Skip to main content
All CollectionsComplianceExample Evidence for Not Monitored Controls
Example Evidence for Not Monitored Controls (HIPAA)
Example Evidence for Not Monitored Controls (HIPAA)

Example Evidence for Not Monitored Controls (HIPAA)

Jane Baik avatar
Written by Jane Baik
Updated over a week ago

The following is a list of example evidence for controls not monitored in Drata for HIPAA.

Please note: An auditor may request additional evidence for each control.

Code

Name

Example Evidence

DCF-1

Customer Data Policies

Asset Management Policy,Information Security Policy,Acceptable Use Policy,Data Protection Policy,ISMS Plan (2013 and 2022)

DCF-2

Least-Privileged Policy for Sensitive Data Access

System Access Control Policy

DCF-9

Internal Communication Channels

Screenshots from communication tools (Slack, PagerDuty) showing the process for security events to be communicated to appropriate personnel.

DCF-11

Periodic Access Reviews

1. Tickets documenting the access control lists that were reviewed for in scope cloud environments, SaaS applications, infrastructure as code tools, and security protection tools (as applicable)

- and -

2. Tickets should be marked as completed/closed and the reviewer should provide comments on the results of the reviews.

DCF-16

Periodic Risk Assessment

Most recently completed risk assessment report.

DCF-17

Risk Treatment Plan

Documented remediation plans for risks identified during the risk assessment.

DCF-19

Penetration Tests

Most recently completed annual penetration test.

DCF-20

Asset Inventory

1. Formal, documented listing of all assets (workstations, mobile devices, servers, databases, etc.)

- and -

2. For cloud infrastructure, screenshots from cloud environments listing all infrastructure

DCF-21

Architectural Diagram

Approved Architectural Diagram

DCF-22

Network Diagram

Formal, documented network/architecture diagram evidencing network segmentation of your cloud environments.

DCF-26

BCP/DR Tests

Most recently completed BCP/DR test.

DCF-29

Incident Response Team

Provide the documented list of Incident Response team members who have the responsibility and authority to coordinate and execute incident response procedures.

DCF-34

Security Team/Steering Committee

Evidence that a Security Team has been assigned for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.

DCF-35

Security Team Communicates in a Timely Manner

Screenshots from communication tools (Slack, PagerDuty) showing the process for security events to be communicated to appropriate personnel.

DCF-40

Contractor Requirements

Executed Agreement/contract between the entity and key vendors.

DCF-43

Termination/Offboarding Checklist

Formal documented termination checklist/help desk ticket for a recent terminated employee.

DCF-53

Cryptography Policies

1. List of all locations where data is transmitted or received over open, public networks.

- and -

2. Documented standards which detail the level of security protocols and cryptographic algorithms used to protect this data.

- and -

3. Screenshots from the system configurations of the systems receiving this data showing the implementation of these security protocols and encryption algorithms

DCF-56

Vendor Register and Agreements

Executed Agreement/contract between the entity and key vendors.

DCF-58

Authentication Protocol

1. If SSO is an option, screenshots of a user logging in with SSO.

- and -

2. If username and password is an option, screenshots of a user logging in with a username and password.

- and -

3. Screenshots of MFA being required for employee users.

- and -

4. If users have the option to enable MFA, screenshots showing they are provided the option to enable MFA.

DCF-60

Secure Password Storage

If username and password is required, screenshots from the database showing that password are stored using a salted hash.

DCF-62

Inactivity and Browser Exit Logout

1. Screenshots of users being logged out of the application when browser/tab is closed and being forced to reauthenticate upon next login.

- and -

2. Screenshots showing that a user is logged out after pre-defined activity timeout and being forced to reauthenticate upon next login.

DCF-64

Commitments Communicated to Customers

1. Upload evidence of a recently executed service agreement with a customer.

- and -

2. Upload evidence of your terms of service available online, as well as screenshots of the account sign up process showing users are required to accept the terms of service prior to using the system.

DCF-69

Access Provisioning

Formal, documented access request form/help desk ticket for a recent new hire.

