Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC


Location: ITSecPlan_PRAC2017.pdf

Information Security Policy and Procedures
Protect: Identity Management and Access Control PR.AC

Table of Contents

Protect: Identity Management and Access Control PR.AC Overview
Manage Identities and Credentials for Authorized Devices PR.AC-1
  Risk Management; Compliance Management; Resources Required; Links to Supporting Policies, Documentation, and Resources; Deliverables Status
Manage and Protect Physical Access to Assets PR.AC-2
  Risk Management; Compliance Management; Resources Required; Links to Supporting Policies, Documentation, and Resources; Deliverables Status
Manage Remote Access PR.AC-3
  Risk Management; Compliance Management; Resources Required; Links to Supporting Policies, Documentation, and Resources; Deliverables Status
Manage Access Permissions and Authorizations, Incorporating Principles of Least Privilege and Separation of Duties PR.AC-4
  Risk Management; Compliance Management; Resources Required; Links to Supporting Policies, Documentation, and Resources; Deliverables Status
Protect Network Integrity Incorporating Network Segregation Where Appropriate PR.AC-5
  Risk Management; Compliance Management; Resources Required; Links to Supporting Policies, Documentation, and Resources; Deliverables Status
Identities Proofed, Bound to Credentials and Asserted in Interaction When Appropriate PR.AC-6
  Risk Management; Compliance Management; Resources Required; Links to Supporting Policies, Documentation, and Resources; Deliverables Status

PR.AC Page: 1

Protect: Identity Management and Access Control PR.AC

Overview

Disciplined management of system and personnel identities and authentication is perhaps the most crucial aspect of systems management for limiting what threat actors can do: they seek access privileges in order to penetrate systems and move through them. The Identity Management and Access Control functions are intended to ensure that access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access.

The Protect: Identity Management and Access Control functions are:

Manage Identities and Credentials for Authorized Devices PR.AC-1
  Identities and credentials are issued, managed, revoked, and audited for authorized devices, users, and processes.
Manage and Protect Physical Access to Assets PR.AC-2
  Physical access to assets is managed and protected.
Manage Remote Access PR.AC-3
  Remote access is managed.
Manage Access Permissions and Authorizations, Incorporating Principles of Least Privilege and Separation of Duties PR.AC-4
  Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
Protect Network Integrity Incorporating Network Segregation Where Appropriate PR.AC-5
  Network integrity is protected, incorporating network segregation where appropriate.
Identities Proofed, Bound to Credentials and Asserted in Interaction When Appropriate PR.AC-6
  Identities are proofed and bound to credentials, and asserted in interactions when appropriate.

Manage Identities and Credentials for Authorized Devices PR.AC-1
Identities and credentials are issued, managed, revoked, and audited for authorized devices, users, and processes

Primary Control Reference - NIST SP Rev. 4 (HD added AC-1), AC-2, IA Family

AC-1 ACCESS CONTROL POLICY AND PROCEDURES
- Control: The organization:
  o a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
     1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
     2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
  o b. Reviews and updates the current:
     1. Access control policy [Assignment: organization-defined frequency]; and
     2. Access control procedures [Assignment: organization-defined frequency].
- Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or, conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.
  o Related control: PM-9.
  o Control Enhancements: None.
  o References: NIST Special Publications
  o Priority and Baseline Allocation:

AC-2 ACCOUNT MANAGEMENT
- Control: The organization:
  o a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
  o b. Assigns account managers for information system accounts;
  o c. Establishes conditions for group and role membership;
  o d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
  o e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
  o f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
  o g. Monitors the use of information system accounts;
  o h. Notifies account managers:
     1. When accounts are no longer required;
     2. When users are terminated or transferred; and
     3. When individual information system usage or need-to-know changes;
  o i. Authorizes access to the information system based on:
     1. A valid access authorization;
     2. Intended system usage; and
     3. Other attributes as required by the organization or associated missions/business functions;
  o j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
  o k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
- Control: The organization:
  o a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
     1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
     2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
  o b. Reviews and updates the current:
     1. Identification and authentication policy [Assignment: organization-defined frequency]; and
     2. Identification and authentication procedures [Assignment: organization-defined frequency].

IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
- Control: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
- Control: The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.

IA-4 IDENTIFIER MANAGEMENT
- Control: The organization manages information system identifiers by:
  o a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
  o b. Selecting an identifier that identifies an individual, group, role, or device;
  o c. Assigning the identifier to the intended individual, group, role, or device;
  o d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
  o e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].

IA-5 AUTHENTICATOR MANAGEMENT
- Control: The organization manages information system authenticators by:
  o a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
  o b. Establishing initial authenticator content for authenticators defined by the organization;
  o c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  o d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
  o e. Changing default content of authenticators prior to information system installation;
  o f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
  o g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
  o h. Protecting authenticator content from unauthorized disclosure and modification;
  o i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
  o j. Changing authenticators for group/role accounts when membership to those accounts changes.

IA-6 AUTHENTICATOR FEEDBACK
- Control: The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION
- Control: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
- Control: The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION
- Control: The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].

IA-10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION
- Control: The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].

IA-11 RE-AUTHENTICATION
- Control: The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].

RISK MANAGEMENT: erisk Self-Assessment - 7) Access Control
  o 7.1) Is there a documented access control policy in place for all mission-critical systems? (Best practice: Access to mission-critical systems must be limited to the minimal number of employees or users actually requiring access. Additionally, access should be controlled using appropriate authentication mechanisms.)
    Answer: Work in progress
  o 7.2) Are documented standards and procedures in place for user account registration, assignment of access rights, password management, and routine reviews by business/IT managers to ensure up-to-date status and accuracy? (Best practice: Documented procedures that address the access rights of individual account owners must be enforced on a continuing basis to ensure that the organization retains effective control over its computing resources.)
    Answer: Work in progress
  o 7.3) Please describe how access management procedures are carried out within your organization. In particular, please describe your use of exit checklists and IT management notification procedures that are utilized when an employee leaves the company under both friendly and adverse circumstances.
    Answer example: Active Directory groups are maintained in most cases; standard form-based submission to IT to authorize new/change/depart employee access.
  o 7.4) Do you enforce a defined password composition and change standard that requires passwords to be at least 6-8 characters in length, using mixed-case alphanumeric and special characters, along with additional minimum requirements for non-reuse and change frequency? (Best practice: Poorly chosen (dictionary-based) passwords are one of the leading causes of a security breach and are a major vulnerability. 'Password cracking' software is prevalent and is highly efficient and effective. Ideally, password authentication should be augmented by physical 'token' devices that require a user to type in a random number generated from a keychain-sized device that remains with the individual.)
    Answer: Work in progress
  o 7.5) Please describe the current password composition and change standards for all user accounts within your organization, and identify differences in these requirements that apply for normal versus administrator-level user accounts.
    Answer example: Strong Active Directory 8-character, 3-of-4 from among upper/lower case, numeric, special characters. 90-day requirement. Admin passwords are subject to higher complexity and stored in a password vault solution.
  o 7.6) Are narrowly tailored, role-based, and management-approved access rights assigned to systems administration personnel who require privileged access to systems or network components in order to carry out their assigned job tasks? (Best practice: Privileges should be granted to only those administrators requiring them. They should be reviewed periodically to ensure they are withdrawn when they are no longer necessary. Moreover, proper separation of duties helps avoid giving a single administrator too much hands-on control over mission-critical business tools.)
    Answer: Work in progress
  o 7.7) Are access controls monitored through event logging with manual reviews for audit compliance? (Best practice: Controls over network access should be a work-in-process employing hardware, access applications, and activity audits.)
    Answer: Work in progress

COMPLIANCE MANAGEMENT:

PCI Compliance Requirements
  o 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access
  o Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities
  o Assign access based on individual personnel's job classification and function

HIPAA AND TEXAS HOUSE BILL 300 Requirements
  o Information Access Management ( (a)(4)) - HIPAA Standard: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
    Implement Policies and Procedures for Authorizing Access
      - Implement policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, process, or other mechanism.
      - Decide how access will be granted to workforce members within the organization.
      - Select the basis for restricting access.
      - Select an access control method (e.g., identity-based, role-based, or other reasonable and appropriate means of access).
      - Determine if direct access to EPHI will ever be appropriate for individuals external to the organization (e.g., business partners or patients seeking access to their own EPHI).
    Implement Policies and Procedures for Access Establishment and Modification
      - Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
      - Establish standards for granting access.
      - Provide formal authorization from the appropriate authority before granting access to sensitive information.
    Evaluate Existing Security Measures Related to Access Controls
      - Evaluate the security features of access controls already in place, or those of any planned for implementation, as appropriate.
      - Determine if these security features involve alignment with other existing management, operational, and technical controls, such as policy standards and personnel procedures, maintenance and review of audit trails, identification and authentication of users, and physical access controls.
  o Access Control ( (a)(1)) - HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in (a)(4).
    Analyze Workloads and Operations To Identify the Access Needs of All Users
      - Identify an approach for access control.
      - Consider all applications and systems containing EPHI that should be available only to authorized users.
      - Integrate these activities into the access granting and management process.
    Identify Technical Access Control Capabilities
      - Determine the access control capability of all information systems with EPHI.
    Ensure that All System Users Have Been Assigned a Unique Identifier
      - Assign a unique name and/or number for identifying and tracking user identity.
      - Ensure that system activity can be traced to a specific user.
      - Ensure that the necessary data is available in the system logs to support audit and other related business functions.
    Develop Access Control Policy
      - Establish a formal policy for access control that will guide the development of procedures.
      - Specify requirements for access control that are both feasible and cost-effective for implementation.
    Implement Access Control Procedures Using Selected Hardware and Software
      - Implement the policy and procedures using existing or additional hardware/software solution(s).
    Review and Update User Access
      - Enforce policy and procedures as a matter of ongoing operations.
      - Determine if any changes are needed for access control mechanisms.
      - Establish procedures for updating access when users require the following: initial access; increased access; access to different systems or applications than those they currently have.
    Establish an Emergency Access Procedure
      - Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
      - Identify a method of supporting continuity of operations should the normal access procedures be disabled or unavailable due to system problems.
    Automatic Logoff and Encryption and Decryption
      - Consider whether the addressable implementation specifications of this standard are reasonable and appropriate:
        - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
        - Implement a mechanism to encrypt and decrypt EPHI.
    Terminate Access if it is No Longer Required
      - Ensure that access to EPHI is terminated if the access is no longer authorized.

RESOURCES REQUIRED
Support agreements and other resources required to execute

LINKS TO SUPPORTING POLICIES, DOCUMENTATION, AND RESOURCES

DELIVERABLES STATUS:
Supplier | Deliverable | Consumer | Status

Manage and Protect Physical Access to Assets PR.AC-2
Physical access to assets is managed and protected

Primary Control Reference - NIST SP Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9

PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
- Control: The organization:
  o a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
     1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
     2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
  o b. Reviews and updates the current:
     1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
     2. Physical and environmental protection procedures [Assignment: organization-defined frequency].

PE-2 PHYSICAL ACCESS AUTHORIZATIONS
- Control: The organization:
  o a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
  o b. Issues authorization credentials for facility access;
  o c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
  o d. Removes individuals from the facility access list when access is no longer required.

PE-3 PHYSICAL ACCESS CONTROL
- Control: The organization:
  o a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by:
     1. Verifying individual access authorizations before granting access to the facility; and
     2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
  o b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
  o c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
  o d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
  o e. Secures keys, combinations, and other physical access devices;
  o f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
  o g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM
- Control: The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].

PE-5 ACCESS CONTROL FOR OUTPUT DEVICES
- Control: The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

PE-6 MONITORING PHYSICAL ACCESS
- Control: The organization:
  o a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
  o b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
  o c. Coordinates results of reviews and investigations with the organizational incident response capability.

PE-9 POWER EQUIPMENT AND CABLING
- Control: The organization protects power equipment and power cabling for the information system from damage and destruction.

RISK MANAGEMENT: erisk Self-Assessment
Questions that apply

COMPLIANCE MANAGEMENT:
PCI Compliance Requirements
Requirements that apply
HIPAA AND TEXAS HOUSE BILL 300 Requirements
Requirements and questions that apply

RESOURCES REQUIRED
Support agreements and other resources required to execute

LINKS TO SUPPORTING POLICIES, DOCUMENTATION, AND RESOURCES

DELIVERABLES STATUS:
Supplier | Deliverable | Consumer | Status

Manage Remote Access PR.AC-3
Remote access is managed

Primary Control Reference - NIST SP Rev. 4 AC-17, AC-19, AC-20

AC-17 REMOTE ACCESS
- Control: The organization:
  o a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
  o b. Authorizes remote access to the information system prior to allowing such connections.

AC-19 ACCESS CONTROL FOR MOBILE DEVICES
- Control: The organization:
  o a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
  o b. Authorizes the connection of mobile devices to organizational information systems.

AC-20 USE OF EXTERNAL INFORMATION SYSTEMS
- Control: The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
  o a. Access the information system from external information systems; and
  o b. Process, store, or transmit organization-controlled information using external information systems.

RISK MANAGEMENT: erisk Self-Assessment
Questions that apply

COMPLIANCE MANAGEMENT:
PCI Compliance Requirements
Requirements that apply
HIPAA AND TEXAS HOUSE BILL 300 Requirements
Requirements and questions that apply

RESOURCES REQUIRED
Support agreements and other resources required to execute

LINKS TO SUPPORTING POLICIES, DOCUMENTATION, AND RESOURCES

DELIVERABLES STATUS:
Supplier | Deliverable | Consumer | Status

Manage Access Permissions and Authorizations, Incorporating Principles of Least Privilege and Separation of Duties PR.AC-4
Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties

Primary Control Reference - NIST SP Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16

AC-2 ACCOUNT MANAGEMENT
- Control: The organization:
  o a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
  o b. Assigns account managers for information system accounts;
  o c. Establishes conditions for group and role membership;
  o d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
  o e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
  o f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
  o g. Monitors the use of information system accounts;
  o h. Notifies account managers:
     1. When accounts are no longer required;
     2. When users are terminated or transferred; and
     3. When individual information system usage or need-to-know changes;
  o i. Authorizes access to the information system based on:
     1. A valid access authorization;
     2. Intended system usage; and
     3. Other attributes as required by the organization or associated missions/business functions;
  o j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
  o k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

AC-3 ACCESS ENFORCEMENT
- Control: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

AC-5 SEPARATION OF DUTIES
- Control: The organization:
  o a. Separates [Assignment: organization-defined duties of individuals];
  o b. Documents separation of duties of individuals; and
  o c. Defines information system access authorizations to support separation of duties.

AC-6 LEAST PRIVILEGE
- Control: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

AC-16 SECURITY ATTRIBUTES
- Control: The organization:
  o a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
  o b. Ensures that the security attribute associations are made and retained with the information;
  o c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
  o d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.

RISK MANAGEMENT: erisk Self-Assessment
Questions that apply

COMPLIANCE MANAGEMENT:
PCI Compliance Requirements
Requirements that apply
HIPAA AND TEXAS HOUSE BILL 300 Requirements
Requirements and questions that apply

RESOURCES REQUIRED
Support agreements and other resources required to execute

LINKS TO SUPPORTING POLICIES, DOCUMENTATION, AND RESOURCES

DELIVERABLES STATUS:
Supplier | Deliverable | Consumer | Status

Protect Network Integrity Incorporating Network Segregation Where Appropriate PR.AC-5
Network integrity is protected, incorporating network segregation where appropriate

Primary Control Reference - NIST SP Rev. 4 AC-4, SC-7

AC-4 INFORMATION FLOW ENFORCEMENT
- Control: The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].

SC-7 BOUNDARY PROTECTION
- Control: The information system:
  o a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
  o b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
  o c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

RISK MANAGEMENT: erisk Self-Assessment
Questions that apply

COMPLIANCE MANAGEMENT:
PCI Compliance Requirements
Requirements that apply
HIPAA AND TEXAS HOUSE BILL 300 Requirements
Requirements and questions that apply

RESOURCES REQUIRED
Support agreements and other resources required to execute

LINKS TO SUPPORTING POLICIES, DOCUMENTATION, AND RESOURCES

DELIVERABLES STATUS:
Supplier | Deliverable | Consumer | Status

Identities Proofed, Bound to Credentials and Asserted in Interaction When Appropriate PR.AC-6

Identities are proofed and bound to credentials, and asserted in interactions when appropriate

Primary Control Reference - NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16, AC-19, AC-24, IA-2, IA-4, IA-5, IA-8, PE-2, PS-3

AC-2 ACCOUNT MANAGEMENT - Control: The organization:
  a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
  b. Assigns account managers for information system accounts;
  c. Establishes conditions for group and role membership;
  d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
  e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
  f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
  g. Monitors the use of information system accounts;
  h. Notifies account managers:
     1. When accounts are no longer required;
     2. When users are terminated or transferred; and
     3. When individual information system usage or need-to-know changes;
  i. Authorizes access to the information system based on:
     1. A valid access authorization;
     2. Intended system usage; and
     3. Other attributes as required by the organization or associated missions/business functions;
  j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
  k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

AC-3 ACCESS ENFORCEMENT - Control: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

AC-5 SEPARATION OF DUTIES - Control: The organization:
  a. Separates [Assignment: organization-defined duties of individuals];
  b. Documents separation of duties of individuals; and
  c. Defines information system access authorizations to support separation of duties.

AC-6 LEAST PRIVILEGE - Control: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

AC-16 SECURITY ATTRIBUTES - Control: The organization:
  a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
  b. Ensures that the security attribute associations are made and retained with the information;
  c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
  d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.

AC-19 ACCESS CONTROL FOR MOBILE DEVICES - Control: The organization:
  a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
  b. Authorizes the connection of mobile devices to organizational information systems.

IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) - Control: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

IA-4 IDENTIFIER MANAGEMENT - Control: The organization manages information system identifiers by:
  a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
  b. Selecting an identifier that identifies an individual, group, role, or device;
  c. Assigning the identifier to the intended individual, group, role, or device;
  d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
  e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].

IA-5 AUTHENTICATOR MANAGEMENT - Control: The organization manages information system authenticators by:
  a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
  b. Establishing initial authenticator content for authenticators defined by the organization;
  c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
  e. Changing default content of authenticators prior to information system installation;
  f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
  g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
  h. Protecting authenticator content from unauthorized disclosure and modification;
  i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
  j. Changing authenticators for group/role accounts when membership to those accounts changes.

IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) - Control: The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES - Control: The organization:
  a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
     1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
     2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
  b. Reviews and updates the current:
     1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
     2. Physical and environmental protection procedures [Assignment: organization-defined frequency].

PS-3 PERSONNEL SCREENING - Control: The organization:
  a. Screens individuals prior to authorizing access to the information system; and
  b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].

RISK MANAGEMENT: erisk Self-Assessment Questions that apply

COMPLIANCE MANAGEMENT: PCI Compliance Requirements - Requirements that apply

HIPAA AND TEXAS HOUSE BILL 300 Requirements - Requirements and questions that apply

RESOURCES REQUIRED: Support agreements and other resources required to execute

LINKS TO SUPPORTING POLICIES, DOCUMENTATION, AND RESOURCES

DELIVERABLES STATUS: (Supplier / Deliverable / Consumer / Status)
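Several of the AC-2, AC-5, IA-4 and IA-5 clauses above are conditions that the periodic account review required by AC-2 j can test from an account inventory and an HR roster: accounts that remain enabled after their owner was terminated or transferred (AC-2 h and f), identifiers inactive beyond the organization-defined period (IA-4 e), identifiers reissued inside the reuse-prevention period (IA-4 d), one identity holding duties the organization has separated (AC-5), and shared accounts whose membership changed without the credential being reissued (AC-2 k, IA-5 j). The Python below is an added example, not part of this plan or of the NIST text. The 90-day and 365-day periods, the conflicting-duty pairs, the role names and every account record are constructed assumptions standing in for the [Assignment: organization-defined ...] parameters and for a real directory export.

```python
"""Account review (AC-2 j) against several PR.AC-6 clauses.

Added example: walks an account inventory and reports conditions that the
AC-2, AC-5, IA-4 and IA-5 control text describes. Every parameter, role
name, conflict pair and account record is a constructed assumption.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Stand-ins for the [Assignment: organization-defined ...] parameters.
INACTIVITY_DAYS = 90         # IA-4 e: disable identifier after this much inactivity
IDENTIFIER_REUSE_DAYS = 365  # IA-4 d: a retired identifier may not be reissued sooner
SOD_CONFLICTS = [            # AC-5 a: duties one identity must not hold together
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"developer", "production_deploy"}),
]


@dataclass(frozen=True)
class Account:
    identifier: str
    owner: Optional[str]          # None marks a shared/group account (AC-2 k)
    roles: FrozenSet[str]
    enabled: bool
    created: date
    last_login: Optional[date]
    members: FrozenSet[str] = frozenset()                   # shared accounts only
    members_at_last_rotation: FrozenSet[str] = frozenset()  # shared accounts only


Finding = Tuple[str, str, str]  # (identifier, control clause, explanation)


def review(accounts: List[Account], active_staff: Set[str],
           retired_identifiers: Dict[str, date], today: date) -> List[Finding]:
    findings: List[Finding] = []
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account is already in the state the controls require
        if a.owner is not None and a.owner not in active_staff:
            findings.append((a.identifier, "AC-2 h/f",
                             "owner terminated or transferred but account still enabled"))
        idle_since = a.last_login or a.created  # never-used accounts count from creation
        idle_days = (today - idle_since).days
        if idle_days > INACTIVITY_DAYS:
            findings.append((a.identifier, "IA-4 e", f"inactive for {idle_days} days"))
        for conflict in SOD_CONFLICTS:
            if conflict <= a.roles:
                findings.append((a.identifier, "AC-5",
                                 "holds conflicting duties: " + ", ".join(sorted(conflict))))
        if a.owner is None and a.members != a.members_at_last_rotation:
            findings.append((a.identifier, "AC-2 k / IA-5 j",
                             "shared credential not reissued after membership change"))
        retired_on = retired_identifiers.get(a.identifier)
        if retired_on is not None and (a.created - retired_on).days < IDENTIFIER_REUSE_DAYS:
            findings.append((a.identifier, "IA-4 d",
                             f"identifier reissued {(a.created - retired_on).days} days after retirement"))
    return findings


# Constructed inventory as of the review date.
REVIEW_DATE = date(2018, 3, 31)
ACTIVE_STAFF = {"alice", "bob", "dana"}             # HR roster; carol has left
RETIRED_IDENTIFIERS = {"dana": date(2017, 10, 15)}  # an earlier "dana" account was retired
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", frozenset({"vendor_create"}), True,
            date(2016, 1, 4), date(2018, 3, 28)),
    Account("bob", "bob", frozenset({"vendor_create", "payment_approve"}), True,
            date(2017, 6, 1), date(2018, 3, 30)),
    Account("carol", "carol", frozenset({"payment_approve"}), True,
            date(2015, 2, 9), date(2017, 11, 2)),
    Account("svc-backup", None, frozenset({"backup_operator"}), True,
            date(2014, 5, 5), date(2018, 3, 31),
            members=frozenset({"alice", "dana"}),
            members_at_last_rotation=frozenset({"alice", "carol"})),
    Account("dana", "dana", frozenset({"developer"}), True,
            date(2018, 2, 1), date(2018, 3, 29)),
    Account("erin", "erin", frozenset({"developer"}), False,
            date(2013, 1, 1), None),
]

if __name__ == "__main__":
    for identifier, clause, why in review(SAMPLE_ACCOUNTS, ACTIVE_STAFF,
                                          RETIRED_IDENTIFIERS, REVIEW_DATE):
        print(f"{identifier:12} {clause:16} {why}")
```

Run against the constructed inventory, the review reports bob for the separation-of-duties conflict, carol twice (still enabled after leaving, and idle past 90 days), the shared svc-backup account for a membership change without a credential reissue, and dana for an identifier reissued 109 days after retirement; alice is clean and the disabled erin account is skipped. The HR roster is a separate input on purpose: the AC-2 h notification chain only works if the account manager compares the directory against a source of truth that is not the directory itself.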


More information

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp Agenda Introductions HIPAA Background and History Overview of HIPAA Requirements

More information

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation How To Establish A Compliance Program Richard E. Mackey, Jr. Vice president SystemExperts Corporation Agenda High level requirements A written program A sample structure Elements of the program Create

More information

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information HIPAA Privacy & Security Training Privacy and Security of Protected Health Information Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security

More information

UTAH VALLEY UNIVERSITY Policies and Procedures

UTAH VALLEY UNIVERSITY Policies and Procedures Page 1 of 5 POLICY TITLE Section Subsection Responsible Office Private Sensitive Information Facilities, Operations, and Information Technology Information Technology Office of the Vice President of Information

More information

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations January 9 th, 2018 SPEAKER Chris Seiders, CISSP Security Analyst Computing Services and Systems Development

More information

Oracle Data Cloud ( ODC ) Inbound Security Policies

Oracle Data Cloud ( ODC ) Inbound Security Policies Oracle Data Cloud ( ODC ) Inbound Security Policies Contents Contents... 1 Overview... 2 Oracle Data Cloud Security Policy... 2 Oracle Information Security Practices - General... 2 Security Standards...

More information

Apex Information Security Policy

Apex Information Security Policy Apex Information Security Policy Table of Contents Sr.No Contents Page No 1. Objective 4 2. Policy 4 3. Scope 4 4. Approval Authority 5 5. Purpose 5 6. General Guidelines 7 7. Sub policies exist for 8

More information

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com DFARS Compliance SLAIT Consulting SECURITY SERVICES Mike D Arezzo Director of Security Services Introduction 18+ year career in Information Technology and Security General Electric (GE) as Software Governance

More information

ISSP Network Security Plan

ISSP Network Security Plan ISSP-000 - Network Security Plan 1 CONTENTS 2 INTRODUCTION (Purpose and Intent)... 1 3 SCOPE... 2 4 STANDARD PROVISIONS... 2 5 STATEMENT OF PROCEDURES... 3 5.1 Network Control... 3 5.2 DHCP Services...

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Sparta Systems TrackWise Digital Solution

Sparta Systems TrackWise Digital Solution Systems TrackWise Digital Solution 21 CFR Part 11 and Annex 11 Assessment February 2018 Systems TrackWise Digital Solution Introduction The purpose of this document is to outline the roles and responsibilities

More information

State of Colorado Cyber Security Policies

State of Colorado Cyber Security Policies TITLE: State of Colorado Cyber Security Policies Access Control Policy Overview This policy document is part of the State of Colorado Cyber Security Policies, created to support the State of Colorado Chief

More information

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

HIPAA FINAL SECURITY RULE 2004 WIGGIN AND DANA LLP

HIPAA FINAL SECURITY RULE 2004 WIGGIN AND DANA LLP SUMMY OF HIP FINL SECUITY ULE 2004 WIGGIN ND DN LLP INTODUCTION On February 20, 2003, the Department of Health and Human Services ( HHS ) published the final HIP security standards, Health Insurance eform:

More information

CYBER SECURITY POLICY REVISION: 12

CYBER SECURITY POLICY REVISION: 12 1. General 1.1. Purpose 1.1.1. To manage and control the risk to the reliable operation of the Bulk Electric System (BES) located within the service territory footprint of Emera Maine (hereafter referred

More information

Trust Services Principles and Criteria

Trust Services Principles and Criteria Trust Services Principles and Criteria Security Principle and Criteria The security principle refers to the protection of the system from unauthorized access, both logical and physical. Limiting access

More information

Security and Privacy Governance Program Guidelines

Security and Privacy Governance Program Guidelines Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by

More information

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more. FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013 Visit us online at Flank.org to learn more. HITRUST CSF v9 Framework ISO 27001/27002:2013 Framework FLANK ISO 27001/27002:2013 Documentation from

More information

How Managed File Transfer Addresses HIPAA Requirements for ephi

How Managed File Transfer Addresses HIPAA Requirements for ephi How Managed File Transfer Addresses HIPAA Requirements for ephi INTRODUCTION These new requirements have effectively made traditional File Transfer Protocol (FTP) file sharing ill-advised, if not obsolete.

More information

A company built on security

A company built on security Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for

More information