This annex consolidates all regulatory and framework mappings referenced across the policy and procedure set. Individual documents should replace embedded mapping tables with a pointer to this annex.
How to use:
Use the framework sections below to see which document(s) implement each control. Section/step references point to the exact clause in the implementing policy/procedure.

Mappings by Framework

HITRUST CSF v11.2.0

Implementing Document | Section/Steps
SEC-PROC-002 Internal Audit Procedure | 1-6
RES-PROC-003 Post-Incident Review Procedure | 3
RES-PROC-007 BCDR Testing and Exercise Procedure | 4

Implementing Document | Section/Steps
OP-PROC-006 Workforce Screening and Background Check Procedure | 1-7

Implementing Document | Section/Steps
OP-POL-003 Data Retention and Disposal Policy | 3.4 (03.b), 3.2 (03.c)
OP-PROC-004 Secure Media Disposal and Sanitization Procedure | 4.1 (NIST SP 800-88), 4.1-4.2

04.a–04.f — Mobile Device Security
Implementing Document | Section/Steps
OP-POL-002 Mobile Device Security Policy | Section A (04.a), 3.2 (04.b), 3.2, 3.6 (04.c), 3.3 (04.d), 3.7 (04.e), 3.8 (04.f)
OP-PROC-002 Mobile Device Onboarding and Security Configuration Procedure | 1-7 (04.b)
OP-PROC-003 Lost or Stolen Mobile Device Response Procedure | 1-5 (04.f)

05.a–05.b — Wireless Network Security
Implementing Document | Section/Steps
ENG-POL-004 Network Security Policy | 3.5 (05.a, 05.b)

06.a–06.d — Configuration and Change Control
Implementing Document | Section/Steps
ENG-POL-002 Change Control Policy | All (06.a); 3.1, 3.2 (06.b); 3.3 (06.c); 3.4 (06.d)
ENG-POL-003 Cloud and Core Infrastructure Security Policy | All (06.a); 3.4 (06.a)
ENG-PROC-003 Standard Change Management Procedure | 1-6 (12.a + SDLC)
ENG-PROC-004 Emergency Change Management Procedure | 1-5 (12.a)

06.e — Secure Development
Implementing Document | Section/Steps
ENG-POL-001 Secure Software Development Lifecycle (SDLC) Policy | 3.1
ENG-POL-005 Secure Coding and Testing Policy | 3.1, 3.2
ENG-POL-006 Third-Party Component Management Policy | 3.2

07.a–07.d — Vulnerability Management
Implementing Document | Section/Steps
ENG-POL-001 SDLC Policy | All (07.a)
ENG-POL-005 Secure Coding and Testing Policy | 3.1 (07.b); 3.2, 3.3 (07.c); 3.2.2 (07.d)
ENG-POL-006 Third-Party Component Management Policy | 3.1.1 (07.b); 3.1.2 (07.d)
ENG-PROC-001 Application Security Testing Procedure | 4.1-4.3 (07.a); 4.1 (07.b); 4.2 (07.c); 4.3 (07.d)
ENG-PROC-002 Third-Party Component Security Review Procedure | 1-5 (07.a); 2-3 (07.d)
ENG-PROC-003 Standard Change Management Procedure | 2-4 (07.b); 5 (07.c)
ENG-PROC-004 Emergency Change Management Procedure | 3 (07.b)

08.a–08.h — Network Protection
Implementing Document | Section/Steps
ENG-POL-003 Cloud and Core Infrastructure Security Policy | 3.1 (08.a)
ENG-POL-004 Network Security Policy | All (08.a); 3.1 (08.b); 3.2 (08.c); 3.7 (08.d); 3.3 (08.e); 3.4 (08.g); 3.1.1 (08.f, 08.h)

09.a–09.b — Data Protection and Cryptography
Implementing Document | Section/Steps
ENG-POL-003 Cloud and Core Infrastructure Security Policy | 3.3 (09.a); 3.5 (09.b)
OP-POL-001 Encryption and Key Management Policy | All (09.a, 09.b, 09.c)

10.c — Password Protection Systems
Implementing Document | Section/Steps
SEC-PROC-003 Password Policy Exception Procedure | 1-3

11.a — Access Control Policy
Implementing Document | Section/Steps
ENG-POL-003 Cloud and Core Infrastructure Security Policy | 3.2
ENG-POL-004 Network Security Policy | 3.6
SEC-POL-001 Information Security Policy | 3.4

