§164.308(a)(5)(ii)(A): Periodic security updates.
Does the entity have policies and procedures in place regarding a process to provide periodic security reminders and updates?
Does the entity appropriately communicate security updates to all members of its workforce and, if appropriate, contractors periodically?
Obtain and review documentation demonstrating how periodic security updates are conducted.
Elements to review may include but are not limited to:
• Frequency of the periodic security updates
• Methods of communication used for security updates (i.e. emails, newsletters, posters)
Obtain and review documentation demonstrating that periodic security updates are conducted. Evaluate and determine if periodic security updates are accessible and communicated to workforce members.
Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.