MUSC Information Security Policy Compliance Checklist for System Owners Instructions



Similar documents
HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security Alert

HIPAA Information Security Overview

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

VMware vcloud Air HIPAA Matrix

HIPAA Security Checklist

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

How To Write A Health Care Security Rule For A University

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Information Security Policy

HIPAA Security COMPLIANCE Checklist For Employers

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

ISLAND COUNTY SECURITY POLICIES & PROCEDURES

HIPAA Security Matrix

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Cyber Self Assessment

HIPAA Compliance Guide

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

User Name: [insert facility name]grids (for example, lomitagrids or villagrids)

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996

SECURITY RISK ASSESSMENT SUMMARY

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

Healthcare Compliance Solutions

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

VISP Vendor Information Security Plan: A tool for IT and Institutions to evaluate third party vendor capacity and technology to protect research data

Supplier Information Security Addendum for GE Restricted Data

Estate Agents Authority

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

Password Expiration Passwords require a maximum expiration age of 60 days. Previously used passwords may not be reused.

CHIS, Inc. Privacy General Guidelines

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

State HIPAA Security Policy State of Connecticut

Policies and Compliance Guide

Supplier IT Security Guide

Security Is Everyone s Concern:

System Security Plan University of Texas Health Science Center School of Public Health

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

HIPAA Security Series

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

Richard Gadsden Information Security Office Office of the CIO Information Services

HIPAA Security Policies and Procedures

Telemedicine HIPAA/HITECH Privacy and Security

White Paper. Support for the HIPAA Security Rule PowerScribe 360

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Walton Centre. Document History Date Version Author Changes 01/10/ A Cobain L Wyatt 31/03/ L Wyatt Update to procedure

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Security Rule Compliance

FINAL May Guideline on Security Systems for Safeguarding Customer Information

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

SAS 70 Exams Of EBT Controls And Processors

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

HIPAA Security and HITECH Compliance Checklist

MINNESOTA STATE STANDARD

Support for the HIPAA Security Rule

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures

Spillemyndigheden s Certification Programme Information Security Management System

STATE OF NEW JERSEY Security Controls Assessment Checklist

Smith College Information Security Risk Assessment Checklist

Information Technology General Controls And Best Practices

Security Management. Keeping the IT Security Administrator Busy

Controls for the Credit Card Environment Edit Date: May 17, 2007

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

Healthcare Compliance Solutions

C.T. Hellmuth & Associates, Inc.

DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

HIPAA Compliance: Are you prepared for the new regulatory changes?

County Identity Theft Prevention Program

PCI Data Security and Classification Standards Summary

Information Technology General Controls (ITGCs) 101

State Of Florida's Real Estate Law

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

State of South Carolina Policy Guidance and Training

Data Processing Agreement for Oracle Cloud Services

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Security Framework Information Security Management System

Identity Theft Prevention Program Compliance Model

Privacy Data Loss. Privacy Data Loss. Identity Theft. The Legal Issues

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

An Effective MSP Approach Towards HIPAA Compliance

New Boundary Technologies Financial Modernization Act of 1999 (Gramm-Leach-Bliley Act) Security Guide

Office 365 Data Processing Agreement with Model Clauses

Datto Compliance 101 1

Data Security Incident Response Plan. [Insert Organization Name]

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents

Transcription:

Instructions This checklist can be used to identify gaps in compliance with MUSC's information security policies and standards, which are published on the Web at http://www.musc.edu/security. Each of the 34 Requirements was derived from a straightforward reading of the 16 MUSC information security policies and their associated performance standards. Each Requirement is accompanied by some questions that you should ask when scoring your System against that particular requirement. These questions are intended to help you understand the actual compliance requirements. For each Requirement, you should score your System's current degree of compliance with respect to that requirement, using the following scale: 0 = not implemented 1 = partially implemented 2 = implemented but not yet documented 3 = implemented and documented NA = not applicable You should record a of NA if and only if the Requirement does not apply to your System. The only Requirements that do not apply to all Systems that house protected informations are the requirements derived from the Workstation Use Policy (lines 11-14). If your System boundaries do not encompass any workstations, then these requirements do not apply to your System. If your System boundaries do encompass any workstations, then these requirements do apply. We also encourage you to record comments for each Requirement, in the space provided. Your comments can be invaluable, particularly at later steps in the compliance process, to help other people understand why you scored your System against a particular requirement the way you did... and to help you remember! For all requirements where a score of 3 is achieved, you should insert a copy of the relevant documentation into the Current System Procedures and Other Controls section of your binder, for later review by a compliance officer. Conversely, a score lower than 3 should help guide you towards corrective action(s) to address that requirement, as you progress through subsequent steps in the compliance process; specifically, each checklist requirement with a score lower than 3 should eventually map to one or more Issues in your Risk Analysis Worksheet, and remedial action(s) to address the issue(s) should then be documented in your Plan Summary. You may wish to print out a dated copy of the completed checklist and insert it into the Assessments, Analysis and Plans section of your binder. Your compliance officer may ask to review your completed checklist. Document Source: http://www.musc.edu/security/tools Rev 2005/11/11-01

