Remediation Plan Sample PDF

SAMPLE Remediation Plan

1.2.A Do policies/procedures cover the following areas:

| Area | Covered? | Remediation | Risk Response | Approach | Target Date | Reference |
|---|---|---|---|---|---|---|
| Risk Management | No | Develop a Risk Management (RM) policy which should address objectives, roles and responsibilities, what is considered an acceptable level of risk, and formal processes of identifying risk. Add a policy specifying that no paper documents are to be removed from the facility. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Example of Risk Management policy and procedure with HIPAA standards: http://www.westhertshospitals.nhs.uk/documents/trust_policies/current/info_risk_management_policy.pdf |
| Sanctions | No | Create or update sanction policies that focus on workforce members who fail to follow privacy or security policies and procedures for the organization. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Example of Sanctions policy and procedure: http://www.chpw.org/assets/file/Sanction-Policy.pdf |
| Termination | No | Create policies that identify termination procedures for voluntary and involuntary termination. Identify and provide details for a step-by-step analysis of business process termination, from supervisors to Human Resources, regarding employment termination procedures and account suspension. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Example of Termination policy and procedure: http://www.creighton.edu/fileadmin/user/doit/docs/policies/hipaa/Termination.pdf |
| Mobile Media and Device Security | No | Create an Acceptable Use Policy that end users must sign off on, containing clear requirements and expectations for the use of mobile media and devices, including corporate-owned and personally-owned devices that are allowed access to enterprise resources. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Insight: http://www.physicianspractice.com/blog/content/article/1462168/1867882. Policy Template: http://www.sans.org/security-resources/policies/Remote_Access.pdf |
| Information System Access | No | Develop an Information System Access policy that identifies all employees currently requiring information system access for authorized users. Specific documentation should be compiled to validate users for specified applications and their level of access rights to PHI, sensitive data, and information systems, protecting these from unauthorized access. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Example of Information System Access policy and procedure: http://www.awphd.org/presentations/HIPAAproject/reference/ISaccess.pdf |
| Security Training and Awareness | No | Develop a policy or update the existing Security Training and Awareness policy which requires all employees to periodically review a documented program for security training and awareness (supporting confidentiality, integrity, and availability) of organizational information. The security training and awareness policy should communicate the minimum requirements for all staff members regarding information security awareness and training. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Example of Security Training and Awareness policy and procedure: http://www.nyu.edu/content/dam/nyu/compliance/documents/HIPAA6.SecAware-Train.v8.041505Rev.020211.pdf |
| Anti-Malware | No | Develop a policy and procedure process for anti-malware that deploys centralized anti-virus and management software for protection against malicious software. The policy should describe procedural guidelines for detecting, removing, and preventing malware through the anti-virus or management system. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Example of Anti-Malware policy and procedure: http://it.ouhsc.edu/policies/documents/infosecurity/Anti-Virus%20Policy.pdf |
| Passwords | No | Develop a policy or update the existing password policy for password management regarding different levels of passwords (user and system). The policy should detail the standard for creating passwords, the protection of those passwords, and the frequency of change. The duration of password changes should be stated as quarterly for system-level and semi-annually for user-level passwords. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Example of Passwords policy and procedure: http://www.sans.org/security-resources/policies/Password_Policy.pdf |
| Security Incidents | No | Create or update policies and procedures so that security incidents are identified and reported. Developing a security policy and Security Incident Report Forms can help develop an Incident Response Unit focusing primarily on exploitation of organizational information. This policy should establish responsibility and accountability for all steps in the process of addressing computer security incidents, which should be clearly identified, contained, investigated, and remedied. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Example of Security Incidents policy and procedure: http://policy.iastate.edu/policy/it/incident/ |
| Data Backup and Storage | No | Create policies that identify data backup and storage procedures, content, encryption types, backup types, and storage locations. This policy should outline data backup best practices and define what data needs to be backed up. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Example of Data Backup and Storage policy and procedure: http://dept.wofford.edu/it/Data%20Backup%20Policy.pdf |
