RUST CSF Version 9.3.

1 Authoritative Sources Cross-Reference

damental to HITRUST’s mission is the availability of a framework that provides the needed structure, clarity, functionality, and cross-referen
uthoritative sources. This document provides detailed cross-references to the many standards and regulations incorporated into the
ework. The "CSF Cross-Reference" worksheet maps each control reference to applicable standards and regulations. Further, additional
ksheets provide mappings from the standard/regulation to applicable CSF control references.

019 HITRUST. All rights reserved. Any commercial uses or creations of derivative works are prohibited. No part of this publication may be
oduced or utilized other than being shared as is in full, in any form or by any means, electronical or mechanical, without HITRUST’s prior
tten permission.

© 2019 HITRUST. All rights reserved.

 HITRUST CSF v9.3
00.a Information Security Management
Program
01.a Access Control Policy
01.b User Registration
01.c Privilege Management
01.d User Password Management
01.e Review of User Access Rights
01.f Password Use
01.g Unattended User Equipment
01.h Clear Desk and Clear Screen Policy
01.i Policy on the Use of Network
Services
01.j User Authentication for External
Connections
01.k Equipment Identification in
Networks
01.l Remote Diagnostic and
Configuration Port Protection
01.m Segregation in Networks
01.n Network Connection Control
01.o Network Routing Control
01.p Secure Log-on Procedures
01.q User Identification and
Authentication
01.r Password Management System
01.s Use of System Utilities
01.t Session Time-out
01.u Limitation of Connection Time
01.v Information Access Restriction
© 2019 HITRUST. All rights reserved.
1 TAC 15 390.2
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(3) 16 CFR Part § 681 Appendix A III(b)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
16 CFR 681 201 CMR 17.00 21 CFR 11 23 NYCRR 500 45 CFR HIPAA.BN 45 CFR HIPAA.GE 45 CFR HIPAA.PR 45 CFR HIPAA.SR
45 CFR Part § 164.308(a)(1)(i) HIPAA.SR
23 NYCRR 500.02(c) 45 CFR Part § 164.308(a)(1)(ii)(A) HIPAA.SR
23 NYCRR 500.02(d)
23 NYCRR 500.17(b) 45 CFR Part § 164.308(a)(1)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(8) HIPAA.SR
23 NYCRR 500.19(e) 45 CFR Part § 164.316(b)(1) HIPAA.SR
23 NYCRR 500.21 45 CFR Part § 164.316(b)(2)(iii) HIPAA.SR
45 CFR Part § 164.308(a)(3)(i) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(4)(i) HIPAA.SR
21 CFR Part 11.10(d) 45 CFR Part § 164.308(a)(4)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(B) HIPAA.SR
45 CFR Part § 164.312(a)(1) HIPAA.SR
45 CFR Part § 164.312(a)(2)(ii) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(C) HIPAA.SR
45 CFR Part § 164.308(a)(4)(i) HIPAA.SR
201 CMR 17.04(1)(d) 45 CFR Part § 164.308(a)(4)(ii)(B) HIPAA.SR
21 CFR Part 11.10(d)
201 CMR 17.04(2)(a) 21 CFR Part 11.10(g) 45 CFR Part § 164.308(a)(4)(ii)(C) HIPAA.SR
201 CMR 17.04(2)(b) 21 CFR Part 11.100(b) 45 CFR Part § 164.308(a)(5)(ii)(C) HIPAA.SR
201 CMR 17.04(2)(d) 45 CFR Part § 164.308(a)(5)(ii)(D) HIPAA.SR
45 CFR Part § 164.310(a)(2)(iii) HIPAA.SR
45 CFR Part § 164.312(a)(2)(i) HIPAA.SR
45 CFR Part § 164.312(a)(2)(ii) HIPAA.SR
45 CFR Part § 164.312(d) HIPAA.SR
45 CFR Part § 164.308(a)(3)(i) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(4)(i) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(A) HIPAA.SR
201 CMR 17.04(2)(a) 21 CFR Part 11.10(d) 45 CFR Part § 164.308(a)(4)(ii)(B) HIPAA.SR
21 CFR Part 11.10(g) 45 CFR Part § 164.308(a)(4)(ii)(C) HIPAA.SR
45 CFR Part § 164.308(a)(5)(ii)(C) HIPAA.SR
45 CFR Part § 164.312(a)(1) HIPAA.SR
45 CFR Part § 164.312(a)(2)(i) HIPAA.SR
45 CFR Part § 164.312(a)(2)(ii) HIPAA.SR
21 CFR Part 11.200(a)
201 CMR 17.04(1)(b) 21 CFR Part 11.3 45 CFR Part § 164.308(a)(5)(ii)(D) HIPAA.SR
21 CFR Part 11.300
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(C) HIPAA.SR
201 CMR 17.03(2)(h) 21 CFR Part 11.10(d) 45 CFR Part § 164.308(a)(4)(i) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(C) HIPAA.SR
45 CFR Part § 164.308(a)(5)(ii)(C) HIPAA.SR
45 CFR Part § 164.312(a)(1) HIPAA.SR
201 CMR 17.04(1)(b) 45 CFR Part § 164.308(a)(5)(ii)(D) HIPAA.SR
201 CMR 17.04(1)(e)
45 CFR Part § 164.310(a)(1) HIPAA.SR
45 CFR Part § 164.310(b) HIPAA.SR
45 CFR Part § 164.310(c) HIPAA.SR
45 CFR Part § 164.312(a)(2)(iii) HIPAA.SR
45 CFR Part § 164.310(b) HIPAA.SR
45 CFR Part § 164.310(c) HIPAA.SR
45 CFR Part § 164.312(a)(2)(i) HIPAA.SR
45 CFR Part § 164.312(a)(2)(iii) HIPAA.SR
45 CFR Part § 164.308(a)(3)(i) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(4)(i) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(C) HIPAA.SR
45 CFR Part § 164.312(a)(1) HIPAA.SR
45 CFR Part § 164.310(b) HIPAA.SR
21 CFR Part 11.10(d)
45 CFR Part § 164.312(d) HIPAA.SR
45 CFR Part § 164.312(a)(2)(i) HIPAA.SR
45 CFR Part § 164.312(d) HIPAA.SR
45 CFR Part § 164.310(a)(2)(iii) HIPAA.SR
45 CFR Part § 164.310(b) HIPAA.SR
45 CFR Part § 164.310(c) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(4)(i) HIPAA.SR
45 CFR Part § 164.310(b) HIPAA.SR
201 CMR 17.04(6) 45 CFR Part § 164.310(b) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(B) HIPAA.SR
45 CFR Part § 164.312(e)(1) HIPAA.S R
45 CFR Part § 164.308(a)(4)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(5)(ii)(D) HIPAA.SR
45 CFR Part § 164.312(d) HIPAA.SR
21 CFR Part 11.10(d)
21 CFR Part 11.10(g)
45 CFR Part § 164.308(a)(3)(i) HIPAA.SR
201 CMR 17.04(1)(a) 21 CFR Part 11.100(a) 45 CFR Part § 164.308(a)(5)(ii)(D) HIPAA.SR
21 CFR Part 11.200(b)
201 CMR 17.04(2)(b) 21 CFR Part 11.50(a) 45 CFR Part § 164.312(a)(2)(i) HIPAA.SR
21 CFR Part 11.50(b) 45 CFR Part § 164.312(d) HIPAA.SR
21 CFR Part 11.70
201 CMR 17.04(1)(b)
201 CMR 17.04(1)(c) 45 CFR Part § 164.308(a)(5)(ii)(D) HIPAA.SR
45 CFR Part § 164.308(a)(3)(i) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(4)(i) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(C) HIPAA.SR
45 CFR Part § 164.310(a)(2)(iii) HIPAA.SR
45 CFR Part § 164.310(b) HIPAA.SR
45 CFR Part § 164.312(a)(1) HIPAA.SR
45 CFR Part § 164.312(a)(2)(i) HIPAA.SR
45 CFR Part § 164.312(a)(2)(ii) HIPAA.SR
45 CFR Part § 164.312(a)(2)(iv) HIPAA.SR
45 CFR Part § 164.312(b) HIPAA.SR
45 CFR Part § 164.310(b) HIPAA.SR
21 CFR Part 11.10(d)
45 CFR Part § 164.312(a)(2)(iii) HIPAA.SR
21 CFR Part 11.10(d)
45 CFR Part § 164.308(a)(3)(i) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(4)(i) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(C) HIPAA.SR
45 CFR Part § 164.310(b) HIPAA.SR
45 CFR Part § 164.312(a)(1) HIPAA.SR
45 CFR Part § 164.312(a)(2)(i) HIPAA.SR
AICPA TSP 100 APEC CAQH Core Phase 1
AICPA 2017 CC1.2
CAQH Core Phase 1 102: Eligibility
AICPA 2017 CC2.3 and Benefits Certification Policy CAQHPolicy
AICPA 2017 CC3.1
AICPA 2017 CC4.1 v1.1.0 Subsection 3.4
AICPA 2017 CC5.2
AICPA 2017 CC6.1
AICPA 2017 CC6.2 CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification
and Benefits Certification Policy
AICPA 2017 CC6.3 v1.1.0 Subsection 3.4
AICPA 2017 CC6.4
AICPA 2017 CC6.8
AICPA 2017 CC5.2 CAQH Core Phase 1 102: Eligibility
AICPA 2017 CC6.2 and Benefits Certification Policy CAQHPolicy
AICPA 2017 CC6.3 v1.1.0 Subsection 3.4
AICPA 2017 CC6.2 CAQH Core Phase 1 102: Eligibility
AICPA 2017 CC6.3 and Benefits Certification Policy CAQHPolicy
AICPA 2017 CC6.8 v1.1.0 Subsection 3.4
CAQH Core Phase 1 102: Eligibility
and Benefits Certification Policy
AICPA 2017 CC6.6 v1.1.0 Subsection 3.4
CAQH Core Phase 1 153: Eligibility
and Benefits Connectivity Rule
v1.1.0 Subsection 5.2
CAQH Core Phase 1 102: Eligibility
and Benefits Certification Policy CAQHPolicy
v1.1.0 Subsection 3.4
CAQH Core Phase 1 102: Eligibility
and Benefits Certification Policy
v1.1.0 Subsection 3.4
CAQH Core Phase 1 153: Eligibility
and Benefits Connectivity Rule
v1.1.0 Subsection 5.2
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification
and Benefits Certification Policy
v1.1.0 Subsection 3.4
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification
AICPA 2017 CC6.1 and Benefits Certification Policy
v1.1.0 Subsection 3.4
AICPA 2017 CC6.1
AICPA 2017 CC6.6
AICPA 2017 CC6.1
AICPA 2017 CC6.1
AICPA 2017 CC6.8
AICPA 2017 CC6.1
AICPA 2017 CC6.6
AICPA 2017 CC6.6
CAQH Core Phase 1 102: Eligibility
and Benefits Certification Policy
v1.1.0 Subsection 3.4
AICPA 2017 CC6.1
CAQH Core Phase 1 153: Eligibility
and Benefits Connectivity Rule
v1.1.0 Subsection 5.2
CAQH Core Phase 1 102: Eligibility
and Benefits Certification Policy
v1.1.0 Subsection 3.4
CAQH Core Phase 1 153: Eligibility
and Benefits Connectivity Rule
v1.1.0 Subsection 5.2
AICPA 2017 CC6.1
AICPA 2017 CC6.2
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification
and Benefits Certification Policy
v1.1.0 Subsection 3.4
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification
and Benefits Certification Policy
v1.1.0 Subsection 3.4
CAQH Core Phase 2
Core Phase 2 202: Certification
v2.1.0 Subsection 3.4
Policy v2.1.0 Subsection 3.4
Core Phase 2 202: Certification
v2.1.0 Subsection 3.4
Core Phase 2 202: Certification
v2.1.0 Subsection 3.4
Core Phase 2 202: Certification
v2.1.0 Subsection 3.4
CAQH Core Phase 2 202: Certification
Policy v2.1.0 Subsection 3.4
Policy v2.1.0 Subsection 3.4
Policy v2.1.0 Subsection 3.4
Policy v2.1.0 Subsection 3.4
Policy v2.1.0 Subsection 3.4
CCPA 1798 CIS Controls v7.1 CMS ARS v3.1
CMSRs v3.1 PM- 01 (HIGH; MOD)
CMSRs v3.1 PM- 02 (HIGH; MOD)
CMSRs v3.1 PM- 03 (HIGH; MOD)
CMSRs v3.1 PM- 04 (HIGH; MOD)
CMSRs v3.1 PM- 06 (HIGH; MOD)
CMSRs v3.1 PM- 09 (HIGH; MOD)
CMSRs v3.1 PM- 13 (HIGH; MOD)
CMSRs v3.1 AC-01 (HIGH; MOD)
CMSRs v3.1 AC-02 (HIGH; MOD)
CMSRs v3.1 AC-02 (HIGH; MOD)
CMSRs v3.1 AC-02(01) (HIGH; MOD)
CMSRs v3.1 AC-02(02) (HIGH; MOD)
CMSRs v3.1 AC-02(03) (HIGH; MOD)
CIS CSC v7.1 16.7 CMSRs v3.1 AC-02(13) (HIGH)
CIS CSC v7.1 16.10 CMSRs v3.1 IA-01 (HIGH; MOD)
CMSRs v3.1 IA-04 (HIGH; MOD)
CMSRs v3.1 IA-05 (HIGH; MOD)
CMSRs v3.1 IA-05(03) (HIGH; MOD)
CMSRs v3.1 AC-02 (HIGH; MOD)
CMSRs v3.1 AC-06 (HIGH; MOD)
CMSRs v3.1 AC-06(01) (HIGH; MOD)
CMSRs v3.1 AC-06(02) (HIGH; MOD)
CIS CSC v7.1 4.1 CMSRs v3.1 AC-06(03) (HIGH)
CIS CSC v7.1 4.3
CIS CSC v7.1 4.6 CMSRs v3.1 AC-06(03) (HIGH; MOD)
CIS CSC v7.1 11.6 CMSRs v3.1 AC-06(05) (HIGH; MOD)
CIS CSC v7.1 14.6 CMSRs v3.1 AC-06(09) (HIGH; MOD)
CMSRs v3.1 AC-06(10) (HIGH; MOD)
CMSRs v3.1 AC-10 (HIGH)
CMSRs v3.1 AC-21 (HIGH; MOD)
CMSRs v3.1 CM-07 (HIGH; MOD)
CMSRs v3.1 IA-05 (HIGH)
CIS CSC v7.1 16.5 CMSRs v3.1 IA-05 (HIGH; MOD)
CIS CSC v7.1 4.2 CMSRs v3.1 IA-05(01) (HIGH; MOD)
CIS CSC v7.1 16.7
CIS CSC v7.1 16.8 CMSRs v3.1 AC-02 (HIGH; MOD)
CIS CSC v7.1 16.9 CMSRs v3.1 PS-05 (HIGH; MOD)
CIS CSC v7.1 16.10
CMSRs v3.1 IA-05 (HIGH; MOD)
CMSRs v3.1 AC-11 (HIGH; MOD)
CMSRs v3.1 PE-05 (HIGH; MOD)
CMSRs v3.1 AC-11 (HIGH; MOD)
CMSRs v3.1 MP-03 (HIGH; MOD)
CMSRs v3.1 AC-01 (HIGH; MOD)
CIS CSC v7.1 13.4 CMSRs v3.1 AC-20 (HIGH; MOD)
CMSRs v3.1 CM-07 (HIGH; MOD)
CMSRs v3.1 AC-02 (HIGH; MOD)
CMSRs v3.1 AC-06(03) (HIGH)
CMSRs v3.1 AC-17 (HIGH; MOD)
CMSRs v3.1 AC-17(01) (HIGH; MOD)
CMSRs v3.1 AC-17(02) (HIGH; MOD)
CMSRs v3.1 AC-17(03) (HIGH; MOD)
CMSRs v3.1 AC-17(04) (HIGH; MOD)
CMSRs v3.1 AC-18 (HIGH; MOD)
CIS CSC v7.1 12.11 CMSRs v3.1 AC-18(01) (HIGH; MOD)
CIS CSC v7.1 15.8 CMSRs v3.1 CM-02 (HIGH; MOD)
CIS CSC v7.1 4.5 CMSRs v3.1 CM-02(02) (HIGH)
CMSRs v3.1 IA-(08) (HIGH; MOD)
CMSRs v3.1 IA-02 (HIGH; MOD)
CMSRs v3.1 IA-08 (HIGH; MOD)
CMSRs v3.1 IA-08(01) (HIGH; MOD)
CMSRs v3.1 IA-08(02) (HIGH; MOD)
CMSRs v3.1 IA-08(03) (HIGH; MOD)
CMSRs v3.1 IA-08(04) (HIGH; MOD)
CMSRs v3.1 MA-04 (HIGH; MOD)
CMSRs v3.1 IA-03 (HIGH; MOD)
CMSRs v3.1 IA-05 (HIGH; MOD)
CMSRs v3.1 CM-07 (HIGH; MOD)
CMSRs v3.1 CM-07(01) (HIGH; MOD)
CIS CSC v7.1 15.6 CMSRs v3.1 CM-07(02) (HIGH; MOD)
CIS CSC v7.1 2.1 CMSRs v3.1 CM-07(05) (HIGH)
CIS CSC v7.1 8.4 CMSRs v3.1 MA-04 (HIGH; MOD)
CIS CSC v7.1 9.2 CMSRs v3.1 MA-04(02) (HIGH; MOD)
CIS CSC v7.1 9.3 CMSRs v3.1 MA-04(03) (HIGH)
CMSRs v3.1 PE-03(01) (HIGH)
CMSRs v3.1 SC-15(01) (HIGH; MOD)
CIS CSC v7.1 11.17
CIS CSC v7.1 11.6 CMSRs v3.1 AC-04 (HIGH; MOD)
CIS CSC v7.1 11.7 CMSRs v3.1 SC-07 (HIGH; MOD)
CIS CSC v7.1 14.1 CMSRs v3.1 SC-07(13) (HIGH)
CMSRs v3.1 SC-07(21) (HIGH)
CIS CSC v7.1 15.10 CMSRs v3.1 SC-32 (HIGH)
CIS CSC v7.1 2.10
CMSRs v3.1 AC-02(11) (HIGH)
CMSRs v3.1 AC-17(03) (HIGH; MOD)
CMSRs v3.1 SC-07 (HIGH; MOD)
CIS CSC v7.1 12.9 CMSRs v3.1 SC-07(03) (HIGH; MOD)
CIS CSC v7.1 16.5 CMSRs v3.1 SC-07(04) (HIGH; MOD)
CMSRs v3.1 SC-07(05) (HIGH; MOD)
