Stay current and compliant. Try our #1 ranked assessment tools risk free today!
Call +1 888-896-6207 to find out more.
The Continuum GRC ITAM SaaS platform has hundreds of plugin modules available such as:
Frameworks and Standards

FedRAMP
A FedRAMP authorization is the highest bar a cloud service provider can clear for U.S. federal customers: the provider's controls are documented against the NIST SP 800-53 baseline, independently assessed by a 3PAO, and continuously monitored, which gives your customers the strongest available assurance.
Modules include:
- System Security Plan (SSP) High-Moderate-Low-Tailored
- System Security Plan (SSP)
- Security Assessment Report (SAR)
- Security Assessment Plan (SAP)
- Plan of Action and Milestones (POA&M)
- Customer Responsibility Matrix
- Electronic Authentication (E-Authentication) Plan
- Privacy Impact Assessment (PIA)
- Rules of Behavior (RoB)
- Information System Contingency Plan (ISCP)
- CIS for SSP Low, Moderate, or High Baselines
- Federal Information Processing Standard (FIPS) 199 Categorization
- Integrated Inventory Workbook
- Information System Security Policies and Procedures
- Configuration Management (CM) Plan
- Control Implementation Summary (CIS)
- CIS Worksheet
- IT Contingency Plan (CP)
- Incident Response Plan (IRP)
- AC Access Control
- AT Awareness and Training
- AU Audit and Accountability
- CA Security Assessment and Authorization
- CM Configuration Management
- CP Contingency Planning
- IA Identification and Authentication
- IR Incident Response
- MA Maintenance
- MP Media Protection
- PE Physical and Environmental Protection
- PL Planning
- PS Personnel Security
- RA Risk Assessment
- SA System and Services Acquisition
- SC System and Communications Protection
- SI System and Information Integrity
- PM Program Management
FedRAMP+ DoD IL
- FedRAMP+ System Security Plan Information Impact Level 2 (Non-Controlled Unclassified Information)
- FedRAMP+ System Security Plan Information Impact Level 4 (Controlled Unclassified Information)
- FedRAMP+ System Security Plan Information Impact Level 5 (Controlled Unclassified Information) - Do It Yourself
- FedRAMP+ System Security Plan Information Impact Level 5 (Controlled Unclassified Information) - Cybervisor Supported
ConMon
- Continuous Monitoring Activities & Deliverables: Continuous
- Continuous Monitoring Activities & Deliverables: Weekly
- Continuous Monitoring Activities & Deliverables: 10 days
- Continuous Monitoring Activities & Deliverables: Monthly
- Continuous Monitoring Activities & Deliverables: 60 days
- Continuous Monitoring Activities & Deliverables: Quarterly (90 days)
- Continuous Monitoring Activities & Deliverables: Annual
- Continuous Monitoring Activities & Deliverables: Every 2 years
- Continuous Monitoring Activities & Deliverables: Every 3 years
- Continuous Monitoring Activities & Deliverables: Every 5 years
- FedRAMP Significant Change Request Form
- FedRAMP Significant Change Request Form: Attachment A