Requirement Derived from the Which life cycle stage is your 1 Risk Management Risk assessments have been performed at appropriate points in the system's life cycle. system in? Has a risk assessment for your System that meets MUSC standards been completed in this stage? In any previous stages? When the most recent risk 2 Risk Management All of the System's risks that have been identified are being appropriately managed. assessment for your System was completed, was a security plan for your System developed? Has the security plan been approved? Is the security plan working? How do you know that your System's security plan is working? The effectiveness of the System's Are your System's security 3 Evaluation security measures is being monitored procedures and other security and evaluated. controls being monitored and evaluated? By whom? How, and how often? Rev 2005/11/11-01 Page 1

Requirement Derived from the Who authorizes new users to have access to your System? Who The System has procedures for authorizes changes in access 4 Workforce ensuring that no workforce member is granted access to protected permissions for existing users? Once authorization is provided, information without authorization. what procedures are followed for adding and changing the actual user accounts in your System? 5 Workforce The System has procedures for ensuring that workforce members' access is terminated when their authorization is revoked. How and when is authorization for access to your System revoked? When a user's authorization is revoked, how is the user's access to your System actually terminated? 6 7 Awareness and Training Incident Response Do you provide training and documentation to your System's Each authorized user of the System users, explaining their security has access to appropriate Systemspecific training resources and responsibilities? Do all users have access to this documentation? Are materials. all users aware of these responsibilities? Have you registered your System in Emergency contact information for the the MUSC System Registry, and System has been made available to have all your System's emergency the CSIRT. contacts been listed there? Rev 2005/11/11-01 Page 2

Requirement Derived from the Do you have a System contingency A contingency plan for the System is plan that meets MUSC standards, 8 Contingency Plan maintained, meeting all risk including your downtime management, business continuity, and procedures and communication regulatory requirements. plan? Who maintains your contingency plan? 9 Contingency Plan The System's contingency plan is periodically tested. Is your System's contingency plan tested? How often? How is it tested, and by whom? 10 Contingency Plan The System's contingency plan is revised as needed, in response to environmental, operational, policy and regulatory changes. Who keeps your System's contingency plan up to date? Is any of the information in it no longer accurate or relevant? When was the plan last revised? 11 Workstation For any workstations within the System's boundaries, the list of authorized applications is evident to any prospective user of the workstations. If your System includes any workstations, do the users know what the workstations may (and may not) be used for? Rev 2005/11/11-01 Page 3

Requirement Derived from the If your System includes any workstations, do you have 12 Workstation For any workstations within the System's boundaries, the authorized users of the workstation follow appropriate procedures for initiating, terminating and suspending their sessions on the workstations. procedures for users to login on the workstations, and are users trained to terminate their sessions appropriately (for example, by logging out)? Is there an inactivity timeout (automatic logout, or password lockout or screen saver) for all user sessions on the workstations? 13 Workstation Physical access to any workstations within the System's boundaries is restricted to authorized users of the workstations. If your System includes any workstations, what would prevent an unauthorized user from gaining physical access to one of your workstations? 14 Workstation Visual access to the displays of any workstations within the System's boundaries is restricted to authorized users of the workstations. If your System includes any workstations, what would prevent an unauthorized user from viewing information on one of your workstation's displays? Rev 2005/11/11-01 Page 4

