Question 1: Does your organization have an up-to-date inventory of ETC and all systems and applications that collect, process, store or transmit it?
Risk Statement 1: There is no policy requiring that your organization maintain an up-to-date inventory of ETC.
The lack of an inventory policy puts the entire security program at risk.
Applicable: Administrative
Risk Statement 2: There are no procedures for maintaining an ETC inventory
If the procedures are not consistent, the ETC inventory cannot be expected to be accurate.
Applicable: Administrative
Risk Statement 3: The inventory of devices that may hold confidential data is incomplete or missing.
Confidential data exists on devices. It is not sufficient to know that a piece of ETC exists; you must know where it is and what controls protect it.
Applicable: Administrative
Risk Statement 4: The inventory of ETC is incomplete or missing.
Any ETC that is not accounted for in an inventory can be lost without detection. This can seriously impact the organization.
Applicable: Administrative
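As an added example that is not part of this assessment, the reconciliation check below shows how an ETC inventory can be compared against what discovery actually finds on the network: devices seen but not inventoried (Risk Statement 4), inventoried devices that are no longer seen, and ETC holders whose recorded controls lack what policy requires (Risk Statement 3). The hostnames, inventory records and discovery result are constructed, and the `REQUIRED_FOR_ETC` set is an assumed policy requirement.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample data: the authoritative inventory of systems that hold ETC
# and the hosts found by a discovery scan. Hostnames and control names are
# placeholders, not from any real environment.
INVENTORY = {
    "ehr-db-01": {"holds_etc": True, "controls": {"disk_encryption", "backup"}},
    "fileshare-02": {"holds_etc": True, "controls": {"backup"}},  # no encryption recorded
    "reception-pc-03": {"holds_etc": False, "controls": set()},
    "old-laptop-07": {"holds_etc": True, "controls": {"disk_encryption"}},  # not seen by discovery
}
DISCOVERED = {"ehr-db-01", "fileshare-02", "reception-pc-03", "unknown-tablet-11"}

# Assumption: policy requires these controls on any device that holds ETC.
REQUIRED_FOR_ETC = {"disk_encryption"}


@dataclass
class ReconciliationReport:
    unaccounted: Set[str]                  # on the network, not in the inventory (RS4)
    not_seen: Set[str]                     # in the inventory, not found by discovery (RS4)
    missing_controls: Dict[str, Set[str]]  # ETC holders lacking a required control (RS3)


def reconcile(inventory: dict, discovered: Set[str],
              required: Set[str] = REQUIRED_FOR_ETC) -> ReconciliationReport:
    """Compare the inventory with what discovery actually found."""
    known = set(inventory)
    gaps = {}
    for host, record in inventory.items():
        if record["holds_etc"]:
            missing = required - set(record["controls"])
            if missing:
                gaps[host] = missing
    return ReconciliationReport(
        unaccounted=discovered - known,
        not_seen=known - discovered,
        missing_controls=gaps,
    )


def report_lines(report: ReconciliationReport) -> List[str]:
    """Render the findings as one line each, for a ticket or audit record."""
    lines = []
    for host in sorted(report.unaccounted):
        lines.append(f"UNACCOUNTED {host}: on the network but not in the ETC inventory")
    for host in sorted(report.not_seen):
        lines.append(f"NOT SEEN {host}: inventoried but not found by discovery")
    for host, missing in sorted(report.missing_controls.items()):
        lines.append(f"CONTROL GAP {host}: holds ETC without {', '.join(sorted(missing))}")
    return lines


if __name__ == "__main__":
    for line in report_lines(reconcile(INVENTORY, DISCOVERED)):
        print(line)
```

Run periodically against the real inventory and a discovery export; every `UNACCOUNTED` line is a device that could be lost without detection, and every `NOT SEEN` line deserves a follow-up before it is written off.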
Question 2: Do you have policies and procedures that are followed to track and document actions that must be taken to close known vulnerabilities and weaknesses?
Risk Statement 1: Policies are not in place that set standards for remediating vulnerabilities when they are found.
Inadequate vulnerability management policies make consistent remediation of risk impossible. Adopt a policy for vulnerability management.
Applicable: Administrative
Risk Statement 2: When vulnerabilities are discovered they are not recorded or evaluated for the risk they pose to the organization.
Failure to correct known security vulnerabilities is a cumulative problem resulting in an increasing level of unknown risk. Adopt procedures that record, evaluate, prioritize and plan remediation of vulnerabilities.
Applicable: Administrative
Risk Statement 3: When vulnerabilities are discovered they are not remediated.
Hackers and malicious insiders often use unremediated known vulnerabilities to gain access to systems. Set standards for vulnerability remediation and track the completion of tasks.
Applicable: Administrative
Risk Statement 4: When vulnerabilities are discovered the actions taken are not documented.
Failure to document vulnerabilities results in a large unknown level of risk and potential waste in repeated remediation actions. Set and follow standards for documenting vulnerabilities.
Applicable: Administrative
Question 3: Is all confidential data present on workstations, mobile devices or mobile media encrypted?
Risk Statement 1: Policies are not present requiring encryption of mobile devices or workstations
Adopt a policy to address protection of data at rest on workstations and mobile devices. Encryption is the best mechanism; regardless of the technology used, policy should specify that measures must be in place to prevent release of ETC in the event of loss or theft.
Applicable: Administrative
Risk Statement 2: Confidential data present on a mobile device is not encrypted or is accessed without authorization
Procedures must be implemented and documented covering data at rest on mobile devices. Lost or stolen mobile devices are one of the most common causes of confidential data breaches. If the data is not encrypted, any time a mobile device falls into the hands of an unauthorized person constitutes a privacy breach.
Applicable: Technical
Risk Statement 3: Confidential data present on a workstation and other accessible equipment in the office is not encrypted and it is stolen
Protection procedures should be documented for non-mobile but accessible devices that contain confidential data. Consider the likelihood of theft where offices or buildings are left unlocked and unattended, members of the workforce are not trustworthy, or physical security is not consistently assured. In these circumstances the theft of office equipment can lead to a breach.
Applicable: Technical
Risk Statement 4: Where unencrypted confidential data is present on a mobile device, procedures are not implemented to effectively track the device, and it is accessed without authorization.
Mobile device tracking and workstation inventories must be implemented and documented wherever confidential data is stored without encryption. If the device is not encrypted and there is no mechanism to ascertain when and where a device disappeared or what it contained, the impact is high.
Applicable: Physical
Question 4: Are new users trained, prior to being given access to ETC, in how to handle ETC and other sensitive information as it is created, maintained and disposed of in conformance with internal policies, REG and other laws?
Risk Statement 1: Policies are not present requiring all personnel with access to ETC or other sensitive data to regularly undergo organizational security training.
Adopt policies that require regular security and privacy training be delivered to each person with access to ETC.
Applicable: Administrative
Risk Statement 2: Procedures are not present to ensure that all personnel are trained in their security responsibilities when handling IT equipment and ETC.
Procedures must be adopted and documented to maintain the consistency of schedule, content, delivery and documentation of security training.
Applicable: Administrative
Risk Statement 3: Regular users of confidential data applications are not trained on how to protect their devices, software and data using strong passwords, encryption, anti-virus and other technology and procedures of the organization.
Training content needs to include the secure operation of technology for all users.
Applicable: Administrative
Risk Statement 4: Users are not trained in how to handle ETC and other sensitive information as it is created, maintained and disposed of in conformance with internal policies, REG and other laws.
Training content must also include the awareness of organizational policies and legal obligations that users must comply with.
Applicable: Administrative
Risk Statement 5: Training of personnel is not tracked to ensure that training for each person has been delivered and kept up to date.
To ensure that the training is administered consistently, documentation of the training history of each user is required.
Applicable: Administrative
Question 5: Are all workstations and servers patched regularly to remove vulnerabilities identified by vendors?
Risk Statement 1: There is no policy requiring and governing security patching for all IT devices.
Policies should be adopted that require security patches to be applied. Risk based decisions can be used in certain circumstances to defer patches where adequate protections have been put in place to minimize the risk.
Applicable: Administrative
Risk Statement 2: There are no written procedures that specify a schedule for applying security patches to all IT devices.
Procedures covering server and workstation security patches should be adopted to set a schedule, assign responsibility and describe how and where the results will be documented. The procedures should provide the level of detail that is appropriate for the skill level of the persons responsible for patching.
Applicable: Technical
Risk Statement 3: Security patches that have been released by the vendor for more than 2 months have not been installed on the organization's servers. The longer they go uninstalled, the more exploits are circulated and the higher the risk.
Schedule scanning for unimplemented security patches. Unpatched software is commonly exploited to install malicious code.
Applicable: Technical
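The following is an added example, not part of this assessment or of any vendor's tooling. It implements the scan recommended for Risk Statement 3: for each server it lists vendor patches that were released more than 60 days before the audit date (an assumed reading of "more than 2 months") and are still not installed, longest overdue first. Patch identifiers, hostnames and dates are constructed placeholders.

```python
from datetime import date, timedelta
from typing import Dict, List, NamedTuple, Set

# Assumption: "more than 2 months" in the risk statement is read as 60 days.
MAX_AGE = timedelta(days=60)


class Patch(NamedTuple):
    patch_id: str
    released: date


class Finding(NamedTuple):
    host: str
    patch_id: str
    days_past_window: int


# Constructed sample data: vendor releases and what each server has installed.
# Patch identifiers, hostnames and dates are placeholders.
RELEASED = [
    Patch("VENDOR-2024-001", date(2024, 1, 10)),
    Patch("VENDOR-2024-002", date(2024, 2, 20)),
    Patch("VENDOR-2024-003", date(2024, 4, 20)),
]
INSTALLED: Dict[str, Set[str]] = {
    "app-srv-01": {"VENDOR-2024-001", "VENDOR-2024-002", "VENDOR-2024-003"},
    "db-srv-02": {"VENDOR-2024-001"},
    "web-srv-03": set(),
}


def overdue_patches(released: List[Patch], installed: Dict[str, Set[str]],
                    as_of: date) -> List[Finding]:
    """One finding per (host, patch) where the patch was released more than
    MAX_AGE before `as_of` and the host still does not have it. Patches
    still inside the window are not reported, so the result is exactly the
    set that has crossed the organization's remediation deadline."""
    findings = []
    for host, have in installed.items():
        for patch in released:
            age = as_of - patch.released
            if patch.patch_id not in have and age > MAX_AGE:
                findings.append(Finding(host, patch.patch_id, (age - MAX_AGE).days))
    # Longest overdue first, then by host, so the report leads with the worst.
    return sorted(findings, key=lambda f: (-f.days_past_window, f.host))


def hosts_out_of_compliance(findings: List[Finding]) -> List[str]:
    """Distinct hosts that have at least one overdue patch."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    audit_date = date(2024, 5, 1)
    findings = overdue_patches(RELEASED, INSTALLED, audit_date)
    for f in findings:
        print(f"{f.host}: {f.patch_id} is {f.days_past_window} days past the {MAX_AGE.days}-day window")
    print("out of compliance:", hosts_out_of_compliance(findings))
```

In practice `RELEASED` comes from the person assigned to track vendor releases (Risk Statement 4) and `INSTALLED` from the patch-management or configuration tool's export; the value of keeping the check this simple is that the two inputs are exactly the records the procedures in Risk Statement 2 require to be documented.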
Risk Statement 4: No one in the organization is assigned to track the release of security patches for software used in the organization.
Ensure that procedures assign responsibility for tracking the release of patches for Operating Systems, Office Software, Browsers, Databases, Network Devices, etc.
Applicable: Technical
Question 6: Does your organization have procedures that ensure anti-virus software is implemented on all devices?
Risk Statement 1: Policies are not present that require up-to-date Anti-virus/Anti-malware software and signatures.
Adopt policies that require all network accessible devices to have anti-virus/anti-malware software installed. Where software is not available for particular devices or would negatively impact required functionality, alternative mitigation should be in place, such as isolating the device in protected networks or otherwise limiting access.
Applicable: Administrative
Risk Statement 2: Anti-Virus maintenance procedures are not documented.
Document the anti-virus procedures so that they can be consistently implemented. This includes the installation and update of software, configuration settings and periodic audit of software and signature versions.
Applicable: Technical
Risk Statement 3: Anti-virus Software is not installed on each computer and smart mobile device.
Install and configure anti-virus according to procedures. Each device must have correct configuration and up to date software and signatures.
Applicable: Technical
Risk Statement 4: Antivirus software is not periodically checked to assure it is working correctly and has up-to-date signatures.
Schedule regular audit of anti-virus software on all devices. Many exploits disable the anti-virus software. This is an important indicator that malware may be present.
Applicable: Technical
Question 7: Do all applications that transmit confidential data encrypt these transmissions to prevent alteration and improper disclosure?
Risk Statement 1: Policies are not in place to require that transmission of ETC over insecure networks (such as the internet) must be encrypted.
A policy must be adopted that requires protection for each transmission of ETC. Where the ETC only travels within networks managed by the organization unencrypted transmissions may be acceptable. However, this should only be allowed if a risk based decision has determined that the likelihood of unauthorized access to the ETC data is minimal. In all cases where data is transmitted outside of the organization's network (via email, web access, file sharing, hosted services or other services that use the internet) the data transmitted should be encrypted using a secure protocol such as SSL, SHTTP, SCP, S-MIME, etc.
Applicable: Administrative
Risk Statement 2: There are no procedures to ensure that ETC is encrypted where required by policy using appropriate encryption.
Documented procedures are necessary to 1) Check that all normal access by the organization's users is protected by SSL or other encryption technologies; and 2) protect ad hoc messages such as email or messaging from being sent without encryption, wherever required by policy.
Applicable: Technical
Risk Statement 3: Applications that transmit confidential data do not encrypt it while en route to its destination over insecure media such as wireless or the internet.
Audit all transmissions for applications that process ETC. Wherever it is not encrypted there is a risk that ETC may be intercepted and accessed. The internet and wireless media have no built-in mechanism to protect the confidentiality or integrity of data. When transmitted over insecure media, there is no assurance that ETC will not be viewed, changed or stored.
Applicable: Technical
Risk Statement 4: Applications that transmit confidential data do not establish the identity of the destination devices or persons using passwords, digital certificates or encrypted keys.
Audit all transmissions of ETC to ensure it is sent to the party intended. When encrypted, the decryption key, password or certificate needs to be only in the hands of the person or device authorized to access the ETC. To establish this, systems generally use 1) a password or phrase that is communicated using a separate medium (e.g. text message), 2) a preshared key or 3) a digital key issued by a certificate authority (e.g. commercial certificate company).
Applicable: Technical
Question 8: Do you have a designated person who is responsible for IT security and privacy?
Risk Statement 1: Policies are not in place to establish roles, responsibilities, accountability and authority for security and privacy.
Adopt a policy establishing roles and responsibilities for security and privacy. A clear chain of command must be established in policy and the organization must have each role clearly defined to prevent lack of coordination in risk management. At minimum it should designate Security Compliance and Privacy Compliance officer(s).
Applicable: Administrative
Risk Statement 2: Responsibility and accountability for implementing privacy and security procedures is not clearly defined.
Assign one or more persons to the roles of Security Compliance and Privacy Compliance Officer as required by policy. Any lack of clarity in policies and procedures regarding who has responsibility and accountability for taking risk management actions will result in increased risk.
Applicable: Administrative
Risk Statement 3: During emergencies, incidents or breaches, lines of authority are not clear, including who has the authority to act.
If not clarified in the Breach or Incident Response Plan, ensure that the role of Incident Manager is defined and filled at all times. During breaches or incidents, the outcomes are highly dependent upon successfully executing plans and standard procedures where they exist. Where they do not exist, the authority to act to prevent further damage is critical. Delegation of authority to lead should be part of any contingency plan and must include risk management decisions relating to ETC.
Applicable: Administrative
Question 9: Are there physical protections and/or an automatic timeout when workstations are not attended to prevent unauthorized use?
Risk Statement 1: Policy doesn't require protection of unattended workstations from viewing or use by unauthorized users.
Adopt a policy that unattended workstations and laptops will be protected from viewing or use by unauthorized viewers. Protections must be effective in the environment of the device. For example, front desk computers should be turned to prevent unauthorized viewing and exam room computers should be locked whenever they are not in use by staff. All computers should have a timeout lock, and laptops should only access ETC where privacy can be assured.
Applicable: Administrative
Risk Statement 2: Authorized users are not trained to lock their workstation whenever they leave it for any reason.
All users must be trained how to protect ETC from unauthorized use. Users must understand that they have responsibility for making sure their workstations or laptops are protected when they are not attended. They should also be trained how to manually lock their computer and encouraged to do so whenever leaving it unattended.
Applicable: Administrative
Risk Statement 3: Workstations are not configured to automatically lock after a short period of time to prevent unauthorized use when not attended by authorized personnel.
All workstations or laptops should have a timeout that locks them after a period without interaction. It should require a password to reopen the device. This is an imperfect but critical last-resort protection.
Applicable: Technical
Risk Statement 4: Workstations that display ETC are physically situated so that they can be viewed by visitors, customers or unauthorized personnel.
Perform an audit of each publicly accessible workstation to make sure it is situated to prevent inadvertent viewing by visitors or other unauthorized persons.
Applicable: Physical
Question 10: Are all users that have access to ETC, including visiting and temporary staff and contractors, required to verify their identity using a documented procedure?
Risk Statement 1: Policy does not require that all persons with access to ETC undergo a background check and provide positive identification.
A policy must be adopted that requires all users to prove their identification using officially accepted documentation and undergo a background check to deny access for those with a history of irresponsible use of ETC.
Applicable: Administrative
Risk Statement 2: Current users with access to confidential data and other sensitive data have not completed a background check and positive identification.
Implementing a policy that requires existing, trusted staff to obtain or undergo an extensive background check can be difficult for organizations. However, it may be appropriate to have a procedure that requires it for staff that have less than a year (or some other period) of experience with the organization and wherever a disciplinary action or policy violation is investigated or a sanction considered.
Applicable: Administrative
Risk Statement 3: New staff, temporary staff and contractors are not subject to direct supervision until they undergo a background check.
Adopt procedures to perform a background and identity check on all new staff as part of due diligence in the hiring process. Temporary staff should be checked depending upon the level of responsibility and access that they are given. Contractors' backgrounds should be covered by a Business Associate Agreement wherever the contractor is given access to ETC, and BAAs should be written to give the organization access to the user's background investigation.
Applicable: Physical
Question 11: Do you have a password policy and standards that forbid sharing of accounts and requires periodic password changes, minimum password length and non-alphanumeric characters?
Risk Statement 1: There is no policy governing password creation, strength, management and expiration.
Password policy must be adopted to set standards for password complexity, change and confidentiality and ensure that the administrative procedures, training and enforcement are mandated.
Applicable: Administrative
Risk Statement 2: Passwords are not of adequate complexity to prevent brute force password cracking (e.g. min 8 char, upper, lower case and number or symbol).
Procedures should be adopted to implement complexity standards. Technical enforcement should be applied where available, staff should be trained to meet these standards and some means of monitoring adherence should be implemented.
Applicable: Technical
Risk Statement 3: Passwords are not required to change periodically (e.g. every 90 days).
Automatic controls must be set to force periodic changes of passwords in conformance with a policy.
Applicable: Technical
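Added example for Risk Statements 2 and 3 above, not part of this assessment: a complexity check usable as the technical enforcement point when a password is set, applying the stated minimums (8 characters, upper and lower case, and a digit or symbol), together with a periodic audit that lists accounts whose last password change is older than 90 days. The thresholds are assumptions about the organization's policy; the user names and change dates are constructed, and the audit reads only change timestamps, never stored passwords.

```python
import re
from datetime import date, timedelta
from typing import Dict, List

# Thresholds taken from the risk statements above; both are assumptions
# about the organization's policy, not values from any real system.
MIN_LENGTH = 8
MAX_AGE = timedelta(days=90)


def complexity_violations(candidate: str) -> List[str]:
    """Check a candidate password at set time. Returns the rules it fails
    (an empty list means it meets the complexity standard)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower-case letter")
    # A digit or any non-alphanumeric character satisfies the last rule.
    if not re.search(r"[0-9]|[^A-Za-z0-9]", candidate):
        problems.append("no digit or symbol")
    return problems


def expired_accounts(last_changed: Dict[str, date], as_of: date) -> List[str]:
    """Periodic audit: users whose last password change is older than MAX_AGE.
    Only change timestamps are read; no stored passwords are involved."""
    return sorted(user for user, changed in last_changed.items()
                  if as_of - changed > MAX_AGE)


# Constructed sample directory data (placeholder user names and dates).
LAST_CHANGED = {
    "alice": date(2024, 3, 1),
    "bob": date(2024, 4, 15),
    "carol": date(2023, 12, 1),
}

if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "password", "Ab1", "ABCDEFGH"):
        print(pw, "->", complexity_violations(pw) or "ok")
    print("expired as of 2024-05-01:", expired_accounts(LAST_CHANGED, date(2024, 5, 1)))
```

Returning the list of failed rules, rather than a bare true/false, gives the user actionable feedback at set time and gives the monitoring procedure a record of which standard was missed.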
Risk Statement 4: Passwords and user accounts may be shared with other users.
Train users to keep all passwords and account information private. No shared accounts should be created or allowed.
Applicable: Technical
Question 12: Do you have policies and procedures that specify how confidential data should be handled when physically transported out of the facility in media?
Risk Statement 1: There is no policy that establishes how ETC will be protected when it is physically transported out of the facility in mobile devices or media (jump drives, CDs, DVDs, etc).
Policy must establish under what circumstances ETC can be transported physically on devices. This must both set standards for protection (such as encryption) as well as require tracking of the ETC to ensure that the organization can account for where it has been and who is responsible for its physical location.
Applicable: Administrative
Risk Statement 2: Procedures are not present for staff to follow whenever ETC is transported out of the facility in mobile devices or media.
Procedures must be implemented and documented to establish protection of data when it is transported out of the facility in mobile devices or media. The procedures should include encryption, handling, physical protections (e.g. locks), tracking, training and anything that helps provide assurance that ETC is not accessed without authorization.
Applicable: Physical
Risk Statement 3: Staff and all other users of confidential data are not trained in secure handling of devices that contain confidential data when transported outside of the facility.
Training should be conducted for each person who uses mobile devices or media to ensure that they understand policies and procedures that must be implemented to protect ETC.
Applicable: Physical
Risk Statement 4: Devices that contain unencrypted confidential data are not signed out and in, or otherwise tracked, to ensure the security and privacy of the confidential data is accounted for at all times.
A procedure must be implemented to track any unencrypted ETC that leaves the organization's facilities. At all times an individual must be responsible and accountable for the protection of the ETC.
Applicable: Physical
Question 13: Is access to IT accounts removed within 24 hours of termination for outgoing employees?
Risk Statement 1: Policies don't set standards for closing all IT accounts upon termination or severance of employees or other users.
Policy must make clear that all IT accounts must be closed for departing or terminated users and designate the time by which this is accomplished. The best practice is immediate closure of all IT accounts at the time of termination.
Applicable: Administrative
Risk Statement 2: The procedures aren't in place to confirm that a termination process results in closure of all IT accounts.
Procedures must be documented to enforce the policy on closure of IT accounts upon termination or severance. Since hiring and termination are HR functions, HR processes should be aligned to enforce the security policy.
Applicable: Administrative
Risk Statement 3: When a person leaves the organization IT accounts are not closed and credentials, keys badges, etc. returned or destroyed within 24 hours.
Documentation must be collected to show that each token, account or credential that provided the user with access is returned, destroyed or disabled upon termination.
Applicable: Technical
Question 14: Do you have procedures to ensure that external users of your electronic ETC are given access only as required and permitted by REG and other applicable laws?
Risk Statement 1: A policy is not present that directs all access and use of ETC by external users (including contractors, temporary workers etc.) to be compliant with REG security and privacy rules as well as any other laws that are applicable.
Policy must be adopted that states that the organization will only grant access to ETC within the limitations set forth in the REG Privacy Rule. It should explicitly require temporary or other non-staff users to meet these requirements.
Applicable: Administrative
Risk Statement 2: When external users are given access to confidential data it is not limited to the subject and information permitted by the REG privacy rule, or not limited to the duration necessary for a permitted activity.
Procedures must define what data the individual is authorized to access and the duration of that authorization. Unlike staff, whose employment ends in a process mediated by HR, temporary or contractor users should have a prearranged time limit on their accounts based on the expected duration of their access needs.
Applicable: Administrative
Risk Statement 3: An external user is given an account with access to the organization's confidential data without evaluating the need.
Documentation must be collected showing the clause of the REG Privacy Rule under which the external user is granted access to ETC.
Applicable: Administrative
Risk Statement 4: Business Associates' staff are given access to IT accounts without a Business Associate Agreement that specifies what protections will be in place binding their behavior and use of the ETC.
Where access to the organization's ETC is granted to a Business Associate, a BAA must be in place that holds the Business Associate accountable for its users and for the protection of the ETC while it is under the protection of the Business Associate.
Applicable: Administrative
Question 15: Do you have a facility security plan that establishes restricted access areas?
Risk Statement 1: A Facilities or Physical Security Plan is not required by policy.
Policy should require a plan be adopted to establish physical security controls that protect confidential data in the facility.
Applicable: Administrative
Risk Statement 2: A facilities plan does not designate restricted access areas where confidential data can be physically protected from unauthorized personnel.
The facility or physical security plan should identify what areas are only accessible to authorized personnel and who those persons are. It also should have a procedure for establishing who has access to these restricted areas.
Applicable: Physical
Risk Statement 3: Personnel without authorization are not supervised in restricted areas.
The physical security plan should be updated to address supervision of unauthorized personnel when they are in the restricted areas. To keep restricted area management from being a burden on the organization, it is acceptable to allow unauthorized personnel into restricted spaces as long as they have adequate supervision.
Applicable: Physical
Risk Statement 4: Access keys and tokens are not tracked and accounted for to prevent unauthorized access to restricted areas.
Procedures must be implemented to account for all access keys and tokens that have been given to staff or other personnel if they allow access to ETC. Each person who has been given a key or token should be documented and a tracking process documented and implemented that allows access to be revoked as needed.
Applicable: Physical
Question 16: Is a policy implemented that specifies what kinds of websites, data and applications a user is prohibited or permitted to access from workstations, mobile devices, servers or other IT equipment?
Risk Statement 1: There is no policy that establishes standards of behavior for IT users.
Adopt a policy defining acceptable rules of behavior for staff use of IT equipment, software and data. Without a policy, users can misuse IT services and internet access without any consequences. A policy should set standards of behavior, require training of users in acceptable use and establish that enforcement of the policy will include potential sanctions.
Applicable: Administrative
Risk Statement 2: Staff are not trained in computer hygiene and cannot be relied upon to use good judgement and due caution in usage of the internet.
Train all users to know what kinds of web sites, applications and practices are prohibited and which ones should only be accessed with permission from the Compliance Officer.
Applicable: Administrative
Risk Statement 3: Users do not know who they should inform if they suspect that their computer or device has been infected by malicious code from a web site or email.
Train all users to identify and promptly report security incidents resulting from internet services such as web, email or streaming.
Applicable: Administrative
Question 17: Does your organization have a security risk assessment that has been conducted in the last 24 months and policies that require it to be kept up-to-date?
Risk Statement 1: The organization has no policy requiring that a Risk Assessment must be done on a regular basis.
Adopt a policy that requires the organization to conduct a periodic Risk assessment. It should be updated once a year.
Applicable: Administrative
Risk Statement 2: The organization has not conducted a risk assessment and has no objective way of determining if security risks are being addressed.
Conduct a Risk Assessment. Risk assessments help establish what protections are missing or not functioning in the security program. In security, the weakest link has the greatest risk of failure.
Applicable: Administrative
Risk Statement 3: The most recent risk assessment is more than 2 years old.
Reassess your risk. Changes to systems, data, people, missing documentation, vulnerabilities and external threats all gradually undermine the accuracy of the previous risk assessment.
Applicable: Administrative
Risk Statement 4: A recent risk assessment has been done but the recommendations identified in it have not been acted upon.
Create a risk remediation plan to manage and track the implementation of risk management actions that address the findings of each risk assessment. Risk assessment is the first step in risk management. Unless the recommendations are implemented there is no decrease in the overall risk to the business.
Applicable: Administrative

Question 18: Do you have up-to-date signed Business Associate Agreements?
Risk Statement 1: Organizational policy does not require that a REG-compliant Business Associate Agreement (BAA) be signed with each Business Associate.
Adopt a Business Associate Policy. All business associates (persons or organizations who store and process ETC on behalf of the Organization) must be covered by a BAA.
Applicable: Administrative
Risk Statement 2: Confidential data is shared with a Business Associate without a written contract.
Implement and document procedures to ensure that ETC is not shared with or processed by external organizations unless in accordance with 45 CFR 164.502a. BAAs are required except where the exemptions are noted in REG (e.g. Treatment, Plan sponsor, laboratory).
Applicable: Administrative
Risk Statement 3: The Business Associate Agreement (BAA) covering the security of shared ETC is not adequate to guarantee that the Business Associate meets data protection and breach reporting standards required by REG.
Adopt a template for the Business Associate Agreement that is known to be compliant with the REG security and privacy rules. Where significant deviations from this template are to be requested, include procedures to review alternative BAAs to ensure compliance.
Applicable: Administrative
Risk Statement 4: The Business Associate Agreement does not ensure that the security protection requirements bind any subcontractors of the Business Associate.
Ensure that the BAA contains a clause that binds subcontractors of the BA to the same protection as the BA.
Applicable: Administrative
Risk Statement 5: The Business Associate Agreement does not ensure that the Business Associate can be audited, inspected or otherwise required to prove the effectiveness of security risk management.
Ensure that the BAA includes language permitting the audit or inspection of security and privacy controls. A critical element of the BAA is the right of the organization to audit or inspect the security controls that are required by it.
Applicable: Administrative

Question 19: Do you have policies and procedures to grant or revoke access to ETC based on defined roles within the organization and minimum necessary requirements of the REG Privacy Rule?
Risk Statement 1: Policies consistent with the restrictions defined in REG, defining how permissions are granted or revoked in the organization, have not been adopted.
Adopt policies that require consistent procedures that grant, maintain and revoke access to ETC consistent with the restrictions in REG.
Applicable: Administrative
Risk Statement 2: A standard procedure is not documented for granting, maintaining and revoking users' access privileges based on the exceptions authorized by REG.
Document procedures to grant, maintain and revoke user access rights to ETC. REG allows access to a user's confidential data for service, billing and operations of the covered entity. In addition, permission can be granted explicitly in writing by the user for other uses. The procedures must track the right granted to the user and assign the justification for that right.
Applicable: Administrative
Risk Statement 3: A user's access is not revoked or revised when he/she leaves the organization or changes job function.
Document the revocation of accounts, credentials, keys and tokens upon departure of staff and others with access to ETC. Timely revocation of access to ETC is a critical security/privacy requirement. Any delay in removing accounts is a risk to system accountability.
Applicable: Administrative
Risk Statement 4: A periodic review of user privileges is not done to ensure that access is restricted in compliance with REG regulations.
Schedule a periodic review of user rights. Organizations must periodically audit, review and purge user accounts to prevent unauthorized access.
Applicable: Administrative

Question 20: Do you have an incident response policy and procedures to govern security and privacy incidents and breaches?
Risk Statement 1: There is no policy requiring a plan be in place to evaluate the criticality of security incidents and how to respond to them.
A policy should be adopted that requires the creation of a plan that guides the identification of, and response to, suspicious security events and breaches.
Applicable: Administrative
Risk Statement 2: In the event of a security incident or a privacy breach there is no guidance to direct actions that need to be taken by the organization's staff.
The Response Plan for incidents and breaches must be written to manage the processes of identification, categorization, response, mitigation, closure, roles, responsibilities, reporting and analysis of security and privacy incidents.
Applicable: Administrative
Risk Statement 3: In the event of a breach, there is no REG compliant plan established to determine when and how authorities and users must be notified.
Ensure the Response plan specifies and documents a reporting procedure that is compliant with REG and all other applicable regulations.
Applicable: Administrative
Risk Statement 4: Incident and breach response actions are not coordinated or evaluated to determine whether the response is or was effective at containing, mitigating and reporting the loss.
Update the Response Plan to ensure that a post-incident analysis is done to mitigate any causative factors and prevent or minimize the impact of future security and privacy incidents.
Applicable: Administrative

Question 21: Do you have procedures that must be followed to ensure the destruction of all confidential data that may still be present on electronic equipment when decommissioning or repurposing?
Risk Statement 1: The organization does not have a policy that requires evaluation of all devices prior to repurpose or disposal to identify the presence of ETC and render it totally unreadable.
Policy should be adopted to ensure that ETC present on any device is completely removed or totally destroyed before the device is reused or disposed of.
Applicable: Administrative
Risk Statement 2: Procedures are not available to prepare devices for resale, disposal or reuse in conformance with REG and policy.
Procedures should cover the various types of devices that may be encountered, the evaluation methodology and the acceptable ETC destruction methods. They should also specify the records that must be kept to track the disposal of devices.
Applicable: Physical
Risk Statement 3: Unencrypted storage media present in laptops, workstations, thumb drives, USB disks, printers, network devices, etc. are sold, given away or thrown away without being rendered unreadable by a secure data destruction program or physical destruction process.
Document the proper evaluation and disposal of all electronic equipment and media. Most networked devices and computer peripherals contain storage that may contain residual ETC if not carefully deleted, scrubbed or destroyed using a verified procedure. Of special concern are network devices, printers and other devices that appear to be "dumb" but have the ability to store data.
Applicable: Physical

Question 22: Does your organization have a sanction policy and procedures to address intentional and/or negligent policy violations?
Risk Statement 1: There is no policy that holds staff responsible for violations of the organization's policy and mandates a procedure for applying sanctions for policy violations.
Adopt a policy that establishes roles, responsibilities and procedures governing violations of organizational policies. When staff willfully or negligently violate policy, the process for determining sanctions must have already been defined.
Applicable: Administrative
Risk Statement 2: The organization has no predetermined official procedures that govern how violations of policy are to be addressed.
The violations and sanctions procedures must be documented to provide a credible and consistent deterrent.
Applicable: Administrative
Risk Statement 3: Users are unaware of the consequences for failure to adhere to the security policies.
Incorporate staff training in the sanctions procedures so that consequences are known to users.
Applicable: Administrative
Risk Statement 4: Users who hide or assist violations by other users do not face sanctions.
Incorporate staff training in the sanctions procedures so that consequences are known to users.
Applicable: Administrative

Question 23: Do you have an up-to-date Contingency Plan that documents the procedures to maintain and restore access while responding to disasters and emergencies?
Risk Statement 1: IT Security has not been incorporated into Business Contingency Planning.
The contingency plan must be updated to identify and reconcile the competing interests of confidentiality, integrity and availability in advance of contingency events. Failure to plan for this can result in dangerous lapses in treatment or unnecessary breach of privacy. The contingency plan should assure continuity of service, maintain integrity of the critical data and, to the best extent possible, maintain the privacy of users.
Applicable: Administrative
Risk Statement 2: Contingency Plans do not address how access to critical data resources will be maintained during disasters, emergencies or other disruption to operations.
The contingency plan must be updated to identify and reconcile the competing interests of confidentiality, integrity and availability in advance of contingency events. A critical requirement is to maintain access to critical data. This should be reflected as a primary goal of the contingency plan.
Applicable: Administrative
Risk Statement 3: Contingency Plans do not address how critical data resources will be protected from unauthorized access during disasters, emergencies or other disruption to operations.
The contingency plan must be updated to identify and reconcile the competing interests of confidentiality, integrity and availability in advance of contingency events. In contingencies many of the security controls used to protect the confidentiality of user data may not work. The plan should anticipate the loss of security controls and identify alternative strategies to prevent unauthorized access to ETC.
Applicable: Administrative

Question 24: Do you have a policy and procedures to monitor administrative access to applications that process confidential data and detect unauthorized changes to system configuration?
Risk Statement 1: Policies do not limit the administrator's right to make undocumented changes to IT systems and applications.
Policy should be adopted to require logging of administrative changes and prohibit changes to logs by administrators. Best practice is to log administrative changes to an external log management device on which the administrator does not have write access.
Applicable: Administrative
Risk Statement 2: There are no procedures to periodically review the access to ETC and other sensitive data by administrators.
Document the log review procedures. These should include configuration of systems to prevent their manipulation after the fact by administrators.
Applicable: Administrative

Question 25: Do you periodically review & validate the access rights to confidential data that are currently granted to users?
Risk Statement 1: Policy does not require a periodic review of all accounts.
A policy should be adopted to require a scheduled review of user accounts for all systems and applications that process, transmit or store confidential data or other sensitive information.
Applicable: Administrative
Risk Statement 2: There is no procedure and schedule to ensure that the accounts for applications and systems that access ETC and other sensitive data are active only for current users who have the necessary functional roles.
Document procedures and a schedule to review access rights of all users.
Applicable: Administrative
Risk Statement 3: A change from one functional role to another role (e.g. billing to clinical) does not result in removal of the rights granted for the previous role.
Conduct a review of user rights. When users change jobs within an organization or access rights are revised, the previous authorization should be reviewed and where appropriate, revoked.
Applicable: Administrative
Risk Statement 4: Mistakes in granting access rights are not identified and corrected after the mistake has been made.
Conduct a review of user rights. There should be controls to detect mistakes in granting users rights to confidential data. Perform a root cause analysis on persistent problems.
Applicable: Administrative
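The review that Question 25 (and Risk Statements 3 and 4 of Question 19) call for can be made repeatable by reconciling an application's account export against the HR roster and a role-to-entitlement matrix. The following Python script is an added illustration, not part of the assessment text or any organization's tooling: the roster, the role matrix, the account export and the field names are all constructed assumptions, and the four finding kinds are the example's own choice. It flags terminated staff who still hold accounts, accounts with no HR record, rights carried over from a previous role and rights missing for the current role.

```python
"""Periodic user-rights review: reconcile application accounts against the HR
roster and a role-to-entitlement matrix.

Added illustration, not from the assessment text. Every data set below is
constructed and the role matrix is an assumption; an organization defines its own.
"""
from dataclasses import dataclass, field

# Constructed role -> entitlement matrix (assumed).
ROLE_ENTITLEMENTS = {
    "billing":   {"billing.read", "billing.write"},
    "clinical":  {"records.read", "records.write"},
    "frontdesk": {"records.read", "scheduling.write"},
}

# Constructed HR roster: user -> (current role, employment status).
HR_ROSTER = {
    "alice": ("clinical", "active"),
    "bob":   ("billing", "active"),      # moved from clinical to billing last quarter
    "carol": ("frontdesk", "terminated"),
    "dave":  ("frontdesk", "active"),
}

# Constructed account export from the application: user -> granted entitlements.
ACCOUNT_EXPORT = {
    "alice": {"records.read", "records.write"},
    "bob":   {"billing.read", "billing.write", "records.read", "records.write"},
    "carol": {"records.read", "scheduling.write"},
    "dave":  {"records.read", "scheduling.write", "billing.write"},
    "erin":  {"records.read"},           # no HR record at all
}


@dataclass
class Finding:
    user: str
    kind: str            # "terminated", "unknown_user", "excess_rights" or "missing_rights"
    detail: frozenset = field(default_factory=frozenset)


def review_access(roster, accounts, role_matrix):
    """Compare every account against the roster and the rights its role allows."""
    findings = []
    for user, granted in sorted(accounts.items()):
        if user not in roster:
            # An account with no HR record cannot be justified; revoke and investigate.
            findings.append(Finding(user, "unknown_user", frozenset(granted)))
            continue
        role, status = roster[user]
        if status != "active":
            # Departed staff: every remaining right is a revocation that was missed.
            findings.append(Finding(user, "terminated", frozenset(granted)))
            continue
        expected = role_matrix[role]
        excess = granted - expected          # rights left over from a previous role or granted in error
        missing = expected - granted         # rights the current role needs but lacks
        if excess:
            findings.append(Finding(user, "excess_rights", frozenset(excess)))
        if missing:
            findings.append(Finding(user, "missing_rights", frozenset(missing)))
    return findings


def summarize(findings):
    """Count findings by kind, for the review record."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts
```

Excess rights that persist review after review (here bob still carries clinical rights after moving to billing) are the signal for the root cause analysis Risk Statement 4 asks for: the provisioning procedure is adding rights without removing the old ones.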

Question 26: Are successful and unsuccessful logins recorded and checked in applications that handle confidential data?
Risk Statement 1: Policy does not require the recording and review of successful and unsuccessful login events.
A policy must be adopted that requires systems and applications that process, store or transmit ETC and other sensitive data to record successful and unsuccessful login events. It must also require that these logs be reviewed to identify suspicious events.
Applicable: Administrative
Risk Statement 2: There is no review process of unsuccessful and successful attempts at logging into systems that process, transmit or store confidential data.
A review process should be documented specifying the review schedule, the kinds of events that should be reported and the person who is responsible for the review.
Applicable: Technical
Risk Statement 3: A persistent attempt to guess passwords will not be detected because repeated failed logins are not recorded or reviewed.
Review and correct the log configuration and review process to ensure that brute force attacks against user credentials are detected. If review is not done regularly, brute force password guessing software may be successfully used against your organization.
Applicable: Technical
Risk Statement 4: Successful logins are not recorded and/or improper access to ETC outside of working hours goes undetected.
Review and correct the log configuration and review process to ensure that suspicious access times and dates are detected and investigated. Login reviews also can sometimes detect insider misuse of sensitive data.
Applicable: Technical
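As an added illustration of the review called for by Risk Statements 3 and 4 of Question 26 (this script is not part of the assessment text or any product), the Python below reads constructed login records and produces the three findings a reviewer would want queued: repeated failures by one account inside a short window, a successful login by that account after the burst began, and successful logins outside working hours. The log layout (timestamp, outcome, user, source address), the sample events, the failure threshold and the working-hours window are all constructed or assumed; an organization sets the thresholds from its own policy.

```python
"""Login event review for systems that handle confidential data.

Added illustration, not part of the assessment text. The log layout, the sample
events, the failure threshold and the working-hours window are constructed or
assumed values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line: timestamp, outcome, user, source address.
SAMPLE_LOG = """\
2024-03-04T09:02:11 SUCCESS alice 10.1.4.20
2024-03-04T09:05:43 FAILURE bob 10.1.4.31
2024-03-04T09:05:50 FAILURE bob 10.1.4.31
2024-03-04T09:05:58 FAILURE bob 10.1.4.31
2024-03-04T09:06:05 FAILURE bob 10.1.4.31
2024-03-04T09:06:12 FAILURE bob 10.1.4.31
2024-03-04T09:06:30 SUCCESS bob 10.1.4.31
2024-03-04T14:12:00 FAILURE carol 10.1.4.40
2024-03-04T23:47:19 SUCCESS dave 10.1.4.55
2024-03-05T03:15:02 SUCCESS alice 203.0.113.9
"""

FAILURE_THRESHOLD = 5                  # failures by one account inside the window (assumed)
FAILURE_WINDOW = timedelta(minutes=10)
WORK_START, WORK_END = 7, 19           # 07:00 to 19:00 counts as working hours (assumed)


def parse_events(text):
    """Turn the log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user, src = line.split()
        events.append({"time": datetime.fromisoformat(ts), "outcome": outcome,
                       "user": user, "src": src})
    return events


def find_failure_bursts(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """(user, burst start, count) for each account with at least `threshold`
    failures inside a sliding window; this is what password guessing looks like."""
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "FAILURE":
            failures[e["user"]].append(e["time"])
    bursts = []
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((user, times[start], end - start + 1))
                break                                    # one finding per account
    return bursts


def find_success_after_burst(events, bursts):
    """Successful logins by an account after its failure burst began: the
    guessing may have succeeded, so these are investigated first."""
    started = {user: start for user, start, _ in bursts}
    return [(e["user"], e["time"], e["src"]) for e in events
            if e["outcome"] == "SUCCESS" and e["user"] in started
            and e["time"] > started[e["user"]]]


def find_after_hours(events, work_start=WORK_START, work_end=WORK_END):
    """Successful logins outside the working-hours window."""
    return [(e["user"], e["time"], e["src"]) for e in events
            if e["outcome"] == "SUCCESS" and not (work_start <= e["time"].hour < work_end)]


def review(text=SAMPLE_LOG):
    """Run all three checks and return the findings for the reviewer."""
    events = parse_events(text)
    bursts = find_failure_bursts(events)
    return {"failure_bursts": bursts,
            "success_after_burst": find_success_after_burst(events, bursts),
            "after_hours": find_after_hours(events)}
```

On the constructed data the review flags bob's five failures in under a minute followed by a success, and the late-night logins by dave and alice. The after-hours check is deliberately simple (hour of day only); a real review would also compare the source address against the account's usual locations, which is how the insider misuse mentioned in Risk Statement 4 tends to surface.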

Question 27: Do the applications record the history of access and changes to confidential data for users and are these logs regularly examined to detect improper access or modification?
Risk Statement 1: There is no policy to require logging and review of the access of ETC by users.
A policy should be adopted specifying that all applications must log user access to confidential data and that the logs must be periodically reviewed.
Applicable: Administrative
Risk Statement 2: Applications that provide access to confidential data are not configured to log user access, or, if they are, there is no procedure and schedule for reviewing these logs.
Documented procedures should provide enough detail to ensure that the policy requirements are met consistently and according to a predefined schedule.
Applicable: Technical
Risk Statement 3: In the event of a request from a user, the record of access to the user's file cannot be produced as required by law.
A procedure should be documented to meet the REG requirement that the organization be able to provide users with a record of all access to their files except as allowed by REG. The impact of non-compliance can be substantial in the form of fines and legal liability.
Applicable: Administrative
Risk Statement 4: Changes to user records or other confidential data cannot be accounted for to ensure integrity.
Configure application logging to record who made the change and what the change was. Change logs should be reviewed periodically for suspicious changes.
Applicable: Technical
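Risk Statement 4 of Question 27 asks that change logs record who made a change and what it was, and Question 24 asks that administrators be prevented from manipulating logs after the fact. The Python class below is an added illustration (not from the assessment text or any application) of a change audit record that satisfies the first and makes violations of the second detectable: each entry holds the actor, the record and a field-level before/after diff, and entries are chained with SHA-256 so that editing or deleting an earlier entry breaks verification. The hash chaining is the example's own choice, added beyond what the text specifies; it complements, rather than replaces, shipping logs to an external log server where administrators lack write access. The sample records are constructed.

```python
"""Change audit log for confidential records: who changed what, field by field,
chained by hash so that after-the-fact edits are detectable on review.

Added illustration, not from the assessment text. The record layout and the
hash chain are the example's own choices; the sample records are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64     # previous-hash value for the first entry


class ChangeLog:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, body):
        # Canonical JSON so that the same body always hashes the same way.
        data = prev_hash + json.dumps(body, sort_keys=True)
        return hashlib.sha256(data.encode()).hexdigest()

    def record_change(self, actor, record_id, before, after, when=None):
        """Append an entry holding only the fields whose values differ."""
        diff = {k: {"before": before.get(k), "after": after.get(k)}
                for k in sorted(set(before) | set(after)) if before.get(k) != after.get(k)}
        body = {"seq": len(self.entries), "actor": actor, "record": record_id,
                "time": (when or datetime.now(timezone.utc)).isoformat(), "diff": diff}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"body": body, "hash": self._digest(prev, body)})
        return body

    def verify(self):
        """Recompute the chain; return (True, None) or (False, index of first bad entry).
        A rewritten body, a re-ordered entry or a deleted entry all break the chain."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["body"]["seq"] != i or self._digest(prev, entry["body"]) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None

    def changes_by(self, actor):
        """Entries made by one actor, for the periodic review of changes."""
        return [e["body"] for e in self.entries if e["body"]["actor"] == actor]


def demo():
    """Record two constructed changes, then show that silently rewriting the
    first one is caught by verify()."""
    log = ChangeLog()
    t = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)
    log.record_change("nurse.j", "rec-1001",
                      {"dob": "1980-01-01", "phone": "555-0100"},
                      {"dob": "1980-01-01", "phone": "555-0199"}, when=t)
    log.record_change("admin.k", "rec-1001",
                      {"dob": "1980-01-01", "phone": "555-0199"},
                      {"dob": "1981-01-01", "phone": "555-0199"}, when=t)
    intact = log.verify()
    # An administrator rewrites the first entry to hide the phone change.
    log.entries[0]["body"]["diff"]["phone"]["after"] = "555-0100"
    tampered = log.verify()
    return intact, tampered
```

The reviewer's routine is then two calls: verify() before reading anything, and changes_by() per privileged account to look for changes that no ticket or user request explains.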

Question 28: In the last 12 months have you tested your ability to restore your business critical applications from a backup in the event of an emergency?
Risk Statement 1: Policy is not in place requiring regular tests to assure successful restoration of critical data and applications from backup media.
Policy must specify that critical applications and data must be identified, procedures documented to create backup copies of these resources, and periodic tests conducted to show that the backup media can be restored in the event of emergencies or disasters. A backup strategy should also be required that provides for relocation of the IT services in the event of damage to the production systems.
Applicable: Administrative
Risk Statement 2: Procedures are not documented to identify the critical resources for backup, to restore backups and test the restoration process.
Documented procedures should meet the policy requirements and give satisfactory assurance that emergencies will not cause a loss of user data or a lapse in its availability.
Applicable: Technical
Risk Statement 3: Backup media cannot be restored, leaving the organization without critical data or applications.
Conduct and document testing to show that the restore procedure will provide viable critical data and applications in the event of a disaster.
Applicable: Technical
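The restore test Risk Statement 3 of Question 28 asks for is only evidence if it restores to a fresh location and compares the result with the original. The Python script below is an added illustration, not part of the assessment text or any backup product: it backs up a small data set constructed in a temporary directory, writes a checksum manifest beside the archive, restores the archive somewhere else, and returns a test record that says whether every file came back intact. The directory layout, file names and the tar-plus-manifest format are the example's own assumptions; in real use the source would be the production backup set and the record would be filed with the other security records.

```python
"""Backup restore test: back up a data set, restore it to a fresh location, and
prove file by file that the restored copy matches the original.

Added illustration, not from the assessment text. The data set is constructed
in a temporary directory and the archive format is the example's own choice.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def checksums(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write a compressed tar of source plus a checksum manifest beside it."""
    manifest = checksums(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    archive.with_name(archive.name + ".manifest.json").write_text(
        json.dumps(manifest, sort_keys=True))
    return manifest


def restore_backup(archive: Path, target: Path) -> None:
    """Extract the archive into target, refusing any entry that is not a plain
    file or directory or that would land outside the restore directory."""
    target.mkdir(parents=True, exist_ok=True)
    base = target.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            dest = (target / member.name).resolve()
            if not (member.isfile() or member.isdir()) or not dest.is_relative_to(base):
                raise ValueError(f"refusing to restore archive entry {member.name!r}")
            tar.extract(member, target)


def run_restore_test(source: Path, workdir: Path) -> dict:
    """Back up source, restore it elsewhere, compare, and return a test record."""
    archive = workdir / "backup.tar.gz"
    expected = create_backup(source, archive)
    restored = workdir / "restore"
    restore_backup(archive, restored)
    actual = checksums(restored)
    mismatched = sorted(k for k in expected if actual.get(k) != expected[k])
    unexpected = sorted(set(actual) - set(expected))
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "files_expected": len(expected),
        "mismatched": mismatched,       # missing or corrupted after restore
        "unexpected": unexpected,       # files the backup should not contain
        "passed": not mismatched and not unexpected,
    }


def demo() -> dict:
    """Run the test against a constructed data set and return the record."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "records").mkdir(parents=True)
        (src / "records" / "patients.csv").write_text("id,name\n1,constructed sample\n")
        (src / "app.conf").write_text("mode=production\n")
        return run_restore_test(src, tmp)
```

The record returned by run_restore_test is the artifact to keep: a dated statement of how many files were expected and that none were missing, corrupted or extra. A test that restores onto the production host, or that only checks that the archive opens, does not demonstrate what this question asks.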

Question 29: Has your firewall configuration and the architecture of your local network been evaluated and validated?
Risk Statement 1: There is no policy defining who will assure that the organization's IT infrastructure meets the technical security requirements.
The policy should establish the requirement for technical review by the Security Officer with the help of a competent technical consultant.
Applicable: Administrative
Risk Statement 2: There is no documentation that the technical requirements and their implementation for IT infrastructure have been evaluated and endorsed.
The technical security review should be documented and confirm that the controls such as firewall, wireless and DMZs are architected and configured correctly to achieve the desired security objectives.
Applicable: Technical

Question 30: Is all wireless access at the facility governed by and implemented according to policy and procedures that protect the confidentiality and integrity of confidential data?
Risk Statement 1: Policy governing wireless fails to require the complete separation of public and protected networks.
Adopt a policy governing wireless networks that requires a firewall separating any network that is used by unauthorized personnel from any networks that access ETC. Wireless networks that are used to transport ETC should be isolated from any publicly accessible wireless networks.
Applicable: Administrative
Risk Statement 2: Policy does not require strong encryption of wireless networks that transport ETC.
Policy must require strong encryption of wireless network traffic wherever ETC is transmitted. The internal network used by clinicians, staff and other personnel to access confidential data must encrypt data to prevent unauthorized viewing and access.
Applicable: Technical
Risk Statement 3: When users leave the organization they still retain access to the wireless network.
A procedure must be documented to change encryption keys to the trusted network whenever untrusted users might be able to gain access to it. If a Pre-Shared Key (PSK) authorization is used to encrypt ETC over wireless, the key should be changed to prevent staff and other users from accessing the trusted network once they are no longer authorized to access ETC.
Applicable: Technical
Risk Statement 4: Users install their own access points without notifying IT security.
Policy should reflect, and staff should be trained, that installing unapproved devices such as wireless access points on the internal networks is prohibited and represents a grave security risk.
Applicable: Technical

Question 31: Do you periodically scan or test all devices on your network for known vulnerabilities?
Risk Statement 1: Policy does not require a scan of all systems for vulnerabilities using an automated scan engine or a penetration test.
Policy should require periodic vulnerability testing and should define a schedule and scope for the tests (e.g. all systems connected to the trusted network).
Applicable: Administrative
Risk Statement 2: Procedures are not documented to define the scope of scanning or penetration testing.
A procedure and a schedule for a periodic scan of the organization's network should be documented. A scan or penetration test requires a specification of which devices and which security controls will be tested for vulnerabilities.
Applicable: Technical
Risk Statement 3: No scans or penetration tests have been conducted that can identify high risk vulnerabilities for technical staff.
A scan of technical vulnerabilities or a penetration test should be done on a regular basis and the resulting findings remediated.
Applicable: Technical

Question 32: Are all of your organization's security policies, procedures, plans, assessments and the implementation records of logs, access control, security baselines, inventories and staff suitability periodically updated, documented, available for review and archived for a period of 6 years from the time of creation?
Risk Statement 1: Policy doesn't require all records of security and privacy decisions and documentation to be saved for a period of 6 years.
Adopt a policy that all records of security and privacy decision making must be documented and saved for 6 years.
Applicable: Administrative
Risk Statement 2: There is no archive of security documentation that holds the policies, procedures, plans, etc. that have been in effect over the last 6 years.
Create a security archive to hold historical security documentation and upload to it all required documents covering the last 6 years.