0003014
ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition
International Organization for Standardization
International or National Standard
For Purchase
ISO 27799:2016
ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002
2016-07-01
The document as a whole was last reviewed and released on 2019-08-02T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure that the mapping is of the highest quality. Details of the process we use to map Authority Documents, and of how to become involved in that process, are published separately by Network Frontiers.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. Because each Citation and mandate is tied to a Common Control, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of every Citation we found within ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition, each tagged with its primary and secondary nouns and primary and secondary verbs, in four-column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance itself, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the fourth column gives the Common Control itself.
Dictionary Terms – The dictionary terms listed for ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition are drawn from the Authority Document’s defined-terms section (which most legal documents have), from its glossary, and, for the most part, from the terms tagged within each mandate. Terms shown with links are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated: bold; Implied: italic; Implementation: regular.

Common Control (CC ID, with the cited mandate in brackets) | TYPE | CLASS | |
---|---|---|---|
Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. § 14.2.9 Health-specific control ¶ 1] | Establish/Maintain Documentation | Preventive | |
Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. § 14.2.9 Health-specific control ¶ 1] | Testing | Detective | |
Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741 | Testing | Detective | |
Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742 | Testing | Detective | |
Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743 | Testing | Detective | |
Test new software or upgraded software for security vulnerabilities. CC ID 01898 | Testing | Detective | |
Test new software or upgraded software for compatibility with the current system. CC ID 11654 | Testing | Detective | |
Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655 | Testing | Detective | |
Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899 | Testing | Detective | |
Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744 | Testing | Detective | |
Correct defective acquired goods or services. CC ID 06911 | Acquisition/Sale of Assets or Services | Corrective | |
Authorize new assets prior to putting them into the production environment. CC ID 13530 | Process or Activity | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated: bold; Implied: italic; Implementation: regular.

Common Control (CC ID, with the cited mandate in brackets) | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and Risk Management | Preventive | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [Healthcare project management should consider patient safety as a project risk in any project involving the processing of personal health information. § 6.1.5 Health-specific control] | Audits and Risk Management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and Risk Management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and Risk Management | Preventive | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and Risk Management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Investigate | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Actionable Reports or Measurements | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and Risk Management | Detective | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 | Establish/Maintain Documentation | Preventive | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Investigate | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Behavior | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Establish/Maintain Documentation | Detective | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level of risk and to the technologies employed. § 15.1.1 Health-specific control] | Audits and Risk Management | Preventive | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Process or Activity | Detective | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Process or Activity | Detective | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and Risk Management | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated: bold; Implied: italic; Implementation: regular.

Common Control (CC ID, with the cited mandate in brackets) | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Establish Roles | Preventive | |
Define and assign the security staff roles and responsibilities. CC ID 11750 [At a minimum, at least one individual shall be responsible for health information security within the organization. § 6.1.1 Health-specific control ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources Management | Preventive | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 [The health information security forum shall meet regularly, on a monthly or near-to-monthly basis. (Typically, it is most effective to meet at the mid-point between the meetings of the governance body into which the forum reports. This allows emergency matters to be taken to a suitable meeting within a short period.) § 6.1.1 Health-specific control ¶ 3] | Human Resources Management | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 [Special attention needs to be placed upon the roles and responsibilities of temporary or short-term staff such as locums, students, interns, etc. § 7.1.2 Health-specific control ¶ 2] | Human Resources Management | Preventive | |
Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 | Human Resources Management | Preventive | |
Assign roles and responsibilities for physical security, as necessary. CC ID 13113 | Establish Roles | Preventive | |
Document the use of external experts. CC ID 16263 | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 | Human Resources Management | Preventive | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources Management | Preventive | |
Assign the roles and responsibilities for the change control program. CC ID 13118 | Human Resources Management | Preventive | |
Identify and define all critical roles. CC ID 00777 | Establish Roles | Preventive | |
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Establish Roles | Preventive | |
Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources Management | Preventive | |
Assign the role of security management to applicable controls. CC ID 06444 | Establish Roles | Preventive | |
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources Management | Preventive | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources Management | Preventive | |
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources Management | Preventive | |
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Communicate | Preventive | |
Define and assign the data controller's roles and responsibilities. CC ID 00471 | Establish Roles | Preventive | |
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources Management | Preventive | |
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources Management | Preventive | |
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources Management | Preventive | |
Assign the role of data controller to applicable controls. CC ID 00354 | Establish Roles | Preventive | |
Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources Management | Preventive | |
Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Establish Roles | Preventive | |
Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Establish Roles | Preventive | |
Assign the role of logical access control to applicable controls. CC ID 00772 | Establish Roles | Preventive | |
Assign the role of asset physical security to applicable controls. CC ID 00770 | Establish Roles | Preventive | |
Assign the role of data custodian to applicable controls. CC ID 04789 | Establish Roles | Preventive | |
Assign the role of the Quality Management committee to applicable controls. CC ID 00769 | Establish Roles | Preventive | |
Assign interested personnel to the Quality Management committee. CC ID 07193 | Establish Roles | Preventive | |
Assign the roles and responsibilities for the asset management system. CC ID 14368 | Establish/Maintain Documentation | Preventive | |
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Establish Roles | Preventive | |
Assign the role of fire protection management to applicable controls. CC ID 04891 | Establish Roles | Preventive | |
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Establish Roles | Preventive | |
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Establish Roles | Preventive | |
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Establish Roles | Preventive | |
Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for dispute resolution. CC ID 13626 | Human Resources Management | Preventive | |
Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources Management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Establish/Maintain Documentation | Preventive | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [When an individual is hired for a specific information security role, organizations should make sure the candidate: has the necessary competence to perform the security role; § 7.1.1 Health-specific controls ¶ 3(a)] | Testing | Detective | |
Perform security skills assessments for all critical employees. CC ID 12102 [When an individual is hired for a specific information security role, organizations should make sure the candidate: can be trusted to take the role, especially if the role is critical for the organization. § 7.1.1 Health-specific controls ¶ 3(b)] | Human Resources Management | Detective | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Establish Roles | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Establish Roles | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Establish/Maintain Documentation | Preventive | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources Management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1] | Human Resources Management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Establish/Maintain Documentation | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources Management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources Management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Establish/Maintain Documentation | Preventive | |
Perform a drug test during personnel screening. CC ID 06648 | Testing | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1 Background verification checks on all candidates for employment should include a verification of applicable health professional qualifications, where such qualifications are professionally accredited (e.g. physicians, nurses, etc.) § 7.1.1 Health-specific controls ¶ 2] | Human Resources Management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources Management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources Management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Communicate | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources Management | Preventive | |
Document the personnel risk assessment results. CC ID 11764 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Establish/Maintain Documentation | Preventive | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources Management | Detective | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources Management | Preventive | |
Establish and maintain security clearances. CC ID 01634 | Human Resources Management | Preventive | |
Document the security clearance procedure results. CC ID 01635 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Establish/Maintain Documentation | Preventive | |
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [All organizations that process personal health information shall, as soon as possible, terminate the user access privileges with respect to such information for any departing permanent or temporary employee, third-party contractor or volunteer upon termination of employment, contracting, or volunteer activities. § 9.2.6 Health-specific control] | Technical Security | Corrective | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Establish Roles | Preventive | |
Document and communicate role descriptions to all applicable personnel. CC ID 00776 [In addition to the control given by ISO/IEC 27002, all organizations whose staff members are involved in processing personal health information should document such involvement in relevant job descriptions. Security roles and responsibilities, as laid down in the organization's information security policy, should also be documented in relevant job descriptions. § 7.1.2 Health-specific control ¶ 1] | Establish Roles | Detective | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information should, where feasible, segregate duties and areas of responsibility in order to reduce opportunities for unauthorized modification or misuse of personal health information. § 6.1.2 Health-specific control] | Testing | Detective | |
Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Technical Security | Preventive | |
Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain job applications. CC ID 16180 | Establish/Maintain Documentation | Preventive | |
Include a space for previous addresses and previous residences on the job application. CC ID 12302 [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1] | Human Resources Management | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 | Behavior | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. § 12.2.1 Health-specific control] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Communicate | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Establish/Maintain Documentation | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Establish/Maintain Documentation | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Establish/Maintain Documentation | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Training | Preventive | |
Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
Include safeguards for information systems in the security awareness program. CC ID 13046 | Establish/Maintain Documentation | Preventive | |
Include security policies and security standards in the security awareness program. CC ID 13045 | Establish/Maintain Documentation | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Training | Preventive | |
Include mobile device security guidelines in the security awareness program. CC ID 11803 | Establish/Maintain Documentation | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Training | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Training | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Training | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Training | Preventive | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Establish/Maintain Documentation | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 [In addition to implementing the control given by ISO/IEC 27002, all organizations processing personal health information shall ensure that information security education and training are provided on induction and, that regular updates in organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information. § 7.2.2 Health-specific control ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Establish/Maintain Documentation | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Establish/Maintain Documentation | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Establish/Maintain Documentation | Preventive | |
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources Management | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources Management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Establish/Maintain Documentation | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources Management | Preventive | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Behavior | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Behavior | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Training | Preventive | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Establish/Maintain Documentation | Preventive | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain a Code of Conduct. CC ID 04897 | Establish/Maintain Documentation | Preventive | |
Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. § 7.2.2 Health-specific control ¶ 2] | Behavior | Corrective | |
Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 | Communicate | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an information classification standard. CC ID 00601 [{confidential information} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should uniformly classify such data as confidential. § 8.2.1 Health-specific control] | Establish/Maintain Documentation | Preventive | |
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Data and Information Management | Preventive | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Data and Information Management | Preventive | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Data and Information Management | Preventive | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Data and Information Management | Preventive | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Data and Information Management | Preventive | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Data and Information Management | Preventive | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Data and Information Management | Preventive | |
Classify the value of information in the information classification standard. CC ID 11995 | Data and Information Management | Preventive | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Data and Information Management | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [A formal scope statement shall be produced that defines the boundary of compliance activity in terms of people, processes, places, platforms and applications. § 6.1.1 Health-specific control ¶ 4] | Establish/Maintain Documentation | Preventive | |
Define the scope of the security policy. CC ID 07145 | Data and Information Management | Preventive | |
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 | Business Processes | Preventive | |
Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 | Establish/Maintain Documentation | Preventive | |
Correlate Information Systems with applicable controls. CC ID 01621 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 | Establish/Maintain Documentation | Preventive | |
Include the effective date on all organizational policies. CC ID 06820 | Establish/Maintain Documentation | Preventive | |
Include threats in the organization’s policies, standards, and procedures. CC ID 12953 | Establish/Maintain Documentation | Preventive | |
Analyze organizational policies, as necessary. CC ID 14037 | Establish/Maintain Documentation | Detective | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Business Processes | Preventive | |
Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 | Establish/Maintain Documentation | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 | Establish/Maintain Documentation | Preventive | |
Map in scope assets and in scope records to external requirements. CC ID 12189 | Establish/Maintain Documentation | Detective | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Communicate | Preventive | |
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Establish/Maintain Documentation | Preventive | |
Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Establish/Maintain Documentation | Preventive | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Establish/Maintain Documentation | Preventive | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Establish/Maintain Documentation | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Establish/Maintain Documentation | Corrective | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Establish/Maintain Documentation | Preventive | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Establish/Maintain Documentation | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Establish/Maintain Documentation | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Establish/Maintain Documentation | Preventive | |
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Establish/Maintain Documentation | Detective | |
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Establish Roles | Preventive | |
Approve all compliance documents. CC ID 06286 | Establish/Maintain Documentation | Preventive | |
Align the Authority Document list with external requirements. CC ID 06288 | Establish/Maintain Documentation | Preventive | |
Assign the appropriate roles to all applicable compliance documents. CC ID 06284 | Establish Roles | Preventive | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Establish/Maintain Documentation | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Establish/Maintain Documentation | Preventive | |
Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Establish/Maintain Documentation | Detective | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631 | Establish/Maintain Documentation | Preventive | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Business Processes | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Establish/Maintain Documentation | Preventive | |
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Establish Roles | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Behavior | Preventive | |
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 | Behavior | Preventive | |
Estimate the costs of implementing the compliance framework. CC ID 07191 | Business Processes | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Log Management | Detective | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Log Management | Detective | |
Establish, implement, and maintain event logging procedures. CC ID 01335 | Log Management | Detective | |
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to collect and preserve incident-related audit logs and other relevant evidence. § 16.1.2 Health-specific controls ¶ 1(c)] | Log Management | Preventive | |
Protect the event logs from failure. CC ID 06290 | Log Management | Preventive | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Data and Information Management | Preventive | |
Supply each in scope asset with an audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Testing | Preventive | |
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Establish/Maintain Documentation | Corrective | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Establish/Maintain Documentation | Preventive | |
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Audits and Risk Management | Preventive | |
Review and update event logs and audit logs, as necessary. CC ID 00596 | Log Management | Detective | |
Eliminate false positives in event logs and audit logs. CC ID 07047 | Log Management | Corrective | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Log Management | Detective | |
Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Technical Security | Detective | |
Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Investigate | Corrective | |
Reproduce the event log if a log failure is captured. CC ID 01426 | Log Management | Preventive | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 | Establish/Maintain Documentation | Preventive | |
Restrict access to audit trails to a need to know basis. CC ID 11641 [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control] | Technical Security | Preventive | |
Protect logs from unauthorized activity. CC ID 01345 [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control] | Log Management | Preventive | |
Preserve the identity of individuals in audit trails. CC ID 10594 [Health information systems processing personal health information: shall ensure that each subject of care can be uniquely identified within the system; § 14.1.1.1 Health-specific control ¶ 1(a)] | Log Management | Preventive | |
Protect against misusing automated audit tools. CC ID 04547 [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control] | Technical Security | Preventive | |
Evaluate the measurement process used for metrics. CC ID 06920 | Testing | Detective | |
Evaluate the information technology products used for metrics. CC ID 11644 | Technical Security | Detective | |
Identify and communicate improvements in metrics reporting. CC ID 06921 | Establish/Maintain Documentation | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Establish/Maintain Documentation | Preventive | |
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 | Systems Continuity | Preventive | |
Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Physical and Environmental Protection | Preventive | |
Store backup media at an off-site electronic media storage facility. CC ID 01332 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1] | Data and Information Management | Preventive | |
Transport backup media in lockable electronic media storage containers. CC ID 01264 | Data and Information Management | Preventive | |
Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 | Data and Information Management | Preventive | |
Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1] | Systems Continuity | Preventive | |
Perform backup procedures for in scope systems. CC ID 11692 | Process or Activity | Preventive | |
Back up all records. CC ID 11974 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1] | Systems Continuity | Preventive | |
Encrypt backup data. CC ID 00958 [To protect its confidentiality, personal health information should be backed up in an encrypted format. § 12.3.1 Health-specific control ¶ 2] | Configuration | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 [have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. § 6.1.1 Health-specific control ¶ 1(b)] | Business Processes | Preventive | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Behavior | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. § 6.1.1 Health-specific control ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Establish/Maintain Documentation | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 | Establish/Maintain Documentation | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 | Establish/Maintain Documentation | Preventive | |
Include system development in the information security program. CC ID 12389 | Establish/Maintain Documentation | Preventive | |
Include system maintenance in the information security program. CC ID 12388 | Establish/Maintain Documentation | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Establish/Maintain Documentation | Preventive | |
Include access control in the information security program. CC ID 12386 | Establish/Maintain Documentation | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 | Process or Activity | Detective | |
Include operations management in the information security program. CC ID 12385 | Establish/Maintain Documentation | Preventive | |
Include communication management in the information security program. CC ID 12384 | Establish/Maintain Documentation | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Establish/Maintain Documentation | Preventive | |
Include physical security in the information security program. CC ID 12382 | Establish/Maintain Documentation | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Establish/Maintain Documentation | Preventive | |
Include asset management in the information security program. CC ID 12380 | Establish/Maintain Documentation | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Establish/Maintain Documentation | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Establish/Maintain Documentation | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Establish/Maintain Documentation | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 | Establish/Maintain Documentation | Preventive | |
Include risk management in the information security program. CC ID 12378 | Establish/Maintain Documentation | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Establish/Maintain Documentation | Preventive | |
Provide management direction and support for the information security program. CC ID 11999 | Process or Activity | Preventive | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control {ongoing basis} The health organization's information security policy should be subject to ongoing, staged review, such that the totality of the policy is addressed at least annually. The policy should be reviewed after the occurrence of a serious security incident. § 5.1.2 Health-specific control] | Establish/Maintain Documentation | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Business Processes | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Establish/Maintain Documentation | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Establish/Maintain Documentation | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Establish/Maintain Documentation | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 | Establish/Maintain Documentation | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Establish/Maintain Documentation | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Establish/Maintain Documentation | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control] | Process or Activity | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Business Processes | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Establish/Maintain Documentation | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Process or Activity | Preventive | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Establish Roles | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Human Resources Management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 [clearly define and assign information security responsibilities; § 6.1.1 Health-specific control ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Human Resources Management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control In addition to implementing the control given by ISO/IEC 27002, all organizations processing personal health information shall ensure that information security education and training are provided on induction and, that regular updates in organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information. § 7.2.2 Health-specific control ¶ 1] | Communicate | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Establish/Maintain Documentation | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Business Processes | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Business Processes | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Behavior | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Establish/Maintain Documentation | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Establish/Maintain Documentation | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Establish/Maintain Documentation | Preventive | |
Perform social network analysis, as necessary. CC ID 14864 | Investigate | Detective | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Establish/Maintain Documentation | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Establish/Maintain Documentation | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Establish/Maintain Documentation | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Records Management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Business Processes | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Business Processes | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Communicate | Preventive | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 [{health information asset} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: have rules for acceptable use of these assets that are identified, documented and implemented. § 8.1.1 Health-specific control ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall ensure that any use, outside its premises, of medical devices that record or report data has been authorized. This should include equipment used by remote workers, even where such usage is perpetual (i.e. where it forms a core feature of the employee's role, such as for ambulance personnel, therapists, etc.) § 11.2.6 Health-specific control] | Establish/Maintain Documentation | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Establish/Maintain Documentation | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Establish/Maintain Documentation | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Establish/Maintain Documentation | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Establish/Maintain Documentation | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Establish/Maintain Documentation | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Establish/Maintain Documentation | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Establish/Maintain Documentation | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Establish/Maintain Documentation | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Establish/Maintain Documentation | Preventive | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Technical Security | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Establish/Maintain Documentation | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Data and Information Management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Establish/Maintain Documentation | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Establish/Maintain Documentation | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Establish/Maintain Documentation | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Establish/Maintain Documentation | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Establish/Maintain Documentation | Corrective | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Establish/Maintain Documentation | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Establish/Maintain Documentation | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Communicate | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Business Processes | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Establish/Maintain Documentation | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Establish/Maintain Documentation | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Establish/Maintain Documentation | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Data and Information Management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall have a confidentiality agreement in place that specifies the confidential nature of this information. The agreement shall be applicable to all personnel accessing health information. § 13.2.4 Health-specific control] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Communicate | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Establish/Maintain Documentation | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. § 7.2.2 Health-specific control ¶ 2] | Process or Activity | Corrective | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 | Business Processes | Preventive | |
Assign an information owner to organizational assets, as necessary. CC ID 12729 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: have a designated custodian of these health information assets (see 8.1.2); § 8.1.1 Health-specific control ¶ 1(b); The source (authorship) of publicly available health information should be stated and its integrity should be protected. § 14.1.3.1 Health-specific controls ¶ 3] | Human Resources Management | Preventive | |
Establish, implement, and maintain an asset inventory. CC ID 06631 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: account for health information assets (i.e. maintain an inventory of such assets); § 8.1.1 Health-specific control ¶ 1(a)] | Business Processes | Preventive | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 | Establish/Maintain Documentation | Preventive | |
Include all account types in the Information Technology inventory. CC ID 13311 | Establish/Maintain Documentation | Preventive | |
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Systems Design, Build, and Implementation | Preventive | |
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Data and Information Management | Preventive | |
Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Establish/Maintain Documentation | Preventive | |
Categorize all major applications according to the business information they process. CC ID 07182 | Establish/Maintain Documentation | Preventive | |
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Establish/Maintain Documentation | Preventive | |
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Establish/Maintain Documentation | Preventive | |
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Establish/Maintain Documentation | Preventive | |
Conduct environmental surveys. CC ID 00690 | Physical and Environmental Protection | Preventive | |
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Establish/Maintain Documentation | Preventive | |
Include network equipment in the Information Technology inventory. CC ID 00693 | Establish/Maintain Documentation | Preventive | |
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Establish/Maintain Documentation | Preventive | |
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Process or Activity | Preventive | |
Include software in the Information Technology inventory. CC ID 00692 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a storage media inventory. CC ID 00694 | Establish/Maintain Documentation | Preventive | |
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 | Establish/Maintain Documentation | Preventive | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Establish/Maintain Documentation | Preventive | |
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Monitor and Evaluate Occurrences | Corrective | |
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Monitor and Evaluate Occurrences | Corrective | |
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Establish/Maintain Documentation | Preventive | |
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Technical Security | Preventive | |
Link the authentication system to the asset inventory. CC ID 13718 | Technical Security | Preventive | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Data and Information Management | Preventive | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Establish/Maintain Documentation | Preventive | |
Record the status of information systems in the asset inventory. CC ID 16304 | Data and Information Management | Preventive | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Data and Information Management | Preventive | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Establish/Maintain Documentation | Preventive | |
Include source code in the asset inventory. CC ID 14858 | Records Management | Preventive | |
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 [{establish}{ownership} Assets maintained in the inventory should be owned. § 8.1.2 Control ¶ 2] | Human Resources Management | Preventive | |
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Technical Security | Detective | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Establish/Maintain Documentation | Preventive | |
Record software license information for each asset in the asset inventory. CC ID 11736 | Data and Information Management | Preventive | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Establish/Maintain Documentation | Preventive | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Establish/Maintain Documentation | Preventive | |
Record the software version in the asset inventory. CC ID 12196 | Establish/Maintain Documentation | Preventive | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Establish/Maintain Documentation | Preventive | |
Record the authentication system in the asset inventory. CC ID 13724 | Establish/Maintain Documentation | Preventive | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Establish/Maintain Documentation | Preventive | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Establish/Maintain Documentation | Preventive | |
Record the make and model of the device for applicable assets in the asset inventory. CC ID 12465 | Establish/Maintain Documentation | Preventive | |
Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Establish/Maintain Documentation | Preventive | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Establish/Maintain Documentation | Preventive | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Establish/Maintain Documentation | Preventive | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Establish/Maintain Documentation | Preventive | |
Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Data and Information Management | Preventive | |
Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Establish/Maintain Documentation | Preventive | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Data and Information Management | Preventive | |
Record the department associated with the asset in the asset inventory. CC ID 12084 | Establish/Maintain Documentation | Preventive | |
Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Establish/Maintain Documentation | Preventive | |
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Establish/Maintain Documentation | Preventive | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Establish/Maintain Documentation | Preventive | |
Record the related business function for applicable assets in the asset inventory. CC ID 06636 | Establish/Maintain Documentation | Preventive | |
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Establish/Maintain Documentation | Preventive | |
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Establish/Maintain Documentation | Preventive | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Data and Information Management | Preventive | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Data and Information Management | Preventive | |
Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Establish/Maintain Documentation | Preventive | |
Record the owner for applicable assets in the asset inventory. CC ID 06640 | Establish/Maintain Documentation | Preventive | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Establish/Maintain Documentation | Preventive | |
Record all changes to assets in the asset inventory. CC ID 12190 | Establish/Maintain Documentation | Preventive | |
Record cloud service derived data in the asset inventory. CC ID 13007 | Establish/Maintain Documentation | Preventive | |
Include cloud service customer data in the asset inventory. CC ID 13006 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to ensure that there is an effective and prioritized escalation path for incidents, such that crisis management and business continuity management plans can be invoked in the right circumstances and at the right time; § 16.1.2 Health-specific controls ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Include detection procedures in the Incident Management program. CC ID 00588 | Establish/Maintain Documentation | Preventive | |
Contain the incident to prevent further loss. CC ID 01751 | Process or Activity | Corrective | |
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to collect and preserve incident-related audit logs and other relevant evidence. § 16.1.2 Health-specific controls ¶ 1(c)] | Log Management | Corrective | |
Include incident management procedures in the Incident Management program. CC ID 12689 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: § 16.1.2 Health-specific controls ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Establish/Maintain Documentation | Corrective | |
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Establish/Maintain Documentation | Preventive | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Establish/Maintain Documentation | Preventive | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: § 16.1.2 Health-specific controls ¶ 1] | Establish Roles | Preventive | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Establish Roles | Preventive | |
Open a priority incident request after a security breach is detected. CC ID 04838 | Testing | Corrective | |
Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Testing | Corrective | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Communicate | Corrective | |
Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Establish Roles | Preventive | |
Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Establish Roles | Preventive | |
Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Establish Roles | Preventive | |
Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 | Establish Roles | Preventive | |
Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Establish Roles | Preventive | |
Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Establish Roles | Preventive | |
Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Establish Roles | Preventive | |
Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 | Establish Roles | Preventive | |
Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Establish Roles | Preventive | |
Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 | Human Resources Management | Preventive | |
Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 | Investigate | Detective | |
Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 | Establish/Maintain Documentation | Preventive | |
Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 | Communicate | Preventive | |
Establish, implement, and maintain incident response procedures. CC ID 01206 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to ensure effective and timely response to security incidents; § 16.1.2 Health-specific controls ¶ 1(a)] | Establish/Maintain Documentation | Detective | |
Include references to industry best practices in the incident response procedures. CC ID 11956 | Establish/Maintain Documentation | Preventive | |
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Establish/Maintain Documentation | Preventive | |
Respond when an integrity violation is detected, as necessary. CC ID 10678 | Technical Security | Corrective | |
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Technical Security | Corrective | |
Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Technical Security | Corrective | |
Establish, implement, and maintain a change control program. CC ID 00886 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure the appropriate control of host applications and systems and continuity of patient care. § 12.1.2 Health-specific control] | Establish/Maintain Documentation | Preventive | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 | Establish/Maintain Documentation | Preventive | |
Include version control in the change control program. CC ID 13119 | Establish/Maintain Documentation | Preventive | |
Include service design and transition in the change control program. CC ID 13920 | Establish/Maintain Documentation | Preventive | |
Separate the production environment from development environment or test environment for the change control process. CC ID 11864 | Maintenance | Preventive | |
Integrate configuration management procedures into the change control program. CC ID 13646 | Technical Security | Preventive | |
Establish, implement, and maintain a back-out plan. CC ID 13623 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 | Establish/Maintain Documentation | Preventive | |
Approve back-out plans, as necessary. CC ID 13627 | Establish/Maintain Documentation | Corrective | |
Manage change requests. CC ID 00887 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure the appropriate control of host applications and systems and continuity of patient care. § 12.1.2 Health-specific control] | Business Processes | Preventive | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a change request approver list. CC ID 06795 | Establish/Maintain Documentation | Preventive | |
Document all change requests in change request forms. CC ID 06794 | Establish/Maintain Documentation | Preventive | |
Test proposed changes prior to their approval. CC ID 00548 | Testing | Detective | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 | Business Processes | Detective | |
Approve tested change requests. CC ID 11783 | Data and Information Management | Preventive | |
Validate the system before implementing approved changes. CC ID 01510 | Systems Design, Build, and Implementation | Preventive | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Behavior | Preventive | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 | Establish/Maintain Documentation | Preventive | |
Perform emergency changes, as necessary. CC ID 12707 | Process or Activity | Preventive | |
Back up emergency changes after the change has been performed. CC ID 12734 | Process or Activity | Preventive | |
Log emergency changes after they have been performed. CC ID 12733 | Establish/Maintain Documentation | Preventive | |
Perform risk assessments prior to approving change requests. CC ID 00888 | Testing | Preventive | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Process or Activity | Detective | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Investigate | Detective | |
Collect data about the network environment when certifying the network. CC ID 13125 | Investigate | Detective | |
Implement changes according to the change control program. CC ID 11776 | Business Processes | Preventive | |
Provide audit trails for all approved changes. CC ID 13120 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Process or Activity | Preventive | |
Document the sources of all software updates. CC ID 13316 | Establish/Maintain Documentation | Preventive | |
Implement patch management software, as necessary. CC ID 12094 | Technical Security | Preventive | |
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Technical Security | Preventive | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a patch log. CC ID 01642 | Establish/Maintain Documentation | Preventive | |
Review the patch log for missing patches. CC ID 13186 | Technical Security | Detective | |
Perform a patch test prior to deploying a patch. CC ID 00898 | Testing | Detective | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Business Processes | Preventive | |
Deploy software patches in accordance with organizational standards. CC ID 07032 | Configuration | Corrective | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Testing | Detective | |
Patch software. CC ID 11825 | Technical Security | Corrective | |
Patch the operating system, as necessary. CC ID 11824 | Technical Security | Corrective | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Configuration | Corrective | |
Remove outdated software after software has been updated. CC ID 11792 | Configuration | Corrective | |
Update computer firmware, as necessary. CC ID 11755 | Configuration | Corrective | |
Review changes to computer firmware. CC ID 12226 | Testing | Detective | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Testing | Detective | |
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Configuration | Corrective | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 | Technical Security | Detective | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Systems Design, Build, and Implementation | Preventive | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 | Behavior | Preventive | |
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Data and Information Management | Preventive | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 | Business Processes | Corrective | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Establish/Maintain Documentation | Detective | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 | Testing | Detective | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 | Testing | Detective | |
Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Establish/Maintain Documentation | Corrective | |
Update associated documentation after the system configuration has been changed. CC ID 00891 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a configuration change log. CC ID 08710 | Configuration | Detective | |
Document approved configuration deviations. CC ID 08711 | Establish/Maintain Documentation | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Physical and environmental protection CC ID 00709 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a physical security program. CC ID 11757 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 | Establish/Maintain Documentation | Preventive | |
Identify and document physical access controls for all physical entry points. CC ID 01637 | Establish/Maintain Documentation | Preventive | |
Control physical access to (and within) the facility. CC ID 01329 [Organizations processing personal health information should use security perimeters to protect areas that contain information processing facilities supporting such health applications. These secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.1 Health-specific control] | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain physical access procedures. CC ID 13629 | Establish/Maintain Documentation | Preventive | |
Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and Environmental Protection | Preventive | |
Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and Environmental Protection | Detective | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Establish/Maintain Documentation | Preventive | |
Escort visitors within the facility, as necessary. CC ID 06417 | Establish/Maintain Documentation | Preventive | |
Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and Environmental Protection | Preventive | |
Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Testing | Preventive | |
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Behavior | Preventive | |
Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Establish/Maintain Documentation | Preventive | |
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Establish/Maintain Documentation | Preventive | |
Authorize physical access to sensitive areas based on job functions. CC ID 12462 | Establish/Maintain Documentation | Preventive | |
Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 | Physical and Environmental Protection | Corrective | |
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain physical identification procedures. CC ID 00713 | Establish/Maintain Documentation | Preventive | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Human Resources Management | Preventive | |
Implement physical identification processes. CC ID 13715 | Process or Activity | Preventive | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Process or Activity | Preventive | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and Environmental Protection | Preventive | |
Implement operational requirements for card readers. CC ID 02225 | Testing | Preventive | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Establish/Maintain Documentation | Preventive | |
Document all lost badges in a lost badge list. CC ID 12448 | Establish/Maintain Documentation | Corrective | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and Environmental Protection | Preventive | |
Manage constituent identification inside the facility. CC ID 02215 | Behavior | Preventive | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Human Resources Management | Preventive | |
Manage visitor identification inside the facility. CC ID 11670 | Physical and Environmental Protection | Preventive | |
Issue visitor identification badges to all non-employees. CC ID 00543 | Behavior | Preventive | |
Secure unissued visitor identification badges. CC ID 06712 | Physical and Environmental Protection | Preventive | |
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Behavior | Preventive | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Establish/Maintain Documentation | Preventive | |
Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Process or Activity | Preventive | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Establish/Maintain Documentation | Preventive | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Business Processes | Preventive | |
Include information security in the identification issuance procedures. CC ID 15425 | Establish/Maintain Documentation | Preventive | |
Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Process or Activity | Preventive | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Establish/Maintain Documentation | Preventive | |
Include an identity registration process in the identification issuance procedures. CC ID 11671 | Establish/Maintain Documentation | Preventive | |
Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and Environmental Protection | Preventive | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and Environmental Protection | Preventive | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and Environmental Protection | Preventive | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Establish/Maintain Documentation | Preventive | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Human Resources Management | Preventive | |
Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Establish/Maintain Documentation | Preventive | |
Prevent tailgating through physical entry points. CC ID 06685 | Physical and Environmental Protection | Preventive | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 [Organizations processing personal health information should use security perimeters to protect areas that contain information processing facilities supporting such health applications. These secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.1 Health-specific control] | Physical and Environmental Protection | Preventive | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and Environmental Protection | Preventive | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and Environmental Protection | Preventive | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and Environmental Protection | Detective | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and Environmental Protection | Preventive | |
Protect distributed assets against theft. CC ID 06799 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Establish/Maintain Documentation | Preventive | |
Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 [In addition to implementing the control given by ISO/IEC 27002, organizations providing or using equipment, data or software to support a healthcare application containing personal health information shall not allow such equipment, data, or software to be removed from the site or relocated within it without authorization by the organization. § 11.2.5 Health-specific control] | Process or Activity | Preventive | |
Establish, implement, and maintain asset return procedures. CC ID 04537 | Establish/Maintain Documentation | Preventive | |
Require the return of all assets upon notification an individual is terminated. CC ID 06679 [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control] | Behavior | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Data and Information Management | Preventive | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Data and Information Management | Preventive | |
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 [The organization should identify and document all parties with whom patient data is exchanged and contractual agreements should be made with these parties regulating access and privileges, prior to exchange of patient data. § 9.1.1 Health-specific control ¶ 5] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Establish/Maintain Documentation | Preventive | |
Dispose of media and restricted data in a timely manner. CC ID 00125 [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control; In addition to implementing the control given by ISO/IEC 27002, organizations processing health information applications shall securely erase or else destroy all media containing health information application software or personal health information when the media are no longer required for use. § 11.2.7 Health-specific control; In addition to implementing the control given by ISO/IEC 27002, all personal health information shall be securely erased or else the media destroyed when no longer required for use. § 8.3.2 Health-specific control] | Data and Information Management | Preventive | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Records Management | Preventive | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Communicate | Preventive | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Establish/Maintain Documentation | Preventive | |
Process restricted data lawfully and carefully. CC ID 00086 | Establish Roles | Preventive | |
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Data and Information Management | Preventive | |
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 [Organizations should inform the subject of care whenever lack of availability of health information systems may have adversely affected their care. § 16.1.2 Health-specific controls ¶ 4] | Communicate | Corrective | |
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Establish/Maintain Documentation | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 [Health information systems processing personal health information shall provide personally identifying information to assist health professionals in confirming that the electronic health record retrieved matches the subject of care under treatment. § 14.1.1.2 Health-specific control; Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when a healthcare relationship exists between the user and the data subject (the subject of care whose personal health information is being accessed); § 9.1.1 Health-specific control ¶ 1(a)] | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when the user is carrying out an activity on behalf of the data subject; § 9.1.1 Health-specific control ¶ 1(b)] | Data and Information Management | Preventive | |
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 [Organizations should inform the subject of care whenever personal health information has been unintentionally disclosed. § 16.1.2 Health-specific controls ¶ 3] | Communicate | Corrective | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [{confidential information} All health information systems processing personal health information should inform users of the confidentiality of personal health information accessible from the system (e.g. at start-up or log-in) and should label hardcopy output as confidential when it contains personal health information. § 8.2.2 Health-specific control] | Establish/Maintain Documentation | Preventive | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Data and Information Management | Preventive | |
Protect electronic messaging information. CC ID 12022 | Technical Security | Preventive | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Data and Information Management | Preventive | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Configuration | Preventive | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Testing | Detective | |
Store payment card data in secure chips, if possible. CC ID 13065 | Configuration | Preventive | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Configuration | Preventive | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Technical Security | Preventive | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Data and Information Management | Preventive | |
Log the disclosure of personal data. CC ID 06628 | Log Management | Preventive | |
Log the modification of personal data. CC ID 11844 | Log Management | Preventive | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Technical Security | Preventive | |
Implement security measures to protect personal data. CC ID 13606 | Technical Security | Preventive | |
Implement physical controls to protect personal data. CC ID 00355 | Testing | Preventive | |
Limit data leakage. CC ID 00356 | Data and Information Management | Preventive | |
Conduct personal data risk assessments. CC ID 00357 | Testing | Detective | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Business Processes | Preventive | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Data and Information Management | Detective | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Data and Information Management | Detective | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Monitor and Evaluate Occurrences | Detective | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Investigate | Detective | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Behavior | Detective | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Data and Information Management | Detective | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Log Management | Detective | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Monitor and Evaluate Occurrences | Corrective | |
Log dates for account name changes or address changes. CC ID 04876 | Log Management | Detective | |
Review accounts that are changed for additional user requests. CC ID 11846 | Monitor and Evaluate Occurrences | Detective | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Data and Information Management | Detective | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Acquisition/Sale of Assets or Services | Preventive | |
Search the Internet for evidence of data leakage. CC ID 10419 | Process or Activity | Detective | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Process or Activity | Preventive | |
Review monitored websites for data leakage. CC ID 10593 | Monitor and Evaluate Occurrences | Detective | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Process or Activity | Corrective | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Data and Information Management | Preventive | |
Change or destroy any personal data that is incorrect. CC ID 00462 [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control] | Data and Information Management | Corrective | |
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Behavior | Corrective | |
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes for which it was collected. CC ID 13610 | Data and Information Management | Preventive | |
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Data and Information Management | Corrective | |
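The suspicious user account activity mandates in the table above (CC ID 04874, "report when dormant accounts suddenly exhibit unusual activity", and CC ID 04876, "log dates for account name changes or address changes") describe a detection that is easy to state and easy to get wrong. The script below is an added example, not part of ISO 27799 or the UCF report: it parses a constructed access log, raises an alert when an account logs in after a dormancy gap of at least 90 days, and raises a second alert when a name or address change follows such a reactivation within an hour. The log format, account names, event names and both thresholds are assumptions made for the illustration.

```python
"""Dormant-account reactivation detection over a constructed access log.

Added example; not part of the ISO 27799 / UCF document. The log format
("<ISO timestamp> <account> <event>"), accounts, events and thresholds
are all constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-01-03T09:12:00 alice login
2024-01-04T10:01:00 bob login
2024-01-05T08:30:00 alice login
2024-02-10T11:45:00 bob login
2024-03-01T09:00:00 alice login
2024-03-15T14:20:00 bob login
2024-06-20T02:14:00 alice login
2024-06-20T02:16:00 alice address_change
2024-06-21T09:00:00 bob login
"""

DORMANT_AFTER = timedelta(days=90)   # assumed dormancy threshold
CHANGE_WINDOW = timedelta(hours=1)   # assumed "change soon after reactivation" window
PROFILE_CHANGES = {"address_change", "name_change"}  # events per CC ID 04876


def parse_log(text):
    """Parse log lines into (timestamp, account, event), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event = line.split()
        events.append((datetime.fromisoformat(ts), account, event))
    events.sort(key=lambda e: e[0])
    return events


def find_reactivations(events, dormant_after=DORMANT_AFTER,
                       change_window=CHANGE_WINDOW):
    """Return alerts for logins after a dormancy gap, and for profile
    changes that land inside change_window after such a login.

    Only the gap since the account's previous login is considered, so a
    first-ever login is never treated as a reactivation.
    """
    last_login = {}      # account -> time of most recent login
    reactivated_at = {}  # account -> time of the login that ended dormancy
    alerts = []
    for ts, account, event in events:
        if event == "login":
            prev = last_login.get(account)
            if prev is not None and ts - prev >= dormant_after:
                alerts.append({"account": account, "type": "dormant_reactivation",
                               "gap_days": (ts - prev).days, "at": ts})
                reactivated_at[account] = ts
            last_login[account] = ts
        elif event in PROFILE_CHANGES:
            r = reactivated_at.get(account)
            if r is not None and ts - r <= change_window:
                alerts.append({"account": account, "type": "change_after_reactivation",
                               "event": event, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in find_reactivations(parse_log(SAMPLE_LOG)):
        print(alert)
```

With the constructed log, alice's login on 20 June comes 110 days after her previous one and is followed two minutes later by an address change, so both alert types fire for her; bob's 21 June login, 97 days after his last, fires only the reactivation alert. In production the dormancy gap should be computed from the authoritative last-login record rather than from whatever window of log lines happens to be loaded, otherwise an account whose earlier logins fall outside the window looks like a first-time user and is silently skipped.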
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain records management policies. CC ID 00903 | Establish/Maintain Documentation | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a data retention program. CC ID 00906 | Establish/Maintain Documentation | Detective | |
Archive appropriate records, logs, and database tables. CC ID 06321 [Publicly available health information (as distinct from personal health information) should be archived. § 14.1.3.1 Health-specific controls ¶ 1] | Records Management | Preventive | |
Maintain continued integrity for all stored data and stored records. CC ID 00969 [The source (authorship) of publicly available health information should be stated and its integrity should be protected. § 14.1.3.1 Health-specific controls ¶ 3] | Testing | Detective | |
Establish, implement, and maintain records management procedures. CC ID 11619 [Health information systems processing personal health information: shall be capable of merging duplicate or multiple records if it is determined that multiple records for the same subject of care have been created unintentionally or during a medical emergency. § 14.1.1.1 Health-specific control ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain source document authorization tracking. CC ID 01262 | Records Management | Detective | |
Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 | Business Processes | Detective | |
Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 | Process or Activity | Detective | |
Review the electronic storage media for the information the organization collects and processes. CC ID 13009 [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control] | Process or Activity | Detective | |
Remove non-public information from publicly accessible systems. CC ID 14246 | Data and Information Management | Corrective | |
Establish, implement, and maintain source document error handling tracking. CC ID 01263 | Records Management | Detective | |
Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 | Records Management | Preventive | |
Process restricted information in a secure environment. CC ID 13058 | Process or Activity | Preventive | |
Refrain from creating printed records as copies of electronic records. CC ID 11808 | Records Management | Preventive | |
Assign ownership for all electronic records. CC ID 14814 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 | Monitor and Evaluate Occurrences | Detective | |
Validate transactions against master files of third parties and clients, as necessary. CC ID 06552 | Records Management | Detective | |
Attribute electronic records, as necessary. CC ID 14820 | Establish/Maintain Documentation | Preventive | |
Validate transactions using identifiers and credentials. CC ID 13203 | Technical Security | Preventive | |
Establish, implement, and maintain a system storage log. CC ID 13532 | Records Management | Preventive | |
Establish, implement, and maintain a system input log. CC ID 13531 | Establish/Maintain Documentation | Preventive | |
Protect records from loss in accordance with applicable requirements. CC ID 12007 | Records Management | Preventive | |
Establish, implement, and maintain data accuracy controls. CC ID 00921 | Monitor and Evaluate Occurrences | Detective | |
Capture the records required by organizational compliance requirements. CC ID 00912 | Records Management | Detective | |
Establish, implement, and maintain data completeness controls. CC ID 11649 | Process or Activity | Preventive | |
Establish, implement, and maintain authorization records. CC ID 14367 | Establish/Maintain Documentation | Preventive | |
Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Establish/Maintain Documentation | Preventive | |
Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Establish/Maintain Documentation | Preventive | |
Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Establish/Maintain Documentation | Preventive | |
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Data and Information Management | Detective | |
Establish, implement, and maintain electronic health records. CC ID 14436 | Data and Information Management | Preventive | |
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Data and Information Management | Preventive | |
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records Management | Preventive | |
Display required information automatically in electronic health records. CC ID 14442 | Process or Activity | Preventive | |
Create summary of care records in accordance with applicable standards. CC ID 14440 | Establish/Maintain Documentation | Preventive | |
Provide the patient with a summary of care record, as necessary. CC ID 14441 | Actionable Reports or Measurements | Preventive | |
Create export summaries, as necessary. CC ID 14446 | Process or Activity | Preventive | |
Import data files into a patient's electronic health record. CC ID 14448 | Data and Information Management | Preventive | |
Export requested sections of the electronic health record. CC ID 14447 | Data and Information Management | Preventive | |
Identify patient-specific education resources. CC ID 14439 | Process or Activity | Detective | |
Establish and maintain an implantable device list. CC ID 14444 | Records Management | Preventive | |
Display the implantable device list to authorized users. CC ID 14445 | Data and Information Management | Preventive | |
Establish, implement, and maintain decision support interventions. CC ID 14443 | Business Processes | Preventive | |
Include attributes in the decision support intervention. CC ID 16766 | Data and Information Management | Preventive | |
Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records Management | Preventive | |
Log the termination date in the recordkeeping system. CC ID 16181 | Records Management | Preventive | |
Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records Management | Preventive | |
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records Management | Preventive | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records Management | Preventive | |
Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Log Management | Preventive | |
Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Log Management | Preventive | |
Log the number of routine items received into the recordkeeping system. CC ID 11701 | Establish/Maintain Documentation | Preventive | |
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Log Management | Preventive | |
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Log Management | Preventive | |
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Log Management | Preventive | |
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Log Management | Preventive | |
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Log Management | Preventive | |
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Log Management | Preventive | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Log Management | Preventive | |
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Log Management | Preventive | |
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Log Management | Preventive | |
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Log Management | Preventive | |
Log performance monitoring into the recordkeeping system. CC ID 11724 | Log Management | Preventive | |
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Log Management | Preventive | |
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Log Management | Preventive | |
Establish, implement, and maintain a transfer journal. CC ID 11729 | Records Management | Preventive | |
Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Log Management | Preventive | |
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Log Management | Preventive | |
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Log Management | Preventive | |
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Log Management | Preventive | |
Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records Management | Preventive | |
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Log Management | Preventive | |
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Log Management | Preventive | |
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Log Management | Preventive | |
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Data and Information Management | Detective | |
Include record integrity techniques in the records management procedures. CC ID 06418 [The integrity of publicly available health information should be protected to prevent unauthorized modification. § 14.1.3.1 Health-specific controls ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data availability controls. CC ID 15301 | Data and Information Management | Preventive | |
Note in electronic records converted from printed records, the location of the original. CC ID 11809 | Records Management | Preventive | |
Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 | Establish/Maintain Documentation | Preventive | |
Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 | Business Processes | Preventive | |
Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 | Business Processes | Preventive | |
Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 | Business Processes | Preventive | |
Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 | Business Processes | Preventive | |
Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 | Records Management | Preventive | |
Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 | Business Processes | Preventive | |
Control error handling when data is being inputted. CC ID 00922 | Data and Information Management | Detective | |
Establish, implement, and maintain electronic storage media security controls. CC ID 13204 | Technical Security | Preventive | |
Use automated entry devices to reduce errors during data input. CC ID 06626 | Data and Information Management | Preventive | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 | Establish Roles | Preventive | |
Compare each record's data input to its final form. CC ID 11813 | Records Management | Detective | |
Sanitize user input in accordance with organizational standards. CC ID 16856 | Process or Activity | Preventive | |
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Data and Information Management | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security label procedures. CC ID 06747 | Establish/Maintain Documentation | Preventive | |
Label restricted storage media appropriately. CC ID 00966 | Data and Information Management | Preventive | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 [{confidential information} All health information systems processing personal health information should inform users of the confidentiality of personal health information accessible from the system (e.g. at start-up or log-in) and should label hardcopy output as confidential when it contains personal health information. § 8.2.2 Health-specific control] | Records Management | Detective | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Establish/Maintain Documentation | Preventive | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Establish/Maintain Documentation | Preventive | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Data and Information Management | Preventive | |
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Technical Security | Preventive | |
Establish the minimum originator requirements for security labels. CC ID 06579 | Establish/Maintain Documentation | Preventive | |
Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Establish/Maintain Documentation | Preventive | |
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Establish/Maintain Documentation | Preventive | |
Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Establish/Maintain Documentation | Preventive | |
Establish and maintain access controls for all records. CC ID 00371 | Records Management | Preventive | |
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Data and Information Management | Preventive | |
Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information preservation policy. CC ID 16483 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information preservation procedures. CC ID 06277 | Establish/Maintain Documentation | Preventive | |
Implement and maintain high availability storage, as necessary. CC ID 00952 | Technical Security | Preventive | |
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 | Records Management | Preventive | |
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records Management | Preventive | |
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records Management | Preventive | |
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Technical Security | Preventive | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records Management | Preventive | |
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Testing | Detective | |
Provide encryption for different types of electronic storage media. CC ID 00945 [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control] | Technical Security | Preventive | |
Implement electronic storage media integrity controls. CC ID 00946 | Configuration | Preventive | |
Automate electronic storage media integrity check controls. CC ID 00948 | Configuration | Preventive | |
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Configuration | Preventive | |
Provide audit trails for all pertinent records. CC ID 00372 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a removable storage media log. CC ID 12317 [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control] | Log Management | Preventive | |
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Establish/Maintain Documentation | Preventive | |
Include the date and time in the removable storage media log. CC ID 12318 | Establish/Maintain Documentation | Preventive | |
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Establish/Maintain Documentation | Preventive | |
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Establish/Maintain Documentation | Preventive | |
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Establish/Maintain Documentation | Preventive | |
Include the sender's name in the removable storage media log. CC ID 12752 | Establish/Maintain Documentation | Preventive | |
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Establish/Maintain Documentation | Preventive | |
Include the reason for transfer in the removable storage media log. CC ID 12316 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Process or Activity | Preventive | |
Identify electronic storage media that require downgrading. CC ID 10620 | Process or Activity | Detective | |
Downgrade electronic storage media, as necessary. CC ID 10621 | Process or Activity | Corrective | |
Document all actions taken when downgrading electronic storage media. CC ID 10622 | Establish/Maintain Documentation | Preventive | |
Test the storage media downgrade for correct performance. CC ID 10623 | Testing | Detective | |
Establish, implement, and maintain output distribution procedures. CC ID 00927 | Establish/Maintain Documentation | Preventive | |
Include printed output in output distribution procedures. CC ID 13477 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain document retention procedures. CC ID 11660 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain electronic media distribution procedures. CC ID 11650 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain output balancing audit trails. CC ID 00928 | Establish/Maintain Documentation | Detective | |
Establish and maintain an error suspense file for rejected transactions. CC ID 06623 | Records Management | Preventive | |
Establish and maintain reconciliation audit trails. CC ID 11647 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data processing output log. CC ID 06624 | Log Management | Preventive | |
Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain paper document integrity requirements for the output of records. CC ID 00930 | Establish/Maintain Documentation | Preventive | |
Review and approve output exceptions. CC ID 06625 | Records Management | Preventive | |
Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627 | Testing | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
System hardening through configuration management CC ID 00860 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | Establish/Maintain Documentation | Preventive | |
Configure the time server in accordance with organizational standards. CC ID 06426 | Configuration | Preventive | |
Configure the time server to synchronize with specifically designated hosts. CC ID 06427 [Health information systems supporting time-critical shared care activities shall provide time synchronization services to support tracing and reconstitution of activity timelines where required. § 12.4.4 Health-specific control] | Configuration | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Systems design, build, and implementation CC ID 00989 | IT Impact Zone | IT Impact Zone | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems Design, Build, and Implementation | Preventive | |
Separate the design and development environment from the production environment. CC ID 06088 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those health information systems. Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s). § 12.1.4 Health-specific control] | Systems Design, Build, and Implementation | Preventive | |
Specify appropriate tools for the system development project. CC ID 06830 | Establish/Maintain Documentation | Preventive | |
Implement security controls in development endpoints. CC ID 16389 | Testing | Preventive | |
Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain a system implementation standard. CC ID 01111 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an implementation plan. CC ID 01114 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those health information systems. Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s). § 12.1.4 Health-specific control] | Establish/Maintain Documentation | Preventive | |
Include an implementation schedule in the implementation plan. CC ID 16124 | Establish/Maintain Documentation | Preventive | |
Include the allocation of resources in the implementation plan. CC ID 16122 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the implementation plan. CC ID 16121 | Establish/Maintain Documentation | Preventive | |
Approve implementation plans, as necessary. CC ID 13628 | Establish/Maintain Documentation | Corrective | |
Manage the system implementation process. CC ID 01115 | Behavior | Preventive | |
Evaluate and determine whether or not the newly developed system meets users' system design requirements. CC ID 01120 [Clinical users should be involved in the testing of clinically relevant system features. § 14.2.9 Health-specific control ¶ 2] | Testing | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain an access control program. CC ID 11702 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain access control policies. CC ID 00512 [Organizations processing personal health information shall have an access control policy governing access to these data. § 9.1.1 Health-specific control ¶ 2 {external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4 The organization's policy on access control should be established on the basis of predefined roles with associated authorities which are consistent with, but limited to, the needs of that role. § 9.1.1 Health-specific control ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the access control policy. CC ID 14006 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the access control policy. CC ID 14005 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the access control policy. CC ID 14004 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the access control policy. CC ID 14003 | Establish/Maintain Documentation | Preventive | |
Include the scope in the access control policy. CC ID 14002 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the access control policy. CC ID 14001 | Establish/Maintain Documentation | Preventive | |
Document the business need justification for user accounts. CC ID 15490 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Establish/Maintain Documentation | Preventive | |
Identify information system users. CC ID 12081 | Technical Security | Detective | |
Review user accounts. CC ID 00525 [User registration details shall be periodically reviewed to ensure that they are complete, accurate and that access is still required. § 9.2.1 Health-specific control ¶ 2] | Technical Security | Detective | |
Match user accounts to authorized parties. CC ID 12126 | Configuration | Detective | |
Control access rights to organizational assets. CC ID 00004 | Technical Security | Preventive | |
Establish access rights based on least privilege. CC ID 01411 [Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will become available to the user. § 9.2.1 Health-specific control ¶ 1] | Technical Security | Preventive | |
Assign user permissions based on job responsibilities. CC ID 00538 | Technical Security | Preventive | |
Assign user privileges after they have management sign off. CC ID 00542 | Technical Security | Preventive | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Configuration | Preventive | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Establish Roles | Preventive | |
Enforce access restrictions for restricted data. CC ID 01921 [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: § 9.1.1 Health-specific control ¶ 1] | Data and Information Management | Preventive | |
Establish, implement, and maintain User Access Management procedures. CC ID 00514 [{external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4] | Technical Security | Preventive | |
Establish, implement, and maintain an authority for access authorization list. CC ID 06782 | Establish/Maintain Documentation | Preventive | |
Review and approve logical access to all assets based upon organizational policies. CC ID 06641 | Technical Security | Preventive | |
Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 | Technical Security | Preventive | |
Assign roles and responsibilities for administering user account management. CC ID 11900 | Human Resources Management | Preventive | |
Automate access control methods, as necessary. CC ID 11838 | Technical Security | Preventive | |
Automate Access Control Systems, as necessary. CC ID 06854 | Technical Security | Preventive | |
Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical Security | Preventive | |
Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 | Technical Security | Preventive | |
Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Communicate | Detective | |
Remove inactive user accounts, as necessary. CC ID 00517 | Technical Security | Corrective | |
Remove temporary user accounts, as necessary. CC ID 11839 | Technical Security | Corrective | |
Establish, implement, and maintain a password policy. CC ID 16346 | Establish/Maintain Documentation | Preventive | |
Enforce the password policy. CC ID 16347 | Technical Security | Preventive | |
Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Establish/Maintain Documentation | Preventive | |
Limit superuser accounts to designated System Administrators. CC ID 06766 | Configuration | Preventive | |
Enforce usage restrictions for superuser accounts. CC ID 07064 | Technical Security | Preventive | |
Establish, implement, and maintain access control procedures. CC ID 11663 [Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will become available to the user. § 9.2.1 Health-specific control ¶ 1] | Establish/Maintain Documentation | Preventive | |
Implement out-of-band authentication, as necessary. CC ID 10606 | Technical Security | Corrective | |
Grant access to authorized personnel or systems. CC ID 12186 | Configuration | Preventive | |
Document approving and granting access in the access control log. CC ID 06786 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Communicate | Preventive | |
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Establish/Maintain Documentation | Preventive | |
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Establish/Maintain Documentation | Preventive | |
Include the date and time that access was reviewed in the system record. CC ID 16416 | Data and Information Management | Preventive | |
Include the date and time that access rights were changed in the system record. CC ID 16415 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Communicate | Corrective | |
Identify and control all network access controls. CC ID 00529 | Technical Security | Preventive | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Establish/Maintain Documentation | Preventive | |
Segregate systems in accordance with organizational standards. CC ID 12546 | Technical Security | Preventive | |
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 | Technical Security | Preventive | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 [{processing architecture} Access to information and application system functions related to the processing personal health information should be isolated from (and separate to) access to information processing infrastructure that is unrelated to the processing of personal health information. § 9.4.1 Health-specific control ¶ 2] | Data and Information Management | Preventive | |
Enforce information flow control. CC ID 11781 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Establish/Maintain Documentation | Preventive | |
Constrain the information flow of restricted data or restricted information. CC ID 06763 | Data and Information Management | Preventive | |
Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when there is a need for specific data to support this activity. § 9.1.1 Health-specific control ¶ 1(c)] | Data and Information Management | Preventive | |
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information flow procedures. CC ID 04542 [{external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4] | Establish/Maintain Documentation | Preventive | |
Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 | Data and Information Management | Preventive | |
Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 | Data and Information Management | Preventive | |
Control all methods of remote access and teleworking. CC ID 00559 | Technical Security | Preventive | |
Implement multifactor authentication techniques. CC ID 00561 [{multifactor authentication} Health information systems processing personal health information shall authenticate users and should do so by means of authentication involving at least two factors. § 9.4.1 Health-specific control ¶ 1] | Configuration | Preventive | |
Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical Security | Preventive | |
Document and approve requests to bypass multifactor authentication. CC ID 15464 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 | Establish/Maintain Documentation | Preventive | |
Install security and protection software, as necessary. CC ID 00575 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. § 12.2.1 Health-specific control] | Configuration | Preventive | |
Install and maintain container security solutions. CC ID 16178 | Technical Security | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Process or Activity | Detective | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Establish/Maintain Documentation | Preventive | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [The organization should identify and document all parties with whom patient data is exchanged and contractual agreements should be made with these parties regulating access and privileges, prior to exchange of patient data. § 9.1.1 Health-specific control ¶ 5] | Business Processes | Preventive | |
Include risk management procedures in the supply chain management policy. CC ID 08811 | Establish/Maintain Documentation | Preventive | |
Perform risk assessments of third parties, as necessary. CC ID 06454 | Testing | Detective | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 [In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level of risk and to the technologies employed. § 15.1.1 Health-specific control] | Establish/Maintain Documentation | Preventive | |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Correct defective acquired goods or services. CC ID 06911 | Acquisition or sale of facilities, technology, and services | Corrective | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Detective | |
Provide the patient with a summary of care record, as necessary. CC ID 14441 | Records management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Monitoring and measurement | Preventive | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Preventive | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [Healthcare project management should consider patient safety as a project risk in any project involving the processing of personal health information. § 6.1.5 Health-specific control] | Audits and risk management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and risk management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and risk management | Preventive | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and risk management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Detective | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level of risk and to the technologies employed. § 15.1.1 Health-specific control] | Audits and risk management | Preventive | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Leadership and high level objectives | Preventive | |
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Audits and risk management | Preventive | |
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Physical and environmental protection | Preventive | |
Manage constituent identification inside the facility. CC ID 02215 | Physical and environmental protection | Preventive | |
Issue visitor identification badges to all non-employees. CC ID 00543 | Physical and environmental protection | Preventive | |
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Physical and environmental protection | Preventive | |
Require the return of all assets upon notification an individual is terminated. CC ID 06679 [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control] | Physical and environmental protection | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Preventive | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Preventive | |
Implement a sanctions process for personnel who fail to comply with the organizational compliance program. CC ID 01442 [Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. § 7.2.2 Health-specific control ¶ 2] | Human Resources management | Corrective | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Preventive | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Operational management | Preventive | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 | Operational management | Preventive | |
Manage the system implementation process. CC ID 01115 | Systems design, build, and implementation | Preventive | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Detective | |
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Privacy protection for information and data | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 | Leadership and high level objectives | Preventive | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Leadership and high level objectives | Preventive | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Leadership and high level objectives | Preventive | |
Estimate the costs of implementing the compliance framework. CC ID 07191 | Leadership and high level objectives | Preventive | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 [have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. § 6.1.1 Health-specific control ¶ 1(b)] | Operational management | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Preventive | |
Establish, implement, and maintain an asset inventory. CC ID 06631 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: account for health information assets (i.e. maintain an inventory of such assets); § 8.1.1 Health-specific control ¶ 1(a)] | Operational management | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive | |
Manage change requests. CC ID 00887 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure the appropriate control of host applications and systems and continuity of patient care. § 12.1.2 Health-specific control] | Operational management | Preventive | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 | Operational management | Detective | |
Implement changes according to the change control program. CC ID 11776 | Operational management | Preventive | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Operational management | Preventive | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 | Operational management | Corrective | |
Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 | Records management | Detective | |
Establish, implement, and maintain decision support interventions. CC ID 14443 | Records management | Preventive | |
Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 | Records management | Preventive | |
Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 | Records management | Preventive | |
Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 | Records management | Preventive | |
Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 | Records management | Preventive | |
Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 | Records management | Preventive | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Preventive | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [The organization should identify and document all parties with whom patient data is exchanged and contractual agreements should be made with these parties regulating access and privileges, prior to exchange of patient data. § 9.1.1 Health-specific control ¶ 5] | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Leadership and high level objectives | Preventive | |
Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Technical security | Detective | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Preventive | |
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Technical security | Corrective | |
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Human Resources management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Preventive | |
Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 | Human Resources management | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control In addition to implementing the control given by ISO/IEC 27002, all organizations processing personal health information shall ensure that information security education and training are provided on induction and, that regular updates in organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information. § 7.2.2 Health-specific control ¶ 1] | Operational management | Preventive | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Preventive | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Operational management | Corrective | |
Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 | Operational management | Preventive | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Preventive | |
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 [Organizations should inform the subject of care whenever lack of availability of health information systems may have adversely affected their care. § 16.1.2 Health-specific controls ¶ 4] | Privacy protection for information and data | Corrective | |
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 [Organizations should inform the subject of care whenever personal health information has been unintentionally disclosed. § 16.1.2 Health-specific controls ¶ 3] | Privacy protection for information and data | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Match user accounts to authorized parties. CC ID 12126 | Technical security | Detective | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Preventive | |
Limit superuser accounts to designated System Administrators. CC ID 06766 | Technical security | Preventive | |
Grant access to authorized personnel or systems. CC ID 12186 | Technical security | Preventive | |
Implement multifactor authentication techniques. CC ID 00561 [{multifactor authentication} Health information systems processing personal health information shall authenticate users and should do so by means of authentication involving at least two factors. § 9.4.1 Health-specific control ¶ 1] | Technical security | Preventive | |
Install security and protection software, as necessary. CC ID 00575 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. § 12.2.1 Health-specific control] | Technical security | Preventive | |
Encrypt backup data. CC ID 00958 [To protect its confidentiality, personal health information should be backed up in an encrypted format. § 12.3.1 Health-specific control ¶ 2] | Operational and Systems Continuity | Preventive | |
Deploy software patches in accordance with organizational standards. CC ID 07032 | Operational management | Corrective | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Operational management | Corrective | |
Remove outdated software after software has been updated. CC ID 11792 | Operational management | Corrective | |
Update computer firmware, as necessary. CC ID 11755 | Operational management | Corrective | |
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Operational management | Corrective | |
Establish, implement, and maintain a configuration change log. CC ID 08710 | Operational management | Detective | |
Configure the time server in accordance with organizational standards. CC ID 06426 | System hardening through configuration management | Preventive | |
Configure the time server to synchronize with specifically designated hosts. CC ID 06427 [Health information systems supporting time-critical-shared care activities shall provide time synchronization services to support tracing and reconstitution of activity timelines where required. § 12.4.4 Health-specific control] | System hardening through configuration management | Preventive | |
Implement electronic storage media integrity controls. CC ID 00946 | Records management | Preventive | |
Automate electronic storage media integrity check controls. CC ID 00948 | Records management | Preventive | |
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Records management | Preventive | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Preventive | |
Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Preventive | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Leadership and high level objectives | Preventive | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Leadership and high level objectives | Preventive | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Leadership and high level objectives | Preventive | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Leadership and high level objectives | Preventive | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Leadership and high level objectives | Preventive | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Leadership and high level objectives | Preventive | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Leadership and high level objectives | Preventive | |
Classify the value of information in the information classification standard. CC ID 11995 | Leadership and high level objectives | Preventive | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Leadership and high level objectives | Preventive | |
Define the scope of the security policy. CC ID 07145 | Leadership and high level objectives | Preventive | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Preventive | |
Enforce access restrictions for restricted data. CC ID 01921 [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: § 9.1.1 Health-specific control ¶ 1] | Technical security | Preventive | |
Include the date and time that access was reviewed in the system record. CC ID 16416 | Technical security | Preventive | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 [{processing architecture} Access to information and application system functions related to the processing of personal health information should be isolated from (and separate to) access to information processing infrastructure that is unrelated to the processing of personal health information. § 9.4.1 Health-specific control ¶ 2] | Technical security | Preventive | |
Constrain the information flow of restricted data or restricted information. CC ID 06763 | Technical security | Preventive | |
Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when there is a need for specific data to support this activity. § 9.1.1 Health-specific control ¶ 1(c)] | Technical security | Preventive | |
Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 | Technical security | Preventive | |
Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 | Technical security | Preventive | |
Store backup media at an off-site electronic media storage facility. CC ID 01332 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1] | Operational and Systems Continuity | Preventive | |
Transport backup media in lockable electronic media storage containers. CC ID 01264 | Operational and Systems Continuity | Preventive | |
Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 | Operational and Systems Continuity | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Preventive | |
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Operational management | Preventive | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Preventive | |
Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Preventive | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Preventive | |
Record software license information for each asset in the asset inventory. CC ID 11736 | Operational management | Preventive | |
Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Operational management | Preventive | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Preventive | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Preventive | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Preventive | |
Approve tested change requests. CC ID 11783 | Operational management | Preventive | |
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Operational management | Preventive | |
Remove non-public information from publicly accessible systems. CC ID 14246 | Records management | Corrective | |
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Records management | Detective | |
Establish, implement, and maintain electronic health records. CC ID 14436 | Records management | Preventive | |
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Records management | Preventive | |
Import data files into a patient's electronic health record. CC ID 14448 | Records management | Preventive | |
Export requested sections of the electronic health record. CC ID 14447 | Records management | Preventive | |
Display the implantable device list to authorized users. CC ID 14445 | Records management | Preventive | |
Include attributes in the decision support intervention. CC ID 16766 | Records management | Preventive | |
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Records management | Detective | |
Establish, implement, and maintain data availability controls. CC ID 15301 | Records management | Preventive | |
Control error handling when data is being inputted. CC ID 00922 | Records management | Detective | |
Use automated entry devices to reduce errors during data input. CC ID 06626 | Records management | Preventive | |
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Records management | Preventive | |
Label restricted storage media appropriately. CC ID 00966 | Records management | Preventive | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Records management | Preventive | |
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Records management | Preventive | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Preventive | |
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Privacy protection for information and data | Preventive | |
Dispose of media and restricted data in a timely manner. CC ID 00125 [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control In addition to implementing the control given by ISO/IEC 27002, organizations processing health information applications shall securely erase or else destroy all media containing health information application software or personal health information when the media are no longer required for use. § 11.2.7 Health-specific control In addition to implementing the control given by ISO/IEC 27002, all personal health information shall be securely erased or else the media destroyed when no longer required for use. § 8.3.2 Health-specific control] | Privacy protection for information and data | Preventive | |
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 [Health information systems processing personal health information shall provide personally identifying information to assist health professionals in confirming that the electronic health record retrieved matches the subject of care under treatment. § 14.1.1.2 Health-specific control Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when a healthcare relationship exists between the user and the data subject (the subject of care whose personal health information is being accessed); § 9.1.1 Health-specific control ¶ 1(a)] | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when the user is carrying out an activity on behalf of the data subject; § 9.1.1 Health-specific control ¶ 1(b)] | Privacy protection for information and data | Preventive | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Preventive | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Preventive | |
Limit data leakage. CC ID 00356 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Detective | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Detective | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Detective | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Detective | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Preventive | |
Change or destroy any personal data that is incorrect. CC ID 00462 [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control] | Privacy protection for information and data | Corrective | |
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Preventive | |
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Leadership and high level objectives | Preventive | |
Assign the appropriate roles to all applicable compliance documents. CC ID 06284 | Leadership and high level objectives | Preventive | |
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Leadership and high level objectives | Preventive | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Preventive | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Preventive | |
Assign roles and responsibilities for physical security, as necessary. CC ID 13113 | Human Resources management | Preventive | |
Identify and define all critical roles. CC ID 00777 | Human Resources management | Preventive | |
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Human Resources management | Preventive | |
Assign the role of security management to applicable controls. CC ID 06444 | Human Resources management | Preventive | |
Define and assign the data controller's roles and responsibilities. CC ID 00471 | Human Resources management | Preventive | |
Assign the role of data controller to applicable controls. CC ID 00354 | Human Resources management | Preventive | |
Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Human Resources management | Preventive | |
Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Human Resources management | Preventive | |
Assign the role of logical access control to applicable controls. CC ID 00772 | Human Resources management | Preventive | |
Assign the role of asset physical security to applicable controls. CC ID 00770 | Human Resources management | Preventive | |
Assign the role of data custodian to applicable controls. CC ID 04789 | Human Resources management | Preventive | |
Assign the role of the Quality Management committee to applicable controls. CC ID 00769 | Human Resources management | Preventive | |
Assign interested personnel to the Quality Management committee. CC ID 07193 | Human Resources management | Preventive | |
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Human Resources management | Preventive | |
Assign the role of fire protection management to applicable controls. CC ID 04891 | Human Resources management | Preventive | |
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Human Resources management | Preventive | |
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Human Resources management | Preventive | |
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Human Resources management | Preventive | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Preventive | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Human Resources management | Preventive | |
Document and communicate role descriptions to all applicable personnel. CC ID 00776 [In addition to the control given by ISO/IEC 27002, all organizations whose staff members are involved in processing personal health information should document such involvement in relevant job descriptions. Security roles and responsibilities, as laid down in the organization's information security policy, should also be documented in relevant job descriptions. § 7.1.2 Health-specific control ¶ 1] | Human Resources management | Detective | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Preventive | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: § 16.1.2 Health-specific controls ¶ 1] | Operational management | Preventive | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Preventive | |
Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Operational management | Preventive | |
Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Operational management | Preventive | |
Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Operational management | Preventive | |
Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 | Operational management | Preventive | |
Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Operational management | Preventive | |
Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Operational management | Preventive | |
Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Operational management | Preventive | |
Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 | Operational management | Preventive | |
Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Operational management | Preventive | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 | Records management | Preventive | |
Process restricted data lawfully and carefully. CC ID 00086 | Privacy protection for information and data | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain an information classification standard. CC ID 00601 [{confidential information} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should uniformly classify such data as confidential. § 8.2.1 Health-specific control] | Leadership and high level objectives | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [A formal scope statement shall be produced that defines the boundary of compliance activity in terms of people, processes, places, platforms and applications. § 6.1.1 Health-specific control ¶ 4] | Leadership and high level objectives | Preventive | |
Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 | Leadership and high level objectives | Preventive | |
Correlate Information Systems with applicable controls. CC ID 01621 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 | Leadership and high level objectives | Preventive | |
Include the effective date on all organizational policies. CC ID 06820 | Leadership and high level objectives | Preventive | |
Include threats in the organization’s policies, standards, and procedures. CC ID 12953 | Leadership and high level objectives | Preventive | |
Analyze organizational policies, as necessary. CC ID 14037 | Leadership and high level objectives | Detective | |
Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 | Leadership and high level objectives | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Preventive | |
Map in scope assets and in scope records to external requirements. CC ID 12189 | Leadership and high level objectives | Detective | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Leadership and high level objectives | Preventive | |
Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Leadership and high level objectives | Preventive | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Leadership and high level objectives | Preventive | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Corrective | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Preventive | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Leadership and high level objectives | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Preventive | |
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Leadership and high level objectives | Detective | |
Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Preventive | |
Align the Authority Document list with external requirements. CC ID 06288 | Leadership and high level objectives | Preventive | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Preventive | |
Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Leadership and high level objectives | Detective | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 | Leadership and high level objectives | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Preventive | |
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Monitoring and measurement | Corrective | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Preventive | |
Identify and communicate improvements in metrics reporting. CC ID 06921 | Monitoring and measurement | Corrective | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 | Audits and risk management | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Audits and risk management | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Detective | |
Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Preventive | |
Establish, implement, and maintain access control policies. CC ID 00512 [Organizations processing personal health information shall have an access control policy governing access to these data. § 9.1.1 Health-specific control ¶ 2 {external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4 The organization's policy on access control should be established on the basis of predefined roles with associated authorities which are consistent with, but limited to, the needs of that role. § 9.1.1 Health-specific control ¶ 3] | Technical security | Preventive | |
Include compliance requirements in the access control policy. CC ID 14006 | Technical security | Preventive | |
Include coordination amongst entities in the access control policy. CC ID 14005 | Technical security | Preventive | |
Include management commitment in the access control policy. CC ID 14004 | Technical security | Preventive | |
Include roles and responsibilities in the access control policy. CC ID 14003 | Technical security | Preventive | |
Include the scope in the access control policy. CC ID 14002 | Technical security | Preventive | |
Include the purpose in the access control policy. CC ID 14001 | Technical security | Preventive | |
Document the business need justification for user accounts. CC ID 15490 | Technical security | Preventive | |
Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 | Technical security | Preventive | |
Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 | Technical security | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Preventive | |
Establish, implement, and maintain an authority for access authorization list. CC ID 06782 | Technical security | Preventive | |
Establish, implement, and maintain a password policy. CC ID 16346 | Technical security | Preventive | |
Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Technical security | Preventive | |
Establish, implement, and maintain access control procedures. CC ID 11663 [Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will become available to the user. § 9.2.1 Health-specific control ¶ 1] | Technical security | Preventive | |
Document approving and granting access in the access control log. CC ID 06786 | Technical security | Preventive | |
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Technical security | Preventive | |
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Technical security | Preventive | |
Include the date and time that access rights were changed in the system record. CC ID 16415 | Technical security | Preventive | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Technical security | Preventive | |
Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Technical security | Preventive | |
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 | Technical security | Preventive | |
Establish, implement, and maintain information flow procedures. CC ID 04542 [{external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4] | Technical security | Preventive | |
Document and approve requests to bypass multifactor authentication. CC ID 15464 | Technical security | Preventive | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 | Technical security | Preventive | |
Establish, implement, and maintain a physical security program. CC ID 11757 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 | Physical and environmental protection | Preventive | |
Identify and document physical access controls for all physical entry points. CC ID 01637 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical access procedures. CC ID 13629 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Physical and environmental protection | Preventive | |
Escort visitors within the facility, as necessary. CC ID 06417 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Physical and environmental protection | Preventive | |
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Physical and environmental protection | Preventive | |
Authorize physical access to sensitive areas based on job functions. CC ID 12462 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical identification procedures. CC ID 00713 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Preventive | |
Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Corrective | |
Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Physical and environmental protection | Preventive | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Preventive | |
Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Preventive | |
Include an identity registration process in the identification issuance procedures. CC ID 11671 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain asset return procedures. CC ID 04537 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Preventive | |
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Operational and Systems Continuity | Preventive | |
Define and assign the security staff roles and responsibilities. CC ID 11750 [At a minimum, at least one individual shall be responsible for health information security within the organization. § 6.1.1 Health-specific control ¶ 2] | Human Resources management | Preventive | |
Assign the roles and responsibilities for the asset management system. CC ID 14368 | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Preventive | |
Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Detective | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Preventive | |
Document the security clearance procedure results. CC ID 01635 | Human Resources management | Detective | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Human Resources management | Preventive | |
Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 | Human Resources management | Preventive | |
Establish, implement, and maintain job applications. CC ID 16180 | Human Resources management | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. § 12.2.1 Health-specific control] | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Preventive | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Preventive | |
Include safeguards for information systems in the security awareness program. CC ID 13046 | Human Resources management | Preventive | |
Include security policies and security standards in the security awareness program. CC ID 13045 | Human Resources management | Preventive | |
Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Preventive | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Human Resources management | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 [In addition to implementing the control given by ISO/IEC 27002, all organizations processing personal health information shall ensure that information security education and training are provided on induction and, that regular updates in organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information. § 7.2.2 Health-specific control ¶ 1] | Human Resources management | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Preventive | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Preventive | |
Establish, implement, and maintain a Code of Conduct. CC ID 04897 | Human Resources management | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. § 6.1.1 Health-specific control ¶ 1(b)] | Operational management | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Operational management | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 | Operational management | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Preventive | |
Include system development in the information security program. CC ID 12389 | Operational management | Preventive | |
Include system maintenance in the information security program. CC ID 12388 | Operational management | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Operational management | Preventive | |
Include access control in the information security program. CC ID 12386 | Operational management | Preventive | |
Include operations management in the information security program. CC ID 12385 | Operational management | Preventive | |
Include communication management in the information security program. CC ID 12384 | Operational management | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Operational management | Preventive | |
Include physical security in the information security program. CC ID 12382 | Operational management | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Operational management | Preventive | |
Include asset management in the information security program. CC ID 12380 | Operational management | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Preventive | |
Include risk management in the information security program. CC ID 12378 | Operational management | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control {ongoing basis} The health organization's information security policy should be subject to ongoing, staged review, such that the totality of the policy is addressed at least annually. The policy should be reviewed after the occurrence of a serious security incident. § 5.1.2 Health-specific control] | Operational management | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 | Operational management | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 [clearly define and assign information security responsibilities; § 6.1.1 Health-specific control ¶ 1(a)] | Operational management | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Preventive | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Corrective | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 [{health information asset} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: have rules for acceptable use of these assets that are identified, documented and implemented. § 8.1.1 Health-specific control ¶ 1(c)] | Operational management | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall ensure that any use, outside its premises, of medical devices that record or report data has been authorized. This should include equipment used by remote workers, even where such usage is perpetual (i.e. where it forms a core feature of the employee's role, such as for ambulance personnel, therapists, etc.). § 11.2.6 Health-specific control] | Operational management | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Corrective | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall have a confidentiality agreement in place that specifies the confidential nature of this information. The agreement shall be applicable to all personnel accessing health information. § 13.2.4 Health-specific control] | Operational management | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Preventive | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Preventive | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 | Operational management | Preventive | |
Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Preventive | |
Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Operational management | Preventive | |
Categorize all major applications according to the business information they process. CC ID 07182 | Operational management | Preventive | |
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Operational management | Preventive | |
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Operational management | Preventive | |
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Operational management | Preventive | |
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Operational management | Preventive | |
Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Operational management | Preventive | |
Include network equipment in the Information Technology inventory. CC ID 00693 | Operational management | Preventive | |
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Operational management | Preventive | |
Include software in the Information Technology inventory. CC ID 00692 | Operational management | Preventive | |
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Operational management | Preventive | |
Establish, implement, and maintain a storage media inventory. CC ID 00694 | Operational management | Preventive | |
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Operational management | Detective | |
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 | Operational management | Preventive | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Operational management | Preventive | |
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Operational management | Preventive | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Preventive | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Preventive | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Preventive | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Preventive | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Preventive | |
Record the software version in the asset inventory. CC ID 12196 | Operational management | Preventive | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Preventive | |
Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Preventive | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Preventive | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Preventive | |
Record the make and model of the device for applicable assets in the asset inventory. CC ID 12465 | Operational management | Preventive | |
Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Operational management | Preventive | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Preventive | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Preventive | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Preventive | |
Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Operational management | Preventive | |
Record the department associated with the asset in the asset inventory. CC ID 12084 | Operational management | Preventive | |
Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Operational management | Preventive | |
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Operational management | Preventive | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Preventive | |
Record the related business function for applicable assets in the asset inventory. CC ID 06636 | Operational management | Preventive | |
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Operational management | Preventive | |
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Operational management | Preventive | |
Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Operational management | Preventive | |
Record the owner for applicable assets in the asset inventory. CC ID 06640 | Operational management | Preventive | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Preventive | |
Record all changes to assets in the asset inventory. CC ID 12190 | Operational management | Preventive | |
Record cloud service derived data in the asset inventory. CC ID 13007 | Operational management | Preventive | |
Include cloud service customer data in the asset inventory. CC ID 13006 | Operational management | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to ensure that there is an effective and prioritized escalation path for incidents, such that crisis management and business continuity management plans can be invoked in the right circumstances and at the right time; § 16.1.2 Health-specific controls ¶ 1(b)] | Operational management | Preventive | |
Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Preventive | |
Include incident management procedures in the Incident Management program. CC ID 12689 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: § 16.1.2 Health-specific controls ¶ 1] | Operational management | Preventive | |
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Operational management | Corrective | |
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Preventive | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Preventive | |
Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 | Operational management | Preventive | |
Establish, implement, and maintain incident response procedures. CC ID 01206 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to ensure effective and timely response to security incidents; § 16.1.2 Health-specific controls ¶ 1(a)] | Operational management | Detective | |
Include references to industry best practices in the incident response procedures. CC ID 11956 | Operational management | Preventive | |
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Operational management | Preventive | |
Establish, implement, and maintain a change control program. CC ID 00886 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure the appropriate control of host applications and systems and continuity of patient care. § 12.1.2 Health-specific control] | Operational management | Preventive | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 | Operational management | Preventive | |
Include version control in the change control program. CC ID 13119 | Operational management | Preventive | |
Include service design and transition in the change control program. CC ID 13920 | Operational management | Preventive | |
Establish, implement, and maintain a back-out plan. CC ID 13623 | Operational management | Preventive | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 | Operational management | Preventive | |
Approve back-out plans, as necessary. CC ID 13627 | Operational management | Corrective | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 | Operational management | Preventive | |
Establish and maintain a change request approver list. CC ID 06795 | Operational management | Preventive | |
Document all change requests in change request forms. CC ID 06794 | Operational management | Preventive | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 | Operational management | Preventive | |
Log emergency changes after they have been performed. CC ID 12733 | Operational management | Preventive | |
Provide audit trails for all approved changes. CC ID 13120 | Operational management | Preventive | |
Document the sources of all software updates. CC ID 13316 | Operational management | Preventive | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Operational management | Preventive | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Operational management | Preventive | |
Establish, implement, and maintain a patch log. CC ID 01642 | Operational management | Preventive | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Operational management | Preventive | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Operational management | Detective | |
Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Operational management | Corrective | |
Update associated documentation after the system configuration has been changed. CC ID 00891 | Operational management | Preventive | |
Document approved configuration deviations. CC ID 08711 | Operational management | Corrective | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Detective | |
Establish, implement, and maintain a data retention program. CC ID 00906 | Records management | Detective | |
Establish, implement, and maintain records management procedures. CC ID 11619 [Health information systems processing personal health information: shall be capable of merging duplicate or multiple records if it is determined that multiple records for the same subject of care have been created unintentionally or during a medical emergency. § 14.1.1.1 Health-specific control ¶ 1(b)] | Records management | Preventive | |
Assign ownership for all electronic records. CC ID 14814 | Records management | Preventive | |
Attribute electronic records, as necessary. CC ID 14820 | Records management | Preventive | |
Establish, implement, and maintain a system input log. CC ID 13531 | Records management | Preventive | |
Establish, implement, and maintain authorization records. CC ID 14367 | Records management | Preventive | |
Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Records management | Preventive | |
Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Records management | Preventive | |
Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Records management | Preventive | |
Create summary of care records in accordance with applicable standards. CC ID 14440 | Records management | Preventive | |
Log the number of routine items received into the recordkeeping system. CC ID 11701 | Records management | Preventive | |
Include record integrity techniques in the records management procedures. CC ID 06418 [The integrity of publicly available health information should be protected to prevent unauthorized modification. § 14.1.3.1 Health-specific controls ¶ 2] | Records management | Preventive | |
Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 | Records management | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Records management | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Records management | Preventive | |
Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 | Records management | Preventive | |
Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 | Records management | Preventive | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Preventive | |
Establish, implement, and maintain security label procedures. CC ID 06747 | Records management | Preventive | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Records management | Preventive | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Records management | Preventive | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Records management | Preventive | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Records management | Preventive | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Records management | Preventive | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Records management | Preventive | |
Establish the minimum originator requirements for security labels. CC ID 06579 | Records management | Preventive | |
Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Records management | Preventive | |
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Records management | Preventive | |
Establish policy-based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Records management | Preventive | |
Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Records management | Preventive | |
Establish, implement, and maintain an information preservation policy. CC ID 16483 | Records management | Preventive | |
Establish, implement, and maintain information preservation procedures. CC ID 06277 | Records management | Preventive | |
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Records management | Preventive | |
Provide audit trails for all pertinent records. CC ID 00372 | Records management | Detective | |
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Records management | Preventive | |
Include the date and time in the removable storage media log. CC ID 12318 | Records management | Preventive | |
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Records management | Preventive | |
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Records management | Preventive | |
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Records management | Preventive | |
Include the sender's name in the removable storage media log. CC ID 12752 | Records management | Preventive | |
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Records management | Preventive | |
Include the reason for transfer in the removable storage media log. CC ID 12316 | Records management | Preventive | |
Document all actions taken when downgrading electronic storage media. CC ID 10622 | Records management | Preventive | |
Establish, implement, and maintain output distribution procedures. CC ID 00927 | Records management | Preventive | |
Include printed output in output distribution procedures. CC ID 13477 | Records management | Preventive | |
Establish, implement, and maintain document retention procedures. CC ID 11660 | Records management | Preventive | |
Establish, implement, and maintain electronic media distribution procedures. CC ID 11650 | Records management | Preventive | |
Establish, implement, and maintain output balancing audit trails. CC ID 00928 | Records management | Detective | |
Establish and maintain reconciliation audit trails. CC ID 11647 | Records management | Preventive | |
Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929 | Records management | Detective | |
Establish, implement, and maintain paper document integrity requirements for the output of records. CC ID 00930 | Records management | Preventive | |
Specify appropriate tools for the system development project. CC ID 06830 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a system implementation standard. CC ID 01111 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain an implementation plan. CC ID 01114 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those health information systems. Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s). § 12.1.4 Health-specific control] | Systems design, build, and implementation | Preventive | |
Include an implementation schedule in the implementation plan. CC ID 16124 | Systems design, build, and implementation | Preventive | |
Include the allocation of resources in the implementation plan. CC ID 16122 | Systems design, build, and implementation | Preventive | |
Include roles and responsibilities in the implementation plan. CC ID 16121 | Systems design, build, and implementation | Preventive | |
Approve implementation plans, as necessary. CC ID 13628 | Systems design, build, and implementation | Corrective | |
Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. § 14.2.9 Health-specific control ¶ 1] | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Preventive | |
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 [The organization should identify and document all parties with whom patient data is exchanged and contractual agreements should be made with these parties regulating access and privileges, prior to exchange of patient data. § 9.1.1 Health-specific control ¶ 5] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Preventive | |
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [{confidential information} All health information systems processing personal health information should inform users of the confidentiality of personal health information accessible from the system (e.g. at start-up or log-in) and should label hardcopy output as confidential when it contains personal health information. § 8.2.2 Health-specific control] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Detective | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Preventive | |
Include risk management procedures in the supply chain management policy. CC ID 08811 | Third Party and supply chain oversight | Preventive | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 [In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level of risk and to the technologies employed. § 15.1.1 Health-specific control] | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign roles and responsibilities for administering user account management. CC ID 11900 | Technical security | Preventive | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Preventive | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Preventive | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Preventive | |
Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources management | Preventive | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 [The health information security forum shall meet regularly, on a monthly or near-to-monthly basis. (Typically, it is most effective to meet at the mid-point between the meetings of the governance body into which the forum reports. This allows emergency matters to be taken to a suitable meeting within a short period.) § 6.1.1 Health-specific control ¶ 3] | Human Resources management | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 [Special attention needs to be placed upon the roles and responsibilities of temporary or short-term staff such as locums, students, interns, etc. § 7.1.2 Health-specific control ¶ 2] | Human Resources management | Preventive | |
Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 | Human Resources management | Preventive | |
Document the use of external experts. CC ID 16263 | Human Resources management | Preventive | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 | Human Resources management | Preventive | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources management | Preventive | |
Assign the roles and responsibilities for the change control program. CC ID 13118 | Human Resources management | Preventive | |
Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources management | Preventive | |
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources management | Preventive | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources management | Preventive | |
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources management | Preventive | |
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources management | Preventive | |
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources management | Preventive | |
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources management | Preventive | |
Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources management | Preventive | |
Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources management | Preventive | |
Define and assign roles and responsibilities for dispute resolution. CC ID 13626 | Human Resources management | Preventive | |
Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources management | Preventive | |
Perform security skills assessments for all critical employees. CC ID 12102 [When an individual is hired for a specific information security role, organizations should make sure the candidate: can be trusted to take the role, especially if the role is critical for the organization. § 7.1.1 Health-specific controls ¶ 3(b)] | Human Resources management | Detective | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1] | Human Resources management | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1 Background verification checks on all candidates for employment should include a verification of applicable health professional qualifications, where such qualifications are professionally accredited (e.g. physicians, nurses, etc.) § 7.1.1 Health-specific controls ¶ 2] | Human Resources management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Preventive | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Detective | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Preventive | |
Establish and maintain security clearances. CC ID 01634 | Human Resources management | Preventive | |
Include a space for previous addresses and previous residences on the job application. CC ID 12302 [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1] | Human Resources management | Preventive | |
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Preventive | |
Assign an information owner to organizational assets, as necessary. CC ID 12729 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: have a designated custodian of these health information assets (see 8.1.2); § 8.1.1 Health-specific control ¶ 1(b) The source (authorship) of publicly available health information should be stated and its integrity should be protected. § 14.1.3.1 Health-specific controls ¶ 3] | Operational management | Preventive | |
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 [{establish}{ownership} Assets maintained in the inventory should be owned. § 8.1.2 Control ¶ 2] | Operational management | Preventive | |
Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Monitoring and measurement | Corrective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Detective | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Audits and risk management | Preventive | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Detective | |
Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 | Operational management | Detective | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Operational management | Detective | |
Collect data about the network environment when certifying the network. CC ID 13125 | Operational management | Detective | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Detective | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Monitoring and measurement | Detective | |
Establish, implement, and maintain event logging procedures. CC ID 01335 | Monitoring and measurement | Detective | |
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to collect and preserve incident-related audit logs and other relevant evidence. § 16.1.2 Health-specific controls ¶ 1(c)] | Monitoring and measurement | Preventive | |
Protect the event logs from failure. CC ID 06290 | Monitoring and measurement | Preventive | |
Review and update event logs and audit logs, as necessary. CC ID 00596 | Monitoring and measurement | Detective | |
Eliminate false positives in event logs and audit logs. CC ID 07047 | Monitoring and measurement | Corrective | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Detective | |
Reproduce the event log if a log failure is captured. CC ID 01426 | Monitoring and measurement | Preventive | |
Protect logs from unauthorized activity. CC ID 01345 [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control] | Monitoring and measurement | Preventive | |
Preserve the identity of individuals in audit trails. CC ID 10594 [Health information systems processing personal health information: shall ensure that each subject of care can be uniquely identified within the system; § 14.1.1.1 Health-specific control ¶ 1(a)] | Monitoring and measurement | Preventive | |
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to collect and preserve incident-related audit logs and other relevant evidence. § 16.1.2 Health-specific controls ¶ 1(c)] | Operational management | Corrective | |
Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Records management | Preventive | |
Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Records management | Preventive | |
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Records management | Preventive | |
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Records management | Preventive | |
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Records management | Preventive | |
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Records management | Preventive | |
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Records management | Preventive | |
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Records management | Preventive | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Records management | Preventive | |
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Records management | Preventive | |
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Records management | Preventive | |
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Records management | Preventive | |
Log performance monitoring into the recordkeeping system. CC ID 11724 | Records management | Preventive | |
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Records management | Preventive | |
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Records management | Preventive | |
Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Records management | Preventive | |
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Records management | Preventive | |
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Records management | Preventive | |
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Records management | Preventive | |
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Records management | Preventive | |
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Records management | Preventive | |
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Records management | Preventive | |
Establish, implement, and maintain a removable storage media log. CC ID 12317 [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control] | Records management | Preventive | |
Establish, implement, and maintain a data processing output log. CC ID 06624 | Records management | Preventive | |
Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Preventive | |
Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Preventive | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Detective | |
Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Detective |
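The "secure and tamper-proof" audit records required by § 12.4.2 (row CC ID 01345 above) are commonly implemented as a hash chain: each entry carries a keyed digest of its own content and of the previous entry's digest, so a later modification or deletion breaks the chain at the first altered record. The Python below is an added example and is not part of ISO 27799 or of the UCF mapping; the log key, the entry layout and the sample access events are constructed for illustration, and a production deployment would keep the key in an HSM or a separate log server that the application writing the log cannot read.

```python
"""Tamper-evident audit log built as an HMAC hash chain (added example)."""
import copy
import hashlib
import hmac
import json

# Constructed key for illustration only. In practice the key lives outside the
# reach of the system that writes the log (HSM, KMS, or a dedicated log host),
# otherwise an attacker who alters the log can simply recompute the chain.
LOG_KEY = b"example-audit-log-key-not-for-production"

GENESIS = "0" * 64  # previous-hash value for the first entry


def entry_digest(seq, prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so the same entry always
    # produces the same bytes; seq and prev_hash bind the entry to its position.
    payload = json.dumps(
        {"seq": seq, "prev": prev_hash, "record": record},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


def append(chain, record):
    """Append one audit record, chaining it to the current head."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    entry = {
        "seq": seq,
        "prev": prev_hash,
        "record": record,
        "hash": entry_digest(seq, prev_hash, record),
    }
    chain.append(entry)
    return entry


def verify(chain):
    """Return (True, -1) if the chain is intact, else (False, index_of_first_bad_entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        # Position and back-link checks catch reordering and deleted middle entries.
        if entry["seq"] != i or entry["prev"] != prev_hash:
            return False, i
        expected = entry_digest(i, prev_hash, entry["record"])
        # Constant-time compare so verification itself does not leak digest bytes.
        if not hmac.compare_digest(expected, entry["hash"]):
            return False, i
        prev_hash = entry["hash"]
    return True, -1


def head(chain):
    """Digest of the newest entry; publish or forward it out-of-band to detect truncation."""
    return chain[-1]["hash"] if chain else GENESIS


def demo():
    """Constructed access events showing what the chain does and does not detect."""
    chain = []
    append(chain, {"ts": "2024-03-01T08:15:00Z", "user": "nurse01", "action": "view", "patient": "P-0001"})
    append(chain, {"ts": "2024-03-01T08:16:30Z", "user": "nurse01", "action": "view", "patient": "P-0002"})
    append(chain, {"ts": "2024-03-01T08:20:05Z", "user": "clerk07", "action": "export", "patient": "P-0002"})
    ok_before, _ = verify(chain)

    # An insider rewrites which patient record was exported: detected at index 2.
    tampered = copy.deepcopy(chain)
    tampered[2]["record"]["patient"] = "P-0001"
    ok_after, bad_index = verify(tampered)

    # Dropping the newest entry leaves a valid shorter chain: the chain alone does
    # NOT detect truncation, which is why head() must be anchored elsewhere.
    truncated_ok, _ = verify(chain[:-1])
    truncation_visible = head(chain[:-1]) != head(chain)

    return ok_before, ok_after, bad_index, truncated_ok, truncation_visible
```

The chain protects integrity of what is already written; it does not by itself protect confidentiality of the records or prevent the writer from withholding entries, so it complements, rather than replaces, the access restrictions on audit tools and trails that the same clause requires.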
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Separate the production environment from development environment or test environment for the change control process. CC ID 11864 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Preventive | |
Enforce information flow control. CC ID 11781 | Technical security | Preventive | |
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Physical and environmental protection | Preventive | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Detective | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Preventive | |
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Operational management | Corrective | |
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Operational management | Corrective | |
Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 | Records management | Detective | |
Establish, implement, and maintain data accuracy controls. CC ID 00921 | Records management | Detective | |
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Records management | Detective | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Detective | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Corrective | |
Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Detective | |
Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Control physical access to (and within) the facility. CC ID 01329 [Organizations processing personal health information should use security perimeters to protect areas that contain information processing facilities supporting such health applications. These secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.1 Health-specific control] | Physical and environmental protection | Preventive | |
Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and environmental protection | Preventive | |
Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and environmental protection | Detective | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Preventive | |
Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and environmental protection | Preventive | |
Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 | Physical and environmental protection | Corrective | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Preventive | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Preventive | |
Manage visitor identification inside the facility. CC ID 11670 | Physical and environmental protection | Preventive | |
Secure unissued visitor identification badges. CC ID 06712 | Physical and environmental protection | Preventive | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Preventive | |
Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and environmental protection | Preventive | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Preventive | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Preventive | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Preventive | |
Prevent tailgating through physical entry points. CC ID 06685 | Physical and environmental protection | Preventive | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 [Organizations processing personal health information should use security perimeters to protect areas that contain information processing facilities supporting such health applications. These secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.1 Health-specific control] | Physical and environmental protection | Preventive | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and environmental protection | Preventive | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and environmental protection | Preventive | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and environmental protection | Detective | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and environmental protection | Preventive | |
Protect distributed assets against theft. CC ID 06799 | Physical and environmental protection | Preventive | |
Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Operational and Systems Continuity | Preventive | |
Conduct environmental surveys. CC ID 00690 | Operational management | Preventive | |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Detective | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Detective | |
Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Preventive | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Preventive | |
Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Physical and environmental protection | Preventive | |
Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Physical and environmental protection | Preventive | |
Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 [In addition to implementing the control given by ISO/IEC 27002, organizations providing or using equipment, data or software to support a healthcare application containing personal health information shall not allow such equipment, data, or software to be removed from the site or relocated within it without authorization by the organization. § 11.2.5 Health-specific control] | Physical and environmental protection | Preventive | |
Perform backup procedures for in scope systems. CC ID 11692 | Operational and Systems Continuity | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 | Operational management | Detective | |
Provide management direction and support for the information security program. CC ID 11999 | Operational management | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control] | Operational management | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Preventive | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. § 7.2.2 Health-specific control ¶ 2] | Operational management | Corrective | |
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Operational management | Preventive | |
Contain the incident to prevent further loss. CC ID 01751 | Operational management | Corrective | |
Perform emergency changes, as necessary. CC ID 12707 | Operational management | Preventive | |
Back up emergency changes after the change has been performed. CC ID 12734 | Operational management | Preventive | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Operational management | Detective | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Operational management | Preventive | |
Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 | Records management | Detective | |
Review the electronic storage media for the information the organization collects and processes. CC ID 13009 [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control] | Records management | Detective | |
Process restricted information in a secure environment. CC ID 13058 | Records management | Preventive | |
Establish, implement, and maintain data completeness controls. CC ID 11649 | Records management | Preventive | |
Display required information automatically in electronic health records. CC ID 14442 | Records management | Preventive | |
Create export summaries, as necessary. CC ID 14446 | Records management | Preventive | |
Identify patient-specific education resources. CC ID 14439 | Records management | Detective | |
Sanitize user input in accordance with organizational standards. CC ID 16856 | Records management | Preventive | |
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Records management | Preventive | |
Identify electronic storage media that require downgrading. CC ID 10620 | Records management | Detective | |
Downgrade electronic storage media, as necessary. CC ID 10621 | Records management | Corrective | |
Authorize new assets prior to putting them into the production environment. CC ID 13530 | Acquisition or sale of facilities, technology, and services | Preventive | |
Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Detective | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Preventive | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Corrective | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Detective | |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Preventive | |
Include source code in the asset inventory. CC ID 14858 | Operational management | Preventive | |
Archive appropriate records, logs, and database tables. CC ID 06321 [Publicly available health information (as distinct from personal health information) should be archived. § 14.1.3.1 Health-specific controls ¶ 1] | Records management | Preventive | |
Establish, implement, and maintain source document authorization tracking. CC ID 01262 | Records management | Detective | |
Establish, implement, and maintain source document error handling tracking. CC ID 01263 | Records management | Detective | |
Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 | Records management | Preventive | |
Refrain from creating printed records as copies of electronic records. CC ID 11808 | Records management | Preventive | |
Validate transactions against master files of third parties and clients, as necessary. CC ID 06552 | Records management | Detective | |
Establish, implement, and maintain a system storage log. CC ID 13532 | Records management | Preventive | |
Protect records from loss in accordance with applicable requirements. CC ID 12007 | Records management | Preventive | |
Capture the records required by organizational compliance requirements. CC ID 00912 | Records management | Detective | |
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records management | Preventive | |
Establish and maintain an implantable device list. CC ID 14444 | Records management | Preventive | |
Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records management | Preventive | |
Log the termination date in the recordkeeping system. CC ID 16181 | Records management | Preventive | |
Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records management | Preventive | |
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records management | Preventive | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Preventive | |
Establish, implement, and maintain a transfer journal. CC ID 11729 | Records management | Preventive | |
Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records management | Preventive | |
Note in electronic records converted from printed records, the location of the original. CC ID 11809 | Records management | Preventive | |
Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 | Records management | Preventive | |
Compare each record's data input to its final form. CC ID 11813 | Records management | Detective | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 [{confidential information} All health information systems processing personal health information should inform users of the confidentiality of personal health information accessible from the system (e.g. at start-up or log-in) and should label hardcopy output as confidential when it contains personal health information. § 8.2.2 Health-specific control] | Records management | Detective | |
Establish and maintain access controls for all records. CC ID 00371 | Records management | Preventive | |
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 | Records management | Preventive | |
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records management | Preventive | |
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records management | Preventive | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records management | Preventive | |
Establish and maintain an error suspense file for rejected transactions. CC ID 06623 | Records management | Preventive | |
Review and approve output exceptions. CC ID 06625 | Records management | Preventive | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Preventive | |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 | Operational and Systems Continuity | Preventive | |
Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1] | Operational and Systems Continuity | Preventive | |
Back up all records. CC ID 11974 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1] | Operational and Systems Continuity | Preventive | |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Operational management | Preventive | |
Validate the system before implementing approved changes. CC ID 01510 | Operational management | Preventive | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Operational management | Preventive | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Preventive | |
Separate the design and development environment from the production environment. CC ID 06088 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those health information systems. Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s). § 12.1.4 Health-specific control] | Systems design, build, and implementation | Preventive | |
Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems design, build, and implementation | Preventive | |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Monitoring and measurement | Detective | |
Restrict access to audit trails to a need to know basis. CC ID 11641 [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control] | Monitoring and measurement | Preventive | |
Protect against misusing automated audit tools. CC ID 04547 [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control] | Monitoring and measurement | Preventive | |
Evaluate the information technology products used for metrics. CC ID 11644 | Monitoring and measurement | Detective | |
Identify information system users. CC ID 12081 | Technical security | Detective | |
Review user accounts. CC ID 00525 [User registration details shall be periodically reviewed to ensure that they are complete, accurate and that access is still required. § 9.2.1 Health-specific control ¶ 2] | Technical security | Detective | |
Control access rights to organizational assets. CC ID 00004 | Technical security | Preventive | |
Establish access rights based on least privilege. CC ID 01411 [Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will become available to the user. § 9.2.1 Health-specific control ¶ 1] | Technical security | Preventive | |
Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Preventive | |
Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Preventive | |
Establish, implement, and maintain User Access Management procedures. CC ID 00514 [{external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4] | Technical security | Preventive | |
Review and approve logical access to all assets based upon organizational policies. CC ID 06641 | Technical security | Preventive | |
Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 | Technical security | Preventive | |
Automate access control methods, as necessary. CC ID 11838 | Technical security | Preventive | |
Automate Access Control Systems, as necessary. CC ID 06854 | Technical security | Preventive | |
Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical security | Preventive | |
Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 | Technical security | Preventive | |
Remove inactive user accounts, as necessary. CC ID 00517 | Technical security | Corrective | |
Remove temporary user accounts, as necessary. CC ID 11839 | Technical security | Corrective | |
Enforce the password policy. CC ID 16347 | Technical security | Preventive | |
Enforce usage restrictions for superuser accounts. CC ID 07064 | Technical security | Preventive | |
Implement out-of-band authentication, as necessary. CC ID 10606 | Technical security | Corrective | |
Identify and control all network access controls. CC ID 00529 | Technical security | Preventive | |
Segregate systems in accordance with organizational standards. CC ID 12546 | Technical security | Preventive | |
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 | Technical security | Preventive | |
Control all methods of remote access and teleworking. CC ID 00559 | Technical security | Preventive | |
Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical security | Preventive | |
Install and maintain container security solutions. CC ID 16178 | Technical security | Preventive | |
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [All organizations that process personal health information shall, as soon as possible, terminate the user access privileges with respect to such information for any departing permanent or temporary employee, third-party contractor or volunteer upon termination of employment, contracting, or volunteer activities. § 9.2.6 Health-specific control] | Human Resources management | Corrective | |
Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Human Resources management | Preventive | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Preventive | |
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Operational management | Preventive | |
Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Preventive | |
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Operational management | Detective | |
Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Corrective | |
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Corrective | |
Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Corrective | |
Integrate configuration management procedures into the change control program. CC ID 13646 | Operational management | Preventive | |
Implement patch management software, as necessary. CC ID 12094 | Operational management | Preventive | |
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Operational management | Preventive | |
Review the patch log for missing patches. CC ID 13186 | Operational management | Detective | |
Patch software. CC ID 11825 | Operational management | Corrective | |
Patch the operating system, as necessary. CC ID 11824 | Operational management | Corrective | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 | Operational management | Detective | |
Validate transactions using identifiers and credentials. CC ID 13203 | Records management | Preventive | |
Establish, implement, and maintain electronic storage media security controls. CC ID 13204 | Records management | Preventive | |
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Records management | Preventive | |
Implement and maintain high availability storage, as necessary. CC ID 00952 | Records management | Preventive | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Preventive | |
Provide encryption for different types of electronic storage media. CC ID 00945 [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control] | Records management | Preventive | |
Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Preventive | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Preventive | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Preventive | |
Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Preventive | |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Monitoring and measurement | Preventive | |
Evaluate the measurement process used for metrics. CC ID 06920 | Monitoring and measurement | Detective | |
Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Physical and environmental protection | Preventive | |
Implement operational requirements for card readers. CC ID 02225 | Physical and environmental protection | Preventive | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [When an individual is hired for a specific information security role, organizations should make sure the candidate: has the necessary competence to perform the security role; § 7.1.1 Health-specific controls ¶ 3(a)] | Human Resources management | Detective | |
Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Preventive | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information should, where feasible, segregate duties and areas of responsibility in order to reduce opportunities for unauthorized modification or misuse of personal health information. § 6.1.2 Health-specific control] | Human Resources management | Detective | |
Open a priority incident request after a security breach is detected. CC ID 04838 | Operational management | Corrective | |
Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Operational management | Corrective | |
Test proposed changes prior to their approval. CC ID 00548 | Operational management | Detective | |
Perform risk assessments prior to approving change requests. CC ID 00888 | Operational management | Preventive | |
Perform a patch test prior to deploying a patch. CC ID 00898 | Operational management | Detective | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Operational management | Detective | |
Review changes to computer firmware. CC ID 12226 | Operational management | Detective | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Operational management | Detective | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 | Operational management | Detective | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 | Operational management | Detective | |
Maintain continued integrity for all stored data and stored records. CC ID 00969 [The source (authorship) of publicly available health information should be stated and its integrity should be protected. § 14.1.3.1 Health-specific controls ¶ 3] | Records management | Detective | |
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Records management | Detective | |
Test the storage media downgrade for correct performance. CC ID 10623 | Records management | Detective | |
Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627 | Records management | Detective | |
Implement security controls in development endpoints. CC ID 16389 | Systems design, build, and implementation | Preventive | |
Evaluate and determine whether or not the newly developed system meets users' system design requirements. CC ID 01120 [Clinical users should be involved in the testing of clinically relevant system features. § 14.2.9 Health-specific control ¶ 2] | Systems design, build, and implementation | Detective | |
Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. § 14.2.9 Health-specific control ¶ 1] | Acquisition or sale of facilities, technology, and services | Detective | |
Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741 | Acquisition or sale of facilities, technology, and services | Detective | |
Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742 | Acquisition or sale of facilities, technology, and services | Detective | |
Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743 | Acquisition or sale of facilities, technology, and services | Detective | |
Test new software or upgraded software for security vulnerabilities. CC ID 01898 | Acquisition or sale of facilities, technology, and services | Detective | |
Test new software or upgraded software for compatibility with the current system. CC ID 11654 | Acquisition or sale of facilities, technology, and services | Detective | |
Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655 | Acquisition or sale of facilities, technology, and services | Detective | |
Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899 | Acquisition or sale of facilities, technology, and services | Detective | |
Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744 | Acquisition or sale of facilities, technology, and services | Detective | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Detective | |
Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Preventive | |
Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Detective | |
Perform risk assessments of third parties, as necessary. CC ID 06454 | Third Party and supply chain oversight | Detective | |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Preventive | |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default classification of Impact Zone.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Establish/Maintain Documentation | |
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Monitoring and measurement | Establish/Maintain Documentation | |
Eliminate false positives in event logs and audit logs. CC ID 07047 | Monitoring and measurement | Log Management | |
Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Monitoring and measurement | Investigate | |
Identify and communicate improvements in metrics reporting. CC ID 06921 | Monitoring and measurement | Establish/Maintain Documentation | |
Remove inactive user accounts, as necessary. CC ID 00517 | Technical security | Technical Security | |
Remove temporary user accounts, as necessary. CC ID 11839 | Technical security | Technical Security | |
Implement out-of-band authentication, as necessary. CC ID 10606 | Technical security | Technical Security | |
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Technical security | Communicate | |
Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 | Physical and environmental protection | Physical and Environmental Protection | |
Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Establish/Maintain Documentation | |
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [All organizations that process personal health information shall, as soon as possible, terminate the user access privileges with respect to such information for any departing permanent or temporary employee, third-party contractor or volunteer upon termination of employment, contracting, or volunteer activities. § 9.2.6 Health-specific control] | Human Resources management | Technical Security | |
Implement a sanctions process for personnel who fail to comply with the organizational compliance program. CC ID 01442 [Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. § 7.2.2 Health-specific control ¶ 2] | Human Resources management | Behavior | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Establish/Maintain Documentation | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. § 7.2.2 Health-specific control ¶ 2] | Operational management | Process or Activity | |
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Operational management | Monitor and Evaluate Occurrences | |
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Operational management | Monitor and Evaluate Occurrences | |
Contain the incident to prevent further loss. CC ID 01751 | Operational management | Process or Activity | |
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to collect and preserve incident-related audit logs and other relevant evidence. § 16.1.2 Health-specific controls ¶ 1(c)] | Operational management | Log Management | |
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Operational management | Establish/Maintain Documentation | |
Open a priority incident request after a security breach is detected. CC ID 04838 | Operational management | Testing | |
Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Operational management | Testing | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Operational management | Communicate | |
Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Technical Security | |
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Technical Security | |
Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Technical Security | |
Approve back-out plans, as necessary. CC ID 13627 | Operational management | Establish/Maintain Documentation | |
Deploy software patches in accordance with organizational standards. CC ID 07032 | Operational management | Configuration | |
Patch software. CC ID 11825 | Operational management | Technical Security | |
Patch the operating system, as necessary. CC ID 11824 | Operational management | Technical Security | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Operational management | Configuration | |
Remove outdated software after software has been updated. CC ID 11792 | Operational management | Configuration | |
Update computer firmware, as necessary. CC ID 11755 | Operational management | Configuration | |
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Operational management | Configuration | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 | Operational management | Business Processes | |
Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Operational management | Establish/Maintain Documentation | |
Document approved configuration deviations. CC ID 08711 | Operational management | Establish/Maintain Documentation | |
Remove non-public information from publicly accessible systems. CC ID 14246 | Records management | Data and Information Management | |
Downgrade electronic storage media, as necessary. CC ID 10621 | Records management | Process or Activity | |
Approve implementation plans, as necessary. CC ID 13628 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Correct defective acquired goods or services. CC ID 06911 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 [Organizations should inform the subject of care whenever lack of availability of health information systems may have adversely affected their care. § 16.1.2 Health-specific controls ¶ 4] | Privacy protection for information and data | Communicate | |
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 [Organizations should inform the subject of care whenever personal health information has been unintentionally disclosed. § 16.1.2 Health-specific controls ¶ 3] | Privacy protection for information and data | Communicate | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Process or Activity | |
Change or destroy any personal data that is incorrect. CC ID 00462 [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control] | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Privacy protection for information and data | Behavior | |
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Data and Information Management | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Analyze organizational policies, as necessary. CC ID 14037 | Leadership and high level objectives | Establish/Maintain Documentation | |
Map in scope assets and in scope records to external requirements. CC ID 12189 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Log Management | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Monitoring and measurement | Log Management | |
Establish, implement, and maintain event logging procedures. CC ID 01335 | Monitoring and measurement | Log Management | |
Review and update event logs and audit logs, as necessary. CC ID 00596 | Monitoring and measurement | Log Management | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Log Management | |
Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Monitoring and measurement | Technical Security | |
Evaluate the measurement process used for metrics. CC ID 06920 | Monitoring and measurement | Testing | |
Evaluate the information technology products used for metrics. CC ID 11644 | Monitoring and measurement | Technical Security | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Audits and Risk Management | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Investigate | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Actionable Reports or Measurements | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Audits and Risk Management | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Establish/Maintain Documentation | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Process or Activity | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Process or Activity | |
Identify information system users. CC ID 12081 | Technical security | Technical Security | |
Review user accounts. CC ID 00525 [User registration details shall be periodically reviewed to ensure that they are complete, accurate and that access is still required. § 9.2.1 Health-specific control ¶ 2] | Technical security | Technical Security | |
Match user accounts to authorized parties. CC ID 12126 | Technical security | Configuration | |
Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Technical security | Communicate | |
Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and environmental protection | Physical and Environmental Protection | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and environmental protection | Physical and Environmental Protection | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [When an individual is hired for a specific information security role, organizations should make sure the candidate: has the necessary competence to perform the security role; § 7.1.1 Health-specific controls ¶ 3(a)] | Human Resources management | Testing | |
Perform security skills assessments for all critical employees. CC ID 12102 [When an individual is hired for a specific information security role, organizations should make sure the candidate: can be trusted to take the role, especially if the role is critical for the organization. § 7.1.1 Health-specific controls ¶ 3(b)] | Human Resources management | Human Resources Management | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Human Resources Management | |
Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Establish/Maintain Documentation | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Human Resources Management | |
Document the security clearance procedure results. CC ID 01635 | Human Resources management | Establish/Maintain Documentation | |
Document and communicate role descriptions to all applicable personnel. CC ID 00776 [In addition to the control given by ISO/IEC 27002, all organizations whose staff members are involved in processing personal health information should document such involvement in relevant job descriptions. Security roles and responsibilities, as laid down in the organization's information security policy, should also be documented in relevant job descriptions. § 7.1.2 Health-specific control ¶ 1] | Human Resources management | Establish Roles | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information should, where feasible, segregate duties and areas of responsibility in order to reduce opportunities for unauthorized modification or misuse of personal health information. § 6.1.2 Health-specific control] | Human Resources management | Testing | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Monitor and Evaluate Occurrences | |
Review and approve access controls, as necessary. CC ID 13074 | Operational management | Process or Activity | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Investigate | |
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Operational management | Establish/Maintain Documentation | |
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Operational management | Technical Security | |
Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 | Operational management | Investigate | |
Establish, implement, and maintain incident response procedures. CC ID 01206 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to ensure effective and timely response to security incidents; § 16.1.2 Health-specific controls ¶ 1(a)] | Operational management | Establish/Maintain Documentation | |
Test proposed changes prior to their approval. CC ID 00548 | Operational management | Testing | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 | Operational management | Business Processes | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Operational management | Process or Activity | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Operational management | Investigate | |
Collect data about the network environment when certifying the network. CC ID 13125 | Operational management | Investigate | |
Review the patch log for missing patches. CC ID 13186 | Operational management | Technical Security | |
Perform a patch test prior to deploying a patch. CC ID 00898 | Operational management | Testing | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Operational management | Testing | |
Review changes to computer firmware. CC ID 12226 | Operational management | Testing | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Operational management | Testing | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 | Operational management | Technical Security | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Operational management | Establish/Maintain Documentation | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 | Operational management | Testing | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 | Operational management | Testing | |
Establish, implement, and maintain a configuration change log. CC ID 08710 | Operational management | Configuration | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data retention program. CC ID 00906 | Records management | Establish/Maintain Documentation | |
Maintain continued integrity for all stored data and stored records. CC ID 00969 [The source (authorship) of publicly available health information should be stated and its integrity should be protected. § 14.1.3.1 Health-specific controls ¶ 3] | Records management | Testing | |
Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 | Records management | Business Processes | |
Establish, implement, and maintain source document authorization tracking. CC ID 01262 | Records management | Records Management | |
Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 | Records management | Process or Activity | |
Review the electronic storage media for the information the organization collects and processes. CC ID 13009 [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control] | Records management | Process or Activity | |
Establish, implement, and maintain source document error handling tracking. CC ID 01263 | Records management | Records Management | |
Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 | Records management | Monitor and Evaluate Occurrences | |
Validate transactions against master files of third parties and clients, as necessary. CC ID 06552 | Records management | Records Management | |
Establish, implement, and maintain data accuracy controls. CC ID 00921 | Records management | Monitor and Evaluate Occurrences | |
Capture the records required by organizational compliance requirements. CC ID 00912 | Records management | Records Management | |
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Records management | Data and Information Management | |
Identify patient-specific education resources. CC ID 14439 | Records management | Process or Activity | |
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Records management | Data and Information Management | |
Control error handling when data is being inputted. CC ID 00922 | Records management | Data and Information Management | |
Compare each record's data input to its final form. CC ID 11813 | Records management | Records Management | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 [{confidential information} All health information systems processing personal health information should inform users of the confidentiality of personal health information accessible from the system (e.g. at start-up or log-in) and should label hardcopy output as confidential when it contains personal health information. § 8.2.2 Health-specific control] | Records management | Records Management | |
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Records management | Monitor and Evaluate Occurrences | |
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Records management | Testing | |
Provide audit trails for all pertinent records. CC ID 00372 | Records management | Establish/Maintain Documentation | |
Identify electronic storage media that require downgrading. CC ID 10620 | Records management | Process or Activity | |
Test the storage media downgrade for correct performance. CC ID 10623 | Records management | Testing | |
Establish, implement, and maintain output balancing audit trails. CC ID 00928 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929 | Records management | Establish/Maintain Documentation | |
Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627 | Records management | Testing | |
Evaluate and determine whether or not the newly developed system meets users' system design requirements. CC ID 01120 [Clinical users should be involved in the testing of clinically relevant system features. § 14.2.9 Health-specific control ¶ 2] | Systems design, build, and implementation | Testing | |
Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. § 14.2.9 Health-specific control ¶ 1] | Acquisition or sale of facilities, technology, and services | Testing | |
Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741 | Acquisition or sale of facilities, technology, and services | Testing | |
Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742 | Acquisition or sale of facilities, technology, and services | Testing | |
Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743 | Acquisition or sale of facilities, technology, and services | Testing | |
Test new software or upgraded software for security vulnerabilities. CC ID 01898 | Acquisition or sale of facilities, technology, and services | Testing | |
Test new software or upgraded software for compatibility with the current system. CC ID 11654 | Acquisition or sale of facilities, technology, and services | Testing | |
Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655 | Acquisition or sale of facilities, technology, and services | Testing | |
Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899 | Acquisition or sale of facilities, technology, and services | Testing | |
Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744 | Acquisition or sale of facilities, technology, and services | Testing | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Testing | |
Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Testing | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Data and Information Management | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Investigate | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Behavior | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Data and Information Management | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Log Management | |
Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Log Management | |
Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Data and Information Management | |
Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Process or Activity | |
Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Process or Activity | |
Perform risk assessments of third parties, as necessary. CC ID 06454 | Third Party and supply chain oversight | Testing | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an information classification standard. CC ID 00601 [{confidential information} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should uniformly classify such data as confidential. § 8.2.1 Health-specific control] | Leadership and high level objectives | Establish/Maintain Documentation | |
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Leadership and high level objectives | Data and Information Management | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Leadership and high level objectives | Data and Information Management | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Leadership and high level objectives | Data and Information Management | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Leadership and high level objectives | Data and Information Management | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Leadership and high level objectives | Data and Information Management | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Leadership and high level objectives | Data and Information Management | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Leadership and high level objectives | Data and Information Management | |
Classify the value of information in the information classification standard. CC ID 11995 | Leadership and high level objectives | Data and Information Management | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Leadership and high level objectives | Data and Information Management | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [A formal scope statement shall be produced that defines the boundary of compliance activity in terms of people, processes, places, platforms and applications. § 6.1.1 Health-specific control ¶ 4] | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the scope of the security policy. CC ID 07145 | Leadership and high level objectives | Data and Information Management | |
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 | Leadership and high level objectives | Business Processes | |
Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 | Leadership and high level objectives | Establish/Maintain Documentation | |
Correlate Information Systems with applicable controls. CC ID 01621 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the effective date on all organizational policies. CC ID 06820 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include threats in the organization’s policies, standards, and procedures. CC ID 12953 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Leadership and high level objectives | Business Processes | |
Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Leadership and high level objectives | Communicate | |
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Leadership and high level objectives | Establish/Maintain Documentation | |
Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Leadership and high level objectives | Establish/Maintain Documentation | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Leadership and high level objectives | Establish Roles | |
Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align the Authority Document list with external requirements. CC ID 06288 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign the appropriate roles to all applicable compliance documents. CC ID 06284 | Leadership and high level objectives | Establish Roles | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 | Leadership and high level objectives | Establish/Maintain Documentation | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Leadership and high level objectives | Business Processes | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Leadership and high level objectives | Establish Roles | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Leadership and high level objectives | Behavior | |
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 | Leadership and high level objectives | Behavior | |
Estimate the costs of implementing the compliance framework. CC ID 07191 | Leadership and high level objectives | Business Processes | |
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to collect and preserve incident-related audit logs and other relevant evidence. § 16.1.2 Health-specific controls ¶ 1(c)] | Monitoring and measurement | Log Management | |
Protect the event logs from failure. CC ID 06290 | Monitoring and measurement | Log Management | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Data and Information Management | |
Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Monitoring and measurement | Testing | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Establish/Maintain Documentation | |
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Monitoring and measurement | Audits and Risk Management | |
Reproduce the event log if a log failure is captured. CC ID 01426 | Monitoring and measurement | Log Management | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Establish/Maintain Documentation | |
Restrict access to audit trails to a need to know basis. CC ID 11641 [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control] | Monitoring and measurement | Technical Security | |
Protect logs from unauthorized activity. CC ID 01345 [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control] | Monitoring and measurement | Log Management | |
Preserve the identity of individuals in audit trails. CC ID 10594 [Health information systems processing personal health information: shall ensure that each subject of care can be uniquely identified within the system; § 14.1.1.1 Health-specific control ¶ 1(a)] | Monitoring and measurement | Log Management | |
Protect against misusing automated audit tools. CC ID 04547 [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control] | Monitoring and measurement | Technical Security | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Audits and Risk Management | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [Healthcare project management should consider patient safety as a project risk in any project involving the processing of personal health information. § 6.1.5 Health-specific control] | Audits and risk management | Audits and Risk Management | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and risk management | Audits and Risk Management | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and risk management | Audits and Risk Management | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 | Audits and risk management | Establish/Maintain Documentation | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Audits and risk management | Investigate | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Audits and risk management | Behavior | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level of risk and to the technologies employed. § 15.1.1 Health-specific control] | Audits and risk management | Audits and Risk Management | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain access control policies. CC ID 00512 [Organizations processing personal health information shall have an access control policy governing access to these data. § 9.1.1 Health-specific control ¶ 2 {external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4 The organization's policy on access control should be established on the basis of predefined roles with associated authorities which are consistent with, but limited to, the needs of that role. § 9.1.1 Health-specific control ¶ 3] | Technical security | Establish/Maintain Documentation | |
Include compliance requirements in the access control policy. CC ID 14006 | Technical security | Establish/Maintain Documentation | |
Include coordination amongst entities in the access control policy. CC ID 14005 | Technical security | Establish/Maintain Documentation | |
Include management commitment in the access control policy. CC ID 14004 | Technical security | Establish/Maintain Documentation | |
Include roles and responsibilities in the access control policy. CC ID 14003 | Technical security | Establish/Maintain Documentation | |
Include the scope in the access control policy. CC ID 14002 | Technical security | Establish/Maintain Documentation | |
Include the purpose in the access control policy. CC ID 14001 | Technical security | Establish/Maintain Documentation | |
Document the business need justification for user accounts. CC ID 15490 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Establish/Maintain Documentation | |
Control access rights to organizational assets. CC ID 00004 | Technical security | Technical Security | |
Establish access rights based on least privilege. CC ID 01411 [Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will become available to the user. § 9.2.1 Health-specific control ¶ 1] | Technical security | Technical Security | |
Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Technical Security | |
Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Technical Security | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Configuration | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Establish Roles | |
Enforce access restrictions for restricted data. CC ID 01921 [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: § 9.1.1 Health-specific control ¶ 1] | Technical security | Data and Information Management | |
Establish, implement, and maintain User Access Management procedures. CC ID 00514 [{external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4] | Technical security | Technical Security | |
Establish, implement, and maintain an authority for access authorization list. CC ID 06782 | Technical security | Establish/Maintain Documentation | |
Review and approve logical access to all assets based upon organizational policies. CC ID 06641 | Technical security | Technical Security | |
Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 | Technical security | Technical Security | |
Assign roles and responsibilities for administering user account management. CC ID 11900 | Technical security | Human Resources Management | |
Automate access control methods, as necessary. CC ID 11838 | Technical security | Technical Security | |
Automate Access Control Systems, as necessary. CC ID 06854 | Technical security | Technical Security | |
Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical security | Technical Security | |
Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 | Technical security | Technical Security | |
Establish, implement, and maintain a password policy. CC ID 16346 | Technical security | Establish/Maintain Documentation | |
Enforce the password policy. CC ID 16347 | Technical security | Technical Security | |
Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Technical security | Establish/Maintain Documentation | |
Limit superuser accounts to designated System Administrators. CC ID 06766 | Technical security | Configuration | |
Enforce usage restrictions for superuser accounts. CC ID 07064 | Technical security | Technical Security | |
Establish, implement, and maintain access control procedures. CC ID 11663 [Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will become available to the user. § 9.2.1 Health-specific control ¶ 1] | Technical security | Establish/Maintain Documentation | |
Grant access to authorized personnel or systems. CC ID 12186 | Technical security | Configuration | |
Document approving and granting access in the access control log. CC ID 06786 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Communicate | |
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Technical security | Establish/Maintain Documentation | |
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Technical security | Establish/Maintain Documentation | |
Include the date and time that access was reviewed in the system record. CC ID 16416 | Technical security | Data and Information Management | |
Include the date and time that access rights were changed in the system record. CC ID 16415 | Technical security | Establish/Maintain Documentation | |
Identify and control all network access controls. CC ID 00529 | Technical security | Technical Security | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Technical security | Establish/Maintain Documentation | |
Segregate systems in accordance with organizational standards. CC ID 12546 | Technical security | Technical Security | |
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 | Technical security | Technical Security | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 [{processing architecture} Access to information and application system functions related to the processing personal health information should be isolated from (and separate to) access to information processing infrastructure that is unrelated to the processing of personal health information. § 9.4.1 Health-specific control ¶ 2] | Technical security | Data and Information Management | |
Enforce information flow control. CC ID 11781 | Technical security | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Technical security | Establish/Maintain Documentation | |
Constrain the information flow of restricted data or restricted information. CC ID 06763 | Technical security | Data and Information Management | |
Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when there is a need for specific data to support this activity. § 9.1.1 Health-specific control ¶ 1(c)] | Technical security | Data and Information Management | |
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain information flow procedures. CC ID 04542 [{external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4] | Technical security | Establish/Maintain Documentation | |
Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 | Technical security | Data and Information Management | |
Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 | Technical security | Data and Information Management | |
Control all methods of remote access and teleworking. CC ID 00559 | Technical security | Technical Security | |
Implement multifactor authentication techniques. CC ID 00561 [{multifactor authentication} Health information systems processing personal health information shall authenticate users and should do so by means of authentication involving at least two factors. § 9.4.1 Health-specific control ¶ 1] | Technical security | Configuration | |
Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical security | Technical Security | |
Document and approve requests to bypass multifactor authentication. CC ID 15464 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 | Technical security | Establish/Maintain Documentation | |
Install security and protection software, as necessary. CC ID 00575 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. § 12.2.1 Health-specific control] | Technical security | Configuration | |
Install and maintain container security solutions. CC ID 16178 | Technical security | Technical Security | |
Establish, implement, and maintain a physical security program. CC ID 11757 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 | Physical and environmental protection | Establish/Maintain Documentation | |
Identify and document physical access controls for all physical entry points. CC ID 01637 | Physical and environmental protection | Establish/Maintain Documentation | |
Control physical access to (and within) the facility. CC ID 01329 [Organizations processing personal health information should use security perimeters to protect areas that contain information processing facilities supporting such health applications. These secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.1 Health-specific control] | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain physical access procedures. CC ID 13629 | Physical and environmental protection | Establish/Maintain Documentation | |
Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and environmental protection | Physical and Environmental Protection | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Physical and environmental protection | Establish/Maintain Documentation | |
Escort visitors within the facility, as necessary. CC ID 06417 | Physical and environmental protection | Establish/Maintain Documentation | |
Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and environmental protection | Physical and Environmental Protection | |
Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Physical and environmental protection | Testing | |
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Physical and environmental protection | Behavior | |
Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Physical and environmental protection | Establish/Maintain Documentation | |
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Physical and environmental protection | Establish/Maintain Documentation | |
Authorize physical access to sensitive areas based on job functions. CC ID 12462 | Physical and environmental protection | Establish/Maintain Documentation | |
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain physical identification procedures. CC ID 00713 | Physical and environmental protection | Establish/Maintain Documentation | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Human Resources Management | |
Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Process or Activity | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Process or Activity | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Physical and Environmental Protection | |
Implement operational requirements for card readers. CC ID 02225 | Physical and environmental protection | Testing | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Establish/Maintain Documentation | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Physical and Environmental Protection | |
Manage constituent identification inside the facility. CC ID 02215 | Physical and environmental protection | Behavior | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Human Resources Management | |
Manage visitor identification inside the facility. CC ID 11670 | Physical and environmental protection | Physical and Environmental Protection | |
Issue visitor identification badges to all non-employees. CC ID 00543 | Physical and environmental protection | Behavior | |
Secure unissued visitor identification badges. CC ID 06712 | Physical and environmental protection | Physical and Environmental Protection | |
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Physical and environmental protection | Behavior | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Physical and environmental protection | Establish/Maintain Documentation | |
Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Physical and environmental protection | Process or Activity | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Establish/Maintain Documentation | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Business Processes | |
Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Establish/Maintain Documentation | |
Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Physical and environmental protection | Process or Activity | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Establish/Maintain Documentation | |
Include an identity registration process in the identification issuance procedures. CC ID 11671 | Physical and environmental protection | Establish/Maintain Documentation | |
Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and environmental protection | Physical and Environmental Protection | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Physical and Environmental Protection | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Physical and Environmental Protection | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Physical and environmental protection | Establish/Maintain Documentation | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Human Resources Management | |
Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Physical and environmental protection | Establish/Maintain Documentation | |
Prevent tailgating through physical entry points. CC ID 06685 | Physical and environmental protection | Physical and Environmental Protection | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 [Organizations processing personal health information should use security perimeters to protect areas that contain information processing facilities supporting such health applications. These secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.1 Health-specific control] | Physical and environmental protection | Physical and Environmental Protection | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and environmental protection | Physical and Environmental Protection | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and environmental protection | Physical and Environmental Protection | |
Protect distributed assets against theft. CC ID 06799 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Physical and environmental protection | Establish/Maintain Documentation | |
Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 [In addition to implementing the control given by ISO/IEC 27002, organizations providing or using equipment, data or software to support a healthcare application containing personal health information shall not allow such equipment, data, or software to be removed from the site or relocated within it without authorization by the organization. § 11.2.5 Health-specific control] | Physical and environmental protection | Process or Activity | |
Establish, implement, and maintain asset return procedures. CC ID 04537 | Physical and environmental protection | Establish/Maintain Documentation | |
Require the return of all assets upon notification an individual is terminated. CC ID 06679 [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control] | Physical and environmental protection | Behavior | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 | Operational and Systems Continuity | Systems Continuity | |
Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Operational and Systems Continuity | Physical and Environmental Protection | |
Store backup media at an off-site electronic media storage facility. CC ID 01332 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1] | Operational and Systems Continuity | Data and Information Management | |
Transport backup media in lockable electronic media storage containers. CC ID 01264 | Operational and Systems Continuity | Data and Information Management | |
Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 | Operational and Systems Continuity | Data and Information Management | |
Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1] | Operational and Systems Continuity | Systems Continuity | |
Perform backup procedures for in scope systems. CC ID 11692 | Operational and Systems Continuity | Process or Activity | |
Back up all records. CC ID 11974 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1] | Operational and Systems Continuity | Systems Continuity | |
Encrypt backup data. CC ID 00958 [To protect its confidentiality, personal health information should be backed up in an encrypted format. § 12.3.1 Health-specific control ¶ 2] | Operational and Systems Continuity | Configuration | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Establish Roles | |
Define and assign the security staff roles and responsibilities. CC ID 11750 [At a minimum, at least one individual shall be responsible for health information security within the organization. § 6.1.1 Health-specific control ¶ 2] | Human Resources management | Establish/Maintain Documentation | |
Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources management | Human Resources Management | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 [The health information security forum shall meet regularly, on a monthly or near-to-monthly basis. (Typically, it is most effective to meet at the mid-point between the meetings of the governance body into which the forum reports. This allows emergency matters to be taken to a suitable meeting within a short period.) § 6.1.1 Health-specific control ¶ 3] | Human Resources management | Human Resources Management | |
Define and assign workforce roles and responsibilities. CC ID 13267 [Special attention needs to be placed upon the roles and responsibilities of temporary or short-term staff such as locums, students, interns, etc. § 7.1.2 Health-specific control ¶ 2] | Human Resources management | Human Resources Management | |
Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 | Human Resources management | Human Resources Management | |
Assign roles and responsibilities for physical security, as necessary. CC ID 13113 | Human Resources management | Establish Roles | |
Document the use of external experts. CC ID 16263 | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 | Human Resources management | Human Resources Management | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources management | Human Resources Management | |
Assign the roles and responsibilities for the change control program. CC ID 13118 | Human Resources management | Human Resources Management | |
Identify and define all critical roles. CC ID 00777 | Human Resources management | Establish Roles | |
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Human Resources management | Establish Roles | |
Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources management | Human Resources Management | |
Assign the role of security management to applicable controls. CC ID 06444 | Human Resources management | Establish Roles | |
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources management | Human Resources Management | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources management | Human Resources Management | |
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources management | Human Resources Management | |
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Human Resources management | Communicate | |
Define and assign the data controller's roles and responsibilities. CC ID 00471 | Human Resources management | Establish Roles | |
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources management | Human Resources Management | |
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources management | Human Resources Management | |
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources management | Human Resources Management | |
Assign the role of data controller to applicable controls. CC ID 00354 | Human Resources management | Establish Roles | |
Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources management | Human Resources Management | |
Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Human Resources management | Establish Roles | |
Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Human Resources management | Establish Roles | |
Assign the role of logical access control to applicable controls. CC ID 00772 | Human Resources management | Establish Roles | |
Assign the role of asset physical security to applicable controls. CC ID 00770 | Human Resources management | Establish Roles | |
Assign the role of data custodian to applicable controls. CC ID 04789 | Human Resources management | Establish Roles | |
Assign the role of the Quality Management committee to applicable controls. CC ID 00769 | Human Resources management | Establish Roles | |
Assign interested personnel to the Quality Management committee. CC ID 07193 | Human Resources management | Establish Roles | |
Assign the roles and responsibilities for the asset management system. CC ID 14368 | Human Resources management | Establish/Maintain Documentation | |
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Human Resources management | Establish Roles | |
Assign the role of fire protection management to applicable controls. CC ID 04891 | Human Resources management | Establish Roles | |
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Human Resources management | Establish Roles | |
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Human Resources management | Establish Roles | |
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Human Resources management | Establish Roles | |
Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for dispute resolution. CC ID 13626 | Human Resources management | Human Resources Management | |
Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Establish/Maintain Documentation | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Establish Roles | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Establish Roles | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal identification check during personnel screening. CC ID 06721 [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1] | Human Resources management | Human Resources Management | |
Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Establish/Maintain Documentation | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Process or Activity | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Human Resources Management | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Human Resources Management | |
Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Establish/Maintain Documentation | |
Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Testing | |
Perform a resume check during personnel screening. CC ID 06659 [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1 Background verification checks on all candidates for employment should include a verification of applicable health professional qualifications, where such qualifications are professionally accredited (e.g. physicians, nurses, etc.) § 7.1.1 Health-specific controls ¶ 2] | Human Resources management | Human Resources Management | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Human Resources Management | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Human Resources Management | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Communicate | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Establish/Maintain Documentation | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Human Resources Management | |
Establish and maintain security clearances. CC ID 01634 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Human Resources management | Establish/Maintain Documentation | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Human Resources management | Establish Roles | |
Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Human Resources management | Technical Security | |
Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain job applications. CC ID 16180 | Human Resources management | Establish/Maintain Documentation | |
Include a space for previous addresses and previous residences on the job application. CC ID 12302 [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1] | Human Resources management | Human Resources Management | |
Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Behavior | |
Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness program. CC ID 11746 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. § 12.2.1 Health-specific control] | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Establish/Maintain Documentation | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Establish/Maintain Documentation | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Communicate | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Establish/Maintain Documentation | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Establish/Maintain Documentation | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Establish/Maintain Documentation | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Establish/Maintain Documentation | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Establish/Maintain Documentation | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Training | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Establish/Maintain Documentation | |
Include safeguards for information systems in the security awareness program. CC ID 13046 | Human Resources management | Establish/Maintain Documentation | |
Include security policies and security standards in the security awareness program. CC ID 13045 | Human Resources management | Establish/Maintain Documentation | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Training | |
Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Establish/Maintain Documentation | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Training | |
Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Training | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Training | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Training | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Human Resources management | Establish/Maintain Documentation | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 [In addition to implementing the control given by ISO/IEC 27002, all organizations processing personal health information shall ensure that information security education and training are provided on induction and, that regular updates in organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information. § 7.2.2 Health-specific control ¶ 1] | Human Resources management | Establish/Maintain Documentation | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Establish/Maintain Documentation | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Establish/Maintain Documentation | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Establish/Maintain Documentation | |
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Human Resources Management | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Human Resources Management | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Establish/Maintain Documentation | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Human Resources Management | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Behavior | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Behavior | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Training | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Code of Conduct. CC ID 04897 | Human Resources management | Establish/Maintain Documentation | |
Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 | Human Resources management | Communicate | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 [have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. § 6.1.1 Health-specific control ¶ 1(b)] | Operational management | Business Processes | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Behavior | |
Establish, implement, and maintain an information security program. CC ID 00812 [have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. § 6.1.1 Health-specific control ¶ 1(b)] | Operational management | Establish/Maintain Documentation | |
Include physical safeguards in the information security program. CC ID 12375 | Operational management | Establish/Maintain Documentation | |
Include technical safeguards in the information security program. CC ID 12374 | Operational management | Establish/Maintain Documentation | |
Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Establish/Maintain Documentation | |
Include system development in the information security program. CC ID 12389 | Operational management | Establish/Maintain Documentation | |
Include system maintenance in the information security program. CC ID 12388 | Operational management | Establish/Maintain Documentation | |
Include system acquisition in the information security program. CC ID 12387 | Operational management | Establish/Maintain Documentation | |
Include access control in the information security program. CC ID 12386 | Operational management | Establish/Maintain Documentation | |
Include operations management in the information security program. CC ID 12385 | Operational management | Establish/Maintain Documentation | |
Include communication management in the information security program. CC ID 12384 | Operational management | Establish/Maintain Documentation | |
Include environmental security in the information security program. CC ID 12383 | Operational management | Establish/Maintain Documentation | |
Include physical security in the information security program. CC ID 12382 | Operational management | Establish/Maintain Documentation | |
Include human resources security in the information security program. CC ID 12381 | Operational management | Establish/Maintain Documentation | |
Include asset management in the information security program. CC ID 12380 | Operational management | Establish/Maintain Documentation | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Establish/Maintain Documentation | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Establish/Maintain Documentation | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Establish/Maintain Documentation | |
Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Establish/Maintain Documentation | |
Include risk management in the information security program. CC ID 12378 | Operational management | Establish/Maintain Documentation | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Establish/Maintain Documentation | |
Provide management direction and support for the information security program. CC ID 11999 | Operational management | Process or Activity | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an information security policy. CC ID 11740 [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control {ongoing basis} The health organization's information security policy should be subject to ongoing, staged review, such that the totality of the policy is addressed at least annually. The policy should be reviewed after the occurrence of a serious security incident. § 5.1.2 Health-specific control] | Operational management | Establish/Maintain Documentation | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Business Processes | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Establish/Maintain Documentation | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Establish/Maintain Documentation | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Establish/Maintain Documentation | |
Include information security objectives in the information security policy. CC ID 13493 | Operational management | Establish/Maintain Documentation | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Establish/Maintain Documentation | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control] | Operational management | Process or Activity | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Business Processes | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Establish/Maintain Documentation | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Process or Activity | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Establish Roles | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Human Resources Management | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 [clearly define and assign information security responsibilities; § 6.1.1 Health-specific control ¶ 1(a)] | Operational management | Establish/Maintain Documentation | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Human Resources Management | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control In addition to implementing the control given by ISO/IEC 27002, all organizations processing personal health information shall ensure that information security education and training are provided on induction and, that regular updates in organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information. § 7.2.2 Health-specific control ¶ 1] | Operational management | Communicate | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Establish/Maintain Documentation | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Business Processes | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Business Processes | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Behavior | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Establish/Maintain Documentation | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Establish/Maintain Documentation | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Establish/Maintain Documentation | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Establish/Maintain Documentation | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Establish/Maintain Documentation | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Establish/Maintain Documentation | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Records Management | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Business Processes | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Business Processes | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Communicate | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 [{health information asset} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: have rules for acceptable use of these assets that are identified, documented and implemented. § 8.1.1 Health-specific control ¶ 1(c)] | Operational management | Establish/Maintain Documentation | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall ensure that any use, outside its premises, of medical devices that record or report data has been authorized. This should include equipment used by remote workers, even where such usage is perpetual (i.e. where it forms a core feature of the employee's role, such as for ambulance personnel, therapists, etc.) § 11.2.6 Health-specific control] | Operational management | Establish/Maintain Documentation | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Establish/Maintain Documentation | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Establish/Maintain Documentation | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Establish/Maintain Documentation | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Establish/Maintain Documentation | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Establish/Maintain Documentation | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Establish/Maintain Documentation | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Establish/Maintain Documentation | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Establish/Maintain Documentation | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Establish/Maintain Documentation | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Technical Security | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Establish/Maintain Documentation | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Data and Information Management | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Establish/Maintain Documentation | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Establish/Maintain Documentation | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Establish/Maintain Documentation | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Establish/Maintain Documentation | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Establish/Maintain Documentation | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Establish/Maintain Documentation | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Communicate | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Establish/Maintain Documentation | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Business Processes | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Establish/Maintain Documentation | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Establish/Maintain Documentation | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Establish/Maintain Documentation | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Data and Information Management | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall have a confidentiality agreement in place that specifies the confidential nature of this information. The agreement shall be applicable to all personnel accessing health information. § 13.2.4 Health-specific control] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Communicate | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Establish/Maintain Documentation | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Establish/Maintain Documentation | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Business Processes | |
Assign an information owner to organizational assets, as necessary. CC ID 12729 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: have a designated custodian of these health information assets (see 8.1.2); § 8.1.1 Health-specific control ¶ 1(b) The source (authorship) of publicly available health information should be stated and its integrity should be protected. § 14.1.3.1 Health-specific controls ¶ 3] | Operational management | Human Resources Management | |
Establish, implement, and maintain an asset inventory. CC ID 06631 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: account for health information assets (i.e. maintain an inventory of such assets); § 8.1.1 Health-specific control ¶ 1(a)] | Operational management | Business Processes | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 | Operational management | Establish/Maintain Documentation | |
Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Establish/Maintain Documentation | |
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Operational management | Systems Design, Build, and Implementation | |
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Operational management | Data and Information Management | |
Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Operational management | Establish/Maintain Documentation | |
Categorize all major applications according to the business information they process. CC ID 07182 | Operational management | Establish/Maintain Documentation | |
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Operational management | Establish/Maintain Documentation | |
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Operational management | Establish/Maintain Documentation | |
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Operational management | Establish/Maintain Documentation | |
Conduct environmental surveys. CC ID 00690 | Operational management | Physical and Environmental Protection | |
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Operational management | Establish/Maintain Documentation | |
Include network equipment in the Information Technology inventory. CC ID 00693 | Operational management | Establish/Maintain Documentation | |
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Operational management | Establish/Maintain Documentation | |
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Operational management | Process or Activity | |
Include software in the Information Technology inventory. CC ID 00692 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a storage media inventory. CC ID 00694 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 | Operational management | Establish/Maintain Documentation | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Operational management | Establish/Maintain Documentation | |
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Operational management | Establish/Maintain Documentation | |
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Operational management | Technical Security | |
Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Technical Security | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Data and Information Management | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Establish/Maintain Documentation | |
Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Data and Information Management | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Data and Information Management | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Establish/Maintain Documentation | |
Include source code in the asset inventory. CC ID 14858 | Operational management | Records Management | |
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 [{establish}{ownership} Assets maintained in the inventory should be owned. § 8.1.2 Control ¶ 2] | Operational management | Human Resources Management | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Establish/Maintain Documentation | |
Record software license information for each asset in the asset inventory. CC ID 11736 | Operational management | Data and Information Management | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Establish/Maintain Documentation | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Establish/Maintain Documentation | |
Record the software version in the asset inventory. CC ID 12196 | Operational management | Establish/Maintain Documentation | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Establish/Maintain Documentation | |
Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Establish/Maintain Documentation | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Establish/Maintain Documentation | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Establish/Maintain Documentation | |
Record the make and model of the device for applicable assets in the asset inventory. CC ID 12465 | Operational management | Establish/Maintain Documentation | |
Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Operational management | Establish/Maintain Documentation | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Establish/Maintain Documentation | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Establish/Maintain Documentation | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Establish/Maintain Documentation | |
Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Operational management | Data and Information Management | |
Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Operational management | Establish/Maintain Documentation | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Data and Information Management | |
Record the department associated with the asset in the asset inventory. CC ID 12084 | Operational management | Establish/Maintain Documentation | |
Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Operational management | Establish/Maintain Documentation | |
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Operational management | Establish/Maintain Documentation | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Establish/Maintain Documentation | |
Record the related business function for applicable assets in the asset inventory. CC ID 06636 | Operational management | Establish/Maintain Documentation | |
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Operational management | Establish/Maintain Documentation | |
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Operational management | Establish/Maintain Documentation | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Data and Information Management | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Data and Information Management | |
Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Operational management | Establish/Maintain Documentation | |
Record the owner for applicable assets in the asset inventory. CC ID 06640 | Operational management | Establish/Maintain Documentation | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Establish/Maintain Documentation | |
Record all changes to assets in the asset inventory. CC ID 12190 | Operational management | Establish/Maintain Documentation | |
Record cloud service derived data in the asset inventory. CC ID 13007 | Operational management | Establish/Maintain Documentation | |
Include cloud service customer data in the asset inventory. CC ID 13006 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to ensure that there is an effective and prioritized escalation path for incidents, such that crisis management and business continuity management plans can be invoked in the right circumstances and at the right time; § 16.1.2 Health-specific controls ¶ 1(b)] | Operational management | Establish/Maintain Documentation | |
Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Establish/Maintain Documentation | |
Include incident management procedures in the Incident Management program. CC ID 12689 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: § 16.1.2 Health-specific controls ¶ 1] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Establish/Maintain Documentation | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Establish/Maintain Documentation | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: § 16.1.2 Health-specific controls ¶ 1] | Operational management | Establish Roles | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Establish Roles | |
Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Operational management | Establish Roles | |
Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Operational management | Establish Roles | |
Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Operational management | Establish Roles | |
Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 | Operational management | Establish Roles | |
Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Operational management | Establish Roles | |
Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Operational management | Establish Roles | |
Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Operational management | Establish Roles | |
Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 | Operational management | Establish Roles | |
Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Operational management | Establish Roles | |
Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 | Operational management | Human Resources Management | |
Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 | Operational management | Establish/Maintain Documentation | |
Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 | Operational management | Communicate | |
Include references to industry best practices in the incident response procedures. CC ID 11956 | Operational management | Establish/Maintain Documentation | |
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a change control program. CC ID 00886 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure the appropriate control of host applications and systems and continuity of patient care. § 12.1.2 Health-specific control] | Operational management | Establish/Maintain Documentation | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 | Operational management | Establish/Maintain Documentation | |
Include version control in the change control program. CC ID 13119 | Operational management | Establish/Maintain Documentation | |
Include service design and transition in the change control program. CC ID 13920 | Operational management | Establish/Maintain Documentation | |
Separate the production environment from development environment or test environment for the change control process. CC ID 11864 | Operational management | Maintenance | |
Integrate configuration management procedures into the change control program. CC ID 13646 | Operational management | Technical Security | |
Establish, implement, and maintain a back-out plan. CC ID 13623 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 | Operational management | Establish/Maintain Documentation | |
Manage change requests. CC ID 00887 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure the appropriate control of host applications and systems and continuity of patient care. § 12.1.2 Health-specific control] | Operational management | Business Processes | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a change request approver list. CC ID 06795 | Operational management | Establish/Maintain Documentation | |
Document all change requests in change request forms. CC ID 06794 | Operational management | Establish/Maintain Documentation | |
Approve tested change requests. CC ID 11783 | Operational management | Data and Information Management | |
Validate the system before implementing approved changes. CC ID 01510 | Operational management | Systems Design, Build, and Implementation | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Operational management | Behavior | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 | Operational management | Establish/Maintain Documentation | |
Perform emergency changes, as necessary. CC ID 12707 | Operational management | Process or Activity | |
Back up emergency changes after the change has been performed. CC ID 12734 | Operational management | Process or Activity | |
Log emergency changes after they have been performed. CC ID 12733 | Operational management | Establish/Maintain Documentation | |
Perform risk assessments prior to approving change requests. CC ID 00888 | Operational management | Testing | |
Implement changes according to the change control program. CC ID 11776 | Operational management | Business Processes | |
Provide audit trails for all approved changes. CC ID 13120 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Operational management | Process or Activity | |
Document the sources of all software updates. CC ID 13316 | Operational management | Establish/Maintain Documentation | |
Implement patch management software, as necessary. CC ID 12094 | Operational management | Technical Security | |
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Operational management | Technical Security | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a patch log. CC ID 01642 | Operational management | Establish/Maintain Documentation | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Operational management | Business Processes | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Operational management | Systems Design, Build, and Implementation | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 | Operational management | Behavior | |
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Operational management | Data and Information Management | |
Update associated documentation after the system configuration has been changed. CC ID 00891 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Establish/Maintain Documentation | |
Configure the time server in accordance with organizational standards. CC ID 06426 | System hardening through configuration management | Configuration | |
Configure the time server to synchronize with specifically designated hosts. CC ID 06427 [Health information systems supporting time-critical shared care activities shall provide time synchronization services to support tracing and reconstitution of activity timelines where required. § 12.4.4 Health-specific control] | System hardening through configuration management | Configuration | |
Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Establish/Maintain Documentation | |
Archive appropriate records, logs, and database tables. CC ID 06321 [Publicly available health information (as distinct from personal health information) should be archived. § 14.1.3.1 Health-specific controls ¶ 1] | Records management | Records Management | |
Establish, implement, and maintain records management procedures. CC ID 11619 [Health information systems processing personal health information: shall be capable of merging duplicate or multiple records if it is determined that multiple records for the same subject of care have been created unintentionally or during a medical emergency. § 14.1.1.1 Health-specific control ¶ 1(b)] | Records management | Establish/Maintain Documentation | |
Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 | Records management | Records Management | |
Process restricted information in a secure environment. CC ID 13058 | Records management | Process or Activity | |
Refrain from creating printed records as copies of electronic records. CC ID 11808 | Records management | Records Management | |
Assign ownership for all electronic records. CC ID 14814 | Records management | Establish/Maintain Documentation | |
Attribute electronic records, as necessary. CC ID 14820 | Records management | Establish/Maintain Documentation | |
Validate transactions using identifiers and credentials. CC ID 13203 | Records management | Technical Security | |
Establish, implement, and maintain a system storage log. CC ID 13532 | Records management | Records Management | |
Establish, implement, and maintain a system input log. CC ID 13531 | Records management | Establish/Maintain Documentation | |
Protect records from loss in accordance with applicable requirements. CC ID 12007 | Records management | Records Management | |
Establish, implement, and maintain data completeness controls. CC ID 11649 | Records management | Process or Activity | |
Establish, implement, and maintain authorization records. CC ID 14367 | Records management | Establish/Maintain Documentation | |
Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Records management | Establish/Maintain Documentation | |
Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Records management | Establish/Maintain Documentation | |
Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain electronic health records. CC ID 14436 | Records management | Data and Information Management | |
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Records management | Data and Information Management | |
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records management | Records Management | |
Display required information automatically in electronic health records. CC ID 14442 | Records management | Process or Activity | |
Create summary of care records in accordance with applicable standards. CC ID 14440 | Records management | Establish/Maintain Documentation | |
Provide the patient with a summary of care record, as necessary. CC ID 14441 | Records management | Actionable Reports or Measurements | |
Create export summaries, as necessary. CC ID 14446 | Records management | Process or Activity | |
Import data files into a patient's electronic health record. CC ID 14448 | Records management | Data and Information Management | |
Export requested sections of the electronic health record. CC ID 14447 | Records management | Data and Information Management | |
Establish and maintain an implantable device list. CC ID 14444 | Records management | Records Management | |
Display the implantable device list to authorized users. CC ID 14445 | Records management | Data and Information Management | |
Establish, implement, and maintain decision support interventions. CC ID 14443 | Records management | Business Processes | |
Include attributes in the decision support intervention. CC ID 16766 | Records management | Data and Information Management | |
Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records management | Records Management | |
Log the termination date in the recordkeeping system. CC ID 16181 | Records management | Records Management | |
Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records management | Records Management | |
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records management | Records Management | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Records Management | |
Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Records management | Log Management | |
Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Records management | Log Management | |
Log the number of routine items received into the recordkeeping system. CC ID 11701 | Records management | Establish/Maintain Documentation | |
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Records management | Log Management | |
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Records management | Log Management | |
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Records management | Log Management | |
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Records management | Log Management | |
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Records management | Log Management | |
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Records management | Log Management | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Records management | Log Management | |
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Records management | Log Management | |
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Records management | Log Management | |
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Records management | Log Management | |
Log performance monitoring into the recordkeeping system. CC ID 11724 | Records management | Log Management | |
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Records management | Log Management | |
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Records management | Log Management | |
Establish, implement, and maintain a transfer journal. CC ID 11729 | Records management | Records Management | |
Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Records management | Log Management | |
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Records management | Log Management | |
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Records management | Log Management | |
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Records management | Log Management | |
Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records management | Records Management | |
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Records management | Log Management | |
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Records management | Log Management | |
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Records management | Log Management | |
Establish, implement, and maintain data availability controls. CC ID 15301 | Records management | Data and Information Management | |
Include record integrity techniques in the records management procedures. CC ID 06418 [The integrity of publicly available health information should be protected to prevent unauthorized modification. § 14.1.3.1 Health-specific controls ¶ 2] | Records management | Establish/Maintain Documentation | |
Note in electronic records converted from printed records, the location of the original. CC ID 11809 | Records management | Records Management | |
Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 | Records management | Establish/Maintain Documentation | |
Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 | Records management | Business Processes | |
Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 | Records management | Business Processes | |
Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 | Records management | Business Processes | |
Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 | Records management | Business Processes | |
Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 | Records management | Records Management | |
Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 | Records management | Business Processes | |
Establish, implement, and maintain electronic storage media security controls. CC ID 13204 | Records management | Technical Security | |
Use automated entry devices to reduce errors during data input. CC ID 06626 | Records management | Data and Information Management | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 | Records management | Establish Roles | |
Sanitize user input in accordance with organizational standards. CC ID 16856 | Records management | Process or Activity | |
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Records management | Data and Information Management | |
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain security label procedures. CC ID 06747 | Records management | Establish/Maintain Documentation | |
Label restricted storage media appropriately. CC ID 00966 | Records management | Data and Information Management | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Records management | Establish/Maintain Documentation | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Records management | Establish/Maintain Documentation | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Records management | Data and Information Management | |
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Records management | Technical Security | |
Establish the minimum originator requirements for security labels. CC ID 06579 | Records management | Establish/Maintain Documentation | |
Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Records management | Establish/Maintain Documentation | |
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Records management | Establish/Maintain Documentation | |
Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Records management | Establish/Maintain Documentation | |
Establish and maintain access controls for all records. CC ID 00371 | Records management | Records Management | |
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Records management | Data and Information Management | |
Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information preservation policy. CC ID 16483 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain information preservation procedures. CC ID 06277 | Records management | Establish/Maintain Documentation | |
Implement and maintain high availability storage, as necessary. CC ID 00952 | Records management | Technical Security | |
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 | Records management | Records Management | |
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records management | Records Management | |
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records management | Records Management | |
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Technical Security | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records management | Records Management | |
Provide encryption for different types of electronic storage media. CC ID 00945 [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control] | Records management | Technical Security | |
Implement electronic storage media integrity controls. CC ID 00946 | Records management | Configuration | |
Automate electronic storage media integrity check controls. CC ID 00948 | Records management | Configuration | |
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Records management | Configuration | |
Establish, implement, and maintain a removable storage media log. CC ID 12317 [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control] | Records management | Log Management | |
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Records management | Establish/Maintain Documentation | |
Include the date and time in the removable storage media log. CC ID 12318 | Records management | Establish/Maintain Documentation | |
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Records management | Establish/Maintain Documentation | |
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Records management | Establish/Maintain Documentation | |
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Records management | Establish/Maintain Documentation | |
Include the sender's name in the removable storage media log. CC ID 12752 | Records management | Establish/Maintain Documentation | |
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Records management | Establish/Maintain Documentation | |
Include the reason for transfer in the removable storage media log. CC ID 12316 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Records management | Process or Activity | |
Document all actions taken when downgrading electronic storage media. CC ID 10622 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain output distribution procedures. CC ID 00927 | Records management | Establish/Maintain Documentation | |
Include printed output in output distribution procedures. CC ID 13477 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain document retention procedures. CC ID 11660 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain electronic media distribution procedures. CC ID 11650 | Records management | Establish/Maintain Documentation | |
Establish and maintain an error suspense file for rejected transactions. CC ID 06623 | Records management | Records Management | |
Establish and maintain reconciliation audit trails. CC ID 11647 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data processing output log. CC ID 06624 | Records management | Log Management | |
Establish, implement, and maintain paper document integrity requirements for the output of records. CC ID 00930 | Records management | Establish/Maintain Documentation | |
Review and approve output exceptions. CC ID 06625 | Records management | Records Management | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Separate the design and development environment from the production environment. CC ID 06088 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those health information systems. Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s). § 12.1.4 Health-specific control] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Specify appropriate tools for the system development project. CC ID 06830 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Implement security controls in development endpoints. CC ID 16389 | Systems design, build, and implementation | Testing | |
Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a system implementation standard. CC ID 01111 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain an implementation plan. CC ID 01114 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those health information systems. Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s). § 12.1.4 Health-specific control] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include an implementation schedule in the implementation plan. CC ID 16124 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include the allocation of resources in the implementation plan. CC ID 16122 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include roles and responsibilities in the implementation plan. CC ID 16121 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Manage the system implementation process. CC ID 01115 | Systems design, build, and implementation | Behavior | |
Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. § 14.2.9 Health-specific control ¶ 1] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Authorize new assets prior to putting them into the production environment. CC ID 13530 | Acquisition or sale of facilities, technology, and services | Process or Activity | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Data and Information Management | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Privacy protection for information and data | Data and Information Management | |
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 [The organization should identify and document all parties with whom patient data is exchanged and contractual agreements should be made with these parties regulating access and privileges, prior to exchange of patient data. § 9.1.1 Health-specific control ¶ 5] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Establish/Maintain Documentation | |
Dispose of media and restricted data in a timely manner. CC ID 00125 [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control In addition to implementing the control given by ISO/IEC 27002, organizations processing health information applications shall securely erase or else destroy all media containing health information application software or personal health information when the media are no longer required for use. § 11.2.7 Health-specific control In addition to implementing the control given by ISO/IEC 27002, all personal health information shall be securely erased or else the media destroyed when no longer required for use. § 8.3.2 Health-specific control] | Privacy protection for information and data | Data and Information Management | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Records Management | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Establish/Maintain Documentation | |
Process restricted data lawfully and carefully. CC ID 00086 | Privacy protection for information and data | Establish Roles | |
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Privacy protection for information and data | Data and Information Management | |
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 [Health information systems processing personal health information shall provide personally identifying information to assist health professionals in confirming that the electronic health record retrieved matches the subject of care under treatment. § 14.1.1.2 Health-specific control Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when a healthcare relationship exists between the user and the data subject (the subject of care whose personal health information is being accessed); § 9.1.1 Health-specific control ¶ 1(a)] | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when the user is carrying out an activity on behalf of the data subject; § 9.1.1 Health-specific control ¶ 1(b)] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [{confidential information} All health information systems processing personal health information should inform users of the confidentiality of personal health information accessible from the system (e.g. at start-up or log-in) and should label hardcopy output as confidential when it contains personal health information. § 8.2.2 Health-specific control] | Privacy protection for information and data | Establish/Maintain Documentation | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Data and Information Management | |
Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Technical Security | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Data and Information Management | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Configuration | |
Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Configuration | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Configuration | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Technical Security | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Data and Information Management | |
Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Log Management | |
Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Log Management | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Technical Security | |
Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Technical Security | |
Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Testing | |
Limit data leakage. CC ID 00356 | Privacy protection for information and data | Data and Information Management | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Business Processes | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Acquisition/Sale of Assets or Services | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Process or Activity | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Data and Information Management | |
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [The organization should identify and document all parties with whom patient data is exchanged and contractual agreements should be made with these parties regulating access and privileges, prior to exchange of patient data. § 9.1.1 Health-specific control ¶ 5] | Third Party and supply chain oversight | Business Processes | |
Include risk management procedures in the supply chain management policy. CC ID 08811 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 [In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level of risk and to the technologies employed. § 15.1.1 Health-specific control] | Third Party and supply chain oversight | Establish/Maintain Documentation | |