
RM-03 Risk Assessment: HIPAA Criteria

Control Description

The organization's periodic risk assessment for systems that process, transmit or store Protected Health Information (PHI) includes the following:
• identify and classify assets
• identify threats
• identify vulnerabilities
• identify controls
• perform threat likelihood analysis
• perform threat impact analysis
• identify residual risk
• identify appropriate safeguards

Theme: Process

Type: Detective

Policy/Standard: Risk Management Standard

Implementation Guidance

1. Ensure that a risk assessment for systems that process, transmit or store Protected Health Information (PHI) is in place and includes the following:
• identify and classify assets
• identify threats
• identify vulnerabilities
• identify controls
• perform threat likelihood analysis
• perform threat impact analysis
• identify residual risk
• identify appropriate safeguards

Testing Procedure

1. Review the risk assessment for a sample of systems that process, transmit or store Protected Health Information (PHI) and validate whether it includes the following:
• identify and classify assets
• identify threats
• identify vulnerabilities
• identify controls
• perform threat likelihood analysis
• perform threat impact analysis
• identify residual risk
• identify appropriate safeguards

Audit Artifacts

E-RM-06

Framework Mappings

Cross-framework mappings provided by Adobe CCF Open Source under Creative Commons License.
