Risk: Not having policies and procedures for the review of information system activity.
Explanation: Reviewing the activity of information system enables one to identify and investigate irregular use of system, which might be due to some breach in your security protocols or maybe a violation of your security policies. Reviewing the activity of information system includes:
- Analyzing the audit reviews.
- Analyzing system activities and incident reports.
- Analyzing the audit logs.
- Reviewing the exception reports.
If you don’t have defined procedures or policies to analyze these activities, you might not be able to detect and analyze security violations, unauthorized disclosure or use of ePHI.
Mitigation: Establish a system for reviewing the records of activity of information security system. This includes reviewing incident tracking reports, audit logs, access reports and so on.
Success Criteria: Being able to detect and analyze any anomalies after reviewing information security system activity records.