CMSRs v3.1 SC-07(07) (HIGH; MOD)
CMSRs v3.1 SC-07(08) (HIGH)
CMSRs v3.1 SC-08 (HIGH; MOD)
CIS CSC v7.1 12.9 CMSRs v3.1 AC-04 (HIGH; MOD)
CIS CSC v7.1 14.3 CMSRs v3.1 SC-07 (HIGH; MOD)
CMSRs v3.1 AC-07 (HIGH)
CMSRs v3.1 AC-07 (HIGH; MOD)
CMSRs v3.1 AC-08 (HIGH; MOD)
CMSRs v3.1 AC-09 (HIGH)
CIS CSC v7.1 16.5 CMSRs v3.1 AC-10 (HIGH)
CMSRs v3.1 AT-02 (HIGH; MOD)
CMSRs v3.1 AU-02 (HIGH; MOD)
CMSRs v3.1 AU-12 (HIGH; MOD)
CMSRs v3.1 IA-06 (HIGH; MOD)
CMSRs v3.1 AC-06(02) (HIGH; MOD)
CMSRs v3.1 CM-08(03) (HIGH; MOD)
CMSRs v3.1 IA-02 (HIGH; MOD)
CMSRs v3.1 IA-02(01) (HIGH; MOD)
CMSRs v3.1 IA-02(02) (HIGH; MOD)
CMSRs v3.1 IA-02(03) (HIGH; MOD)
CMSRs v3.1 IA-02(04) (HIGH)
CIS CSC v7.1 11.5 CMSRs v3.1 IA-02(08) (HIGH; MOD)
CIS CSC v7.1 16.10 CMSRs v3.1 IA-02(09) (HIGH)
CIS CSC v7.1 16.2 CMSRs v3.1 IA-02(11) (HIGH)
CIS CSC v7.1 4.5 CMSRs v3.1 IA-02(11) (HIGH; MOD)
CMSRs v3.1 IA-02(12) (HIGH; MOD)
CMSRs v3.1 IA-04 (HIGH; MOD)
CMSRs v3.1 IA-05 (HIGH; MOD)
CMSRs v3.1 IA-05(02) (HIGH; MOD)
CMSRs v3.1 IA-05(03) (HIGH; MOD)
CMSRs v3.1 IA-05(11) (HIGH; MOD)
CMSRs v3.1 IA-08 (HIGH; MOD)
CMSRs v3.1 IA-05 (HIGH; MOD)
CMSRs v3.1 IA-05(01) (HIGH; MOD)
CMSRs v3.1 IA-05(02) (HIGH; MOD)
CMSRs v3.1 AC-03 (HIGH; MOD)
CMSRs v3.1 AC-06 (HIGH; MOD)
CMSRs v3.1 AC-02(05) (HIGH)
CMSRs v3.1 AC-11 (HIGH; MOD)
CIS CSC v7.1 16.11 CMSRs v3.1 AC-11(01) (HIGH; MOD)
CMSRs v3.1 AC-12 (HIGH; MOD)
CMSRs v3.1 SC-10 (HIGH; MOD)
CMSRs v3.1 AC-03 (HIGH; MOD)
CMSRs v3.1 AC-06 (HIGH; MOD)
CIS CSC v7.1 14.6 CMSRs v3.1 AC-14 (HIGH; MOD)
CMS Rs v3.1 DM-01 (HIGH; MOD)
CMSRs v3.1 SC-15 (HIGH; MOD)
COBIT 5 CSA CCM v3.0.1 DHS CISA CRR (2016) EHNAC EU GDPR FedRAMP FFIEC IS HITRUST HITRUST De-ID Framework v1 IRS Pub 1075 (2016) ISO/IEC 27001:2013 ISO/IEC 27002:2013 ISO/IEC 27799:2016 ISO/IEC 29100:2011 ISO/IEC 29151:2017 MARS-E v2 NIST Cybersecurity Framework v1.1 NIST SP 800-122
ISO/IEC 27001:2013 4.1
ISO/IEC 27001:2013 4.2(b)
ISO/IEC 27001:2013 4.4
ISO/IEC 27001:2013 5.1(a)
ISO/IEC 27001:2013 5.1(c)
ISO/IEC 27001:2013 5.1(d)
ISO/IEC 27001:2013 5.1(e)
ISO/IEC 27001:2013 5.1(f)
ISO/IEC 27001:2013 5.1(g)
ISO/IEC 27001:2013 5.2
ISO/IEC 27001:2013 5.3
ISO/IEC 27001:2013 6.1.1
IS O/IEC 27001:2013 6.1.1(c)
CRR v2016 CM:G1.Q1 ISO/IEC 27001:2013 6.1.1(d) NIST Cybersecurity Framework v1.1 ID.AM-6
CRR v2016 CM:G2.Q1 FFIEC IS v2016 A.1.4 ISO/IEC 27001:2013 6.1.1(e) MARS-E v2 PM- 1 NIST Cybersecurity F ramework v1.1 ID.GV-1
CRR v2016 CM:G4.Q1 FFIEC IS v2016 A.2.2 ISO/IEC 27001:2013 6.2 MARS-E v2 PM- 2 NIST Cybersecurity F ramework v1.1 ID.GV-4
CRR v2016 CM:MIL2.Q1 FFIEC IS v2016 A.2.3 ISO/IEC 27001:2013 6.2(e) MARS-E v2 PM- 3 NIST Cybersecurity Framework v1.1 PR.AT-1
COBIT 5 APO13.02 CSA CCM v3.0.1 GRM-04 CRR v2016 CM:MIL2.Q2 EHNAC Accreditation Committee FFIEC IS v2016 A.2.8 De-ID Framework v1 Privacy and Security IRS Pub 1075 v2016 9.3.18.1 ISO/IEC 27001:2013 7.1 MARS-E v2 PM- 4 NIST Cybersecurity Framework v1.1 PR.AT-2
COBIT 5 DSS05.07 Program: General
CRR v2016 CM:MIL2.Q4 FFIEC IS v2016 A.6.1 ISO/IEC 27001:2013 7.2 MARS-E v2 PM- 6 NIST Cybersecurity Framework v1.1 PR.AT-3
CRR v2016 SA:MIL2.Q2 FFIEC IS v2016 A.7.4(a) ISO/IEC 27001:2013 7.3(b) MARS-E v2 PM- 9 NIST Cybersecurity Framework v1.1 PR.AT-4
CRR v2016 TA:MIL3.Q1 FFIEC IS v2016 A.7.4(b) ISO/IEC 27001:2013 7.3(c) MARS-E v2 PM-13 NIST Cybersecurity Framework v1.1 PR.AT-5
CRR v2016 VM:MIL3.Q1 ISO/IEC 27001:2013 7.4 NIST Cybersecurity Framework v1.1 PR.IP-7
ISO/IEC 27001:2013 7.5.1(a)
ISO/IEC 27001:2013 7.5.2
ISO/IEC 27001:2013 7.5.3
ISO/IEC 27001:2013 8.1
ISO/IEC 27001:2013 8.2
ISO/IEC 27001:2013 8.3
ISO/IEC 27001:2013 9.1
ISO/IEC 27001:2013 9.2
ISO/IEC 27001:2013 9.3
ISO/IEC 27001:2013 9.3(b)
ISO/IEC 27001:2013 9.3(f)
ISO/IEC 27001:2013 10.1(c)
ISO/IEC 27001:2013 10.2
NIST Cybersecurity Framework v1.1 ID.AM-5
ISO/IEC 27002:2013 9.1.1 NIST Cybersecurity Framework v1.1 ID.AM-6
CRR v2016 CCM:G2.Q4 FedRAMP AC-1 FFIEC IS v2016 A.6.22(d) IRS Pub 1075 v2016 9.3.1.1 ISO/IEC 27002:2013 9.1.2 ISO/IEC 27799:2016 9.1.1 MARS-E v2 AC-1 NIST Cybersecurity F ramework v1.1 ID.GV-3
CSA CCM v3.0.1 IAM-02 CRR v2016 CCM:G2.Q8 De-ID Framework v1 Access Control: General ISO/IEC 27002:2013 9.2.1 ISO/IEC 27799:2016 9.1.2 NIST Cybersecurity F ramework v1.1 ID.GV-4
CRR v2016 CCM:G2.Q10 FedRAMP AC-2 FFIEC IS v2016 A.6.8(c) IRS Pub 1075 v2016 9.3.1.2 ISO/IEC 27002:2013 9.2.2 ISO/IEC 27799:2016 9.2.1 MARS-E v2 AC-2 NIST Cybersecurity Framework v1.1 PR.AC-1
ISO/IEC 27002:2013 9.2.3 NIST Cybersecurity Framework v1.1 PR.AC-4
NIST Cybersecurity Framework v1.1 PR.AC-6
NIST Cybersecurity Framework v1.1 PR.IP- 11
NIST Cybersecurity Framework v1.1 PR.SC-6
FedRAMP AC-2
FedRAMP AC-2(1)
FedRAMP AC-2(10) MARS-E v2 AC-2 NIST Cybersecurity Framework v1.1 DE.CM-3
FedRAMP AC-2(2) MARS-E v2 AC-2(1)
FedRAMP AC-2(3) FFIEC IS v2016 A.6.20(a) MARS-E v2 AC-2(2) NIST Cybersecurity Framework v1.1 PR.AC-1
IRS Pub 1075 v2016 9.3.1.2 NIST Cybersecurity Framework v1.1 PR.AC-4
COBIT 5 DSS05.03 CSA CCM v3.0.1 IAM-08 EHNAC Accreditation Committee FedRAMP AC-2(4) FFIEC IS v2016 A.6.20(b) IRS Pub 1075 v2016 9.3.7.4 ISO/IEC 27001:2013 9.2.1 ISO/IEC 27002:2013 9.2.1 ISO/IEC 27799:2016 9.2.1 MARS-E v2 AC-2(3) NIST Cybersecurity Framework v1.1 PR.AC-6
COBIT 5 DSS05.04 CSA CCM v3.0.1 IAM-09 FedRAMP AC-2(9) FFIEC IS v2016 A.6.20(e) IRS Pub 1075 v2016 9.3.7.5 ISO/IEC 27002:2013 9.2.2 ISO/IEC 27799:2016 9.2.2 MARS-E v2 IA-1 NIST Cybersecurity Framework v1.1 PR.IP- 11
FedRAMP IA-1 FFIEC IS v2016 A.6.27(c) MARS-E v2 IA-4 NIST Cybersecurity Framework v1.1 RS.MI-1
FedRAMP IA-4 MARS-E v2 IA-5
FedRAMP IA-5 MARS-E v2 IA-5(3) NIST Cybersecurity Framework v1.1 RS.MI-2
FedRAMP IA-5(3)
FedRAMP PS-4
IRS Pub 1075 v2016 9.3.1.16 MARS-E v2 AC-10 NIST Cybersecurity Framework v1.1 DE.CM-3
FedRAMP AC-2 IRS Pub 1075 v2016 9.3.1.2 MARS-E v2 AC-2 NIST Cybersecurity Framework v1.1 ID.AM-6
FedRAMP AC-2(7) IRS Pub 1075 v2016 9.3.1.6 MARS-E v2 AC-2(7) NIST Cybersecurity F ramework v1.1 ID.RM-1
FedRAMP AC-21 FFIEC IS v2016 A.6.20(d)
FedRAMP AC-6 FFIEC IS v2016 A.6.21(a) De-ID Framework v1 Access Control: Access IRS Pub 1075 v2016 9.3.10.6 MARS-E v2 AC-3(9) NIST Cybersecurity Framework v1.1 PR.AC-1
CSA CCM v3.0.1 IAM-04 CRR v2016 AM:G5.Q5 Policies IRS Pub 1075 v2016 9.3.5.7 ISO/IEC 27002:2013 9.1.1 MARS-E v2 AC-6 NIST Cybersecurity Framework v1.1 PR.AC-4
COBIT 5 DSS05.04 CSA CCM v3.0.1 IAM-09 CRR v2016 CCM:G2.Q4 FedRAMP AC-6(1) FFIEC IS v2016 A.6.22(b) De-ID F ramework v1 Identification and IRS Pub 1075 v2016 9.3.7.5 ISO/IEC 27002:2013 9.2.3 ISO/IEC 27799:2016 9.1.1 MARS-E v2 AC-6(1) NIST Cybersecurity Framework v1.1 PR.AC-6
CSA CCM v3.0.1 IVS-11 CRR v2016 CM:G2.Q10 FedRAMP AC-6(10) FFIEC IS v2016 A.6.27(b) Authentication (Application-level): IRS Pub 1075 v2016 9.4.11 ISO/IEC 27002:2013 9.2.3(b) ISO/IEC 27799:2016 9.2.3 MARS-E v2 AC-6(10) NIST Cybersecurity Framework v1.1 PR.DS-5
FedRAMP AC-6(2) FFIEC IS v2016 A.6.29 Authentication Policy IRS Pub 1075 v2016 9.4.13 MARS-E v2 AC-6(2) NIST Cybersecurity Framework v1.1 PR.IP- 11
FedRAMP AC-6(5) FFIEC IS v2016 A.6.8(c)
FedRAMP AC-6(9) IRS Pub 1075 v2016 9.4.14 MARS-E v2 AC-6(5) NIST Cybersecurity Framework v1.1 PR.PT-1
IRS Pub 1075 v2016 9.4.9 MARS-E v2 AC-6(9) NIST Cybersecurity Framework v1.1 PR.PT-2
FedRAMP CM-7 IRS Pub 1075 v2016 Exhibit 10 MARS-E v2 CM-7 NIST Cybersecurity Framework v1.1 PR.PT-4
FedRAMP IA-5 ISO/IEC 27002:2013 9.2.4 ISO/IEC 27799:2016 9.2.4 NIST Cybersecurity Framework v1.1 PR.AC-1
FedRAMP IA-5(1) MARS-E v2 IA-5
CSA CCM v3.0.1 IAM-12 FedRAMP IA-5(4) FFIEC IS v2016 A.6.22(a) HITRUST IRS Pub 1075 v2016 9.3.1.16 ISO/IEC 27002:2013 9.3.1 ISO/IEC 27799:2016 9.3.1 MARS-E v2 IA-5(1) NIST Cybersecurity Framework v1.1 PR.DS-1
CSA CCM v3.0.1 MOS-16 FedRAMP IA-5(6) IRS Pub 1075 v2016 9.3.7.5 ISO/IEC 27002:2013 9.4.2 ISO/IEC 27799:2016 9.4.2 MARS-E v2 IA-5(7) NIST Cybersecurity Framework v1.1 PR.DS-2
FedRAMP IA-5(7) ISO/IEC 27002:2013 9.4.3 ISO/IEC 27799:2016 9.4.3 NIST Cybersecurity Framework v1.1 PR.IP- 11
FedRAMP AC-2 F FIEC IS v2016 A.6.20(c) MARS-E v2 AC-2
COBIT 5 DSS05.04 CSA CCM v3.0.1 IAM-10 FedRAMP CM-5(5) FFIEC IS v2016 A.6.20(d) IRS Pub 1075 v2016 9.3.1.2 ISO/IEC 27001:2013 A.9.2.6 ISO/IEC 27002:2013 9.2.5 ISO/IEC 27799:2016 9.2.5 MARS-E v2 AC-2(7) NIST Cybersecurity Framework v1.1 PR.AC-1
FedRAMP PS-5 F FIEC IS v2016 A.6.22(c) MARS-E v2 PS-5 NIST Cybersecurity Framework v1.1 PR.AC-4
FF IEC IS v2016 A.6.8(c)
FedRAMP IA-5 IRS Pub 1075 v2016 9.3.7.5 ISO/IEC 27002:2013 9.3.1 ISO/IEC 27799:2016 9.3.1 MARS-E v2 IA-5 NIST Cybersecurity Framework v1.1 PR.AC-1
NIST Cybersecurity Framework v1.1 PR.AT-1
IRS Pub 1075 v2016 4.3.2 NIST Cybersecurity Framework v1.1 PR.AC-2
CSA CCM v3.0.1 HRS-10 FedRAMP PE-5 IRS Pub 1075 v2016 9.3.1.9 ISO/IEC 27002:2013 11.2.8 ISO/IEC 27799:2016 11.2.8 MARS-E v2 AC-11 NIST Cybersecurity Framework v1.1 PR.AT-1
IRS Pub 1075 v2016 9.3.11.5 MARS-E v2 PE-5 NIST Cybersecurity Framework v1.1 PR.IP-5
NIST Cybersecurity Framework v1.1 PR.PT-2
IRS Pub 1075 v2016 9.3.1.9 ISO/IEC 27002:2013 11.2.9 ISO/IEC 27799:2016 11.2.9 MARS-E v2 AC-11
CSA CCM v3.0.1 HRS-11 HITRUST De-ID Framework v1 Physical Security: General NIST Cybersecurity Framework v1.1 PR.PT-2
IRS Pub 1075 v2016 9.3.10.3 ISO/IEC 27002:2013 8.2.3 ISO/IEC 27799:2016 8.2.3 MARS-E v2 MP-3
NIST Cybersecurity Framework v1.1 DE.AE-1
CSA CCM v3.0.1 IAM-09 FedRAMP AC-20 FFIEC IS v2016 A.6.7(a) IRS Pub 1075 v2016 9.3.1.1 MARS-E v2 AC-1 NIST Cybersecurity Framework v1.1 ID.AM-4
CRR v2016 CM:G2.Q8 FFIEC IS v2016 A.6.7(b) IRS Pub 1075 v2016 9.3.1.15 ISO/IEC 27001:2013 9.1.2 ISO/IEC 27002:2013 9.1.2 ISO/IEC 27799:2016 9.1.2 MARS-E v2 AC-20
CSA CCM v3.0.1 IVS-06 FedRAMP CM-7 FFIEC IS v2016 A.6.7(c) IRS Pub 1075 v2016 9.3.5.7 MARS-E v2 CM-7 NIST Cybersecurity Framework v1.1 PR.IP-1
NIST Cybersecurity Framework v1.1 PR.PT-3
FedRAMP AC-17
FedRAMP AC-17(1) MARS-E v2 AC-17
FedRAMP AC-17(2)
FedRAMP AC-17(3) IRS Pub 1075 v2016 9.3.1.12 MARS-E v2 AC-17(1)
FedRAMP AC-17(4) IRS Pub 1075 v2016 9.3.1.13 MARS-E v2 AC-17(2) NIST Cybersecurity Framework v1.1 DE.AE-3
FedRAMP AC-17(9) IRS Pub 1075 v2016 9.3.1.2 MARS-E v2 AC-17(3) NIST Cybersecurity Framework v1.1 DE.CM-1
IRS Pub 1075 v2016 9.3.7.2 MARS-E v2 AC-18 NIST Cybersecurity Framework v1.1 PR.AC-1
FedRAMP AC-18 FFIEC IS v2016 A.6.21(e) De-ID Framework v1 Remote Access: IRS Pub 1075 v2016 9.3.7.5 MARS-E v2 AC-18(1) NIST Cybersecurity Framework v1.1 PR.AC-3
CRR v2016 CCM:G2.Q11 FedRAMP AC-18(1) FFIEC IS v2016 A.6.23 HITRUST
FedRAMP AC-2 FFIEC IS v2016 A.6.24 Applicability IRS Pub 1075 v2016 9.3.7.8 MARS-E v2 AC-2 NIST Cybersecurity Framework v1.1 PR.DS-1
FedRAMP IA-2 IRS Pub 1075 v2016 9.3.9.4 MARS-E v2 IA-2 NIST Cybersecurity Framework v1.1 PR.DS-2
FedRAMP IA-8(1) IRS Pub 1075 v2016 9.4.13 MARS-E v2 IA-5(11) NIST Cybersecurity Framework v1.1 PR.MA-2
IRS Pub 1075 v2016 9.4.18 MARS-E v2 IA-8 NIST Cybersecurity Framework v1.1 PR.PT-4
FedRAMP IA-8(2) IRS Pub 1075 v2016 Exhibit 10 MARS-E v2 ICM-2
FedRAMP IA-8(3)
FedRAMP IA-8(4) MARS-E v2 MA-4
FedRAMP MA-4
FedRAMP IA-3 IRS Pub 1075 v2016 9.3.7.3 MARS-E v2 IA-3 NIST Cybersecurity Framework v1.1 PR.AC-1
COBIT 5 DSS05.05 CSA CCM v3.0.1 DCS-03 FedRAMP IA-5 IRS Pub 1075 v2016 9.3.7.5 MARS-E v2 IA-5 NIST Cybersecurity Framework v1.1 PR.AC-2
NIST Cybersecurity Framework v1.1 PR.DS-1
NIST Cybersecurity Framework v1.1 DE.AE-1
NIST Cybersecurity Framework v1.1 ID.AM-2
FedRAMP CM-7 NIST Cybersecurity Framework v1.1 ID.AM-3
FedRAMP CM-7(1) MARS-E v2 CM-7 NIST Cybersecurity Framework v1.1 IS.AM-3
CSA CCM v3.0.1 IAM-03 FedRAMP CM-7(2) IRS Pub 1075 v2016 9.3.5.7 MARS-E v2 CM-7(1) NIST Cybersecurity Framework v1.1 PR.AC-2
COBIT 5 DSS05.05 CSA CCM v3.0.1 IVS-07 FedRAMP CM-7(5) IRS Pub 1075 v2016 9.3.9.4 MARS-E v2 MA-4 NIST Cybersecurity Framework v1.1 PR.IP-1
IRS Pub 1075 v2016 9.4.9 MARS-E v2 MA-4(2)
FedRAMP CM-8(3) MARS-E v2 MA-4(3) NIST Cybersecurity Framework v1.1 PR.IP-3
FedRAMP MA-4 NIST Cybersecurity Framework v1.1 PR.MA-1
NIST Cybersecurity Framework v1.1 PR.PT-3
NIST Cybersecurity Framework v1.1 PR.PT-4
IRS Pub 1075 v2016 9.3.1.4
IRS Pub 1075 v2016 9.3.16.5 NIST Cybersecurity Framework v1.1 DE.AE-1
CSA CCM v3.0.1 DSI-02 IRS Pub 1075 v2016 9.4.10 NIST Cybersecurity Framework v1.1 ID.AM-3
CSA CCM v3.0.1 IVS-06 CRR v2016 CM:G2.Q2 FedRAMP AC-4(21) FFIEC IS v2016 A.6.10 IRS Pub 1075 v2016 9.4.11 MARS-E v2 SC-32 NIST Cybersecurity Framework v1.1 PR.AC-4
COBIT 5 DSS05.02 CSA CCM v3.0.1 IVS-09 CRR v2016 CM:G2.Q8 FedRAMP SC-7 FFIEC IS v2016 A.6.17 IRS Pub 1075 v2016 9.4.13 ISO/IEC 27002:2013 13.1.3 ISO/IEC 27799:2016 13.1.3 MARS-E v2 SC-7 NIST Cybersecurity Framework v1.1 PR.AC-5
