
1. How to send HIPAA compliant emails?

To send HIPAA compliant emails, consider how an email travels: the sender drafts an email on their
workstation, which is then transmitted to the sender's email server. The sender's email server then
sends the email to the recipient's email server, from which it is retrieved by the recipient. Along the
way, there are unarguably chances of data breach or non-compliance. Hence, you should consider the
following things to send HIPAA compliant emails.

Have end-to-end encryption

The Data Encryption Standard (DES) was once thought to be secure, but this is no longer the case. For
guidance on appropriate encryption standards, consult the National Institute of Standards and
Technology (NIST). AES with 192- or 256-bit keys is an alternative you may consider in place of DES.

The communication must be encrypted if the PHI is in the body text. If it's part of an attachment, you
can encrypt the attachment instead.
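As an added example (not code from the original page), the following Go program encrypts an attachment with AES-GCM before it is attached to the message, accepting only the 192- or 256-bit keys recommended above and rejecting DES-length keys; it assumes the key is exchanged between sender and recipient out of band.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM enforces the key-size recommendation from the text: AES with a
// 192- or 256-bit key. A DES-length 64-bit key (or AES-128) is rejected.
func newGCM(key []byte) (cipher.AEAD, error) {
	if n := len(key); n != 24 && n != 32 {
		return nil, fmt.Errorf("key is %d bits; use a 192- or 256-bit AES key", n*8)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAttachment seals the attachment bytes with AES-GCM. The output is
// nonce || ciphertext || tag: the nonce is fresh per message and travels
// with the data, and the tag lets the recipient detect tampering in transit.
func EncryptAttachment(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptAttachment is the recipient side; any modified byte fails the tag check.
func DecryptAttachment(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short to hold a nonce")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	key := make([]byte, 32) // 256-bit key; assumed to be shared out of band
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample attachment standing in for a PHI-bearing file.
	blob, err := EncryptAttachment(key, []byte("patient: constructed sample"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted attachment: %d bytes (nonce+ciphertext+tag)\n", len(blob))
	_, err = EncryptAttachment([]byte("8bytekey"), nil)
	fmt.Println("DES-length key rejected:", err)
}
```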

Sign a Business Associate Agreement

If you use a third-party email provider to send electronic protected health information (ePHI), you
should get a business associate agreement before using the service. The business associate agreement
explains the service provider's responsibilities and specifies that physical, technical and administrative
measures would be implemented to preserve the confidentiality of ePHI.

In general, free internet-based mail services like Gmail and Hotmail are not secure for transmitting
personal information. If you insist on using an internet-based email provider, make sure you have them
sign a Business Associate Agreement (BAA).

Ensure your email is configured correctly

Using a BAA-protected email service does not automatically make your email HIPAA-compliant.

If G Suite is used in conjunction with a business domain, email can be made HIPAA compliant. Even then,
you must configure the service carefully to ensure end-to-end encryption.

It's important to note that G Suite isn't the same as Gmail. Gmail isn't designed for corporate use, and it
can't be configured to comply with HIPAA. Google only signs a BAA for its premium services, not for its
free ones.

3. What is COBIT (Control Objectives for Information and Related Technologies)?

COBIT is an IT governance framework for businesses wanting to implement, monitor and improve IT
management best practices. COBIT is the acronym for Control Objectives for Information and Related
Technologies.

The COBIT framework was created by ISACA to bridge the crucial gap between technical issues, business
risks and control requirements.

COBIT can be implemented in any organization from any industry to ensure quality, control and
reliability of information systems.

In the United States, COBIT is the most commonly used framework for achieving compliance with the
Sarbanes-Oxley Act (SOX).

4. What is ISACA?

ISACA sets and develops guidance and controls for information governance, control, security and audit
professionals.

The global organization sponsors and drives the COBIT framework. ISACA originally stood for
"Information Systems Audit and Control Association," but the organization now simply goes by ISACA.

What is the history of COBIT?

The original version of COBIT was published in 1996 for financial auditors to better navigate the growth
of IT environments.

ISACA released a more comprehensive version in 1998 that covered areas beyond audit controls.
Versions 3 and 4, released in the 2000s, included further management guidelines around cybersecurity.

Released in 2013, COBIT 5 focused on providing tools, best practices and objectives that were universally
applicable to all enterprise IT operations.

COBIT 5 expanded on COBIT 4 by integrating related standards from the International Organization for
Standardization (ISO), including IT Infrastructure Library (ITIL).

In 2019, ISACA announced the current COBIT version: COBIT 2019. This current version is a more
generic, comprehensive and flexible tool that can be used by all enterprises regardless of their size or
immediate goals.

It also better addresses rapidly changing technology and is designed to evolve with more frequent
updates.

Why is COBIT important?

The goal of the COBIT framework is to provide a common language for IT professionals, business
executives and compliance auditors to communicate with each other about IT controls, goals, objectives
and outcomes.

Without a common language, an enterprise under audit runs the risk of having to educate individual
auditors about when, where, how and why specific IT controls were created.

What are the COBIT framework basics?

COBIT incorporates more than just technical standards for IT managers. The framework supports
business requirements through the combined application of IT, related resources and processes. Two
main parameters provided are:

Control. Includes IT management procedures, practices, policies and structures designed to provide an
acceptable level of assurance that business goals will be met.

IT control objective. Defines the level of acceptable results to be attained by implementing control
procedures concerning a particular IT operation.

What are the principles of COBIT?

COBIT is based on five key principles for IT enterprise governance:

Principle 1: Meeting Stakeholder Needs

Principle 2: Covering the Enterprise End-to-End

Principle 3: Applying a Single Integrated Framework

Principle 4: Enabling a Holistic Approach

Principle 5: Separating Governance from Management

The framework also identifies seven aspects of governance that need to align in order to support the
five principles above:

Principles, Policies and Frameworks

Processes

Organizational Structures

Culture, Ethics and Behavior

Information

Services, Infrastructure and Applications

People, Skills and Competencies

What do you need to know before using COBIT?

COBIT 2019 is not a cheat sheet but a generic tool to support business decisions.

Objectives. COBIT 2019 contains over 40 business management and governance objectives. IT managers
can prioritize or ignore these objectives based on the needs of different stakeholders.

Domains. COBIT objectives are grouped into specific domains. The domains map to different business
processes like planning, building and monitoring.

Goals cascade. This defines the connection between needs and business goals.

Components. Components or enablers are generic elements like skills, infrastructure, process
descriptions and structures that influence IT.

Design factors. These include contextual, strategic and tactical factors that help define the needs of an
organization and how they must be addressed in a framework. These factors drive implementation
choices regarding technology (such as cloud data), methods (such as DevOps, ITIL 4 or Agile) and
outsourcing.

5. The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27K' for short)
comprises information security standards published jointly by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC).[1]

The series provides best practice recommendations on information security management—the
management of information risks through information security controls—within the context of an
overall Information security management system (ISMS), similar in design to management systems for
quality assurance (the ISO 9000 series), environmental protection (the ISO 14000 series) and other
management systems.[2][3]

The series is deliberately broad in scope, covering more than just privacy, confidentiality and
IT/technical/cybersecurity issues. It is applicable to organizations of all shapes and sizes. All
organizations are encouraged to assess their information risks, then treat them (typically using
information security controls) according to their needs, using the guidance and suggestions where
relevant. Given the dynamic nature of information risk and security, the ISMS concept incorporates
continuous feedback and improvement activities to respond to changes in the threats, vulnerabilities or
impacts of incidents.

The standards are the product of ISO/IEC JTC1 (Joint Technical Committee 1) SC27 (Subcommittee 27),
an international body that meets in person twice a year.

The ISO/IEC standards are sold directly by ISO, mostly in English, French and Chinese. Sales outlets
associated with various national standards bodies also sell directly translated versions in other
languages.

6. The statement of applicability (SoA) is the main link between risk assessment and risk treatment in an
enterprise or in an organization within an enterprise and, therefore, is a requirement for information
security management system (ISMS) implementations. The SoA is a continuously updated and controlled
document that provides an overview of information security implementation.

ISO 27001:2013 includes a documented statement (the SoA) with 35 control objectives and 114
comprehensive controls to implement in an organizational ISMS.1 The SoA should provide a reason for
including or excluding any of the SoA controls in the ISMS. Some organizations may not require all
controls listed under the SoA. For example, an organization that does not allow staff to work remotely
does not need to implement telecommuting-related controls. Likewise, implementing only the ISO
27001:2013 controls may not sufficiently secure enterprise systems. For example, an enterprise that
subscribes to cloud services might require additional controls.

SoA preparation at the enterprise level requires significant coordination, time, effort and upper-
management commitment. The resulting SoA should be a short chart of controls. The SoA must be
reviewed and approved by top management or an appropriate authority of the organization. Enterprises
are often very anxious about audits, and top management can put great pressure on information
security roles to eliminate nonconformity in an audit. The scenario at most enterprises is often quite
dramatic when an audit is nearing and during the audit. Full attention and focus on the SoA during its
preparation should result in few or no surprises. If the SoA is created correctly, nothing major can fall
through the cracks regarding conformance to information security requirements. Any
nonconformance/noncompliance found by the auditors can then be treated as input that helps the
organization toward continual improvement.

The process for producing the SoA and implementing the ISMS is very simple to understand:

The International Organization for Standardization (ISO) says that all activities must follow a method.

That method or process must be documented.

Processes must have controls, such as audits and reviews.

The enterprise must have a security goal, which is stated in the information security policy.

The enterprise must continuously verify and continuously improve the processes and controls.

To implement the ISMS, the enterprise requires written policies, procedures and work instructions—
adhering to these policies and methods fills most information security gaps. Enterprises’ top
management should be prepared to answer the following questions:

Why is the ISMS being implemented?

How is the ISMS being implemented?

The purpose of information security is to ensure the protection of confidentiality, integrity and
availability (CIA). An ISMS is a systematic risk approach to establish, implement, operate, monitor,
review, maintain and improve information security. An ISMS can be implemented as the result of risk
analysis to eliminate or reduce risk to an acceptable level. The basics of information security are the
preservation of CIA:

Confidentiality—Ensuring that the information is accessible only to those authorized to access it

Integrity—Ensuring that the information is accurate and complete and that the information is not
modified without authorization

Availability—Ensuring that the information is accessible to authorized users when required

The SoA serves as a checklist to implement ISMS in the organization so that no necessary controls are
omitted. The SoA controls identify all relevant regulatory and legal requirements, and must address
contractual obligations and controls that are related to the business needs.2 The SoA should be unique
to the enterprise and must be relevant to its business.

The advantages of the SoA are that it explains the controls succinctly and is acceptable to the auditor
who assesses the enterprise. ISO seldom dictates writing 100-page policy documents for each control.

The first step to an SoA is an information security risk assessment with a mapped risk acceptance
criteria. The risk assessment process is associated with the loss of confidentiality, integrity and
availability of information, which must include:

People

Software

Hardware

Data and databases

Information

History of attacks

Previous audits

Current and planned controls to decrease risk

External vulnerability, assessment and penetration test (VA/PT) exercise

Subject matter experts

Procedures or work instructions to which staff must adhere

Each risk must be identified, analyzed to determine levels of risk, evaluated for the significance of the
risk, recorded and reviewed. One size does not fit all. The enterprise must avoid the risk of using
borrowed/downloaded sample documents as its own. Performing real-life risk treatment processes
begins when the SoA document is completed. For each risk that is identified in the risk assessment, the
risk treatment identifies whether the enterprise accepts, avoids, reduces, shares the source of, changes
the likelihood of or changes the consequence of the risk. Data classification, media handling, backup,
insurance, asset management, continuous monitoring and reporting are strategies to mitigate the risk.
The information security risk treatment plan is often documented in the risk register, which must
include all likely threats and impacts. Evaluation of risk, remedial risk strategies and follow-up can only
be tied together through a comprehensive SoA.

The SoA is the central document that information security auditors use to walk through the ISMS
process controls. Every control that the SoA explains must be understood by all management and all
staff. The SoA explains succinctly the information security controls that are relevant to any enterprise
business. The time that an enterprise spends preparing the SoA, systematically keeping it up to date,
including SoA in their internal audit scope and conducting management reviews will always be
beneficial.
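As an added example, not from the original article: a small Go checker that cross-references a risk register against the SoA, flagging controls that lack a reason for inclusion or exclusion, treatments outside the six options listed above, and treated risks that cite no control the SoA marks applicable. The control IDs, justifications and the rule that "accept" and "avoid" need no control are assumptions made for the example.

```go
package main

import "fmt"

// Control is one SoA row; the text requires a reason for inclusion and for exclusion.
type Control struct {
	ID, Justification string
	Applicable        bool
}

// Risk is one risk-register row: the chosen treatment and the controls behind it.
type Risk struct {
	ID, Treatment string
	Controls      []string
}

// treatmentOptions are the six options the text lists.
var treatmentOptions = map[string]bool{
	"accept": true, "avoid": true, "reduce": true, "share": true,
	"change likelihood": true, "change consequence": true,
}

// CheckSoA cross-checks the SoA against the risk register and returns the findings
// an internal audit would raise, in document order. Assumption made here: "accept"
// and "avoid" need no control; all other treatments must cite an applicable one.
func CheckSoA(soa []Control, register []Risk) []string {
	var findings []string
	byID := make(map[string]Control, len(soa))
	for _, c := range soa {
		byID[c.ID] = c
		if c.Justification == "" {
			findings = append(findings, fmt.Sprintf("control %s: applicable=%t but no justification", c.ID, c.Applicable))
		}
	}
	for _, r := range register {
		if !treatmentOptions[r.Treatment] {
			findings = append(findings, fmt.Sprintf("risk %s: unknown treatment %q", r.ID, r.Treatment))
			continue
		}
		if r.Treatment == "accept" || r.Treatment == "avoid" {
			continue
		}
		if len(r.Controls) == 0 {
			findings = append(findings, fmt.Sprintf("risk %s: treatment %q cites no control", r.ID, r.Treatment))
		}
		for _, id := range r.Controls {
			if c, ok := byID[id]; !ok {
				findings = append(findings, fmt.Sprintf("risk %s: control %s is not in the SoA", r.ID, id))
			} else if !c.Applicable {
				findings = append(findings, fmt.Sprintf("risk %s: relies on excluded control %s", r.ID, id))
			}
		}
	}
	return findings
}

func main() {
	// Constructed sample rows (IDs and reasons are placeholders, not a real SoA).
	soa := []Control{{ID: "A.6.2.2", Justification: "no remote work permitted"},
		{ID: "A.12.3.1", Applicable: true, Justification: "backups required by contract"},
		{ID: "A.8.2.1", Applicable: true}} // included, but nobody recorded why
	register := []Risk{{ID: "R1", Treatment: "reduce", Controls: []string{"A.6.2.2"}},
		{ID: "R2", Treatment: "mitigate"}} // R1 relies on an excluded control; R2 is not a listed option
	fmt.Println(CheckSoA(soa, register))
}
```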

7. System Audit: The data and information generated in companies today are endless. The information
that is handled and processed within a company is incalculable. Companies increasingly need
technology to work, requiring complex software and computerized equipment to carry out their activity
in an optimized and efficient manner.

That prevailing presence of software and technology causes the need for systems auditing. The main
objective of systems auditing is to validate the integrity of the information and data stored in the
databases of the information systems and their processing. It is one of the types of audits that go
beyond the economic factor.

What is a System Audit?

A systems audit involves the review and evaluation of controls and computer systems, as well as
their use, efficiency, and security in the company that processes the information. Through the control,
follow-up, and review that a systems audit provides, computer processes and technologies are used
more efficiently and safely, supporting sound decision-making.

In short, the systems audit consists of:

Verification of the controls over information processing and system installation, in order to evaluate
their effectiveness and to present recommendations and advice

Objective verification and assessment of the information

Examination and evaluation of the processes in terms of computerization and data processing. In
addition, the resources invested, the profitability of each process and its effectiveness and
efficiency are evaluated

The analysis and evaluation carried out through the systems audit must be objective, critical, systematic,
and impartial. The final audit report should be a clear example of the reality of the company in terms of
processes and computerization, to make better decisions and improve the business.

Objectives of the System Audit

The presence of technology in more and more business areas requires a control, monitoring, and
analysis system, such as systems auditing. First, it is necessary to guarantee security when dealing
with data, ensuring their privacy and proper use. Second, it makes the computer system a much more
efficient and profitable process, allowing errors to be detected and decisions to be made
immediately.

Thus, we can say that the objectives of the systems audit are:

Improve the cost-benefit ratio of information systems

Increase the satisfaction and security of the users of these computerized systems

Guarantee confidentiality and integrity through professional security and control systems

Minimize the existence of risks, such as viruses or hackers, for example

Optimize and streamline decision making

Educate on the control of information systems, since it is a fast-changing and relatively new sector, so it
is necessary to educate users of these computerized processes.

Therefore, systems auditing is a way of monitoring and evaluating not only the computer equipment
itself. Its field of action also covers the controls on access to this equipment (think, for example, of
access codes), the archives and their security, and so on.

Bottom Line

A systems audit is fundamental to guaranteeing the performance and security of a company's computer
systems, so that they are reliable in use and provide the maximum possible privacy.
