governance Controls

A cybersecurity policy is established, approved, and communicated

Designate a security official responsible for developing and implementing security policies and procedures

Implement reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule

Maintain written security policies, procedures, and records for six years from creation or last effective date

The organizational mission is understood and informs cybersecurity risk management

Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered

Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed

Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated

Outcomes, capabilities, and services that the organization depends on are understood and communicated

Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy

The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks

Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments

A cybersecurity risk management policy is established and enforced

The cybersecurity policy is reviewed and updated to reflect changes in requirements, threats, and technology

Risk management objectives are established and agreed to by organizational stakeholders

Risk appetite and risk tolerance statements are established, communicated, and maintained

Cybersecurity risk management activities and outcomes are included in enterprise risk management processes

Strategic direction that describes appropriate risk response options is established and communicated

Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties

A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated

Strategic opportunities (positive risks) are characterized and included in organizational cybersecurity risk discussions

Organizational leadership is responsible and accountable for cybersecurity risk

Cybersecurity roles, responsibilities, and authorities are established and enforced

Adequate resources are allocated to cybersecurity commensurate with risk

A cybersecurity supply chain risk management program is established

Cybersecurity roles and responsibilities for suppliers and partners are established and coordinated

Supply chain risk management is integrated into enterprise risk management processes

Changes and exceptions are managed, assessed for risk impact, and tracked

Commitment to integrity and ethical values is demonstrated

Board or equivalent body oversees security risk

Organizational structure and authority for security is defined

Controls are deployed through policies and procedures