Secure Req 15

From IDESG Wiki

SECURE-15. SECURITY AUDITS

Entities MUST conduct regular audits of their compliance with their own information security policies and procedures, and any additional requirements of law, including a review of their logs, incident reports and credential loss occurrences, and MUST periodically review the effectiveness of their policies and procedures in light of that data.

SUPPLEMENTAL GUIDANCE

Both internal and third-party audits are considered acceptable for conformance to this Requirement.

This Requirement does not dictate the frequency of audits. However, the processes, policies, and procedures for conducting audits, those for defining audit frequency, and the audit findings themselves must all be documented. Additionally, a process for remediating and correcting deficiencies identified during audits must also be documented.

REFERENCES

As an example: HIPAA Security Regulations regarding auditable controls and periodic review of logs: 45 CFR Part 164, § 164.308(a)(1)(ii)(D), § 164.312(b): http://www.ecfr.gov/cgi-bin/textidx?node=pt45.1.164&rgn=div5

APPLIES TO ACTIVITIES

REGISTRATION, CREDENTIALING, AUTHENTICATION, AUTHORIZATION, INTERMEDIATION

KEYWORDS

AUDIT, LOGS, POLICIES, PROCESS, SECURITY