12.a–12.f — Audit Logging and Monitoring
Implementing Document | Section/Steps
RES-POL-003 Security Event Detection and Monitoring Policy | 3.1 (12.a); 3.1.1 (12.d); 3.4 (12.c)
ENG-POL-004 Network Security Policy | 3.2, 3.6 (12.a)
ENG-POL-003 Cloud and Core Infrastructure Security Policy | 3.7 (12.b)
SEC-PROC-002 Internal Audit Procedure | 1-6 (12.f)
ENG-PROC-003 Standard Change Management Procedure | 1-6 (12.a)
ENG-PROC-004 Emergency Change Management Procedure | 1-5 (12.a)

13.a–13.e — Education, Training and Awareness; Disciplinary
Implementing Document | Section/Steps
ENG-POL-001 SDLC Policy | 3.4 (13.a)
OP-PROC-006 Workforce Screening and Background Check Procedure | 4-5 (13.b); 1-7 (02.b)
OP-PROC-008 Security Policy Sanction Procedure | 1-6 (13.e); 2-3 (13.b); 4-5 (13.d)
OP-POL-004 Workforce Security Policy | All (13.a–13.e)

14.a–14.g — Third Party Assurance and Supplier Management
Implementing Document | Section/Steps
SEC-PROC-005 Vendor Risk Assessment and Onboarding Procedure | 1-6 (14.b); 2-4 (14.f); 3 (14.a); 5-6 (14.c)
ENG-POL-006 Third-Party Component Management Policy | 3.3 (14.a); 3.1 (14.g)
ENG-PROC-002 Third-Party Component Security Review Procedure | 3-4 (14.f)

15.a–15.g — Incident Response
Implementing Document | Section/Steps
RES-POL-001 Incident Response Framework and Team Management Policy | All (15.a); 3.1, 3.2 (15.b); 3.1.2 (15.c); 3.5 (15.g)
RES-POL-003 Security Event Detection and Monitoring Policy | 3.3 (15.c)
RES-POL-004 Incident Communication and Regulatory Compliance Policy | All (15.d); 3.2 (15.e); 3.3 (15.f); 3.4 (15.g); 3.1 (15.c)
ENG-PROC-004 Emergency Change Management Procedure | 1-5 (15.a); 5 (15.f)
RES-PROC-001 Incident Response Plan (IRP) | 1-10 (15.a); 3-5 (15.b); 6-8 (15.c); 7 (15.d); 8 (15.e); 9-10 (15.f, 15.g)
RES-PROC-002 HIPAA Breach Risk Assessment Procedure | 1-3 (15.b, 15.f)
RES-PROC-003 Post-Incident Review Procedure | 1-4 (15.f, 15.g)

16.a–16.i — Business Continuity and Disaster Recovery
Implementing Document | Section/Steps
RES-POL-002 Business Continuity Management Policy | 3.1–3.6 (16.a–16.f)
RES-POL-005 Disaster Recovery and Technical Operations Policy | All (16.c); 3.1 (16.g); 3.2 (16.h); 3.3 (16.i); 3.5 (12.d)
RES-PROC-004 Business Impact Analysis (BIA) Procedure | 1-4 (16.b, 16.c, 16.a)
RES-PROC-005 IT Disaster Recovery Plan (DRP) | 1-8 (16.g, 16.c, 16.e)
RES-PROC-006 Business Continuity Plan (BCP) | 1-5 (16.d, 16.f, 16.a, 16.c)
RES-PROC-007 BCDR Testing and Exercise Procedure | 1-4 (16.e, 16.a, 16.d)

17.a–17.e — Risk Management
Implementing Document | Section/Steps
SEC-PROC-004 Risk Assessment Procedure | 1-6 (17.c); 1-2 (17.b); 3-4 (17.d); 5-6 (17.e)
SEC-POL-001 Information Security Policy | 3.2 (17.a)
SEC-PROC-003 Password Policy Exception Procedure | 2 (17.c)

19.e — Data Retention Requirements; 19.g — Privacy Impact Assessment
Implementing Document | Section/Steps
OP-POL-003 Data Retention and Disposal Policy | 3.1, 3.2 (19.e)
RES-PROC-002 HIPAA Breach Risk Assessment Procedure | 2-3 (19.g)
SOC 2 Trust Services Criteria

CC6.1 — Logical Access Security
Implementing Document | Section/Steps
SEC-POL-001 Information Security Policy | 3.4
OP-PROC-002 Mobile Device Onboarding Procedure | 1-7
OP-POL-002 Mobile Device Security Policy | Section A
ENG-POL-003 Cloud and Core Infrastructure Security Policy | All
ENG-POL-004 Network Security Policy | All
SEC-PROC-003 Password Policy Exception Procedure | 1-3