PCI DSS QSA and SAQ
PCI DSS compliance is validated, not certified: merchants and service providers that process payment cards must validate compliance annually, either through a Report on Compliance (ROC) performed by a Qualified Security Assessor (QSA) or, where the payment brand permits, a Self-Assessment Questionnaire (SAQ), and in both cases sign an Attestation of Compliance (AOC).
PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. It also applies to any other entity that stores, processes, or transmits cardholder data (CHD) and/or sensitive authentication data (SAD).
Modules include:
- Level 1 Merchant and Service Provider ROC and AOC
- Level 2, 3, and 4 SAQ A
- Level 2, 3, and 4 SAQ A-EP
- Level 2, 3, and 4 SAQ B
- Level 2, 3, and 4 SAQ B-IP
- Level 2, 3, and 4 SAQ C
- Level 2, 3, and 4 SAQ C-VT
- Level 2, 3, and 4 SAQ D Merchants
- Level 2, 3, and 4 SAQ D Service Providers
Level 1 Merchant
- PCI DSS ROC
- PCI DSS AOC for Merchants
- PCI DSS Appendix A: Additional Requirements for Shared Hosting Providers
- PCI DSS Appendix C: Compensating Controls Worksheet
- PCI DSS Appendix D: Explanation of Non-Applicability
- PCI DSS Appendix E: Explanation of Requirements Not Tested
- PCI DSS Action Plan for Non-Compliant Requirements
Level 1 Service Provider
- PCI DSS ROC
- PCI DSS AOC for Service Providers
- PCI DSS Appendix A: Additional Requirements for Shared Hosting Providers
- PCI DSS Appendix C: Compensating Controls Worksheet
- PCI DSS Appendix D: Explanation of Non-Applicability
- PCI DSS Appendix E: Explanation of Requirements Not Tested
- PCI DSS Action Plan for Non-Compliant Requirements
Level 2, 3 and 4
- SAQ A and AOC SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.
- SAQ A-EP and AOC SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.
- SAQ B and AOC SAQ B: Merchants using only imprint machines with no electronic cardholder data storage; and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.
- SAQ B-IP and AOC SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.
- SAQ C and AOC SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels.
- SAQ C-VT and AOC SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.
- SAQ D Merchant and AOC SAQ D - Merchants: All merchants not included in descriptions for the above SAQ types.
- SAQ D Service Provider and AOC SAQ D - Service Providers (the service-provider AOC carries an additional Section 2g): All service providers defined by a payment brand as eligible to complete a SAQ.

Cybersecurity Maturity Model Certification (CMMC)
CMMC is the Department of Defense program under which contractors demonstrate that they meet the security requirements flowed down through DFARS 252.204-7012, which are drawn from NIST SP 800-171 (and, at the higher levels, NIST SP 800-172) for protecting Controlled Unclassified Information, so that the Department can award contracts with confidence that the contract holder is actually meeting those requirements.
Modules include:
- Cybersecurity Maturity Model Certification (CMMC) Level 1
- Cybersecurity Maturity Model Certification (CMMC) Level 2
- Cybersecurity Maturity Model Certification (CMMC) Level 3
- Cybersecurity Maturity Model Certification (CMMC) Level 4
- Cybersecurity Maturity Model Certification (CMMC) Level 5

SSAE 18 (SOC 1), SOC 2, and SOC 3
SOC reports are AICPA attestations issued under SSAE 18 and recognized globally. A SOC 1 report covers the controls at a service organization that are relevant to its customers' internal control over financial reporting; SOC 2 and SOC 3 reports cover the Trust Services Criteria of Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Modules include:
- AICPA SOC 1
- AICPA SOC 2 & 3

