438
A Practical Guide to Security Assessments
4. Do sanctions for noncompliance exist and are they based on severity?
Guidance:
Sanctions are a key component of handling noncompliance issues. Without sanctions, there is no repercussion for personnel who do not follow the policy. Ideally, the sanctions should be graduated by severity of the violation and other relevant circumstances, and the sanction policy itself should be documented and applied consistently.
Client Response:
5. Is an internal audit process in place?
Guidance:
Internal audit is covered later in this checklist; however, it is an important point when discussing sanctions. Audits give management a view of where control weaknesses and noncompliance issues lie, and they supply the evidence on which sanctions can be based. The audit process is also an excellent way to enforce HIPAA security requirements. Ideally, the internal audit program should test many of the HIPAA security requirements directly, to help ensure compliance with HIPAA security.
Client Response:
iv. Information Systems Activity Review
“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”⁵
This specification is a “monitoring” requirement as it pertains to ensuring that
information systems and data remain secure. Below are some questions to help
determine compliance with this requirement.
1. Do documented procedures detail what reports should be reviewed to
effectively monitor the systems (e.g., system logs, audit logs)?
Guidance: Activity review should be a planned, documented activity. The depth of review should be based on the criticality of the systems, the volume of activity on them, and any other relevant factors. Depending on the amount of information generated, it may make sense to recommend that the entity use third-party tools to automate log review and produce exception reports; automated reporting does not remove the need for a named reviewer and a record that each review was performed. There should also be a process that sets the frequency and nature of review according to risk.
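The following is an added illustration, not code from the book or from any product it mentions, of what an automated "exception report" over activity logs looks like in practice. The log format, the policy inputs (authorized users, business hours, failed-login threshold) and the sample log lines are all constructed for the example; a real review would take these from the entity's documented procedure and its actual systems.

```python
"""Exception-report generator for audit-log review (added illustration)."""
from collections import Counter
from datetime import datetime

# Constructed sample audit log lines in a hypothetical "ts key=value ..." format.
SAMPLE_LOG = """\
2004-08-17T09:12:01 user=jsmith action=LOGIN result=SUCCESS src=10.0.0.5
2004-08-17T09:13:40 user=jsmith action=VIEW record=PHI-00123 result=SUCCESS src=10.0.0.5
2004-08-17T02:14:05 user=mlee action=VIEW record=PHI-00456 result=SUCCESS src=10.0.0.9
2004-08-17T10:01:00 user=bkahn action=LOGIN result=FAILURE src=203.0.113.7
2004-08-17T10:01:07 user=bkahn action=LOGIN result=FAILURE src=203.0.113.7
2004-08-17T10:01:15 user=bkahn action=LOGIN result=FAILURE src=203.0.113.7
2004-08-17T11:30:22 user=tmp_contractor action=VIEW record=PHI-00789 result=SUCCESS src=10.0.0.12
"""

# Hypothetical policy inputs; in practice these come from the documented review procedure.
AUTHORIZED_PHI_USERS = {"jsmith", "mlee"}
BUSINESS_HOURS = (7, 19)       # 07:00 inclusive to 19:00 exclusive, local time
FAILED_LOGIN_THRESHOLD = 3     # failures per user per reviewed period


def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        event = {"ts": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for tok in parts[1:]:
        if "=" not in tok:
            return None
        key, value = tok.split("=", 1)
        event[key] = value
    return event


def parse_log(text):
    """Return (events, malformed_count); malformed lines are counted, not dropped silently."""
    events, malformed = [], 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if event is None:
            malformed += 1
        else:
            events.append(event)
    return events, malformed


def exception_report(text):
    """Apply the review rules and return a list of (rule, detail) findings."""
    events, malformed = parse_log(text)
    findings = []
    # Unparseable lines are themselves an exception: the reviewer cannot vouch for them.
    if malformed:
        findings.append(("MALFORMED_LINES",
                         f"{malformed} unparseable line(s); check log integrity"))
    failures = Counter()
    for ev in events:
        user = ev.get("user", "?")
        if ev.get("action") == "LOGIN" and ev.get("result") == "FAILURE":
            failures[user] += 1
        if ev.get("action") == "VIEW" and str(ev.get("record", "")).startswith("PHI-"):
            hour = ev["ts"].hour
            if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
                findings.append(("AFTER_HOURS_PHI_ACCESS",
                                 f"{user} viewed {ev['record']} at {ev['ts'].isoformat()}"))
            if user not in AUTHORIZED_PHI_USERS:
                findings.append(("UNAUTHORIZED_PHI_ACCESS",
                                 f"{user} viewed {ev['record']}"))
    for user, count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("REPEATED_LOGIN_FAILURE",
                             f"{user}: {count} failed logins"))
    return findings


if __name__ == "__main__":
    for rule, detail in exception_report(SAMPLE_LOG):
        print(f"{rule:26} {detail}")
```

On the constructed sample this reports three exceptions (after-hours access by mlee, access to a PHI record by a user outside the authorized set, and three failed logins for bkahn) while the routine in-hours activity by jsmith produces nothing. The point for the assessor is that the rules encode the documented review criteria, so the exception report is both the reviewer's starting point and evidence that the review was performed against the stated criteria.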
AU1706_book.fm Page 438 Tuesday, August 17, 2004 11:02 AM