FedRAMP SC-7(13) IRS Pub 1075 v2016 9.4.14 MARS-E v2 SC-7(13) NIST Cybersecurity Framework v1.1 PR.DS-5
CSA CCM v3.0.1 IVS-10 IRS Pub 1075 v2016 9.4.15 NIST Cybersecurity Framework v1.1 PR.IP-1
IRS Pub 1075 v2016 9.4.18 NIST Cybersecurity Framework v1.1 PR.PT-4
IRS Pub 1075 v2016 9.4.5
FedRAMP AC-17 MARS-E v2 AC-17
FedRAMP AC-17(3) IRS Pub 1075 v2016 9.3.1.12 MARS-E v2 AC-17(3) NIST Cybersecurity Framework v1.1 DE.AE-1
IRS Pub 1075 v2016 9.3.1.4 NIST Cybersecurity Framework v1.1 DE.CM-1
FedRAMP SC-7 IRS Pub 1075 v2016 9.3.16.5 MARS-E v2 SC-7 NIST Cybersecurity Framework v1.1 PR.AC-3
CSA CCM v3.0.1 IVS-06 CRR v2016 CM:G2.Q2 FedRAMP SC-7(3) De-ID Framework v1 Transmission Encryption: IRS Pub 1075 v2016 9.4.10 MARS-E v2 SC-7(3) NIST Cybersecurity Framework v1.1 PR.AC-5
COBIT 5 DSS05.02 CSA CCM v3.0.1 IVS-09 CRR v2016 CM:G2.Q4 FedRAMP SC-7(4) Policies IRS Pub 1075 v2016 9.4.13 MARS-E v2 SC-7(4) NIST Cybersecurity Framework v1.1 PR.DS-2
CRR v2016 CM:G2.Q8 FedRAMP SC-7(5) MARS-E v2 SC-7(5)
FedRAMP SC-7(7) IRS Pub 1075 v2016 9.4.14 MARS-E v2 SC-7(7) NIST Cybersecurity Framework v1.1 PR.DS-5
IRS Pub 1075 v2016 9.4.16 NIST Cybersecurity Framework v1.1 PR.IP-3
FedRAMP SC-7(8) IRS Pub 1075 v2016 9.4.17 MARS-E v2 SC-7(8) NIST Cybersecurity Framework v1.1 PR.PT-4
FedRAMP SC-8 MARS-E v2 SC-8
IRS Pub 1075 v2016 9.3.1.4 NIST Cybersecurity Framework v1.1 ID.AM-3
CRR v2016 CM:G2.Q2 FedRAMP AC-4 MARS-E v2 AC-4 NIST Cybersecurity Framework v1.1 PR.AC-5
CRR v2016 CM:G2.Q8 FedRAMP SC-7 IRS Pub 1075 v2016 9.3.16.5 ISO/IEC 27002:2013 13.1.3 ISO/IEC 27799:2016 13.1.3 MARS-E v2 SC-7 NIST Cybersecurity Framework v1.1 PR.DS-5
IRS Pub 1075 v2016 9.4.10
NIST Cybersecurity Framework v1.1 PR.PT-4
MARS-E v2 AC-10
FedRAMP AC-10 IRS Pub 1075 v2016 9.3.1.7 MARS-E v2 AC-7 NIST Cybersecurity Framework v1.1 PR.AC-1
FedRAMP AC-7 IRS Pub 1075 v2016 9.3.1.8 ISO/IEC 27002:2013 7.2.2 ISO/IEC 27799:2016 7.2.2 MARS-E v2 AC-9 NIST Cybersecurity Framework v1.1 PR.AC-4
FedRAMP AT-2 HITRUST MARS-E v2 AT-2
FedRAMP AU-12 IRS Pub 1075 v2016 9.3.3.3 ISO/IEC 27002:2013 9.4.2 ISO/IEC 27799:2016 9.4.2 MARS-E v2 AU-12 NIST Cybersecurity Framework v1.1 PR.AT-1
FedRAMP IA-6 IRS Pub 1075 v2016 9.3.7.6 MARS-E v2 AU-2 NIST Cybersecurity Framework v1.1 PR.DS-5
MARS-E v2 IA-6
FedRAMP AC-6(2)
FedRAMP CP-9(3)
FedRAMP IA-2
FedRAMP IA-2(1) MARS-E v2 AC-6(2)
MARS-E v2 AU-5(1)
FedRAMP IA-2(11) MARS-E v2 IA-2
FedRAMP IA-2(12) MARS-E v2 IA-2(1)
FedRAMP IA-2(2) De-ID F ramework v1 Identification and IRS Pub 1075 v2016 9.3.1.12 MARS-E v2 IA-2(11) NIST Cybersecurity F ramework v1.1 ID.GV-4
FedRAMP IA-2(3) IRS Pub 1075 v2016 9.3.7.2 NIST Cybersecurity Framework v1.1 PR.AC-1
FedRAMP IA-2(5) Authentication (System-level): Authentication IRS Pub 1075 v2016 9.3.7.4 ISO/IEC 27002:2013 9.2.1 ISO/IEC 27799:2016 9.2.1 MARS-E v2 IA-2(2) NIST Cybersecurity Framework v1.1 PR.AC-3
COBIT 5 DSS05.04 CSA CCM v3.0.1 IAM-04 CRR v2016 CCM:G2.Q4 Policy MARS-E v2 IA-2(3)
FedRAMP IA-2(8) De-ID F ramework v1 Identification and IRS Pub 1075 v2016 9.3.7.5 ISO/IEC 27002:2013 9.2.3 ISO/IEC 27799:2016 9.2.3 MARS-E v2 IA-2(8) NIST Cybersecurity Framework v1.1 PR.AC-7
FedRAMP IA-3 Authentication: Authentication Policy IRS Pub 1075 v2016 9.3.7.8 MARS-E v2 IA-4 NIST Cybersecurity Framework v1.1 PR.AT-2
FedRAMP IA-4 IRS Pub 1075 v2016 Exhibit 10 MARS-E v2 IA-5 NIST Cybersecurity Framework v1.1 PR.MA-2
FedRAMP IA-4(4)
FedRAMP IA-5 MARS-E v2 IA-5(2)
MARS-E v2 IA-5(3)
FedRAMP IA-5(11) MARS-E v2 IA-8
FedRAMP IA-5(2)
FedRAMP IA-5(3)
FedRAMP IA-8
NIST Cybersecurity Framework v1.1 PR.AC-1
ISO/IEC 27002:2013 9.2.4 ISO/IEC 27799:2016 9.2.4 MARS-E v2 IA-5
FedRAMP IA-5 IRS Pub 1075 v2016 9.3.7.5 ISO/IEC 27002:2013 9.4.3 ISO/IEC 27799:2016 9.4.3 MARS-E v2 IA-5(1) NIST Cybersecurity Framework v1.1 PR.DS-2
NIST Cybersecurity Framework v1.1 PR.DS-5
FedRAMP AC-3 IRS Pub 1075 v2016 9.3.1.3 MARS-E v2 AC-3 NIST Cybersecurity Framework v1.1 PR.AC-4
COBIT 5 DSS05.05 CSA CCM v3.0.1 IAM-13 FFIEC IS v2016 A.6.21(a) ISO/IEC 27002:2013 9.4.4 ISO/IEC 27799:2016 9.4.4 NIST Cybersecurity Framework v1.1 PR.DS-5
FedRAMP AC-6 IRS Pub 1075 v2016 9.3.1.6 MARS-E v2 AC-6 NIST Cybersecurity Framework v1.1 PR.PT-3
FedRAMP AC-11 MARS-E v2 AC-11
CSA CCM v3.0.1 AIS-04 FedRAMP AC-11(1) IRS Pub 1075 v2016 9.3.1.10 MARS-E v2 AC-11(1) NIST Cybersecurity Framework v1.1 PR.DS-5
FedRAMP AC-12 IRS Pub 1075 v2016 9.3.1.9 ISO/IEC 27002:2013 9.4.2 ISO/IEC 27799:2016 9.4.2
CSA CCM v3.0.1 MOS-14 FedRAMP AC-2(5) IRS Pub 1075 v2016 9.3.16.7 MARS-E v2 AC-12 NIST Cybersecurity Framework v1.1 PR.PT-4
FedRAMP SC-10 MARS-E v2 SC-10
NIST Cybersecurity Framework v1.1 PR.DS-5
FFIEC IS v2016 A.6.22(e) ISO/IEC 27002:2013 9.4.2 ISO/IEC 27799:2016 9.4.2 NIST Cybersecurity Framework v1.1 PR.PT-3
NIST Cybersecurity Framework v1.1 PR.PT-4
IRS Pub 1075 v2016 4.7.2 NIST Cybersecurity Framework v1.1 PR.AC-1
IRS Pub 1075 v2016 9.3.1.11 NIST Cybersecurity Framework v1.1 PR.AC-2
FFIEC IS v2016 A.6.22(b) IRS Pub 1075 v2016 9.3.1.2 MARS-E v2 AC-14 NIST Cybersecurity Framework v1.1 PR.AC-3
CRR v2016 CCM:G2.Q4 FedRAMP AC-4 FFIEC IS v2016 A.6.27(b) IRS Pub 1075 v2016 9.3.1.3 MARS-E v2 AC-3 NIST Cybersecurity Framework v1.1 PR.AC-4
CSA CCM v3.0.1 IAM-09 CRR v2016 CM:G2.Q3 FedRAMP AC-6 FFIEC IS v2016 A.6.8(a) IRS Pub 1075 v2016 9.3.1.4 ISO/IEC 27002:2013 9.4.1 ISO/IEC 27799:2016 9.4.1 MARS-E v2 AC-6 NIST Cybersecurity Framework v1.1 PR.AC-7
FedRAMP SC-15 FFIEC IS v2016 A.6.8(c) IRS Pub 1075 v2016 9.3.1.6 MARS-E v2 DM-1 NIST Cybersecurity Framework v1.1 PR.DS-1
FFIEC IS v2016 A.8.1(k) IRS Pub 1075 v2016 9.3.16.10 MARS-E v2 SC-15 NIST Cybersecurity Framework v1.1 PR.DS-5
IRS Pub 1075 v2016 9.4.14 NIST Cybersecurity Framework v1.1 PR.PT-2
IRS Pub 1075 v2016 Exhibit 10 NIST Cybersecurity Framework v1.1 PR.PT-3

01.w Sensitive System Isolation 1 TAC § 390.2(a)(4)(A)(xi)
01.x Mobile Computing and 1 TAC § 390.2(a)(1)
Communications 1 TAC § 390.2(a)(4)(A)(xi)
01.y Teleworking 1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
02.a Roles and Responsibilities 1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
02.b Screening 1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
02.c Terms and Conditions of 1 TAC § 390.2(a)(1)
Employment 1 TAC § 390.2(a)(4)(A)(xi)
02.d Management Responsibilities 1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
02.e Information Security Awareness,
Education, and Training 1 TAC § 390.2(a)(3)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
02.f Disciplinary Process 1 TAC § 390.2(a)(4)(B)(xviii)(I)
1 TAC § 390.2(a)(4)(B)(xviii)(II)
1 TAC § 390.2(a)(4)(B)(xviii)(III)
02.g Termination or Change 1 TAC § 390.2(a)(1)
Responsibilities 1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
02.h Return of Assets
1 TAC § 390.2(a)(4)(A)(xi)
02.i Removal of Access Rights 1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
03.a Risk Management Program 1 TAC § 390.2(a)(3)
Development 1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(b)
1 TAC § 390.2(a)(1)
03.b Performing Risk Assessments 1 TAC § 390.2(a)(3)
1 TAC § 390.2(a)(4)(A)(xi)
03.c Risk Mitigation 1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
03.d Risk Evaluation 1 TAC § 390.2(a)(3)
1 TAC § 390.2(a)(4)(A)(xi)
04.a Information Security Policy 1 TAC § 390.2(a)(1)
Document 1 TAC § 390.2(a)(4)(A)(xi)
04.b Review of the Information Security 1 TAC § 390.2(a)(1)
Policy 1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
05.a Management Commitment to 1 TAC § 390.2(a)(3)
Information Security 1 TAC § 390.2(a)(4)(A)(xi)
© 2019 HITRUST. All rights reserved.
16 CFR Part § 681.1 (e)(3)
16 CFR Part § 681 Appendix A I
16 CFR Part § 681 Appendix A II
16 CFR Part § 681 Appendix A V
16 CFR Part § 681.1 (b)(3)
16 CFR Part § 681.1 (d)(1)
16 CFR Part § 681.1 (d)(2)
16 CFR Part § 681.1 (f)
16 CFR Part § 681 Appendix A II(b)
16 CFR Part § 681.1 (c)
16 CFR Part § 681 Appendix A V
16 CFR Part § 681 Appendix A V(a)
16 CFR Part § 681 Appendix A V(b)
16 CFR Part § 681 Appendix A V(c)
16 CFR Part § 681 Appendix A V(d)
16 CFR Part § 681 Appendix A V(e)
16 CFR Part § 681.1 (e)(1)
16 CFR Part § 681.1 (e)(2)
NIST Cybersecurity Framework v1.1 ID.AM-5
CMSRs v3.1 RA-02 (HIGH; MOD) IRS Pub 1075 v2016 3.2 NIST Cybersecurity Framework v1.1 ID.BE-3
AICPA 2017 CC6.1 CMSRs v3.1 SC-04 (HIGH) CRR v2016 CM:G2.Q2 FedRAMP RA-2 ISO/IEC 27002:2013 9.1.1 ISO/IEC 27799:2016 9.1.1 MARS-E v2 RA-2 NIST Cybersecurity F ramework v1.1 ID.GV-4
CMSRs v3.1 SC-04 (HIGH; MOD) FedRAMP SC-4 IRS Pub 1075 v2016 9.3.16.3 MARS-E v2 SC-4 NIST Cybersecurity Framework v1.1 PR.AC-5
IRS Pub 1075 v2016 9.4.1
CMSRs v3.1 SC-07(21) (HIGH) NIST Cybersecurity Framework v1.1 PR.DS-5
NIST Cybersecurity Framework v1.1 PR.IP-1
CSA CCM v3.0.1 HRS-05
CSA CCM v3.0.1 MOS-02 NIST Cybersecurity Framework v1.1 DE.CM-7
CMSRs v3.1 AC-19 (HIGH) CSA CCM v3.0.1 MOS-03 NIST Cybersecurity F ramework v1.1 ID.GV-4
CIS CSC v7.1 12.12 CMSRs v3.1 AC-19 (HIGH; MOD) CSA CCM v3.0.1 MOS-05 FedRAMP AC-19 IRS Pub 1075 v2016 4.5 MARS-E v2 AC-19 NIST Cybersecurity Framework v1.1 PR.AC-2
45 CFR Part § 164.310(b) HIPAA.SR CSA CCM v3.0.1 MOS-10 FedRAMP AC-19(5) FFIEC IS v2016 A.6.24 ISO/IEC 27002:2013 6.2.1 ISO/IEC 27799:2016 6.2.1 NIST Cybersecurity Framework v1.1 PR.AC-4
45 CFR Part § 164.310(c) HIPAA.SR CIS CSC v7.1 13.6 CMSRs v3.1 AC-19(05) (HIGH; MOD) CSA CCM v3.0.1 MOS-11 FedRAMP CM-2(7) IRS Pub 1075 v2016 9.3.1.14 MARS-E v2 AC-19(5) NIST Cybersecurity Framework v1.1 PR.AT-1
CIS CSC v7.1 8.1 CMSRs v3.1 CM-02(07) (HIGH; MOD) IRS Pub 1075 v2016 9.4.8 MARS-E v2 SC-7(12)
CMSRs v3.1 SI-04 (HIGH; MOD) CSA CCM v3.0.1 MOS-12 FedRAMP SC-7(12) NIST Cybersecurity Framework v1.1 PR.DS-1
CSA CCM v3.0.1 MOS-17 NIST Cybersecurity Framework v1.1 PR.DS-2
CSA CCM v3.0.1 MOS-18 NIST Cybersecurity Framework v1.1 PR.IP-1
CSA CCM v3.0.1 MOS-19
NIST Cybersecurity F ramework v1.1 ID.GV-4
45 CFR Part § 164.308(a)(3)(i) HIPAA.SR CMSRs v3.1 AC-06 (HIGH; MOD) FedRAMP AC-17 IRS Pub 1075 v2016 4.5 MARS-E v2 AC-17 NIST Cybersecurity Framework v1.1 PR.AC-2
CMSRs v3.1 AC-17 (HIGH; MOD) FedRAMP AC-17(2) IRS Pub 1075 v2016 4.7 MARS-E v2 AC-17(2) NIST Cybersecurity Framework v1.1 PR.AC-3
45 CFR Part § 164.308(a)(3)(ii)(B) HIPAA.SR CMSRs v3.1 AC-17(02) (HIGH; MOD) FedRAMP AC-20 IRS Pub 1075 v2016 4.7.1 MARS-E v2 AC-20 NIST Cybersecurity Framework v1.1 PR.AT-1
45 CFR Part § 164.308(a)(4)(ii)(B) HIPAA.SR FFIEC IS v2016 A.6.23 ISO/IEC 27002:2013 6.2.1 ISO/IEC 27799:2016 6.2.1
45 CFR Part § 164.308(a)(4)(ii)(C) HIPAA.SR CMSRs v3.1 AC-20 (HIGH; MOD) FedRAMP AC-6 FFIEC IS v2016 A.6.24 IRS Pub 1075 v2016 4.7.2 ISO/IEC 27002:2013 6.2.2 ISO/IEC 27799:2016 6.2.2 MARS-E v2 AC-6 NIST Cybersecurity Framework v1.1 PR.DS-1
CMSRs v3.1 AT-02 (HIGH; MOD) FedRAMP AT-2 IRS Pub 1075 v2016 9.3.1.12 MARS-E v2 AT-2 NIST Cybersecurity Framework v1.1 PR.DS-2
45 CFR Part § 164.310(a)(2)(i) HIPAA.SR CMSRs v3.1 IA-02 (HIGH; MOD) FedRAMP IA-2 IRS Pub 1075 v2016 9.3.1.6 MARS-E v2 IA-2 NIST Cybersecurity Framework v1.1 PR.DS-3
45 CFR Part § 164.310(b) HIPAA.SR CMSRs v3.1 PE-17 (HIGH; MOD) FedRAMP PE-17 IRS Pub 1075 v2016 9.3.11.9 MARS-E v2 PE-17 NIST Cybersecurity Framework v1.1 PR.IP-1
NIST Cybersecurity Framework v1.1 PR.IP-5
CRR v2016 CCM:MIL3.Q2
45 CFR Part § 164.308(a)(1)(i) HIPAA.SR CRR v2016 CM:G2.Q9
45 CFR Part § 164.308(a)(3)(i) HIPAA.SR CRR v2016 CM:MIL3.Q2 FedRAMP AC-1 NIST Cybersecurity Framework v1.1 DE.DP- 1
AICPA 2017 CC1.4 CMSRs v3.1 PS-01 (HIGH; MOD) CSA CCM v3.0.1 HRS-07 FFIEC IS v2016 A.2.7 IRS Pub 1075 v2016 9.3.13.1 ISO/IEC 27002:2013 6.1.1 ISO/IEC 27799:2016 6.1.1 MARS-E v2 PS-1 NIST Cybersecurity Framework v1.1 ID.AM-6
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR CMSRs v3.1 PS-02 (HIGH; MOD) CRR v2016 EDM:MIL3.Q2 FedRAMP PS-1 FFIEC IS v2016 A.2.9 IRS Pub 1075 v2016 9.3.13.2 ISO/IEC 27002:2013 7.1.2 ISO/IEC 27799:2016 7.1.2 MARS-E v2 PS-2 NIST Cybersecurity F ramework v1.1 ID.GV-3
45 CFR Part § 164.308(a)(3)(ii)(B) HIPAA.SR CRR v2016 RM:MIL3.Q2 FedRAMP PS-2
45 CFR Part § 164.308(a)(3)(ii)(C) HIPAA.SR CRR v2016 SCM:MIL3.Q2 NIST Cybersecurity Framework v1.1 PR.IP- 11
CRR v2016 VM:MIL3.Q2
CMSRs v3.1 PS-01 (HIGH; MOD) FedRAMP PS-1 IRS Pub 1075 v2016 9.3.13.2 MARS-E v2 PS-1 NIST Cybersecurity Framework v1.1 ID.AM-6
AICPA 2017 CC1.4 CSA CCM v3.0.1 HRS-02 CRR v2016 CM:G2.Q9 FedRAMP PS-2 FFIEC IS v2016 A.6.8(b) HITRUST ISO/IEC 27002:2013 7.1.1 ISO/IEC 27799:2016 7.1.1 NIST Cybersecurity F ramework v1.1 ID.GV-3
