ClearPoint Metrics

Measure, Share, Compare.

Healthcare Compliance version 1.0

Scorecard Audience Description
Control 10.0 - Data at Rest Risk Management

The Data at Rest scorecard examines the management of data at rest. This scorecard presents the encryption coverage of devices and data retention rates. High percentages of devices exempt from encryption policy or devices not fully encrypted increase the organization's exposure to data leakage. A long retention rate indicates the organization's need to ensure that policies, processes, and procedures safeguard data during the entire retention period.

Control 10.0 - Host Vulnerability Risk Management

The Host Vulnerability scorecard evaluates the distribution of vulnerabilities across hosts in an organization. This scorecard examines the percentage of hosts in which vulnerabilities were identified. This information helps the organization deploy the most effective remediation strategies.

Control 10.0 - Patch Policy Risk Management

The Patch Policy scorecard evaluates the efficiency of the automated patch management system. This scorecard examines the average time to patch and the percentage of hosts patched within policy. This scorecard also trends the percentage of patches successfully applied, and identifies risk exposure due to missing critical patches.

Control 1.0 - Access Control Policies Risk Management

The Access Control Policies scorecard examines how efficiently the organization provisions accounts. This scorecard presents Overall Process Time (identification of the issue until closure) and Activity Time (support ticket duration). This information allows the organization to assess its incident response process in order to identify areas for improvement.

Control 1.0 - Access Removal Risk Management

The Access Removal scorecard examines the efficiency of the account deprovisioning process. This scorecard presents Overall Process Time (from identification of the issue until closure) and Activity Time (support ticket duration). This information allows the organization to assess its incident response process in order to identify areas for improvement.

Control 1.0 - Password Age Risk Management

The Password Age scorecard examines user adherence to the organization's password age policies. Accounts with expiring passwords, passwords expiring within policy, and password age are analyzed in order to determine overall risk and exposure.

Control 1.0 - Password Hygiene Risk Management

The Password Hygiene scorecard examines user adherence to the organization's password hygiene policies. The volume of perpetual passwords, their strength, and their age are analyzed in order to determine overall risk and exposure.

Control 11.0 - Alert Events Risk Management

The Alert Events scorecard examines the volume and severity of alerts triggered by sensors from a Network Intrusion Prevention System or Network Intrusion Detection System. The top five most active sensors are also displayed. This information allows the organization to assess the threats identified by the NIPS system and determine if changes to the NIPS or Firewall configuration are required.

Control 11.0 - Incident Response Risk Management

The Incident Response scorecard examines the efficiency of policies and procedures for security incident resolution. This scorecard presents the number of incidents closed within the Overall Process Time (identification of the issue until closure) and Activity Time (support ticket duration) policies. This information allows the organization to assess its incident response process and identify areas for improvement.

Control 11.0 - Vulnerability Management Risk Management

The Vulnerability Management scorecard examines discovered vulnerabilities. This scorecard presents vulnerabilities classified by impact and type, and the distribution of identified vulnerabilities. This information allows the organization to assess its management of vulnerabilities in order to identify areas for improvement.

Control 12.0 - Business Continuity Planning Risk Management

The Business Continuity Planning scorecard examines continuity plan coverage and the impact of interruptions. This scorecard presents the number of high value assets within the organization, the percentage covered by a business continuity plan, the number of unplanned outages, and the total downtime.

Control 12.0 - Disaster Recovery Risk Management

The Disaster Recovery scorecard examines how effectively the organization recovers from a disaster. This scorecard presents the mean time to recovery, the mean time between failures, and performance relative to the recovery time objective and recovery point objective.

Control 12.0 - Outage Incidents Risk Management

The Outage Incidents scorecard measures the frequency and duration of system outages, and examines how efficiently the organization recovers from outages. This scorecard presents the number of outages, the total downtime, the percentage of outages that were recovered from within policy, and the mean number of days between outages.

Control 2.0 - Access Control Policies Risk Management

The Access Control Policies scorecard examines how efficiently the organization provisions accounts. This scorecard presents Overall Process Time (identification of the issue until closure) and Activity Time (support ticket duration). This information allows the organization to assess its incident response process in order to identify areas for improvement.