| Disaster Recovery | No | Create or update policies and procedures for Disaster Recovery within the organization. Identifying the planning team is critical in developing disaster recovery policies within different sectors of the organization: information security, information technology, human resources, upper management, and operations. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Example of Disaster Recovery policy and procedure: http://www.templatezone.com/pdfs/Disaster-Recovery-policy.pdf |
| Third Parties and Business Associates | No | Communicate to third parties and business associates the policies and procedures for business associate agreements, provisions, breaches, obligations and activities. The BA policy states what requirements are needed to establish a relationship with a third party in compliance with the provisions of HIPAA. Identify third parties with whom BA contracts should be established. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Example of Third Parties and Business Associates policy and procedures: http://www.himss.org/content/files/Code%20165%20HIMSS%20Sample%20BA%20Policy.pdf |
| Workstation Acceptable Use | No | Establish or update policy and procedure documents for workstation acceptable use within the organization. The policy should cover General Use and Ownership Information, Security and Proprietary Information, Unacceptable Use, Communication activities, and Enforcement of all definitions of policies and procedures within Workstation Acceptable Use. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Example of Workstation Acceptable Use policy and procedures: http://www.sans.org/security-resources/policies/Acceptable_Use_Policy.pdf |
| Disposal | No | Create or update Disposal policies for computers and removable devices (computer systems, electronic devices, and electronic media). Identify procedures with media sanitization methods: disposal, wiping, destroying, reformatting, and ghosting of all confidential information. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Example of Disposal policy and procedures: http://www.savannahstate.edu/faculty-staff/computer-services/docs/Policies/10-9%20Media%20Disposal%20Policy.pdf |
| Media Re-use | No | Policies involving Media Re-use should detail reuse of hardware devices for reallocation of parts or entire device systems. This policy should define requirements for re-using or re-purposing media that contained prior data, which may be included within the Disposal policy. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Example of Media Re-Use policy with HIPAA standards: http://www.creighton.edu/fileadmin/user/doit/docs/policies/hipaa/Media_disposal_and_reuse.pdf |
| Unique User IDs | No | Access Control should be communicated within Unique User IDs policies and procedures. The procedure of this policy should be effectively communicated to System Administrators and Information Security Officers. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Example of Unique User IDs policy with HIPAA standards: http://www.creighton.edu/fileadmin/user/doit/docs/policies/hipaa/Unique_ID.pdf |
| Person/Entity Authentication | No | Create or update Person/Entity Authentication for all workforce members seeking access to networks, systems, and applications with PHI information through required authentication procedures. The policy should detail misrepresentation violations and prohibit delegation of authorized access authentication information. State repercussions if the policy is violated. Outline the business process of authentication procedures within the organization. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Example of Person/Entity Authentication policy with HIPAA standards: http://www.creighton.edu/fileadmin/user/doit/docs/policies/hipaa/Authentication.pdf |
| PHI Security (ePHI) | No | Develop or update the policy on PHI security, which should outline minimum standards for ensuring the confidentiality, integrity, and availability of electronic protected health information (ePHI) received, maintained or transmitted by the organization. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Website link for PHI Security policy: http://www.upenn.edu/computing/security/policy/ePHI_Policy.html |
| PHI Transmission Protection (email) | No | Develop or update the policy requiring the secure transmission of confidential or sensitive information (e.g., PHI). All transmissions exchanged with a third party or which occur over open, public networks (e.g., the Internet) shall be secured, including email, FTP, and HTTP. Any transmissions sent shall be encrypted using modern standards with a minimum strength of 128-bit. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | Website link for PHI Security policy: http://www.upenn.edu/computing/security/policy/ePHI_Policy.html |

1.3 Does senior management sign off on the approval of information security policies and standards for the organization?

| Covered? | Remediation | Risk Response | Approach | Target Date | Reference |
|---|---|---|---|---|---|
| No | Develop or update policies and standards which should be approved by senior management to ensure that they are enforceable and are applicable across the entire organization. | Correct Risk | Contracted with third party to develop policies. We will augment policies with any procedures specific to Medical Practice's operations. | 9/30/2013 | This Policy Development Guide outlines Senior Management sign-off approvals for information security policies and standards: http://www.sans.org/reading_room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies_1331 |