45 CFR Part § 164.308(a)(3)(ii)(B) HIPAA.SR CMSRs v3.1 PS-02 (HIGH; MOD) FedRAMP PS-3 IRS Pub 1075 v2016 9.3.13.3 MARS-E v2 PS-2 NIST Cybersecurity Framework v1.1 PR.DS-5
CMSRs v3.1 PS-03 (HIGH; MOD) IRS Pub 1075 v2016 Exhibit 10 MARS-E v2 PS-3
FedRAMP PS-3(3) NIST Cybersecurity Framework v1.1 PR.IP- 11
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(B) HIPAA.SR FedRAMP PL-4 IRS Pub 1075 v2016 9.3.12.3 NIST Cybersecurity Framework v1.1 ID.AM-6
45 CFR Part § 164.310(b) HIPAA.SR AICPA 2017 CC1.4 CMSRs v3.1 PL-04 (HIGH; MOD) CSA CCM v3.0.1 HRS-03 FFIEC IS v2016 A.2.7 De-ID Framework v1 Non-disclosure and ISO/IEC 27002:2013 7.1.2 ISO/IEC 27799:2016 7.1.2 MARS-E v2 PL-4 NIST Cybersecurity F ramework v1.1 ID.GV-3
45 CFR Part § 164.310(d)(2)(iii) HIPAA.SR CMSRs v3.1 PS-06 (HIGH; MOD) FedRAMP PS-6 FFIEC IS v2016 A.2.9 Confidentiality: Policy IRS Pub 1075 v2016 9.3.13.5 MARS-E v2 PS-6 NIST Cybersecurity Framework v1.1 PR.DS-5
FedRAMP PS-7 IRS Pub 1075 v2016 9.3.13.6
45 CFR Part § 164.314(a)(1) HIPAA.SR NIST Cybersecurity Framework v1.1 PR.IP- 11
45 CFR Part § 164.314(a)(2)(i) HIPAA.SR
45 CFR Part § 164.314(a)(2)(ii) HIPAA.SR
CRR v2016 AM:G6.Q4
CRR v2016 AM:MIL3.Q2
CRR v2016 CCM:MIL3.Q2
CRR v2016 CM:MIL3.Q2 IRS Pub 1075 v2016 9.3.12.3
CSA CCM v3.0.1 GRM-03 CRR v2016 EDM:MIL3.Q2 IRS Pub 1075 v2016 9.3.12.3.1 MARS-E v2 AT-3 NIST Cybersecurity Framework v1.1 ID.AM-6
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR CMSRs v3.1 AT-03 (HIGH; MOD) CSA CCM v3.0.1 HRS-10 CRR v2016 IM:MIL3.Q2 IRS Pub 1075 v2016 9.3.12.3.2 MARS-E v2 PL-4 NIST Cybersecurity Framework v1.1 PR.AT-1
45 CFR Part § 164.308(a)(4)(ii)(B) HIPAA.SR AICPA 2017 CC1.2 CMSRs v3.1 PL-04 (HIGH; MOD) CSA CCM v3.0.1 MOS-04 CRR v2016 RM:MIL3.Q2 FedRAMP AT-3 FFIEC IS v2016 A.2.10 IRS Pub 1075 v2016 9.3.12.3.6 MARS-E v2 PM-13 NIST Cybersecurity Framework v1.1 PR.AT-2
45 CFR Part § 164.308(b)(1) HIPAA.SR AICPA 2017 CC1.4 CMSRs v3.1 PM- 02 (HIGH; MOD) CRR v2016 SA:G1.Q2 ISO/IEC 27002:2013 7.2.1 ISO/IEC 27799:2016 7.2.1
45 CFR Part § 164.314(a)(1) HIPAA.SR AICPA 2017 CC2.2 CMSRs v3.1 PM- 13 (HIGH; MOD) CSA CCM v3.0.1 MOS-06 CRR v2016 SA:G3.Q3 FedRAMP PL-4 FFIEC IS v2016 A.2.7 IRS Pub 1075 v2016 9.3.12.3.7 MARS-E v2 PM-14 NIST Cybersecurity Framework v1.1 PR.AT-3
CSA CCM v3.0.1 MOS-08 FedRAMP PS-7 FFIEC IS v2016 A.2.9 IRS Pub 1075 v2016 9.3.13.7 MARS-E v2 PM-15 NIST Cybersecurity Framework v1.1 PR.AT-4
45 CFR Part § 164.314(a)(2)(i) HIPAA.SR AICPA 2017 CC3.2 CMSRs v3.1 PM- 14 (HIGH; MOD) CSA CCM v3.0.1 MOS-13 CRR v2016 SA:MIL3.Q2 IRS Pub 1075 v2016 9.3.18.1 MARS-E v2 PM- 2 NIST Cybersecurity Framework v1.1 PR.AT-5
45 CFR Part § 164.314(a)(2)(ii) HIPAA.SR CMSRs v3.1 PM- 15 (HIGH; MOD) CSA CCM v3.0.1 MOS-20 CRR v2016 SCM:MIL3.Q2 IRS Pub 1075 v2016 9.3.2.3 MARS-E v2 PS-7 NIST Cybersecurity Framework v1.1 PR.IP- 11
CRR v2016 TA:G1.Q2 IRS Pub 1075 v2016 Exhibit 10
CRR v2016 TA:MIL2.Q2
CRR v2016 TA:MIL3.Q2
CRR v2016 TA:MIL4.Q2
CRR v2016 VM:MIL3.Q2
CMSRs v3.1 AR-05 (HIGH; MOD)
CMSRs v3.1 AT-01 (HIGH; MOD) CRR v2016 SA:G3.Q3
CMSRs v3.1 AT-02 (HIGH; MOD) CRR v2016 TA:G1.Q1 MARS-E v2 AR-5
CMSRs v3.1 AT-02(02) (HIGH; MOD) CRR v2016 TA:G1.Q2 MARS-E v2 AT-1
CMSRs v3.1 AT-03 (HIGH; MOD) CRR v2016 TA:G1.Q3 FedRAMP AT-1 IRS Pub 1075 v2016 6.3 NIST Cybersecurity Framework v1.1 ID.AM-6
CMSRs v3.1 AT-04 (HIGH; MOD) CRR v2016 TA:G1.Q4 FedRAMP AT-2 IRS Pub 1075 v2016 9.3.12.3 MARS-E v2 AT-2 NIST Cybersecurity F ramework v1.1 ID.GV-3
45 CFR Part § 164.308(a)(5)(i) HIPAA.SR CMSRs v3.1 CP-03 (HIGH; MOD) CRR v2016 TA:G2.Q1 FedRAMP AT-2(2) De-ID Framework v1 Perimeter Security IRS Pub 1075 v2016 9.3.2.1 MARS-E v2 AT-2(2) NIST Cybersecurity F ramework v1.1 ID.GV-4
45 CFR Part § 164.308(a)(5)(ii)(A) HIPAA.SR AICPA 2017 CC1.1 CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CIS CSC v7.1 17.1 CMSRs v3.1 CP-03(01) (HIGH; MOD) CSA CCM v3.0.1 HRS-09 CRR v2016 TA:G2.Q2 FedRAMP AT-3 (Alarms): Testing IRS Pub 1075 v2016 9.3.2.2 MARS-E v2 AT-3 NIST Cybersecurity Framework v1.1 PR.AT-1
201 CMR 17.04(8) 21 CFR Part 11.10(i) 23 NYCRR 500.14(b) 45 CFR Part § 164.414(a) HIPAA.BN 45 CFR Part § 164.530(b)(1) HIPAA.PR 45 CFR Part § 164.308(a)(5)(ii)(B) HIPAA.SR AICPA 2017 CC1.4 CIS CSC v7.1 17.2 CSA CCM v3.0.1 MOS-01 EHNAC Accreditation Committee FFIEC IS v2016 A.6.8(f) De-ID Framework v1 Privacy and Security ISO/IEC 27002:2013 7.2.2 ISO/IEC 27799:2016 7.2.2 MARS-E v2 AT-4
45 CFR Part § 164.530(b)(2) HIPAA.PR 45 CFR Part § 164.308(a)(5)(ii)(C) HIPAA.SR AICPA 2017 CC2.2 and Benefits Certification Policy Policy v2.1.0 Subsection 3.4 CIS CSC v7.1 17.3 CMSRs v3.1 CP-04 (HIGH) CSA CCM v3.0.1 MOS-04 CRR v2016 TA:G2.Q3 FedRAMP AT-4 Training: General IRS Pub 1075 v2016 9.3.2.3 MARS-E v2 CP-3 NIST Cybersecurity Framework v1.1 PR.AT-2
v1.1.0 Subsection 3.4 CMSRs v3.1 IR-02 (HIGH; MOD) CRR v2016 TA:G2.Q4 FedRAMP CP-3 IRS Pub 1075 v2016 9.3.2.4 NIST Cybersecurity Framework v1.1 PR.AT-4
45 CFR Part § 164.308(a)(6)(i) HIPAA.SR AICPA 2017 CC2.3 CIS CSC v7.1 18.6 CMSRs v3.1 IR-02(01) (HIGH) CSA CCM v3.0.1 MOS-05 CRR v2016 TA:G2.Q5 FedRAMP CP-4 De-ID Framework v1 Storage (Minimal IRS Pub 1075 v2016 9.3.6.3 MARS-E v2 CP-4 NIST Cybersecurity Framework v1.1 PR.AT-5
45 CFR Part § 164.308(a)(7)(ii)(D) HIPAA.SR CMSRs v3.1 IR-02(02) (HIGH) CRR v2016 TA:G2.Q6 FedRAMP IR-2 Locations Authorized): Implementation IRS Pub 1075 v2016 9.3.8.2 MARS-E v2 IR-2 NIST Cybersecurity Framework v1.1 PR.IP- 11
CMSRs v3.1 PL-04 (HIGH; MOD) CRR v2016 TA:G2.Q7 FedRAMP PL-4 IRS Pub 1075 v2016 Exhibit 10 MARS-E v2 PL-4 NIST Cybersecurity Framework v1.1 RS.CO-1
MARS-E v2 PM-14
CMSRs v3.1 PL-4 (HIGH; MOD) CRR v2016 TA:MIL2.Q1 MARS-E v2 PM- 6
CMSRs v3.1 PM- 06 (HIGH; MOD) CRR v2016 TA:MIL2.Q4
CMSRs v3.1 PM- 14 (HIGH; MOD) CRR v2016 TA:MIL4.Q1
CMSRs v3.1 SA-16 (HIGH)
AICPA 2017 CC1.1
45 CFR Part § 164.530(e) HIPAA.PR AICPA 2017 CC1.5 CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 IR-05 (HIGH; MOD) FedRAMP IR-5 IRS Pub 1075 v2016 9.3.13.8 MARS-E v2 IR-5
201 CMR 17.03(2)(d) 21 CFR Part 11.10(j) 45 CFR Part § 164.414(a) HIPAA.BN 45 CFR Part § 164.530(e)(1) HIPAA.PR 45 CFR Part § 164.308(a)(1)(ii)(C) HIPAA.SR AICPA 2017 CC5.3 and Benefits Certification Policy Policy v2.1.0 Subsection 3.4 CMSRs v3.1 PS-08 (HIGH) CSA CCM v3.0.1 GRM-07 EHNAC Accreditation Committee FedRAMP PS-8 HITRUST De-ID Framework v1 Sanctions: General IRS Pub 1075 v2016 9.3.8.5 ISO/IEC 27002:2013 7.2.3 ISO/IEC 27799:2016 7.2.3 MARS-E v2 PS-8 NIST Cybersecurity Framework v1.1 PR.IP-11
45 CFR Part § 164.530(e)(2) HIPAA.PR AICPA 2017 CC7.4 v1.1.0 Subsection 3.4 CMSRs v3.1 PS-08 (HIGH; MOD)
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification ISO/IEC 27002:2013 6.1.1 ISO/IEC 27799:2016 6.1.1 NIST Cybersecurity Framework v1.1 PR.AC-1
45 CFR Part § 164.308(a)(3)(ii)(B) HIPAA.SR AICPA 2017 CC6.4 CIS CSC v7.1 16.7 CMSRs v3.1 PS-04 (HIGH; MOD) CSA CCM v3.0.1 HRS-04 FedRAMP PS-4 FFIEC IS v2016 A.6.8(c) HITRUST IRS Pub 1075 v2016 9.3.13.4 ISO/IEC 27002:2013 7.3.1 MARS-E v2 PS-4
45 CFR Part § 164.308(a)(3)(ii)(C) HIPAA.SR and Benefits Certification Policy Policy v2.1.0 Subsection 3.4 CMSRs v3.1 PS-05 (HIGH; MOD) CSA CCM v3.0.1 IAM-11 FedRAMP PS-5 IRS Pub 1075 v2016 9.3.13.5 ISO/IEC 27002:2013 9.2.5 ISO/IEC 27799:2016 7.3.1 MARS-E v2 PS-5 NIST Cybersecurity Framework v1.1 PR.AC-4
v1.1.0 Subsection 3.4 ISO/IEC 27799:2016 9.2.6 NIST Cybersecurity Framework v1.1 PR.IP- 11
ISO/IEC 27002:2013 9.2.6
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification
201 CMR 17.03(2)(e) 45 CFR Part § 164.308(a)(3)(ii)(C) HIPAA.SR and Benefits Certification Policy CMSRs v3.1 PS-04 (HIGH; MOD) CSA CCM v3.0.1 HRS-01 FedRAMP PS-4 IRS Pub 1075 v2016 9.3.13.4 ISO/IEC 27002:2013 8.1.4 ISO/IEC 27799:2016 8.1.4 MARS-E v2 PS-4 NIST Cybersecurity Framework v1.1 PR.IP-11
v1.1.0 Subsection 3.4 Policy v2.1.0 Subsection 3.4
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(C) HIPAA.SR CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 AC-2 (HIGH; MOD) FedRAMP AC-2 IRS Pub 1075 v2016 9.3.1.2 MARS-E v2 AC-2 NIST Cybersecurity Framework v1.1 PR.AC-1
CMSRs v3.1 PS-04 (HIGH; MOD) CSA CCM v3.0.1 IAM-11 ISO/IEC 27002:2013 9.2.6 ISO/IEC 27799:2016 9.2.6
45 CFR Part § 164.308(a)(4)(i) HIPAA.SR and Benefits Certification Policy Policy v2.1.0 Subsection 3.4 CMSRs v3.1 PS- 04(02) (HIGH) FedRAMP PS-4 IRS Pub 1075 v2016 9.3.13.4 MARS-E v2 PS-4 NIST Cybersecurity Framework v1.1 PR.AC-4
45 CFR Part § 164.308(a)(4)(ii)(B) HIPAA.SR v1.1.0 Subsection 3.4 FedRAMP PS-5 IRS Pub 1075 v2016 9.3.13.5 MARS-E v2 PS-5 NIST Cybersecurity Framework v1.1 PR.IP- 11
45 CFR Part § 164.308(a)(4)(ii)(C) HIPAA.SR CMSRs v3.1 PS-05 (HIGH; MOD)
45 CFR Part § 164.312(a)(2)(ii) HIPAA.SR
CRR v2016 AM:MIL3.Q4
CRR v2016 CM:G1.Q2
CRR v2016 CM:MIL2.Q4
CRR v2016 CM:MIL3.Q4
CRR v2016 EDM:MIL2.Q2
CRR v2016 EDM:MIL3.Q4
CRR v2016 IM:MIL3.Q4
CRR v2016 RM:G1.Q1
CRR v2016 RM:G1.Q2
CRR v2016 RM:G1.Q3 NIST Cybersecurity Framework v1.1 ID.BE-3
CMSRs v3.1 AR-02 (HIGH; MOD) CRR v2016 RM:G1.Q4 FFIEC IS v2016 A.2.11 MARS-E v2 AR-2 NIST Cybersecurity F ramework v1.1 ID.GV-3
45 CFR Part § 164.308(a)(1)(i) HIPAA.SR CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 PM- 04 (HIGH; MOD) CRR v2016 RM:G2.Q3 FFIEC IS v2016 A.3.1 MARS-E v2 PM-11 NIST Cybersecurity F ramework v1.1 ID.GV-4
45 CFR Part § 164.308(a)(1)(ii)(A) HIPAA.SR AICPA 2017 CC3.3 CMSRs v3.1 PM- 09 (HIGH; MOD) CSA CCM v3.0.1 GRM-11 CRR v2016 RM:G2.Q4 EHNAC Accreditation Committee EU GDPR Article 32(2) FedRAMP RA-1 FFIEC IS v2016 A.6.4(a) De-ID Framework v1 Risk Assessments: IRS Pub 1075 v2016 9.3.14.1 MARS-E v2 PM- 4 NIST Cybersecurity F ramework v1.1 ID.RM-1
45 CFR Part § 164.308(a)(1)(ii)(B) HIPAA.SR AICPA 2017 CC9.2 and Benefits Certification Policy Policy v2.1.0 Subsection 3.4 CMSRs v3.1 PM- 11 (HIGH; MOD) CSA CCM v3.0.1 STA-06 CRR v2016 RM:G3.Q1 EU GDPR Article 4(1) FedRAMP RA-3 FFIEC IS v2016 A.7.1 Assessments IRS Pub 1075 v2016 9.3.14.2 MARS-E v2 PM- 9 NIST Cybersecurity F ramework v1.1 ID.RM-2
v1.1.0 Subsection 3.4
45 CFR Part § 164.316(a) HIPAA.SR CMSRs v3.1 RA-01 (HIGH; MOD) CRR v2016 RM:G5.Q1 FFIEC IS v2016 A.7.2 MARS-E v2 RA-1 NIST Cybersecurity F ramework v1.1 ID.RM-3
CMSRs v3.1 RA-03 (HIGH; MOD) CRR v2016 RM:G5.Q2 FFIEC IS v2016 A.7.3 MARS-E v2 RA-3 NIST Cybersecurity Framework v1.1 ID.SC-2
CRR v2016 RM:MIL2.Q4 NIST Cybersecurity Framework v1.1 RS.MI-3
CRR v2016 RM:MIL3.Q4
CRR v2016 RM:MIL4.Q3
CRR v2016 SA:G1.Q2
CRR v2016 SA:MIL2.Q1
CRR v2016 SA:MIL2.Q4
CRR v2016 SA:MIL3.Q4
CRR v2016 TA:MIL3.Q4
CRR v2016 VM:G2.Q6
CRR v2016 VM:MIL2.Q1
CRR v2016 AM:MIL3.Q4
CRR v2016 AM:MIL4.Q1
CRR v2016 AM:MIL4.Q2
CRR v2016 CCM:MIL3.Q4
CRR v2016 CCM:MIL4.Q1
CRR v2016 CCM:MIL4.Q2
CRR v2016 CM:MIL3.Q4
CRR v2016 CM:MIL4.Q1 EU GDPR Article 35(1) FFIEC IS v2016 A.4.1
CRR v2016 CM:MIL4.Q2 EU GDPR Article 35(10) FFIEC IS v2016 A.4.2
CRR v2016 EDM:MIL4.Q1 NIST Cybersecurity F ramework v1.1 ID.GV-4
45 CFR Part § 164.308(a)(1)(ii)(A) HIPAA.SR CRR v2016 IM:MIL4.Q1 EU GDPR Article 35(11) FFIEC IS v2016 A.4.3 IRS Pub 1075 v2016 9.3.14.2 NIST Cybersecurity Framework v1.1 ID.RA-1
EU GDPR Article 35(2) F FIEC IS v2016 A.6.28(c) IRS Pub 1075 v2016 9.3.4.2
45 CFR Part § 164.308(a)(1)(ii)(B) HIPAA.SR AICPA 2017 CC3.2 CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 CA-02 (HIGH; MOD) CSA CCM v3.0.1 GRM-02 CRR v2016 IM:MIL4.Q2 EU GDPR Article 35(3) FedRAMP CA-2 FFIEC IS v2016 A.6.4(a) De-ID Framework v1 Risk Assessments: IRS Pub 1075 v2016 9.3.5.6 ISO/IEC 27002:2013 12.6.1 ISO/IEC 27799:2016 12.6.1 MARS-E v2 CA-2 NIST Cybersecurity Framework v1.1 ID.RA-3
201 CMR 17.03(2)(b) 23 NYCRR 500.09(b)(1) 45 CFR Part § 164.402(2) HIPAA.BN 45 CFR Part § 164.308(a)(2) HIPAA.SR AICPA 2017 CC3.4 and Benefits Certification Policy Policy v2.1.0 Subsection 3.4 CMSRs v3.1 CA-02(01) (HIGH; MOD) CSA CCM v3.0.1 GRM-10 CRR v2016 RM:G2.Q1 EU GDPR Article 35(5) FedRAMP CA-2(3) FFIEC IS v2016 A.7.1 HITRUST Assessments IRS Pub 1075 v2016 9.4.1 ISO/IEC 27002:2013 17.1.1 ISO/IEC 27799:2016 17.1.1 MARS-E v2 CA-2(1) NIST Cybersecurity Framework v1.1 ID.RA-4
45 CFR Part § 164.308(a)(7)(ii)(E) HIPAA.S R AICPA 2017 CC4.1 v1.1.0 Subsection 3.4 CMSRs v3.1 RA-03 (HIGH; MOD) CRR v2016 RM:G3.Q1 EU GDPR Article 35(7) FedRAMP RA-3 FFIEC IS v2016 A.7.2 IRS Pub 1075 v2016 9.4.2 MARS-E v2 RA-3 NIST Cybersecurity Framework v1.1 ID.RA-5
45 CFR Part § 164.316(a) HIPAA.SR CRR v2016 RM:G4.Q1 NIST Cybersecurity F ramework v1.1 ID.RM-1