Requirement Derived from the How do you securely erase (wipe) 15 Device and Media Controls Appropriate procedures are used for erasing protected information from the System's media prior to disposal or reuse. your System's disks and tapes prior to re-use or surplus? For other media such as cd-roms, how do you shred, destroy or otherwise render them unreadable, prior to any disposal of them? How do you track the location of equipment containing protected information? If your System 16 Device and Media Controls Appropriate procedures are used to maintain the physical security of the System's devices and media during movement and storage. includes any mobile devices, how do you protect them from loss or theft? How do you track the movement of backup media? If a tape were lost or stolen, how would you know it, whom would you notify, and what would you be able to tell them about the tape? Any maintenance contracts or other If you have a maintenance contract arrangements, used for servicing the that calls for a field service 17 Device and Media Controls System's devices and media, address the contractor's need to protect the confidentiality of any information that engineer to swap out an inoperable disk, how will the confidentiality of any protected information that is may exist on the devices and media still stored on the (old) disk be being serviced. protected? Rev 2005/11/11-01 Page 5

Requirement Derived from the 18 Access Control The System has access control procedures to restrict access to the System's protected information to the authorized users of the information. What are your System's access control procedures? Are they completely effective at preventing unauthorized access to your System? Does each user of your System Users of the System are assigned have his own individual account? 19 Access Control unique identifiers that enable tracking of their access to the System's Can you track each instance of access to protected information in protected information. your System, to the individual responsible for the access? Does your System have Users of the System are trained in the documented procedures for user 20 Access Control proper procedures for the management of their passwords and management of their assigned passwords? Are all users trained on other credentials. these procedures? Are all users aware of these procedures? 21 Access Control User sessions that may provide Does your System enforce inactivity access to protected information are timeouts (automatic logouts) for all terminated after a reasonable period of user sessions that provide access inactivity. to protected information? Rev 2005/11/11-01 Page 6

Requirement Derived from the 22 Access Control There is a procedure that exists to allow authorized users to obtain access to the System's protected information in an emergency. In your System's contingency plan, what kinds of emergency scenarios have been considered? Do you have a way to provide access in each of these scenarios? Encryption of the System's protected Do you know if and when your information, whether at rest or in System's protected information 23 Access Control transit, is used whenever reasonable should be encrypted? Is protected and appropriate for restricting access information being encrypted when it to the information. should? If not, why not? 24 Network Access System administrators follow applicable MUSC System s to configure and harden each of the System's networked components. Does your System include any networked components? Is each component hardened in accordance with MUSC standards? Procedures have been established Does your System log user 25 Audit Controls and are being followed to collect and maintain appropriate records of sessions, user access to records containing protected information, System activity. and other security related events? 26 Audit Controls An appropriate retention schedule for System activity records has been established and is being followed. Do you have a retention schedule for your System's log records? How did you determine that schedule? Is it being followed? Rev 2005/11/11-01 Page 7

Requirement Derived from the 27 Audit Controls System activity records are being regularly reviewed and analyzed for records of unauthorized activity involving or affecting the System. Who reviews your System's log records? How are they reviewed, and how often? Procedures have been established for Do you have a procedure for 28 Audit Controls making System activity records available for external review as providing an authorized auditor or compliance officer with access to required by MUSC policy. your System's logs? How do the people who access Appropriate procedures and other your System prove that they are 29 Person or Entity Authentication controls are being used to authenticate who they say they are? If your each person or other entity seeking access to the System's protected System has automated interfaces with other systems, how is entity information. authentication handled within those interfaces? 30 Data Integrity Appropriate procedures and other controls are being used to protect the System's data against improper alteration or desctruction during storage, processing, or transmission over a network. What would prevent the loss or improper alteration of your System's data during storage, processing, or transmission over a network? Rev 2005/11/11-01 Page 8

Requirement Derived from the 31 Encryption Appropriate procedures and other controls are being used to encrypt the System's data during storage, processing, or transmission over a network. Refer to #23. If your System does encrypt information, how, when and where is encryption being performed? Refer to #23. If your System does Appropriate procedures are being encrypt information, how are you 32 Encryption used for the management of any keys managing and protecting the keys used for encrypting the System's data. that are used by your encryption processes? All of the System's security management processes are appropriately documented, including Do you have all of the security 33 Documentation risk assessments, risk management management documentation decisions and actions, and changes to required by MUSC policies? the System's security procedures and other controls. All of the System's security 34 Documentation documentation is made available as Do you manage and retain your needed to all authorized personnel, is security documentation in periodically reviewed, is updated when accordance with MUSC policies? appropriate, and is retained for a minimum of six years. Rev 2005/11/11-01 Page 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information