AC-2 Account Management

Control: The organization manages system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts.

The organization reviews system accounts [Assignment: organization-defined frequency].

Illustrative Controls and TIBCO LogLogic Solution

Requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed by user account management. An approval procedure requiring the data or system owner to grant access privileges to new and existing users should be included. These procedures apply to all users, including administrators (privileged users), internal and external users, in both normal and emergency situations. Rights and obligations relative to access to enterprise systems and information are contractually arranged for all types of users.

Perform regular management review of all accounts and related privileges. Demonstrate that procedures exist for the registration, change, and deletion of users from electronic protected health systems and subsystems on a timely basis and confirm that the procedures are followed. Procedures must exist and be followed to ensure timely action relating to requesting, establishing, issuing, suspending, and closing user accounts.

To satisfy this requirement, administrators must ensure that permissions have been granted to the appropriate users and that all network and application access requests are adequately documented and approved by the appropriate management personnel. As evidence, administrators can select a sample of terminated employees and verify that the accounts for these employees were terminated in a timely manner.
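The terminated-employee check described above can be automated against account-management logs. The following is an added example, not part of the TIBCO LogLogic documentation; it assumes a simple key=value log format and constructed HR termination dates, and flags accounts that were never disabled or were disabled after the organization-defined window.

```python
# Added example (not from the TIBCO LogLogic document): verify that accounts of
# terminated employees were disabled within the organization-defined window.
from datetime import date, timedelta

# Constructed sample data: HR termination dates and account-management events
# in a hypothetical "key=value" log format.
TERMINATIONS = {
    "jdoe": date(2024, 3, 1),
    "asmith": date(2024, 3, 5),
    "bkim": date(2024, 3, 10),
}
ACCOUNT_EVENTS = [
    "2024-03-01 17:02:11 host=ad01 action=disable account=jdoe actor=admin1",
    "2024-03-12 09:15:40 host=ad01 action=disable account=asmith actor=admin2",
    "2024-03-15 08:00:03 host=ad01 action=modify account=bkim actor=admin1",
]

def parse_event(line):
    """Parse one 'YYYY-MM-DD HH:MM:SS k=v k=v ...' line into a dict."""
    day, _time, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["date"] = date.fromisoformat(day)
    return rec

def disable_dates(events):
    """Map each account to the earliest date a 'disable' event was logged."""
    out = {}
    for line in events:
        rec = parse_event(line)
        if rec.get("action") == "disable":
            acct = rec["account"]
            if acct not in out or rec["date"] < out[acct]:
                out[acct] = rec["date"]
    return out

def review_terminations(terminations, events, max_days):
    """Return {account: 'ok' | 'late' | 'still_active'} for each terminated user."""
    disabled = disable_dates(events)
    result = {}
    for acct, term_date in terminations.items():
        if acct not in disabled:
            result[acct] = "still_active"      # no disable event at all
        elif disabled[acct] - term_date <= timedelta(days=max_days):
            result[acct] = "ok"                # disabled within the window
        else:
            result[acct] = "late"              # disabled, but too slowly
    return result

if __name__ == "__main__":
    for acct, status in review_terminations(TERMINATIONS, ACCOUNT_EVENTS, 3).items():
        print(f"{acct}: {status}")
```

Accounts reported as "late" or "still_active" are the items an AC-2 review should document and follow up on.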

Administrators must review reports that detail the access policy on all servers and applications. Those servers and applications must be configured so that password policies are enforced and access activity is recorded. Server and application logs must be reviewed to ensure passwords are changed periodically and in accordance with corporate policy.

TIBCO LogLogic reports augment the processes and procedures for granting access by allowing validation of new users and of elevated privileges on the network devices and systems that provide access to electronic health information. Account additions or modifications captured by the TIBCO LogLogic Compliance Suite provide specific information about who has been given access to electronic health information, while account activity can be monitored to ensure that access has been implemented appropriately. Reports on special access through VPNs, the Internet, and other subnets can also validate that remote access privileges are implemented as intended.

Reports and Alerts

Use the following reference to see the AC-2 reports and alerts: AC-2.