Covered Components who have servers which fall under the University’s HIPAA policies and procedures must be audited for operating system security. The operating system is audited via software purchased by Information Security. The auditing of an operating system can be random, but must be done at least once a year.