CRR v2016 RM:G5.Q1 EU GDPR Article 35(9) FFIEC IS v2016 A.7.3 IRS Pub 1075 v2016 Exhibit 10 NIST Cybersecurity Framework v1.1 RS.CO-5
CRR v2016 RM:MIL2.Q1 EU GDPR Article 36(1) FFIEC IS v2016 A.7.4(e)
CRR v2016 RM:MIL2.Q4 EU GDPR Article 36(3) FFIEC IS v2016 A.8.1(i)
CRR v2016 RM:MIL4.Q1
CRR v2016 RM:MIL5.Q2
CRR v2016 SA:MIL4.Q1
CRR v2016 SCM:MIL4.Q1
CRR v2016 TA:MIL4.Q1
CRR v2016 VM:MIL3.Q4
CRR v2016 VM:MIL4.Q1c
CRR v2016 CCM:MIL3.Q4
CRR v2016 CM:G1.Q2
CRR v2016 CM:G4.Q1
CRR v2016 CM:G4.Q2
CRR v2016 EDM:MIL3.Q4
CRR v2016 IM:MIL3.Q4
CRR v2016 RM:G1.Q3
AICPA 2017 CC3.1 CRR v2016 RM:G2.Q3 FFIEC IS v2016 A.5.1
AICPA 2017 CC4.2 CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CRR v2016 RM:G4.Q2 FFIEC IS v2016 A.6.4 ISO/IEC 27002:2013 12.6.1 ISO/IEC 27799:2016 12.6.1 MARS-E v2 CA-5 NIST Cybersecurity Framework v1.1 ID.RA-6
45 CFR Part § 164.530(f) HIPAA.PR 45 CFR Part § 164.306(e) HIPAA.SR AICPA 2017 CC5.1 CMSRs v3.1 CA-05 (HIGH; MOD) CSA CCM v3.0.1 GRM-11 CRR v2016 RM:MIL2.Q4 FedRAMP CA-5 FFIEC IS v2016 A.6.4(a) IRS Pub 1075 v2016 7.3.1
45 CFR Part § 164.308(a)(1)(ii)(B) HIPAA.SR AICPA 2017 P6.4 and Benefits Certification Policy Policy v2.1.0 Subsection 3.4 CMSRs v3.1 PM- 04 (HIGH; MOD) CRR v2016 RM:MIL3.Q1 FFIEC IS v2016 A.7.1 IRS Pub 1075 v2016 9.3.4.4 ISO/IEC 27002:2013 12.7.1 ISO/IEC 27799:2016 12.7.1 MARS-E v2 CA-5(1) NIST Cybersecurity Framework v1.1 PR.IP- 12
AICPA 2017 P6.5 v1.1.0 Subsection 3.4 CRR v2016 RM:MIL4.Q1 FFIEC IS v2016 A.7.2 ISO/IEC 27002:2013 17.1.1 ISO/IEC 27799:2016 17.1.1 MARS-E v2 PM- 4 NIST Cybersecurity Framework v1.1 RS.MI-3
AICPA 2017 P6.6 CRR v2016 RM:MIL4.Q2 FFIEC IS v2016 A.7.3
CRR v2016 RM:MIL5.Q2
CRR v2016 SA:MIL3.Q4
CRR v2016 TA:MIL3.Q4
CRR v2016 VM:G3.Q1
CRR v2016 VM:G3.Q2
CRR v2016 VM:G4.Q1
CRR v2016 VM:MIL3.Q4
NIST Cybersecurity F ramework v1.1 ID.GV-4
AICPA 2017 CC3.4 NIST Cybersecurity Framework v1.1 ID.RA-1
45 CFR Part § 164.308(a)(1)(ii)(A) HIPAA.SR AICPA 2017 CC4.1 CMSRs v3.1 CM-03 (HIGH; MOD) CSA CCM v3.0.1 GRM-08 CRR v2016 RM:MIL4.Q2 FedRAMP CM-3 FFIEC IS v2016 A.7.1 IRS Pub 1075 v2016 9.3.14.2 ISO/IEC 27002:2013 12.1.2 ISO/IEC 27799:2016 12.1.2 MARS-E v2 CM-3 NIST Cybersecurity Framework v1.1 ID.RA-3
CMSRs v3.1 RA-03 (HIGH; MOD) CRR v2016 RM:MIL4.Q3 FedRAMP RA-3 MARS-E v2 RA-3
AICPA 2017 CC8.1 NIST Cybersecurity Framework v1.1 ID.RA-4
NIST Cybersecurity Framework v1.1 ID.RA-5
IRS Pub 1075 v2016 9.3.1.1
IRS Pub 1075 v2016 9.3.10.1
CMSRs v3.1 AC-01 (HIGH; MOD) CRR v2016 AM:G1.Q3 FedRAMP AT-1 IRS Pub 1075 v2016 9.3.11.1 MARS-E v2 AC-1
CRR v2016 AM:MIL5.Q1
CMSRs v3.1 AT-01 (HIGH; MOD) CRR v2016 CCM:MIL5.Q1 FedRAMP AU-1 IRS Pub 1075 v2016 9.3.12.1 MARS-E v2 AT-1
CMSRs v3.1 AU-01 (HIGH; MOD) FedRAMP CA-1 IRS Pub 1075 v2016 9.3.13.1 MARS-E v2 AU-1
CMSRs v3.1 CA-01 (HIGH; MOD) CRR v2016 CM:G1.Q1 FedRAMP CM-1 IRS Pub 1075 v2016 9.3.14.1 MARS-E v2 CA-1
CMSRs v3.1 CM-01 (HIGH; MOD) CRR v2016 CM:G2.Q1 FedRAMP CP-1 IRS Pub 1075 v2016 9.3.15.1 MARS-E v2 CM-1
CMSRs v3.1 CP-01 (HIGH; MOD) CRR v2016 CM:MIL2.Q1 FedRAMP IA-1 IRS Pub 1075 v2016 9.3.16.1 MARS-E v2 CP-1
AICPA 2017 CC1.3 CRR v2016 CM:MIL5.Q1
45 CFR Part § 164.312(c)(1) HIPAA.SR AICPA 2017 CC2.2 CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 IA-01 (HIGH; MOD) CRR v2016 EDM:MIL5.Q1 FedRAMP IR-1 IRS Pub 1075 v2016 9.3.17.1 MARS-E v2 IA-1 NIST Cybersecurity F ramework v1.1 ID.GV-1
45 CFR Part § 164.414(a) HIPAA.BN 45 CFR Part § 164.530(i) HIPAA.PR 45 CFR Part § 164.316(a) HIPAA.SR CMSRs v3.1 MA-01 (HIGH; MOD) COBIT 5 APO13.02 CSA CCM v3.0.1 GRM-06 FedRAMP MA-1 HITRUST IRS Pub 1075 v2016 9.3.2.1 ISO/IEC 27002:2013 5.1.1 ISO/IEC 27799:2016 5.1.1 MARS-E v2 IR-1 NIST Cybersecurity F ramework v1.1 ID.GV-2
45 CFR Part § 164.316(b)(2)(i) HIPAA.SR AICPA 2017 CC2.3 and Benefits Certification Policy Policy v2.1.0 Subsection 3.4 CMSRs v3.1 PE-01 (HIGH; MOD) CRR v2016 IM:MIL5.Q1 FedRAMP MP-1 IRS Pub 1075 v2016 9.3.3.1 MARS-E v2 MA-1 NIST Cybersecurity F ramework v1.1 ID.GV-3
45 CFR Part § 164.316(b)(2)(ii) HIPAA.SR AICPA 2017 CC3.1 v1.1.0 Subsection 3.4 CMSRs v3.1 PL-01 (HIGH; MOD) CRR v2016 RM:MIL2.Q2 FedRAMP PE-1 IRS Pub 1075 v2016 9.3.4.1 MARS-E v2 PE-1 NIST Cybersecurity F ramework v1.1 ID.GV-4
AICPA 2017 CC5.1 CMSRs v3.1 PM- 01 (HIGH; MOD) CRR v2016 RM:MIL5.Q1 FedRAMP PL-1 IRS Pub 1075 v2016 9.3.5.1 MARS-E v2 PL-1
CRR v2016 SA:MIL2.Q2
CMSRs v3.1 PS-01 (HIGH; MOD) CRR v2016 SA:MIL2.Q4 FedRAMP PS-1 IRS Pub 1075 v2016 9.3.6.1 MARS-E v2 PM- 1
CMSRs v3.1 RA-01 (HIGH; MOD) FedRAMP RA-1 IRS Pub 1075 v2016 9.3.7.1 MARS-E v2 PS-1
CMSRs v3.1 SA-01 (HIGH; MOD) CRR v2016 SA:MIL5.Q1 FedRAMP SA-1 IRS Pub 1075 v2016 9.3.8.1 MARS-E v2 RA-1
CMSRs v3.1 SC-01 (HIGH; MOD) CRR v2016 SCM:MIL5.Q1 FedRAMP SC-1 IRS Pub 1075 v2016 9.3.9.1 MARS-E v2 SC-1
CMSRs v3.1 SI-01 (HIGH; MOD) CRR v2016 TA:MIL5.Q1 FedRAMP SI-1 IRS Pub 1075 v2016 9.4.2 MARS-E v2 SI-1
CRR v2016 VM:MIL5.Q1
IRS Pub 1075 v2016 Exhibit 9
IRS Pub 1075 v2016 Exhibit 10
CMSRs v3.1 AC-01 (HIGH; MOD) IRS Pub 1075 v2016 9.3.1.1 MARS-E v2 AC-1
IRS Pub 1075 v2016 9.3.10.1
CMSRs v3.1 AR-02 (HIGH; MOD) FedRAMP AT-1 IRS Pub 1075 v2016 9.3.11.1 MARS-E v2 AR-1
CMSRs v3.1 AT-01 (HIGH; MOD) FedRAMP AU-1 IRS Pub 1075 v2016 9.3.12.1 MARS-E v2 AR-2
CMSRs v3.1 AU-01 (HIGH; MOD) FedRAMP CA-1 IRS Pub 1075 v2016 9.3.13.1 MARS-E v2 AT-1
CMSRs v3.1 CA-01 (HIGH; MOD) FedRAMP CM-1 MARS-E v2 AU-1
CMSRs v3.1 CM-01 (HIGH; MOD) FedRAMP CP-1 IRS Pub 1075 v2016 9.3.14.1 MARS-E v2 CA-1
IRS Pub 1075 v2016 9.3.15.1
45 CFR Part § 164.530(d)(1) HIPAA.PR CMSRs v3.1 CP-01 (HIGH; MOD) FedRAMP IA-1 IRS Pub 1075 v2016 9.3.16.1 MARS-E v2 CM-1
45 CFR Part § 164.530(i) HIPAA.PR AICPA 2017 CC1.4 CAQH Core Phase 1 102: Eligibility CMSRs v3.1 IA-01 (HIGH; MOD) FedRAMP IR-1 IRS Pub 1075 v2016 9.3.17.1 MARS-E v2 CP-1 NIST Cybersecurity F ramework v1.1 ID.GV-1
45 CFR Part § 164.414(a) HIPAA.BN 45 CFR Part § 164.530(i)(2) HIPAA.PR 45 CFR Part § 164.308(a)(8) HIPAA.SR AICPA 2017 CC5.2 and Benefits Certification Policy CAQHPolicy
Core Phase 2 202: Certification CMSRs v3.1 IP-04 (HIGH; MOD) CSA CCM v3.0.1 GRM-09 CRR v2016 CM:G4.Q1 FedRAMP MA-1 FFIEC IS v2016 A.4.5 IRS Pub 1075 v2016 9.3.2.1 ISO/IEC 27002:2013 5.1.2 ISO/IEC 27799:2016 5.1.2 MARS-E v2 IA-1 NIST Cybersecurity F ramework v1.1 ID.GV-3
45 CFR Part § 164.316(a) HIPAA.SR v2.1.0 Subsection 3.4 CMSRs v3.1 MA-01 (HIGH; MOD) FedRAMP MP-1 MARS-E v2 IR-1
45 CFR Part § 164.530(i)(3) HIPAA.PR AICPA 2017 CC5.3 v1.1.0 Subsection 3.4 CMSRs v3.1 PE-01 (HIGH; MOD) FedRAMP PE-1 IRS Pub 1075 v2016 9.3.3.1 MARS-E v2 MA-1 NIST Cybersecurity F ramework v1.1 ID.GV-4
45 CFR Part § 164.530(i)(5) HIPAA.PR IRS Pub 1075 v2016 9.3.4.1
CMSRs v3.1 PL-01 (HIGH; MOD) FedRAMP PL-1 IRS Pub 1075 v2016 9.3.5.1 MARS-E v2 PE-1
CMSRs v3.1 PM- 01 (HIGH; MOD) FedRAMP PS-1 IRS Pub 1075 v2016 9.3.6.1 MARS-E v2 PL-1
CMSRs v3.1 PS-01 (HIGH; MOD) FedRAMP RA-1 IRS Pub 1075 v2016 9.3.7.1 MARS-E v2 PM- 1
CMSRs v3.1 RA-01 (HIGH; MOD) FedRAMP SA-1 MARS-E v2 PS-1
CMSRs v3.1 SA-01 (HIGH; MOD) FedRAMP SC-1 IRS Pub 1075 v2016 9.3.8.1 MARS-E v2 RA-1
IRS Pub 1075 v2016 9.3.9.1
CMSRs v3.1 SC-01 (HIGH; MOD) FedRAMP SI-1 IRS Pub 1075 v2016 Exhibit 9 MARS-E v2 SC-1
CMSRs v3.1 SI-01 (HIGH; MOD) IRS Pub 1075 v2016 Exhibit 10 MARS-E v2 SI-1
CRR v2016 CCM:MIL3.Q2
CRR v2016 CCM:MIL3.Q3
CRR v2016 CCM:MIL4.Q1
CRR v2016 CCM:MIL4.Q2
CRR v2016 CCM:MIL4.Q3
CRR v2016 CM:MIL2.Q3
CRR v2016 CM:MIL3.Q1
CMSRs v3.1 AC-01 (HIGH; MOD) CRR v2016 CM:MIL3.Q3 MARS-E v2 AC-1
CMSRs v3.1 AR-01 (HIGH; MOD) CRR v2016 CM:MIL4.Q1 MARS-E v2 AR-1
CMSRs v3.1 AT-01 (HIGH; MOD) CRR v2016 CM:MIL4.Q2 IRS Pub 1075 v2016 9.3.1.1 MARS-E v2 AT-1
CRR v2016 CM:MIL4.Q3
CMSRs v3.1 AU-01 (HIGH; MOD) CRR v2016 EDM:MIL2.Q3 FedRAMP AT-1 IRS Pub 1075 v2016 9.3.10.1 MARS-E v2 AU-1
CMSRs v3.1 CA-01 (HIGH; MOD) FedRAMP AU-1 IRS Pub 1075 v2016 9.3.11.1 MARS-E v2 CA-1
CMSRs v3.1 CA-02 (HIGH; MOD) CRR v2016 EDM:MIL3.Q1 FedRAMP CA-1 IRS Pub 1075 v2016 9.3.12.1 MARS-E v2 CA-2
CMSRs v3.1 CA-02(01) (HIGH; MOD) CRR v2016 EDM:MIL3.Q3 FedRAMP CA-2 IRS Pub 1075 v2016 9.3.13.1 MARS-E v2 CA-2(1)
23 NYCRR 500.04(a)(1) CMSRs v3.1 CM-01 (HIGH; MOD) CRR v2016 EDM:MIL4.Q1 FedRAMP CA-2(1) IRS Pub 1075 v2016 9.3.14.1 MARS-E v2 CM-1 NIST Cybersecurity Framework v1.1 ID.BE-2
CRR v2016 EDM:MIL4.Q2 FFIEC IS v2016 A.1.5
23 NYCRR 500.04(a)(2) CMSRs v3.1 CP-01 (HIGH; MOD) CRR v2016 EDM:MIL4.Q3 FedRAMP CM-1 FFIEC IS v2016 A.2.10 IRS Pub 1075 v2016 9.3.15.1 MARS-E v2 CP-1 NIST Cybersecurity Framework v1.1 ID.BE-3
23 NYCRR 500.04(a)(3) AICPA 2017 CC1.4 CMSRs v3.1 IA-01 (HIGH; MOD) FedRAMP CP-1 De-ID Framework v1 Accountable Individuals: IRS Pub 1075 v2016 9.3.16.1 MARS-E v2 IA-1 NIST Cybersecurity F ramework v1.1 ID.GV-1
23 NYCRR 500.04(b) 45 CFR Part § 164.308(a)(1)(i) HIPAA.SR AICPA 2017 CC2.2 CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 MA-01 (HIGH; MOD) CSA CCM v3.0.1 GRM-04 CRR v2016 IM:MIL4.Q2 FedRAMP IA-1 FFIEC IS v2016 A.2.2 General IRS Pub 1075 v2016 9.3.17.1 MARS-E v2 IR-1 NIST Cybersecurity F ramework v1.1 ID.GV-2
201 CMR 17.03(2)(a) 23 NYCRR 500.04(b)(1) 45 CFR Part § 164.308(a)(2) HIPAA.SR AICPA 2017 CC3.1 and Benefits Certification Policy CMSRs v3.1 PE-01 (HIGH; MOD) COBIT 5 APO13.01 CSA CCM v3.0.1 GRM-05 CRR v2016 IM:MIL4.Q3 FedRAMP IR-1 FFIEC IS v2016 A.2.3 HITRUST De-ID Framework v1 Governance: General IRS Pub 1075 v2016 9.3.18.1 ISO/IEC 27002:2013 18.2.1 ISO/IEC 27799:2016 18.2.1 MARS-E v2 MA-1 NIST Cybersecurity F ramework v1.1 ID.GV-3
23 NYCRR 500.04(b)(2) 45 CFR Part § 164.308(a)(8) HIPAA.SR AICPA 2017 CC3.2 v1.1.0 Subsection 3.4 Policy v2.1.0 Subsection 3.4 CMSRs v3.1 PL-01 (HIGH; MOD) COBIT 5 APO13.02 CSA CCM v3.0.1 GRM-11 CRR v2016 RM:MIL2.Q3 FedRAMP MA-1 FFIEC IS v2016 A.2.6 De-ID Framework v1 Security Points of Contact: IRS Pub 1075 v2016 9.3.2.1 ISO/IEC 27002:2013 5.1.1 ISO/IEC 27799:2016 5.1.1 MARS-E v2 PE-1 NIST Cybersecurity F ramework v1.1 ID.GV-4
45 CFR Part § 164.316(a) HIPAA.SR CRR v2016 RM:MIL3.Q1 FFIEC IS v2016 A.2.9
23 NYCRR 500.04(b)(3) AICPA 2017 CC5.3 CMSRs v3.1 PM- 01 (HIGH; MOD) CRR v2016 RM:MIL3.Q2 FedRAMP PE-1 FFIEC IS v2016 A.6.2 General IRS Pub 1075 v2016 9.3.3.1 MARS-E v2 PL-1 NIST Cybersecurity F ramework v1.1 ID.RM-1
23 NYCRR 500.04(b)(4) CMSRs v3.1 PM- 02 (HIGH; MOD) FedRAMP PL-1 IRS Pub 1075 v2016 9.3.4.1 MARS-E v2 PM- 1 NIST Cybersecurity Framework v1.1 PR.AT-4
23 NYCRR 500.04(b)(5) CMSRs v3.1 PM- 03 (HIGH; MOD) CRR v2016 RM:MIL3.Q3 FedRAMP PS-1 FFIEC IS v2016 A.6.4(b) IRS Pub 1075 v2016 9.3.4.2 MARS-E v2 PM-13 NIST Cybersecurity Framework v1.1 PR.AT-5
CMSRs v3.1 PM- 09 (HIGH; MOD) CRR v2016 RM:MIL4.Q3 FedRAMP RA-1 IRS Pub 1075 v2016 9.3.5.1 MARS-E v2 PM- 2
CMSRs v3.1 PM- 13 (HIGH; MOD) CRR v2016 SA:G1.Q3 FedRAMP SA-1 IRS Pub 1075 v2016 9.3.6.1 MARS-E v2 PM- 3
CRR v2016 SA:MIL2.Q3
CMSRs v3.1 PS-01 (HIGH; MOD) CRR v2016 SA:MIL3.Q1 FedRAMP SC-1 IRS Pub 1075 v2016 9.3.7.1 MARS-E v2 PM- 9
CMSRs v3.1 RA-01 (HIGH; MOD) FedRAMP SI-1 IRS Pub 1075 v2016 9.3.8.1 MARS-E v2 PS-1
CMSRs v3.1 SA-01 (HIGH; MOD) CRR v2016 SA:MIL3.Q3 IRS Pub 1075 v2016 9.3.9.1 MARS-E v2 RA-1
CMSRs v3.1 SC-01 (HIGH; MOD) CRR v2016 SA:MIL4.Q1 MARS-E v2 SC-1
CMSRs v3.1 SI-01 (HIGH; MOD) CRR v2016 SA:MIL4.Q2 MARS-E v2 SI-1
CRR v2016 SA:MIL4.Q3
CRR v2016 SCM:MIL3.Q1
CRR v2016 SCM:MIL3.Q3
CRR v2016 SCM:MIL4.Q2
CRR v2016 SCM:MIL4.Q3
CRR v2016 TA:G2.Q6
CRR v2016 TA:MIL2.Q3
CRR v2016 TA:MIL3.Q1

05.b Information Security Coordination
05.c Allocation of Information Security
Responsibilities
05.d Authorization Process for
Information Assets and Facilities
05.e Confidentiality Agreements
05.f Contact with Authorities
05.g Contact with Special Interest Groups
05.h Independent Review of Information
Security
05.i Identification of Risks Related to
External Parties
05.j Addressing Security When Dealing
with Customers
05.k Addressing Security in Third Party
Agreements
06.a Identification of Applicable
Legislation
06.b Intellectual Property Rights
06.c Protection of Organizational Records
06.d Data Protection and Privacy of
Covered Information
06.e Prevention of Misuse of Information
Assets
06.f Regulation of Cryptographic Controls
06.g Compliance with Security Policies
and Standards
06.h Technical Compliance Checking
06.i Information Systems Audit Controls
06.j Protection of Information Systems
Audit Tools
07.a Inventory of Assets
07.b Ownership of Assets
07.c Acceptable Use of Assets
07.d Classification Guidelines
07.e Information Labeling and Handling
08.a Physical Security Perimeter
© 2019 HITRUST. All rights reserved.
