| Information Security Area | Assessment Category | Scope |
|---|---|---|
| Management | Governance | Personnel security, Physical security, Policies, Procedures |
| Management | Risk Management | Risk management processes |
| Management | Compliance and Audit | HIPAA, HITECH Act |
| Management | Information Management | ePHI management, Key management |
| Management | Business Associate Oversight | Policies, Access management |
| Operations | Incident Response | Intrusion detection/prevention, Response planning |
| Operations | Business Continuity | Data backup, Disaster recovery, Business impact analysis |
| Operations | Personnel Security | Workforce security, Security awareness and training |
| Operations | Physical Security | Facility access controls, Workstation use, Workstation security |
| Technical | Data Security | Disposal, Encryption, Handling, Transit, Storage |
| Technical | Network Security | Architecture, Access control, Device management, Monitoring and event management |
| Technical | Systems Security | Access control, Policy review, Monitoring and event management, Virtualization management, System hardening, Patch management |