We’re continuing our discussion from the previous blog post, “The Importance of Separation of Duties”, and getting into more details surrounding documenting and tracking your processes.  

  • Document the separation of duties:
      • Formally document who in your organization is responsible for each information system, and spread those responsibilities across different individuals.
          • Specifically, who is responsible for configuring, auditing, and granting access to each system?
          • You can define this by job title or by named person. We suggest job title, so you do not have to revise your policy and procedure documents every time there is a staff change.
  • Documentation and tracking of requests:
      • Using a ticketing system to track access requests, system audits, and support incidents creates a record showing that the separation of duties is actually being followed.
      • Audit logs can be used to identify who is doing what on each system and to corroborate compliance with your separation of duties standards.
      • Make sure these records are retained for an appropriate period and are reviewed on a defined cadence.
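The two checks described above (each duty is performed only by the job title assigned to it, and no single person both configures or grants access to a system and audits it) can be run directly against ticketing and audit records. The script below is an added example, not code from the original post or from BlueOrange Compliance; the responsibility table, the staff-to-title mapping, the audit log records and their field names are all constructed for illustration, and the conflicting-duty pairs are assumptions you would replace with your own policy.

```python
"""Separation-of-duties review over audit/ticketing records.

Added example (not from the original post). All data below is constructed;
field names (user, system, duty, ticket) are assumptions about your log format.
"""
from collections import defaultdict

# Duty pairs that one person should never hold on the same system (assumed policy).
CONFLICTING_DUTIES = frozenset({
    frozenset({"configure", "audit"}),
    frozenset({"grant_access", "audit"}),
    frozenset({"configure", "grant_access"}),
})

# Which job title is responsible for each duty on each system (constructed).
RESPONSIBILITIES = {
    "ehr": {
        "configure": "Systems Administrator",
        "audit": "Compliance Officer",
        "grant_access": "Access Coordinator",
    },
}

# Current staff and their job titles (constructed).
STAFF_TITLES = {
    "alice": "Systems Administrator",
    "bob": "Compliance Officer",
    "carol": "Access Coordinator",
}

# Constructed audit log: who performed which duty on which system, under which ticket.
AUDIT_LOG = [
    {"ts": "2024-03-01T09:00:00Z", "user": "carol", "system": "ehr", "duty": "grant_access", "ticket": "REQ-101"},
    {"ts": "2024-03-01T09:30:00Z", "user": "alice", "system": "ehr", "duty": "configure", "ticket": "CHG-55"},
    {"ts": "2024-03-02T10:00:00Z", "user": "bob", "system": "ehr", "duty": "audit", "ticket": "AUD-7"},
    # The administrator audits the system she configures: a separation-of-duties gap.
    {"ts": "2024-03-03T11:00:00Z", "user": "alice", "system": "ehr", "duty": "audit", "ticket": "AUD-8"},
    # An access grant with no ticket reference: the request was not tracked.
    {"ts": "2024-03-03T12:00:00Z", "user": "carol", "system": "ehr", "duty": "grant_access", "ticket": ""},
]


def find_sod_violations(log, responsibilities, titles, conflicts=CONFLICTING_DUTIES):
    """Return a list of (finding_type, user, system, duty, ticket) tuples.

    finding types:
      unassigned_duty     - the actor's job title is not the one assigned to that duty
      missing_ticket      - the action has no ticket reference, so it was not tracked
      conflicting_duties  - one person performed a conflicting pair of duties on a system
    """
    findings = []
    duties_by_user_system = defaultdict(set)

    for rec in log:
        expected_title = responsibilities.get(rec["system"], {}).get(rec["duty"])
        actual_title = titles.get(rec["user"])
        if expected_title is None or actual_title != expected_title:
            findings.append(("unassigned_duty", rec["user"], rec["system"], rec["duty"], rec["ticket"]))
        if not rec["ticket"]:
            findings.append(("missing_ticket", rec["user"], rec["system"], rec["duty"], rec["ticket"]))
        duties_by_user_system[(rec["user"], rec["system"])].add(rec["duty"])

    # Conflict check is over the whole review window, not per record: the problem is
    # the same person holding both duties, regardless of when each action happened.
    for (user, system), duties in sorted(duties_by_user_system.items()):
        for pair in conflicts:
            if pair <= duties:
                findings.append(("conflicting_duties", user, system, "+".join(sorted(pair)), ""))
    return findings


if __name__ == "__main__":
    for finding in find_sod_violations(AUDIT_LOG, RESPONSIBILITIES, STAFF_TITLES):
        print(*finding, sep="\t")
```

Run on a real export, the `unassigned_duty` and `conflicting_duties` findings are the evidence your documented separation of duties is (or is not) being executed, and `missing_ticket` findings show where the ticketing process is being bypassed. Reviewing this output on the cadence you define is what turns the retained records into an actual control.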

https://nvd.nist.gov/800-53/Rev4/control/AC-5 

HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(4)(ii)(B), 164.310(a)(1), 164.310(b), 164.312(a)(1), 164.312(b), 164.312(c), 164.312(e) 

Learn how BlueOrange Compliance can help you protect your organization and the people you serve by calling 855.500.6272, or request a free consult.