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(3)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(3)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(3)
1 TAC § 390.2(a)(4)(B)(xviii)(I)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(3)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(4)
1 TAC § 390.2(a)(4)(A)(i)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(4)(A)(xv)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(ii)
1 TAC § 390.2(a)(4)(A)(vi)
1 TAC § 390.2(a)(4)(A)(vii)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(4)(B)(iv)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
16 CFR Part § 681 Appendix A VI(a)
16 CFR Part § 681 Appendix A VI(b)
16 CFR Part § 681.1 (e)(4)
16 CFR Part § 681.1 (e)(4)
16 CFR Part § 681 Appendix A
VII(a)
16 CFR Part § 681 Appendix A
VII(b)
16 CFR Part § 681 Appendix A
VII(c)
16 CFR Part § 681 Appendix A
VII(d)
45 CFR Part § 164.308(a)(1)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(8) HIPAA.SR
45 CFR Part § 164.310(a)(2)(ii) HIPAA.SR
45 CFR Part § 164.316(a) HIPAA.SR
45 CFR Part § 164.316(b)(1) HIPAA.SR
45 CFR Part § 164.316(b)(2)(iii) HIPAA.SR
45 CFR Part § 164.308(a)(2) HIPAA.SR
45 CFR Part § 164.308(a)(5)(i) HIPAA.SR
45 CFR Part § 164.308(a)(2) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(8) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(b)(3) HIPAA.SR
45 CFR Part § 164.310(b) HIPAA.SR
45 CFR Part § 164.308(a)(6)(ii) HIPAA.SR
45 CFR Part § 164.308(a)(5)(ii)(A) HIPAA.SR
201 CMR 17.03(2)(a) 45 CFR Part § 164.308(a)(1)(i) HIPAA.SR
45 CFR Part § 164.308(a)(1)(ii)(D) HIPAA.SR
201 CMR 17.03(2)(b) 45 CFR Part § 164.308(a)(8) HIPAA.SR
45 CFR Part § 164.308(a)(1)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(1)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(b)(1) HIPAA.SR
45 CFR Part § 164.308(b)(3) HIPAA.SR
45 CFR Part § 164.314(a)(1) HIPAA.SR
45 CFR Part § 164.314(a)(2)(i) HIPAA.SR
45 CFR Part § 164.314(a)(2)(ii) HIPAA.SR
45 CFR Part § 164.510 HIPAA.PR
45 CFR Part § 164.528(a) HIPAA.PR
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(B) HIPAA.SR
45 CFR Part § 164.404(b) HIPAA.BN 45 CFR Part § 164.308(b)(1) HIPAA.SR
45 CFR Part § 164.410(a)(1) HIPAA.BN 45 CFR Part § 164.308(b)(3) HIPAA.SR
45 CFR Part § 164.410(a)(2) HIPAA.BN 45 CFR Part § 164.314(a)(1) HIPAA.SR
201 CMR 17.03(2)(f) 45 CFR Part § 164.410(b) HIPAA.BN 45 CFR Part § 164.314(a)(2)(i) HIPAA.SR
45 CFR Part § 164.410(c)(1) HIPAA.BN 45 CFR Part § 164.314(a)(2)(ii) HIPAA.SR
45 CFR Part § 164.410(c)(2) HIPAA.BN 45 CFR Part § 164.314(b)(1) HIPAA.SR
45 CFR Part § 164.414(b) HIPAA.BN 45 CFR Part § 164.314(b)(2)(i) HIPAA.SR
45 CFR Part § 164.314(b)(2)(iii) HIPAA.SR
45 CFR Part § 164.314(b)(2)(iv) HIPAA.SR
201 CMR 17.03(1)
45 CFR Part § 164.502(f) HIPAA.PR
45 CFR Part § 164.520(e) HIPAA.PR
21 CFR Part 11.10(c) 45 CFR Part § 164.522(a)(3) HIPAA.PR
201 CMR 17.03(2)(g) 45 CFR Part § 164.414(a) HIPAA.BN 45 CFR Part § 160.103 HIPAA.GE 45 CFR Part § 164.524(e) HIPAA.PR
21 CFR Part 11.30 45 CFR Part § 164.528(d) HIPAA.PR
45 CFR Part § 164.530(j) HIPAA.PR
45 CFR Part § 164.530(j)(2) HIPAA.PR
45 CFR Part § 164.530(a) HIPAA.PR
45 CF R Part § 164.530(a)(2)(i) HIPAA.PR
21 CFR Part 11.30 23 NYCRR 500.15(a)(1)
45 CFR Part § 164.530(b) HIPAA.PR
45 CFR Part § 164.530(c)(1) HIPAA.PR
45 CFR Part § 164.308(a)(1)(ii)(C) HIPAA.SR
45 CFR Part § 164.308(a)(1)(ii)(D) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(4)(i) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(B) HIPAA.SR
45 CFR Part § 164.310(b) HIPAA.SR
45 CFR Part § 164.308(a)(1)(ii)(D) HIPAA.SR
45 CFR Part § 164.312(a)(2)(iv) HIPAA.SR
45 CFR Part § 164.312(e)(2)(ii) HIPAA.SR
45 CFR Part § 164.308(a)(1)(ii)(D) HIPAA.SR
45 CFR Part § 164.308(a)(2) HIPAA.SR
45 CFR Part § 164.308(a)(8) HIPAA.SR
45 CFR Part § 164.308(a)(1)(ii)(D) HIPAA.SR
45 CFR Part § 164.308(a)(8) HIPAA.SR
45 CFR Part § 164.308(a)(1)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(1)(ii)(D) HIPAA.SR
45 CFR Part § 164.310(a)(2)(ii) HIPAA.SR
45 CFR Part § 164.312(b) HIPAA.SR
45 CFR Part § 164.316(a) HIPAA.SR
45 CFR Part § 164.316(b)(1) HIPAA.SR
45 CFR Part § 164.316(b)(2)(iii) HIPAA.SR
45 CFR Part § 164.310(d)(1) HIPAA.SR
45 CFR Part § 164.310(d)(2)(i) HIPAA.SR
45 CFR Part § 164.310(d)(2)(iii) HIPAA.SR
45 CFR Part § 164.310(d)(1) HIPAA.SR
45 CFR Part § 164.310(d)(2)(iii) HIPAA.SR
201 CMR 17.03(2)(c)
45 CFR Part § 164.308(a)(1)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(1)(ii)(B) HIPAA.SR
45 CFR Part § 164.310(b) HIPAA.SR
201 CMR 17.03(2)(g) 45 CFR Part § 164.310(c) HIPAA.SR
45 CFR Part § 164.310(d)(1) HIPAA.SR
45 CFR Part § 164.310(a)(1) HIPAA.SR
45 CFR Part § 164.310(b) HIPAA.SR
45 CFR Part § 164.310(c) HIPAA.SR
CRR v2016 CCM:MIL4.Q3
CRR v2016 CCM:MIL5.Q2
CRR v2016 CM:G2.Q1
CRR v2016 CM:MIL2.Q3
CRR v2016 CM:MIL2.Q4
CRR v2016 CM:MIL3.Q3
CRR v2016 CM:MIL4.Q3
CRR v2016 CM:MIL5.Q2
CRR v2016 EDM:MIL2.Q3
CRR v2016 EDM:MIL3.Q3
CRR v2016 EDM:MIL4.Q3
CRR v2016 EDM:MIL5.Q2
CRR v2016 IM:MIL3.Q3
CRR v2016 IM:MIL4.Q3
CRR v2016 IM:MIL5.Q2
CRR v2016 RM:MIL2.Q3 IRS Pub 1075 v2016 7.1
CRR v2016 RM:MIL3.Q3 IRS Pub 1075 v2016 7.2.1 NIST Cybersecurity Framework v1.1 DE.DP- 4
CMSRs v3.1 PL-02 (HIGH; MOD) CRR v2016 RM:MIL4.Q3 MARS-E v2 PL-2
AICPA 2017 CC1.1 CMSRs v3.1 PL-02(03) (HIGH; MOD) CRR v2016 RM:MIL5.Q2 FedRAMP PL-2 FFIEC IS v2016 A.1.5 IRS Pub 1075 v2016 7.4 MARS-E v2 PL-2(3) NIST Cybersecurity Framework v1.1 ID.BE-3
AICPA 2017 CC2.2 COBIT 5 APO13.01 FFIEC IS v2016 A.3.1 IRS Pub 1075 v2016 9.3.12.2 NIST Cybersecurity F ramework v1.1 ID.GV-2
AICPA 2017 CC3.1 CMSRs v3.1 PM- 01 (HIGH; MOD) COBIT 5 APO13.02 CRR v2016 SA:G1.Q3 FedRAMP PL-2(3) FFIEC IS v2016 A.3.1c IRS Pub 1075 v2016 9.3.15.2 MARS-E v2 PM- 1 NIST Cybersecurity F ramework v1.1 ID.GV-3
AICPA 2017 CC3.4 CMSRs v3.1 PM- 03 (HIGH; MOD) CRR v2016 SA:G2.Q1 FedRAMP SA-2 FFIEC IS v2016 A.8.1(n) IRS Pub 1075 v2016 9.4.1 MARS-E v2 PM- 3 NIST Cybersecurity Framework v1.1 PR.IP-3
CMSRs v3.1 SA-02 (HIGH; MOD) CRR v2016 SA:G2.Q2 IRS Pub 1075 v2016 9.4.14 MARS-E v2 SA-2 NIST Cybersecurity Framework v1.1 PR.IP-8
CRR v2016 SA:G3.Q1
CRR v2016 SA:G3.Q2 IRS Pub 1075 v2016 Exhibit 6
CRR v2016 SA:MIL2.Q3
CRR v2016 SA:MIL3.Q3
CRR v2016 SA:MIL4.Q3
CRR v2016 SA:MIL5.Q2
CRR v2016 SCM:MIL2.Q3
CRR v2016 SCM:MIL3.Q3
CRR v2016 SCM:MIL4.Q3
CRR v2016 SCM:MIL5.Q2
CRR v2016 TA:MIL2.Q2
CRR v2016 TA:MIL2.Q3
CRR v2016 TA:MIL3.Q3
CRR v2016 TA:MIL4.Q3
CRR v2016 TA:MIL5.Q2
CRR v2016 VM:MIL2.Q3
CRR v2016 VM:MIL3.Q3
CMSRs v3.1 AT-03 (HIGH; MOD) MARS-E v2 AT-3 NIST Cybersecurity F ramework v1.1 ID.GV-1
FFIEC IS v2016 A.1.5 IRS Pub 1075 v2016 9.3.15.3 NIST Cybersecurity F ramework v1.1 ID.GV-2
AICPA 2017 CC1.3 CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 IR-02 (HIGH; MOD) COBIT 5 APO13.01 CSA CCM v3.0.1 GRM-04 CRR v2016 SA:G1.Q1 FedRAMP AT-3 FFIEC IS v2016 A.2.7 De-ID Framework v1 Accountable Individuals: IRS Pub 1075 v2016 9.3.18.1 ISO/IEC 27002:2013 6.1.1 ISO/IEC 27799:2016 6.1.1 MARS-E v2 IR-2 NIST Cybersecurity Framework v1.1 PR.AT-1
and Benefits Certification Policy CMSRs v3.1 PM- 02 (HIGH; MOD) HITRUST MARS-E v2 PM-10
AICPA 2017 CC5.3 v1.1.0 Subsection 3.4 Policy v2.1.0 Subsection 3.4 CMSRs v3.1 PM- 10 (HIGH; MOD) COBIT 5 APO13.02 CSA CCM v3.0.1 HRS-07 CRR v2016 SA:MIL2.Q2 FedRAMP SA-3 FFIEC IS v2016 A.2.8 General IRS Pub 1075 v2016 9.3.2.3 ISO/IEC 27002:2013 6.1.3 ISO/IEC 27799:2016 6.1.3 MARS-E v2 PM- 2 NIST Cybersecurity Framework v1.1 PR.AT-2
FFIEC IS v2016 A.2.9 IRS Pub 1075 v2016 9.3.8.2 NIST Cybersecurity Framework v1.1 PR.AT-4
CMSRs v3.1 SA-03 (HIGH; MOD) MARS-E v2 SA-3 NIST Cybersecurity Framework v1.1 PR.AT-5
CMSRs v3.1 CA-02 (HIGH; MOD) MARS-E v2 CA-2
AICPA 2017 CC3.4 CMSRs v3.1 CA-06 (HIGH; MOD) CRR v2016 AM:G5.Q1 FedRAMP CA-2 IRS Pub 1075 v2016 9.3.14.2 MARS-E v2 CA-6 NIST Cybersecurity Framework v1.1 ID.BE-1
AICPA 2017 CC6.1 FedRAMP CA-6 IRS Pub 1075 v2016 9.3.4.2 NIST Cybersecurity F ramework v1.1 ID.GV-4
AICPA 2017 CC8.1 CMSRs v3.1 PM- 10 (HIGH; MOD) CRR v2016 AM:G7.Q3 FedRAMP RA-3 IRS Pub 1075 v2016 9.3.4.5 MARS-E v2 PM-10 NIST Cybersecurity Framework v1.1 ID.RA-4
CMSRs v3.1 RA-03 (HIGH; MOD) MARS-E v2 RA-3
NIST Cybersecurity Framework v1.1 ID.AM-6
FFIEC IS v2016 A.6.31(d) NIST Cybersecurity F ramework v1.1 ID.GV-3
CSA CCM v3.0.1 HRS-06 HITRUST ISO/IEC 27002:2013 13.2.4 ISO/IEC 27799:2016 13.2.4 MARS-E v2 SA-9
FFIEC IS v2016 A.6.8(e) NIST Cybersecurity Framework v1.1 PR.DS-5
NIST Cybersecurity Framework v1.1 PR.IP- 11
AICPA 2017 CC2.3 CMSRs v3.1 CP-02 (HIGH; MOD) FedRAMP CP-2 IRS Pub 1075 v2016 9.3.6.2 ISO/IEC 27002:2013 6.1.3 ISO/IEC 27799:2016 6.1.3 MARS-E v2 CP-2 NIST Cybersecurity Framework v1.1 DE.DP- 4
CSA CCM v3.0.1 SEF-01 CRR v2016 EDM:G5.Q1 FedRAMP CP-4 FFIEC IS v2016 A.8.1(f) NIST Cybersecurity Framework v1.1 RS.CO-2
AICPA 2017 CC7.3 CMSRs v3.1 CP-04 (HIGH; MOD) FedRAMP IR-6 IRS Pub 1075 v2016 9.3.6.4 ISO/IEC 27002:2013 6.1.6 ISO/IEC 27799:2016 6.1.6 MARS-E v2 CP-4 NIST Cybersecurity Framework v1.1 RS.CO-3
NIST Cybersecurity F ramework v1.1 ID.GV-3
NIST Cybersecurity F ramework v1.1 ID.GV-4
CMSRs v3.1 PM- 15 (HIGH; MOD) FFIEC IS v2016 A.4.3 MARS-E v2 PM-15 NIST Cybersecurity Framework v1.1 ID.RA-2
CMSRs v3.1 SI-05 (HIGH; MOD) CSA CCM v3.0.1 SEF-01 CRR v2016 SA:G1.Q2 FedRAMP SI-5 IRS Pub 1075 v2016 9.3.17.5 ISO/IEC 27002:2013 6.1.4 ISO/IEC 27799:2016 6.1.4
CMSRs v3.1 SI-05(01) (HIGH) FFIEC IS v2016 A.4.4 MARS-E v2 SI-5 NIST Cybersecurity Framework v1.1 RS.AN-5
NIST Cybersecurity Framework v1.1 RS.CO-3
NIST Cybersecurity Framework v1.1 RS.CO-5
FFIEC IS v2016 A.10.1
FFIEC IS v2016 A.10.3(d)
CMSRs v3.1 AR-04 (HIGH) FFIEC IS v2016 A.10.5 NIST Cybersecurity F ramework v1.1 ID.GV-4
CMSRs v3.1 AR-04 (HIGH; MOD) FedRAMP CA-2 FFIEC IS v2016 A.10.6 MARS-E v2 AR-4 NIST Cybersecurity F ramework v1.1 ID.RM-1
AICPA 2017 CC3.4 CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 CA-02 (HIGH; MOD) FedRAMP CA-2(1) FFIEC IS v2016 A.2.1(a) De-ID Framework v1 Privacy Reviews/Audits: IRS Pub 1075 v2016 9.3.4.2 MARS-E v2 CA-2 NIST Cybersecurity F ramework v1.1 ID.RM-2
AICPA 2017 CC4.2 and Benefits Certification Policy COBIT 5 DSS05.07 CSA CCM v3.0.1 AAC-02 CRR v2016 VM:MIL4.Q1 FFIEC IS v2016 A.2.1(b) ISO/IEC 27002:2013 18.2.1 ISO/IEC 27799:2016 18.2.1 MARS-E v2 CA-2(1)
AICPA 2017 P8.1 v1.1.0 Subsection 3.4 Policy v2.1.0 Subsection 3.4 CMSRs v3.1 CA-02(01) (HIGH; MOD) FedRAMP CA-7 FFIEC IS v2016 A.2.1(c) General IRS Pub 1075 v2016 9.3.4.6 MARS-E v2 CA-7 NIST Cybersecurity F ramework v1.1 ID.RM-3
CMSRs v3.1 CA-07 (HIGH; MOD) FedRAMP CA-7(1) NIST Cybersecurity Framework v1.1 PR.IP-7
CMSRs v3.1 CA-07(01) (HIGH; MOD) FFIEC IS v2016 A.6.8(c) MARS-E v2 CA-7(1) NIST Cybersecurity Framework v1.1 PR.IP-8
FFIEC IS v2016 A.8.1(c)
FFIEC IS v2016 A.9.1
FFIEC IS v2016 A.9.4
FFIEC IS v2016 A.3.3
F FIEC IS v2016 A.6.18(c)
FFIEC IS v2016 A.6.19
FFIEC IS v2016 A.6.23 NIST Cybersecurity Framework v1.1 DE.AE-1
CRR v2016 CCM:G1.Q5 FFIEC IS v2016 A.6.31(a) NIST Cybersecurity Framework v1.1 ID.AM-3
AICPA 2017 CC2.3 CMSRs v3.1 AC-06 (HIGH; MOD) CSA CCM v3.0.1 IAM-07 CRR v2016 CCM:G2.Q11 FedRAMP AC-17(2) FFIEC IS v2016 A.6.31(b) IRS Pub 1075 v2016 9.3.1.12 MARS-E v2 AC-17(2) NIST Cybersecurity F ramework v1.1 ID.GV-3
AICPA 2017 CC3.2 CMSRs v3.1 AC-17(02) (HIGH; MOD) CSA CCM v3.0.1 STA-01 CRR v2016 EDM:G1.Q3 FedRAMP AC-6 F FIEC IS v2016 A.6.31(c) IRS Pub 1075 v2016 9.3.1.6 ISO/IEC 27002:2013 15.1.1 ISO/IEC 27799:2016 15.1.1 MARS-E v2 AC-6 NIST Cybersecurity F ramework v1.1 ID.RM-1
AICPA 2017 CC9.2 CMSRs v3.1 CA-03 (HIGH; MOD) EU GDPR Article 32(4) FedRAMP CA-3 FFIEC IS v2016 A.6.31(d) IRS Pub 1075 v2016 9.3.16.6 ISO/IEC 27002:2013 15.1.2 ISO/IEC 27799:2016 15.1.2 MARS-E v2 CA-3 NIST Cybersecurity F ramework v1.1 ID.RM-2
AICPA 2017 P6.1 CMSRs v3.1 MA-04 (HIGH; MOD) CSA CCM v3.0.1 STA-05 CRR v2016 EDM:G2.Q1 FedRAMP MA-4 FFIEC IS v2016 A.6.31(e) IRS Pub 1075 v2016 9.3.4.3 ISO/IEC 27002:2013 15.1.3 ISO/IEC 27799:2016 15.1.3 MARS-E v2 MA-4 NIST Cybersecurity Framework v1.1 PR.AC-3
CSA CCM v3.0.1 STA-08 CRR v2016 EDM:MIL2.Q1
AICPA 2017 P6.4 CMSRs v3.1 SC-08(01) (HIGH; MOD) CRR v2016 EDM:MIL2.Q4 FedRAMP SA-9(4) FFIEC IS v2016 A.6.31(f) IRS Pub 1075 v2016 9.3.9.4 MARS-E v2 SC-8(1) NIST Cybersecurity Framework v1.1 PR.AC-4
FFIEC IS v2016 A.6.31(g) NIST Cybersecurity Framework v1.1 PR.AT-3
FFIEC IS v2016 A.6.32 NIST Cybersecurity Framework v1.1 PR.DS-2
FFIEC IS v2016 A.6.33
FFIEC IS v2016 A.6.7(a)
FFIEC IS v2016 A.6.7(d)
IRS Pub 1075 v2016 9.3.1.8
CMSRs v3.1 AC-08 (HIGH; MOD) IRS Pub 1075 v2016 9.3.12.3 MARS-E v2 AC-8 NIST Cybersecurity Framework v1.1 ID.AM-6
CMSRs v3.1 CA-03 (HIGH; MOD) CRR v2016 EDM:G1.Q2 FedRAMP AC-8 FFIEC IS v2016 A.6.25(a) IRS Pub 1075 v2016 9.3.4.3 MARS-E v2 CA-3 NIST Cybersecurity Framework v1.1 PR.AC-1
AICPA 2017 CC3.3 CSA CCM v3.0.1 AIS-02 FedRAMP CA-3 De-ID Framework v1 Transparency: General ISO/IEC 27002:2013 14.1.2 ISO/IEC 27799:2016 14.1.2
CMSRs v3.1 PL-04 (HIGH; MOD) CRR v2016 EDM:MIL2.Q4 FedRAMP PL-4 FFIEC IS v2016 A.6.26 IRS Pub 1075 v2016 9.4.13 MARS-E v2 PL-4 NIST Cybersecurity Framework v1.1 PR.AC-3
CMSRs v3.1 TR-03 (HIGH; MOD) IRS Pub 1075 v2016 9.4.16 MARS-E v2 TR-3 NIST Cybersecurity Framework v1.1 PR.AT-3
IRS Pub 1075 v2016 9.4.5
EU GDPR Article 26(1)
AICPA 2017 CC1.4 EU GDPR Article 26(2) NIST Cybersecurity Framework v1.1 DE.CM-6
AICPA 2017 CC2.3
AICPA 2017 CC3.1 CSA CCM v3.0.1 IPY-03 CRR v2016 EDM:G1.Q1 EU GDPR Article 26(3) FFIEC IS v2016 A.3.3 IRS Pub 1075 v2016 5.4.2 ISO/IEC 27002:2013 7.1.1 ISO/IEC 27799:2016 7.1.1 NIST Cybersecurity Framework v1.1 ID.AM-6
CAQH Core Phase 1 102: Eligibility CSA CCM v3.0.1 STA-03 CRR v2016 EDM:G3.Q1 EU GDPR Article 28(2) F FIEC IS v2016 A.6.31(c) IRS Pub 1075 v2016 9.3.13.7 NIST Cybersecurity F ramework v1.1 ID.GV-2
AICPA 2017 CC3.4 and Benefits Certification Policy CAQHPolicy
Core Phase 2 202: Certification CMSRs v3.1 PS-07 (HIGH; MOD) CSA CCM v3.0.1 STA-05 CRR v2016 EDM:G3.Q3 EU GDPR Article 28(3) FedRAMP PS-7 FFIEC IS v2016 A.6.31(e) De-ID Framework v1 Third-party Assurance: IRS Pub 1075 v2016 9.3.15.7 ISO/IEC 27002:2013 15.1.1 ISO/IEC 27799:2016 15.1.1 MARS-E v2 PS-7 NIST Cybersecurity F ramework v1.1 ID.GV-3
AICPA 2017 CC9.2 v1.1.0 Subsection 3.4 v2.1.0 Subsection 3.4 CMSRs v3.1 SA-09 (HIGH; MOD) CSA CCM v3.0.1 STA-07 CRR v2016 EDM:G3.Q4 EU GDPR Article 28(4) FedRAMP SA-9 FFIEC IS v2016 A.6.31(f) General IRS Pub 1075 v2016 9.4.1 ISO/IEC 27002:2013 15.1.2 ISO/IEC 27799:2016 15.1.2 MARS-E v2 SA-9 NIST Cybersecurity Framework v1.1 ID.SC-1