DCF-72

Root Access Control

Screenshots of a user logging into the production systems, showing that they have to use a unique SSH account.

- or -

Screenshot of the setting from the production servers showing that the "root" account cannot be used to login to production.

DCF-79

Logging System

Screenshots from the location where logs of system activity are stored.

DCF-80

Log Management System

1. Screenshots of logging software alert configuration

- and -

2. Screenshots from the location where logs of system activity are stored.

- and -

3. Evidence of corrective action being taken when alerted

DCF-81

Databases Monitored and Alarmed

1. Screenshots from the tool (or solution) showing that it is configured to monitor databases and alert/notify personnel of any identified incidents

- and -

2. Evidence that any identified incidents were escalated per policy.

DCF-82

Messaging Queues Monitored and Alarmed

1. Screenshots from the tool (or solution) showing that it is configured to monitor messaging queues and alert/notify personnel of any identified incidents

- and -

2. Evidence that any identified incidents were escalated per policy.

DCF-83

NoSQL Database Monitored and Alarmed

1. Screenshots from the tool (or solution) showing that it is configured to monitor NoSQL databases and alert/notify personnel of any identified incidents

- and -

2. Evidence that any identified incidents were escalated per policy.

DCF-84

Servers Monitored and Alarmed

1. Screenshots from the tool (or solution) showing that it is configured to monitor servers and alert/notify personnel of any identified incidents

- and -

2. Evidence that any identified incidents were escalated per policy.

DCF-91

Intrusion Detection/Prevention System

1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled.

- and -

2. Screenshots from the mentioned applications/tools/services showing the types of threats that would be detected.

- and -

3. Screenshots from the mentioned applications/tools/services showing how personnel would be alerted and who would be alerted when threats are detected.

DCF-92

Encrypted Remote Production Access

1. Screenshots of a user trying to access production systems without being connected to a VPN and providing access is denied.

- and -

2. Screenshots of a user accessing production after connecting to a VPN to show a successful connection.

DCF-93

Credential Keys Managed

1. Key Management procedures included in the Encryption Policy

- and -

2. Evidence of the cryptographic technique used to manage keys

DCF-98

Daily Backup Statuses Monitored

Tickets showing that backup failures were monitored and resolved.

DCF-99

Failed Backup Alert and Action

1. Automated configurations from the backup service for notifying personnel when backup processes fail.

- and -

2. Example email for a failed backup and ticket documenting resolution.

DCF-100

Backup Restore Testing

1. Screenshots showing a backup snapshot was restored completely and accurately.

- and -

2. Evidence from the annual DR tests showing that backups were restored completely and accurately.

DCF-103

Customer Data Deletion Upon Termination

1. For a recently churned customer, upload evidence showing that customer data disposal was conducted in accordance with the contractual agreements with the customer (such as evidence of logs showing data was disposed of, screenshots from production resources such as storage buckets and databases showing customer-specific resources were decommissioned.).

-and-

2. Upload evidence of the agreement with the former customer to show the specific data disposal requirements and commitments.

DCF-106

Clean Desk and Clear Screen Policies and Procedures

1. Acceptable Use Policy

- and -

2. (If applicable) Acknowledgement of the Acceptable Use Policy

DCF-107

Disposal of Sensitive Data on Paper

Observation of hard copy material being disposed

Note: This can be performed by auditors on-site, or via virtual meeting.

DCF-108

Secure Storage Mechanisms

Pictures of secure storage bins from office locations.

DCF-109

Disposal of Sensitive Data on Hardware

Data Retention Policy or equivalent policy documenting this policy and procedure.

DCF-112

Notice and Acknowledgement of Privacy Practices

Screenshots of the new user registration process where new users are provided the notice of privacy practices before completing the registration process.

DCF-113

Review Privacy Notice Annually

Meeting minutes from management's annual meeting to review privacy practices.

DCF-114

Privacy Policy Publicly Available

Screenshot of privacy practices posted on the entity's website.

