HIPAA 164.308 (a) (1) (ii) (D): "Procedures to review system activity"
Audit Logs and Reporting for:
- Changes to File System Permissions
- Access to Files and Folders
- Files and Folders Created/Deleted/Changed
- Changes to Active Directory
- Changes to Group Policy Objects
- Server Logins
- Server Failed Logins
Document:
- Active Directory last logon report by Domain Controller
HIPAA 164.308 (a) (3) (ii) (C): "Procedures for terminating access"
Audit Logs and Reporting for:
- Active Directory accounts removed
Terminating access for:
- Auditing of disabled accounts
- Automatic de-provisioning of inactive accounts
- Automated disabling or removal of accounts (+ Home Directory and Exchange accounts)
- Reporting included if performed via DSRAZOR
HIPAA 164.308 (a) (4) (ii) (C): "Procedures for auditing and changing access rights and policies"
Audit Logs and Reporting for:
- Changes to File System Permissions
- Access to Files and Folders
- Files and Folders Created/Deleted/Changed
- Changes to Active Directory
- Changes to Group Policy Objects
Manage:
- Active Directory Object permissions
- Remove Active Directory Trustees
- File System Permissions
- Users – Delete/disable/change
- Groups – Delete/change
HIPAA 164.308 (a) (5) (ii) (C): "Procedures for recording login activity including failed login attempts"
Track:
- Logons/Logoffs per Workstation Name
- Logons/Logoffs per IP Address
- Failed Logon Attempts due to Invalid Account Name
- Failed Logon Attempts due to Bad Password
Document:
- Active Directory last logon report by Domain Controller
- Accounts where last logon failed
- Accounts that have never logged in
HIPAA 164.308 (a) (5) (ii) (D): "Procedures for creating/changing passwords"
Audit:
- Changes to Active Directory Passwords
Create:
- Accounts with proper password settings
- Accounts with a template
- Accounts with required attributes
Find:
- Accounts where password is not required
- Accounts where password never expires
- Accounts where password not changed in X days
HIPAA 164.308 (a) (6) (ii) (D): "Identify and respond to suspected or known security incidents"
Audit:
- User and Administrator activities in Active Directory
- User and Administrator activities with the File System
- Configure alerts
- Configure reports to document security incidents
Manage:
- Active Directory Object permissions
- Remove Active Directory Trustees
- File System Permissions
- Users – Delete/disable/change
- Groups – Delete/change
HIPAA 164.312(a): "Procedures for access control"
Track:
- Changes to File System Permissions
- Changes to Active Directory Passwords
- Changes to Active Directory Group Membership
- Changes to Group Policy Objects
Block:
- Any File Type including MP3/MPG/EXE
- File Creates/Renames/Changes and Deletes
Document:
- ACLs per AD and FS object
- Account Security Details
- Group Membership
- Directory/File Ownership
- AD Objects with GPO(s) defined
- GPO by Domain
Find:
- AD Trustees with “Allowed to Authenticate” Privileges
- AD Trustees with “Send As” Privileges
- Directory/File/AD Trustees with “Admin” Privileges
- Directory/File/AD Trustees with invalid SID
- Directories/Files with no Owner (invalid SID)
- FSMO Roles for selected Domain
- Accounts with password problems
- Accounts with Dial-in Permission
- Accounts with Allowed to Authenticate As Permission
- Accounts with Send As Permission
HIPAA 164.312(b): "Procedures for recording system activity"
Track:
- File Opens/Reads/Writes/Deletes and Creates
- File Renames/Permission Changes
- Any Active Directory Attribute Change
- Any Active Directory Password Change
- Any Active Directory Schema Change
- Any Active Directory Object Change
- Any Group Policy Object Change
Document:
- Active Directory last logon report by Domain Controller