CC6.6 — Network Security; CC6.7 — Data Transmission; CC6.8 — System Security
Implementing Document | Section/Steps
ENG-POL-004 Network Security Policy | 3.1 (CC6.6); All (CC6.7)
ENG-POL-003 Cloud and Core Infrastructure Security Policy | 3.3 (CC6.7)
OP-POL-001 Encryption and Key Management Policy | 3.2, 3.2.4 (CC6.8)
ENG-POL-005 Secure Coding and Testing Policy | 3.1 (CC6.8)

CC7.1–CC7.2 — System Monitoring
Implementing Document | Section/Steps
RES-POL-003 Security Event Detection and Monitoring Policy | All (CC7.1); 3.1.1 (CC7.2)
ENG-POL-003 Cloud and Core Infrastructure Security Policy | 3.7 (CC7.1)
ENG-POL-004 Network Security Policy | 3.2, 3.6 (CC7.2); 3.2, 3.3 (CC7.1)
SEC-PROC-008/009 Vulnerability Management (Std/Exception) Procedures | 1-6 (CC7.1)
RES-PROC-001 Incident Response Plan (IRP) | 1-10 (CC7.1, CC7.2)

CC8.1 — Change Management
Implementing Document | Section/Steps
ENG-POL-001 SDLC Policy | All
ENG-POL-002 Change Control Policy | All
ENG-POL-003 Cloud and Core Infrastructure Security Policy | 3.4
ENG-POL-004 Network Security Policy | 3.4
ENG-PROC-001 AppSec Testing Procedure | 4.1-4.3
ENG-PROC-003 Standard Change Management Procedure | 1-6
ENG-PROC-004 Emergency Change Management Procedure | 1-5

A1.1–A1.3 — Availability
Implementing Document | Section/Steps
RES-POL-002 Business Continuity Management Policy | 3.1, 3.4 (A1.1); 3.3, 3.4 (A1.2); 3.5 (A1.3)
RES-POL-005 Disaster Recovery and Technical Operations Policy | All (A1.1); 3.1 (A1.2); 3.5 (A1.3)
RES-PROC-004/006/007 BIA/BCP/BCDR Tests | 1-4/1-5/1-4

PI1.1–PI1.2 — Processing Integrity (from OP-POL-002)
Implementing Document | Section/Steps
OP-POL-002 Mobile Device Security Policy | 3.5 (PI1.1, PI1.2)

Implementing Document | Section/Steps
SEC-POL-001 Information Security Policy | 3.1 (CC2.1)
RES-POL-001 Incident Response Framework | 3.5 (CC2.1)
RES-POL-004 Incident Communication and Regulatory Compliance Policy | 3.3 (CC2.1); 3.4 (CC2.2)
SEC-PROC-001 InfoSec Committee Charter Procedure | 1-5 (CC2.1)
OP-POL-004 Workforce Security Policy | 3.1, 3.2 (CC2.1, CC2.2)
HIPAA Security Rule (45 CFR § 164)

§ 164.308(a)(1) — Security Management Process
Implementing Document | Section/Steps
SEC-POL-008 Vulnerability Management Policy | All
ENG-POL-003 Cloud and Core Infrastructure Security Policy | All
ENG-POL-005 Secure Coding and Testing Policy | All
ENG-POL-006 Third-Party Component Management Policy | All

Implementing Document | Section/Steps
SEC-POL-001 Information Security Policy | 3.1 (a)(2); 3.4 (a)(4); 3.5 (a)(5); 3.6 (a)(6); 3.7 (a)(7); 3.9 (a)(8)
OP-POL-004 Workforce Security Policy | All (a)(3)
OP-PROC-006 Workforce Screening Procedure | 1-7 (a)(3)
RES-POL-001 Incident Response Framework | All (a)(6)
RES-PROC-001 Incident Response Plan | 1-10 (a)(6)
RES-POL-002/RES-POL-005 BCM/DR | As mapped (a)(7)
ENG-POL-001 SDLC Policy | 3.4 (a)(5)
ENG-PROC-001 AppSec Testing Procedure | 4.1-4.3 (a)(8)

Implementing Document | Section/Steps
OP-PROC-004 Secure Media Disposal and Sanitization Procedure | 4.1-4.2