DCF-119

Allowable Use and Disclosure

Section from privacy practices/policy that covers this item.

DCF-120

Periodic Review of Privacy Policy

Meeting minutes for management's annual review of privacy policies

DCF-123

Procedures for Information Disposal

Formal, documented data deletion policy.

DCF-124

Require Authentication for Access

Screenshots of a user authenticating to the application prior to seeing their information.

DCF-125

Users Can Access All Their Information

Screenshots of where a user can find their information within the platform (i.e. user profile).

DCF-126

Personal Information Accessible Through System Authentication

Screenshots of a user modifying their personal information within the application.

DCF-127

Privacy Requirements Communicated to Third parties

Evidence to support that third parties with whom PII is sent to, were provided requirements for how PII should be handled, according to your requirements.

DCF-128

Disclosure with 3rd Parties

Example executed contracts with third parties that receive PII showing that contracts included provisions for third parties to protect personal information.

DCF-129

PII with 3rd Parties and Vendors

Formal, documented authorized list of third parties that can receive or access PII.

DCF-131

Incident Report Template and Process

Formal, documented incident response procedures.

DCF-132

Privacy and Security Requirements in Third-Party Agreements

Executed agreements (such Data Processing Agreements, Business Associates Agreements, Service Provider Agreements) with third parties and vendors that are provided access to personal data.

DCF-133

Unauthorized Disclosures by 3rd Parties

Example executed contracts with third parties that receive PII showing that contracts included provisions for third parties to protect personal information.

DCF-134

3rd Parties and Vendors Given Instructions on Breach Reporting

Executed contracts with third parties that are provided access to PII to confirm that third parties are provided with information on how to report breaches of PII to the entity.

DCF-135

Notification of Incidents or Breaches

1. Formal, documented breach notification procedures.

- and -

2. Breach Notification Template

DCF-136

Use of Subprocessors Communicated

Section from privacy practices on your website showing that 3rd parties that receive PII are listed.

DCF-139

Contact Information for Privacy Concerns

Section from privacy practices on your website showing contact information for how external personnel contact you with inquiries, complaints, and disputes.

DCF-140

Point of Contact for Privacy Inquiries

Screenshots of how a customer can submit inquiries, complaints or disputes about privacy issues.

DCF-141

Privacy Inquiries Tracked

1. Screenshots of the incident tracking system used to track users' complaints, inquiries and disputes.

- and -

2. Example submitted inquiries, complaints or disputes and evidence that resolution was communicated to the customer and corrective actions were performed, as necessary.

DCF-142

Quarterly Review of Privacy Compliance

Meeting minutes from quarterly management meetings for tracking compliance with privacy practices and privacy regulations.

DCF-143

Board Oversight Briefings Conducted

Meeting minutes from the Board of Directors meeting showing that the state of cybersecurity and privacy risks were discussed.

DCF-147

Physical Access to Facilities is Protected

Physical Access Control Policy

DCF-149

Removable Media Device Encryption

If removable media devices are issued by the company to employees, provide evidence that removable media devices are encrypted.

DCF-150

Data Loss Prevention (DLP) Mechanisms

1. Screenshots of DLP software.

- and -

2. Example of emails being blocked when they contain sensitive data

DCF-151

FIM (File Integrity Monitoring) Software in Place

1. Screenshots of FIM software.

- and -

2. Examples of FIM detecting changes.

DCF-153

Conduct Control Self-Assessments

1. Annual internal control assessment report with any identified findings

(Note: Drata can also be used as evidence for continuous control assessment)

- and -

2. Evidence that corrective actions were taken for the identified findings

DCF-154

Incident Response Test

Most recently completed incident response tabletop test.

DCF-166

Business Continuity Plan

Business Continuity Plan.

DCF-167

Business Impact Analysis

Business Impact Analysis (Typically part of the business continuity plan).

