configuration of the information system, and reviews and updates the baseline as required.
27 11 06 Configuration Management 0643.10k3Organizational.3 The company (i) establishes and documents mandatory configuration settings for information technology products employed within the information system using the latest security configuration baselines; (ii) identifies, documents, and approves exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements; and (iii) monitors and controls changes to the configuration settings in accordance with the company's policies and procedures.
28 10 06 Configuration Management 0644.10k3Organizational.4 The company employs automated mechanisms to (i) centrally manage, apply, and verify configuration settings; (ii) respond to unauthorized changes to network and system security-related configuration settings; and (iii) enforce access restrictions and auditing of the enforcement actions.
29 11 06 Configuration Management 0663.10h1System.7 The operating system has in place supporting technical controls such as antivirus, file integrity monitoring, host-based (personal) firewalls or port filtering tools, and logging as part of its baseline.
30 11 06 Configuration Management 0663.10h2Organizational.9 The company prevents program execution in accordance with the list of unauthorized (blacklisted) software programs and rules authorizing the terms and conditions of software program usage.
31 11 06 Configuration Management 0664.10h2Organizational.10 The company identifies unauthorized (blacklisted) software on the information system, including servers, workstations and laptops, employs an allow-all, deny-by-exception policy to prohibit the execution of known unauthorized (blacklisted) software on the information system, and reviews and updates the list of unauthorized (blacklisted) software periodically but no less than annually.
32 11 06 Configuration Management 0671.10k1System.1 The company manages changes to mobile device operating systems, patch levels, and/or applications through a formal change management process.
33 11 06 Configuration Management 0672.10k3System.5 The integrity of all virtual machine images is ensured at all times by (i) logging and raising an alert for any changes made to virtual machine images, and (ii) making available to the business owner(s) and/or customer(s) through electronic methods (e.g., portals or alerts) the results of a change or move and the subsequent validation of the image's integrity.
34 10 06 Configuration Management 068.06g2Organizational.34 The company employs assessors or assessment teams with a level of independence appropriate to its continuous monitoring strategy to monitor the security controls in the information system on an ongoing basis.
35 10 06 Configuration Management 069.06g2Organizational.56 The internal security company reviews and maintains records of compliance results (e.g., company-defined metrics) in order to better track security trends within the company, respond to the results of correlation and analysis, and to address longer term areas of concern as part of its formal risk assessment process.
1 12 07 Vulnerability Management 0701.07a1Organizational.12 An inventory of assets and services is maintained.
2 12 07 Vulnerability Management 0702.07a1Organizational.3 The information lifecycle manages the secure use, transfer, exchange, and disposal of IT-related assets.
3 12 07 Vulnerability Management 0703.07a2Organizational.1 The inventory of all authorized assets includes the owner of the information asset, custodianship, categorizes the information asset according to criticality and information classification, and identifies protection and sustainment requirements commensurate with the asset's categorization.
4 12 07 Vulnerability Management 0704.07a3Organizational.12 Organizational inventories of IT assets are updated during installations, removals, and system changes, with full physical inventories performed for capital assets (at least annually) and for non-capital assets.
5 12 07 Vulnerability Management 0705.07a3Organizational.3 The IT Asset Lifecycle Program is regularly reviewed and updated.
6 14 07 Vulnerability Management 0706.10b1System.12 Applications developed by the company are based on secure coding guidelines to prevent common vulnerabilities or undergo appropriate testing.
7 14 07 Vulnerability Management 0707.10b2System.1 Applications that store, process or transmit covered information undergo automated application vulnerability testing by a qualified party on an annual basis.
8 13 07 Vulnerability Management 0708.10b2System.2 System and information integrity requirements are developed, documented, disseminated, reviewed and updated annually.
9 13 07 Vulnerability Management 0709.10m1Organizational.1 Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner.
10 13 07 Vulnerability Management 0710.10m2Organizational.1 A hardened configuration standard exists for all system and network components.
11 13 07 Vulnerability Management 0711.10m2Organizational.23 A technical vulnerability management program is in place to monitor, assess, rank, and remediate vulnerabilities identified in systems.
12 14 07 Vulnerability Management 0712.10m2Organizational.4 Internal and external vulnerability assessments of covered information systems, virtualized environments, and networked environments, including both network- and application-layer tests, are performed by a qualified individual on a quarterly basis or after significant changes.
13 13 07 Vulnerability Management 0713.10m2Organizational.5 Patches are tested and evaluated before they are installed.
14 13 07 Vulnerability Management 0714.10m2Organizational.7 The technical vulnerability management program is evaluated on a quarterly basis.
15 13 07 Vulnerability Management 0715.10m2Organizational.8 Systems are appropriately hardened (e.g., configured with only necessary and secure services, ports and protocols enabled).
16 14 07 Vulnerability Management 0716.10m3Organizational.1 The company conducts an enterprise security posture review as needed but no less than once within every three-hundred-sixty-five (365) days, in accordance with the company's IS procedures.
17 14 07 Vulnerability Management 0717.10m3Organizational.2 Vulnerability scanning tools include the capability to readily update the information system vulnerabilities scanned.
18 13 07 Vulnerability Management 0718.10m3Organizational.34 The company scans for vulnerabilities in the information system and hosted applications to determine the state of flaw remediation monthly (automatically) and again (manually or automatically) when new vulnerabilities potentially affecting the systems and networked environments are identified and reported.
19 14 07 Vulnerability Management 0719.10m3Organizational.5 The company updates the list of information system vulnerabilities scanned within every thirty (30) days or when new vulnerabilities are identified and reported.
20 12 07 Vulnerability Management 0720.07a1Organizational.4 The company's asset inventory does not duplicate other inventories unnecessarily and ensures their respective content is aligned.
21 13 07 Vulnerability Management 0722.07a1Organizational.67 If the company assigns assets to contractors, it ensures that the procedures for assigning and monitoring the use of the property are included in the contract; and, if assigned to volunteer workers, there is a written agreement specifying how and when the property will be inventoried and how it will be returned upon completion of the volunteer assignment.
22 13 07 Vulnerability Management 0723.07a1Organizational.8 The company creates and documents the process/procedure the company intends to use for deleting data from hard-drives prior to property transfer, exchange, or disposal/surplus.
23 13 07 Vulnerability Management 0724.07a3Organizational.4 The company employs automated mechanisms to scan the network, no less than weekly, to detect the presence of unauthorized components/devices (including hardware, firmware and software) in the environment; and disables network access by such components/devices or notify designated the company's officials.
24 12 07 Vulnerability Management 0725.07a3Organizational.5 The company provides an updated inventory identifying assets with sensitive information (e.g., ePHI, PII) to the CTO or information security official, and the senior privacy official on a company-defined basis, but no less than annually.
25 13 07 Vulnerability Management 0733.10b2System.4 The information system checks the validity of company-defined information inputs for accuracy, completeness, validity, and authenticity as close to the point of origin as possible. For in-house developed software, the company ensures that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
26 14 07 Vulnerability Management 0737.10m2Organizational.9 Information resources—that will be used to identify relevant technical vulnerabilities and to maintain awareness about them—are identified for software and other technology, and the information resources identified are updated based on changes in the inventory, or when other new or useful resources are found.
27 13 07 Vulnerability Management 0786.10m2Organizational.13 A prioritization process is implemented to determine which patches are applied across the company's systems.
28 13 07 Vulnerability Management 0787.10m2Organizational.14 Patches installed in the production environment are also installed in the company's disaster recovery environment in a timely manner.
29 14 07 Vulnerability Management 0788.10m3Organizational.20 The company undergoes regular penetration testing by an independent agent or team, at least every three hundred and sixty-five (365) days, on defined information systems or system components; conducts such testing from outside as well as inside the network perimeter; and such testing includes tests for the protection of unprotected system information that would be useful to attackers.
30 14 07 Vulnerability Management 0789.10m3Organizational.21 The company employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
31 14 07 Vulnerability Management 0790.10m3Organizational.22 The company reviews historic audit logs to determine if high vulnerability scan findings identified in the information system have been previously exploited.
32 14 07 Vulnerability Management 0791.10b2Organizational.4 Procedures, guidelines, and standards for the development of applications are periodically reviewed, assessed and updated as necessary by the appointed senior-level information security official of the company.
1 15 08 Network Protection 0805.01m1Organizational.12 The company's security gateways (e.g., firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains.
2 15 08 Network Protection 0806.01m2Organizational.12356 The company's network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on the company's requirements; and traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements.
3 16 08 Network Protection 0808.10b2System.3 For any public-facing Web applications, application-level firewalls have been implemented to control traffic. For any public-facing applications that are not Web-based, the company has implemented a network-based firewall specific to the application type. If the traffic to the public-facing application is encrypted, the company ensures that the device either sits behind the encryption point or is capable of decrypting the traffic prior to analysis.
4 16 08 Network Protection 0809.01n2Organizational.1234 Network traffic is controlled in accordance with the company's access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface.
5 17 08 Network Protection 0810.01n2Organizational.5 Transmitted information is secured and, at a minimum, encrypted over open, public networks.
6 15 08 Network Protection 08101.09m2Organizational.14 The company uses secured and encrypted communication channels when migrating physical servers, applications or data to virtualized servers.
7 16 08 Network Protection 0811.01n2Organizational.6 Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need.
8 17 08 Network Protection 0812.01n2Organizational.8 Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources.
9 16 08 Network Protection 0814.01n1Organizational.12 The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications.
10 15 08 Network Protection 0815.01o2Organizational.123 Requirements for network routing control are based on the access control policy, including positive source and destination checking mechanisms, such as firewall validation of source/destination addresses, and the hiding of internal directory services and IP addresses. The company has designed and implemented network perimeters so that all outgoing network traffic to the Internet must pass through at least one application layer filtering proxy server. The proxy supports decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a black list, and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites. The company forces outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter.
11 15 08 Network Protection 0816.01w1System.1 The sensitivity of applications/systems is explicitly identified and documented by the application/system owner.
12 14 08 Network Protection 0819.09m1Organizational.23 A current network diagram (including wireless networks) exists and is updated whenever there are network changes and no less than every six months.
13 15 08 Network Protection 0820.09m2Organizational.1 The company uniquely identifies and authenticates network devices that require authentication mechanisms before establishing a connection, using, at a minimum, shared information (i.e., MAC or IP address) and access control lists to control remote network access.
14 16 08 Network Protection 0821.09m2Organizational.2 The company tests and approves all network connections and firewall, router, and switch configuration changes prior to implementation. Any deviations from the standard configuration or updates to the standard configuration are documented and approved in a change control system. All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, are also documented and recorded, with a specific business reason for each change, a specific individual's name responsible for that business need, and an expected duration of the need.
15 16 08 Network Protection 0822.09m2Organizational.4 Firewalls restrict inbound and outbound traffic to the minimum necessary.
16 14 08 Network Protection 0824.09m3Organizational.1 The impact of the loss of network service to the business is defined.
17 15 08 Network Protection 0825.09m3Organizational.23 Technical tools such as an IDS/IPS are implemented and operating on the network perimeter and other key points to identify vulnerabilities, monitor traffic, and detect attack attempts and successful compromises, and mitigate threats; and these tools are updated on a regular basis.
18 16 08 Network Protection 0826.09m3Organizational.45 Firewall and router configuration standards are defined and implemented and are reviewed every six months.
19 15 08 Network Protection 0827.09m3Organizational.6 MAC address authentication and static IP addresses are implemented.
20 16 08 Network Protection 0828.09m3Organizational.8 Quarterly network scans are performed to identify unauthorized components/devices.
21 16 08 Network Protection 0829.09m3Organizational.911 The company utilizes firewalls from at least two different vendors that employ stateful packet inspection (also known as dynamic packet filtering).
22 15 08 Network Protection 0830.09m3Organizational.1012 A DMZ is established with all database(s), servers and other system components storing or processing covered information placed behind it to limit external network traffic to the internal network.
23 15 08 Network Protection 0832.09m3Organizational.14 The company uses at least two DNS servers located on different subnets, which are geographically separated and perform different roles (internal and external) to eliminate single points of failure and enhance redundancy.
24 14 08 Network Protection 0835.09n1Organizational.1 Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely.
25 17 08 Network Protection 0836.09n2Organizational.1 The company formally authorizes and documents the characteristics of each connection from an information system to other information systems outside the company.
26 14 08 Network Protection 0837.09n2Organizational.2 Formal agreements with external information system providers include specific obligations for security and privacy.
27 16 08 Network Protection 0850.01o1Organizational.12 Routing controls are implemented through security gateways (e.g., firewalls) used between internal and external networks (e.g., the Internet and 3rd party networks).
28 16 08 Network Protection 0858.09m1Organizational.4 The company monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CTO or his/her designated representative.
29 15 08 Network Protection 0859.09m1Organizational.78 The company ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access.
30 16 08 Network Protection 0860.09m1Organizational.9 The company formally manages equipment on the network, including equipment in user areas.
31 17 08 Network Protection 0861.09m2Organizational.67 To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system uses either a (i) shared known information solution or (ii) the company's authentication solution, the exact selection and strength of which is dependent on the security categorization of the information system.
32 15 08 Network Protection 0862.09m2Organizational.8 The company ensures information systems protect the confidentiality and integrity of transmitted information, including during preparation for transmission and during reception.
33 17 08 Network Protection 0863.09m2Organizational.910 The company builds a firewall configuration that restricts connections between un-trusted networks and any system components in the covered information environment; and any changes to the firewall configuration are updated in the network diagram.
34 16 08 Network Protection 0864.09m2Organizational.12 Usage restrictions and implementation guidance are formally defined for VoIP, including the authorization and monitoring of the service.
35 17 08 Network Protection 0865.09m2Organizational.13 The company (i) authorizes connections from the information system to other information systems outside of the company through the use of interconnection security agreements or other formal agreement; (ii) documents each connection, the interface characteristics, security requirements, and the nature of the information communicated; (iii) employs a deny all, permit by exception policy for allowing connections from the information system to other information systems outside of the company; and (iv) applies a default-deny rule that drops all traffic via host-based firewalls or port filtering tools on its endpoints (workstations, servers, etc.), except those services and ports that are explicitly allowed.
36 15 08 Network Protection 0866.09m3Organizational.1516 The company describes the groups, roles, and responsibilities for the logical management of network components and ensures coordination of and consistency in the elements of the network infrastructure.
37 17 08 Network Protection 0868.09m3Organizational.18 The company builds a firewall configuration to restrict inbound and outbound traffic to that which is necessary for the covered data environment.
38 16 08 Network Protection 0869.09m3Organizational.19 The router configuration files are secured and synchronized.
39 16 08 Network Protection 0870.09m3Organizational.20 Access to all proxies is denied, except for those hosts, ports, and services that are explicitly required.
40 15 08 Network Protection 0871.09m3Organizational.22 Authoritative DNS servers are segregated into internal and external roles.
41 17 08 Network Protection 0885.09n2Organizational.3 The company reviews and updates the interconnection security agreements on an ongoing basis verifying enforcement of security requirements.
42 17 08 Network Protection 0886.09n2Organizational.4 The company employs, and documents in a formal agreement or other document, either (i) an allow-all, deny-by-exception policy or (ii) a deny-all, permit-by-exception policy (preferred) for allowing specific information systems to connect to external information systems.
43 17 08 Network Protection 0887.09n2Organizational.5 The company requires external/outsourced service providers to identify the specific functions, ports, and protocols used in the provision of the external/outsourced services.
44 17 08 Network Protection 0888.09n2Organizational.6 The contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared.
45 15 08 Network Protection 0894.01m2Organizational.7 Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers.
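Several controls in this section describe one mechanism from different angles: a deny-all, permit-by-exception policy (0865, 0886), exceptions documented with a specific business reason, a responsible individual and an expected duration (0811, 0821), and review at least annually with removal once the need has lapsed (0811). The Python below is an added illustration of how such an exception register can drive the decision and surface expired or undocumented entries; it is not Cloudticity's tooling, and the addresses, names and dates in the sample register are constructed for the example.

```python
"""Deny-all, permit-by-exception traffic policy backed by a documented exception register
(added example, not Cloudticity code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network
from typing import List

REVIEW_INTERVAL = timedelta(days=365)   # exceptions are reviewed at least annually
TODAY = date(2021, 2, 8)                # fixed evaluation date for the worked example


@dataclass(frozen=True)
class FlowException:
    """One documented exception to the default-deny rule."""
    source: str          # CIDR
    destination: str     # CIDR
    port: int
    protocol: str        # "tcp" or "udp"
    business_need: str   # specific business reason for the flow
    owner: str           # specific individual responsible for the need
    approved: date
    duration_days: int   # expected duration of the need
    last_reviewed: date

    def expires(self) -> date:
        return self.approved + timedelta(days=self.duration_days)

    def documentation_gaps(self) -> List[str]:
        """Return the items the rule is missing: business need, owner, duration."""
        gaps = []
        if not self.business_need.strip():
            gaps.append("business need")
        if not self.owner.strip():
            gaps.append("responsible individual")
        if self.duration_days <= 0:
            gaps.append("expected duration")
        return gaps

    def is_active(self, today: date) -> bool:
        """An exception is enforceable only when fully documented and not yet expired."""
        return not self.documentation_gaps() and today < self.expires()

    def matches(self, src: str, dst: str, port: int, proto: str) -> bool:
        return (ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination)
                and port == self.port
                and proto.lower() == self.protocol.lower())


def decide(register: List[FlowException], src: str, dst: str, port: int,
           proto: str, today: date) -> str:
    """Default deny: answer "allow" only when an active, documented exception matches."""
    for ex in register:
        if ex.is_active(today) and ex.matches(src, dst, port, proto):
            return "allow"
    return "deny"


def expired(register: List[FlowException], today: date) -> List[FlowException]:
    """Exceptions whose expected duration has passed; these should be removed."""
    return [ex for ex in register if today >= ex.expires()]


def due_for_review(register: List[FlowException], today: date) -> List[FlowException]:
    """Exceptions not reviewed within the annual interval."""
    return [ex for ex in register if today - ex.last_reviewed >= REVIEW_INTERVAL]


# Constructed sample register; addresses, names and dates are invented for this example.
SAMPLE_REGISTER = [
    FlowException("10.0.1.0/24", "10.0.2.10/32", 5432, "tcp",
                  "application tier to database", "A. Example (constructed)",
                  date(2021, 1, 15), 365, date(2021, 1, 15)),
    # Undocumented and long expired: never matched, and reported for removal.
    FlowException("10.0.3.0/24", "0.0.0.0/0", 22, "tcp",
                  "", "", date(2020, 1, 1), 90, date(2020, 1, 1)),
]
```

Two properties matter here: an entry that lacks its business need or owner is ignored by `decide` rather than silently honoured, and `expired` and `due_for_review` give the periodic review a concrete work list instead of relying on someone remembering to look.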
1 17 09 Transmission Protection 0901.09s1Organizational.1 The company formally addresses multiple safeguards before allowing the use of information systems for information exchange.
2 18 09 Transmission Protection 0903.10f1Organizational.1 Encryption is used to protect covered information on mobile/removable media and across communication lines based on pre-determined criteria.
3 18 09 Transmission Protection 0911.09s1Organizational.2 The company establishes terms and conditions, consistent with any trust relationship established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to (i) access the information system from external information systems; and (ii) process, store or transmit company-controlled information using external information systems.
4 18 09 Transmission Protection 0912.09s1Organizational.4 Cryptography is used to protect the confidentiality and integrity of remote access sessions to the internal network and to external systems.
5 18 09 Transmission Protection 0913.09s1Organizational.5 Strong cryptography protocols are used to safeguard covered information during transmission over less trusted / open public networks.
6 17 09 Transmission Protection 0914.09s1Organizational.6 The company ensures that communication protection requirements, including the security of exchanges of information, are the subject of policy development and compliance audits.
7 18 09 Transmission Protection 0925.09v1Organizational.1 Legal considerations, including requirements for electronic signatures, are addressed.
8 17 09 Transmission Protection 0926.09v1Organizational.2 Approvals are obtained prior to using external public services, including instant messaging or file sharing.
9 18 09 Transmission Protection 0927.09v1Organizational.3 Stronger levels of authentication are implemented to control access from publicly accessible networks.
10 18 09 Transmission Protection 0928.09v1Organizational.45 Stronger controls are implemented to protect certain electronic messages, and electronic messages are protected throughout the duration of their end-to-end transport path using cryptographic mechanisms unless protected by alternative measures.
11 18 09 Transmission Protection 0929.09v1Organizational.6 The company never sends unencrypted sensitive information by end-user messaging technologies (e.g., email, instant messaging, and chat).
12 18 09 Transmission Protection 0943.09y1Organizational.1 Data involved in electronic commerce and online transactions is checked to determine if it contains covered information.
13 18 09 Transmission Protection 0944.09y1Organizational.2 Security is maintained through all aspects of the transaction.
14 18 09 Transmission Protection 0945.09y1Organizational.3 Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL).
15 18 09 Transmission Protection 0963.10fCFRPart11Organizational.1 Persons using electronic signatures, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures as required.
16 18 09 Transmission Protection 099.09m2Organizational.11 The company uses FIPS-validated cryptographic mechanisms during transmission to prevent unauthorized disclosure of information and detect changes to information unless otherwise protected by company-defined alternative physical measures.
1 19 10 Password Management 1002.01d1System.1 Passwords are not displayed when entered.
2 19 10 Password Management 1003.01d1System.3 User identities are verified prior to performing password resets.
3 19 10 Password Management 1004.01d1System.8913 The company maintains a list of commonly-used, expected or compromised passwords, and updates the list at least every 180 days and when the company's passwords are suspected to have been compromised, either directly or indirectly; verifies, when users create or update passwords, that the passwords are not found on the company-defined list of commonly-used, expected or compromised passwords; allows users to select long passwords and passphrases, including spaces and all printable characters; and employs automated tools to assist the user in selecting strong passwords and authenticators.
4 19 10 Password Management 1005.01d1System.1011 The company transmits passwords only when cryptographically-protected and stores passwords using an approved hash algorithm.
5 19 10 Password Management 1006.01d2System.1 Passwords are not included in automated log-on processes.
6 19 10 Password Management 1007.01d2System.2 Passwords are encrypted during transmission and storage on all system components.
7 19 10 Password Management 1008.01d2System.3 Users sign a statement acknowledging their responsibility to keep passwords confidential.
8 19 10 Password Management 1009.01d2System.4 Temporary passwords are unique and not guessable.
9 19 10 Password Management 1010.01d2System.5 Identification codes used in conjunction with passwords for electronic signatures are protected.
10 19 10 Password Management 1014.01d1System.12 The company avoids the use of third parties or unprotected (clear text) electronic mail messages for the dissemination of passwords.
11 19 10 Password Management 1015.01d1System.14 Users acknowledge receipt of passwords.
12 19 10 Password Management 1022.01d1System.15 Password policies, applicable to mobile devices, are documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and prohibit the changing of password/PIN lengths and authentication requirements.
13 19 10 Password Management 1027.01d2System.6 Electronic signatures that are not based upon biometrics employ at least two distinct identification components that are administered and executed.
14 19 10 Password Management 1031.01d1System.34510 The company changes passwords for default system accounts, whenever there is any indication of password compromise, at first logon following the issuance of a temporary password, and requires immediate selection of a new password upon account recovery.
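Controls 1004, 1005 and 1007 above describe the mechanics of password handling: rejecting candidates found on a list of commonly-used or compromised passwords, allowing long passphrases with spaces and all printable characters, and storing passwords only under an approved hash algorithm. The Python below is an added illustration of those checks, not Cloudticity code; the blocked list is a tiny constructed stand-in for the company-maintained list, the 12-character minimum and 256-character maximum are assumptions (the policy text states neither), and PBKDF2-HMAC-SHA256 is used as one example of an approved construction.

```python
"""Password acceptance checks (blocked list, passphrases, printable characters) and
storage with an approved hash algorithm (added example, not Cloudticity code)."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed stand-in for the company-maintained list of commonly-used, expected or
# compromised passwords; a real list is far larger and refreshed at least every 180 days.
BLOCKED_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "letmein", "password1"}

MIN_LENGTH = 12                # assumed minimum; the policy text does not state one
MAX_LENGTH = 256               # assumed upper bound so hashing cost stays predictable
PBKDF2_ITERATIONS = 600_000    # PBKDF2-HMAC-SHA256 is a FIPS-approved construction
SALT_BYTES = 16


def normalize(candidate: str) -> str:
    """Compare case-insensitively and ignore surrounding whitespace so trivial variants
    of a blocked password ("Password ", "PASSWORD") are still caught."""
    return candidate.strip().lower()


def check_password(candidate: str) -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means it is acceptable.
    Spaces and every other printable character are allowed so passphrases work."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if normalize(candidate) in BLOCKED_PASSWORDS:
        reasons.append("found on the blocked password list")
    if not all(ch.isprintable() for ch in candidate):
        reasons.append("contains non-printable characters")
    return reasons


def hash_password(password: str) -> str:
    """Store only a salted PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def register_password(candidate: str) -> Tuple[List[str], Optional[str]]:
    """Apply the acceptance checks first; return (reasons, stored_hash_or_None)."""
    reasons = check_password(candidate)
    if reasons:
        return reasons, None
    return [], hash_password(candidate)
```

The iteration count and salt are stored alongside the digest so they can be raised later without invalidating existing records, and `verify_password` uses a constant-time comparison so a mismatch does not leak how many bytes matched.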
1 20 11 Access Control 1106.01b1System.1 User identities are verified prior to establishing accounts.
2 21 11 Access Control 1107.01b1System.2 Default and unnecessary system accounts are removed, disabled, or otherwise secured (e.g., the passwords are changed and privileges are reduced to the lowest levels of access).
3 19 11 Access Control 1108.01b1System.3 Account managers are notified when users' access rights change (e.g., termination, change in position) and modify the user's account accordingly.
4 19 11 Access Control 1109.01b1System.479 User registration and de-registration, at a minimum, communicate relevant policies to users and require acknowledgement (e.g., signed or captured electronically), check authorization and minimum level of access necessary prior to granting access, ensure access is appropriate to the business and/or clinical needs (consistent with sensitivity/risk and does not violate segregation of duties requirements), address termination and transfer, ensure default accounts are removed and/or renamed, remove or block critical access rights of users who have changed roles or jobs, and automatically remove or disable inactive accounts.
5 20 11 Access Control 1110.01b1System.5 Users are given a written statement of their access rights, which they are required to sign stating they understand the conditions of access. Guest/anonymous, shared/group, emergency and temporary accounts are specifically authorized and use monitored.
6 21 11 Access Control 11109.01q1Organizational.57 The company ensures that redundant user IDs are not issued to other users and that all users are uniquely identified and authenticated for both local and remote access to information systems.
7 21 11 Access Control 1111.01b2System.1 Group, shared or generic accounts and passwords (e.g., for first-time log-on) are not used.
8 21 11 Access Control 11110.01q1Organizational.6 Non-organizational users (all information system users other than the company's users, such as patients, customers, contractors, or foreign nationals), or processes acting on behalf of non-company users, determined to need access to information residing on the company's information systems, are uniquely identified and authenticated.
9 22 11 Access Control 11111.01q2System.4 When PKI-based authentication is used, the information system validates certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; enforces access to the corresponding private key; maps the identity to the corresponding account of the individual or group; and implements a local cache of revocation data to support path discovery and validation in case of an inability to access revocation information via the network.
10 21 11 Access Control 11112.01q2Organizational.67 The information system employs replay-resistant authentication mechanisms such as nonce, one-time passwords, or time stamps to secure network access for privileged accounts; and, for hardware token-based authentication, employs mechanisms that satisfy minimum token requirements discussed in NIST SP 800-63-2, Electronic Authentication Guideline.
11 22 11 Access Control 11113.01q3Organizational.1 The company employs multifactor authentication for network access to privileged and non-privileged accounts, such that one of the factors is provided by a device separate from the system gaining access, and for local access to privileged accounts (including those used for non-local maintenance and diagnostic sessions).
12 20 11 Access Control 1112.01b2System.2 User identities are verified in person before a designated registration authority with authorization by a designated company official (e.g., a supervisor or other individual defined in an applicable security plan) prior to receiving a hardware token.
13 23 11 Access Control 11126.01t1Organizational.12 A time-out system (e.g., a screen saver) pauses the session screen after 15 minutes of inactivity, closes network sessions after 30 minutes of inactivity, and requires the user to reestablish authenticated access once the session has been paused or closed; or, if the system cannot be modified, a limited form of time-out that clears the screen but does not close down the application or network sessions is used.
14 22 11 Access Control 11127.01t2Organizational.1 A time-out system (e.g., a screen saver) pauses the session screen after 2 minutes of inactivity and closes network sessions after 30 minutes of inactivity.
15 20 11 Access Control 1113.01b3System.123 Automated mechanisms support the management of information system accounts, including the disabling of emergency accounts within 24 hours and temporary accounts within a fixed duration not to exceed 365 days.
16 23 11 Access Control 1114.01h1Organizational.123 Covered or critical business information is not left unattended or available for unauthorized individuals to access, including on desks, printers, copiers, fax machines, and computer monitors.
17 20 11 Access Control 11154.02i1Organizational.5 Access rights to information assets and facilities are reduced or removed before the employment or other workforce arrangement terminates or changes, depending on the evaluation of risk factors.
18 22 11 Access Control 1116.01j1Organizational.145 Strong authentication methods such as multi-factor, RADIUS or Kerberos and CHAP are implemented for all external connections to the company's network.
19 22 11 Access Control 1117.01j1Organizational.23 Remote access by vendors and business partners (e.g., for remote maintenance) is disabled/deactivated when not in use.
20 22 11 Access Control 1118.01j2Organizational.124 The company has implemented encryption (e.g., VPN solutions or private lines) and logs remote access to the company's network by employees, contractors or third parties.
21 22 11 Access Control 11180.01c3System.6 Access to management functions or administrative consoles for systems hosting virtualized systems is restricted to personnel based upon the principle of least privilege and supported through technical controls.
22 22 11 Access Control 1119.01j2Organizational.3 Network equipment is checked for unanticipated dial-up capabilities.
23 19 11 Access Control 11190.01t1Organizational.3 Bring your own device (BYOD) and/or company-owned devices are configured to require an automatic lockout screen, and the requirement is enforced through technical controls.
24 22 11 Access Control 1120.09ab3System.9 Unauthorized remote connections to the information systems are monitored and reviewed at least quarterly, and appropriate action is taken if an unauthorized connection is discovered.
25 18 11 Access Control 11200.01b2Organizational.3 Identity verification of the individual is required prior to establishing, assigning, or certifying an individual's electronic signature or any element of such signature.
26 18 11 Access Control 11208.01q1Organizational.8 The company requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else.
27 19 11 Access Control 11209.01q2Organizational.9 Electronic signatures based upon biometrics are designed to ensure that they cannot be used by any individual other than their genuine owners.
28 22 11 Access Control 1121.01j3Organizational.2 Remote administration sessions are authorized, encrypted, and employ increased security measures.
29 18 11 Access Control 11210.01q2Organizational.10 Electronic signatures and handwritten signatures executed to electronic records are linked to their respective electronic records.
30 18 11 Access Control 11211.01q2Organizational.11 Signed electronic records contain information associated with the signing in human-readable format.
31 20 11 Access Control 11219.01b1Organizational.10 The company maintains a current listing of all workforce members (individuals, contractors and Business Associates) with access to PHI.
32 20 11 Access Control 1122.01q1System.1 Unique IDs that can be used to trace activities to the responsible individual are required for all types of company and non-company users.
33 20 11 Access Control 11220.01b1System.10 User registration and de-registration formally address establishing, activating, modifying, reviewing, disabling and removing accounts.
34 21 11 Access Control 1123.01q1System.2 Users who perform privileged functions (e.g., system administration) use separate accounts when performing those privileged functions.
35 21 11 Access Control 1124.01q1System.34 Shared/group and generic user IDs are only used in exceptional circumstances where there is a clear business benefit, when user functions do not need to be traced, additional accountability controls are implemented, and after approval by management.
36 22 11 Access Control 1125.01q2System.1 Multi-factor authentication methods are used in accordance with the company's policy (e.g., for remote network access).
37 20 11 Access Control 1127.01q2System.3 Where tokens are provided for multi-factor authentication, in-person verification is required prior to granting access.
38 20 11 Access Control 1128.01q2System.5 Help desk support requires user identification for any transaction that has information security implications.
39 20 11 Access Control 1129.01v1System.12 Access rights to applications and application functions are limited to the minimum necessary using menus.
40 20 11 Access Control 1130.01v2System.1 Access rights from an application to other applications are controlled.
41 21 11 Access Control 1131.01v2System.2 Outputs from application systems handling covered information are limited to the minimum necessary and sent only to authorized terminals/locations.
42 18 11 Access Control 1132.01v2System.3 Covered information is encrypted when stored in non-secure areas and, if not encrypted at rest, the company must document its rationale.
43 20 11 Access Control 1133.01v2System.4 Actions that can be performed without identification and authentication are permitted by exception.
44 22 11 Access Control 1134.01v3System.1 Copy (including print screen), move, print, and storage of sensitive data are prohibited when accessed remotely without a defined business need.
45 20 11 Access Control 1135.02i1Organizational.1234 Upon termination or changes in employment for employees, contractors, third-party users or other workforce arrangement, physical and logical access rights and associated materials (e.g., passwords, keycards, keys, documentation that identify them as current members of the company) are removed or modified to restrict access within 24 hours and old accounts are closed after 90 days of opening new accounts.
46 20 11 Access Control 1137.06e1Organizational.1 Acceptable use agreements are signed by all employees before being allowed access to information assets.
47 23 11 Access Control 1138.06e2Organizational.12 Computer login banners are displayed outlining the terms and conditions of access and must be accepted before access is granted.
48 20 11 Access Control 1139.01b1System.68 Account types are identified (individual, shared/group, system, application, guest/anonymous, emergency and temporary), conditions for group and role membership are established, and, if used, shared/group account credentials are modified when users are removed from the group.
49 19 11 Access Control 1140.01b3System.4 In addition to assigning a unique ID and password, token devices (e.g., SecurID, certificates, public key), biometrics or both methods are employed to authenticate all users.
50 21 11 Access Control 1143.01c1System.123 Privileges are formally authorized and controlled, allocated to users on a need-to-use and event-by-event basis for their functional role (e.g., user or administrator), and documented for each system product/element.
51 21 11 Access Control 1144.01c1System.4 The company explicitly authorizes access to specific security relevant functions (deployed in hardware, software, and firmware) and security-relevant information.
52 20 11 Access Control 1145.01c2System.1 Role-based access control is implemented and capable of mapping each user to one or more roles, and each role to one or more system functions.
53 21 11 Access Control 1146.01c2System.23 The company promotes the development and use of programs that avoid the need to run with elevated privileges and system routines to avoid the need to grant privileges to users.
54 21 11 Access Control 1147.01c2System.456 Elevated privileges are assigned to a different user ID from those used for normal business use, all users access privileged services in a single role, and such privileged access is minimized.
55 21 11 Access Control 1148.01c2System.78 The company restricts access to privileged functions and all security-relevant information.
56 21 11 Access Control 1149.01c2System.9 The company facilitates information sharing by enabling authorized users to determine a business partner's access when discretion is allowed as defined by the company and by employing manual processes or automated mechanisms to assist users in making information sharing/collaboration decisions.
57 21 11 Access Control 1150.01c2System.10 The access control system for the system components storing, processing or transmitting covered information is set with a default "deny-all" setting.
58 21 11 Access Control 1151.01c3System.1 The company limits authorization to privileged accounts on information systems to a pre-defined subset of users.
59 22 11 Access Control 1152.01c3System.2 The company audits the execution of privileged functions on information systems and ensures information systems prevent non-privileged users from executing privileged functions.
60 20 11 Access Control 1153.01c3System.35 All file system access not explicitly required is disabled, and authorized users are permitted access only to that which is expressly required for the performance of their job duties.
61 20 11 Access Control 1154.01c3System.4 Contractors are provided with minimal system and physical access only after the company assesses the contractor's ability to comply with its security requirements and the contractor agrees to comply.
62 20 11 Access Control 1166.01e1System.12 User access rights are reviewed after any changes and reallocated as necessary.
63 20 11 Access Control 1167.01e2System.1 The company maintains a documented list of authorized users of information assets.
64 20 11 Access Control 1168.01e2System.2 The company reviews critical system accounts and privileged access rights every 60 days; all other accounts, including user access and changes to access authorizations, are reviewed every 90 days.
65 22 11 Access Control 1175.01j1Organizational.8 Remote access to business information across public networks only takes place after successful identification and authentication.
66 20 11 Access Control 1177.01j2Organizational.6 User IDs assigned to vendors are reviewed in accordance with the company's access review policy, at a minimum annually.
67 22 11 Access Control 1178.01j2Organizational.7 Node authentication, including cryptographic techniques (e.g., machine certificates), serves as an alternative means of authenticating groups of remote users where they are connected to a secure, shared computer facility.
68 22 11 Access Control 1179.01j3Organizational.1 The information system monitors and controls remote access methods.
69 22 11 Access Control 1193.01l2Organizational.13 Controls for the access to diagnostic and configuration ports include the use of a key lock and the implementation of supporting procedures to control physical access to the port.
70 21 11 Access Control 1194.01l2Organizational.2 Ports, services, and similar applications installed on computer or network systems that are not specifically required for business functionality are disabled or removed.
1 23 12 Audit Logging & Monitoring 1201.06e1Organizational.2 The company provides notice that the employee's actions may be monitored, and that the employee consents to such monitoring.
2 23 12 Audit Logging & Monitoring 1202.09aa1System.1 A secure audit record is created for all activities on the system (create, read, update, delete) involving covered information.
3 23 12 Audit Logging & Monitoring 1203.09aa1System.2 Audit records include the unique user ID, unique data subject ID, function performed, and date/time the event was performed.
4 24 12 Audit Logging & Monitoring 1204.09aa1System.3 Audit records of the activities of privileged users (administrators, operators, etc.) include the success/failure of the event, the time the event occurred, the account involved, the processes involved, and additional information about the event.
5 23 12 Audit Logging & Monitoring 1205.09aa2System.1 Logs of messages sent and received are maintained including the date, time, origin and destination of the message, but not its contents.
6 23 12 Audit Logging & Monitoring 1206.09aa2System.23 Auditing is always available while the system is active and tracks key events, successful/failed data access, system security configuration changes, privileged or utility use, any alarms raised, activation and deactivation of protection systems (e.g., A/V and IDS), activation and deactivation of identification and authentication mechanisms, and creation and deletion of system-level objects.
7 23 12 Audit Logging & Monitoring 1207.09aa2System.4 Audit records are retained for 90 days and older audit records are archived for one year.
8 23 12 Audit Logging & Monitoring 1208.09aa3System.1 Audit logs are maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes.
9 23 12 Audit Logging & Monitoring 1209.09aa3System.2 The information system generates audit records containing the following detailed information: (i) filename accessed; (ii) program or command used to initiate the event; and (iii) source and destination addresses.
10 24 12 Audit Logging & Monitoring 1210.09aa3System.3 All disclosures of covered information within or outside of the company are logged including type of disclosure, date/time of the event, recipient, and sender.
11 24 12 Audit Logging & Monitoring 12100.09ab2System.15 The company monitors the information system to identify irregularities or anomalies that are indicators of a system malfunction or compromise and help confirm the system is functioning in an optimal, resilient and secure state.
12 23 12 Audit Logging & Monitoring 12101.09ab1Organizational.3 The company specifies how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required.
13 24 12 Audit Logging & Monitoring 12102.09ab1Organizational.4 The company periodically tests its monitoring and detection processes, remediates deficiencies, and improves its processes.
14 23 12 Audit Logging & Monitoring 12103.09ab1Organizational.5 Information collected from multiple sources is aggregated for review.
15 24 12 Audit Logging & Monitoring 1211.09aa3System.4 The company verifies every ninety (90) days, for each recorded extract of covered information, that the data has been erased or that its use is still required.
16 23 12 Audit Logging & Monitoring 1212.09ab1System.1 All applicable legal requirements related to monitoring authorized access and unauthorized access attempts are met.
17 24 12 Audit Logging & Monitoring 1213.09ab2System.128 Automated systems deployed throughout the company's environment are used to monitor key events and anomalous activity, and analyze system logs, the results of which are reviewed regularly.
18 24 12 Audit Logging & Monitoring 1214.09ab2System.3456 Monitoring includes privileged operations, authorized access or unauthorized access attempts, including attempts to access deactivated accounts, and system alerts or failures.
19 24 12 Audit Logging & Monitoring 1215.09ab2System.7 Auditing and monitoring systems employed by the company support audit reduction and report generation.
20 24 12 Audit Logging & Monitoring 1216.09ab3System.12 Automated systems are used to review monitoring activities of security systems (e.g., IPS/IDS) and system records on a daily basis, and identify and document anomalies.
21 24 12 Audit Logging & Monitoring 1217.09ab3System.3 Alerts are generated for technical personnel to analyze and investigate suspicious activity or suspected violations.
22 24 12 Audit Logging & Monitoring 1218.09ab3System.47 Automated systems support near real-time analysis and alerting of events (e.g., malicious code, potential intrusions) and integrate intrusion detection into access and flow control mechanisms.
23 24 12 Audit Logging & Monitoring 1219.09ab3System.10 The information system is able to automatically process audit records for events of interest based on selectable criteria.
24 24 12 Audit Logging & Monitoring 1220.09ab3System.56 Monitoring includes inbound and outbound communications and file integrity monitoring.
25 24 12 Audit Logging & Monitoring 1222.09ab3System.8 The company analyzes and correlates audit records across different repositories using a security information and event management (SIEM) tool or log analytics tools for log aggregation and consolidation from multiple systems/machines/devices, and correlates this information with input from non-technical sources to gain and enhance company-wide situational awareness. Using the SIEM tool, the company devises profiles of common events from given systems/machines/devices so that it can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts.
26 24 12 Audit Logging & Monitoring 1229.09c1Organizational.1 Separation of duties is used to limit the risk of unauthorized or unintentional modification of information and systems.
27 25 12 Audit Logging & Monitoring 1230.09c2Organizational.1 No single person is able to access, modify, or use information systems without authorization or detection.
28 25 12 Audit Logging & Monitoring 1231.09c2Organizational.23 Job descriptions define duties and responsibilities that support the separation of duties across multiple users.
29 23 12 Audit Logging & Monitoring 1239.09aa1System.4 Retention for audit logs is specified by the company and the logs retained accordingly.
30 24 12 Audit Logging & Monitoring 1240.09aa2System.56 The company provides a rationale for why the auditable events are deemed adequate to support after-the-fact investigations of security incidents and for which events require auditing on a continuous basis in response to specific situations; the listing of auditable events and the supporting rationale are reviewed and updated periodically, within 365 days.
31 24 12 Audit Logging & Monitoring 1259.09ab2System.9 The company responds to physical security incidents and coordinates results of reviews and investigations with the company's incident response capability.
32 23 12 Audit Logging & Monitoring 1270.09ad1System.12 The company ensures proper logging is enabled in order to audit administrator activities; and reviews system administrator and operator logs on a regular basis.
33 25 12 Audit Logging & Monitoring 1276.09c2Organizational.2 Security audit activities are independent.
34 23 12 Audit Logging & Monitoring 1277.09c2Organizational.4 The initiation of an event is separated from its authorization to reduce the possibility of collusion.
35 24 12 Audit Logging & Monitoring 1278.09c2Organizational.56 The company identifies duties that require separation and defines information system access authorizations to support separation of duties; and incompatible duties are segregated across multiple users to minimize the opportunity for misuse or fraud.
1 25 13 Education, Training and Awareness 1301.02e1Organizational.12 Employees and contractors receive documented initial (as part of their onboarding within sixty (60) days of hire), annual and ongoing training on their roles related to security and privacy.
2 25 13 Education, Training and Awareness 1302.02e2Organizational.134 Dedicated security and privacy awareness training is developed as part of the company's onboarding program, is documented and tracked, and includes the recognition and reporting of potential indicators of an insider threat.
3 25 13 Education, Training and Awareness 1303.02e2Organizational.2 Employees sign acceptance/acknowledgement of their security and privacy responsibilities.
4 26 13 Education, Training and Awareness 1304.02e3Organizational.1 Personnel with significant security responsibilities receive specialized education and training on their roles and responsibilities prior to being granted access to the company's systems and resources, when required by system changes, when entering into a new position that requires additional training, and no less than annually thereafter.
5 25 13 Education, Training and Awareness 1305.02e3Organizational.23 The company maintains a documented list of each individual who completes the on-boarding process and maintains all training records for at least five (5) years.
6 25 13 Education, Training and Awareness 1306.06e1Organizational.5 Employees and contractors are informed in writing that violations of the security policies will result in sanctions or disciplinary action.
7 25 13 Education, Training and Awareness 1307.07c1Organizational.124 The company defines rules to describe user responsibilities and acceptable behavior for information system usage, including at a minimum, rules for email, internet, mobile devices, social media and facility usage.
8 25 13 Education, Training and Awareness 1308.09j1Organizational.5 The company prohibits users from installing unauthorized software, including data and software from external networks, and ensures users are made aware and trained on these requirements.
9 26 13 Education, Training and Awareness 1309.01x1System.36 Personnel using mobile computing devices are trained on the risks, the controls implemented, and their responsibilities, e.g., shoulder surfing, physical protections.
10 26 13 Education, Training and Awareness 1310.01y1Organizational.9 Personnel who telework are trained on the risks, the controls implemented, and their responsibilities.
11 25 13 Education, Training and Awareness 1311.12c2Organizational.3 The company's employees are provided with crisis management awareness and training.
12 26 13 Education, Training and Awareness 1313.02e1Organizational.3 The company provides incident response and contingency training to information system users consistent with assigned roles and responsibilities within ninety (90) days of assuming an incident response role or responsibility; when required by information system changes; and within every three hundred sixty-five (365) days thereafter.
13 25 13 Education, Training and Awareness 1314.02e2Organizational.5 The company conducts an internal annual review of the effectiveness of its security and privacy education and training program and updates the program to reflect risks identified in the company's risk assessment.
14 25 13 Education, Training and Awareness 1315.02e2Organizational.67 The company provides specialized security and privacy education and training appropriate to the employee's role/responsibilities, including the company's business unit security POCs and system/software developers.
15 25 13 Education, Training and Awareness 1324.07c1Organizational.3 Employees, contractors and third-party system users are aware of the limits existing for their use of the company's information and assets associated with information processing facilities and resources; and they are responsible for their use of any information resource and of any use carried out under their responsibility.
16 26 13 Education, Training and Awareness 1325.09s1Organizational.3 Personnel are appropriately trained on leading principles and practices for all types of information exchange (oral, paper and electronic).
17 26 13 Education, Training and Awareness 1326.02e1Organizational.4 The company provides training on BYOD usage, which includes providing an approved list of applications, application stores, and application extensions and plugins.
18 26 13 Education, Training and Awareness 1327.02e2Organizational.8 The company trains its workforce to ensure covered information is stored in company-specified locations.
19 26 13 Education, Training and Awareness 1331.02e3Organizational.4 The company trains workforce members on how to properly respond to perimeter security alarms.
20 25 13 Education, Training and Awareness 1334.02e2Organizational.12 The company ensures that the senior executives have been trained in their specific roles and responsibilities.
21 26 13 Education, Training and Awareness 1335.02eCFRPart11Organizational.1 Persons who develop, maintain, or use electronic record/electronic signature systems have the proper and sufficient education, training, and experience to perform their assigned tasks.
22 25 13 Education, Training and Awareness 1336.02e1Organizational.5 The company's security awareness and training program identifies how workforce members are provided security awareness and training and which workforce members will receive it; describes the types of security awareness and training that are reasonable and appropriate for its workforce members; and specifies how workforce members are provided security awareness and training when there is a change in the company's information systems, and how frequently security awareness and training is provided to all workforce members.
1 26 14 Third-Party Assurance 1401.05i1Organizational.1239 Access to the company's information and systems by external parties is not permitted until due diligence has been conducted, the appropriate controls have been implemented, and a contract/agreement reflecting the security requirements is signed acknowledging they understand and accept their obligations.
2 27 14 Third-Party Assurance 1402.05i1Organizational.45 Remote access connections between the company and external parties are encrypted.
3 27 14 Third-Party Assurance 1403.05i1Organizational.67 Access granted to external parties is limited to the minimum necessary and granted only for the duration required.
4 26 14 Third-Party Assurance 1406.05k1Organizational.110 A standard agreement with third parties is defined and includes the required security controls in accordance with the company's security policies.
5 26 14 Third-Party Assurance 1408.09e1System.1 Service Level Agreements (SLAs) or contracts with an agreed service arrangement address liability, service definitions, security controls, and other aspects of services management.
6 26 14 Third-Party Assurance 1409.09e2System.1 The company develops, disseminates and annually reviews/updates a list of current service providers, which includes a description of services provided.
7 26 14 Third-Party Assurance 1410.09e2System.23 The company addresses information security and other business considerations when acquiring systems or services; including maintaining security during transitions and continuity following a failure or disaster.
8 27 14 Third-Party Assurance 1411.09f1System.1 The results of monitoring activities of third-party services are compared against the Service Level Agreements or contracts at least annually.
9 27 14 Third-Party Assurance 1412.09f2System.12 Regular progress meetings are conducted as required by the SLA to review reports, audit trails, security events, operational issues, failures and disruptions, and identified problems/issues are investigated and resolved accordingly.
10 27 14 Third-Party Assurance 1413.09f2System.3 Network services are periodically audited to ensure that providers have implemented the required security features and meet the requirements agreed with management, including new and existing regulations.
11 27 14 Third-Party Assurance 1416.10l1Organizational.1 Where software development is outsourced, formal contracts are in place to address the ownership and security of the code and application.
12 27 14 Third-Party Assurance 1417.10l2Organizational.1 Where software development is outsourced, the development process is monitored by the company and includes independent security and code reviews.
13 27 14 Third-Party Assurance 1418.05i1Organizational.8 The identification of risks related to external party access takes into account a minimal set of specifically defined issues.
14 27 14 Third-Party Assurance 1419.05j1Organizational.12 The company ensures that customers are aware of their obligations and rights, and accept the responsibilities and liabilities involved in accessing, processing, communicating, or managing the company's information and information assets.
15 27 14 Third-Party Assurance 1428.05k1Organizational.2 The company identifies and mandates information security controls to specifically address supplier access to the company's information and information assets.
16 26 14 Third-Party Assurance 1429.05k1Organizational.34 The company maintains written agreements (contracts) that include: (i) an acknowledgement that the third-party (e.g., a service provider) is responsible for the security of the data and requirements to address the associated information security risks and (ii) requirements to address the information security risks associated with information and communications technology services (e.g., cloud computing services) and product supply chain.
17 26 14 Third-Party Assurance 1430.05k1Organizational.56 The agreement ensures that there is no misunderstanding between the company and the third-party and satisfies the company as to the indemnity of the third-party.
18 27 14 Third-Party Assurance 1431.05k1Organizational.7 The company establishes personnel security requirements, including security roles and responsibilities, for third-party providers that are coordinated and aligned with internal security roles and responsibilities.
19 27 14 Third-Party Assurance 1432.05k1Organizational.89 The company ensures a screening process is carried out for contractors and third-party users; and, where contractors are provided through a third-party organization, (i) the contract with that organization clearly specifies its responsibilities for screening and the notification procedures it needs to follow if screening has not been completed or if the results give cause for doubt or concern and, in the same way, (ii) the agreement with the third-party clearly specifies all responsibilities and notification procedures for screening.
20 27 14 Third-Party Assurance 1438.09e2System.4 The service provider protects the company's data with reasonable controls (e.g., policies and procedures) designed to detect, prevent, and mitigate risk.
21 27 14 Third-Party Assurance 1442.09f2System.456 The company employs a service management relationship and process between itself and a third-party to monitor (i) security control compliance by external service providers on an ongoing basis and (ii) network service features and service levels to detect abnormalities and violations.
22 27 14 Third-Party Assurance 1464.09e2Organizational.5 The company restricts the location of facilities that process, transmit or store covered information (e.g., to those located in the United States), as needed, based on its legal, regulatory, contractual and other security and privacy-related obligations.
1 29 15 Incident Management 1501.02f1Organizational.123 Sanctions are fairly applied to employees following violations of the information security policies once a breach is verified, and the sanctions process includes consideration of multiple factors. The company documents the personnel involved in incidents, the steps taken and the timeline associated with those steps, the steps taken for notification, the rationale for discipline, and the final outcome for each incident.
2 29 15 Incident Management 1502.02f1Organizational.4 A list of employees involved in security incidents is maintained with the resulting outcome from the investigation.
3 29 15 Incident Management 1503.02f2Organizational.12 A contact in HR is appointed to handle employee security incidents and notify the CISO or a designated representative of the application of a formal employee sanctions process, identifying the individual and the reason for the sanction.
4 29 15 Incident Management 1504.06e1Organizational.34 Management approves the use of information assets and takes appropriate action when unauthorized activity occurs.
5 28 15 Incident Management 1505.11a1Organizational.13 A formal security incident response program has been established to respond, report (without fear of repercussion), escalate and treat breaches and reported security events or incidents. Organization-wide standards are specified for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting includes notifying internal and external stakeholders, the appropriate community Computer Emergency Response Team, and law enforcement agencies in accordance with all legal or regulatory requirements for involving such organizations in computer incidents.
6 28 15 Incident Management 1506.11a1Organizational.2 There is a point of contact for reporting information security events who is made known throughout the company, always available, and able to provide adequate and timely response. The company maintains a list of third-party contact information, which can be used to report a security incident.
7 28 15 Incident Management 1507.11a1Organizational.4 The company has implemented an insider threat program that includes a cross-discipline insider threat incident handling team.
8 28 15 Incident Management 1508.11a2Organizational.1 The company provides a process/mechanism to anonymously report security issues.
9 28 15 Incident Management 1509.11a2Organizational.236 The incident management program formally defines information security incidents and the phases of incident response; roles and responsibilities; incident handling, reporting and communication processes; third-party relationships and the handling of third-party breaches; and the supporting forensics program. The company formally assigns job titles and duties for handling computer and network security incidents to specific individuals and identifies management personnel who will support the incident handling process by acting in key decision-making roles.
10 29 15 Incident Management 1510.11a2Organizational.47 Reports and communications are made without unreasonable delay and no later than sixty (60) days after the discovery of an incident, unless otherwise stated by law enforcement orally or in writing, and include the necessary elements.
11 29 15 Incident Management 1511.11a2Organizational.5 All employees, contractors and third-party users receive mandatory incident response training to ensure they are aware of their responsibilities to report information security events as quickly as possible, the procedure for reporting information security events, and the point(s) of contact, including the incident response team, and the contact information is published and made readily available.
12 28 15 Incident Management 1512.11a2Organizational.8 Intrusion detection/intrusion prevention system (IDS/IPS) alerts are utilized for reporting information security events.
13 29 15 Incident Management 1513.11a2Organizational.9 The company adheres to the HITECH Act requirements for responding to a data breach (of covered information) and reporting the breach to affected individuals, media, and federal agencies.
14 28 15 Incident Management 1516.11c1Organizational.12 The security incident response program accounts for and prepares the company for a variety of incidents.
15 28 15 Incident Management 1517.11c1Organizational.3 There is a point of contact who is responsible for coordinating incident responses and has the authority to direct actions required in all phases of the incident response process.
16 28 15 Incident Management 1518.11c2Organizational.13 The company formally addresses the purpose, scope, roles, responsibilities, management commitment, coordination among the company's entities and compliance requirements for its incident management program.
17 29 15 Incident Management 1519.11c2Organizational.2 For unauthorized disclosures of covered information, a log is maintained and annually submitted to the appropriate parties (e.g., HHS).
18 29 15 Incident Management 1520.11c2Organizational.4 The incident response plan is communicated to the appropriate individuals throughout the company.
19 28 15 Incident Management 1521.11c2Organizational.56 Testing exercises are planned, coordinated, executed, and documented periodically, at least annually, using reviews, analyses, and simulations to determine incident response effectiveness. Testing includes personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team.
20 29 15 Incident Management 1522.11c3Organizational.13 An incident response support resource, who is an integral part of the company's incident response capability, is available to offer advice and assistance to users of information systems for the handling and reporting of security incidents in a timely manner.
21 29 15 Incident Management 1523.11c3Organizational.24 Incidents are promptly reported to the appropriate authorities and outside parties (e.g., FedCIRC, CERT/CC).
22 29 15 Incident Management 1524.11a1Organizational.5 Workforce members cooperate with federal or state investigations or disciplinary proceedings.
23 29 15 Incident Management 1525.11a1Organizational.6 The company takes disciplinary action against workforce members that fail to cooperate with federal and state investigations.
24 28 15 Incident Management 1539.11c2Organizational.7 Incident response is formally managed and includes specific elements.
25 28 15 Incident Management 1560.11d1Organizational.1 The information gained from the evaluation of information security incidents is used to identify recurring or high-impact incidents, and update the incident response and recovery strategy.
26 28 15 Incident Management 1561.11d2Organizational.14 The company has implemented an incident handling capability for security incidents that addresses (i) policy (setting corporate direction) and procedures defining roles and responsibilities; (ii) incident handling procedures (business and technical); (iii) communication; (iv) reporting and retention; and (v) references to a vulnerability management program.
27 28 15 Incident Management 1562.11d2Organizational.2 The company coordinates incident handling activities with contingency planning activities.
28 28 15 Incident Management 1563.11d2Organizational.3 The company incorporates lessons learned from ongoing incident handling activities and industry developments into incident response procedures, training and testing exercises, and implements the resulting changes accordingly.
29 29 15 Incident Management 1581.02f1Organizational.7 The company ensures individuals are held accountable and responsible for actions initiated under their electronic signatures, to help deter record and signature falsification.
30 28 15 Incident Management 1587.11c2Organizational.10 The incident management plan is reviewed and updated annually.
31 28 15 Incident Management 1589.11c1Organizational.5 The company tests and/or exercises its incident response capability regularly.
1 30 16 Business Continuity & Disaster Recovery 1601.12c1Organizational.1238 The company can recover and restore business operations and restore the availability of information in the time frame required by the business objectives and without a deterioration of the security measures.
2 30 16 Business Continuity & Disaster Recovery 1602.12c1Organizational.4567 The contingency program addresses required capacity, identifies critical missions and business functions, defines recovery objectives and priorities, and identifies roles and responsibilities.
3 30 16 Business Continuity & Disaster Recovery 1603.12c1Organizational.9 Copies of the business continuity plans are distributed to key contingency personnel.
4 30 16 Business Continuity & Disaster Recovery 1604.12c2Organizational.16789 Alternative storage and processing sites are identified (permanent and/or temporary) at a sufficient distance from the primary facility and configured with security measures equivalent to the primary site, and the necessary third-party service agreements have been established (e.g., priority-of-service provisions) to allow for the resumption of information system operations for critical business functions within the time period defined, based on a risk assessment and including Recovery Time Objectives (RTO), in accordance with the company's availability requirements.
5 30 16 Business Continuity & Disaster Recovery 1605.12c2Organizational.2 Emergency power and backup telecommunications are available at the main site.
6 30 16 Business Continuity & Disaster Recovery 1607.12c2Organizational.4 Business continuity planning includes identification and agreement on all responsibilities, business continuity processes, and the acceptable loss of information and services.
7 30 16 Business Continuity & Disaster Recovery 1608.12c2Organizational.5 Business continuity plans are stored in a remote location.
8 30 16 Business Continuity & Disaster Recovery 1609.12c3Organizational.12 Alternate telecommunications services that are sufficiently separated from the primary service provider are established with priority-of-service provisions.
9 31 16 Business Continuity & Disaster Recovery 1616.09l1Organizational.16 Backup copies of information and software are made and tests of the media and restoration procedures are regularly performed at appropriate intervals.
10 30 16 Business Continuity & Disaster Recovery 1617.09l1Organizational.23 A formal definition of the level of backup required for each system is defined and documented including how each system will be restored, the scope of data to be imaged, frequency of imaging, and duration of retention based on relevant contractual, legal, regulatory and business requirements.
11 31 16 Business Continuity & Disaster Recovery 1618.09l1Organizational.45 The backups are stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site, and reasonable physical and environmental controls are in place to ensure their protection at the remote location.
12 31 16 Business Continuity & Disaster Recovery 1619.09l1Organizational.7 Inventory records for the backup copies, including content and current location, are maintained.
13 31 16 Business Continuity & Disaster Recovery 1620.09l1Organizational.8 When the backup service is delivered by the third-party, the service level agreement includes the detailed protections to control confidentiality, integrity and availability of the backup information.
14 31 16 Business Continuity & Disaster Recovery 1621.09l2Organizational.1 Automated tools are used to track all backups.
15 31 16 Business Continuity & Disaster Recovery 1622.09l2Organizational.23 The integrity and security of the backup copies are maintained to ensure future availability, and any potential accessibility problems with the backup copies are identified and mitigated in the event of an area-wide disaster.
16 31 16 Business Continuity & Disaster Recovery 1623.09l2Organizational.4 Covered information is backed-up in an encrypted format to ensure confidentiality.
17 31 16 Business Continuity & Disaster Recovery 1624.09l3Organizational.12 The company performs incremental or differential backups daily and full backups weekly to separate media.
18 31 16 Business Continuity & Disaster Recovery 1625.09l3Organizational.34 Three generations of backups (full plus all related incremental or differential backups) are stored off-site, and both on-site and off-site backups are logged with name, date, time and action.
19 31 16 Business Continuity & Disaster Recovery 1626.09l3Organizational.5 The company ensures a current, retrievable copy of covered information is available before movement of servers.
20 31 16 Business Continuity & Disaster Recovery 1627.09l3Organizational.6 The company tests backup information following each backup to verify media reliability and information integrity, and at least annually thereafter.
21 30 16 Business Continuity & Disaster Recovery 1634.12b1Organizational.1 The company identifies the critical business processes requiring business continuity.
22 30 16 Business Continuity & Disaster Recovery 1635.12b1Organizational.2 Information security aspects of business continuity are (i) based on identifying events (or sequence of events) that can cause interruptions to the company's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy.
23 30 16 Business Continuity & Disaster Recovery 1666.12d1Organizational.1235 The company creates at a minimum one (1) business continuity plan and ensures each plan (i) has an owner, (ii) describes the approach for continuity, ensuring at a minimum the approach to maintain information or information asset availability and security, and (iii) specifies the escalation plan and the conditions for its activation, as well as the individuals responsible for executing each component of the plan.
24 30 16 Business Continuity & Disaster Recovery 1667.12d1Organizational.4 When new requirements are identified, any existing emergency procedures (e.g., evacuation plans or fallback arrangements) are amended as appropriate.
25 30 16 Business Continuity & Disaster Recovery 1668.12d1Organizational.67 Emergency procedures, manual "fallback" procedures, and resumption plans are the responsibility of the owner of the business resources or processes involved; and fallback arrangements for alternative technical services, such as information processing and communications facilities, are the responsibility of the service providers.
26 30 16 Business Continuity & Disaster Recovery 1669.12d1Organizational.8 The business continuity planning framework addresses a specific, minimal set of information security requirements.
27 31 16 Business Continuity & Disaster Recovery 1699.09l1Organizational.10 Workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of the company's and/or client data on their devices.
1 31 17 Risk Management 1704.03b1Organizational.12 The company performs risk assessments in a consistent way and at planned intervals, or when there are major changes to the company's environment, and reviews the risk assessment results annually.
2 31 17 Risk Management 1705.03b2Organizational.12 The company updates the results of a formal, comprehensive risk assessment every two (2) years, or whenever there is a significant change to the information system or operational environment, assesses a subset of the security controls within every three hundred sixty-five (365) days during continuous monitoring, and reviews the risk assessment results annually.
3 31 17 Risk Management 1706.03bHIPAAOrganizational.3 Risk assessments include the evaluation of multiple factors that may impact security as well as the likelihood and impact from a loss of confidentiality, integrity and availability of information and systems.
4 31 17 Risk Management 1707.03c1Organizational.12 The company uses a formal methodology with defined criteria for determining risk treatments and ensuring that corrective action plans for the security program and the associated the company's information systems are prioritized and maintained; and the remedial information security actions necessary to mitigate risk to the company's operations and assets, individuals, and other organizations are documented.
5 32 17 Risk Management 17100.10a3Organizational.5 The company includes specific security-related requirements in information system acquisition contracts based on applicable laws, policies, standards, guidelines and business needs.
6 33 17 Risk Management 17101.10a3Organizational.6 The company requires the developer of the information system, system component, or information system service to provide specific control design and implementation information.
7 32 17 Risk Management 17120.10a3Organizational.5 The company documents all existing outsourced information services and conducts an organizational assessment of risk prior to the acquisition or outsourcing of information services.
8 32 17 Risk Management 17126.03c1System.6 The company has implemented an integrated control system characterized using different control types (e.g., layered, preventative, detective, corrective, and compensating) that mitigates identified risks.
9 32 17 Risk Management 1713.03c1Organizational.3 The company mitigates any harmful effect that is known to the company of a use or disclosure of PHI by the company or its business associates, in violation of its policies and procedures.
10 31 17 Risk Management 1733.03d1Organizational.1 The risk management program includes the requirement that risk assessments be re-evaluated at least annually, or when there are significant changes in the environment.
11 32 17 Risk Management 1734.03d2Organizational.1 The risk management process is integrated with the change management process within the company.
12 31 17 Risk Management 1735.03d2Organizational.23 Risk assessments are conducted whenever there is a significant change in the environment, or a change that could have a significant impact, and the results of the assessments are included in the change management process, so they may guide the decisions within the change management process (e.g., approvals for changes).
13 32 17 Risk Management 1736.03d2Organizational.4 The company updates the risk assessment before issuing a new formal authorization to operate or within every three (3) years, whichever comes first, or when conditions occur that may impact the security or authorization state of the system.
14 32 17 Risk Management 1737.03d2Organizational.5 The privacy, security and risk management program(s) is (are) updated to reflect changes in risks.
15 32 17 Risk Management 1780.10a1Organizational.1 The company formally addresses the purpose, scope, roles, responsibilities, management commitment, coordination among the company's entities, and compliance with system and information integrity requirements and facilitates the implementation of system and information integrity requirements/controls.
16 32 17 Risk Management 1781.10a1Organizational.23 Information system specifications for security control requirements state that security controls are to be incorporated in the information system, supplemented by manual controls as needed, and these considerations are also applied when evaluating software packages, developed or purchased.
17 32 17 Risk Management 1782.10a1Organizational.4 Security requirements and controls reflect the business value of the information assets involved, and the potential business damage that might result from a failure or absence of security.
18 32 17 Risk Management 1783.10a1Organizational.56 A formal acquisition process is followed for purchased commercial products, and supplier contracts include the identified security requirements.
19 32 17 Risk Management 1784.10a1Organizational.7 Where the security functionality in a proposed product does not satisfy the specified requirement, the risk introduced and associated controls are reconsidered prior to purchasing the product.
20 32 17 Risk Management 1785.10a1Organizational.8 Where additional functionality is supplied and causes a security risk, the functionality is disabled or mitigated through application of additional controls.
21 33 17 Risk Management 1786.10a1Organizational.9 The company requires developers of information systems, components, and developers or providers of services to identify (document) early in the system development life cycle, the functions ports, protocols, and services intended for the company's use.
22 33 17 Risk Management 1787.10a2Organizational.1 Information security and privacy are addressed in all phases of the project management methodology.
23 33 17 Risk Management 1788.10a2Organizational.2 The company has established and appropriately protected secure development environments for system development and integration efforts that cover the entire system development life cycle.
24 33 17 Risk Management 1789.10a2Organizational.3 The company applies information system security engineering principles in the specification, design, development, implementation, and modification of security requirements and controls in developed and acquired information systems.
25 32 17 Risk Management 1790.10a2Organizational.45 The company includes business requirements for the availability of information systems when specifying the security requirements; and, where availability cannot be guaranteed using existing architectures, redundant components or architectures are considered along with the risks associated with implementing such redundancies.
26 33 17 Risk Management 1791.10a2Organizational.6 Specifications for the security control requirements state automated controls will be incorporated in the information system, supplemented by manual controls as needed, as evidenced throughout the SDLC.
27 33 17 Risk Management 1792.10a2Organizational.7814 Information security risk management is integrated into the SDLC, and information security roles and responsibilities are defined for all SDLC phases.
28 32 17 Risk Management 1793.10a2Organizational.91011 The requirement definition phase includes (i) consideration of system requirements for information security and the processes for implementing security, and (ii) data classification and risk to information assets are assigned and approved (signed-off) by management to ensure appropriate controls are considered and the correct project team members are involved.
29 33 17 Risk Management 1794.10a2Organizational.12 When developing software or systems the company performs thorough testing and verification during the development process.
30 33 17 Risk Management 1795.10a2Organizational.13 Independent acceptance testing proportional to the importance and nature of the system is performed both for in-house and for outsourced development to ensure the system works as expected and only as expected.
31 32 17 Risk Management 1796.10a2Organizational.15 Commercial products other than operating system software used to store and/or process covered information undergo a security assessment and/or security certification by a qualified assessor prior to implementation.
32 33 17 Risk Management 1797.10a3Organizational.1 The company develops enterprise architecture with consideration for information security and the resulting risk to the company's operations, assets, and individuals, as well as other organizations.
33 33 17 Risk Management 1798.10a3Organizational.2 The company has developed an information security architecture for the information system.
34 33 17 Risk Management 1799.10a3Organizational.34 The company reviews and updates (as necessary) the information security architecture whenever changes are made to the enterprise architecture, and ensures that planned information security architecture changes are reflected in the security plan and the company's procurements and acquisitions.
1 33 18 Physical & Environmental Security 1801.08b1Organizational.124 Visitor and third-party support access is recorded and supervised unless previously approved.
2 34 18 Physical & Environmental Security 1802.08b1Organizational.3 Areas where sensitive information (e.g., covered information, payment card data) is stored or