§ 164.312 — Technical Safeguards
Safeguard | Implementing Document Section/Steps
Access Control (a)(1), (a)(2)(i), (a)(2)(iv) | ENG-POL-005 3.1 (a)(1); ENG-POL-005 3.1.1 (a)(2)(i); OP-POL-001 3.1.1, 3.2.4 (a)(2)(iv); ENG-POL-003 3.3 (a)(2)(iv)
Audit Controls (b) | ENG-POL-003 3.7; ENG-POL-004 3.2, 3.5, 3.6; RES-POL-003 3.1; RES-POL-004 3.2.3; ENG/RES Procedures as mapped
Integrity (c)(1) | ENG-POL-002 3.1, 3.2; ENG-PROC-003 1-6
Transmission Security (e)(1), (e)(2)(ii) | OP-POL-001 3.1.1, 3.2.4; ENG-POL-003 3.3; ENG-POL-004 3.5, 3.6
Business Associate (164.314(a)(1)) | ENG-POL-006 3.3

HIPAA Breach Notification Rule — § 164.400–414
Implementing Document | Section/Steps
RES-POL-004 Incident Communication and Regulatory Compliance Policy | 3.2.1
RES-PROC-002 HIPAA Breach Risk Assessment Procedure | 1-3
NIST Cybersecurity Framework (CSF)

PR.AC — Identity Management and Access Control
Implementing Document | Section/Steps
ENG-POL-003 Cloud and Core Infrastructure Security Policy | All
ENG-POL-004 Network Security Policy | All
OP-POL-002 Mobile Device Security Policy | 3.2

PR.DS — Data Security; PR.IP-1 — Baseline Security; PR.PT — Protective Technology; PR.AT-1 — Awareness & Training
Implementing Document | Section/Steps
ENG-POL-003 Cloud and Core Infrastructure Security Policy | 3.3 (PR.DS); 3.5 (PR.PT)
ENG-POL-005 Secure Coding and Testing Policy | All (PR.IP-1)
ENG-POL-001 SDLC Policy | All (PR.IP-1); 3.4 (PR.AT-1)
OP-POL-002 Mobile Device Security Policy | 3.11 (PR.AT)

DE.CM — Security Continuous Monitoring; DE.AE — Anomalies and Events
Implementing Document | Section/Steps
ENG-POL-003 Cloud and Core Infrastructure Security Policy | 3.7 (DE.CM, DE.AE)
ENG-POL-004 Network Security Policy | 3.2 (DE.CM); 3.2, 3.3 (DE.AE)
RES-POL-003 Security Event Detection and Monitoring Policy | All (DE.CM); 3.1 (DE.AE)

RS.MI — Mitigation; RS.CO — Communications; RS.RP — Response Planning; RC.IM — Improvements; RC.RP — Recovery Planning; RC.CO — Recovery Communications
Implementing Document | Section/Steps
ENG-POL-003 Cloud and Core Infrastructure Security Policy | 3.7 (RS.MI)
RES-POL-003 Security Event Detection and Monitoring Policy | 3.3 (RS.CO)
RES-POL-004 Incident Communication and Regulatory Compliance Policy | All (RS.CO); 3.1 (RS.RP); 3.4 (RC.IM)
RES-POL-002/RES-POL-005 BCM/DR | All (RC.RP); 3.3 (RC.CO); 3.5 (RC.IM)
RES-PROC-001/004/005/006/007 IRP/BIA/DRP/BCP/BCDR Tests | As mapped
ISO/IEC 27001:2013

Implementing Document | Section/Steps
RES-POL-002 Business Continuity Management Policy | 3.1, 3.2
RES-PROC-007 BCDR Testing and Exercise Procedure | 1-4 (verify/review)

Implementing Document | Section/Steps
RES-POL-002 Business Continuity Management Policy | 3.2, 3.3 (A.17.1.1); 3.5 (A.17.1.3)
Other Referenced Frameworks and Standards

CIS Controls — Control 4, 5
Implementing Document | Section/Steps
ENG-POL-003 Cloud and Core Infrastructure Security Policy | 3.1.2

OWASP SAMM; OWASP Top 10
Implementing Document | Section/Steps
ENG-POL-001 SDLC Policy | All (OWASP SAMM)
ENG-POL-005 Secure Coding and Testing Policy | 3.1 (OWASP Top 10)

Implementing Document | Section/Steps
OP-PROC-004 Secure Media Disposal and Sanitization Procedure | 4.1

NIST SP 800-34 Rev. 1 — Business Process Contingency Planning
Implementing Document | Section/Steps
RES-POL-002 Business Continuity Management Policy | 3.4, 3.5

NIST SP 800-161 — Supply Chain Risk Management; NIST SP 800-218 — SSDF
Implementing Document | Section/Steps
ENG-POL-006 Third-Party Component Management Policy | 3.1 (800-161); 3.2 (800-218)