DCF-168

Vendor Management Policy

Vendor Management Policy

DCF-177

Event Logging

Section from the Data Protection Policy

DCF-179

Competence Records

1. Upload documented job descriptions for both a recently hired personnel and an existing personnel.

-and-

2. Upload evidence of the formal interview/recruitment process for a recently hired personnel (for example calendar invites for interviews, documented feedback notes from interviewers, exports from the candidate's profile within the applicant tracking system, evidence of evaluation of resume and professional credentials .).

-and-

3. Upload an example of a completed performance evaluation for a sample personnel performed within the past year showing components of the evaluation process (for example, self-reviews, peer-reviews, manager-reviews).

-and-

4. Upload evidence for an example personnel with assigned roles within the management system(s) showing that they have the necessary competence to fulfill their duties on the basis of appropriate education, training, or experience.

Note: Example evidence may include, but is not limited to:

- records of education, certifications, and professional credentials

- records of training programs, courses and educational activities

- records of actions taken to acquire and retain the necessary competence as it relates to the management system

DCF-182

Asset Management Policy

Asset Management Policy

DCF-189

Activity Review

For this control, your organization will have to define a frequency for each of the three covered activities. This could be weekly, monthly, quarterly, it will depend on the size of your organization and what makes sense for each of the three areas:

1. Audit log reviews - A ticket from the ticketing system documenting which audit logs were reviewed, who reviewed them, and when the review was completed.

-and-

2. Security Incident Tracking Reports - A ticket documenting the review of incident reports including who completed the review and when the review was completed. Or meeting minutes demonstrating that incident reports were reviewed including who attended the meeting and the date.

-and-

3. Ticket documenting which system activity logs were reviewed, who reviewed these activity reports, and when the review was completed.

DCF-190

Designated Security Officials

Information Security Policy

or

Job description of designated Security Official(s) outlining their responsibility for overseeing the organizations’ compliance with the security rule.

DCF-191

Security Updates

Information Security Policy

DCF-192

Privacy, Use, and Disclosure

Privacy, Use, and Disclosure Policy

DCF-193

Breach Notification

Breach Notification Policy

DCF-194

Group Health Plans

Plan documents outlining the requirements mapped to the controls. If you are not a Group Health Plan, then mark this control out of scope.

DCF-195

Business Associate Agreements

1. Vendor Management Policy

-and-

2. Business Associate Policy

-and-

3. BAA template (if not contained within the Business Associate Policy)

DCF-196

HIPAA Awareness Training

Privacy, Use, and Disclosure Policy

If HIPAA training is not completed inside of Drata, screenshots showing a certificate of completion from the HIPAA training provider.

Any other evidence supporting training on policies and procedures for handling PHI, as applicable.

DCF-197

Document Retention Period

1. Data Protection Policy

-and-

2. A document retention schedule should additionally be drawn up listing specific types of records, such as Business Associate Agreements, and the retention period such as 7 years. This should be uploaded to the Evidence Library page, and then linked to this control.

-and-

3. Any other policies supporting document retention requirements, as applicable

DCF-253

Data Secure Disposal

Policies and procedures for data disposal.

DCF-339

Account Lockout after Failed Logins

Upload evidence of the account lockout configurations after failed login attempts for relevant systems where this is a configurable attribute, showing number of attempts that trigger the lockout and lockout duration.

DCF-350

Password History Enforcement

Screenshots of system configurations showing that passwords must be different from the previous 4 passwords.

DCF-386

Management Approval for Media Transfer

Documentation from a recent media transfer (including media distribution to individuals) showing that the transfer was approved by an authorized member of management.

DCF-503

Multiple Methods for Security Awareness

Upload evidence showing that periodic security updates are provided to personnel through different mechanisms (such as screenshots of internal newsletters or intranet with security reminders, security updates sent out via Slack or other internal communication channels)

DCF-681

Phishing Simulations

Upload evidence showing phishing simulations are conducted as part of the company's security awareness initiatives (such as screenshots from phishing simulation campaign configurations, screenshots of dashboards showing results of the campaign, screenshot showing example simulated phishing email)

DCF-741

Logging and Monitoring Policy

Logging and Monitoring Policy

Did this answer your question?