HIPAA NIST 800-66
There is no HHS-sanctioned HIPAA certification. Covered entities and business associates must comply with the HIPAA Privacy, Security, and Breach Notification Rules, and NIST SP 800-66 is the federal guide for implementing the Security Rule; an assessment built on it gives your customers the assurance that a self-declared "certification" cannot.
Buyer Beware! HITRUST is not the official standard recognized by HHS.
Modules include:
- HIPAA NIST 800-66 System Security Plan (SSP)
- HIPAA NIST 800-66 Security Assessment Report (SAR)
- HITECH – Health Information Technology for Economic and Clinical Health (HITECH) Act
- Meaningful Use Stage 1
- Meaningful Use Stage 2
- Meaningful Use Stage 3
- Federal Information Processing Standard (FIPS) 199 Categorization
HIPAA Awareness & Compliance Survey
The HIPAA Awareness & Compliance Survey helps to determine your office’s degree of HIPAA compliance and awareness.
Topics covered in this review:
- Policies & Procedural Awareness
- Audit & Compliance Awareness
- Risk Assessment & Management Awareness
- Cyber Security Awareness
- Incident Response & Business Continuity Awareness
Survey questions:
1. When did you last conduct a review of security policies and procedures?
2. Privacy Policies and Procedures – Have you created, and do you regularly review and update, written privacy policies and procedures as required by law?
3. Information Management and Security Program – Do you have written policies and procedures for information management and security?
4. Confidentiality Agreements – Do you have signed confidentiality agreements with employees, partners, and other businesses with access to confidential information (such as business associate agreements), and do you keep copies of these agreements?
5. Notice of Privacy Policy and Procedures – If you are a health care practitioner, do you obtain a signed acknowledgement of receipt of your privacy policies and procedures when required?
6. Risk Assessment – Have you conducted an information security risk assessment?
7. When did you last conduct an information security risk assessment?
8. Annual Review – Do you annually review your information security policy and procedures to ensure the suitability and effectiveness of information security?
9. Forms Review – Do you annually review your standard forms for compliance with state and federal regulations?
10. When did you last review or update your practice forms?
11. Authorization – Do you obtain proper authorization for disclosure of personal information when needed and maintain a record of these authorizations?
12. Authorization – Do you obtain proper authorization for disclosure of personal information when needed and maintain a record of these authorizations?
13. Complaints – Do you have a privacy complaint form that you provide when someone has a problem related to your use or disclosure of information?
14. Information Privacy and Security Training – Do you provide annual training to all employees that covers information privacy and security requirements and the consequences of legal and policy violations?
15. When did you last conduct training?
16. Access Limits – Do you have procedures for limiting the disclosure of information to the minimum necessary for each job function?
17. Access Termination – Do you have a written checklist that you follow to restrict a person's access to information and the facility (keys, passwords) when the person leaves or changes their employment role?
18. Personnel Screening – Do you request and verify employee background and work history for employees who will have access to confidential or personal information?
19. Physical Assessment – Have you conducted a review of your facility's physical and environmental security, such as building entry controls, alarms, fire detection, and temperature controls?
20. When did you last conduct this review?
21. Physical Access Control – Do you have procedures to monitor and control physical access to facilities?
22. Environmental Controls – Do you maintain backup power for an orderly computer shutdown, fire detection, temperature and humidity controls, and water damage detection?
23. Disaster Recovery Plan – Check each of the following disaster recovery options you have in place to support your ability to continue your business in the event of a catastrophic loss of information:
24. Monitoring – Do you maintain an unalterable computer system log and routinely audit logs, security events, and system use?
25. Data Classification – Do you maintain policies and procedures to classify information by its value, sensitivity, and criticality to your business?
26. Access Controls – Check each of the following procedures you use to limit or prevent access to information:
27. Data Storage and Portable Media Protection – Do you follow written policies and procedures to protect data on electronic storage media, including CDs and DVDs, USB storage devices, and portable hard drives?
28. Lock-Out for Inactive Computing Devices – Do you configure devices to lock automatically after a period of inactivity?
29. Anti-Virus Protection – Do you regularly use and update security software to protect against computer viruses and malware?
30. Software Changes – Are your software and systems designed to detect and protect against unauthorized changes to software and information?
31. Information Input – Do you have policies and procedures to verify information for accuracy, completeness, and validity?
32. Information Correction – Do you have a policy and procedure for the identification, reporting, and correction of information errors?
33. Software Usage Restrictions – Do you have procedures to comply with software usage restrictions in accordance with contract agreements and copyright law?
34. User Installed Software – Do you have an explicit policy governing the downloading and installation of software by users?
35. Outsourced Information Services – Do you ensure that third-party providers of information system services employ adequate security controls in accordance with applicable laws, your policies, and service agreements?
36. Device Security – Do you apply operating system and application updates, patches, and fixes as soon as they become available?
37. Incident Response – Do you have and follow a written information breach notification process and incident response policy and procedure?
38. Breach Assessment – Do you have a procedure and guidelines for conducting a breach assessment to determine whether you must provide breach notification under state or federal law?
FREE HIPAA Business Associate Agreement (BAA)
If you are in need of a HIPAA compliant Business Associate Agreement (BAA), we can provide one to you for free. Create an account in the ITAM IT audit software demonstration system and subscribe to the HIPAA Business Associate Contract. After answering a few simple questions you will be able to immediately download a perfectly prepared HIPAA Business Associate Agreement (BAA) that may be given to your business associates.

International Organization for Standardization (ISO)
Continuum GRC created the number one ranked IRM GRC audit software solution for ISO audits that empowers you to prepare for an ISO audit effectively while dramatically reducing costs in preparation for working with a third-party assessment organization.
Modules include:
- ISO 27001
- ISO 27002
- ISO 27005
- ISO 27017
- ISO 27018
- ISO 17020
- ISO 17021

Criminal Justice Information Services (CJIS)
The FBI CJIS Security Policy sets the minimum security requirements for any agency or service provider that accesses, stores, or transmits criminal justice information (CJI). Demonstrating compliance with it against the NIST SP 800-53 controls it references is what law enforcement customers expect from their providers.
Modules include:
- CJIS System Security Plan (SSP)
- CJIS Security Assessment Report (SAR)
- Plan of Action and Milestones (POA&M)
- Federal Information Processing Standard (FIPS) 199 Categorization

