FAQ for FAS Risk Assessment

Where are the UCSF Minimum Security Standards? https://it.ucsf.edu/sites/it.ucsf.edu/files/650-16_minimum_security_standards_checklist-v5.pdf

My users log in to the application with the same username and password they use for their computer. Which authentication mechanism should I check, Active Directory or MyAccess? In this case, Active Directory.

What is a BAA? A BAA is a Business Associate Agreement. It is a written contract between a Business Associate and a Covered Entity that specifies the permitted access, uses and disclosures and the safeguards required for PHI by a Business Associate in order to perform a function or activity or to provide a service on behalf of the Covered Entity. More information: https://policies.ucsf.edu/definitions/business-associate-agreement-baa

I’m not sure what the data classification for my server should be. See https://it.ucsf.edu/news/data-classification-standard-device-registration to determine the classification type, then verify that the classification recorded in CMDB matches.

Does a connection to a UCSF remote site count as a resource outside the UCSF network? It depends. Verify with the network team which network is used at that location.

Question 12 on the Server & Network survey: I do not have a process for backup, restore and retention. If you do not have such a process, answer No.

Do I need a BAA? (See the definition of a BAA above.) If your application does not store, process or transmit PHI, you do not need a BAA.

When I print my results, I do not see the application name. This is a known issue. We will print a PDF of the results and attach it to the CMDB record of your application. RedCap will also serve as a repository for the results.