
I am a consultant and I have a client who is planning on dividing into two different companies.

Let's call the company "A" where no HIPAA will be required and "B" for which it will be required.

Currently the company is sharing an Active Directory profile and we plan to split it, but the concern remains that an admin from the "A" company has physical access to the server closet.

While he might need access to the closet for switch configuration and such, he will not need access to the servers that will be used by company "B".

In short, what can be done for two companies under one roof that need to share a server room when one needs to be HIPAA compliant?

What kind of contract or requirements should exist to maintain HIPAA?

LUser
  • You are missing a LOT of context here: "their admin" - whose admin? "the server closet" - whose closet? What is stored on the servers? Why is the AD config relevant to the question, which seems to be about someone's physical access to servers? – schroeder Nov 29 '18 at 13:53
  • I googled "hipaa physical security" and got guides and checklists that appear relevant to what I imagine your situation is. – schroeder Nov 29 '18 at 13:54
  • The questions came up when I was going through one of the checklists in physical security. – LUser Nov 29 '18 at 17:28
  • Then you know that the advice is to "have proper physical and logical controls to prevent unauthorised access to systems". Access to the closet is not enough context there. What controls are in place once the closet is opened? That's the only important bit. – schroeder Nov 29 '18 at 17:40
  • Not many apart access controls from local credentials would be needed to prevent crash-carting the db (main thing we want to protect) – LUser Nov 29 '18 at 17:51
  • I was trying to avoid having to exclude admin A from the room... but it looks like it might be unavoidable. – LUser Nov 29 '18 at 17:52
  • Full disk encryption, cages, port locks, 4 eyes, there are options. – schroeder Nov 29 '18 at 17:57

0 Answers