Collection

Proof of completed access review

Access request tickets tracked

Incident report review maintained

AWS accounts deprovisioned when employees leave

MFA on AWS

Background checks on employees

Windows computer screenlock configured

Employee account permissions managed with AWS groups

System updates communicated internally

Application session timeout ensured

Low, moderate, high, and critical vulnerabilities identified in GitHub repositories are addressed

Task tracker configured

Security issues in task tracker assigned owners and priorities

Priority 3 security issues in task tracker resolved

Employees have unique IAM accounts

Malware detection on Windows workstations

MFA on Google Workspace

GitHub accounts monitored

No IAM policies directly attached to users

Application access request denied logs kept

Old AWS accounts disabled

HIPAA Security Officer is an active employee

MFA on root AWS accounts

AWS accounts reviewed

HIPAA security awareness training completed

General security awareness trainings completed

Proof of media/device disposal collected

Public change log or release notes published

Employee exit process established

Vendor security reviews completed and risk levels assigned

macOS computer screenlock configured

Employee computer hard disk encrypted

Password manager utilized

Tabletop disaster recovery exercise completed

GitHub vulnerability scanning enabled

Low, medium, high, and critical vulnerabilities in AWS Container packages addressed

Exit interviews conducted for ex-employees

S3 Block Public Access feature enabled

S3 server access logs enabled

SSL certificate has not expired

SSL configuration has no known issues

Strong SSL/TLS ciphers used

User data is encrypted at rest

AWS vulnerability scanning is enabled

SSL enforced on company website

Daily AWS RDS database backups enabled

Load balancers redirect HTTP to HTTPS

AWS RDS instance IP restricted

Root AWS account unused

Automated log alerting enabled

Server logs retained for 365 days

ECS public ports restricted

CloudTrail enabled

ECS unwanted traffic filtered

CloudTrail trails have log file integrity validation enabled

Inventory items have descriptions

ECS public SSH denied

Load balancer used

Only authorized users can access logging buckets

Business associate agreements signed

Data restore test passed

Penetration test report passed

Privacy policy publicly available

HIPAA risks reviewed annually

Template business associate agreement created

Categorized and prioritized asset inventory maintained

IDS/IPS systems in place for continuous monitoring

GitHub accounts deprovisioned when employees leave

Passwords meet company password standards

Firewalls implemented

Employee role transfer process established

Breach reporting email templates maintained
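Several of the AWS items in this list (MFA on root AWS accounts, no IAM policies directly attached to users, S3 Block Public Access, CloudTrail log file integrity validation, load balancers redirecting HTTP to HTTPS, public SSH on ECS hosts) are pass/fail facts that can be read straight out of the JSON the corresponding AWS API returns. The Python below is an added example written for this page, not code from the original checklist or from any compliance tool. It assumes the response shapes of the boto3 / `aws` CLI calls named in each docstring, interprets "ECS public SSH denied" as "no security group permits TCP/22 from 0.0.0.0/0 or ::/0" (an assumption about how that control is measured), and runs against constructed sample responses so it works offline; point the same functions at saved or live API output to evaluate a real account.

```python
"""Offline evaluators for a handful of the AWS controls in the checklist.

Each function takes the response shape the named AWS API returns (boto3 dict /
`aws` CLI JSON) and returns pass/fail or the list of offending resources.
All SAMPLE responses below are constructed for illustration; the account IDs,
user names, trail names and group IDs are not real.
"""
from ipaddress import ip_network

BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def root_mfa_enabled(account_summary):
    """iam get-account-summary: AccountMFAEnabled is 1 only when the root user has MFA."""
    return account_summary["SummaryMap"].get("AccountMFAEnabled", 0) == 1


def users_with_direct_policies(attached_by_user, inline_by_user):
    """'No IAM policies directly attached to users' must cover both managed policies
    (iam list-attached-user-policies) and inline policies (iam list-user-policies)."""
    offenders = {u for u, r in attached_by_user.items() if r.get("AttachedPolicies")}
    offenders |= {u for u, r in inline_by_user.items() if r.get("PolicyNames")}
    return sorted(offenders)


def s3_block_public_access_complete(resp):
    """s3control get-public-access-block (or per-bucket s3 get-public-access-block):
    all four flags must be True; a partial configuration still permits exposure."""
    cfg = resp.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(flag) is True for flag in BPA_FLAGS)


def trails_missing_integrity_validation(resp):
    """cloudtrail describe-trails: without LogFileValidationEnabled the delivered
    log files carry no digest chain, so tampering after delivery is undetectable."""
    return [t["Name"] for t in resp.get("trailList", [])
            if not t.get("LogFileValidationEnabled")]


def http_listeners_not_redirecting(resp):
    """elbv2 describe-listeners: every HTTP listener's default action must be a
    redirect whose RedirectConfig targets HTTPS. Returns offending listener ports."""
    bad = []
    for lst in resp.get("Listeners", []):
        if lst.get("Protocol") != "HTTP":
            continue
        redirects = any(a.get("Type") == "redirect"
                        and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
                        for a in lst.get("DefaultActions", []))
        if not redirects:
            bad.append(lst["Port"])
    return bad


def _is_any_cidr(cidr):
    # 0.0.0.0/0 and ::/0 are the only networks with a zero-length prefix.
    return ip_network(cidr, strict=False).prefixlen == 0


def groups_allowing_public_ssh(resp):
    """ec2 describe-security-groups: flag groups with an ingress rule that covers
    TCP/22 (IpProtocol '-1' means every protocol and port) from 0.0.0.0/0 or ::/0."""
    found = []
    for group in resp.get("SecurityGroups", []):
        for rule in group.get("IpPermissions", []):
            proto = rule.get("IpProtocol")
            covers_22 = proto == "-1" or (
                proto == "tcp" and rule.get("FromPort", 0) <= 22 <= rule.get("ToPort", 0))
            public = (any(_is_any_cidr(r["CidrIp"]) for r in rule.get("IpRanges", []))
                      or any(_is_any_cidr(r["CidrIpv6"]) for r in rule.get("Ipv6Ranges", [])))
            if covers_22 and public:
                found.append(group["GroupId"])
                break
    return found


SAMPLE = {  # constructed sample API responses: some controls pass, some fail
    "account_summary": {"SummaryMap": {"AccountMFAEnabled": 1, "Users": 2}},
    "attached_by_user": {
        "alice": {"AttachedPolicies": []},
        "bob": {"AttachedPolicies": [{"PolicyName": "AdministratorAccess",
                                      "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}},
    "inline_by_user": {"alice": {"PolicyNames": ["s3-read"]}, "bob": {"PolicyNames": []}},
    "public_access_block": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": False}},
    "trails": {"trailList": [{"Name": "org-trail", "LogFileValidationEnabled": True},
                             {"Name": "legacy-trail", "LogFileValidationEnabled": False}]},
    "listeners": {"Listeners": [
        {"Port": 80, "Protocol": "HTTP", "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
            "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
        {"Port": 443, "Protocol": "HTTPS", "DefaultActions": [{"Type": "forward"}]}]},
    "security_groups": {"SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                                      "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0ffffffff", "IpPermissions": [{"IpProtocol": "-1",
                                                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}]},
}


def evaluate(s=SAMPLE):
    """Map checklist control names to (passed, offending resources)."""
    direct = users_with_direct_policies(s["attached_by_user"], s["inline_by_user"])
    trails = trails_missing_integrity_validation(s["trails"])
    listeners = http_listeners_not_redirecting(s["listeners"])
    ssh = groups_allowing_public_ssh(s["security_groups"])
    return {
        "MFA on root AWS accounts": (root_mfa_enabled(s["account_summary"]), []),
        "No IAM policies directly attached to users": (not direct, direct),
        "S3 Block Public Access feature enabled": (s3_block_public_access_complete(s["public_access_block"]), []),
        "CloudTrail trails have log file integrity validation enabled": (not trails, trails),
        "Load balancers redirect HTTP to HTTPS": (not listeners, listeners),
        "ECS public SSH denied": (not ssh, ssh),
    }


if __name__ == "__main__":
    for control, (ok, details) in evaluate().items():
        print(f"{'PASS' if ok else 'FAIL'}  {control}" + (f"  {details}" if details else ""))
```

Two design points worth noting: the S3 check deliberately requires all four Block Public Access flags rather than "the feature is on", because a bucket with only `BlockPublicAcls` set can still be exposed by a bucket policy; and the IAM check counts inline policies as well as attached managed ones, since a control named "no policies directly attached to users" is routinely satisfied on paper by moving the attachment inline.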