AICPA 2017 P6.1 CSA CCM v3.0.1 STA-09 CRR v2016 EDM:MIL2.Q1 EU GDPR Article 28(9) FFIEC IS v2016 A.6.31(g) IRS Pub 1075 v2016 Exhibit 7 ISO/IEC 27002:2013 15.1.3 ISO/IEC 27799:2016 15.1.3 NIST Cybersecurity Framework v1.1 PR.AT-3
AICPA 2017 P6.4
AICPA 2017 P6.5 EU GDPR Article 29 NIST Cybersecurity Framework v1.1 PR.IP- 11
EU GDPR Article 32(4)
NIST Cybersecurity F ramework v1.1 ID.GV-3
ISO/IEC 27002:2013 18.1.1 ISO/IEC 27799:2016 18.1.1 NIST Cybersecurity F ramework v1.1 ID.GV-4
AICPA 2017 CC1.3 CMSRs v3.1 PM-15 (HIGH; MOD) CSA CCM v3.0.1 AAC-03 FFIEC IS v2016 A.4.5 ISO/IEC 27002:2013 6.1.4 ISO/IEC 27799:2016 6.1.4 MARS-E v2 PM-15 NIST Cybersecurity Framework v1.1 PR.AT-3
ISO/IEC 27002:2013 7.2.2 ISO/IEC 27799:2016 7.2.2 NIST Cybersecurity Framework v1.1 PR.IP-7
NIST Cybersecurity Framework v1.1 RS.CO-5
FedRAMP CM-10 NIST Cybersecurity Framework v1.1 DE.CM-3
CMSRs v3.1 CM-10 (HIGH; MOD) IRS Pub 1075 v2016 9.3.5.10 ISO/IEC 27002:2013 18.1.2 ISO/IEC 27799:2016 18.1.2 MARS-E v2 CM-10 NIST Cybersecurity F ramework v1.1 ID.GV-3
FedRAMP CM-10(1) NIST Cybersecurity Framework v1.1 PR.IP-1
IRS Pub 1075 v2016 3.1
CMSRs v3.1 AU-11 (HIGH; MOD) IRS Pub 1075 v2016 4.2 MARS-E v2 AU-11 NIST Cybersecurity Framework v1.1 ID.AM-5
AICPA 2017 C1.1 CMS Rs v3.1 DM-02 (HIGH; MOD) FedRAMP RA-2 FFIEC IS v2016 A.6.18(a) De-ID Framework v1 Retention: Data Retention IRS Pub 1075 v2016 9.3.17.9 ISO/IEC 27002:2013 18.1.3 ISO/IEC 27799:2016 18.1.3 MARS-E v2 DM-2 NIST Cybersecurity F ramework v1.1 ID.GV-3
AICPA 2017 C1.2 CMSRs v3.1 DM- 02(01) (HIGH; MOD) CRR v2016 CM:G2.Q3 MARS-E v2 DM-2(1) NIST Cybersecurity F ramework v1.1 ID.GV-4
AICPA 2017 P4.2 CMSRs v3.1 RA-02 (HIGH; MOD) FedRAMP SI-12 FFIEC IS v2016 A.6.18(b) Policy IRS Pub 1075 v2016 9.3.3.11 ISO/IEC 27002:2013 8.2.1 ISO/IEC 27799:2016 8.2.1 MARS-E v2 RA-2 NIST Cybersecurity Framework v1.1 PR.PT-1
IRS Pub 1075 v2016 9.3.6.7
CMSRs v3.1 SI-12 (HIGH; MOD) IRS Pub 1075 v2016 Exhibit 10 MARS-E v2 SI-12 NIST Cybersecurity Framework v1.1 PS.DS-3
EU GDPR Article 27(1)
EU GDPR Article 27(2)
EU GDPR Article 27(3)
EU GDPR Article 27(4)
EU GDPR Article 27(5)
EU GDPR Article 37(1) De- ID Framework v1 Data Storage: General IRS Pub 1075 v2016 11.1
CMSRs v3.1 AR-01 (HIGH; MOD) EU GDPR Article 37(2) De-ID Framework v1 Storage (Minimal IRS Pub 1075 v2016 4.2 MARS-E v2 AR-1
CIS CSC v7.1 14.4 CMSRs v3.1 AR-02 (HIGH; MOD) CSA CCM v3.0.1 EKM-01 EU GDPR Article 37(3) FedRAMP SC-28 FFIEC IS v2016 A.6.18(a) Locations Authorized): Implementation IRS Pub 1075 v2016 8.3 ISO/IEC 27002:2013 18.1.3 ISO/IEC 27799:2016 7.12.2.2 MARS-E v2 AR-2 NIST Cybersecurity F ramework v1.1 ID.GV-3
AICPA 2017 CC6.1 CMSRs v3.1 SC-12(01) (HIGH) CSA CCM v3.0.1 EKM-02 CRR v2016 CM:G2.Q3 FedRAMP SC-28(1) HITRUST De-ID Framework v1 Storage (Minimal IRS Pub 1075 v2016 9.3.16.15 ISO/IEC 27799:2016 18.1.3 MARS-E v2 SC-12 NIST Cybersecurity Framework v1.1 PR.DS-1
CIS CSC v7.1 14.8 CMSRs v3.1 SC-28 (HIGH; MOD) CSA CCM v3.0.1 EKM-03 EU GDPR Article 37(4) FedRAMP SI-12 FFIEC IS v2016 A.6.30 Locations Authorized): Policy IRS Pub 1075 v2016 9.3.17.9 ISO/IEC 27002:2013 18.1.4 ISO/IEC 27799:2016 18.1.4 MARS-E v2 SC-28 NIST Cybersecurity Framework v1.1 PR.DS-2
EU GDPR Article 37(5)
CMSRs v3.1 SI-12 (HIGH) EU GDPR Article 37(7) De-ID Framework v1 Transmission Encryption: IRS Pub 1075 v2016 9.3.6.7 MARS-E v2 SI-12
EU GDPR Article 38(1) Applicability IRS Pub 1075 v2016 Exhibit 10
EU GDPR Article 38(2)
EU GDPR Article 38(3)
EU GDPR Article 39(1)
EU GDPR Article 39(2)
CMSRs v3.1 AC-08 (HIGH; MOD) IRS Pub 1075 v2016 9.3.1.8 NIST Cybersecurity Framework v1.1 DE.CM-1
AICPA 2017 CC1.1 CMSRs v3.1 PL-04 (HIGH) FedRAMP AC-8 IRS Pub 1075 v2016 9.3.12.3 MARS-E v2 AC-8 NIST Cybersecurity Framework v1.1 DE.CM-3
FedRAMP PL-4 MARS-E v2 PL-4
AICPA 2017 CC1.5 CMSRs v3.1 PL-04 (HIGH; MOD) FedRAMP PS-8 IRS Pub 1075 v2016 9.3.13.8 MARS-E v2 PS-8 NIST Cybersecurity F ramework v1.1 ID.GV-3
CMSRs v3.1 PS-08 (HIGH; MOD) IRS Pub 1075 v2016 Exhibit 8 NIST Cybersecurity Framework v1.1 PR.IP- 11
ISO/IEC 27002:2013 18.1.1
CMSRs v3.1 IA-07 (HIGH; MOD) FedRAMP IA-7 IRS Pub 1075 v2016 9.3.16.9 ISO/IEC 27002:2013 18.1.2 ISO/IEC 27799:2016 18.1.1 MARS-E v2 IA-13(1)
CMSRs v3.1 SC-13 (HIGH; MOD) FedRAMP SC-13 IRS Pub 1075 v2016 9.3.7.7 ISO/IEC 27002:2013 18.1.3 ISO/IEC 27799:2016 18.1.2 MARS-E v2 IA-7 NIST Cybersecurity Framework v1.1 ID.GV-3
ISO/IEC 27002:2013 18.1.4 ISO/IEC 27799:2016 18.1.5 MARS-E v2 ISC-13
ISO/IEC 27002:2013 18.1.5
FFIEC IS v2016 A.10.1
FFIEC IS v2016 A.10.3(a)
CMSRs v3.1 AR-04 (HIGH; MOD) FFIEC IS v2016 A.10.5 MARS-E v2 AR-4 NIST Cybersecurity Framework v1.1 DE.CM-7
CMSRs v3.1 CA-01 (HIGH; MOD) FedRAMP CA-7 FFIEC IS v2016 A.10.6 IRS Pub 1075 v2016 9.3.14.3 NIST Cybersecurity Framework v1.1 DE.DP- 1
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 CA-02(01) (HIGH; MOD) CSA CCM v3.0.1 HRS-07 FedRAMP CA-7(1) FFIEC IS v2016 A.4.1 IRS Pub 1075 v2016 9.3.4.1 ISO/IEC 27002:2013 18.2.2 ISO/IEC 27799:2016 18.2.2 MARS-E v2 CA-1 NIST Cybersecurity Framework v1.1 DE.DP- 4
AICPA 2017 CC2.1 and Benefits Certification Policy COBIT 5 DSS05.07 MARS-E v2 CA-7
v1.1.0 Subsection 3.4 Policy v2.1.0 Subsection 3.4 CMSRs v3.1 CA-07 (HIGH; MOD) CSA CCM v3.0.1 STA-04 FedRAMP RA-5 FFIEC IS v2016 A.6.4(c) IRS Pub 1075 v2016 9.3.4.6 ISO/IEC 27002:2013 18.2.3 ISO/IEC 27799:2016 18.2.3 MARS-E v2 CA-7(1) NIST Cybersecurity Framework v1.1 DE.DP- 7
CMSRs v3.1 CA-07(01) (HIGH; MOD) FedRAMP SA-4(8) FFIEC IS v2016 A.7.4(c) IRS Pub 1075 v2016 Exhibit 10 MARS-E v2 RA-5 NIST Cybersecurity F ramework v1.1 ID.GV-3
CMSRs v3.1 RA-05 (HIGH; MOD) FFIEC IS v2016 A.7.4(d) NIST Cybersecurity Framework v1.1 ID.RA-6
FFIEC IS v2016 A.8.1(c)
FFIEC IS v2016 A.8.1(o)
CIS CSC v7.1 11.1 NIST Cybersecurity Framework v1.1 DE.CM-8
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CIS CSC v7.1 11.3 CMSRs v3.1 CA-02(02) (HIGH) FedRAMP CA-2(2) IRS Pub 1075 v2016 9.3.14.3 ISO/IEC 27002:2013 18.2.2 ISO/IEC 27799:2016 18.2.2 MARS-E v2 CA-7 NIST Cybersecurity Framework v1.1 ID.RA-1
AICPA 2017 CC4.1 and Benefits Certification Policy CIS CSC v7.1 13.3 CMSRs v3.1 CA-07 (HIGH; MOD) COBIT 5 DSS05.07 FedRAMP CA-7 NIST Cybersecurity Framework v1.1 ID.RA-6
v1.1.0 Subsection 3.4 Policy v2.1.0 Subsection 3.4 CIS CSC v7.1 14.5 CMSRs v3.1 RA-05 (HIGH; MOD) FedRAMP RA-5 IRS Pub 1075 v2016 9.3.4.6 ISO/IEC 27002:2013 18.2.3 ISO/IEC 27799:2016 18.2.3 MARS-E v2 RA-5 NIST Cybersecurity Framework v1.1 PR.IP- 12
CIS CSC v7.1 14.9 NIST Cybersecurity Framework v1.1 RS.MI-3
NIST Cybersecurity Framework v1.1 DE.DP- 1
AICPA 2017 CC3.1 CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 AU-01 (HIGH; MOD) CSA CCM v3.0.1 AAC-01 FedRAMP AU-1 IRS Pub 1075 v2016 9.3.12.2 MARS-E v2 AU-1 NIST Cybersecurity Framework v1.1 DE.DP- 2
and Benefits Certification Policy CMSRs v3.1 CA-02 (HIGH; MOD) FedRAMP CA-2 IRS Pub 1075 v2016 9.3.3.1 ISO/IEC 27002:2013 12.7.1 ISO/IEC 27799:2016 12.7.1 MARS-E v2 CA-2 NIST Cybersecurity Framework v1.1 DE.DP- 4
AICPA 2017 CC5.1 v1.1.0 Subsection 3.4 Policy v2.1.0 Subsection 3.4 CMSRs v3.1 PL-02 (HIGH; MOD) CSA CCM v3.0.1 AAC-02 FedRAMP PL-2 IRS Pub 1075 v2016 9.3.4.2 MARS-E v2 PL-2 NIST Cybersecurity F ramework v1.1 ID.GV-4
NIST Cybersecurity Framework v1.1 PR.PT-1
CMSRs v3.1 AC-06(01) (HIGH; MOD) FedRAMP AC-6(1) MARS-E v2 AC-6(1) NIST Cybersecurity Framework v1.1 DE.DP- 1
CMSRs v3.1 AU-01 (HIGH; MOD) CSA CCM v3.0.1 AAC-02 FedRAMP AU-1 IRS Pub 1075 v2016 9.3.3.10 MARS-E v2 AU-1 NIST Cybersecurity Framework v1.1 PR.AC-1
CMSRs v3.1 AU-02 (HIGH; MOD) IRS Pub 1075 v2016 9.3.3.11 ISO/IEC 27002:2013 12.7.1 ISO/IEC 27799:2016 12.7.1 NIST Cybersecurity Framework v1.1 PR.AC-4
CMSRs v3.1 AU-09 (HIGH; MOD) CSA CCM v3.0.1 IAM-01 FedRAMP AU-9 IRS Pub 1075 v2016 9.3.4.2 MARS-E v2 AU-9 NIST Cybersecurity Framework v1.1 PR.IP-1
CMSRs v3.1 CA-02 (HIGH; MOD) FedRAMP CA-2 MARS-E v2 CA-2 NIST Cybersecurity Framework v1.1 PR.PT-3
CRR v2016 AM:G2.Q1
CRR v2016 AM:G2.Q3
CMSRs v3.1 CM-02(02) (HIGH; MOD) CRR v2016 AM:G2.Q4
CIS CSC v7.1 1.1 CMSRs v3.1 CM-08 (HIGH; MOD) CRR v2016 AM:G2.Q5
CIS CSC v7.1 1.3 CMSRs v3.1 CM-08(01) (HIGH; MOD) CRR v2016 AM:G3.Q1 FedRAMP CM-7 FFIEC IS v2016 A.6.16(a) IRS Pub 1075 v2016 4.5 MARS-E v2 CM-8 NIST Cybersecurity Framework v1.1 ID.AM-1
CIS CSC v7.1 1.4 CMSRs v3.1 CM-08(02) (HIGH) FFIEC IS v2016 A.6.16(b)
AICPA 2017 CC6.1 CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CIS CSC v7.1 1.5 CMSRs v3.1 CM-08(03) (HIGH; MOD) CSA CCM v3.0.1 DCS-01 CRR v2016 AM:G4.Q2 FedRAMP CM-8 F FIEC IS v2016 A.6.16(c) IRS Pub 1075 v2016 9.3.10.1 MARS-E v2 CM-8(1) NIST Cybersecurity Framework v1.1 ID.AM-2
AICPA 2017 CC6.5 and Benefits Certification Policy COBIT 5 APO12.03 CRR v2016 AM:G6.Q1 FedRAMP CM-8(1) HITRUST De-ID Framework v1 Data Storage: General IRS Pub 1075 v2016 9.3.5.8 ISO/IEC 27002:2013 8.1.1 ISO/IEC 27799:2016 8.1.1 MARS-E v2 MP-1 NIST Cybersecurity Framework v1.1 ID.AM-5
AICPA 2017 CC7.1 v1.1.0 Subsection 3.4 Policy v2.1.0 Subsection 3.4 CIS CSC v7.1 15.1 CMSRs v3.1 CM-08(04) (HIGH) CSA CCM v3.0.1 MOS-09 CRR v2016 AM:G6.Q6 FedRAMP CM-8(5) FFIEC IS v2016 A.6.16(d) IRS Pub 1075 v2016 9.4.12 MARS-E v2 PM- 5 NIST Cybersecurity Framework v1.1 PR.AC-4
CIS CSC v7.1 2.3 CMSRs v3.1 CM-08(05) (HIGH; MOD) CRR v2016 AM:G6.Q7 FedRAMP MP-1 FFIEC IS v2016 A.6.16(e) IRS Pub 1075 v2016 9.4.18 MARS-E v2 SE-1 NIST Cybersecurity Framework v1.1 PR.DS-3
CIS CSC v7.1 2.4 CMSRs v3.1 MP-01 (HIGH; MOD) CRR v2016 AM:MIL2.Q1 FFIEC IS v2016 A.6.6
CIS CSC v7.1 2.5 CMSRs v3.1 PM- 05 (HIGH; MOD)
CMSRs v3.1 SE-01 (HIGH; MOD) CRR v2016 AM:MIL2.Q2
CRR v2016 AM:MIL2.Q4
CRR v2016 VM:G1.Q5
NIST Cybersecurity Framework v1.1 ID.AM-5
CRR v2016 AM:G2.Q3 NIST Cybersecurity Framework v1.1 ID.AM-6
CRR v2016 AM:G5.Q1
CMSRs v3.1 CM-08 (HIGH; MOD) CSA CCM v3.0.1 DCS-01 CRR v2016 AM:G5.Q2 FedRAMP CM-10 IRS Pub 1075 v2016 9.3.5.10 NIST Cybersecurity F ramework v1.1 ID.GV-3
AICPA 2017 CC6.1 FedRAMP CM-7 FFIEC IS v2016 A.6.6 IRS Pub 1075 v2016 9.3.5.8 ISO/IEC 27002:2013 8.1.2 ISO/IEC 27799:2016 8.1.2 MARS-E v2 CM-8 NIST Cybersecurity F ramework v1.1 ID.GV-4
CMSRs v3.1 CM-10 (HIGH; MOD) CSA CCM v3.0.1 DSI-06 CRR v2016 AM:G5.Q3 FedRAMP CM-8 IRS Pub 1075 v2016 Exhibit 10 NIST Cybersecurity Framework v1.1 PR.DS-3
CRR v2016 AM:G5.Q4 NIST Cybersecurity Framework v1.1 PR.IP-1
CRR v2016 AM:MIL2.Q4 NIST Cybersecurity Framework v1.1 PR.PT-1
NIST Cybersecurity Framework v1.1 ID.AM-6
CMSRs v3.1 AC-20 (HIGH; MOD) FedRAMP AC-20 FFIEC IS v2016 A.6.18(g) MARS-E v2 AC-20 NIST Cybersecurity Framework v1.1 PR.AT-1
CMSRs v3.1 PL-04 (HIGH; MOD) CSA CCM v3.0.1 HRS-08 FedRAMP PL-4 IRS Pub 1075 v2016 9.3.12.3 ISO/IEC 27002:2013 8.1.3 ISO/IEC 27799:2016 8.1.3 MARS-E v2 PL-4
CMSRs v3.1 PL-04(01) (HIGH; MOD) FedRAMP PL-4(1) F FIEC IS v2016 A.6.8(f) MARS-E v2 PL-4(1) NIST Cybersecurity Framework v1.1 PR.DS-5
NIST Cybersecurity Framework v1.1 PR.IP- 11
NIST Cybersecurity Framework v1.1 ID.AM-1
NIST Cybersecurity Framework v1.1 ID.AM-2
NIST Cybersecurity Framework v1.1 ID.AM-5
NIST Cybersecurity Framework v1.1 ID.AM-6
CRR v2016 AM:G3.Q2 NIST Cybersecurity F ramework v1.1 ID.GV-4
CMSRs v3.1 CM-08 (HIGH; MOD) CRR v2016 AM:G6.Q1 FedRAMP CM-7 ISO/IEC 27002:2013 8.1.1 ISO/IEC 27799:2016 8.1.1 MARS-E v2 CM-8 NIST Cybersecurity Framework v1.1 ID.RA-3
CSA CCM v3.0.1 DSI-01 FedRAMP CM-8 FFIEC IS v2016 A.6.6 HITRUST IRS Pub 1075 v2016 Exhibit 10 ISO/IEC 27002:2013 8.1.2 ISO/IEC 27799:2016 8.1.2
CMSRs v3.1 RA-02 (HIGH; MOD) CRR v2016 AM:G6.Q2 FedRAMP RA-2 ISO/IEC 27002:2013 8.2.1 ISO/IEC 27799:2016 8.2.1 MARS-E v2 RA-2 NIST Cybersecurity Framework v1.1 ID.RA-4
CRR v2016 RM:G2.Q1 NIST Cybersecurity Framework v1.1 ID.RA-5
NIST Cybersecurity Framework v1.1 IR.RA-4
NIST Cybersecurity Framework v1.1 PR.AC-4
NIST Cybersecurity Framework v1.1 PR.DS-3
NIST Cybersecurity Framework v1.1 PR.DS-5
IRS Pub 1075 v2016 9.3.1.8
AICPA 2017 C1.1 CMSRs v3.1 AC-08 (HIGH; MOD) FedRAMP AC-8 IRS Pub 1075 v2016 9.3.10.3 ISO/IEC 27002:2013 16.1.7 ISO/IEC 27799:2016 16.1.7 MARS-E v2 AC-8 NIST Cybersecurity Framework v1.1 PR.DS-5
CSA CCM v3.0.1 DSI-04 CRR v2016 AM:G6.Q3 HITRUST ISO/IEC 27002:2013 8.2.2 ISO/IEC 27799:2016 8.2.2
AICPA 2017 C1.2 CMSRs v3.1 MP-03 (HIGH; MOD) FedRAMP MP-3 IRS Pub 1075 v2016 9.4.3 ISO/IEC 27002:2013 8.2.3 ISO/IEC 27799:2016 8.2.3 MARS-E v2 MP-3 NIST Cybersecurity Framework v1.1 PR.PT-2
IRS Pub 1075 v2016 9.4.4
IRS Pub 1075 v2016 4.2 NIST Cybersecurity Framework v1.1 DE.CM-2
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 MA-02 (HIGH; MOD) FedRAMP MA-2 F FIEC IS v2016 A.6.21(c) De-ID Framework v1 Public Access to Sensitive IRS Pub 1075 v2016 4.3 ISO/IEC 27002:2013 11.1.1 ISO/IEC 27799:2016 11.1.1 MARS-E v2 MA-2 NIST Cybersecurity Framework v1.1 DE.CM-7
AICPA 2017 CC6.4 and Benefits Certification Policy CMSRs v3.1 PE-03 (HIGH; MOD) COBIT 5 DSS05.05 CSA CCM v3.0.1 DCS-02 FFIEC IS v2016 A.6.8 IRS Pub 1075 v2016 4.5
v1.1.0 Subsection 3.4 Policy v2.1.0 Subsection 3.4 CMSRs v3.1 SC-24 (HIGH; MOD) FedRAMP PE-3 FFIEC IS v2016 A.8.1(e) Areas: General IRS Pub 1075 v2016 9.3.11.3 ISO/IEC 27002:2013 11.2.6 ISO/IEC 27799:2016 11.2.6 MARS-E v2 PE-3 NIST Cybersecurity Framework v1.1 DE.DP- 2
IRS Pub 1075 v2016 9.3.9.2 NIST Cybersecurity Framework v1.1 PR.AC-2

08.b Physical Entry Controls
08.c Securing Offices, Rooms, and
Facilities
08.d Protecting Against External and
Environmental Threats
08.e Working in Secure Areas
08.f Public Access, Delivery, and Loading
Areas
08.g Equipment Siting and Protection
08.h Supporting Utilities
08.i Cabling Security
08.j Equipment Maintenance
08.k Security of Equipment Off-Premises
08.l Secure Disposal or Re-Use of
Equipment
08.m Removal of Property
09.a Documented Operations Procedures
09.b Change Management
09.c Segregation of Duties
09.d Separation of Development, Test,
and Operational Environments
09.e Service Delivery
09.f Monitoring and Review of Third
Party Services
09.g Managing Changes to Third Party
Services
09.h Capacity Management
09.i System Acceptance
09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
09.l Back-up
09.m Network Controls
09.n Security of Network Services
09.o Management of Removable Media
09.p Disposal of Media
09.q Information Handling Procedures
09.r Security of System Documentation
09.s Information Exchange Policies and
Procedures
09.t Exchange Agreements
© 2019 HITRUST. All rights reserved.
