
ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition



AD ID: 0003014

ORIGINATOR: International Organization for Standardization

TYPE: International or National Standard

AVAILABILITY: For Purchase

SYNONYMS: ISO 27799:2016; ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002

EFFECTIVE: 2016-07-01

ADDED: The document as a whole was last reviewed and released on 2019-08-02T00:00:00+0000.

Important Notice

This Authority Document In Depth Report is copyrighted - © 2020 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure that the mapping is of the highest quality. Information on the process we use to map Authority Documents, and on how to become involved in that process, is published by the UCF.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and mandates are tied to Common Controls. Because each Citation and mandate is tied to a Common Control, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis shown here is only a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of every Citation we found within ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition, tagged with its primary and secondary nouns and primary and secondary verbs, in four-column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance itself, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the fourth column gives the Common Control itself.

Dictionary Terms – The dictionary terms listed for ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition are drawn from the Authority Document's defined-terms section (which most legal documents have), from its glossary and, for the most part, from the terms tagged within each mandate. Terms shown with links are the standardized version of the term.



Common Controls and mandates by Impact Zone

Legend: 87 Mandated Controls (bold), 107 Implied Controls (italic), 580 Implementation Controls (regular).

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls: 774 total
  • Acquisition or sale of facilities, technology, and services (13 controls)
    KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular. Trailing columns: TYPE, CLASS.
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Establish and maintain facilities, assets, and services acceptance procedures. CC ID 01144
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. § 14.2.9 Health-specific control ¶ 1]
    Establish/Maintain Documentation Preventive
    Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. § 14.2.9 Health-specific control ¶ 1]
    Testing Detective
    Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741 Testing Detective
    Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742 Testing Detective
    Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743 Testing Detective
    Test new software or upgraded software for security vulnerabilities. CC ID 01898 Testing Detective
    Test new software or upgraded software for compatibility with the current system. CC ID 11654 Testing Detective
    Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655 Testing Detective
    Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899 Testing Detective
    Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744 Testing Detective
    Correct defective acquired goods or services. CC ID 06911 Acquisition/Sale of Assets or Services Corrective
    Authorize new assets prior to putting them into the production environment. CC ID 13530 Process or Activity Preventive
  • Audits and risk management (26 controls)
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Establish and maintain a risk management program. CC ID 12051 Establish/Maintain Documentation Preventive
    Establish and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and Risk Management Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [Healthcare project management should consider patient safety as a project risk in any project involving the processing of personal health information. § 6.1.5 Health-specific control]
    Audits and Risk Management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 Audits and Risk Management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and Risk Management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and Risk Management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Investigate Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and Risk Management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Actionable Reports or Measurements Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and Risk Management Detective
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 Establish/Maintain Documentation Preventive
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Investigate Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Behavior Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Establish/Maintain Documentation Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level of risk and to the technologies employed. § 15.1.1 Health-specific control]
    Audits and Risk Management Preventive
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Process or Activity Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Process or Activity Detective
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and Risk Management Preventive
  • Human Resources management (111 controls)
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish and maintain high level operational roles and responsibilities. CC ID 00806 Establish Roles Preventive
    Define and assign the security staff roles and responsibilities. CC ID 11750
    [At a minimum, at least one individual shall be responsible for health information security within the organization. § 6.1.1 Health-specific control ¶ 2]
    Establish/Maintain Documentation Preventive
    Establish and maintain an Information Technology steering committee. CC ID 12706 Human Resources Management Preventive
    Convene the Information Technology steering committee, as necessary. CC ID 12730
    [The health information security forum shall meet regularly, on a monthly or near-to-monthly basis. (Typically, it is most effective to meet at the mid-point between the meetings of the governance body into which the forum reports. This allows emergency matters to be taken to a suitable meeting within a short period.) § 6.1.1 Health-specific control ¶ 3]
    Human Resources Management Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267
    [Special attention needs to be placed upon the roles and responsibilities of temporary or short-term staff such as locums, students, interns, etc. § 7.1.2 Health-specific control ¶ 2]
    Human Resources Management Preventive
    Establish and maintain cybersecurity roles and responsibilities. CC ID 13201 Human Resources Management Preventive
    Assign roles and responsibilities for physical security, as necessary. CC ID 13113 Establish Roles Preventive
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 Human Resources Management Preventive
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources Management Preventive
    Assign the roles and responsibilities for the change control program. CC ID 13118 Human Resources Management Preventive
    Identify and define all key Information Technology roles. CC ID 00777 Establish Roles Preventive
    Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 Establish Roles Preventive
    Assign responsibility for cyber threat intelligence. CC ID 12746 Human Resources Management Preventive
    Assign the role of security management to applicable controls. CC ID 06444 Establish Roles Preventive
    Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 Human Resources Management Preventive
    Define and assign the data processor's roles and responsibilities. CC ID 12607 Human Resources Management Preventive
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 Human Resources Management Preventive
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Communicate Preventive
    Define and assign the data controller's roles and responsibilities. CC ID 00471 Establish Roles Preventive
    Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 Human Resources Management Preventive
    Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 Human Resources Management Preventive
    Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 Human Resources Management Preventive
    Assign the role of data controller to applicable controls. CC ID 00354 Establish Roles Preventive
    Assign the role of data controller to provide advice, when requested. CC ID 12611 Human Resources Management Preventive
    Assign the role of data controller to additional personnel, as necessary. CC ID 00473 Establish Roles Preventive
    Assign the role of Information Technology operations to applicable controls. CC ID 00682 Establish Roles Preventive
    Assign the role of logical access control to applicable controls. CC ID 00772 Establish Roles Preventive
    Assign the role of asset physical security to applicable controls. CC ID 00770 Establish Roles Preventive
    Assign the role of data custodian to applicable controls. CC ID 04789 Establish Roles Preventive
    Assign the role of the Quality Management committee to applicable controls. CC ID 00769 Establish Roles Preventive
    Assign interested personnel to the Quality Management committee. CC ID 07193 Establish Roles Preventive
    Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 Establish Roles Preventive
    Assign the role of fire protection management to applicable controls. CC ID 04891 Establish Roles Preventive
    Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 Establish Roles Preventive
    Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 Establish Roles Preventive
    Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 Establish Roles Preventive
    Assign the roles and responsibilities of security guards. CC ID 12543 Human Resources Management Preventive
    Define and assign roles and responsibilities for dispute resolution. CC ID 13626 Human Resources Management Preventive
    Define and assign the roles for Legal Support Workers. CC ID 13711 Human Resources Management Preventive
    Establish and maintain a personnel management program. CC ID 14018 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Establish/Maintain Documentation Preventive
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [When an individual is hired for a specific information security role, organizations should make sure the candidate: has the necessary competence to perform the security role; § 7.1.1 Health-specific controls ¶ 3(a)]
    Testing Detective
    Perform security skills assessments for all critical employees. CC ID 12102
    [When an individual is hired for a specific information security role, organizations should make sure the candidate: can be trusted to take the role, especially if the role is critical for the organization. § 7.1.1 Health-specific controls ¶ 3(b)]
    Human Resources Management Detective
    Assign security clearance procedures to qualified personnel. CC ID 06812 Establish Roles Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Establish Roles Preventive
    Establish and maintain personnel screening procedures. CC ID 11700 Establish/Maintain Documentation Preventive
    Perform a background check during personnel screening. CC ID 11758 Human Resources Management Detective
    Perform a personal identification check during personnel screening. CC ID 06721
    [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1]
    Human Resources Management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Establish/Maintain Documentation Preventive
    Include all residences in the criminal records check. CC ID 13306 Process or Activity Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Establish/Maintain Documentation Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources Management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources Management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Establish/Maintain Documentation Preventive
    Perform a drug test during personnel screening. CC ID 06648 Testing Preventive
    Perform a resume check during personnel screening. CC ID 06659
    [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1
    Background verification checks on all candidates for employment should include a verification of applicable health professional qualifications, where such qualifications are professionally accredited (e.g. physicians, nurses, etc.) § 7.1.1 Health-specific controls ¶ 2]
    Human Resources Management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources Management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources Management Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources Management Preventive
    Document the personnel risk assessment results. CC ID 11764 Establish/Maintain Documentation Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Establish/Maintain Documentation Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources Management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources Management Preventive
    Update security clearances, as necessary. CC ID 01634 Human Resources Management Preventive
    Document the security clearance procedure results. CC ID 01635 Establish/Maintain Documentation Detective
    Establish and maintain the Information Technology staff structure in line with the Strategic Information Technology Plan. CC ID 00764 Establish Roles Preventive
    Document and communicate role descriptions to all applicable personnel. CC ID 00776
    [In addition to the control given by ISO/IEC 27002, all organizations whose staff members are involved in processing personal health information should document such involvement in relevant job descriptions. Security roles and responsibilities, as laid down in the organization's information security policy, should also be documented in relevant job descriptions. § 7.1.2 Health-specific control ¶ 1]
    Establish Roles Detective
    Implement segregation of duties in roles and responsibilities. CC ID 00774
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information should, where feasible, segregate duties and areas of responsibility in order to reduce opportunities for unauthorized modification or misuse of personal health information. § 6.1.2 Health-specific control]
    Testing Detective
    Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 Technical Security Preventive
    Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 Establish/Maintain Documentation Preventive
    Include a space for previous addresses and previous residences on the job application. CC ID 12302
    [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1]
    Human Resources Management Preventive
    Train all personnel and third parties, as necessary. CC ID 00785 Behavior Preventive
    Establish and implement training plans. CC ID 00828 Establish/Maintain Documentation Preventive
    Establish and maintain a security awareness program. CC ID 11746
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. § 12.2.1 Health-specific control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Establish/Maintain Documentation Preventive
    Review and update the security awareness and training procedures, as necessary. CC ID 14140 Establish/Maintain Documentation Corrective
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Communicate Preventive
    Review and update the security awareness and training policy, as necessary. CC ID 14050 Establish/Maintain Documentation Corrective
    Include management commitment in the security awareness and training policy. CC ID 14049 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Establish/Maintain Documentation Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Establish/Maintain Documentation Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Establish/Maintain Documentation Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Establish/Maintain Documentation Preventive
    Document security awareness requirements. CC ID 12146 Establish/Maintain Documentation Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Establish/Maintain Documentation Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Establish/Maintain Documentation Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Establish/Maintain Documentation Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184 Training Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Training Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Establish/Maintain Documentation Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800
    [In addition to implementing the control given by ISO/IEC 27002, all organizations processing personal health information shall ensure that information security education and training are provided on induction and, that regular updates in organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information. § 7.2.2 Health-specific control ¶ 1]
    Establish/Maintain Documentation Preventive
    Include remote access in the security awareness program. CC ID 13892 Establish/Maintain Documentation Preventive
    Document the goals of the security awareness program. CC ID 12145 Establish/Maintain Documentation Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Establish/Maintain Documentation Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources Management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources Management Preventive
    Document the scope of the security awareness program. CC ID 12148 Establish/Maintain Documentation Preventive
    Establish and maintain a security awareness baseline. CC ID 12147 Establish/Maintain Documentation Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources Management Preventive
    Disseminate and communicate security awareness and the internal control framework to all interested personnel and affected parties. CC ID 00823 Behavior Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Behavior Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Training Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Establish/Maintain Documentation Preventive
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Monitor and Evaluate Occurrences Detective
    Establish and maintain a Code of Conduct as a part of the Terms and Conditions of employment. CC ID 04897 Establish/Maintain Documentation Preventive
    Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442
    [Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. § 7.2.2 Health-specific control ¶ 2]
    Behavior Corrective
    Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 Communicate Preventive
  • Leadership and high level objectives (52 controls)
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Analyze organizational objectives, functions, and activities. CC ID 00598 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain an information classification standard. CC ID 00601
    [{confidential information} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should uniformly classify such data as confidential. § 8.2.1 Health-specific control]
    Establish/Maintain Documentation Preventive
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Data and Information Management Preventive
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Data and Information Management Preventive
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Data and Information Management Preventive
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Data and Information Management Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Data and Information Management Preventive
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Data and Information Management Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Data and Information Management Preventive
    Classify the value of information in the information classification standard. CC ID 11995 Data and Information Management Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Data and Information Management Preventive
    Update the information classification standard regularly or when new threats are discovered. CC ID 07048 Establish/Maintain Documentation Corrective
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241
    [A formal scope statement shall be produced that defines the boundary of compliance activity in terms of people, processes, places, platforms and applications. § 6.1.1 Health-specific control ¶ 4]
    Establish/Maintain Documentation Preventive
    Define the scope of the security policy. CC ID 07145 Data and Information Management Preventive
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 Business Processes Preventive
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Establish/Maintain Documentation Preventive
    Correlate Information Systems with applicable controls. CC ID 01621 Establish/Maintain Documentation Preventive
    Establish and maintain an organizational policy and procedure management program. CC ID 06285 Establish/Maintain Documentation Preventive
    Include the effective date on all organizational policies. CC ID 06820 Establish/Maintain Documentation Preventive
    Analyze organizational policies, as necessary. CC ID 14037 Establish/Maintain Documentation Detective
    Implement organizational policies, standards, and procedures. CC ID 12893 Business Processes Preventive
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 Establish/Maintain Documentation Preventive
    Include threats in the organization’s policies, standards, and procedures. CC ID 12953 Establish/Maintain Documentation Preventive
    Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 Establish/Maintain Documentation Preventive
    Establish and maintain a list of compliance documents. CC ID 07113 Establish/Maintain Documentation Preventive
    Map in scope assets and in scope records to external requirements. CC ID 12189 Establish/Maintain Documentation Detective
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 Establish/Maintain Documentation Preventive
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 Communicate Preventive
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Establish/Maintain Documentation Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Establish/Maintain Documentation Preventive
    Publish, disseminate, and communicate an annual Statement on Internal Control. CC ID 06727 Establish/Maintain Documentation Preventive
    Include confirmation of any significant weaknesses in the annual Statement on Internal Control. CC ID 06861 Establish/Maintain Documentation Preventive
    Include an assurance statement regarding the organization's counterterror protective security plan in the annual Statement on Internal Control. CC ID 06866 Establish/Maintain Documentation Preventive
    Include the counterterror protective security plan test results in the annual Statement on Internal Control. CC ID 06867 Establish/Maintain Documentation Detective
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Establish Roles Preventive
    Approve all compliance documents. CC ID 06286 Establish/Maintain Documentation Preventive
    Align the list of compliance documents with applicable laws, regulations, and contractual obligations. CC ID 06288 Establish/Maintain Documentation Preventive
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284 Establish Roles Preventive
    Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 Establish/Maintain Documentation Preventive
    Establish and maintain a Compliance Exception standard for compliance exceptions. CC ID 01628 Establish/Maintain Documentation Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Establish/Maintain Documentation Preventive
    Document compliance exceptions, as necessary. CC ID 01630 Establish/Maintain Documentation Detective
    Include explanations, compensating controls, or risk acceptance in the Compliance Exceptions document. CC ID 01631 Establish/Maintain Documentation Preventive
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Business Processes Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Establish/Maintain Documentation Preventive
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Establish Roles Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Establish/Maintain Documentation Preventive
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Behavior Preventive
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 Behavior Preventive
    Estimate the costs of implementing the compliance framework. CC ID 07191 Business Processes Preventive
  • Monitoring and measurement
    23
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Log Management Detective
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643
    [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to collect and preserve incident-related audit logs and other relevant evidence. § 16.1.2 Health-specific controls ¶ 1(c)]
    Log Management Preventive
    Protect the event logs from failure. CC ID 06290 Log Management Preventive
    Overwrite the oldest records when audit logging fails. CC ID 14308 Data and Information Management Preventive
    Supply each in scope asset with an audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 Testing Preventive
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Establish/Maintain Documentation Corrective
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 Audits and Risk Management Preventive
    Review event logs, Intrusion Detection System reports, security incident tracking reports, and other security logs regularly. CC ID 00596 Log Management Detective
    Eliminate false positives in event logs, intrusion detection system reports, security incident tracking reports, and other security logs. CC ID 07047 Log Management Corrective
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Log Management Detective
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Technical Security Detective
    Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 Investigate Corrective
    Reproduce the event log if a log failure is captured. CC ID 01426 Log Management Preventive
    Establish and maintain a compliance monitoring policy. CC ID 00671 Establish/Maintain Documentation Preventive
    Establish and maintain a log management program. CC ID 00673 Establish/Maintain Documentation Preventive
    Restrict access to audit trails to a need-to-know basis. CC ID 11641
    [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control]
    Technical Security Preventive
    Protect logs from unauthorized activity. CC ID 01345
    [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control]
    Log Management Preventive
    Preserve the identity of individuals in audit trails. CC ID 10594
    [Health information systems processing personal health information: shall ensure that each subject of care can be uniquely identified within the system; § 14.1.1.1 Health-specific control ¶ 1(a)]
    Log Management Preventive
    Protect against misusing automated audit tools. CC ID 04547
    [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control]
    Technical Security Preventive
    Evaluate the measurement process used for metrics. CC ID 06920 Testing Detective
    Evaluate the information technology products used for metrics. CC ID 11644 Technical Security Detective
    Identify and communicate improvements in metrics reporting. CC ID 06921 Establish/Maintain Documentation Corrective
  • Operational and Systems Continuity
    13
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Establish and maintain system continuity plan strategies for all in scope systems. CC ID 00735 Establish/Maintain Documentation Preventive
    Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 Establish/Maintain Documentation Preventive
    Establish and maintain backup procedures for in scope systems. CC ID 01258 Systems Continuity Preventive
    Establish and maintain off-site electronic media storage facilities. CC ID 00957 Physical and Environmental Protection Preventive
    Store backup media at an off-site electronic media storage facility. CC ID 01332
    [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1]
    Data and Information Management Preventive
    Transport backup media in lockable electronic media storage containers. CC ID 01264 Data and Information Management Preventive
    Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 Data and Information Management Preventive
    Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765
    [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1]
    Systems Continuity Preventive
    Perform backup procedures for in scope systems. CC ID 11692 Process or Activity Preventive
    Back up all records. CC ID 11974
    [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1]
    Systems Continuity Preventive
    Encrypt backup data. CC ID 00958
    [To protect its confidentiality, personal health information should be backed up in an encrypted format. § 12.3.1 Health-specific control ¶ 2]
    Configuration Preventive
  • Operational management
    225
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Establish and maintain a positive information control environment. CC ID 00813
    [have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. § 6.1.1 Health-specific control ¶ 1(b)]
    Business Processes Preventive
    Make compliance and governance decisions in a timely manner. CC ID 06490 Behavior Preventive
    Establish and maintain an information security program. CC ID 00812
    [have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. § 6.1.1 Health-specific control ¶ 1(b)]
    Establish/Maintain Documentation Preventive
    Include physical safeguards in the information security program. CC ID 12375 Establish/Maintain Documentation Preventive
    Include technical safeguards in the information security program. CC ID 12374 Establish/Maintain Documentation Preventive
    Include administrative safeguards in the information security program. CC ID 12373 Establish/Maintain Documentation Preventive
    Include system development in the information security program. CC ID 12389 Establish/Maintain Documentation Preventive
    Include system maintenance in the information security program. CC ID 12388 Establish/Maintain Documentation Preventive
    Include system acquisition in the information security program. CC ID 12387 Establish/Maintain Documentation Preventive
    Include access control in the information security program. CC ID 12386 Establish/Maintain Documentation Preventive
    Review and approve access controls, as necessary. CC ID 13074 Process or Activity Detective
    Include operations management in the information security program. CC ID 12385 Establish/Maintain Documentation Preventive
    Include communication management in the information security program. CC ID 12384 Establish/Maintain Documentation Preventive
    Include environmental security in the information security program. CC ID 12383 Establish/Maintain Documentation Preventive
    Include physical security in the information security program. CC ID 12382 Establish/Maintain Documentation Preventive
    Include human resources security in the information security program. CC ID 12381 Establish/Maintain Documentation Preventive
    Include asset management in the information security program. CC ID 12380 Establish/Maintain Documentation Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Establish/Maintain Documentation Preventive
    Include how the information security department is organized in the information security program. CC ID 12379 Establish/Maintain Documentation Preventive
    Include risk management in the information security program. CC ID 12378 Establish/Maintain Documentation Preventive
    Include mitigating supply chain risks in the Information Security Program. CC ID 13352 Establish/Maintain Documentation Preventive
    Provide management direction and support for the information security program. CC ID 11999 Process or Activity Preventive
    Monitor and review the effectiveness of the information security program. CC ID 12744 Monitor and Evaluate Occurrences Preventive
    Establish and maintain an information security policy. CC ID 11740
    [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control]
    Establish/Maintain Documentation Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Business Processes Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Establish/Maintain Documentation Preventive
    Include information security objectives in the information security policy. CC ID 13493 Establish/Maintain Documentation Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Establish/Maintain Documentation Preventive
    Review and update the information security policy, as necessary. CC ID 11741
    [{ongoing basis} The health organization's information security policy should be subject to ongoing, staged review, such that the totality of the policy is addressed at least annually. The policy should be reviewed after the occurrence of a serious security incident. § 5.1.2 Health-specific control]
    Establish/Maintain Documentation Corrective
    Review the information security procedures, as necessary. CC ID 12006 Business Processes Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737
    [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control]
    Process or Activity Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Establish/Maintain Documentation Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Establish/Maintain Documentation Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Establish Roles Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Human Resources Management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885
    [clearly define and assign information security responsibilities; § 6.1.1 Health-specific control ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Human Resources Management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739
    [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control
    In addition to implementing the control given by ISO/IEC 27002, all organizations processing personal health information shall ensure that information security education and training are provided on induction and, that regular updates in organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information. § 7.2.2 Health-specific control ¶ 1]
    Communicate Preventive
    Establish and maintain a social media governance program. CC ID 06536 Establish/Maintain Documentation Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Business Processes Preventive
    Refrain from requiring users to disclose social media account usernames or passwords. CC ID 14009 Business Processes Preventive
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Behavior Preventive
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Establish/Maintain Documentation Preventive
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Establish/Maintain Documentation Preventive
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Establish/Maintain Documentation Preventive
    Establish and maintain operational control procedures. CC ID 00831 Establish/Maintain Documentation Preventive
    Include assigning and approving operations in operational control procedures. CC ID 06382 Establish/Maintain Documentation Preventive
    Include startup processes in operational control procedures. CC ID 00833 Establish/Maintain Documentation Preventive
    Review and update the operational control procedures, as necessary. CC ID 14278 Establish/Maintain Documentation Corrective
    Establish and maintain a data processing run manual. CC ID 00832 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Establish/Maintain Documentation Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974 Records Management Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Business Processes Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Establish/Maintain Documentation Corrective
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Communicate Preventive
    Establish and maintain a job scheduling methodology. CC ID 00834 Establish/Maintain Documentation Preventive
    Establish and maintain a job schedule exceptions list. CC ID 00835 Establish/Maintain Documentation Preventive
    Establish and maintain a data processing continuity plan. CC ID 00836 Establish/Maintain Documentation Preventive
    Establish and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Establish/Maintain Documentation Preventive
    Establish and maintain an Acceptable Use Policy. CC ID 01350
    [{health information asset} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: have rules for acceptable use of these assets that are identified, documented and implemented. § 8.1.1 Health-specific control ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall ensure that any use, outside its premises, of medical devices that record or report data has been authorized. This should include equipment used by remote workers, even where such usage is perpetual (i.e. where it forms a core feature of the employee's role, such as for ambulance personnel, therapists, etc.). § 11.2.6 Health-specific control]
    Establish/Maintain Documentation Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the acceptable use policy. CC ID 11894 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Establish/Maintain Documentation Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Establish/Maintain Documentation Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Establish/Maintain Documentation Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Establish/Maintain Documentation Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Establish/Maintain Documentation Preventive
    Include temporary activation of remote access technologies for third parties in the acceptable use policy. CC ID 11892 Technical Security Preventive
    Include prohibiting copying or moving of restricted data from its original source onto local hard drives or removable storage media in the acceptable use policy. CC ID 11893 Establish/Maintain Documentation Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Data and Information Management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Establish/Maintain Documentation Preventive
    Include appropriate network locations for each technology in the acceptable use policy. CC ID 11881 Establish/Maintain Documentation Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Establish/Maintain Documentation Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Establish/Maintain Documentation Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Establish/Maintain Documentation Corrective
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Establish/Maintain Documentation Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Communicate Preventive
    Review and update the acceptable use policy, as necessary. CC ID 14276 Establish/Maintain Documentation Corrective
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Establish/Maintain Documentation Preventive
    Establish and maintain domain name registration and renewal procedures. CC ID 07075 Business Processes Preventive
    Establish and maintain Intellectual Property Rights protection procedures. CC ID 11512 Establish/Maintain Documentation Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Establish/Maintain Documentation Preventive
    Identify the sender in all electronic messages. CC ID 13996 Data and Information Management Preventive
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Establish/Maintain Documentation Preventive
    Establish and maintain nondisclosure agreements. CC ID 04536
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall have a confidentiality agreement in place that specifies the confidential nature of this information. The agreement shall be applicable to all personnel accessing health information. § 13.2.4 Health-specific control]
    Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Establish/Maintain Documentation Preventive
    Review nondisclosure agreements on a regular basis. CC ID 12437 Human Resources Management Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Business Processes Preventive
    Establish and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747
    [Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. § 7.2.2 Health-specific control ¶ 2]
    Process or Activity Corrective
    Establish and maintain an Asset Management program. CC ID 06630 Business Processes Preventive
    Assign an information owner to organizational assets, as necessary. CC ID 12729
    [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: have a designated custodian of these health information assets (see 8.1.2); § 8.1.1 Health-specific control ¶ 1(b)
    The source (authorship) of publicly available health information should be stated and its integrity should be protected. § 14.1.3.1 Health-specific controls ¶ 3]
    Human Resources Management Preventive
    Establish, implement, and maintain an asset inventory database. CC ID 06631
    [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: account for health information assets (i.e. maintain an inventory of such assets); § 8.1.1 Health-specific control ¶ 1(a)]
    Business Processes Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Technical Security Preventive
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344
    [{establish}{ownership} Assets maintained in the inventory should be owned. § 8.1.2 Control ¶ 2]
    Human Resources Management Preventive
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Technical Security Detective
    Record software license information for each asset in the asset inventory. CC ID 11736 Data and Information Management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Establish/Maintain Documentation Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Establish/Maintain Documentation Preventive
    Include the software version for applicable assets in the asset inventory. CC ID 12196 Establish/Maintain Documentation Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Establish/Maintain Documentation Preventive
    Include authentication systems in the asset inventory. CC ID 13724 Establish/Maintain Documentation Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Establish/Maintain Documentation Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Establish/Maintain Documentation Preventive
    Record the make and model of the device for applicable assets in the asset inventory. CC ID 12465 Establish/Maintain Documentation Preventive
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Establish/Maintain Documentation Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Establish/Maintain Documentation Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Establish/Maintain Documentation Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Establish/Maintain Documentation Preventive
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Data and Information Management Preventive
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Establish/Maintain Documentation Preventive
    Record the department associated with the asset in the asset inventory. CC ID 12084 Establish/Maintain Documentation Preventive
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Establish/Maintain Documentation Preventive
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Establish/Maintain Documentation Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Establish/Maintain Documentation Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Establish/Maintain Documentation Preventive
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Establish/Maintain Documentation Preventive
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Establish/Maintain Documentation Preventive
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Establish/Maintain Documentation Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Establish/Maintain Documentation Preventive
    Record all changes to assets in the asset inventory database. CC ID 12190 Establish/Maintain Documentation Preventive
    Include cloud service derived data in the asset inventory database. CC ID 13007 Establish/Maintain Documentation Preventive
    Include cloud service customer data in the asset inventory database, as necessary. CC ID 13006 Establish/Maintain Documentation Preventive
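    The asset inventory controls above (CC ID 06631 through 13006) describe a record schema and one detective check: compare what the DHCP server has actually leased against what the inventory says exists (CC ID 12110) and tag assets that are past vendor support (CC ID 13723). The following is an added worked example, not text or code from ISO 27799:2016 or from this report. It assumes an inventory record carrying the listed fields, an ISC dhcpd server logging to syslog ("DHCPACK on <ip> to <mac> (<hostname>) via <interface>"), and it uses constructed sample records and log lines throughout.

```python
"""Reconcile DHCP server logs against the asset inventory.

Added example; not text or code from ISO 27799 or from the mapping report.
Assumptions: the inventory carries the fields the controls list, the DHCP
server is ISC dhcpd logging "DHCPACK on <ip> to <mac> (<hostname>) via <if>",
and every record and log line below is constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Asset:
    asset_tag: str
    host_name: str
    mac: str
    ip: str
    os_type: str
    os_version: str
    firmware_version: str
    owner: str
    department: str
    location: str
    environment: str
    end_of_support: str | None = None       # ISO date; None while still supported
    software: list[str] = field(default_factory=list)  # link to the software inventory
    tags: set[str] = field(default_factory=set)

    def normalized_mac(self) -> str:
        # Vendors write MACs as AA-BB-.. or aa:bb:..; compare one canonical form.
        return self.mac.lower().replace("-", ":")


# Constructed sample inventory.
SAMPLE_ASSETS = [
    Asset("MED-0001", "infusion-pump-07", "00:1A:2B:3C:4D:5E", "10.0.5.23", "Linux",
          "4.19", "2.3.1", "biomed-eng", "Biomedical Engineering", "Ward 3", "production",
          end_of_support="2030-06-30", software=["pump-ctl 2.3.1"]),
    Asset("MED-0002", "pacs-ws-12", "aa:bb:cc:dd:ee:01", "10.0.5.40", "Windows",
          "6.1", "A07", "radiology-it", "Radiology", "Reading room B", "production",
          end_of_support="2020-01-14", software=["PACS viewer 11.2"]),
]

# Constructed sample syslog lines from the DHCP server.
SAMPLE_DHCP_LOG = [
    "Jan 12 08:15:02 dhcp1 dhcpd[1234]: DHCPACK on 10.0.5.23 to 00:1a:2b:3c:4d:5e (infusion-pump-07) via eth0",
    "Jan 12 08:15:09 dhcp1 dhcpd[1234]: DHCPACK on 10.0.5.41 to aa:bb:cc:dd:ee:01 (pacs-ws-12) via eth0",
    "Jan 12 08:16:44 dhcp1 dhcpd[1234]: DHCPACK on 10.0.5.77 to de:ad:be:ef:00:01 (android-3f9c) via eth0",
    "Jan 12 08:16:50 dhcp1 dhcpd[1234]: DHCPDISCOVER from de:ad:be:ef:00:02 via eth0",
]

# Only an ACK means the client holds the address; DISCOVER/OFFER lines are skipped.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<host>[^)]*)\))?"
)


def parse_dhcp_log(lines: list[str]) -> dict[str, tuple[str, str]]:
    """Return the latest ACKed lease per MAC as mac -> (ip, hostname the client reported)."""
    leases: dict[str, tuple[str, str]] = {}
    for line in lines:
        m = DHCPACK_RE.search(line)
        if m:
            leases[m["mac"].lower()] = (m["ip"], m["host"] or "")
    return leases


def reconcile(assets: list[Asset], leases: dict[str, tuple[str, str]]):
    """Flag leases for MACs absent from the inventory, and inventoried hosts whose IP changed."""
    by_mac = {a.normalized_mac(): a for a in assets}
    unknown = {mac: info for mac, info in leases.items() if mac not in by_mac}
    ip_drift: dict[str, tuple[str, str]] = {}
    for mac, (ip, _host) in leases.items():
        asset = by_mac.get(mac)
        if asset is not None and asset.ip != ip:
            ip_drift[asset.asset_tag] = (asset.ip, ip)
    return unknown, ip_drift


def tag_unsupported(assets: list[Asset], today_iso: str) -> list[str]:
    """Tag assets whose vendor support ended before today_iso; returns the tagged asset tags."""
    today = date.fromisoformat(today_iso)
    for a in assets:
        if a.end_of_support and date.fromisoformat(a.end_of_support) < today:
            a.tags.add("unsupported")
    return sorted(a.asset_tag for a in assets if "unsupported" in a.tags)


if __name__ == "__main__":
    unknown, drift = reconcile(SAMPLE_ASSETS, parse_dhcp_log(SAMPLE_DHCP_LOG))
    for mac, (ip, host) in unknown.items():
        print(f"NOT IN INVENTORY: {mac} leased {ip} ({host or 'no hostname'})")
    for tag, (recorded, seen) in drift.items():
        print(f"IP DRIFT: {tag} recorded {recorded}, DHCP shows {seen}")
    for tag in tag_unsupported(SAMPLE_ASSETS, "2024-01-12"):
        print(f"UNSUPPORTED: {tag}")
```

    Keying on the MAC rather than the hostname matters: the hostname in a DHCPACK is whatever the client chose to send, so a rogue device can claim any name, while the recorded MAC is what the inventory owner entered. Static-IP devices never appear in DHCP logs, so this check complements, rather than replaces, a network scan.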
    Establish and maintain a customer service program. CC ID 00846 Establish/Maintain Documentation Preventive
    Establish and maintain an Incident Management program. CC ID 00853 Business Processes Preventive
    Include incident escalation procedures in the Incident Management program. CC ID 00856
    [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to ensure that there is an effective and prioritized escalation path for incidents, such that crisis management and business continuity management plans can be invoked in the right circumstances and at the right time; § 16.1.2 Health-specific controls ¶ 1(b)]
    Establish/Maintain Documentation Preventive
    Include intrusion detection procedures in the Incident Management program. CC ID 00588 Establish/Maintain Documentation Preventive
    Contain the incident to prevent further loss and preserve the system for forensic analysis. CC ID 01751 Process or Activity Corrective
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754
    [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to collect and preserve incident-related audit logs and other relevant evidence. § 16.1.2 Health-specific controls ¶ 1(c)]
    Log Management Corrective
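    § 16.1.2 ¶ 1(c) requires that incident-related audit logs be collected and preserved as evidence; what makes a stored log usable as evidence is that any later alteration can be shown. The following is an added worked example, not text or code from ISO 27799:2016 or from this report. It assumes the logs have already been exported from the in-scope systems and are presented as name-to-bytes pairs; the case identifier, collector name and log contents are constructed sample data. It records a SHA-256 digest per log together with who collected it and when, then seals the manifest itself so an edited manifest is also detectable.

```python
"""Seal collected incident logs so later alteration is detectable.

Added example; not text or code from ISO 27799 or from the mapping report.
Assumptions: logs have already been exported and are given as name -> bytes;
the case id, collector and log contents below are constructed sample data.
"""
from __future__ import annotations

import hashlib
import json


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _manifest_digest(entries: dict) -> str:
    # Canonical JSON so the digest does not depend on key order or whitespace.
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return _sha256(canonical)


def preserve(sources: dict[str, bytes], case_id: str, collector: str, collected_at: str) -> dict:
    """Build an evidence manifest: per-log SHA-256, size, who and when (ISO 8601), sealed by a manifest digest."""
    entries = {}
    for name, data in sorted(sources.items()):
        entries[name] = {
            "sha256": _sha256(data),
            "size": len(data),
            "collected_at": collected_at,
            "collector": collector,
        }
    return {"case_id": case_id, "entries": entries, "manifest_sha256": _manifest_digest(entries)}


def verify(sources: dict[str, bytes], manifest: dict) -> dict:
    """Re-hash stored logs against the manifest; report altered, missing and unlisted logs and manifest tampering."""
    manifest_ok = _manifest_digest(manifest["entries"]) == manifest["manifest_sha256"]
    altered, missing = [], []
    for name, entry in manifest["entries"].items():
        if name not in sources:
            missing.append(name)
        elif _sha256(sources[name]) != entry["sha256"]:
            altered.append(name)
    unlisted = sorted(set(sources) - set(manifest["entries"]))
    return {"manifest_ok": manifest_ok, "altered": altered, "missing": missing, "unlisted": unlisted}


# Constructed sample logs exported from a (hypothetical) database host during an incident.
SAMPLE_LOGS = {
    "auth.log": (
        b"Jan 12 03:14:07 ehr-db01 sshd[4121]: Failed password for root from 10.0.9.200 port 51522 ssh2\n"
        b"Jan 12 03:14:09 ehr-db01 sshd[4121]: Accepted password for root from 10.0.9.200 port 51522 ssh2\n"
    ),
    "audit.log": (
        b'type=USER_CMD msg=audit(1705029250.112:301): pid=4130 uid=0 '
        b'cmd="tar czf /tmp/x.tgz /var/lib/pgsql"\n'
    ),
}


if __name__ == "__main__":
    manifest = preserve(SAMPLE_LOGS, "IR-2024-0001", "oncall-analyst", "2024-01-12T04:00:00+00:00")
    print(json.dumps(manifest, indent=2))
    print("clean copy:", verify(SAMPLE_LOGS, manifest))
    tampered = dict(SAMPLE_LOGS)
    tampered["auth.log"] = tampered["auth.log"].replace(b"Accepted", b"Rejected")
    print("edited auth.log:", verify(tampered, manifest))
```

    The manifest digest only proves the manifest matches itself; to bind it to a point in time and a person, the digest should be recorded out of band (in the incident ticket, or signed by the collector's key) the moment collection finishes, since a sealed manifest can still be regenerated wholesale by whoever holds write access to the evidence store.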
    Include incident management procedures in the Incident Management program. CC ID 12689
    [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: § 16.1.2 Health-specific controls ¶ 1]
    Establish/Maintain Documentation Preventive
    Include temporary and emergency access authorization procedures in the Incident Management program. CC ID 00858 Establish/Maintain Documentation Corrective
    Establish and maintain an Incident Response program. CC ID 00579 Establish/Maintain Documentation Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Establish/Maintain Documentation Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652
    [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: § 16.1.2 Health-specific controls ¶ 1]
    Establish Roles Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Establish Roles Preventive
    Open a priority incident request after a security breach is detected. CC ID 04838 Testing Corrective
    Activate the incident response notification procedures after a security breach is detected. CC ID 04839 Testing Corrective
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Communicate Corrective
    Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 Establish Roles Preventive
    Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 Establish Roles Preventive
    Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 Establish Roles Preventive
    Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 Establish Roles Preventive
    Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 Establish Roles Preventive
    Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 Establish Roles Preventive
    Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 Establish Roles Preventive
    Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 Establish Roles Preventive
    Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 Establish Roles Preventive
    Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 Human Resources Management Preventive
    Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 Investigate Detective
    Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 Establish/Maintain Documentation Preventive
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Communicate Preventive
    Establish and maintain incident response procedures. CC ID 01206
    [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to ensure effective and timely response to security incidents; § 16.1.2 Health-specific controls ¶ 1(a)]
    Establish/Maintain Documentation Detective
    Include references to industry best practices in the incident response procedures. CC ID 11956 Establish/Maintain Documentation Preventive
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 Establish/Maintain Documentation Preventive
    Automatically respond when an integrity violation is detected. CC ID 10678 Technical Security Corrective
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Technical Security Corrective
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Technical Security Corrective
    Establish and maintain a change control program. CC ID 00886
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure the appropriate control of host applications and systems and continuity of patient care. § 12.1.2 Health-specific control]
    Establish/Maintain Documentation Preventive
    Include potential consequences of unintended changes in the change control program. CC ID 12243 Establish/Maintain Documentation Preventive
    Include version control in the change control program. CC ID 13119 Establish/Maintain Documentation Preventive
    Include service design and transition in the change control program. CC ID 13920 Establish/Maintain Documentation Preventive
    Separate the production environment from development environment or test environment for the change control process. CC ID 11864 Maintenance Preventive
    Integrate configuration management procedures into the change control program. CC ID 13646 Technical Security Preventive
    Establish and maintain a back-out plan. CC ID 13623 Establish/Maintain Documentation Preventive
    Establish back-out procedures for each proposed change in a change request. CC ID 00373 Establish/Maintain Documentation Preventive
    Review and approve back-out plans, as necessary. CC ID 13627 Establish/Maintain Documentation Corrective
    Manage change requests. CC ID 00887
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure the appropriate control of host applications and systems and continuity of patient care. § 12.1.2 Health-specific control]
    Business Processes Preventive
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942 Establish/Maintain Documentation Preventive
    Establish and maintain a change request approver list. CC ID 06795 Establish/Maintain Documentation Preventive
    Document all change requests in change request forms. CC ID 06794 Establish/Maintain Documentation Preventive
    Test proposed changes prior to their approval. CC ID 00548 Testing Detective
    Examine all changes to ensure they correspond with the change request. CC ID 12345 Business Processes Detective
    Approve tested change requests. CC ID 11783 Data and Information Management Preventive
    Validate the system before implementing approved changes. CC ID 01510 Systems Design, Build, and Implementation Preventive
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Behavior Preventive
    Establish and maintain emergency change procedures. CC ID 00890 Establish/Maintain Documentation Preventive
    Perform emergency changes, as necessary. CC ID 12707 Process or Activity Preventive
    Back up emergency changes after the change has been performed. CC ID 12734 Process or Activity Preventive
    Log emergency changes after they have been performed. CC ID 12733 Establish/Maintain Documentation Preventive
    Perform risk assessments prior to approving change requests. CC ID 00888 Testing Preventive
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Process or Activity Detective
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Investigate Detective
    Collect data about the network environment when certifying the network. CC ID 13125 Investigate Detective
    Implement changes according to the change control program. CC ID 11776 Business Processes Preventive
    Provide audit trails for all approved changes. CC ID 13120 Establish/Maintain Documentation Preventive
    Establish and maintain a patch management program. CC ID 00896 Process or Activity Preventive
    Document the sources of all software updates. CC ID 13316 Establish/Maintain Documentation Preventive
    Implement patch management software, as necessary. CC ID 12094 Technical Security Preventive
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Technical Security Preventive
    Establish and maintain a patch log. CC ID 01642 Establish/Maintain Documentation Preventive
    Review the patch log for missing patches. CC ID 13186 Technical Security Detective
    Perform a patch test prior to deploying a patch. CC ID 00898 Testing Detective
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Business Processes Preventive
    Deploy software patches. CC ID 07032 Configuration Corrective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Testing Detective
    Patch software. CC ID 11825 Technical Security Corrective
    Patch Operating System software. CC ID 11824 Technical Security Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Configuration Corrective
    Remove outdated software after software has been updated. CC ID 11792 Configuration Corrective
    Update computer firmware. CC ID 11755 Configuration Corrective
    Update computer firmware to the latest version once upgrade notification has been received. CC ID 06081 Configuration Preventive
    Review changes to computer firmware. CC ID 12226 Testing Detective
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Testing Detective
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Configuration Corrective
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 Technical Security Detective
    Establish and maintain a software release policy. CC ID 00893 Establish/Maintain Documentation Preventive
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Behavior Preventive
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Data and Information Management Preventive
    Mitigate the adverse effects of unauthorized changes. CC ID 12244 Business Processes Corrective
    Establish and maintain approved change acceptance testing procedures. CC ID 06391 Establish/Maintain Documentation Detective
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Testing Detective
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 Testing Detective
    Establish and maintain a change acceptance testing log. CC ID 06392 Establish/Maintain Documentation Corrective
    Update associated documentation after the system configuration has been changed. CC ID 00891 Establish/Maintain Documentation Preventive
    Establish and maintain a configuration change log. CC ID 08710 Configuration Detective
    Review the configuration change log. CC ID 11754 Configuration Detective
    Document approved configuration deviations. CC ID 08711 Establish/Maintain Documentation Corrective
    Update the system's backup procedures after an approved change has occurred. CC ID 04498 Data and Information Management Preventive
  • Physical and environmental protection
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Physical and environmental protection CC ID 00709 IT Impact Zone IT Impact Zone
    Establish and maintain a physical security program. CC ID 11757 Establish/Maintain Documentation Preventive
    Establish and maintain a facility physical security program. CC ID 00711 Establish/Maintain Documentation Preventive
    Identify and document physical access controls for all physical entry points. CC ID 01637 Establish/Maintain Documentation Preventive
    Control physical access to (and within) the facility. CC ID 01329
    [Organizations processing personal health information should use security perimeters to protect areas that contain information processing facilities supporting such health applications. These secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.1 Health-specific control]
    Physical and Environmental Protection Preventive
    Define and implement access procedures for all organizational facilities and controlled access areas. CC ID 13629 Establish/Maintain Documentation Preventive
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and Environmental Protection Preventive
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and Environmental Protection Detective
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and Environmental Protection Preventive
    Establish and maintain a visitor access permissions policy. CC ID 06699 Establish/Maintain Documentation Preventive
    Escort visitors within the facility, as necessary. CC ID 06417 Establish/Maintain Documentation Preventive
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and Environmental Protection Preventive
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Testing Preventive
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Behavior Preventive
    Establish and maintain procedures for changing a visitor's access requirements. CC ID 12048 Establish/Maintain Documentation Preventive
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Establish/Maintain Documentation Preventive
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Establish/Maintain Documentation Preventive
    Review facility access lists. CC ID 01251 Establish/Maintain Documentation Detective
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 Physical and Environmental Protection Corrective
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 Monitor and Evaluate Occurrences Preventive
    Establish and maintain physical identification procedures. CC ID 00713 Establish/Maintain Documentation Preventive
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Human Resources Management Preventive
    Implement physical identification processes. CC ID 13715 Process or Activity Preventive
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Process or Activity Preventive
    Issue photo identification badges to all employees. CC ID 12326 Physical and Environmental Protection Preventive
    Implement operational requirements for card readers. CC ID 02225 Testing Preventive
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and Environmental Protection Preventive
    Document all lost badges in a lost badge list. CC ID 12448 Establish/Maintain Documentation Corrective
    Manage constituent identification inside the facility. CC ID 02215 Behavior Preventive
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Human Resources Management Preventive
    Manage visitor identification inside the facility. CC ID 11670 Physical and Environmental Protection Preventive
    Issue visitor identification badges to all non-employees. CC ID 00543 Behavior Preventive
    Secure unissued visitor identification badges. CC ID 06712 Physical and Environmental Protection Preventive
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Behavior Preventive
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and Environmental Protection Preventive
    Establish and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Establish/Maintain Documentation Preventive
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Process or Activity Preventive
    Include error handling controls in identification issuance procedures. CC ID 13709 Establish/Maintain Documentation Preventive
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Process or Activity Preventive
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Establish/Maintain Documentation Preventive
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and Environmental Protection Preventive
    Enforce dual control for badge assignments. CC ID 12328 Physical and Environmental Protection Preventive
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and Environmental Protection Preventive
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and Environmental Protection Preventive
    Establish and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Establish/Maintain Documentation Preventive
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Human Resources Management Preventive
    Establish and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Establish/Maintain Documentation Preventive
    Establish and maintain identification mechanism termination procedures. CC ID 06306 Establish/Maintain Documentation Preventive
    Prevent tailgating through physical entry points. CC ID 06685 Physical and Environmental Protection Preventive
    Monitor for unauthorized physical access at physical entry points. CC ID 06797 Monitor and Evaluate Occurrences Detective
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749
    [Organizations processing personal health information should use security perimeters to protect areas that contain information processing facilities supporting such health applications. These secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.1 Health-specific control]
    Physical and Environmental Protection Preventive
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and Environmental Protection Preventive
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and Environmental Protection Preventive
    Lock all lockable equipment cabinets. CC ID 11673 Physical and Environmental Protection Detective
    Establish and maintain physical security controls for distributed Information Technology assets. CC ID 00718 Physical and Environmental Protection Preventive
    Protect distributed Information Technology assets against theft. CC ID 06799 Physical and Environmental Protection Preventive
    Establish and maintain Information Technology asset removal procedures. CC ID 04540 Establish/Maintain Documentation Preventive
    Prohibit assets from being taken off-site absent prior authorization. CC ID 12027
    [In addition to implementing the control given by ISO/IEC 27002, organizations providing or using equipment, data or software to support a healthcare application containing personal health information shall not allow such equipment, data, or software to be removed from the site or relocated within it without authorization by the organization. § 11.2.5 Health-specific control]
    Process or Activity Preventive
    Establish and maintain asset return procedures. CC ID 04537 Establish/Maintain Documentation Preventive
    Require the return of all assets upon notification an individual is terminated. CC ID 06679
    [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control]
    Behavior Preventive
  • Privacy protection for information and data
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish and maintain a privacy framework that protects restricted data. CC ID 11850 Establish/Maintain Documentation Preventive
    Establish and maintain a personal data transparency and openness program. CC ID 00375 Data and Information Management Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Establish/Maintain Documentation Preventive
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 Data and Information Management Preventive
    Include individual's names to whom personal data may be disclosed in the disclosure accounting record. CC ID 13027
    [The organization should identify and document all parties with whom patient data is exchanged and contractual agreements should be made with these parties regulating access and privileges, prior to exchange of patient data. § 9.1.1 Health-specific control ¶ 5]
    Establish/Maintain Documentation Preventive
    Establish and maintain a personal data use limitation program. CC ID 13428 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Establish/Maintain Documentation Preventive
    Dispose of media and personal data in a timely manner. CC ID 00125
    [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control
    In addition to implementing the control given by ISO/IEC 27002, organizations processing health information applications shall securely erase or else destroy all media containing health information application software or personal health information when the media are no longer required for use. § 11.2.7 Health-specific control
    In addition to implementing the control given by ISO/IEC 27002, all personal health information shall be securely erased or else the media destroyed when no longer required for use. § 8.3.2 Health-specific control]
    Data and Information Management Preventive
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Records Management Preventive
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Communicate Preventive
    Establish and maintain personal data use limitation procedures. CC ID 00128 Establish/Maintain Documentation Preventive
    Process personal data lawfully and carefully. CC ID 00086 Establish Roles Preventive
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Data and Information Management Preventive
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990
    [Organizations should inform the subject of care whenever lack of availability of health information systems may have adversely affected their care. § 16.1.2 Health-specific controls ¶ 4]
    Communicate Corrective
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Establish/Maintain Documentation Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207
    [Health information systems processing personal health information shall provide personally identifying information to assist health professionals in confirming that the electronic health record retrieved matches the subject of care under treatment. § 14.1.1.2 Health-specific control
    Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when a healthcare relationship exists between the user and the data subject (the subject of care whose personal health information is being accessed); § 9.1.1 Health-specific control ¶ 1(a)]
    Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209
    [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when the user is carrying out an activity on behalf of the data subject; § 9.1.1 Health-specific control ¶ 1(b)]
    Data and Information Management Preventive
    Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989
    [Organizations should inform the subject of care whenever personal health information has been unintentionally disclosed. § 16.1.2 Health-specific controls ¶ 3]
    Communicate Corrective
    Establish and maintain a data handling program. CC ID 13427 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Establish/Maintain Documentation Preventive
    Establish and maintain data and information confidentiality policies. CC ID 00361
    [{confidential information} All health information systems processing personal health information should inform users of the confidentiality of personal health information accessible from the system (e.g. at start-up or log-in) and should label hardcopy output as confidential when it contains personal health information. § 8.2.2 Health-specific control]
    Establish/Maintain Documentation Preventive
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Data and Information Management Preventive
    Protect electronic messaging information. CC ID 12022 Technical Security Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Data and Information Management Preventive
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Configuration Preventive
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Testing Detective
    Store payment card data in secure chips, if possible. CC ID 13065 Configuration Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Configuration Preventive
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Technical Security Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Data and Information Management Preventive
    Log the disclosure of personal data. CC ID 06628 Log Management Preventive
    Log the modification of personal data. CC ID 11844 Log Management Preventive
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Technical Security Preventive
    Implement security measures to protect personal data. CC ID 13606 Technical Security Preventive
    Implement physical controls to protect personal data. CC ID 00355 Testing Preventive
    Limit data leakage. CC ID 00356 Data and Information Management Preventive
    Conduct personal data risk assessments. CC ID 00357 Testing Detective
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Business Processes Preventive
    Establish and maintain suspicious document procedures. CC ID 04852 Establish/Maintain Documentation Detective
    Establish and maintain suspicious personal data procedures. CC ID 04853 Data and Information Management Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Data and Information Management Detective
    Establish and maintain suspicious user account activity procedures. CC ID 04854 Monitor and Evaluate Occurrences Detective
    Perform an identity check prior to approving an account change request. CC ID 13670 Investigate Detective
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Behavior Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Data and Information Management Detective
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Log Management Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Monitor and Evaluate Occurrences Corrective
    Log dates for account name changes or address changes. CC ID 04876 Log Management Detective
    Review accounts that are changed for additional user requests. CC ID 11846 Monitor and Evaluate Occurrences Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Data and Information Management Detective
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Acquisition/Sale of Assets or Services Preventive
    Search the Internet for evidence of data leakage. CC ID 10419 Process or Activity Detective
    Review monitored websites for data leakage. CC ID 10593 Monitor and Evaluate Occurrences Detective
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Data and Information Management Preventive
    Change or destroy any personal data that is incorrect. CC ID 00462
    [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control]
    Data and Information Management Corrective
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Behavior Corrective
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes for which it was collected. CC ID 13610 Data and Information Management Preventive
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Data and Information Management Corrective
  • Records management
    102
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular
    TYPE    CLASS
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish and maintain records management policies used to manage organizational records. CC ID 00903 Establish/Maintain Documentation Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Establish/Maintain Documentation Detective
    Establish and maintain a data retention program. CC ID 00906 Establish/Maintain Documentation Detective
    Archive appropriate records, logs, and database tables. CC ID 06321
    [Publicly available health information (as distinct from personal health information) should be archived. § 14.1.3.1 Health-specific controls ¶ 1]
    Records Management Preventive
    Maintain continued integrity for all stored data and stored records. CC ID 00969
    [The source (authorship) of publicly available health information should be stated and its integrity should be protected. § 14.1.3.1 Health-specific controls ¶ 3]
    Testing Detective
    Establish and maintain records management procedures used to manage organizational records. CC ID 11619
    [Health information systems processing personal health information: shall be capable of merging duplicate or multiple records if it is determined that multiple records for the same subject of care have been created unintentionally or during a medical emergency. § 14.1.1.1 Health-specific control ¶ 1(b)]
    Establish/Maintain Documentation Preventive
    Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 Business Processes Detective
    Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 Process or Activity Detective
    Review the electronic storage media for the information the organization collects and processes. CC ID 13009
    [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control]
    Process or Activity Detective
    Remove non-public information from publicly accessible systems. CC ID 14246 Data and Information Management Corrective
    Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 Records Management Preventive
    Process restricted information in a secure environment. CC ID 13058 Process or Activity Preventive
    Refrain from creating printed records as copies of electronic records. CC ID 11808 Records Management Preventive
    Protect records from loss in accordance with applicable requirements. CC ID 12007 Records Management Preventive
    Capture the records required by organizational compliance requirements. CC ID 00912 Records Management Detective
    Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 Data and Information Management Detective
    Log records as being received into the recordkeeping system. CC ID 11696 Records Management Preventive
    Log the date and time each item is received into the recordkeeping system. CC ID 11709 Log Management Preventive
    Log the date and time in the recordkeeping system each item is made available. CC ID 11710 Log Management Preventive
    Log the number of routine items received into the recordkeeping system. CC ID 11701 Establish/Maintain Documentation Preventive
    Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 Log Management Preventive
    Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 Log Management Preventive
    Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 Log Management Preventive
    Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 Log Management Preventive
    Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 Log Management Preventive
    Log responses to inquiries, annotating the send date for each response. CC ID 11719 Log Management Preventive
    Log the number of non-routine items received into the recordkeeping system. CC ID 11706 Log Management Preventive
    Log the documentation of determination that items received are not routine. CC ID 11716 Log Management Preventive
    Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 Log Management Preventive
    Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 Log Management Preventive
    Log performance monitoring for the organization. CC ID 11724 Log Management Preventive
    Log the number of inquiries pending as of the close of business. CC ID 11728 Log Management Preventive
    Log the number of inquiries received but not responded to within the required time frame. CC ID 11727 Log Management Preventive
    Establish and maintain a current transfer journal. CC ID 11729 Records Management Preventive
    Log any notices filed by the organization. CC ID 11725 Log Management Preventive
    Log telephone responses into a telephone log, annotating the date of each response. CC ID 11723 Log Management Preventive
    Log the date each certificate is made available to the presenter. CC ID 11720 Log Management Preventive
    Log the number of items not processed within the required time frame. CC ID 11717 Log Management Preventive
    Provide a receipt of records logged into the recordkeeping system. CC ID 11697 Records Management Preventive
    Log the appointments and termination of appointments of registered transfer agents. CC ID 11712 Log Management Preventive
    Log the number of items processed within the required time frame. CC ID 11715 Log Management Preventive
    Log any stop orders or notices of adverse claims. CC ID 11726 Log Management Preventive
    Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 Data and Information Management Detective
    Include record integrity techniques in the Records Management procedures. CC ID 06418
    [The integrity of publicly available health information should be protected to prevent unauthorized modification. § 14.1.3.1 Health-specific controls ¶ 2]
    Establish/Maintain Documentation Preventive
    Note in electronic records converted from printed records, the location of the original. CC ID 11809 Records Management Preventive
    Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 Establish/Maintain Documentation Preventive
    Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 Business Processes Preventive
    Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 Business Processes Preventive
    Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 Business Processes Preventive
    Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 Business Processes Preventive
    Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 Records Management Preventive
    Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 Business Processes Preventive
    Establish and maintain electronic storage media security controls. CC ID 13204 Technical Security Preventive
    Establish and maintain electronic storage media management procedures. CC ID 00931 Establish/Maintain Documentation Preventive
    Establish and maintain storage media and record security label procedures. CC ID 06747 Establish/Maintain Documentation Preventive
    Label restricted storage media appropriately. CC ID 00966 Data and Information Management Preventive
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420
    [{confidential information} All health information systems processing personal health information should inform users of the confidentiality of personal health information accessible from the system (e.g. at start-up or log-in) and should label hardcopy output as confidential when it contains personal health information. § 8.2.2 Health-specific control]
    Records Management Detective
    Establish and maintain restricted material identification procedures. CC ID 01889 Establish/Maintain Documentation Preventive
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Establish/Maintain Documentation Preventive
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Establish/Maintain Documentation Preventive
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Establish/Maintain Documentation Preventive
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Establish/Maintain Documentation Preventive
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Establish/Maintain Documentation Preventive
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Data and Information Management Preventive
    Establish and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 Technical Security Preventive
    Establish the minimum originator requirements for security labels. CC ID 06579 Establish/Maintain Documentation Preventive
    Establish the minimum intermediate system requirements for security labels. CC ID 06581 Establish/Maintain Documentation Preventive
    Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 Establish/Maintain Documentation Preventive
    Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 Establish/Maintain Documentation Preventive
    Establish and maintain access controls for all records. CC ID 00371 Records Management Preventive
    Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 Data and Information Management Preventive
    Establish and maintain a records lifecycle management program. CC ID 00951 Establish/Maintain Documentation Preventive
    Establish and maintain information preservation procedures. CC ID 06277 Establish/Maintain Documentation Preventive
    Implement and maintain high availability storage, as necessary. CC ID 00952 Technical Security Preventive
    Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 Records Management Preventive
    Implement and maintain duplicate originals of record indexes. CC ID 00954 Records Management Preventive
    Establish and maintain a transparent storage media strategy. CC ID 00932 Records Management Preventive
    Establish and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 Establish/Maintain Documentation Preventive
    Establish and maintain online storage monitoring and reporting capabilities. CC ID 00935 Monitor and Evaluate Occurrences Detective
    Establish and maintain online storage controls. CC ID 00942 Technical Security Preventive
    Establish and maintain security controls appropriate to the record types and electronic storage media in use. CC ID 00943 Records Management Preventive
    Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 Testing Detective
    Provide encryption for different types of electronic storage media. CC ID 00945
    [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control]
    Technical Security Preventive
    Implement electronic storage media integrity controls. CC ID 00946 Configuration Preventive
    Automate electronic storage media integrity check controls. CC ID 00948 Configuration Preventive
    Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 Configuration Preventive
    Provide audit trails for all pertinent records. CC ID 00372 Establish/Maintain Documentation Detective
    Establish and maintain a removable storage media log. CC ID 12317
    [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control]
    Log Management Preventive
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 Establish/Maintain Documentation Preventive
    Include the date and time in the removable storage media log. CC ID 12318 Establish/Maintain Documentation Preventive
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 Establish/Maintain Documentation Preventive
    Record the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Establish/Maintain Documentation Preventive
    Record the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Establish/Maintain Documentation Preventive
    Record the sender's name in the removable storage media log. CC ID 12752 Establish/Maintain Documentation Preventive
    Record the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Establish/Maintain Documentation Preventive
    Include the reason for transfer in the removable storage media log. CC ID 12316 Establish/Maintain Documentation Preventive
    Establish and maintain storage media downgrading procedures. CC ID 10619 Process or Activity Preventive
    Identify electronic storage media that require downgrading. CC ID 10620 Process or Activity Detective
    Downgrade electronic storage media, as necessary. CC ID 10621 Process or Activity Corrective
    Document all actions taken when downgrading electronic storage media. CC ID 10622 Establish/Maintain Documentation Preventive
    Test the storage media downgrade for correct performance. CC ID 10623 Testing Detective
  • System hardening through configuration management
    4
    System hardening through configuration management CC ID 00860 IT Impact Zone IT Impact Zone
    Establish and maintain system hardening procedures. CC ID 12001 Establish/Maintain Documentation Preventive
    Configure the time server in accordance with organizational standards. CC ID 06426 Configuration Preventive
    Configure the time server to synchronize with specifically designated hosts. CC ID 06427
    [Health information systems supporting time-critical shared care activities shall provide time synchronization services to support tracing and reconstitution of activity timelines where required. § 12.4.4 Health-specific control]
    Configuration Preventive
  • Systems design, build, and implementation
    10
    Systems design, build, and implementation CC ID 00989 IT Impact Zone IT Impact Zone
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems Design, Build, and Implementation Preventive
    Separate the design and development environment from the production environment. CC ID 06088
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those health information systems. Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s). § 12.1.4 Health-specific control]
    Systems Design, Build, and Implementation Preventive
    Specify appropriate tools for the system development project. CC ID 06830 Establish/Maintain Documentation Preventive
    Initiate the System Development Life Cycle implementation phase. CC ID 06268 Systems Design, Build, and Implementation Preventive
    Establish and maintain a system implementation standard. CC ID 01111 Establish/Maintain Documentation Preventive
    Establish and maintain implementation plans. CC ID 01114
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those health information systems. Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s). § 12.1.4 Health-specific control]
    Establish/Maintain Documentation Preventive
    Review and approve implementation plans, as necessary. CC ID 13628 Establish/Maintain Documentation Corrective
    Manage the system implementation process. CC ID 01115 Behavior Preventive
    Evaluate and determine whether or not the newly developed system meets users' system design requirements. CC ID 01120
    [Clinical users should be involved in the testing of clinically relevant system features. § 14.2.9 Health-specific control ¶ 2]
    Testing Detective
  • Technical security
    66
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish and maintain an access control program. CC ID 11702 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain access control policies. CC ID 00512
    [Organizations processing personal health information shall have an access control policy governing access to these data. § 9.1.1 Health-specific control ¶ 2
    {external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4
    The organization's policy on access control should be established on the basis of predefined roles with associated authorities which are consistent with, but limited to, the needs of that role. § 9.1.1 Health-specific control ¶ 3]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the access control policy. CC ID 14006 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the access control policy. CC ID 14005 Establish/Maintain Documentation Preventive
    Include management commitment in the access control policy. CC ID 14004 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the access control policy. CC ID 14003 Establish/Maintain Documentation Preventive
    Include the scope in the access control policy. CC ID 14002 Establish/Maintain Documentation Preventive
    Include the purpose in the access control policy. CC ID 14001 Establish/Maintain Documentation Preventive
    Establish and maintain an instant messaging and chat system usage policy. CC ID 11815 Establish/Maintain Documentation Preventive
    Review the Access Control policies, as necessary. CC ID 06416 Process or Activity Detective
    Disseminate and communicate the Access Control policies to all interested personnel and affected parties. CC ID 10061 Establish/Maintain Documentation Preventive
    Establish and maintain an access rights management plan. CC ID 00513 Establish/Maintain Documentation Preventive
    Identify information system users. CC ID 12081 Technical Security Detective
    Review user accounts. CC ID 00525
    [User registration details shall be periodically reviewed to ensure that they are complete, accurate and that access is still required. § 9.2.1 Health-specific control ¶ 2]
    Technical Security Detective
    Match user accounts to authorized parties. CC ID 12126 Configuration Detective
    Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 Behavior Corrective
    Change access codes after personnel status changes. CC ID 12284 Human Resources Management Preventive
    Review each user's access capabilities when their role changes. CC ID 00524 Technical Security Preventive
    Control access rights to organizational assets. CC ID 00004 Technical Security Preventive
    Establish access rights based on least privilege. CC ID 01411
    [Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will become available to the user. § 9.2.1 Health-specific control ¶ 1]
    Technical Security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical Security Preventive
    Assign user privileges after they have management sign off. CC ID 00542 Technical Security Preventive
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Configuration Preventive
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Establish Roles Preventive
    Enforce access restrictions for restricted data. CC ID 01921
    [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: § 9.1.1 Health-specific control ¶ 1]
    Data and Information Management Preventive
    Establish and maintain User Access Management procedures for all systems. CC ID 00514
    [{external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4]
    Technical Security Preventive
    Establish, implement, and maintain an authority for access authorization list. CC ID 06782 Establish/Maintain Documentation Preventive
    Review and approve logical access to all assets based upon organizational policies. CC ID 06641 Technical Security Preventive
    Control the addition and modification of user identifiers, user credentials, or other object identifiers. CC ID 00515 Technical Security Preventive
    Assign roles and responsibilities for administering user account management. CC ID 11900 Human Resources Management Preventive
    Automate access control methods, as necessary. CC ID 11838 Technical Security Preventive
    Automate Access Control Systems, as necessary. CC ID 06854 Technical Security Preventive
    Refrain from storing logon credentials for third party applications. CC ID 13690 Technical Security Preventive
    Refrain from allowing user access to identifiers and passwords used by applications. CC ID 10048 Technical Security Preventive
    Notify interested personnel when user accounts are added or deleted. CC ID 14327 Communicate Detective
    Remove inactive user accounts, as necessary. CC ID 00517 Technical Security Corrective
    Remove temporary user accounts, as necessary. CC ID 11839 Technical Security Corrective
    Terminate user accounts when notified that an individual is terminated. CC ID 11614 Technical Security Corrective
    Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 Configuration Preventive
    Terminate access rights when notified that an individual is terminated. CC ID 11826
    [All organizations that process personal health information shall, as soon as possible, terminate the user access privileges with respect to such information for any departing permanent or temporary employee, third-party contractor or volunteer upon termination of employment, contracting, or volunteer activities. § 9.2.6 Health-specific control]
    Technical Security Corrective
    Revoke asset access when an individual is terminated. CC ID 00516 Behavior Corrective
    Deny access to restricted data or restricted information when an individual is terminated. CC ID 01309 Data and Information Management Corrective
    Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 Establish/Maintain Documentation Preventive
    Limit superuser accounts to designated System Administrators. CC ID 06766 Configuration Preventive
    Use superuser accounts only in emergencies. CC ID 07064 Technical Security Preventive
    Establish and maintain access control procedures. CC ID 11663 Establish/Maintain Documentation Preventive
    Include Access Control procedures in the Access Control program. CC ID 00528
    [Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will become available to the user. § 9.2.1 Health-specific control ¶ 1]
    Technical Security Preventive
    Implement out-of-band authentication, as necessary. CC ID 10606 Technical Security Corrective
    Identify and control all network access controls. CC ID 00529 Technical Security Preventive
    Establish and maintain a Boundary Defense program. CC ID 00544 Establish/Maintain Documentation Preventive
    Segregate out of scope systems from in scope systems. CC ID 12546 Technical Security Preventive
    Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 Technical Security Preventive
    Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289
    [{processing architecture} Access to information and application system functions related to the processing personal health information should be isolated from (and separate to) access to information processing infrastructure that is unrelated to the processing of personal health information. § 9.4.1 Health-specific control ¶ 2]
    Data and Information Management Preventive
    Enforce information flow control. CC ID 11781 Monitor and Evaluate Occurrences Preventive
    Establish and maintain information flow control configuration standards. CC ID 01924 Establish/Maintain Documentation Preventive
    Constrain the information flow of restricted data or restricted information. CC ID 06763 Data and Information Management Preventive
    Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453
    [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when there is a need for specific data to support this activity. § 9.1.1 Health-specific control ¶ 1(c)]
    Data and Information Management Preventive
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 Establish/Maintain Documentation Preventive
    Establish and maintain information flow procedures. CC ID 04542
    [{external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4]
    Establish/Maintain Documentation Preventive
    Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 Data and Information Management Preventive
    Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 Data and Information Management Preventive
    Control all methods of remote access and teleworking. CC ID 00559 Technical Security Preventive
    Implement two-factor authentication techniques. CC ID 00561
    [{multifactor authentication} Health information systems processing personal health information shall authenticate users and should do so by means of authentication involving at least two factors. § 9.4.1 Health-specific control ¶ 1]
    Configuration Preventive
    Establish, implement, and maintain a malicious code protection program. CC ID 00574 Establish/Maintain Documentation Preventive
    Install security and protection software on all systems. CC ID 00575
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. § 12.2.1 Health-specific control]
    Configuration Preventive
  • Third Party and supply chain oversight
    8
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish and maintain a supply chain management program. CC ID 11742 Establish/Maintain Documentation Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements, as necessary. CC ID 00794 Process or Activity Detective
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Establish/Maintain Documentation Preventive
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [The organization should identify and document all parties with whom patient data is exchanged and contractual agreements should be made with these parties regulating access and privileges, prior to exchange of patient data. § 9.1.1 Health-specific control ¶ 5]
    Business Processes Preventive
    Include risk management procedures in the supply chain management policy. CC ID 08811 Establish/Maintain Documentation Preventive
    Perform a risk assessment prior to engaging a third party. CC ID 06454 Testing Detective
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level of risk and to the technologies employed. § 15.1.1 Health-specific control]
    Establish/Maintain Documentation Preventive
Common Controls and mandates by Type
87 Mandated Controls (bold), 107 Implied Controls (italic), 580 Implementation Controls (regular)

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls: 774 Total
  • Acquisition/Sale of Assets or Services
    2
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Correct defective acquired goods or services. CC ID 06911 Acquisition or sale of facilities, technology, and services Corrective
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Privacy protection for information and data Preventive
  • Actionable Reports or Measurements
    1
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Audits and risk management Detective
  • Audits and Risk Management
    15
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and risk management Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [Healthcare project management should consider patient safety as a project risk in any project involving the processing of personal health information. § 6.1.5 Health-specific control]
    Audits and risk management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 Audits and risk management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and risk management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463 Audits and risk management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464 Audits and risk management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and risk management Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and risk management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and risk management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and risk management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and risk management Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and risk management Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level of risk and to the technologies employed. § 15.1.1 Health-specific control]
    Audits and risk management Preventive
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and risk management Preventive
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 Monitoring and measurement Preventive
  • Behavior
    21
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Leadership and high level objectives Preventive
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 Leadership and high level objectives Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Audits and risk management Preventive
    Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 Technical security Corrective
    Revoke asset access when an individual is terminated. CC ID 00516 Technical security Corrective
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Physical and environmental protection Preventive
    Manage constituent identification inside the facility. CC ID 02215 Physical and environmental protection Preventive
    Issue visitor identification badges to all non-employees. CC ID 00543 Physical and environmental protection Preventive
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Physical and environmental protection Preventive
    Require the return of all assets upon notification an individual is terminated. CC ID 06679
    [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control]
    Physical and environmental protection Preventive
    Train all personnel and third parties, as necessary. CC ID 00785 Human Resources management Preventive
    Disseminate and communicate security awareness and the internal control framework to all interested personnel and affected parties. CC ID 00823 Human Resources management Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Human Resources management Preventive
    Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442
    [Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. § 7.2.2 Health-specific control ¶ 2]
    Human Resources management Corrective
    Make compliance and governance decisions in a timely manner. CC ID 06490 Operational management Preventive
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Operational management Preventive
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Operational management Preventive
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Operational management Preventive
    Manage the system implementation process. CC ID 01115 Systems design, build, and implementation Preventive
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Privacy protection for information and data Detective
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Privacy protection for information and data Corrective
  • Business Processes
    28
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 Leadership and high level objectives Preventive
    Implement organizational policies, standards, and procedures. CC ID 12893 Leadership and high level objectives Preventive
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Leadership and high level objectives Preventive
    Estimate the costs of implementing the compliance framework. CC ID 07191 Leadership and high level objectives Preventive
    Establish and maintain a positive information control environment. CC ID 00813
    [have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. § 6.1.1 Health-specific control ¶ 1(b)]
    Operational management Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Preventive
    Review the information security procedures, as necessary. CC ID 12006 Operational management Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Operational management Preventive
    Refrain from requiring users to disclose social media account usernames or passwords. CC ID 14009 Operational management Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Operational management Preventive
    Establish and maintain domain name registration and renewal procedures. CC ID 07075 Operational management Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Preventive
    Establish and maintain an Asset Management program. CC ID 06630 Operational management Preventive
    Establish, implement, and maintain an asset inventory database. CC ID 06631
    [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: account for health information assets (i.e. maintain an inventory of such assets); § 8.1.1 Health-specific control ¶ 1(a)]
    Operational management Preventive
    Establish and maintain an Incident Management program. CC ID 00853 Operational management Preventive
    Manage change requests. CC ID 00887
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure the appropriate control of host applications and systems and continuity of patient care. § 12.1.2 Health-specific control]
    Operational management Preventive
    Examine all changes to ensure they correspond with the change request. CC ID 12345 Operational management Detective
    Implement changes according to the change control program. CC ID 11776 Operational management Preventive
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Operational management Preventive
    Mitigate the adverse effects of unauthorized changes. CC ID 12244 Operational management Corrective
    Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 Records management Detective
    Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 Records management Preventive
    Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 Records management Preventive
    Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 Records management Preventive
    Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 Records management Preventive
    Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 Records management Preventive
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Privacy protection for information and data Preventive
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [The organization should identify and document all parties with whom patient data is exchanged and contractual agreements should be made with these parties regulating access and privileges, prior to exchange of patient data. § 9.1.1 Health-specific control ¶ 5]
    Third Party and supply chain oversight Preventive
  • Communicate
    13
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 Leadership and high level objectives Preventive
    Notify interested personnel when user accounts are added or deleted. CC ID 14327 Technical security Detective
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Human Resources management Preventive
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Human Resources management Preventive
    Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 Human Resources management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739
    [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control
    In addition to implementing the control given by ISO/IEC 27002, all organizations processing personal health information shall ensure that information security education and training are provided on induction and, that regular updates in organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information. § 7.2.2 Health-specific control ¶ 1]
    Operational management Preventive
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Operational management Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Operational management Preventive
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Operational management Corrective
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Operational management Preventive
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Privacy protection for information and data Preventive
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990
    [Organizations should inform the subject of care whenever lack of availability of health information systems may have adversely affected their care. § 16.1.2 Health-specific controls ¶ 4]
    Privacy protection for information and data Corrective
    Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989
    [Organizations should inform the subject of care whenever personal health information has been unintentionally disclosed. § 16.1.2 Health-specific controls ¶ 3]
    Privacy protection for information and data Corrective
  • Configuration
    23
    Match user accounts to authorized parties. CC ID 12126 Technical security Detective
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Technical security Preventive
    Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 Technical security Preventive
    Limit superuser accounts to designated System Administrators. CC ID 06766 Technical security Preventive
    Implement two-factor authentication techniques. CC ID 00561
    [{multifactor authentication} Health information systems processing personal health information shall authenticate users and should do so by means of authentication involving at least two factors. § 9.4.1 Health-specific control ¶ 1]
    Technical security Preventive
    Install security and protection software on all systems. CC ID 00575
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. § 12.2.1 Health-specific control]
    Technical security Preventive
    Encrypt backup data. CC ID 00958
    [To protect its confidentiality, personal health information should be backed up in an encrypted format. § 12.3.1 Health-specific control ¶ 2]
    Operational and Systems Continuity Preventive
    Deploy software patches. CC ID 07032 Operational management Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Operational management Corrective
    Remove outdated software after software has been updated. CC ID 11792 Operational management Corrective
    Update computer firmware. CC ID 11755 Operational management Corrective
    Update computer firmware to the latest version once upgrade notification has been received. CC ID 06081 Operational management Preventive
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Operational management Corrective
    Establish and maintain a configuration change log. CC ID 08710 Operational management Detective
    Review the configuration change log. CC ID 11754 Operational management Detective
    Configure the time server in accordance with organizational standards. CC ID 06426 System hardening through configuration management Preventive
    Configure the time server to synchronize with specifically designated hosts. CC ID 06427
    [Health information systems supporting time-critical-shared care activities shall provide time synchronization services to support tracing and reconstitution of activity timelines where required. § 12.4.4 Health-specific control]
    System hardening through configuration management Preventive
    Implement electronic storage media integrity controls. CC ID 00946 Records management Preventive
    Automate electronic storage media integrity check controls. CC ID 00948 Records management Preventive
    Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 Records management Preventive
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Privacy protection for information and data Preventive
    Store payment card data in secure chips, if possible. CC ID 13065 Privacy protection for information and data Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Privacy protection for information and data Preventive
  • Data and Information Management
    53
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Leadership and high level objectives Preventive
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Leadership and high level objectives Preventive
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Leadership and high level objectives Preventive
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Leadership and high level objectives Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Leadership and high level objectives Preventive
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Leadership and high level objectives Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Leadership and high level objectives Preventive
    Classify the value of information in the information classification standard. CC ID 11995 Leadership and high level objectives Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Leadership and high level objectives Preventive
    Define the scope of the security policy. CC ID 07145 Leadership and high level objectives Preventive
    Overwrite the oldest records when audit logging fails. CC ID 14308 Monitoring and measurement Preventive
    Enforce access restrictions for restricted data. CC ID 01921
    [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: § 9.1.1 Health-specific control ¶ 1]
    Technical security Preventive
    Deny access to restricted data or restricted information when an individual is terminated. CC ID 01309 Technical security Corrective
    Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289
    [{processing architecture} Access to information and application system functions related to the processing of personal health information should be isolated from (and separate to) access to information processing infrastructure that is unrelated to the processing of personal health information. § 9.4.1 Health-specific control ¶ 2]
    Technical security Preventive
    Constrain the information flow of restricted data or restricted information. CC ID 06763 Technical security Preventive
    Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453
    [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when there is a need for specific data to support this activity. § 9.1.1 Health-specific control ¶ 1(c)]
    Technical security Preventive
    Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 Technical security Preventive
    Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 Technical security Preventive
    Store backup media at an off-site electronic media storage facility. CC ID 01332
    [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1]
    Operational and Systems Continuity Preventive
    Transport backup media in lockable electronic media storage containers. CC ID 01264 Operational and Systems Continuity Preventive
    Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 Operational and Systems Continuity Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Preventive
    Identify the sender in all electronic messages. CC ID 13996 Operational management Preventive
    Record software license information for each asset in the asset inventory. CC ID 11736 Operational management Preventive
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Operational management Preventive
    Approve tested change requests. CC ID 11783 Operational management Preventive
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Operational management Preventive
    Update the system's backup procedures after an approved change has occurred. CC ID 04498 Operational management Preventive
    Remove non-public information from publicly accessible systems. CC ID 14246 Records management Corrective
    Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 Records management Detective
    Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 Records management Detective
    Label restricted storage media appropriately. CC ID 00966 Records management Preventive
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Records management Preventive
    Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 Records management Preventive
    Establish and maintain a personal data transparency and openness program. CC ID 00375 Privacy protection for information and data Preventive
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 Privacy protection for information and data Preventive
    Dispose of media and personal data in a timely manner. CC ID 00125
    [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control
    In addition to implementing the control given by ISO/IEC 27002, organizations processing health information applications shall securely erase or else destroy all media containing health information application software or personal health information when the media are no longer required for use. § 11.2.7 Health-specific control
    In addition to implementing the control given by ISO/IEC 27002, all personal health information shall be securely erased or else the media destroyed when no longer required for use. § 8.3.2 Health-specific control]
    Privacy protection for information and data Preventive
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207
    [Health information systems processing personal health information shall provide personally identifying information to assist health professionals in confirming that the electronic health record retrieved matches the subject of care under treatment. § 14.1.1.2 Health-specific control
    Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when a healthcare relationship exists between the user and the data subject (the subject of care whose personal health information is being accessed); § 9.1.1 Health-specific control ¶ 1(a)]
    Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209
    [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when the user is carrying out an activity on behalf of the data subject; § 9.1.1 Health-specific control ¶ 1(b)]
    Privacy protection for information and data Preventive
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Privacy protection for information and data Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Privacy protection for information and data Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Privacy protection for information and data Preventive
    Limit data leakage. CC ID 00356 Privacy protection for information and data Preventive
    Establish and maintain suspicious personal data procedures. CC ID 04853 Privacy protection for information and data Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Privacy protection for information and data Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Privacy protection for information and data Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Privacy protection for information and data Detective
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Privacy protection for information and data Preventive
    Change or destroy any personal data that is incorrect. CC ID 00462
    [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control]
    Privacy protection for information and data Corrective
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Privacy protection for information and data Preventive
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Privacy protection for information and data Corrective
  • Establish Roles
    40
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Leadership and high level objectives Preventive
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284 Leadership and high level objectives Preventive
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Leadership and high level objectives Preventive
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Technical security Preventive
    Establish and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Preventive
    Assign roles and responsibilities for physical security, as necessary. CC ID 13113 Human Resources management Preventive
    Identify and define all key Information Technology roles. CC ID 00777 Human Resources management Preventive
    Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 Human Resources management Preventive
    Assign the role of security management to applicable controls. CC ID 06444 Human Resources management Preventive
    Define and assign the data controller's roles and responsibilities. CC ID 00471 Human Resources management Preventive
    Assign the role of data controller to applicable controls. CC ID 00354 Human Resources management Preventive
    Assign the role of data controller to additional personnel, as necessary. CC ID 00473 Human Resources management Preventive
    Assign the role of Information Technology operations to applicable controls. CC ID 00682 Human Resources management Preventive
    Assign the role of logical access control to applicable controls. CC ID 00772 Human Resources management Preventive
    Assign the role of asset physical security to applicable controls. CC ID 00770 Human Resources management Preventive
    Assign the role of data custodian to applicable controls. CC ID 04789 Human Resources management Preventive
    Assign the role of the Quality Management committee to applicable controls. CC ID 00769 Human Resources management Preventive
    Assign interested personnel to the Quality Management committee. CC ID 07193 Human Resources management Preventive
    Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 Human Resources management Preventive
    Assign the role of fire protection management to applicable controls. CC ID 04891 Human Resources management Preventive
    Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 Human Resources management Preventive
    Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 Human Resources management Preventive
    Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 Human Resources management Preventive
    Assign security clearance procedures to qualified personnel. CC ID 06812 Human Resources management Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Human Resources management Preventive
    Establish and maintain the Information Technology staff structure in line with the Strategic Information Technology Plan. CC ID 00764 Human Resources management Preventive
    Document and communicate role descriptions to all applicable personnel. CC ID 00776
    [In addition to the control given by ISO/IEC 27002, all organizations whose staff members are involved in processing personal health information should document such involvement in relevant job descriptions. Security roles and responsibilities, as laid down in the organization's information security policy, should also be documented in relevant job descriptions. § 7.1.2 Health-specific control ¶ 1]
    Human Resources management Detective
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Operational management Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652
    [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: § 16.1.2 Health-specific controls ¶ 1]
    Operational management Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Operational management Preventive
    Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 Operational management Preventive
    Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 Operational management Preventive
    Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 Operational management Preventive
    Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 Operational management Preventive
    Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 Operational management Preventive
    Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 Operational management Preventive
    Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 Operational management Preventive
    Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 Operational management Preventive
    Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 Operational management Preventive
    Process personal data lawfully and carefully. CC ID 00086 Privacy protection for information and data Preventive
  • Establish/Maintain Documentation
    297
    Establish, implement, and maintain an information classification standard. CC ID 00601
    [{confidential information} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should uniformly classify such data as confidential. § 8.2.1 Health-specific control]
    Leadership and high level objectives Preventive
    Update the information classification standard regularly or when new threats are discovered. CC ID 07048 Leadership and high level objectives Corrective
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241
    [A formal scope statement shall be produced that defines the boundary of compliance activity in terms of people, processes, places, platforms and applications. § 6.1.1 Health-specific control ¶ 4]
    Leadership and high level objectives Preventive
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Leadership and high level objectives Preventive
    Correlate Information Systems with applicable controls. CC ID 01621 Leadership and high level objectives Preventive
    Establish and maintain an organizational policy and procedure management program. CC ID 06285 Leadership and high level objectives Preventive
    Include the effective date on all organizational policies. CC ID 06820 Leadership and high level objectives Preventive
    Analyze organizational policies, as necessary. CC ID 14037 Leadership and high level objectives Detective
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 Leadership and high level objectives Preventive
    Include threats in the organization’s policies, standards, and procedures. CC ID 12953 Leadership and high level objectives Preventive
    Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 Leadership and high level objectives Preventive
    Establish and maintain a list of compliance documents. CC ID 07113 Leadership and high level objectives Preventive
    Map in scope assets and in scope records to external requirements. CC ID 12189 Leadership and high level objectives Detective
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 Leadership and high level objectives Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 Leadership and high level objectives Preventive
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Leadership and high level objectives Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Leadership and high level objectives Preventive
    Publish and disseminate and communicate an annual Statement on Internal Control. CC ID 06727 Leadership and high level objectives Preventive
    Include confirmation of any significant weaknesses in the annual Statement on Internal Control. CC ID 06861 Leadership and high level objectives Preventive
    Include an assurance statement regarding the organization's counterterror protective security plan in the annual Statement on Internal Control. CC ID 06866 Leadership and high level objectives Preventive
    Include the counterterror protective security plan test results in the annual Statement on Internal Control. CC ID 06867 Leadership and high level objectives Detective
    Approve all compliance documents. CC ID 06286 Leadership and high level objectives Preventive
    Align the list of compliance documents with applicable laws, regulations, and contractual obligations. CC ID 06288 Leadership and high level objectives Preventive
    Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 Leadership and high level objectives Preventive
    Establish and maintain a Compliance Exception standard for compliance exceptions. CC ID 01628 Leadership and high level objectives Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Leadership and high level objectives Preventive
    Document compliance exceptions, as necessary. CC ID 01630 Leadership and high level objectives Detective
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 Leadership and high level objectives Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Leadership and high level objectives Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Leadership and high level objectives Preventive
    Establish and maintain a risk management program. CC ID 12051 Audits and risk management Preventive
    Establish and maintain the risk assessment framework. CC ID 00685 Audits and risk management Preventive
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 Audits and risk management Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 Audits and risk management Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Audits and risk management Detective
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Monitoring and measurement Corrective
    Establish and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Preventive
    Establish and maintain a log management program. CC ID 00673 Monitoring and measurement Preventive
    Identify and communicate improvements in metrics reporting. CC ID 06921 Monitoring and measurement Corrective
    Establish and maintain an access control program. CC ID 11702 Technical security Preventive
    Establish, implement, and maintain access control policies. CC ID 00512
    [Organizations processing personal health information shall have an access control policy governing access to these data. § 9.1.1 Health-specific control ¶ 2
    {external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4
    The organization's policy on access control should be established on the basis of predefined roles with associated authorities which are consistent with, but limited to, the needs of that role. § 9.1.1 Health-specific control ¶ 3]
    Technical security Preventive
    Include compliance requirements in the access control policy. CC ID 14006 Technical security Preventive
    Include coordination amongst entities in the access control policy. CC ID 14005 Technical security Preventive
    Include management commitment in the access control policy. CC ID 14004 Technical security Preventive
    Include roles and responsibilities in the access control policy. CC ID 14003 Technical security Preventive
    Include the scope in the access control policy. CC ID 14002 Technical security Preventive
    Include the purpose in the access control policy. CC ID 14001 Technical security Preventive
    Establish and maintain an instant messaging and chat system usage policy. CC ID 11815 Technical security Preventive
    Disseminate and communicate the Access Control policies to all interested personnel and affected parties. CC ID 10061 Technical security Preventive
    Establish and maintain an access rights management plan. CC ID 00513 Technical security Preventive
    Establish, implement, and maintain an authority for access authorization list. CC ID 06782 Technical security Preventive
    Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 Technical security Preventive
    Establish and maintain access control procedures. CC ID 11663 Technical security Preventive
    Establish and maintain a Boundary Defense program. CC ID 00544 Technical security Preventive
    Establish and maintain information flow control configuration standards. CC ID 01924 Technical security Preventive
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 Technical security Preventive
    Establish and maintain information flow procedures. CC ID 04542
    [{external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4]
    Technical security Preventive
    Establish, implement, and maintain a malicious code protection program. CC ID 00574 Technical security Preventive
    Establish and maintain a physical security program. CC ID 11757 Physical and environmental protection Preventive
    Establish and maintain a facility physical security program. CC ID 00711 Physical and environmental protection Preventive
    Identify and document physical access controls for all physical entry points. CC ID 01637 Physical and environmental protection Preventive
    Define and implement access procedures for all organizational facilities and controlled access areas. CC ID 13629 Physical and environmental protection Preventive
    Establish and maintain a visitor access permissions policy. CC ID 06699 Physical and environmental protection Preventive
    Escort visitors within the facility, as necessary. CC ID 06417 Physical and environmental protection Preventive
    Establish and maintain procedures for changing a visitor's access requirements. CC ID 12048 Physical and environmental protection Preventive
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Physical and environmental protection Preventive
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Physical and environmental protection Preventive
    Review facility access lists. CC ID 01251 Physical and environmental protection Detective
    Establish and maintain physical identification procedures. CC ID 00713 Physical and environmental protection Preventive
    Document all lost badges in a lost badge list. CC ID 12448 Physical and environmental protection Corrective
    Establish and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Physical and environmental protection Preventive
    Include error handling controls in identification issuance procedures. CC ID 13709 Physical and environmental protection Preventive
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Physical and environmental protection Preventive
    Establish and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Physical and environmental protection Preventive
    Establish and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Physical and environmental protection Preventive
    Establish and maintain identification mechanism termination procedures. CC ID 06306 Physical and environmental protection Preventive
    Establish and maintain Information Technology asset removal procedures. CC ID 04540 Physical and environmental protection Preventive
    Establish and maintain asset return procedures. CC ID 04537 Physical and environmental protection Preventive
    Establish and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Preventive
    Establish and maintain system continuity plan strategies for all in scope systems. CC ID 00735 Operational and Systems Continuity Preventive
    Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 Operational and Systems Continuity Preventive
    Define and assign the security staff roles and responsibilities. CC ID 11750
    [At a minimum, at least one individual shall be responsible for health information security within the organization. § 6.1.1 Health-specific control ¶ 2]
    Human Resources management Preventive
    Establish and maintain a personnel management program. CC ID 14018 Human Resources management Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Preventive
    Establish and maintain personnel screening procedures. CC ID 11700 Human Resources management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Human Resources management Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Human Resources management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Human Resources management Preventive
    Document the personnel risk assessment results. CC ID 11764 Human Resources management Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Human Resources management Preventive
    Document the security clearance procedure results. CC ID 01635 Human Resources management Detective
    Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 Human Resources management Preventive
    Establish and implement training plans. CC ID 00828 Human Resources management Preventive
    Establish and maintain a security awareness program. CC ID 11746
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. § 12.2.1 Health-specific control]
    Human Resources management Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Human Resources management Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Human Resources management Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Human Resources management Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Human Resources management Preventive
    Review and update the security awareness and training procedures, as necessary. CC ID 14140 Human Resources management Corrective
    Review and update the security awareness and training policy, as necessary. CC ID 14050 Human Resources management Corrective
    Include management commitment in the security awareness and training policy. CC ID 14049 Human Resources management Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Human Resources management Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Human Resources management Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Human Resources management Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Human Resources management Preventive
    Document security awareness requirements. CC ID 12146 Human Resources management Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Human Resources management Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Human Resources management Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Human Resources management Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Human Resources management Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800
    [In addition to implementing the control given by ISO/IEC 27002, all organizations processing personal health information shall ensure that information security education and training are provided on induction and that regular updates in organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information. § 7.2.2 Health-specific control ¶ 1]
    Human Resources management Preventive
    Include remote access in the security awareness program. CC ID 13892 Human Resources management Preventive
    Document the goals of the security awareness program. CC ID 12145 Human Resources management Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Human Resources management Preventive
    Document the scope of the security awareness program. CC ID 12148 Human Resources management Preventive
    Establish and maintain a security awareness baseline. CC ID 12147 Human Resources management Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Human Resources management Preventive
    Establish and maintain a Code of Conduct as a part of the Terms and Conditions of employment. CC ID 04897 Human Resources management Preventive
    Establish and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Preventive
    Establish and maintain an information security program. CC ID 00812
    [have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. § 6.1.1 Health-specific control ¶ 1(b)]
    Operational management Preventive
    Include physical safeguards in the information security program. CC ID 12375 Operational management Preventive
    Include technical safeguards in the information security program. CC ID 12374 Operational management Preventive
    Include administrative safeguards in the information security program. CC ID 12373 Operational management Preventive
    Include system development in the information security program. CC ID 12389 Operational management Preventive
    Include system maintenance in the information security program. CC ID 12388 Operational management Preventive
    Include system acquisition in the information security program. CC ID 12387 Operational management Preventive
    Include access control in the information security program. CC ID 12386 Operational management Preventive
    Include operations management in the information security program. CC ID 12385 Operational management Preventive
    Include communication management in the information security program. CC ID 12384 Operational management Preventive
    Include environmental security in the information security program. CC ID 12383 Operational management Preventive
    Include physical security in the information security program. CC ID 12382 Operational management Preventive
    Include human resources security in the information security program. CC ID 12381 Operational management Preventive
    Include asset management in the information security program. CC ID 12380 Operational management Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Operational management Preventive
    Include how the information security department is organized in the information security program. CC ID 12379 Operational management Preventive
    Include risk management in the information security program. CC ID 12378 Operational management Preventive
    Include mitigating supply chain risks in the Information Security Program. CC ID 13352 Operational management Preventive
    Establish and maintain an information security policy. CC ID 11740
    [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control]
    Operational management Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Preventive
    Include information security objectives in the information security policy. CC ID 13493 Operational management Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Preventive
    Review and update the information security policy, as necessary. CC ID 11741
    [{ongoing basis} The health organization's information security policy should be subject to ongoing, staged review, such that the totality of the policy is addressed at least annually. The policy should be reviewed after the occurrence of a serious security incident. § 5.1.2 Health-specific control]
    Operational management Corrective
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885
    [clearly define and assign information security responsibilities; § 6.1.1 Health-specific control ¶ 1(a)]
    Operational management Preventive
    Establish and maintain a social media governance program. CC ID 06536 Operational management Preventive
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Operational management Preventive
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Operational management Preventive
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Operational management Preventive
    Establish and maintain operational control procedures. CC ID 00831 Operational management Preventive
    Include assigning and approving operations in operational control procedures. CC ID 06382 Operational management Preventive
    Include startup processes in operational control procedures. CC ID 00833 Operational management Preventive
    Review and update the operational control procedures, as necessary. CC ID 14278 Operational management Corrective
    Establish and maintain a data processing run manual. CC ID 00832 Operational management Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Operational management Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Operational management Corrective
    Establish and maintain a job scheduling methodology. CC ID 00834 Operational management Preventive
    Establish and maintain a job schedule exceptions list. CC ID 00835 Operational management Preventive
    Establish and maintain a data processing continuity plan. CC ID 00836 Operational management Preventive
    Establish and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Operational management Preventive
    Establish and maintain an Acceptable Use Policy. CC ID 01350
    [{health information asset} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: have rules for acceptable use of these assets that are identified, documented and implemented. § 8.1.1 Health-specific control ¶ 1(c)]
    Operational management Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall ensure that any use, outside its premises, of medical devices that record or report data has been authorized. This should include equipment used by remote workers, even where such usage is perpetual (i.e. where it forms a core feature of the employee's role, such as for ambulance personnel, therapists, etc.) § 11.2.6 Health-specific control]
    Operational management Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the acceptable use policy. CC ID 11894 Operational management Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Operational management Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Operational management Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Operational management Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Operational management Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Operational management Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Preventive
    Include prohibiting copying or moving of restricted data from its original source onto local hard drives or removable storage media in the acceptable use policy. CC ID 11893 Operational management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Operational management Preventive
    Include appropriate network locations for each technology in the acceptable use policy. CC ID 11881 Operational management Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Operational management Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Operational management Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Operational management Corrective
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Operational management Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Operational management Preventive
    Review and update the acceptable use policy, as necessary. CC ID 14276 Operational management Corrective
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Operational management Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Operational management Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Operational management Preventive
    Establish and maintain Intellectual Property Rights protection procedures. CC ID 11512 Operational management Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Operational management Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Operational management Preventive
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Operational management Preventive
    Establish and maintain nondisclosure agreements. CC ID 04536
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall have a confidentiality agreement in place that specifies the confidential nature of this information. The agreement shall be applicable to all personnel accessing health information. § 13.2.4 Health-specific control]
    Operational management Preventive
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Operational management Preventive
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Operational management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Operational management Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Operational management Preventive
    Include the software version for applicable assets in the asset inventory. CC ID 12196 Operational management Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Operational management Preventive
    Include authentication systems in the asset inventory. CC ID 13724 Operational management Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Operational management Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Operational management Preventive
    Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 Operational management Preventive
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Operational management Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Operational management Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Operational management Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Operational management Preventive
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Operational management Preventive
    Record the department associated with the asset in the asset inventory. CC ID 12084 Operational management Preventive
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Operational management Preventive
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Operational management Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Operational management Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Operational management Preventive
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Operational management Preventive
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Operational management Preventive
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Operational management Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Operational management Preventive
    Record all changes to assets in the asset inventory database. CC ID 12190 Operational management Preventive
    Include cloud service derived data in the asset inventory database. CC ID 13007 Operational management Preventive
    Include cloud service customer data in the asset inventory database, as necessary. CC ID 13006 Operational management Preventive
    Establish and maintain a customer service program. CC ID 00846 Operational management Preventive
    Include incident escalation procedures in the Incident Management program. CC ID 00856
    [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to ensure that there is an effective and prioritized escalation path for incidents, such that crisis management and business continuity management plans can be invoked in the right circumstances and at the right time; § 16.1.2 Health-specific controls ¶ 1(b)]
    Operational management Preventive
    Include intrusion detection procedures in the Incident Management program. CC ID 00588 Operational management Preventive
    Include incident management procedures in the Incident Management program. CC ID 12689
    [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: § 16.1.2 Health-specific controls ¶ 1]
    Operational management Preventive
    Include temporary and emergency access authorization procedures in the Incident Management program. CC ID 00858 Operational management Corrective
    Establish and maintain an Incident Response program. CC ID 00579 Operational management Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Operational management Preventive
    Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 Operational management Preventive
    Establish and maintain incident response procedures. CC ID 01206
    [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to ensure effective and timely response to security incidents; § 16.1.2 Health-specific controls ¶ 1(a)]
    Operational management Detective
    Include references to industry best practices in the incident response procedures. CC ID 11956 Operational management Preventive
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 Operational management Preventive
    Establish and maintain a change control program. CC ID 00886
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure the appropriate control of host applications and systems and continuity of patient care. § 12.1.2 Health-specific control]
    Operational management Preventive
    Include potential consequences of unintended changes in the change control program. CC ID 12243 Operational management Preventive
    Include version control in the change control program. CC ID 13119 Operational management Preventive
    Include service design and transition in the change control program. CC ID 13920 Operational management Preventive
    Establish and maintain a back-out plan. CC ID 13623 Operational management Preventive
    Establish back-out procedures for each proposed change in a change request. CC ID 00373 Operational management Preventive
    Review and approve back-out plans, as necessary. CC ID 13627 Operational management Corrective
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942 Operational management Preventive
    Establish and maintain a change request approver list. CC ID 06795 Operational management Preventive
    Document all change requests in change request forms. CC ID 06794 Operational management Preventive
    Establish and maintain emergency change procedures. CC ID 00890 Operational management Preventive
    Log emergency changes after they have been performed. CC ID 12733 Operational management Preventive
    Provide audit trails for all approved changes. CC ID 13120 Operational management Preventive
    Document the sources of all software updates. CC ID 13316 Operational management Preventive
    Establish and maintain a patch log. CC ID 01642 Operational management Preventive
    Establish and maintain a software release policy. CC ID 00893 Operational management Preventive
    Establish and maintain approved change acceptance testing procedures. CC ID 06391 Operational management Detective
    Establish and maintain a change acceptance testing log. CC ID 06392 Operational management Corrective
    Update associated documentation after the system configuration has been changed. CC ID 00891 Operational management Preventive
    Document approved configuration deviations. CC ID 08711 Operational management Corrective
    Establish and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Preventive
    Establish and maintain records management policies used to manage organizational records. CC ID 00903 Records management Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Detective
    Establish and maintain a data retention program. CC ID 00906 Records management Detective
    Establish and maintain records management procedures used to manage organizational records. CC ID 11619
    [Health information systems processing personal health information: shall be capable of merging duplicate or multiple records if it is determined that multiple records for the same subject of care have been created unintentionally or during a medical emergency. § 14.1.1.1 Health-specific control ¶ 1(b)]
    Records management Preventive
    Log the number of routine items received into the recordkeeping system. CC ID 11701 Records management Preventive
    Include record integrity techniques in the Records Management procedures. CC ID 06418
    [The integrity of publicly available health information should be protected to prevent unauthorized modification. § 14.1.3.1 Health-specific controls ¶ 2]
    Records management Preventive
    Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 Records management Preventive
    Establish and maintain electronic storage media management procedures. CC ID 00931 Records management Preventive
    Establish and maintain storage media and record security label procedures. CC ID 06747 Records management Preventive
    Establish and maintain restricted material identification procedures. CC ID 01889 Records management Preventive
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Records management Preventive
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Records management Preventive
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Records management Preventive
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Records management Preventive
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Records management Preventive
    Establish the minimum originator requirements for security labels. CC ID 06579 Records management Preventive
    Establish the minimum intermediate system requirements for security labels. CC ID 06581 Records management Preventive
    Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 Records management Preventive
    Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 Records management Preventive
    Establish and maintain a records lifecycle management program. CC ID 00951 Records management Preventive
    Establish and maintain information preservation procedures. CC ID 06277 Records management Preventive
    Establish and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 Records management Preventive
    Provide audit trails for all pertinent records. CC ID 00372 Records management Detective
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 Records management Preventive
    Include the date and time in the removable storage media log. CC ID 12318 Records management Preventive
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 Records management Preventive
    Record the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Records management Preventive
    Record the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Records management Preventive
    Record the sender's name in the removable storage media log. CC ID 12752 Records management Preventive
    Record the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Records management Preventive
    Include the reason for transfer in the removable storage media log. CC ID 12316 Records management Preventive
    Document all actions taken when downgrading electronic storage media. CC ID 10622 Records management Preventive
    Specify appropriate tools for the system development project. CC ID 06830 Systems design, build, and implementation Preventive
    Establish and maintain a system implementation standard. CC ID 01111 Systems design, build, and implementation Preventive
    Establish and maintain implementation plans. CC ID 01114
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those health information systems. Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s). § 12.1.4 Health-specific control]
    Systems design, build, and implementation Preventive
    Review and approve implementation plans, as necessary. CC ID 13628 Systems design, build, and implementation Corrective
    Establish and maintain facilities, assets, and services acceptance procedures. CC ID 01144
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. § 14.2.9 Health-specific control ¶ 1]
    Acquisition or sale of facilities, technology, and services Preventive
    Establish and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Privacy protection for information and data Preventive
    Include individual's names to whom personal data may be disclosed in the disclosure accounting record. CC ID 13027
    [The organization should identify and document all parties with whom patient data is exchanged and contractual agreements should be made with these parties regulating access and privileges, prior to exchange of patient data. § 9.1.1 Health-specific control ¶ 5]
    Privacy protection for information and data Preventive
    Establish and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Privacy protection for information and data Preventive
    Establish and maintain personal data use limitation procedures. CC ID 00128 Privacy protection for information and data Preventive
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Privacy protection for information and data Preventive
    Establish and maintain a data handling program. CC ID 13427 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Preventive
    Establish and maintain data and information confidentiality policies. CC ID 00361
    [{confidential information} All health information systems processing personal health information should inform users of the confidentiality of personal health information accessible from the system (e.g. at start-up or log-in) and should label hardcopy output as confidential when it contains personal health information. § 8.2.2 Health-specific control]
    Privacy protection for information and data Preventive
    Establish and maintain suspicious document procedures. CC ID 04852 Privacy protection for information and data Detective
    Establish and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Preventive
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Third Party and supply chain oversight Preventive
    Include risk management procedures in the supply chain management policy. CC ID 08811 Third Party and supply chain oversight Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level of risk and to the technologies employed. § 15.1.1 Health-specific control]
    Third Party and supply chain oversight Preventive
  • Human Resources Management
    45
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Change access codes after personnel status changes. CC ID 12284 Technical security Preventive
    Assign roles and responsibilities for administering user account management. CC ID 11900 Technical security Preventive
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Physical and environmental protection Preventive
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Physical and environmental protection Preventive
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Physical and environmental protection Preventive
    Establish and maintain an Information Technology steering committee. CC ID 12706 Human Resources management Preventive
    Convene the Information Technology steering committee, as necessary. CC ID 12730
    [The health information security forum shall meet regularly, on a monthly or near-to-monthly basis. (Typically, it is most effective to meet at the mid-point between the meetings of the governance body into which the forum reports. This allows emergency matters to be taken to a suitable meeting within a short period.) § 6.1.1 Health-specific control ¶ 3]
    Human Resources management Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267
    [Special attention needs to be placed upon the roles and responsibilities of temporary or short-term staff such as locums, students, interns, etc. § 7.1.2 Health-specific control ¶ 2]
    Human Resources management Preventive
    Establish and maintain cybersecurity roles and responsibilities. CC ID 13201 Human Resources management Preventive
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 Human Resources management Preventive
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources management Preventive
    Assign the roles and responsibilities for the change control program. CC ID 13118 Human Resources management Preventive
    Assign responsibility for cyber threat intelligence. CC ID 12746 Human Resources management Preventive
    Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 Human Resources management Preventive
    Define and assign the data processor's roles and responsibilities. CC ID 12607 Human Resources management Preventive
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 Human Resources management Preventive
    Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 Human Resources management Preventive
    Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 Human Resources management Preventive
    Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 Human Resources management Preventive
    Assign the role of data controller to provide advice, when requested. CC ID 12611 Human Resources management Preventive
    Assign the roles and responsibilities of security guards. CC ID 12543 Human Resources management Preventive
    Define and assign roles and responsibilities for dispute resolution. CC ID 13626 Human Resources management Preventive
    Define and assign the roles for Legal Support Workers. CC ID 13711 Human Resources management Preventive
    Perform security skills assessments for all critical employees. CC ID 12102
    [When an individual is hired for a specific information security role, organizations should make sure the candidate: can be trusted to take the role, especially if the role is critical for the organization. § 7.1.1 Health-specific controls ¶ 3(b)]
    Human Resources management Detective
    Perform a background check during personnel screening. CC ID 11758 Human Resources management Detective
    Perform a personal identification check during personnel screening. CC ID 06721
    [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1]
    Human Resources management Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources management Preventive
    Perform a resume check during personnel screening. CC ID 06659
    [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1
    Background verification checks on all candidates for employment should include a verification of applicable health professional qualifications, where such qualifications are professionally accredited (e.g. physicians, nurses, etc.) § 7.1.1 Health-specific controls ¶ 2]
    Human Resources management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources management Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources management Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources management Preventive
    Update security clearances, as necessary. CC ID 01634 Human Resources management Preventive
    Include a space for previous addresses and previous residences on the job application. CC ID 12302
    [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1]
    Human Resources management Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources management Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources management Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Operational management Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Operational management Preventive
    Review nondisclosure agreements on a regular basis. CC ID 12437 Operational management Preventive
    Assign an information owner to organizational assets, as necessary. CC ID 12729
    [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: have a designated custodian of these health information assets (see 8.1.2); § 8.1.1 Health-specific control ¶ 1(b)
    The source (authorship) of publicly available health information should be stated and its integrity should be protected. § 14.1.3.1 Health-specific controls ¶ 3]
    Operational management Preventive
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344
    [{establish}{ownership} Assets maintained in the inventory should be owned. § 8.1.2 Control ¶ 2]
    Operational management Preventive
    Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 Operational management Preventive
  • IT Impact Zone
    14
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Investigate
    7
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Audits and risk management Detective
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Audits and risk management Preventive
    Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 Monitoring and measurement Corrective
    Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 Operational management Detective
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Operational management Detective
    Collect data about the network environment when certifying the network. CC ID 13125 Operational management Detective
    Perform an identity check prior to approving an account change request. CC ID 13670 Privacy protection for information and data Detective
  • Log Management
    37
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Detective
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643
    [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to collect and preserve incident-related audit logs and other relevant evidence. § 16.1.2 Health-specific controls ¶ 1(c)]
    Monitoring and measurement Preventive
    Protect the event logs from failure. CC ID 06290 Monitoring and measurement Preventive
    Review event logs, Intrusion Detection System reports, security incident tracking reports, and other security logs regularly. CC ID 00596 Monitoring and measurement Detective
    Eliminate false positives in event logs, intrusion detection system reports, security incident tracking reports, and other security logs. CC ID 07047 Monitoring and measurement Corrective
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Monitoring and measurement Detective
    Reproduce the event log if a log failure is captured. CC ID 01426 Monitoring and measurement Preventive
    Protect logs from unauthorized activity. CC ID 01345
    [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control]
    Monitoring and measurement Preventive
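    The § 12.4.2 requirement above says audit records must be tamper-proof but does not prescribe a mechanism. One common way to make an audit trail tamper-evident is a hash chain: each record carries the hash of the record before it, and the link is authenticated with a key the log writers do not hold. The following is an added example written for this report, not text or code from ISO 27799 or from the Unified Compliance Framework; the sample events, the `GENESIS` value and the key handling are assumptions made for the demonstration.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample audit events (illustrative only; not taken from ISO 27799).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:12:00Z", "user": "nurse_a", "action": "view", "patient": "P001"},
    {"ts": "2024-03-01T08:14:00Z", "user": "locum_b", "action": "view", "patient": "P002"},
    {"ts": "2024-03-01T08:20:00Z", "user": "nurse_a", "action": "update", "patient": "P001"},
]

GENESIS = "0" * 64  # assumed anchor value that the first entry chains to


def _entry_digest(prev_hash: str, event: dict) -> str:
    """SHA-256 over the previous entry's hash and a canonical JSON form of this event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append_entry(chain: list, event: dict, key: bytes) -> dict:
    """Append one event, linking it to the previous entry and MACing the link with `key`."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    digest = _entry_digest(prev_hash, event)
    mac = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    entry = {"event": event, "prev": prev_hash, "hash": digest, "mac": mac}
    chain.append(entry)
    return entry


def build_chain(events, key: bytes) -> list:
    chain = []
    for ev in events:
        append_entry(chain, ev, key)
    return chain


def verify_chain(chain: list, key: bytes):
    """Return (True, None) if every link checks out, else (False, index_of_first_bad_entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash:
            return False, i  # an entry was removed, reordered or inserted before this one
        expected = _entry_digest(prev_hash, entry["event"])
        if entry["hash"] != expected:
            return False, i  # the event body was edited after it was written
        expected_mac = hmac.new(key, expected.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(entry["mac"], expected_mac):
            return False, i  # hashes were recomputed by someone without the key
        prev_hash = expected
    return True, None


def tamper_demo(key: bytes) -> dict:
    """Show at which index each kind of tampering is caught."""
    good = build_chain(SAMPLE_EVENTS, key)

    edited = copy.deepcopy(good)
    edited[1]["event"]["user"] = "admin"  # rewrite who looked at P002

    deleted = copy.deepcopy(good)
    del deleted[1]  # drop the locum's access entirely

    rehashed = copy.deepcopy(good)
    rehashed[1]["event"]["user"] = "admin"  # edit, then recompute hashes without the key
    prev = rehashed[0]["hash"]
    for entry in rehashed[1:]:
        entry["prev"] = prev
        entry["hash"] = _entry_digest(prev, entry["event"])
        prev = entry["hash"]

    return {
        "intact": verify_chain(good, key),
        "edited": verify_chain(edited, key),
        "deleted": verify_chain(deleted, key),
        "rehashed": verify_chain(rehashed, key),
    }


if __name__ == "__main__":
    for name, result in tamper_demo(b"demo-key-keep-in-an-hsm").items():
        print(f"{name:9s} -> {result}")
```

    The chain catches edits, deletions and reorderings in the middle of the log, and the HMAC stops an attacker who can write to the log from simply recomputing the hashes. Two caveats a practitioner should keep in mind: truncating the tail of the log is invisible to this check unless the latest hash is also recorded somewhere the log writer cannot reach (write-once storage, a separate system, a periodic signed checkpoint), and the MAC key itself is exactly the "system audit tool" whose access § 12.4.2 says must be safeguarded.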
    Preserve the identity of individuals in audit trails. CC ID 10594
    [Health information systems processing personal health information: shall ensure that each subject of care can be uniquely identified within the system; § 14.1.1.1 Health-specific control ¶ 1(a)]
    Monitoring and measurement Preventive
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754
    [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to collect and preserve incident-related audit logs and other relevant evidence. § 16.1.2 Health-specific controls ¶ 1(c)]
    Operational management Corrective
    Log the date and time each item is received into the recordkeeping system. CC ID 11709 Records management Preventive
    Log the date and time in the recordkeeping system each item is made available. CC ID 11710 Records management Preventive
    Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 Records management Preventive
    Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 Records management Preventive
    Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 Records management Preventive
    Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 Records management Preventive
    Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 Records management Preventive
    Log responses to inquiries, annotating the send date for each response. CC ID 11719 Records management Preventive
    Log the number of non-routine items received into the recordkeeping system. CC ID 11706 Records management Preventive
    Log the documentation of determination that items received are not routine. CC ID 11716 Records management Preventive
    Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 Records management Preventive
    Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 Records management Preventive
    Log performance monitoring for the organization. CC ID 11724 Records management Preventive
    Log the number of inquiries pending as of the close of business. CC ID 11728 Records management Preventive
    Log the number of inquiries received but not responded to within the required time frame. CC ID 11727 Records management Preventive
    Log any notices filed by the organization. CC ID 11725 Records management Preventive
    Log telephone responses into a telephone log, annotating the date of each response. CC ID 11723 Records management Preventive
    Log the date each certificate is made available to the presentor. CC ID 11720 Records management Preventive
    Log the number of items not processed within the required time frame. CC ID 11717 Records management Preventive
    Log the appointments and termination of appointments of registered transfer agents. CC ID 11712 Records management Preventive
    Log the number of items processed within the required time frame. CC ID 11715 Records management Preventive
    Log any stop orders or notices of adverse claims. CC ID 11726 Records management Preventive
    Establish and maintain a removable storage media log. CC ID 12317
    [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control]
    Records management Preventive
    Log the disclosure of personal data. CC ID 06628 Privacy protection for information and data Preventive
    Log the modification of personal data. CC ID 11844 Privacy protection for information and data Preventive
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Privacy protection for information and data Detective
    Log dates for account name changes or address changes. CC ID 04876 Privacy protection for information and data Detective
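    CC ID 04874 above asks that account access dates be logged and that a dormant account suddenly becoming active be reported. The detection logic behind that is simple enough to show end to end: record the last activity per account, and when an account reappears after a long gap, look at how much it does in the minutes that follow. The following is an added example written for this report, not text or code from ISO 27799 or from the Unified Compliance Framework; the log format, the account names and the thresholds are assumptions chosen for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed sample access log (illustrative only; format and content are assumptions).
# A locum account goes quiet for over two months, then views and exports records at 2 a.m.
SAMPLE_LOG = """\
2024-01-05T09:01:00Z user=nurse_a action=view_record patient=P001
2024-01-06T09:15:00Z user=nurse_a action=view_record patient=P002
2024-01-06T10:00:00Z user=locum_b action=view_record patient=P003
2024-03-20T02:10:00Z user=locum_b action=view_record patient=P010
2024-03-20T02:11:00Z user=locum_b action=view_record patient=P011
2024-03-20T02:12:00Z user=locum_b action=export_record patient=P012
2024-03-21T09:00:00Z user=nurse_a action=view_record patient=P004
"""


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        k, _, v = field.partition("=")
        event[k] = v
    return event


def find_dormant_reactivations(log_text: str, dormant_days: int = 60,
                               burst_window: timedelta = timedelta(minutes=10),
                               burst_threshold: int = 3) -> list:
    """Flag accounts that are idle for at least `dormant_days` and then act again.

    Each alert records the idle gap and how many events the account produced within
    `burst_window` of waking up; `burst` is True when that count reaches `burst_threshold`.
    """
    events = sorted((parse_line(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])
    last_seen = {}
    alerts = []
    for i, ev in enumerate(events):
        user = ev["user"]
        prev = last_seen.get(user)
        if prev is not None and ev["ts"] - prev >= timedelta(days=dormant_days):
            window_end = ev["ts"] + burst_window
            burst_events = [e for e in events[i:] if e["user"] == user and e["ts"] <= window_end]
            alerts.append({
                "user": user,
                "reactivated_at": ev["ts"].isoformat(),
                "gap_days": (ev["ts"] - prev).days,
                "burst_count": len(burst_events),
                "actions": sorted({e["action"] for e in burst_events}),
                "burst": len(burst_events) >= burst_threshold,
            })
        last_seen[user] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for alert in find_dormant_reactivations(SAMPLE_LOG):
        level = "HIGH" if alert["burst"] else "info"
        print(f"[{level}] {alert['user']} idle {alert['gap_days']}d, "
              f"{alert['burst_count']} events after return: {alert['actions']}")
```

    Both accounts trip the dormancy rule, but only the locum's return is a burst, and it includes an export. In practice the `dormant_days` value should come from the organization's own leaver and temporary-staff process (§ 7.1.2 singles out locums, students and interns), and a reactivation that coincides with a departure date in HR records is the case most worth escalating.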
  • Maintenance
    1
    Separate the production environment from development environment or test environment for the change control process. CC ID 11864 Operational management Preventive
  • Monitor and Evaluate Occurrences
    12
    Analyze organizational objectives, functions, and activities. CC ID 00598 Leadership and high level objectives Preventive
    Enforce information flow control. CC ID 11781 Technical security Preventive
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 Physical and environmental protection Preventive
    Monitor for unauthorized physical access at physical entry points. CC ID 06797 Physical and environmental protection Detective
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Human Resources management Detective
    Monitor and review the effectiveness of the information security program. CC ID 12744 Operational management Preventive
    Establish and maintain online storage monitoring and reporting capabilities. CC ID 00935 Records management Detective
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Privacy protection for information and data Preventive
    Establish and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Privacy protection for information and data Corrective
    Review accounts that are changed for additional user requests. CC ID 11846 Privacy protection for information and data Detective
    Review monitored websites for data leakage. CC ID 10593 Privacy protection for information and data Detective
  • Physical and Environmental Protection
    23
    Control physical access to (and within) the facility. CC ID 01329
    [Organizations processing personal health information should use security perimeters to protect areas that contain information processing facilities supporting such health applications. These secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.1 Health-specific control]
    Physical and environmental protection Preventive
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and environmental protection Preventive
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and environmental protection Detective
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and environmental protection Preventive
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and environmental protection Preventive
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 Physical and environmental protection Corrective
    Issue photo identification badges to all employees. CC ID 12326 Physical and environmental protection Preventive
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and environmental protection Preventive
    Manage visitor identification inside the facility. CC ID 11670 Physical and environmental protection Preventive
    Secure unissued visitor identification badges. CC ID 06712 Physical and environmental protection Preventive
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and environmental protection Preventive
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and environmental protection Preventive
    Enforce dual control for badge assignments. CC ID 12328 Physical and environmental protection Preventive
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and environmental protection Preventive
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and environmental protection Preventive
    Prevent tailgating through physical entry points. CC ID 06685 Physical and environmental protection Preventive
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749
    [Organizations processing personal health information should use security perimeters to protect areas that contain information processing facilities supporting such health applications. These secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.1 Health-specific control]
    Physical and environmental protection Preventive
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and environmental protection Preventive
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and environmental protection Preventive
    Lock all lockable equipment cabinets. CC ID 11673 Physical and environmental protection Detective
    Establish and maintain physical security controls for distributed Information Technology assets. CC ID 00718 Physical and environmental protection Preventive
    Protect distributed Information Technology assets against theft. CC ID 06799 Physical and environmental protection Preventive
    Establish and maintain off-site electronic media storage facilities. CC ID 00957 Operational and Systems Continuity Preventive
  • Process or Activity
    28
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Audits and risk management Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Audits and risk management Detective
    Review the Access Control policies, as necessary. CC ID 06416 Technical security Detective
    Implement physical identification processes. CC ID 13715 Physical and environmental protection Preventive
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Physical and environmental protection Preventive
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Physical and environmental protection Preventive
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Physical and environmental protection Preventive
    Prohibit assets from being taken off-site absent prior authorization. CC ID 12027
    [In addition to implementing the control given by ISO/IEC 27002, organizations providing or using equipment, data or software to support a healthcare application containing personal health information shall not allow such equipment, data, or software to be removed from the site or relocated within it without authorization by the organization. § 11.2.5 Health-specific control]
    Physical and environmental protection Preventive
    Perform backup procedures for in scope systems. CC ID 11692 Operational and Systems Continuity Preventive
    Include all residences in the criminal records check. CC ID 13306 Human Resources management Preventive
    Review and approve access controls, as necessary. CC ID 13074 Operational management Detective
    Provide management direction and support for the information security program. CC ID 11999 Operational management Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737
    [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control]
    Operational management Preventive
    Establish and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747
    [Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. § 7.2.2 Health-specific control ¶ 2]
    Operational management Corrective
    Contain the incident to prevent further loss and preserve the system for forensic analysis. CC ID 01751 Operational management Corrective
    Perform emergency changes, as necessary. CC ID 12707 Operational management Preventive
    Back up emergency changes after the change has been performed. CC ID 12734 Operational management Preventive
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Operational management Detective
    Establish and maintain a patch management program. CC ID 00896 Operational management Preventive
    Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 Records management Detective
    Review the electronic storage media for the information the organization collects and processes. CC ID 13009
    [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control]
    Records management Detective
    Process restricted information in a secure environment. CC ID 13058 Records management Preventive
    Establish and maintain storage media downgrading procedures. CC ID 10619 Records management Preventive
    Identify electronic storage media that require downgrading. CC ID 10620 Records management Detective
    Downgrade electronic storage media, as necessary. CC ID 10621 Records management Corrective
    Authorize new assets prior to putting them into the production environment. CC ID 13530 Acquisition or sale of facilities, technology, and services Preventive
    Search the Internet for evidence of data leakage. CC ID 10419 Privacy protection for information and data Detective
    Formalize client and third party relationships with contracts or nondisclosure agreements, as necessary. CC ID 00794 Third Party and supply chain oversight Detective
  • Records Management
    18
    Include information sharing procedures in standard operating procedures. CC ID 12974 Operational management Preventive
    Archive appropriate records, logs, and database tables. CC ID 06321
    [Publicly available health information (as distinct from personal health information) should be archived. § 14.1.3.1 Health-specific controls ¶ 1]
    Records management Preventive
    Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 Records management Preventive
    Refrain from creating printed records as copies of electronic records. CC ID 11808 Records management Preventive
    Protect records from loss in accordance with applicable requirements. CC ID 12007 Records management Preventive
    Capture the records required by organizational compliance requirements. CC ID 00912 Records management Detective
    Log records as being received into the recordkeeping system. CC ID 11696 Records management Preventive
    Establish and maintain a current transfer journal. CC ID 11729 Records management Preventive
    Provide a receipt of records logged into the recordkeeping system. CC ID 11697 Records management Preventive
    Note, in electronic records converted from printed records, the location of the original. CC ID 11809 Records management Preventive
    Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 Records management Preventive
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420
    [{confidential information} All health information systems processing personal health information should inform users of the confidentiality of personal health information accessible from the system (e.g. at start-up or log-in) and should label hardcopy output as confidential when it contains personal health information. § 8.2.2 Health-specific control]
    Records management Detective
    Establish and maintain access controls for all records. CC ID 00371 Records management Preventive
    Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 Records management Preventive
    Implement and maintain duplicate originals of record indexes. CC ID 00954 Records management Preventive
    Establish and maintain a transparent storage media strategy. CC ID 00932 Records management Preventive
    Establish and maintain security controls appropriate to the record types and electronic storage media in use. CC ID 00943 Records management Preventive
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Privacy protection for information and data Preventive
  • Systems Continuity
    3
    Establish and maintain backup procedures for in scope systems. CC ID 01258 Operational and Systems Continuity Preventive
    Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765
    [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1]
    Operational and Systems Continuity Preventive
    Back up all records. CC ID 11974
    [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1]
    Operational and Systems Continuity Preventive
  • Systems Design, Build, and Implementation
    4
    Validate the system before implementing approved changes. CC ID 01510 Operational management Preventive
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems design, build, and implementation Preventive
    Separate the design and development environment from the production environment. CC ID 06088
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those health information systems. Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s). § 12.1.4 Health-specific control]
    Systems design, build, and implementation Preventive
    Initiate the System Development Life Cycle implementation phase. CC ID 06268 Systems design, build, and implementation Preventive
  • Technical Security
    52
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Monitoring and measurement Detective
    Restrict access to audit trails to a need to know basis. CC ID 11641
    [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control]
    Monitoring and measurement Preventive
    Protect against misusing automated audit tools. CC ID 04547
    [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control]
    Monitoring and measurement Preventive
    Evaluate the information technology products used for metrics. CC ID 11644 Monitoring and measurement Detective
    Identify information system users. CC ID 12081 Technical security Detective
    Review user accounts. CC ID 00525
    [User registration details shall be periodically reviewed to ensure that they are complete, accurate and that access is still required. § 9.2.1 Health-specific control ¶ 2]
    Technical security Detective
    Review each user's access capabilities when their role changes. CC ID 00524 Technical security Preventive
    Control access rights to organizational assets. CC ID 00004 Technical security Preventive
    Establish access rights based on least privilege. CC ID 01411
    [Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will become available to the user. § 9.2.1 Health-specific control ¶ 1]
    Technical security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical security Preventive
    Assign user privileges after they have management sign off. CC ID 00542 Technical security Preventive
    Establish and maintain User Access Management procedures for all systems. CC ID 00514
    [{external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4]
    Technical security Preventive
    Review and approve logical access to all assets based upon organizational policies. CC ID 06641 Technical security Preventive
    Control the addition and modification of user identifiers, user credentials, or other object identifiers. CC ID 00515 Technical security Preventive
    Automate access control methods, as necessary. CC ID 11838 Technical security Preventive
    Automate Access Control Systems, as necessary. CC ID 06854 Technical security Preventive
    Refrain from storing logon credentials for third party applications. CC ID 13690 Technical security Preventive
    Refrain from allowing user access to identifiers and passwords used by applications. CC ID 10048 Technical security Preventive
    Remove inactive user accounts, as necessary. CC ID 00517 Technical security Corrective
    Remove temporary user accounts, as necessary. CC ID 11839 Technical security Corrective
    Terminate user accounts when notified that an individual is terminated. CC ID 11614 Technical security Corrective
    Terminate access rights when notified that an individual is terminated. CC ID 11826
    [All organizations that process personal health information shall, as soon as possible, terminate the user access privileges with respect to such information for any departing permanent or temporary employee, third-party contractor or volunteer upon termination of employment, contracting, or volunteer activities. § 9.2.6 Health-specific control]
    Technical security Corrective
    Use superuser accounts only in emergencies. CC ID 07064 Technical security Preventive
    Include Access Control procedures in the Access Control program. CC ID 00528
    [Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will become available to the user. § 9.2.1 Health-specific control ¶ 1]
    Technical security Preventive
    Implement out-of-band authentication, as necessary. CC ID 10606 Technical security Corrective
    Identify and control all network access controls. CC ID 00529 Technical security Preventive
    Segregate out of scope systems from in scope systems. CC ID 12546 Technical security Preventive
    Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 Technical security Preventive
    Control all methods of remote access and teleworking. CC ID 00559 Technical security Preventive
    Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 Human Resources management Preventive
    Include temporary activation of remote access technologies for third parties in the acceptable use policy. CC ID 11892 Operational management Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Operational management Preventive
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Operational management Detective
    Automatically respond when an integrity violation is detected. CC ID 10678 Operational management Corrective
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Operational management Corrective
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Operational management Corrective
    Integrate configuration management procedures into the change control program. CC ID 13646 Operational management Preventive
    Implement patch management software, as necessary. CC ID 12094 Operational management Preventive
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Operational management Preventive
    Review the patch log for missing patches. CC ID 13186 Operational management Detective
    Patch software. CC ID 11825 Operational management Corrective
    Patch Operating System software. CC ID 11824 Operational management Corrective
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 Operational management Detective
    Establish and maintain electronic storage media security controls. CC ID 13204 Records management Preventive
    Establish and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 Records management Preventive
    Implement and maintain high availability storage, as necessary. CC ID 00952 Records management Preventive
    Establish and maintain online storage controls. CC ID 00942 Records management Preventive
    Provide encryption for different types of electronic storage media. CC ID 00945
    [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control]
    Records management Preventive
    Protect electronic messaging information. CC ID 12022 Privacy protection for information and data Preventive
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Privacy protection for information and data Preventive
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Privacy protection for information and data Preventive
    Implement security measures to protect personal data. CC ID 13606 Privacy protection for information and data Preventive
  • Testing
    34
    Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 Monitoring and measurement Preventive
    Evaluate the measurement process used for metrics. CC ID 06920 Monitoring and measurement Detective
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Physical and environmental protection Preventive
    Implement operational requirements for card readers. CC ID 02225 Physical and environmental protection Preventive
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [When an individual is hired for a specific information security role, organizations should make sure the candidate: has the necessary competence to perform the security role; § 7.1.1 Health-specific controls ¶ 3(a)]
    Human Resources management Detective
    Perform a drug test during personnel screening. CC ID 06648 Human Resources management Preventive
    Implement segregation of duties in roles and responsibilities. CC ID 00774
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information should, where feasible, segregate duties and areas of responsibility in order to reduce opportunities for unauthorized modification or misuse of personal health information. § 6.1.2 Health-specific control]
    Human Resources management Detective
    Open a priority incident request after a security breach is detected. CC ID 04838 Operational management Corrective
    Activate the incident response notification procedures after a security breach is detected. CC ID 04839 Operational management Corrective
    Test proposed changes prior to their approval. CC ID 00548 Operational management Detective
    Perform risk assessments prior to approving change requests. CC ID 00888 Operational management Preventive
    Perform a patch test prior to deploying a patch. CC ID 00898 Operational management Detective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Operational management Detective
    Review changes to computer firmware. CC ID 12226 Operational management Detective
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Operational management Detective
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Operational management Detective
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 Operational management Detective
    Maintain continued integrity for all stored data and stored records. CC ID 00969
    [The source (authorship) of publicly available health information should be stated and its integrity should be protected. § 14.1.3.1 Health-specific controls ¶ 3]
    Records management Detective
    Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 Records management Detective
    Test the storage media downgrade for correct performance. CC ID 10623 Records management Detective
    Evaluate and determine whether or not the newly developed system meets users' system design requirements. CC ID 01120
    [Clinical users should be involved in the testing of clinically relevant system features. § 14.2.9 Health-specific control ¶ 2]
    Systems design, build, and implementation Detective
    Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. § 14.2.9 Health-specific control ¶ 1]
    Acquisition or sale of facilities, technology, and services Detective
    Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741 Acquisition or sale of facilities, technology, and services Detective
    Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742 Acquisition or sale of facilities, technology, and services Detective
    Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743 Acquisition or sale of facilities, technology, and services Detective
    Test new software or upgraded software for security vulnerabilities. CC ID 01898 Acquisition or sale of facilities, technology, and services Detective
    Test new software or upgraded software for compatibility with the current system. CC ID 11654 Acquisition or sale of facilities, technology, and services Detective
    Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655 Acquisition or sale of facilities, technology, and services Detective
    Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899 Acquisition or sale of facilities, technology, and services Detective
    Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744 Acquisition or sale of facilities, technology, and services Detective
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Privacy protection for information and data Detective
    Implement physical controls to protect personal data. CC ID 00355 Privacy protection for information and data Preventive
    Conduct personal data risk assessments. CC ID 00357 Privacy protection for information and data Detective
    Perform a risk assessment prior to engaging a third party. CC ID 06454 Third Party and supply chain oversight Detective
  • Training
    3
    Include updates on emerging issues in the security awareness program. CC ID 13184 Human Resources management Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Human Resources management Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Human Resources management Preventive
Common Controls and mandates by Classification
87 Mandated Controls - bold    107 Implied Controls - italic    580 Implementation

There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
774 Total
  • Corrective
    54
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Update the information classification standard regularly or when new threats are discovered. CC ID 07048 Leadership and high level objectives Establish/Maintain Documentation
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Monitoring and measurement Establish/Maintain Documentation
    Eliminate false positives in event logs, intrusion detection system reports, security incident tracking reports, and other security logs. CC ID 07047 Monitoring and measurement Log Management
    Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 Monitoring and measurement Investigate
    Identify and communicate improvements in metrics reporting. CC ID 06921 Monitoring and measurement Establish/Maintain Documentation
    Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 Technical security Behavior
    Remove inactive user accounts, as necessary. CC ID 00517 Technical security Technical Security
    Remove temporary user accounts, as necessary. CC ID 11839 Technical security Technical Security
    Terminate user accounts when notified that an individual is terminated. CC ID 11614 Technical security Technical Security
    Terminate access rights when notified that an individual is terminated. CC ID 11826
    [All organizations that process personal health information shall, as soon as possible, terminate the user access privileges with respect to such information for any departing permanent or temporary employee, third-party contractor or volunteer upon termination of employment, contracting, or volunteer activities. § 9.2.6 Health-specific control]
    Technical security Technical Security
    Revoke asset access when an individual is terminated. CC ID 00516 Technical security Behavior
    Deny access to restricted data or restricted information when an individual is terminated. CC ID 01309 Technical security Data and Information Management
    Implement out-of-band authentication, as necessary. CC ID 10606 Technical security Technical Security
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 Physical and environmental protection Physical and Environmental Protection
    Document all lost badges in a lost badge list. CC ID 12448 Physical and environmental protection Establish/Maintain Documentation
    Review and update the security awareness and training procedures, as necessary. CC ID 14140 Human Resources management Establish/Maintain Documentation
    Review and update the security awareness and training policy, as necessary. CC ID 14050 Human Resources management Establish/Maintain Documentation
    Implement a sanctions process for personnel who fail to comply with the organizational compliance program. CC ID 01442
    [Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. § 7.2.2 Health-specific control ¶ 2]
    Human Resources management Behavior
    Review and update the information security policy, as necessary. CC ID 11741
    [{ongoing basis} The health organization's information security policy should be subject to ongoing, staged review, such that the totality of the policy is addressed at least annually. The policy should be reviewed after the occurrence of a serious security incident. § 5.1.2 Health-specific control]
    Operational management Establish/Maintain Documentation
    Review and update the operational control procedures, as necessary. CC ID 14278 Operational management Establish/Maintain Documentation
    Update operating procedures that contribute to user errors. CC ID 06935 Operational management Establish/Maintain Documentation
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Operational management Establish/Maintain Documentation
    Review and update the acceptable use policy, as necessary. CC ID 14276 Operational management Establish/Maintain Documentation
    Establish and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747
    [Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. § 7.2.2 Health-specific control ¶ 2]
    Operational management Process or Activity
    Contain the incident to prevent further loss and preserve the system for forensic analysis. CC ID 01751 Operational management Process or Activity
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754
    [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to collect and preserve incident-related audit logs and other relevant evidence. § 16.1.2 Health-specific controls ¶ 1(c)]
    Operational management Log Management
    Include temporary and emergency access authorization procedures in the Incident Management program. CC ID 00858 Operational management Establish/Maintain Documentation
    Open a priority incident request after a security breach is detected. CC ID 04838 Operational management Testing
    Activate the incident response notification procedures after a security breach is detected. CC ID 04839 Operational management Testing
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Operational management Communicate
    Automatically respond when an integrity violation is detected. CC ID 10678 Operational management Technical Security
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Operational management Technical Security
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Operational management Technical Security
    Review and approve back-out plans, as necessary. CC ID 13627 Operational management Establish/Maintain Documentation
    Deploy software patches. CC ID 07032 Operational management Configuration
    Patch software. CC ID 11825 Operational management Technical Security
    Patch Operating System software. CC ID 11824 Operational management Technical Security
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Operational management Configuration
    Remove outdated software after software has been updated. CC ID 11792 Operational management Configuration
    Update computer firmware. CC ID 11755 Operational management Configuration
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Operational management Configuration
    Mitigate the adverse effects of unauthorized changes. CC ID 12244 Operational management Business Processes
    Establish and maintain a change acceptance testing log. CC ID 06392 Operational management Establish/Maintain Documentation
    Document approved configuration deviations. CC ID 08711 Operational management Establish/Maintain Documentation
    Remove non-public information from publicly accessible systems. CC ID 14246 Records management Data and Information Management
    Downgrade electronic storage media, as necessary. CC ID 10621 Records management Process or Activity
    Review and approve implementation plans, as necessary. CC ID 13628 Systems design, build, and implementation Establish/Maintain Documentation
    Correct defective acquired goods or services. CC ID 06911 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990
    [Organizations should inform the subject of care whenever lack of availability of health information systems may have adversely affected their care. § 16.1.2 Health-specific controls ¶ 4]
    Privacy protection for information and data Communicate
    Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989
    [Organizations should inform the subject of care whenever personal health information has been unintentionally disclosed. § 16.1.2 Health-specific controls ¶ 3]
    Privacy protection for information and data Communicate
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Privacy protection for information and data Monitor and Evaluate Occurrences
    Change or destroy any personal data that is incorrect. CC ID 00462
    [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control]
    Privacy protection for information and data Data and Information Management
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Privacy protection for information and data Behavior
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Privacy protection for information and data Data and Information Management
  • Detective
    103
    Analyze organizational policies, as necessary. CC ID 14037 Leadership and high level objectives Establish/Maintain Documentation
    Map in scope assets and in scope records to external requirements. CC ID 12189 Leadership and high level objectives Establish/Maintain Documentation
    Include the counterterror protective security plan test results in the annual Statement on Internal Control. CC ID 06867 Leadership and high level objectives Establish/Maintain Documentation
    Document compliance exceptions, as necessary. CC ID 01630 Leadership and high level objectives Establish/Maintain Documentation
    Assess the potential level of business impact risk associated with each business process. CC ID 06463 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and risk management Audits and Risk Management
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Audits and risk management Investigate
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Audits and risk management Actionable Reports or Measurements
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and risk management Audits and Risk Management
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Audits and risk management Establish/Maintain Documentation
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Audits and risk management Process or Activity
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Audits and risk management Process or Activity
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Log Management
    Review event logs, Intrusion Detection System reports, security incident tracking reports, and other security logs regularly. CC ID 00596 Monitoring and measurement Log Management
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Monitoring and measurement Log Management
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Monitoring and measurement Technical Security
    Evaluate the measurement process used for metrics. CC ID 06920 Monitoring and measurement Testing
    Evaluate the information technology products used for metrics. CC ID 11644 Monitoring and measurement Technical Security
    Review the Access Control policies, as necessary. CC ID 06416 Technical security Process or Activity
    Identify information system users. CC ID 12081 Technical security Technical Security
    Review user accounts. CC ID 00525 Technical security Technical Security
    [User registration details shall be periodically reviewed to ensure that they are complete, accurate and that access is still required. § 9.2.1 Health-specific control ¶ 2]
    Match user accounts to authorized parties. CC ID 12126 Technical security Configuration
    Notify interested personnel when user accounts are added or deleted. CC ID 14327 Technical security Communicate
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and environmental protection Physical and Environmental Protection
    Review facility access lists. CC ID 01251 Physical and environmental protection Establish/Maintain Documentation
    Monitor for unauthorized physical access at physical entry points. CC ID 06797 Physical and environmental protection Monitor and Evaluate Occurrences
    Lock all lockable equipment cabinets. CC ID 11673 Physical and environmental protection Physical and Environmental Protection
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 Human Resources management Testing
    [When an individual is hired for a specific information security role, organizations should make sure the candidate: has the necessary competence to perform the security role; § 7.1.1 Health-specific controls ¶ 3(a)]
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources management Human Resources Management
    [When an individual is hired for a specific information security role, organizations should make sure the candidate: can be trusted to take the role, especially if the role is critical for the organization. § 7.1.1 Health-specific controls ¶ 3(b)]
    Perform a background check during personnel screening. CC ID 11758 Human Resources management Human Resources Management
    Document the personnel risk assessment results. CC ID 11764 Human Resources management Establish/Maintain Documentation
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources management Human Resources Management
    Document the security clearance procedure results. CC ID 01635 Human Resources management Establish/Maintain Documentation
    Document and communicate role descriptions to all applicable personnel. CC ID 00776 Human Resources management Establish Roles
    [In addition to the control given by ISO/IEC 27002, all organizations whose staff members are involved in processing personal health information should document such involvement in relevant job descriptions. Security roles and responsibilities, as laid down in the organization's information security policy, should also be documented in relevant job descriptions. § 7.1.2 Health-specific control ¶ 1]
    Implement segregation of duties in roles and responsibilities. CC ID 00774 Human Resources management Testing
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information should, where feasible, segregate duties and areas of responsibility in order to reduce opportunities for unauthorized modification or misuse of personal health information. § 6.1.2 Health-specific control]
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Human Resources management Monitor and Evaluate Occurrences
    Review and approve access controls, as necessary. CC ID 13074 Operational management Process or Activity
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Operational management Technical Security
    Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 Operational management Investigate
    Establish and maintain incident response procedures. CC ID 01206 Operational management Establish/Maintain Documentation
    [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to ensure effective and timely response to security incidents; § 16.1.2 Health-specific controls ¶ 1(a)]
    Test proposed changes prior to their approval. CC ID 00548 Operational management Testing
    Examine all changes to ensure they correspond with the change request. CC ID 12345 Operational management Business Processes
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Operational management Process or Activity
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Operational management Investigate
    Collect data about the network environment when certifying the network. CC ID 13125 Operational management Investigate
    Review the patch log for missing patches. CC ID 13186 Operational management Technical Security
    Perform a patch test prior to deploying a patch. CC ID 00898 Operational management Testing
    Test software patches for any potential compromise of the system's security. CC ID 13175 Operational management Testing
    Review changes to computer firmware. CC ID 12226 Operational management Testing
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Operational management Testing
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 Operational management Technical Security
    Establish and maintain approved change acceptance testing procedures. CC ID 06391 Operational management Establish/Maintain Documentation
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Operational management Testing
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 Operational management Testing
    Establish and maintain a configuration change log. CC ID 08710 Operational management Configuration
    Review the configuration change log. CC ID 11754 Operational management Configuration
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Establish/Maintain Documentation
    Establish and maintain a data retention program. CC ID 00906 Records management Establish/Maintain Documentation
    Maintain continued integrity for all stored data and stored records. CC ID 00969 Records management Testing
    [The source (authorship) of publicly available health information should be stated and its integrity should be protected. § 14.1.3.1 Health-specific controls ¶ 3]
    Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 Records management Business Processes
    Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 Records management Process or Activity
    Review the electronic storage media for the information the organization collects and processes. CC ID 13009 Records management Process or Activity
    [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control]
    Capture the records required by organizational compliance requirements. CC ID 00912 Records management Records Management
    Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 Records management Data and Information Management
    Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 Records management Data and Information Management
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records management Records Management
    [{confidential information} All health information systems processing personal health information should inform users of the confidentiality of personal health information accessible from the system (e.g. at start-up or log-in) and should label hardcopy output as confidential when it contains personal health information. § 8.2.2 Health-specific control]
    Establish and maintain online storage monitoring and reporting capabilities. CC ID 00935 Records management Monitor and Evaluate Occurrences
    Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 Records management Testing
    Provide audit trails for all pertinent records. CC ID 00372 Records management Establish/Maintain Documentation
    Identify electronic storage media that require downgrading. CC ID 10620 Records management Process or Activity
    Test the storage media downgrade for correct performance. CC ID 10623 Records management Testing
    Evaluate and determine whether or not the newly developed system meets users' system design requirements. CC ID 01120 Systems design, build, and implementation Testing
    [Clinical users should be involved in the testing of clinically relevant system features. § 14.2.9 Health-specific control ¶ 2]
    Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740 Acquisition or sale of facilities, technology, and services Testing
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. § 14.2.9 Health-specific control ¶ 1]
    Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741 Acquisition or sale of facilities, technology, and services Testing
    Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742 Acquisition or sale of facilities, technology, and services Testing
    Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743 Acquisition or sale of facilities, technology, and services Testing
    Test new software or upgraded software for security vulnerabilities. CC ID 01898 Acquisition or sale of facilities, technology, and services Testing
    Test new software or upgraded software for compatibility with the current system. CC ID 11654 Acquisition or sale of facilities, technology, and services Testing
    Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655 Acquisition or sale of facilities, technology, and services Testing
    Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899 Acquisition or sale of facilities, technology, and services Testing
    Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744 Acquisition or sale of facilities, technology, and services Testing
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Privacy protection for information and data Testing
    Conduct personal data risk assessments. CC ID 00357 Privacy protection for information and data Testing
    Establish and maintain suspicious document procedures. CC ID 04852 Privacy protection for information and data Establish/Maintain Documentation
    Establish and maintain suspicious personal data procedures. CC ID 04853 Privacy protection for information and data Data and Information Management
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Privacy protection for information and data Data and Information Management
    Establish and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Monitor and Evaluate Occurrences
    Perform an identity check prior to approving an account change request. CC ID 13670 Privacy protection for information and data Investigate
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Privacy protection for information and data Behavior
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Privacy protection for information and data Data and Information Management
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Privacy protection for information and data Log Management
    Log dates for account name changes or address changes. CC ID 04876 Privacy protection for information and data Log Management
    Review accounts that are changed for additional user requests. CC ID 11846 Privacy protection for information and data Monitor and Evaluate Occurrences
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Privacy protection for information and data Data and Information Management
    Search the Internet for evidence of data leakage. CC ID 10419 Privacy protection for information and data Process or Activity
    Review monitored websites for data leakage. CC ID 10593 Privacy protection for information and data Monitor and Evaluate Occurrences
    Formalize client and third party relationships with contracts or nondisclosure agreements, as necessary. CC ID 00794 Third Party and supply chain oversight Process or Activity
    Perform a risk assessment prior to engaging a third party. CC ID 06454 Third Party and supply chain oversight Testing
  • IT Impact Zone
    14
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive
    603
    Analyze organizational objectives, functions, and activities. CC ID 00598 Leadership and high level objectives Monitor and Evaluate Occurrences
    Establish, implement, and maintain an information classification standard. CC ID 00601 Leadership and high level objectives Establish/Maintain Documentation
    [{confidential information} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should uniformly classify such data as confidential. § 8.2.1 Health-specific control]
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Leadership and high level objectives Data and Information Management
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Leadership and high level objectives Data and Information Management
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Leadership and high level objectives Data and Information Management
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Leadership and high level objectives Data and Information Management
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Leadership and high level objectives Data and Information Management
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Leadership and high level objectives Data and Information Management
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Leadership and high level objectives Data and Information Management
    Classify the value of information in the information classification standard. CC ID 11995 Leadership and high level objectives Data and Information Management
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Leadership and high level objectives Data and Information Management
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Establish/Maintain Documentation
    [A formal scope statement shall be produced that defines the boundary of compliance activity in terms of people, processes, places, platforms and applications. § 6.1.1 Health-specific control ¶ 4]
    Define the scope of the security policy. CC ID 07145 Leadership and high level objectives Data and Information Management
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 Leadership and high level objectives Business Processes
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Leadership and high level objectives Establish/Maintain Documentation
    Correlate Information Systems with applicable controls. CC ID 01621 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain an organizational policy and procedure management program. CC ID 06285 Leadership and high level objectives Establish/Maintain Documentation
    Include the effective date on all organizational policies. CC ID 06820 Leadership and high level objectives Establish/Maintain Documentation
    Implement organizational policies, standards, and procedures. CC ID 12893 Leadership and high level objectives Business Processes
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 Leadership and high level objectives Establish/Maintain Documentation
    Include threats in the organization’s policies, standards, and procedures. CC ID 12953 Leadership and high level objectives Establish/Maintain Documentation
    Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain a list of compliance documents. CC ID 07113 Leadership and high level objectives Establish/Maintain Documentation
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 Leadership and high level objectives Communicate
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Leadership and high level objectives Establish/Maintain Documentation
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Leadership and high level objectives Establish/Maintain Documentation
    Publish and disseminate and communicate an annual Statement on Internal Control. CC ID 06727 Leadership and high level objectives Establish/Maintain Documentation
    Include confirmation of any significant weaknesses in the annual Statement on Internal Control. CC ID 06861 Leadership and high level objectives Establish/Maintain Documentation
    Include an assurance statement regarding the organization's counterterror protective security plan in the annual Statement on Internal Control. CC ID 06866 Leadership and high level objectives Establish/Maintain Documentation
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Leadership and high level objectives Establish Roles
    Approve all compliance documents. CC ID 06286 Leadership and high level objectives Establish/Maintain Documentation
    Align the list of compliance documents with applicable laws, regulations, and contractual obligations. CC ID 06288 Leadership and high level objectives Establish/Maintain Documentation
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284 Leadership and high level objectives Establish Roles
    Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain a Compliance Exception standard for compliance exceptions. CC ID 01628 Leadership and high level objectives Establish/Maintain Documentation
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Leadership and high level objectives Establish/Maintain Documentation
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 Leadership and high level objectives Establish/Maintain Documentation
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Leadership and high level objectives Business Processes
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Leadership and high level objectives Establish/Maintain Documentation
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Leadership and high level objectives Establish Roles
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Leadership and high level objectives Behavior
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 Leadership and high level objectives Behavior
    Estimate the costs of implementing the compliance framework. CC ID 07191 Leadership and high level objectives Business Processes
    Establish and maintain a risk management program. CC ID 12051 Audits and risk management Establish/Maintain Documentation
    Establish and maintain the risk assessment framework. CC ID 00685 Audits and risk management Establish/Maintain Documentation
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and risk management Audits and Risk Management
    Analyze and quantify the risks to in scope systems and information. CC ID 00701 Audits and risk management Audits and Risk Management
    [Healthcare project management should consider patient safety as a project risk in any project involving the processing of personal health information. § 6.1.5 Health-specific control]
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 Audits and risk management Audits and Risk Management
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and risk management Audits and Risk Management
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 Audits and risk management Establish/Maintain Documentation
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Audits and risk management Investigate
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Audits and risk management Behavior
    Prioritize and select controls based on the risk assessment findings. CC ID 00707 Audits and risk management Audits and Risk Management
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level of risk and to the technologies employed. § 15.1.1 Health-specific control]
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and risk management Audits and Risk Management
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 Monitoring and measurement Log Management
    [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to collect and preserve incident-related audit logs and other relevant evidence. § 16.1.2 Health-specific controls ¶ 1(c)]
    Protect the event logs from failure. CC ID 06290 Monitoring and measurement Log Management
    Overwrite the oldest records when audit logging fails. CC ID 14308 Monitoring and measurement Data and Information Management
    Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 Monitoring and measurement Testing
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 Monitoring and measurement Audits and Risk Management
    Reproduce the event log if a log failure is captured. CC ID 01426 Monitoring and measurement Log Management
    Establish and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Establish/Maintain Documentation
    Establish and maintain a log management program. CC ID 00673 Monitoring and measurement Establish/Maintain Documentation
    Restrict access to audit trails to a need to know basis. CC ID 11641 Monitoring and measurement Technical Security
    [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control]
    Protect logs from unauthorized activity. CC ID 01345 Monitoring and measurement Log Management
    [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control]
    Preserve the identity of individuals in audit trails. CC ID 10594
    [Health information systems processing personal health information: shall ensure that each subject of care can be uniquely identified within the system; § 14.1.1.1 Health-specific control ¶ 1(a)]
    Monitoring and measurement Log Management
    Protect against misusing automated audit tools. CC ID 04547
    [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control]
    Monitoring and measurement Technical Security
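The controls above ask for two things that are easy to state and easy to get wrong: a system-wide, time-correlated audit trail built from several components (CC ID 01424) and audit records that are tamper-proof, with tools that can analyse them without altering them (§ 12.4.2, CC ID 01427). The following is an added example, not code from the page or from ISO 27799, showing one way to meet both: per-component records are normalised to UTC and merged by time, then each record is linked to the previous one with an HMAC so that any edit, insertion or deletion inside the trail is detectable. The sample records, component names and the key are constructed for the demo; in practice the key would be held in a KMS or HSM that the log writer can use but log readers and administrators cannot extract.

```python
"""Added example: merge per-component audit logs into one time-correlated trail,
then protect the trail with an HMAC hash chain so that modification or deletion
of a record is detectable. Sample records and the key are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample records. Each component stamps events with its own local
# clock and UTC offset, which is why correlation must normalise to UTC first.
AUTH_LOG = [
    {"ts": "2024-03-01T07:59:58Z", "component": "auth", "user": "dr.smith", "action": "login"},
    {"ts": "2024-03-01T03:00:20-05:00", "component": "auth", "user": "dr.smith", "action": "logout"},
]
EHR_LOG = [
    {"ts": "2024-03-01T09:00:05+01:00", "component": "ehr-app", "user": "dr.smith", "action": "view", "patient": "P-1001"},
    {"ts": "2024-03-01T09:00:12+01:00", "component": "ehr-app", "user": "dr.smith", "action": "update", "patient": "P-1001"},
]
DB_LOG = [
    {"ts": "2024-03-01T08:00:06Z", "component": "db", "user": "ehr_svc", "action": "select", "table": "clinical_notes"},
    {"ts": "2024-03-01T08:00:13Z", "component": "db", "user": "ehr_svc", "action": "update", "table": "clinical_notes"},
]

# Demo key only (assumption): production keys live in an HSM/KMS that readers cannot extract.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = b"\x00" * 32  # link value for the first record


def to_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp (offset or trailing Z) and normalise it to UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def correlate(*logs):
    """Merge records from several components into one trail ordered by UTC time."""
    records = [dict(r) for log in logs for r in log]
    for r in records:
        r["ts_utc"] = to_utc(r["ts"]).isoformat()
    return sorted(records, key=lambda r: r["ts_utc"])


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so the same record always yields the same MAC."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_chain(records, key: bytes = AUDIT_KEY):
    """Add a 'prev' link and an HMAC-SHA256 over (prev || record) to every record."""
    prev = GENESIS
    chain = []
    for r in records:
        mac = hmac.new(key, prev + canonical(r), hashlib.sha256).digest()
        chain.append(dict(r, prev=prev.hex(), mac=mac.hex()))
        prev = mac
    return chain


def verify_chain(chain, key: bytes = AUDIT_KEY):
    """Read-only check. Returns (True, n) when all n entries are intact and linked,
    otherwise (False, i) for the first entry whose link or MAC does not match."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k not in ("prev", "mac")}
        if bytes.fromhex(entry["prev"]) != prev:
            return False, i
        expected = hmac.new(key, prev + canonical(body), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(entry["mac"])):
            return False, i
        prev = expected
    return True, len(chain)


if __name__ == "__main__":
    trail = build_chain(correlate(AUTH_LOG, EHR_LOG, DB_LOG))
    print(verify_chain(trail))          # (True, 6)
    trail[2]["action"] = "delete"       # an insider edits one record
    print(verify_chain(trail))          # (False, 2)
```

Two caveats a reviewer would raise. The chain detects edits and deletions in the middle of the trail, but not removal of the newest entries; to cover truncation, the latest MAC has to be anchored outside the log (a write-once store or a periodic countersignature by a separate system). And `verify_chain` only safeguards the trail if the key is unavailable to the people whose actions it records; an administrator who can read the key can rewrite the chain, which is exactly the misuse § 12.4.2 asks you to prevent.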
    Establish and maintain an access control program. CC ID 11702 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain access control policies. CC ID 00512
    [Organizations processing personal health information shall have an access control policy governing access to these data. § 9.1.1 Health-specific control ¶ 2
    {external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4
    The organization's policy on access control should be established on the basis of predefined roles with associated authorities which are consistent with, but limited to, the needs of that role. § 9.1.1 Health-specific control ¶ 3]
    Technical security Establish/Maintain Documentation
    Include compliance requirements in the access control policy. CC ID 14006 Technical security Establish/Maintain Documentation
    Include coordination amongst entities in the access control policy. CC ID 14005 Technical security Establish/Maintain Documentation
    Include management commitment in the access control policy. CC ID 14004 Technical security Establish/Maintain Documentation
    Include roles and responsibilities in the access control policy. CC ID 14003 Technical security Establish/Maintain Documentation
    Include the scope in the access control policy. CC ID 14002 Technical security Establish/Maintain Documentation
    Include the purpose in the access control policy. CC ID 14001 Technical security Establish/Maintain Documentation
    Establish and maintain an instant messaging and chat system usage policy. CC ID 11815 Technical security Establish/Maintain Documentation
    Disseminate and communicate the Access Control policies to all interested personnel and affected parties. CC ID 10061 Technical security Establish/Maintain Documentation
    Establish and maintain an access rights management plan. CC ID 00513 Technical security Establish/Maintain Documentation
    Change access codes after personnel status changes. CC ID 12284 Technical security Human Resources Management
    Review each user's access capabilities when their role changes. CC ID 00524 Technical security Technical Security
    Control access rights to organizational assets. CC ID 00004 Technical security Technical Security
    Establish access rights based on least privilege. CC ID 01411
    [Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will become available to the user. § 9.2.1 Health-specific control ¶ 1]
    Technical security Technical Security
    Assign user permissions based on job responsibilities. CC ID 00538 Technical security Technical Security
    Assign user privileges after they have management sign off. CC ID 00542 Technical security Technical Security
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Technical security Configuration
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Technical security Establish Roles
    Enforce access restrictions for restricted data. CC ID 01921
    [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: § 9.1.1 Health-specific control ¶ 1]
    Technical security Data and Information Management
    Establish and maintain User Access Management procedures for all systems. CC ID 00514
    [{external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4]
    Technical security Technical Security
    Establish, implement, and maintain an authority for access authorization list. CC ID 06782 Technical security Establish/Maintain Documentation
    Review and approve logical access to all assets based upon organizational policies. CC ID 06641 Technical security Technical Security
    Control the addition and modification of user identifiers, user credentials, or other object identifiers. CC ID 00515 Technical security Technical Security
    Assign roles and responsibilities for administering user account management. CC ID 11900 Technical security Human Resources Management
    Automate access control methods, as necessary. CC ID 11838 Technical security Technical Security
    Automate Access Control Systems, as necessary. CC ID 06854 Technical security Technical Security
    Refrain from storing logon credentials for third party applications. CC ID 13690 Technical security Technical Security
    Refrain from allowing user access to identifiers and passwords used by applications. CC ID 10048 Technical security Technical Security
    Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 Technical security Configuration
    Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 Technical security Establish/Maintain Documentation
    Limit superuser accounts to designated System Administrators. CC ID 06766 Technical security Configuration
    Use superuser accounts only in emergencies. CC ID 07064 Technical security Technical Security
    Establish and maintain access control procedures. CC ID 11663 Technical security Establish/Maintain Documentation
    Include Access Control procedures in the Access Control program. CC ID 00528
    [Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will become available to the user. § 9.2.1 Health-specific control ¶ 1]
    Technical security Technical Security
    Identify and control all network access controls. CC ID 00529 Technical security Technical Security
    Establish and maintain a Boundary Defense program. CC ID 00544 Technical security Establish/Maintain Documentation
    Segregate out of scope systems from in scope systems. CC ID 12546 Technical security Technical Security
    Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 Technical security Technical Security
    Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289
[{processing architecture} Access to information and application system functions related to the processing of personal health information should be isolated from (and separate to) access to information processing infrastructure that is unrelated to the processing of personal health information. § 9.4.1 Health-specific control ¶ 2]
    Technical security Data and Information Management
    Enforce information flow control. CC ID 11781 Technical security Monitor and Evaluate Occurrences
    Establish and maintain information flow control configuration standards. CC ID 01924 Technical security Establish/Maintain Documentation
    Constrain the information flow of restricted data or restricted information. CC ID 06763 Technical security Data and Information Management
    Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453
    [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when there is a need for specific data to support this activity. § 9.1.1 Health-specific control ¶ 1(c)]
    Technical security Data and Information Management
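§ 9.1.1 combines two distinct checks: permissions are defined per predefined role and limited to what that role needs (¶ 3), and even a permitted role may read personal health information only when there is a need for the specific data to support the activity (¶ 1(c)). The following is an added example, not code from the page or from ISO 27799, of an access decision that enforces both layers and returns a reason string that can be written to the audit trail. Role names, data categories and the care-relationship registry are constructed for the demo; a real deployment would feed the registry from admissions, scheduling or referral systems.

```python
"""Added example: role-based, need-to-know access decision for personal health
information. Roles, categories and the registry contents are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# Each role is granted only the data categories its tasks require (9.1.1 ¶3).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "physician": frozenset({"demographics", "clinical_notes", "lab_results", "prescriptions"}),
    "nurse": frozenset({"demographics", "clinical_notes", "lab_results"}),
    "lab_technician": frozenset({"lab_results"}),
    "billing_clerk": frozenset({"demographics", "billing"}),
}

# Clinical categories also require an active care relationship with the subject
# of care: holding the role is necessary but not sufficient (9.1.1 ¶1(c)).
NEEDS_CARE_RELATIONSHIP: FrozenSet[str] = frozenset({"clinical_notes", "lab_results", "prescriptions"})


@dataclass
class User:
    user_id: str
    roles: Set[str] = field(default_factory=set)


@dataclass
class CareRegistry:
    """Active (user_id, patient_id) treating relationships (assumed to be fed from admissions)."""
    active: Set[Tuple[str, str]] = field(default_factory=set)

    def treats(self, user_id: str, patient_id: str) -> bool:
        return (user_id, patient_id) in self.active


def effective_permissions(user: User) -> FrozenSet[str]:
    """Union of the user's role grants; an unknown role contributes nothing."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def authorize(user: User, patient_id: str, category: str, registry: CareRegistry) -> Tuple[bool, str]:
    """Deny by default. Returns (decision, reason); the reason is meant for the audit log."""
    if category not in effective_permissions(user):
        return False, f"role_denied:{category}"
    if category in NEEDS_CARE_RELATIONSHIP and not registry.treats(user.user_id, patient_id):
        return False, f"no_care_relationship:{patient_id}"
    return True, "permit"


if __name__ == "__main__":
    registry = CareRegistry({("dr.smith", "P-1001")})
    smith = User("dr.smith", {"physician"})
    print(authorize(smith, "P-1001", "clinical_notes", registry))  # (True, 'permit')
    print(authorize(smith, "P-2002", "clinical_notes", registry))  # denied: no relationship
```

The order of the checks matters for what the audit trail shows: a role denial says the user should never see that category, while a care-relationship denial says a legitimately privileged user tried to reach a patient outside their workflow, which is the pattern that most often needs follow-up. Demographics and billing are left outside the relationship check here only because the demo assumes those tasks are not tied to a treating relationship; the category sets are the policy decision the organisation has to make, not a property of the code.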
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 Technical security Establish/Maintain Documentation
    Establish and maintain information flow procedures. CC ID 04542
    [{external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4]
    Technical security Establish/Maintain Documentation
    Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 Technical security Data and Information Management
    Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 Technical security Data and Information Management
    Control all methods of remote access and teleworking. CC ID 00559 Technical security Technical Security
    Implement two-factor authentication techniques. CC ID 00561
    [{multifactor authentication} Health information systems processing personal health information shall authenticate users and should do so by means of authentication involving at least two factors. § 9.4.1 Health-specific control ¶ 1]
    Technical security Configuration
    Establish, implement, and maintain a malicious code protection program. CC ID 00574 Technical security Establish/Maintain Documentation
    Install security and protection software on all systems. CC ID 00575
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. § 12.2.1 Health-specific control]
    Technical security Configuration
    Establish and maintain a physical security program. CC ID 11757 Physical and environmental protection Establish/Maintain Documentation
    Establish and maintain a facility physical security program. CC ID 00711 Physical and environmental protection Establish/Maintain Documentation
    Identify and document physical access controls for all physical entry points. CC ID 01637 Physical and environmental protection Establish/Maintain Documentation
    Control physical access to (and within) the facility. CC ID 01329
    [Organizations processing personal health information should use security perimeters to protect areas that contain information processing facilities supporting such health applications. These secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.1 Health-specific control]
    Physical and environmental protection Physical and Environmental Protection
    Define and implement access procedures for all organizational facilities and controlled access areas. CC ID 13629 Physical and environmental protection Establish/Maintain Documentation
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and environmental protection Physical and Environmental Protection
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and environmental protection Physical and Environmental Protection
    Establish and maintain a visitor access permissions policy. CC ID 06699 Physical and environmental protection Establish/Maintain Documentation
    Escort visitors within the facility, as necessary. CC ID 06417 Physical and environmental protection Establish/Maintain Documentation
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and environmental protection Physical and Environmental Protection
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Physical and environmental protection Testing
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Physical and environmental protection Behavior
    Establish and maintain procedures for changing a visitor's access requirements. CC ID 12048 Physical and environmental protection Establish/Maintain Documentation
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Physical and environmental protection Establish/Maintain Documentation
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Physical and environmental protection Establish/Maintain Documentation
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 Physical and environmental protection Monitor and Evaluate Occurrences
    Establish and maintain physical identification procedures. CC ID 00713 Physical and environmental protection Establish/Maintain Documentation
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Physical and environmental protection Human Resources Management
    Implement physical identification processes. CC ID 13715 Physical and environmental protection Process or Activity
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Physical and environmental protection Process or Activity
    Issue photo identification badges to all employees. CC ID 12326 Physical and environmental protection Physical and Environmental Protection
    Implement operational requirements for card readers. CC ID 02225 Physical and environmental protection Testing
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and environmental protection Physical and Environmental Protection
    Manage constituent identification inside the facility. CC ID 02215 Physical and environmental protection Behavior
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Physical and environmental protection Human Resources Management
    Manage visitor identification inside the facility. CC ID 11670 Physical and environmental protection Physical and Environmental Protection
    Issue visitor identification badges to all non-employees. CC ID 00543 Physical and environmental protection Behavior
    Secure unissued visitor identification badges. CC ID 06712 Physical and environmental protection Physical and Environmental Protection
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Physical and environmental protection Behavior
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and environmental protection Physical and Environmental Protection
    Establish and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Physical and environmental protection Establish/Maintain Documentation
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Physical and environmental protection Process or Activity
    Include error handling controls in identification issuance procedures. CC ID 13709 Physical and environmental protection Establish/Maintain Documentation
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Physical and environmental protection Process or Activity
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Physical and environmental protection Establish/Maintain Documentation
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and environmental protection Physical and Environmental Protection
    Enforce dual control for badge assignments. CC ID 12328 Physical and environmental protection Physical and Environmental Protection
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and environmental protection Physical and Environmental Protection
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and environmental protection Physical and Environmental Protection
    Establish and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Physical and environmental protection Establish/Maintain Documentation
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Physical and environmental protection Human Resources Management
    Establish and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Physical and environmental protection Establish/Maintain Documentation
    Establish and maintain identification mechanism termination procedures. CC ID 06306 Physical and environmental protection Establish/Maintain Documentation
    Prevent tailgating through physical entry points. CC ID 06685 Physical and environmental protection Physical and Environmental Protection
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749
    [Organizations processing personal health information should use security perimeters to protect areas that contain information processing facilities supporting such health applications. These secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.1 Health-specific control]
    Physical and environmental protection Physical and Environmental Protection
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and environmental protection Physical and Environmental Protection
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and environmental protection Physical and Environmental Protection
    Establish and maintain physical security controls for distributed Information Technology assets. CC ID 00718 Physical and environmental protection Physical and Environmental Protection
    Protect distributed Information Technology assets against theft. CC ID 06799 Physical and environmental protection Physical and Environmental Protection
    Establish and maintain Information Technology asset removal procedures. CC ID 04540 Physical and environmental protection Establish/Maintain Documentation
    Prohibit assets from being taken off-site absent prior authorization. CC ID 12027
    [In addition to implementing the control given by ISO/IEC 27002, organizations providing or using equipment, data or software to support a healthcare application containing personal health information shall not allow such equipment, data, or software to be removed from the site or relocated within it without authorization by the organization. § 11.2.5 Health-specific control]
    Physical and environmental protection Process or Activity
    Establish and maintain asset return procedures. CC ID 04537 Physical and environmental protection Establish/Maintain Documentation
    Require the return of all assets upon notification an individual is terminated. CC ID 06679
    [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control]
    Physical and environmental protection Behavior
    Establish and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Establish/Maintain Documentation
    Establish and maintain system continuity plan strategies for all in scope systems. CC ID 00735 Operational and Systems Continuity Establish/Maintain Documentation
    Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 Operational and Systems Continuity Establish/Maintain Documentation
    Establish and maintain backup procedures for in scope systems. CC ID 01258 Operational and Systems Continuity Systems Continuity
    Establish and maintain off-site electronic media storage facilities. CC ID 00957 Operational and Systems Continuity Physical and Environmental Protection
    Store backup media at an off-site electronic media storage facility. CC ID 01332
    [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1]
    Operational and Systems Continuity Data and Information Management
    Transport backup media in lockable electronic media storage containers. CC ID 01264 Operational and Systems Continuity Data and Information Management
    Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 Operational and Systems Continuity Data and Information Management
    Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765
    [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1]
    Operational and Systems Continuity Systems Continuity
    Perform backup procedures for in scope systems. CC ID 11692 Operational and Systems Continuity Process or Activity
    Back up all records. CC ID 11974
    [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1]
    Operational and Systems Continuity Systems Continuity
    Encrypt backup data. CC ID 00958
    [To protect its confidentiality, personal health information should be backed up in an encrypted format. § 12.3.1 Health-specific control ¶ 2]
    Operational and Systems Continuity Configuration
    Establish and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Establish Roles
    Define and assign the security staff roles and responsibilities. CC ID 11750
    [At a minimum, at least one individual shall be responsible for health information security within the organization. § 6.1.1 Health-specific control ¶ 2]
    Human Resources management Establish/Maintain Documentation
    Establish and maintain an Information Technology steering committee. CC ID 12706 Human Resources management Human Resources Management
    Convene the Information Technology steering committee, as necessary. CC ID 12730
    [The health information security forum shall meet regularly, on a monthly or near-to-monthly basis. (Typically, it is most effective to meet at the mid-point between the meetings of the governance body into which the forum reports. This allows emergency matters to be taken to a suitable meeting within a short period.) § 6.1.1 Health-specific control ¶ 3]
    Human Resources management Human Resources Management
    Define and assign workforce roles and responsibilities. CC ID 13267
    [Special attention needs to be placed upon the roles and responsibilities of temporary or short-term staff such as locums, students, interns, etc. § 7.1.2 Health-specific control ¶ 2]
    Human Resources management Human Resources Management
    Establish and maintain cybersecurity roles and responsibilities. CC ID 13201 Human Resources management Human Resources Management
    Assign roles and responsibilities for physical security, as necessary. CC ID 13113 Human Resources management Establish Roles
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 Human Resources management Human Resources Management
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources management Human Resources Management
    Assign the roles and responsibilities for the change control program. CC ID 13118 Human Resources management Human Resources Management
    Identify and define all key Information Technology roles. CC ID 00777 Human Resources management Establish Roles
    Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 Human Resources management Establish Roles
    Assign responsibility for cyber threat intelligence. CC ID 12746 Human Resources management Human Resources Management
    Assign the role of security management to applicable controls. CC ID 06444 Human Resources management Establish Roles
    Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 Human Resources management Human Resources Management
    Define and assign the data processor's roles and responsibilities. CC ID 12607 Human Resources management Human Resources Management
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 Human Resources management Human Resources Management
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Human Resources management Communicate
    Define and assign the data controller's roles and responsibilities. CC ID 00471 Human Resources management Establish Roles
    Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 Human Resources management Human Resources Management
    Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 Human Resources management Human Resources Management
    Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 Human Resources management Human Resources Management
    Assign the role of data controller to applicable controls. CC ID 00354 Human Resources management Establish Roles
    Assign the role of data controller to provide advice, when requested. CC ID 12611 Human Resources management Human Resources Management
    Assign the role of data controller to additional personnel, as necessary. CC ID 00473 Human Resources management Establish Roles
    Assign the role of Information Technology operations to applicable controls. CC ID 00682 Human Resources management Establish Roles
    Assign the role of logical access control to applicable controls. CC ID 00772 Human Resources management Establish Roles
    Assign the role of asset physical security to applicable controls. CC ID 00770 Human Resources management Establish Roles
    Assign the role of data custodian to applicable controls. CC ID 04789 Human Resources management Establish Roles
    Assign the role of the Quality Management committee to applicable controls. CC ID 00769 Human Resources management Establish Roles
    Assign interested personnel to the Quality Management committee. CC ID 07193 Human Resources management Establish Roles
    Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 Human Resources management Establish Roles
    Assign the role of fire protection management to applicable controls. CC ID 04891 Human Resources management Establish Roles
    Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 Human Resources management Establish Roles
    Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 Human Resources management Establish Roles
    Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 Human Resources management Establish Roles
    Assign the roles and responsibilities of security guards. CC ID 12543 Human Resources management Human Resources Management
    Define and assign roles and responsibilities for dispute resolution. CC ID 13626 Human Resources management Human Resources Management
    Define and assign the roles for Legal Support Workers. CC ID 13711 Human Resources management Human Resources Management
    Establish and maintain a personnel management program. CC ID 14018 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Establish/Maintain Documentation
    Assign security clearance procedures to qualified personnel. CC ID 06812 Human Resources management Establish Roles
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Human Resources management Establish Roles
    Establish and maintain personnel screening procedures. CC ID 11700 Human Resources management Establish/Maintain Documentation
    Perform a personal identification check during personnel screening. CC ID 06721
    [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1]
    Human Resources management Human Resources Management
    Perform a criminal records check during personnel screening. CC ID 06643 Human Resources management Establish/Maintain Documentation
    Include all residences in the criminal records check. CC ID 13306 Human Resources management Process or Activity
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Human Resources management Establish/Maintain Documentation
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources management Human Resources Management
    Perform a credit check during personnel screening. CC ID 06646 Human Resources management Human Resources Management
    Perform an academic records check during personnel screening. CC ID 06647 Human Resources management Establish/Maintain Documentation
    Perform a drug test during personnel screening. CC ID 06648 Human Resources management Testing
    Perform a resume check during personnel screening. CC ID 06659 Human Resources management Human Resources Management
    [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1
    Background verification checks on all candidates for employment should include a verification of applicable health professional qualifications, where such qualifications are professionally accredited (e.g. physicians, nurses, etc.) § 7.1.1 Health-specific controls ¶ 2]
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources management Human Resources Management
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources management Human Resources Management
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources management Human Resources Management
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Human Resources management Establish/Maintain Documentation
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources management Human Resources Management
    Update security clearances, as necessary. CC ID 01634 Human Resources management Human Resources Management
    Establish and maintain the Information Technology staff structure in line with the Strategic Information Technology Plan. CC ID 00764 Human Resources management Establish Roles
    Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 Human Resources management Technical Security
    Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 Human Resources management Establish/Maintain Documentation
    Include a space for previous addresses and previous residences on the job application. CC ID 12302 Human Resources management Human Resources Management
    [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1]
    Train all personnel and third parties, as necessary. CC ID 00785 Human Resources management Behavior
    Establish and implement training plans. CC ID 00828 Human Resources management Establish/Maintain Documentation
    Establish and maintain a security awareness program. CC ID 11746 Human Resources management Establish/Maintain Documentation
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. § 12.2.1 Health-specific control]
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Human Resources management Establish/Maintain Documentation
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Human Resources management Establish/Maintain Documentation
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Human Resources management Establish/Maintain Documentation
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Human Resources management Communicate
    Include management commitment in the security awareness and training policy. CC ID 14049 Human Resources management Establish/Maintain Documentation
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Human Resources management Establish/Maintain Documentation
    Include the scope in the security awareness and training policy. CC ID 14047 Human Resources management Establish/Maintain Documentation
    Include the purpose in the security awareness and training policy. CC ID 14045 Human Resources management Establish/Maintain Documentation
    Include configuration management procedures in the security awareness program. CC ID 13967 Human Resources management Establish/Maintain Documentation
    Document security awareness requirements. CC ID 12146 Human Resources management Establish/Maintain Documentation
    Include safeguards for information systems in the security awareness program. CC ID 13046 Human Resources management Establish/Maintain Documentation
    Include security policies and security standards in the security awareness program. CC ID 13045 Human Resources management Establish/Maintain Documentation
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Human Resources management Establish/Maintain Documentation
    Include updates on emerging issues in the security awareness program. CC ID 13184 Human Resources management Training
    Include cybersecurity in the security awareness program. CC ID 13183 Human Resources management Training
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Human Resources management Establish/Maintain Documentation
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Human Resources management Establish/Maintain Documentation
    [In addition to implementing the control given by ISO/IEC 27002, all organizations processing personal health information shall ensure that information security education and training are provided on induction and, that regular updates in organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information. § 7.2.2 Health-specific control ¶ 1]
    Include remote access in the security awareness program. CC ID 13892 Human Resources management Establish/Maintain Documentation
    Document the goals of the security awareness program. CC ID 12145 Human Resources management Establish/Maintain Documentation
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Human Resources management Establish/Maintain Documentation
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources management Human Resources Management
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources management Human Resources Management
    Document the scope of the security awareness program. CC ID 12148 Human Resources management Establish/Maintain Documentation
    Establish and maintain a security awareness baseline. CC ID 12147 Human Resources management Establish/Maintain Documentation
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources management Human Resources Management
    Disseminate and communicate security awareness and the internal control framework to all interested personnel and affected parties. CC ID 00823 Human Resources management Behavior
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Human Resources management Behavior
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Human Resources management Training
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Human Resources management Establish/Maintain Documentation
    Establish and maintain a Code of Conduct as a part of the Terms and Conditions of employment. CC ID 04897 Human Resources management Establish/Maintain Documentation
    Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 Human Resources management Communicate
    Establish and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Establish/Maintain Documentation
    Establish and maintain a positive information control environment. CC ID 00813 Operational management Business Processes
    [have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. § 6.1.1 Health-specific control ¶ 1(b)]
    Make compliance and governance decisions in a timely manner. CC ID 06490 Operational management Behavior
    Establish and maintain an information security program. CC ID 00812 Operational management Establish/Maintain Documentation
    [have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. § 6.1.1 Health-specific control ¶ 1(b)]
    Include physical safeguards in the information security program. CC ID 12375 Operational management Establish/Maintain Documentation
    Include technical safeguards in the information security program. CC ID 12374 Operational management Establish/Maintain Documentation
    Include administrative safeguards in the information security program. CC ID 12373 Operational management Establish/Maintain Documentation
    Include system development in the information security program. CC ID 12389 Operational management Establish/Maintain Documentation
    Include system maintenance in the information security program. CC ID 12388 Operational management Establish/Maintain Documentation
    Include system acquisition in the information security program. CC ID 12387 Operational management Establish/Maintain Documentation
    Include access control in the information security program. CC ID 12386 Operational management Establish/Maintain Documentation
    Include operations management in the information security program. CC ID 12385 Operational management Establish/Maintain Documentation
    Include communication management in the information security program. CC ID 12384 Operational management Establish/Maintain Documentation
    Include environmental security in the information security program. CC ID 12383 Operational management Establish/Maintain Documentation
    Include physical security in the information security program. CC ID 12382 Operational management Establish/Maintain Documentation
    Include human resources security in the information security program. CC ID 12381 Operational management Establish/Maintain Documentation
    Include asset management in the information security program. CC ID 12380 Operational management Establish/Maintain Documentation
    Include a continuous monitoring program in the information security program. CC ID 14323 Operational management Establish/Maintain Documentation
    Include how the information security department is organized in the information security program. CC ID 12379 Operational management Establish/Maintain Documentation
    Include risk management in the information security program. CC ID 12378 Operational management Establish/Maintain Documentation
    Include mitigating supply chain risks in the Information Security Program. CC ID 13352 Operational management Establish/Maintain Documentation
    Provide management direction and support for the information security program. CC ID 11999 Operational management Process or Activity
    Monitor and review the effectiveness of the information security program. CC ID 12744 Operational management Monitor and Evaluate Occurrences
    Establish and maintain an information security policy. CC ID 11740 Operational management Establish/Maintain Documentation
    [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control]
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Business Processes
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Establish/Maintain Documentation
    Include information security objectives in the information security policy. CC ID 13493 Operational management Establish/Maintain Documentation
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Establish/Maintain Documentation
    Review the information security procedures, as necessary. CC ID 12006 Operational management Business Processes
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Operational management Process or Activity
    [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control]
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Establish/Maintain Documentation
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Establish/Maintain Documentation
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Operational management Establish Roles
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Operational management Human Resources Management
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Operational management Establish/Maintain Documentation
    [clearly define and assign information security responsibilities; § 6.1.1 Health-specific control ¶ 1(a)]
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Operational management Human Resources Management
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Operational management Communicate
    [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control
    In addition to implementing the control given by ISO/IEC 27002, all organizations processing personal health information shall ensure that information security education and training are provided on induction and, that regular updates in organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information. § 7.2.2 Health-specific control ¶ 1]
    Establish and maintain a social media governance program. CC ID 06536 Operational management Establish/Maintain Documentation
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Operational management Business Processes
    Refrain from requiring users to disclose social media account usernames or passwords. CC ID 14009 Operational management Business Processes
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Operational management Behavior
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Operational management Establish/Maintain Documentation
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Operational management Establish/Maintain Documentation
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Operational management Establish/Maintain Documentation
    Establish and maintain operational control procedures. CC ID 00831 Operational management Establish/Maintain Documentation
    Include assigning and approving operations in operational control procedures. CC ID 06382 Operational management Establish/Maintain Documentation
    Include startup processes in operational control procedures. CC ID 00833 Operational management Establish/Maintain Documentation
    Establish and maintain a data processing run manual. CC ID 00832 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Operational management Establish/Maintain Documentation
    Include information sharing procedures in standard operating procedures. CC ID 12974 Operational management Records Management
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Operational management Business Processes
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Operational management Communicate
    Establish and maintain a job scheduling methodology. CC ID 00834 Operational management Establish/Maintain Documentation
    Establish and maintain a job schedule exceptions list. CC ID 00835 Operational management Establish/Maintain Documentation
    Establish and maintain a data processing continuity plan. CC ID 00836 Operational management Establish/Maintain Documentation
    Establish and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Operational management Establish/Maintain Documentation
    Establish and maintain an Acceptable Use Policy. CC ID 01350 Operational management Establish/Maintain Documentation
    [{health information asset} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: have rules for acceptable use of these assets that are identified, documented and implemented. § 8.1.1 Health-specific control ¶ 1(c)]
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Operational management Establish/Maintain Documentation
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall ensure that any use, outside its premises, of medical devices that record or report data has been authorized. This should include equipment used by remote workers, even where such usage is perpetual (i.e. where it forms a core feature of the employee's role, such as for ambulance personnel, therapists, etc.) § 11.2.6 Health-specific control]
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the acceptable use policy. CC ID 11894 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Operational management Establish/Maintain Documentation
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Operational management Establish/Maintain Documentation
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Operational management Establish/Maintain Documentation
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Operational management Establish/Maintain Documentation
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Establish/Maintain Documentation
    Include temporary activation of remote access technologies for third parties in the acceptable use policy. CC ID 11892 Operational management Technical Security
    Include prohibiting copying or moving of restricted data from its original source onto local hard drives or removable storage media in the acceptable use policy. CC ID 11893 Operational management Establish/Maintain Documentation
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Data and Information Management
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Operational management Establish/Maintain Documentation
    Include appropriate network locations for each technology in the acceptable use policy. CC ID 11881 Operational management Establish/Maintain Documentation
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Operational management Establish/Maintain Documentation
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Operational management Establish/Maintain Documentation
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Operational management Establish/Maintain Documentation
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Operational management Establish/Maintain Documentation
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Operational management Communicate
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Operational management Establish/Maintain Documentation
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Operational management Establish/Maintain Documentation
    Establish and maintain domain name registration and renewal procedures. CC ID 07075 Operational management Business Processes
    Establish and maintain Intellectual Property Rights protection procedures. CC ID 11512 Operational management Establish/Maintain Documentation
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Operational management Establish/Maintain Documentation
    Identify the sender in all electronic messages. CC ID 13996 Operational management Data and Information Management
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Operational management Establish/Maintain Documentation
    Establish and maintain nondisclosure agreements. CC ID 04536 Operational management Establish/Maintain Documentation
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall have a confidentiality agreement in place that specifies the confidential nature of this information. The agreement shall be applicable to all personnel accessing health information. § 13.2.4 Health-specific control]
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Operational management Establish/Maintain Documentation
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Operational management Establish/Maintain Documentation
    Review nondisclosure agreements on a regular basis. CC ID 12437 Operational management Human Resources Management
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Business Processes
    Establish and maintain an Asset Management program. CC ID 06630 Operational management Business Processes
    Assign an information owner to organizational assets, as necessary. CC ID 12729 Operational management Human Resources Management
    [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: have a designated custodian of these health information assets (see 8.1.2); § 8.1.1 Health-specific control ¶ 1(b)
    The source (authorship) of publicly available health information should be stated and its integrity should be protected. § 14.1.3.1 Health-specific controls ¶ 3]
    Establish, implement, and maintain an asset inventory database. CC ID 06631 Operational management Business Processes
    [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: account for health information assets (i.e. maintain an inventory of such assets); § 8.1.1 Health-specific control ¶ 1(a)]
    Link the authentication system to the asset inventory. CC ID 13718 Operational management Technical Security
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Operational management Human Resources Management
    [{establish}{ownership} Assets maintained in the inventory should be owned. § 8.1.2 Control ¶ 2]
    Record software license information for each asset in the asset inventory. CC ID 11736 Operational management Data and Information Management
    Record services for applicable assets in the asset inventory. CC ID 13733 Operational management Establish/Maintain Documentation
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Operational management Establish/Maintain Documentation
    Include the software version for applicable assets in the asset inventory. CC ID 12196 Operational management Establish/Maintain Documentation
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Operational management Establish/Maintain Documentation
    Include authentication systems in the asset inventory. CC ID 13724 Operational management Establish/Maintain Documentation
    Tag unsupported assets in the asset inventory. CC ID 13723 Operational management Establish/Maintain Documentation
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Operational management Establish/Maintain Documentation
    Record the make and model of the device for applicable assets in the asset inventory. CC ID 12465 Operational management Establish/Maintain Documentation
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Operational management Establish/Maintain Documentation
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Operational management Establish/Maintain Documentation
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Operational management Establish/Maintain Documentation
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Operational management Establish/Maintain Documentation
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Operational management Data and Information Management
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Operational management Establish/Maintain Documentation
    Record the department associated with the asset in the asset inventory. CC ID 12084 Operational management Establish/Maintain Documentation
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Operational management Establish/Maintain Documentation
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Operational management Establish/Maintain Documentation
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Operational management Establish/Maintain Documentation
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Operational management Establish/Maintain Documentation
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Operational management Establish/Maintain Documentation
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Operational management Establish/Maintain Documentation
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Operational management Establish/Maintain Documentation
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Operational management Establish/Maintain Documentation
    Record all changes to assets in the asset inventory database. CC ID 12190 Operational management Establish/Maintain Documentation
    Include cloud service derived data in the asset inventory database. CC ID 13007 Operational management Establish/Maintain Documentation
    Include cloud service customer data in the asset inventory database, as necessary. CC ID 13006 Operational management Establish/Maintain Documentation
    Establish and maintain a customer service program. CC ID 00846 Operational management Establish/Maintain Documentation
    Establish and maintain an Incident Management program. CC ID 00853 Operational management Business Processes
    Include incident escalation procedures in the Incident Management program. CC ID 00856 Operational management Establish/Maintain Documentation
    [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to ensure that there is an effective and prioritized escalation path for incidents, such that crisis management and business continuity management plans can be invoked in the right circumstances and at the right time; § 16.1.2 Health-specific controls ¶ 1(b)]
    Include intrusion detection procedures in the Incident Management program. CC ID 00588 Operational management Establish/Maintain Documentation
    Include incident management procedures in the Incident Management program. CC ID 12689 Operational management Establish/Maintain Documentation
    [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: § 16.1.2 Health-specific controls ¶ 1]
    Establish and maintain an Incident Response program. CC ID 00579 Operational management Establish/Maintain Documentation
    Include incident response team structures in the Incident Response program. CC ID 01237 Operational management Establish/Maintain Documentation
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652
    [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: § 16.1.2 Health-specific controls ¶ 1]
    Operational management Establish Roles
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Operational management Establish Roles
    Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 Operational management Establish Roles
    Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 Operational management Establish Roles
    Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 Operational management Establish Roles
    Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 Operational management Establish Roles
    Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 Operational management Establish Roles
    Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 Operational management Establish Roles
    Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 Operational management Establish Roles
    Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 Operational management Establish Roles
    Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 Operational management Establish Roles
    Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 Operational management Human Resources Management
    Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 Operational management Establish/Maintain Documentation
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Operational management Communicate
    Include references to industry best practices in the incident response procedures. CC ID 11956 Operational management Establish/Maintain Documentation
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 Operational management Establish/Maintain Documentation
    Establish and maintain a change control program. CC ID 00886
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure the appropriate control of host applications and systems and continuity of patient care. § 12.1.2 Health-specific control]
    Operational management Establish/Maintain Documentation
    Include potential consequences of unintended changes in the change control program. CC ID 12243 Operational management Establish/Maintain Documentation
    Include version control in the change control program. CC ID 13119 Operational management Establish/Maintain Documentation
    Include service design and transition in the change control program. CC ID 13920 Operational management Establish/Maintain Documentation
    Separate the production environment from the development environment or test environment for the change control process. CC ID 11864 Operational management Maintenance
    Integrate configuration management procedures into the change control program. CC ID 13646 Operational management Technical Security
    Establish and maintain a back-out plan. CC ID 13623 Operational management Establish/Maintain Documentation
    Establish back-out procedures for each proposed change in a change request. CC ID 00373 Operational management Establish/Maintain Documentation
    Manage change requests. CC ID 00887
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure the appropriate control of host applications and systems and continuity of patient care. § 12.1.2 Health-specific control]
    Operational management Business Processes
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942 Operational management Establish/Maintain Documentation
    Establish and maintain a change request approver list. CC ID 06795 Operational management Establish/Maintain Documentation
    Document all change requests in change request forms. CC ID 06794 Operational management Establish/Maintain Documentation
    Approve tested change requests. CC ID 11783 Operational management Data and Information Management
    Validate the system before implementing approved changes. CC ID 01510 Operational management Systems Design, Build, and Implementation
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Operational management Behavior
    Establish and maintain emergency change procedures. CC ID 00890 Operational management Establish/Maintain Documentation
    Perform emergency changes, as necessary. CC ID 12707 Operational management Process or Activity
    Back up emergency changes after the change has been performed. CC ID 12734 Operational management Process or Activity
    Log emergency changes after they have been performed. CC ID 12733 Operational management Establish/Maintain Documentation
    Perform risk assessments prior to approving change requests. CC ID 00888 Operational management Testing
    Implement changes according to the change control program. CC ID 11776 Operational management Business Processes
    Provide audit trails for all approved changes. CC ID 13120 Operational management Establish/Maintain Documentation
    Establish and maintain a patch management program. CC ID 00896 Operational management Process or Activity
    Document the sources of all software updates. CC ID 13316 Operational management Establish/Maintain Documentation
    Implement patch management software, as necessary. CC ID 12094 Operational management Technical Security
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Operational management Technical Security
    Establish and maintain a patch log. CC ID 01642 Operational management Establish/Maintain Documentation
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Operational management Business Processes
    Update computer firmware to the latest version once upgrade notification has been received. CC ID 06081 Operational management Configuration
    Establish and maintain a software release policy. CC ID 00893 Operational management Establish/Maintain Documentation
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Operational management Behavior
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Operational management Data and Information Management
    Update associated documentation after the system configuration has been changed. CC ID 00891 Operational management Establish/Maintain Documentation
    Update the system's backup procedures after an approved change has occurred. CC ID 04498 Operational management Data and Information Management
    Establish and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Establish/Maintain Documentation
    Configure the time server in accordance with organizational standards. CC ID 06426 System hardening through configuration management Configuration
    Configure the time server to synchronize with specifically designated hosts. CC ID 06427
    [Health information systems supporting time-critical shared care activities shall provide time synchronization services to support tracing and reconstitution of activity timelines where required. § 12.4.4 Health-specific control]
    System hardening through configuration management Configuration
    Establish and maintain records management policies used to manage organizational records. CC ID 00903 Records management Establish/Maintain Documentation
    Archive appropriate records, logs, and database tables. CC ID 06321
    [Publicly available health information (as distinct from personal health information) should be archived. § 14.1.3.1 Health-specific controls ¶ 1]
    Records management Records Management
    Establish and maintain records management procedures used to manage organizational records. CC ID 11619
    [Health information systems processing personal health information: shall be capable of merging duplicate or multiple records if it is determined that multiple records for the same subject of care have been created unintentionally or during a medical emergency. § 14.1.1.1 Health-specific control ¶ 1(b)]
    Records management Establish/Maintain Documentation
    Maintain electronic records in a manner equivalent to printed records, as necessary. CC ID 11806 Records management Records Management
    Process restricted information in a secure environment. CC ID 13058 Records management Process or Activity
    Refrain from creating printed records as copies of electronic records. CC ID 11808 Records management Records Management
    Protect records from loss in accordance with applicable requirements. CC ID 12007 Records management Records Management
    Log records as being received into the recordkeeping system. CC ID 11696 Records management Records Management
    Log the date and time each item is received into the recordkeeping system. CC ID 11709 Records management Log Management
    Log the date and time in the recordkeeping system each item is made available. CC ID 11710 Records management Log Management
    Log the number of routine items received into the recordkeeping system. CC ID 11701 Records management Establish/Maintain Documentation
    Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 Records management Log Management
    Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 Records management Log Management
    Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 Records management Log Management
    Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 Records management Log Management
    Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 Records management Log Management
    Log responses to inquiries, annotating the send date for each response. CC ID 11719 Records management Log Management
    Log the number of non-routine items received into the recordkeeping system. CC ID 11706 Records management Log Management
    Log the documentation of determination that items received are not routine. CC ID 11716 Records management Log Management
    Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 Records management Log Management
    Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 Records management Log Management
    Log performance monitoring for the organization. CC ID 11724 Records management Log Management
    Log the number of inquiries pending as of the close of business. CC ID 11728 Records management Log Management
    Log the number of inquiries received but not responded to within the required time frame. CC ID 11727 Records management Log Management
    Establish and maintain a current transfer journal. CC ID 11729 Records management Records Management
    Log any notices filed by the organization. CC ID 11725 Records management Log Management
    Log telephone responses into a telephone log, annotating the date of each response. CC ID 11723 Records management Log Management
    Log the date each certificate is made available to the presentor. CC ID 11720 Records management Log Management
    Log the number of items not processed within the required time frame. CC ID 11717 Records management Log Management
    Provide a receipt of records logged into the recordkeeping system. CC ID 11697 Records management Records Management
    Log the appointments and termination of appointments of registered transfer agents. CC ID 11712 Records management Log Management
    Log the number of items processed within the required time frame. CC ID 11715 Records management Log Management
    Log any stop orders or notices of adverse claims. CC ID 11726 Records management Log Management
    Include record integrity techniques in the Records Management procedures. CC ID 06418
    [The integrity of publicly available health information should be protected to prevent unauthorized modification. § 14.1.3.1 Health-specific controls ¶ 2]
    Records management Establish/Maintain Documentation
    Note in electronic records converted from printed records, the location of the original. CC ID 11809 Records management Records Management
    Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 Records management Establish/Maintain Documentation
    Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 Records management Business Processes
    Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 Records management Business Processes
    Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 Records management Business Processes
    Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 Records management Business Processes
    Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 Records management Records Management
    Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 Records management Business Processes
    Establish and maintain electronic storage media security controls. CC ID 13204 Records management Technical Security
    Establish and maintain electronic storage media management procedures. CC ID 00931 Records management Establish/Maintain Documentation
    Establish and maintain storage media and record security label procedures. CC ID 06747 Records management Establish/Maintain Documentation
    Label restricted storage media appropriately. CC ID 00966 Records management Data and Information Management
    Establish and maintain restricted material identification procedures. CC ID 01889 Records management Establish/Maintain Documentation
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Records management Establish/Maintain Documentation
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Records management Establish/Maintain Documentation
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Records management Establish/Maintain Documentation
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Records management Establish/Maintain Documentation
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Records management Establish/Maintain Documentation
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Records management Data and Information Management
    Establish and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 Records management Technical Security
    Establish the minimum originator requirements for security labels. CC ID 06579 Records management Establish/Maintain Documentation
    Establish the minimum intermediate system requirements for security labels. CC ID 06581 Records management Establish/Maintain Documentation
    Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 Records management Establish/Maintain Documentation
    Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 Records management Establish/Maintain Documentation
    Establish and maintain access controls for all records. CC ID 00371 Records management Records Management
    Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 Records management Data and Information Management
    Establish and maintain a records lifecycle management program. CC ID 00951 Records management Establish/Maintain Documentation
    Establish and maintain information preservation procedures. CC ID 06277 Records management Establish/Maintain Documentation
    Implement and maintain high availability storage, as necessary. CC ID 00952 Records management Technical Security
    Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 Records management Records Management
    Implement and maintain duplicate originals of record indexes. CC ID 00954 Records management Records Management
    Establish and maintain a transparent storage media strategy. CC ID 00932 Records management Records Management
    Establish and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 Records management Establish/Maintain Documentation
    Establish and maintain online storage controls. CC ID 00942 Records management Technical Security
    Establish and maintain security controls appropriate to the record types and electronic storage media in use. CC ID 00943 Records management Records Management
    Provide encryption for different types of electronic storage media. CC ID 00945
    [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control]
    Records management Technical Security
    Implement electronic storage media integrity controls. CC ID 00946 Records management Configuration
    Automate electronic storage media integrity check controls. CC ID 00948 Records management Configuration
    Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 Records management Configuration
    Establish and maintain a removable storage media log. CC ID 12317
    [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control]
    Records management Log Management
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 Records management Establish/Maintain Documentation
    Include the date and time in the removable storage media log. CC ID 12318 Records management Establish/Maintain Documentation
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 Records management Establish/Maintain Documentation
    Record the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Records management Establish/Maintain Documentation
    Record the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Records management Establish/Maintain Documentation
    Record the sender's name in the removable storage media log. CC ID 12752 Records management Establish/Maintain Documentation
    Record the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Records management Establish/Maintain Documentation
    Include the reason for transfer in the removable storage media log. CC ID 12316 Records management Establish/Maintain Documentation
    Establish and maintain storage media downgrading procedures. CC ID 10619 Records management Process or Activity
    Document all actions taken when downgrading electronic storage media. CC ID 10622 Records management Establish/Maintain Documentation
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems design, build, and implementation Systems Design, Build, and Implementation
    Separate the design and development environment from the production environment. CC ID 06088
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those health information systems. Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s). § 12.1.4 Health-specific control]
    Systems design, build, and implementation Systems Design, Build, and Implementation
    Specify appropriate tools for the system development project. CC ID 06830 Systems design, build, and implementation Establish/Maintain Documentation
    Initiate the System Development Life Cycle implementation phase. CC ID 06268 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish and maintain a system implementation standard. CC ID 01111 Systems design, build, and implementation Establish/Maintain Documentation
    Establish and maintain implementation plans. CC ID 01114
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those health information systems. Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s). § 12.1.4 Health-specific control]
    Systems design, build, and implementation Establish/Maintain Documentation
    Manage the system implementation process. CC ID 01115 Systems design, build, and implementation Behavior
    Establish and maintain facilities, assets, and services acceptance procedures. CC ID 01144
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. § 14.2.9 Health-specific control ¶ 1]
    Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Authorize new assets prior to putting them into the production environment. CC ID 13530 Acquisition or sale of facilities, technology, and services Process or Activity
    Establish and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Establish/Maintain Documentation
    Establish and maintain a personal data transparency and openness program. CC ID 00375 Privacy protection for information and data Data and Information Management
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 Privacy protection for information and data Data and Information Management
    Include the names of individuals to whom personal data may be disclosed in the disclosure accounting record. CC ID 13027
    [The organization should identify and document all parties with whom patient data is exchanged and contractual agreements should be made with these parties regulating access and privileges, prior to exchange of patient data. § 9.1.1 Health-specific control ¶ 5]
    Privacy protection for information and data Establish/Maintain Documentation
    Establish and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Privacy protection for information and data Establish/Maintain Documentation
    Dispose of media and personal data in a timely manner. CC ID 00125
    [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control
    In addition to implementing the control given by ISO/IEC 27002, organizations processing health information applications shall securely erase or else destroy all media containing health information application software or personal health information when the media are no longer required for use. § 11.2.7 Health-specific control
    In addition to implementing the control given by ISO/IEC 27002, all personal health information shall be securely erased or else the media destroyed when no longer required for use. § 8.3.2 Health-specific control]
    Privacy protection for information and data Data and Information Management
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Privacy protection for information and data Records Management
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Privacy protection for information and data Communicate
    Establish and maintain personal data use limitation procedures. CC ID 00128 Privacy protection for information and data Establish/Maintain Documentation
    Process personal data lawfully and carefully. CC ID 00086 Privacy protection for information and data Establish Roles
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Privacy protection for information and data Data and Information Management
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Privacy protection for information and data Establish/Maintain Documentation
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207
    [Health information systems processing personal health information shall provide personally identifying information to assist health professionals in confirming that the electronic health record retrieved matches the subject of care under treatment. § 14.1.1.2 Health-specific control
    Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when a healthcare relationship exists between the user and the data subject (the subject of care whose personal health information is being accessed); § 9.1.1 Health-specific control ¶ 1(a)]
    Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209
    [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when the user is carrying out an activity on behalf of the data subject; § 9.1.1 Health-specific control ¶ 1(b)]
    Privacy protection for information and data Data and Information Management
    Establish and maintain a data handling program. CC ID 13427 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Establish/Maintain Documentation
    Establish and maintain data and information confidentiality policies. CC ID 00361
    [{confidential information} All health information systems processing personal health information should inform users of the confidentiality of personal health information accessible from the system (e.g. at start-up or log-in) and should label hardcopy output as confidential when it contains personal health information. § 8.2.2 Health-specific control]
    Privacy protection for information and data Establish/Maintain Documentation
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Privacy protection for information and data Data and Information Management
    Protect electronic messaging information. CC ID 12022 Privacy protection for information and data Technical Security
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Privacy protection for information and data Data and Information Management
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Privacy protection for information and data Configuration
    Store payment card data in secure chips, if possible. CC ID 13065 Privacy protection for information and data Configuration
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Privacy protection for information and data Configuration
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Privacy protection for information and data Technical Security
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Privacy protection for information and data Data and Information Management
    Log the disclosure of personal data. CC ID 06628 Privacy protection for information and data Log Management
    Log the modification of personal data. CC ID 11844 Privacy protection for information and data Log Management
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Privacy protection for information and data Technical Security
    Implement security measures to protect personal data. CC ID 13606 Privacy protection for information and data Technical Security
    Implement physical controls to protect personal data. CC ID 00355 Privacy protection for information and data Testing
    Limit data leakage. CC ID 00356 Privacy protection for information and data Data and Information Management
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Privacy protection for information and data Monitor and Evaluate Occurrences
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Privacy protection for information and data Business Processes
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Privacy protection for information and data Acquisition/Sale of Assets or Services
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Privacy protection for information and data Data and Information Management
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes for which it was collected. CC ID 13610 Privacy protection for information and data Data and Information Management
    Establish and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [The organization should identify and document all parties with whom patient data is exchanged and contractual agreements should be made with these parties regulating access and privileges, prior to exchange of patient data. § 9.1.1 Health-specific control ¶ 5]
    Third Party and supply chain oversight Business Processes
    Include risk management procedures in the supply chain management policy. CC ID 08811 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029
    [In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level of risk and to the technologies employed. § 15.1.1 Health-specific control]
    Third Party and supply chain oversight Establish/Maintain Documentation