Control 2.0 - Access Removal Risk Management

The Access Removal scorecard examines the efficiency of the account deprovisioning process. This scorecard presents Overall Process Time (from identification of the issue until closure) and Activity Time (support ticket duration). This information allows the organization to assess its incident response process in order to identify areas for improvement.

Control 3.0 - Residual Risk Levels Risk Management

The Residual Risk Level scorecard evaluates potential risks and exposure of unpatched assets. Risk is measured by identifying the percentage of hosts that are not fully patched (missing a required patch). Open support tickets are also examined to determine potential risk.

Control 3.0 - Scan Configuration

The Scan Configuration scorecard examines the frequency and coverage of vulnerability scanning. This scorecard presents the average time elapsed since the last scan and determines the number of hosts that were scanned within policy.

Control 4.0 - Risk Analysis Risk Management

The Risk Analysis scorecard evaluates potential exposure of assets to risk. This scorecard examines asset location, user access, and vulnerabilities. Overall risk ratings and risk scores are calculated and weighted by asset value.

Control 5.0 - Data at Rest Risk Management

The Data at Rest scorecard examines the management of data at rest. This scorecard presents the encryption coverage of devices and data retention rates. High percentages of devices exempt from encryption policy or devices not fully encrypted increase the organization's exposure to data leakage. A long retention rate indicates the organization's need to ensure that policies, processes, and procedures safeguard data during the entire retention period.

Control 5.0 - Data in Motion Risk Management

The Data in Motion scorecard examines the management of data while in motion. This scorecard illustrates the encryption coverage of email and transactions. High percentages of unencrypted emails will likely increase the organization's exposure, as these can be sent to or intercepted by inappropriate entities. Transactions containing sensitive data should be fully encrypted to ensure their confidentiality and integrity.

Control 5.0 - Data in Use Risk Management

The Data in Use scorecard examines the management of data in use. This scorecard presents the location of data and authorization of users to copy data. This information demonstrates the organization's awareness of sensitive data and confirms the deployment of controls to ensure that data cannot be inadvertently copied to unauthorized devices.

Control 6.0 - Data at Rest Risk Management

The Data at Rest scorecard examines the management of data at rest. This scorecard presents the encryption coverage of devices and data retention rates. High percentages of devices exempt from encryption policy or devices not fully encrypted increase the organization's exposure to data leakage. A long retention rate indicates the organization's need to ensure that policies, processes, and procedures safeguard data during the entire retention period.

Control 7.0 - Asset Portfolio Profile Risk Management

The Asset Portfolio Profile scorecard illustrates risk associated with assets managed by the organization. This scorecard identifies concentration of risk by examining the number and location of assets containing sensitive data.

Control 8.0 - Physical and Environmental Security Risk Management

The Physical and Environmental Security scorecard presents evidence for policies and controls to protect sensitive information and critical devices.

Control 8.0 - Physical Security of Assets Risk Management

The Physical Security of Assets scorecard examines the number, location, and user accessibility of critical assets under management. This scorecard addresses the requirement for assets to be located in a secure location with locks on doors and systems in place to limit access to these assets. In order to determine if assets reside in secure locations, it is critical to look at the number of assets under management by asset classification, then to see where the high value assets are located.

Control 9.0 - Data in Motion

The Data in Motion scorecard examines the management of data while in motion. This scorecard illustrates the encryption coverage of email and transactions. High percentages of unencrypted emails will likely increase the organization's exposure, as these can be sent to or intercepted by inappropriate entities. Transactions containing sensitive data should be fully encrypted to ensure their confidentiality and integrity.

Control 9.0 - Device Management Risk Management

The Device Management scorecard examines the management of devices containing sensitive data. This scorecard demonstrates adherence to device decommission and removable media policies. This information allows the organization to determine if appropriate measures have been taken to safeguard devices that have a greater probability of being compromised. An organization can also use this scorecard to determine its exposure and forecast the likelihood of data breaches involving its devices.

Control 9.0 - Firewall Activity Risk Management

The Firewall Activity scorecard examines the firewall coverage of assets and networks. Protection is assessed by the volume of inbound and outbound denied connections. This information allows the organization to determine the effectiveness of the firewall configuration and network deployment.

Control 9.0 - Logins Risk Management

The Logins scorecard counts attempts to access corporate information systems in order to identify unauthorized access attempts, identify accounts which may be candidates for removal, and ensure that current policies provide high availability.
