Control Mappings
Framework coverage details for compliance validation.
SOC 2 Trust Services Criteria
Coverage across Minimal SOC2, Health Tech, and Streaming policy sets.
| Criteria | Minimal SOC2 | Health Tech | Streaming |
|---|---|---|---|
| CC1 - Control Environment | ✓ | ✓ | ✓ |
| CC2 - Communication & Information | ✓ | ✓ | ✓ |
| CC3 - Risk Assessment | ✓ | ✓ | ✓ |
| CC4 - Monitoring Activities | ✓ | ✓ | ✓ |
| CC5 - Control Activities | ✓ | ✓ | ✓ |
| CC6 - Logical & Physical Access | ✓ | ✓ | ✓ |
| CC7 - System Operations | ✓ | ✓ | ✓ |
| CC8 - Change Management | ✓ | ✓ | ✓ |
| CC9 - Risk Mitigation | ✓ | ✓ | ✓ |
HIPAA Security Rule
Coverage in the Health Tech policy set.
| Safeguard | §164.308 Administrative | §164.310 Physical | §164.312 Technical |
|---|---|---|---|
| Access Control | ✓ | ✓ | ✓ |
| Audit Controls | ✓ | — | ✓ |
| Integrity Controls | ✓ | ✓ | ✓ |
| Transmission Security | — | — | ✓ |
| Facility Access | — | ✓ | — |
| Workstation Security | ✓ | ✓ | — |
| Contingency Planning | ✓ | — | — |
HITRUST CSF Domains
The Health Tech (HITRUST) policy set maps to all 19 control domains:
- Domain 0: Information Security Management Program
- Domain 1: Access Control
- Domain 2: Human Resources Security
- Domain 3: Risk Management
- Domain 4: Security Policy
- Domain 5: Organization of Information Security
- Domain 6: Compliance
- Domain 7: Asset Management
- Domain 8: Physical & Environmental Security
- Domain 9: Communications & Operations Management
- Domain 10: Information Systems Acquisition & Development
- Domain 11: Information Security Incident Management
- Domain 12: Business Continuity Management
- Domain 13: Privacy Practices
Full mapping spreadsheets (Excel/CSV) are available in each repository's /docs folder.