Secure Req 15
SECURE-15. SECURITY AUDITS
Entities MUST conduct regular audits of their compliance with their own information security policies and procedures, and any additional requirements of law, including a review of their logs, incident reports and credential loss occurrences, and MUST periodically review the effectiveness of their policies and procedures in light of that data.
Both internal and third-party audits are considered acceptable for conformance to this Requirement.
This Requirement does not dictate the frequency of audits. However, the processes, policies and procedures for conducting audits, those for defining their frequency, and the audit findings themselves must be documented. A process for remediating and correcting deficiencies identified during audits must also be documented.
As an example, the HIPAA Security Rule addresses audit controls and periodic review of logs at 45 CFR Part 164, § 164.308(a)(1)(ii)(D) (information system activity review) and § 164.312(b) (audit controls): http://www.ecfr.gov/cgi-bin/textidx?node=pt45.1.164&rgn=div5