Simple Privacy and Security Compliance Checklist for 2015
- Have you formally designated a person or position as your organization’s privacy and security officer?
- Do you have documented privacy and information security policies and procedures?
- Have they been reviewed and updated, where appropriate, in the last six months?
- Have the privacy and information security policies and procedures been communicated to all personnel, and made available for them to review at any time?
- Do you provide regular training and ongoing awareness communications for information security and privacy for all your workers?
- Have you done a formal information security risk assessment in the last 12 months?
- Do you regularly make backups of business information, and have documented disaster recovery and business continuity plans?
- Do you require all types of sensitive information, including personal information and health information, to be encrypted when it is sent through public networks and when it is stored on mobile computers and mobile storage devices?
- Do you require information, in all forms, to be disposed of using secure methods?
- Do you have a documented breach response and notification plan, and a team to support the plan?
If you answered no to any of these questions you have gaps in your security fence.
If you answered no to more than three, you need SIMBUS.
This is a very general assessment and works for Business Associates, Medical Offices, IT Companies and other small facilities. We have a much broader evaluation that covers the HIPAA Privacy and Security Rule and gives a more detailed assessment with findings, recommendations and overall risk level. The evaluation is 34 questions and takes about 15 minutes. Print a detailed graphical report when complete.
Every good compliance project starts with an Assessment. See what NIST has to say.
Risk assessment is one of the fundamental components of an organizational risk management process as described in NIST Special Publication 800-39. Risk assessments are used to identify, estimate, and prioritize risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.
The purpose of risk assessments is to inform decision makers and support risk responses by identifying: (i) relevant threats to organizations or threats directed through organizations against other organizations; (ii) vulnerabilities both internal and external to organizations; (iii) impact (i.e., harm) to organizations that may occur given the potential for threats exploiting vulnerabilities; and (iv) likelihood that harm will occur.
The end result is a determination of risk (i.e., typically a function of the degree of harm and likelihood of harm occurring). Risk assessments can be conducted at all three tiers in the risk management hierarchy — including Tier 1 (organization level), Tier 2 (mission/business process level), and Tier 3 (information system level).
At Tiers 1 and 2, organizations use risk assessments to evaluate, for example, systemic information security-related risks associated with organizational governance and management activities, mission/business processes, enterprise architecture, or the funding of information security programs. At Tier 3, organizations use risk assessments to more effectively support the implementation of the Risk Management Framework (i.e., security categorization; security control selection, implementation, and assessment; information system and common control authorization; and security control monitoring). Courtesy NIST.org