Defense Federal Acquisition Regulation Supplement (DFARS) and NIST 800-171
Continuum GRC is completely committed to you and your business’ Defense Federal Acquisition Regulation Supplement (DFARS) and NIST 800-171 audit success. Regardless of whether you represent the private sector or the public sector, we stand ready to partner with your organizations.
Modules include:
- DFARS NIST 800-171 System Security Plan (SSP)
- DFARS NIST 800-171 Security Assessment Report (SAR)
- Federal Information Processing Standard (FIPS) 199 Categorization
- Plan of Action and Milestones (POA&M)

Cloud Computing Compliance Controls Catalog (C5)
C5 is the attestation scheme introduced by Germany's Federal Office for Information Security (BSI). It lets cloud providers demonstrate baseline operational security against common cyber attacks, in the context of the German Government's "Security Recommendations for Cloud Providers".
Modules include:
- Cloud Computing Compliance Controls Catalog (C5)

NIST 800-53 High-Moderate-Low
NIST SP 800-53 is the control catalog behind FISMA and FedRAMP, and an assessment against its Low, Moderate, or High baseline is the most rigorous available. The resulting attestation provides the highest standard of assurance to your customers.
Modules include:
- NIST 800-53 System Security Plan (SSP)
- NIST 800-53 Security Assessment Report (SAR)
- Federal Information Processing Standard (FIPS) 199 Categorization
- Plan of Action and Milestones (POA&M)
- AC Access Control
- AT Awareness and Training
- AU Audit and Accountability
- CA Assessment, Authorization, and Monitoring
- CM Configuration Management
- CP Contingency Planning
- IA Identification and Authentication
- IR Incident Response
- MA Maintenance
- MP Media Protection
- PE Physical and Environmental Protection
- PL Planning
- PM Program Management
- PS Personnel Security
- RA Risk Assessment
- SA System and Services Acquisition
- SC System and Communications Protection
- SI System and Information Integrity
- SR Supply Chain Risk Management

NERC CIP & 693
Continuum GRC created the number one ranked IRM GRC audit software solution for NERC CIP audits that empowers you to prepare for a NERC CIP audit effectively while dramatically reducing costs in preparation for working with a third-party assessment organization.
Modules include:
- NERC CIP-004: Personnel and Training
- NERC CIP-006: Physical Security of Critical Cyber Assets
- NERC CIP-010: Configuration Change Management and Vulnerability Assessment

Securities and Exchange Commission (SEC)
Sarbanes-Oxley Section 404 requires SEC-registered companies to assess their internal control over financial reporting against a suitable, recognized control framework. The COSO Internal Control – Integrated Framework is the one nearly every registrant uses, and an assessment built on it provides the highest standard of assurance to your customers.
Modules include:
- Enterprise Risk Management – Integrated Framework
- Internal Control – Integrated Framework

NIST Cyber Security Framework (CSF)
All businesses within the public-private sectors concerned about security will find the NIST CSF indispensable for both national and economic security. Even if you are not seeking FISMA attestation or certifications, the NIST CSF is the best place to start securing your organization.
Modules include:
- NIST CSF System Security Plan (SSP)
- NIST CSF Security Assessment Report (SAR)
- Federal Information Processing Standard (FIPS) 199 Categorization
- Plan of Action and Milestones (POA&M)

SEC, NFA & FINRA
Continuum GRC created the number one ranked IRM GRC audit software solution for SEC, NFA & FINRA audits that empowers you to prepare for a SEC, NFA & FINRA audit effectively while dramatically reducing costs in preparation for working with a third-party assessment organization.
Modules include:
- FINRA SEC Cyber Security Report Card
- FINRA - Small Firm Cybersecurity Checklist
- COSO Summary of Deficiencies
- COSO Enterprise Risk Management – Integrated Framework
- COSO Internal Control – Integrated Framework

StateRAMP is coming!
We will be ready. Will you?
What are you waiting for?
You are just a conversation away from putting the power of Continuum GRC to work for you. Contact us using the form below or calling us at 1-888-896-6207 for immediate assistance.