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1) 16 CFR Part § 681 Appendix A VI(c)
1 TAC § 390.2(a)(4)(A)(xi)
16 CFR Part § 681 Appendix A VI(c)
1 TAC § 390.2(a)(3)
1 TAC § 390.2(a)(4)(A)(xi)
16 CFR Part § 681 Appendix A VI(c)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(ii)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
45 CFR Part § 164.310(a)(1) HIPAA.SR
21 CFR Part 11.10(d) 45 CFR Part § 164.310(a)(2)(iii) HIPAA.SR
45 CFR Part § 164.310(b) HIPAA.SR
45 CFR Part § 164.310(c) HIPAA.SR
45 CFR Part § 164.310(a)(1) HIPAA.SR
45 CFR Part § 164.310(a)(2)(iii) HIPAA.SR
45 CFR Part § 164.310(b) HIPAA.SR
45 CFR Part § 164.310(c) HIPAA.SR
45 CFR Part § 164.310(a)(1) HIPAA.SR
45 CFR Part § 164.310(a)(2)(ii) HIPAA.SR
45 CFR Part § 164.310(a)(2)(iii) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
45 CFR Part § 164.310(a)(2)(iii) HIPAA.SR
45 CFR Part § 164.310(c) HIPAA.SR
45 CFR Part § 164.310(a)(1) HIPAA.SR
45 CFR Part § 164.310(a)(2)(ii) HIPAA.SR
45 CFR Part § 164.310(a)(2)(iii) HIPAA.SR
45 CFR Part § 164.310(c) HIPAA.SR
45 CFR Part § 164.308(a)(7)(ii)(C) HIPAA.SR
45 CFR Part § 164.310(a)(1) HIPAA.SR
45 CFR Part § 164.310(c) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
45 CFR Part § 164.310(a)(2)(iv) HIPAA.SR
45 CFR Part § 164.310(c) HIPAA.SR
45 CFR Part § 164.310(d)(1) HIPAA.SR
45 CFR Part § 164.310(d)(2)(iii) HIPAA.SR
45 CFR Part § 164.312(c)(1) HIPAA.SR
45 CFR Part § 164.310(d)(1) HIPAA.SR
45 CFR Part § 164.310(d)(2)(i) HIPAA.SR
45 CFR Part § 164.310(d)(2)(ii) HIPAA.SR
45 CFR Part § 164.310(d)(1) HIPAA.SR
45 CFR Part § 164.310(d)(2)(iii) HIPAA.SR
21 CFR Part 11.10(k) 45 CFR Part § 164.310(a)(2)(iv) HIPAA.SR
45 CFR Part § 164.316(a) HIPAA.SR
45 CFR Part § 164.308(a)(3)(i) HIPAA.SR
45 CFR Part § 164.308(a)(4)(i) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(A) HIPAA.SR
45 CFR Part § 164.312(a)(1) HIPAA.SR
45 CFR Part § 164.308(b)(1) HIPAA.SR
45 CFR Part § 164.308(b)(3) HIPAA.SR
201 CMR 17.03(2)(f)(2) 45 CFR Part § 164.314(a)(1) HIPAA.SR
16 CFR Part § 681.1 (e)(4) 45 CFR Part § 164.314(a)(2)(i) HIPAA.SR
45 CFR Part § 164.314(a)(2)(ii) HIPAA.SR
45 CFR Part § 164.314(b)(2)(i) HIPAA.SR
45 CFR Part § 164.308(b)(1) HIPAA.SR
45 CFR Part § 164.308(b)(3) HIPAA.SR
16 CFR Part § 681.1 (e) 45 CFR Part § 164.314(a)(1) HIPAA.SR
16 CFR Part § 681.1 (e)(4) 45 CFR Part § 164.314(a)(2)(i) HIPAA.SR
45 CFR Part § 164.314(a)(2)(ii) HIPAA.SR
16 CFR Part § 681.1 (e)(4)
45 CFR Part § 164.312(b) HIPAA.SR
45 CFR Part § 164.308(a)(8) HIPAA.SR
201 CMR 17.04(7) 45 CFR Part § 164.308(a)(5)(i) HIPAA.SR
45 CFR Part § 164.308(a)(5)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(5)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(7)(ii)(A) HIPAA.SR
23 NYCRR 500.06(b) 45 CFR Part § 164.308(a)(7)(ii)(B) HIPAA.SR
45 CFR Part § 164.310(d)(2)(iv) HIPAA.SR
45 CFR Part § 164.312(c)(1) HIPAA.SR
45 CFR Part § 164.312(a)(2)(i) HIPAA.SR
45 CFR Part § 164.312(c)(1) HIPAA.SR
45 CFR Part § 164.312(c)(2) HIPAA.SR
45 CFR Part § 164.312(d) HIPAA.SR
45 CFR Part § 164.312(e)(1) HIPAA.S R
45 CFR Part § 164.312(e)(2)(i) HIPAA.SR
45 CFR Part § 164.312(e)(2)(ii) HIPAA.SR
45 CFR Part § 164.308(b)(1) HIPAA.SR
16 CFR Part § 681.1 (e)(4) 21 CFR Part 11.30 45 CFR Part § 164.308(b)(3) HIPAA.SR
45 CFR Part § 164.314(a)(1) HIPAA.SR
45 CFR Part § 164.314(a)(2)(ii) HIPAA.SR
45 CFR Part § 164.310(c) HIPAA.SR
45 CFR Part § 164.310(d)(1) HIPAA.SR
201 CMR 17.03(2)(c) 45 CFR Part § 164.310(d)(2)(iii) HIPAA.SR
201 CMR 17.04(5)
45 CFR Part § 164.310(d)(2)(iv) HIPAA.SR
45 CFR Part § 164.312(c)(1) HIPAA.SR
45 CFR Part § 164.310(d)(1) HIPAA.SR
45 CFR Part § 164.310(d)(2)(i) HIPAA.SR
45 CFR Part § 164.310(d)(2)(ii) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
201 CMR 17.03(2)(c) 45 CFR Part § 164.310(b) HIPAA.SR
201 CMR 17.03(2)(g) 45 CFR Part § 164.310(c) HIPAA.SR
45 CFR Part § 164.310(d)(1) HIPAA.SR
45 CFR Part § 164.312(c)(1) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(B) HIPAA.SR
45 CFR Part § 164.310(b) HIPAA.SR
201 CMR 17.04(3) 45 CFR Part § 164.312(e)(1) HIPAA.S R
45 CFR Part § 164.312(e)(2)(i) HIPAA.SR
45 CFR Part § 164.312(e)(2)(ii) HIPAA.SR
45 CFR Part § 164.306(a)(1) HIPAA.SR
45 CFR Part § 164.308(a)(1)(i) HIPAA.SR
45 CFR Part § 164.308(b)(1) HIPAA.SR
201 CMR 17.03(2)(c) 45 CFR Part § 164.308(b)(3) HIPAA.SR
45 CFR Part § 164.310(d)(1) HIPAA.SR
45 CFR Part § 164.314(a)(1) HIPAA.SR
45 CFR Part § 164.314(a)(2)(i) HIPAA.SR
45 CFR Part § 164.314(a)(2)(ii) HIPAA.SR
AICPA 2017 CC6.1 CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification
AICPA 2017 CC6.2
AICPA 2017 CC6.3 and Benefits Certification Policy
v1.1.0 Subsection 3.4
AICPA 2017 CC6.4
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification
AICPA 2017 CC3.1 and Benefits Certification Policy
v1.1.0 Subsection 3.4
AICPA 2017 A1.2 CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification
AICPA 2017 CC6.4 and Benefits Certification Policy
v1.1.0 Subsection 3.4
AICPA 2017 A1.2
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification
AICPA 2017 CC3.1 and Benefits Certification Policy
v1.1.0 Subsection 3.4
AICPA 2017 CC6.5
AICPA 2017 CC1.3
AICPA 2017 CC3.3
AICPA 2017 CC5.1
AICPA 2017 CC6.3
AICPA 2017 CC9.2
AICPA 2017 A1.1
AICPA 2017 CC7.2
AICPA 2017 CC6.1
CAQH Core Phase 1 102: Eligibility
AICPA 2017 CC6.8 and Benefits Certification Policy CAQHPolicy
v1.1.0 Subsection 3.4
AICPA 2017 CC8.1
CAQH Core Phase 1 102: Eligibility
AICPA 2017 A1.2 and Benefits Certification Policy CAQHPolicy
AICPA 2017 A1.3
v1.1.0 Subsection 3.4
CAQH Core Phase 1 102: Eligibility
and Benefits Certification Policy
v1.1.0 Subsection 3.4
CAQH Core Phase 1 153: Eligibility
and Benefits Connectivity Rule
v1.1.0 Subsection 5.2
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification
and Benefits Certification Policy
v1.1.0 Subsection 3.4
CAQH Core Phase 1 102: Eligibility
AICPA 2017 CC6.1 and Benefits Certification Policy CAQHPolicy
v1.1.0 Subsection 3.4
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification
AICPA 2017 CC6.5 and Benefits Certification Policy
v1.1.0 Subsection 3.4
CAQH Core Phase 1 153: Eligibility
AICPA 2017 CC6.7 and Benefits Connectivity Rule
v1.1.0 Subsection 5.2
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification
and Benefits Certification Policy
v1.1.0 Subsection 3.4
Policy v2.1.0 Subsection 3.4
CIS CSC v7.1 12.7
Policy v2.1.0 Subsection 3.4
Policy v2.1.0 Subsection 3.4
Policy v2.1.0 Subsection 3.4
CIS CSC v7.1 18.9
CIS CSC v7.1 6.4
Core Phase 2 202: Certification
v2.1.0 Subsection 3.4
Core Phase 2 202: Certification
v2.1.0 Subsection 3.4
CAQH Core Phase 2 202: Certification
Policy v2.1.0 Subsection 3.4
Policy v2.1.0 Subsection 3.4
Core Phase 2 202: Certification
v2.1.0 Subsection 3.4
Policy v2.1.0 Subsection 3.4
Policy v2.1.0 Subsection 3.4
CMSRs v3.1 MA-02 (HIGH; MOD)
CMSRs v3.1 PE-02 (HIGH; MOD)
CMSRs v3.1 PE-03 (HIGH; MOD)
CMSRs v3.1 PE-03(01) (HIGH)
CMSRs v3.1 PE-06 (HIGH; MOD)
CMSRs v3.1 PE-06(01) (HIGH; MOD)
CMSRs v3.1 PE-08 (HIGH; MOD)
CMSRs v3.1 PE-08(01) (HIGH)
CMSRs v3.1 PE-03 (HIGH; MOD)
CMSRs v3.1 PE-01 (HIGH; MOD)
CMSRs v3.1 PE-13 (HIGH; MOD)
CMSRs v3.1 PE-13(01) (HIGH)
CMSRs v3.1 PE-13(02) (HIGH)
CMSRs v3.1 PE-13(03) (HIGH; MOD)
CMSRs v3.1 PE-15 (HIGH; MOD)
CMSRs v3.1 PE-15(01) (HIGH)
CMSRs v3.1 PE-16 (HIGH; MOD)
CMSRs v3.1 AC-18 (HIGH; MOD)
CMSRs v3.1 PE-01 (HIGH; MOD)
CMSRs v3.1 PE-14 (HIGH; MOD)
CMSRs v3.1 PE-18 (HIGH)
CMSRs v3.1 CP-08 (HIGH; MOD)
CMSRs v3.1 PE-09 (HIGH; MOD)
CMSRs v3.1 PE-10 (HIGH; MOD)
CMSRs v3.1 PE-11(01) (HIGH)
CMSRs v3.1 PE-12 (HIGH; MOD)
CMSRs v3.1 PE-14 (HIGH; MOD)
CMSRs v3.1 CM-08(03) (HIGH; MOD)
CMSRs v3.1 PE-04 (HIGH; MOD)
CMSRs v3.1 PE-09 (HIGH; MOD)
CMSRs v3.1 MA-01 (HIGH; MOD)
CMSRs v3.1 MA-02 (HIGH; MOD)
CMSRs v3.1 MA-02(02) (HIGH)
CMSRs v3.1 MA-03 (HIGH; MOD)
CMSRs v3.1 MA-03(01) (HIGH; MOD)
CMSRs v3.1 MA-03(02) (HIGH; MOD)
CMSRs v3.1 MA-03(03) (HIGH)
CMSRs v3.1 MA-04 (HIGH; MOD)
CMSRs v3.1 MA-04(01) (HIGH; MOD)
CMSRs v3.1 MA-04(02) (HIGH)
CMSRs v3.1 MA-04(02) (HIGH; MOD)
CMSRs v3.1 MA-04(03) (HIGH)
CMSRs v3.1 MA-05 (HIGH; MOD)
CMSRs v3.1 MA-05(01) (HIGH)
CMSRs v3.1 MA-06 (HIGH; MOD)
CMSRs v3.1 AC-20 (HIGH; MOD)
CMSRs v3.1 MP-05 (HIGH; MOD)
CMSRs v3.1 PE-17 (HIGH; MOD)
CMS Rs v3.1 DM-02 (HIGH; MOD)
CMSRs v3.1 MP-06 (HIGH; MOD)
CMSRs v3.1 PE-16 (HIGH; MOD)
CMSRs v3.1 AC-01 (HIGH; MOD)
CMSRs v3.1 AT-01 (HIGH; MOD)
CMSRs v3.1 AU-01 (HIGH; MOD)
CMSRs v3.1 CA-01 (HIGH; MOD)
CMSRs v3.1 CM-01 (HIGH; MOD)
CMSRs v3.1 CP-01 (HIGH; MOD)
CMSRs v3.1 IA-01 (HIGH; MOD)
CMSRs v3.1 IR-01 (HIGH; MOD)
CMSRs v3.1 PE-01 (HIGH; MOD)
CMSRs v3.1 PL-01 (HIGH; MOD)
CMSRs v3.1 PM- 01 (HIGH; MOD)
CMSRs v3.1 PS-01 (HIGH; MOD)
CMSRs v3.1 RA-01 (HIGH; MOD)
CMSRs v3.1 SA-01 (HIGH; MOD)
CMSRs v3.1 SC-01 (HIGH; MOD)
CMSRs v3.1 SI-01 (HIGH; MOD)
CMSRs v3.1 CM-03 (HIGH; MOD)
CMSRs v3.1 CM-04 (HIGH; MOD)
CMSRs v3.1 CM-05 (HIGH; MOD)
CMSRs v3.1 AC-05 (HIGH; MOD)
CMSRs v3.1 CM-02 (HIGH; MOD)
CMSRs v3.1 SA-11 (HIGH; MOD)
CMSRs v3.1 SA-09 (HIGH; MOD)
CMSRs v3.1 SA-09 (HIGH; MOD)
CMSRs v3.1 AU-04 (HIGH; MOD)
CMSRs v3.1 AU-05 (HIGH; MOD)
CMSRs v3.1 SC-05 (HIGH; MOD)
CMSRs v3.1 CM-03 (HIGH; MOD)
CMSRs v3.1 CM-07 (HIGH; MOD)
CMSRs v3.1 SA-11 (HIGH)
CMSRs v3.1 SA-11 (HIGH; MOD)
CMSRs v3.1 CM-11 (HIGH; MOD)
CMSRs v3.1 SC-02 (HIGH; MOD)
CIS CSC v7.1 7.8 CMSRs v3.1 SI-03 (HIGH)
CIS CSC v7.1 7.9 CMSRs v3.1 SI-03 (HIGH; MOD)
CIS CSC v7.1 8.1 CMSRs v3.1 SI-03(01) (HIGH; MOD)
CIS CSC v7.1 8.3 CMSRs v3.1 SI-03(02) (HIGH; MOD)
CIS CSC v7.1 8.4 CMSRs v3.1 SI-08 (HIGH; MOD)
CMSRs v3.1 SI-08(01) (HIGH; MOD)
CMSRs v3.1 SI-08(02) (HIGH; MOD)
CMSRs v3.1 CM-03 (HIGH; MOD)
CMSRs v3.1 SC-02 (HIGH)
CMSRs v3.1 SC-03 (HIGH)
CMSRs v3.1 SC-18 (HIGH)
CMSRs v3.1 SC-18 (HIGH; MOD)
CMSRs v3.1 SI-03 (HIGH)
CMSRs v3.1 CP-02 (HIGH; MOD)
CMSRs v3.1 CP-06 (HIGH; MOD)
CMSRs v3.1 CP-06(03) (HIGH; MOD)
CIS CSC v7.1 10.1 CMSRs v3.1 CP-09 (HIGH; MOD)
CIS CSC v7.1 10.2 CMSRs v3.1 CP-09(01) (HIGH; MOD)
CIS CSC v7.1 10.3 CMSRs v3.1 CP-09(02) (HIGH)
CIS CSC v7.1 10.4 CMSRs v3.1 CP-09(03) (HIGH)
CIS CSC v7.1 10.5 CMSRs v3.1 CP-09(05) (HIGH)
CMSRs v3.1 MP-04 (HIGH; MOD)
CMSRs v3.1 MP-05 (HIGH; MOD)
CMSRs v3.1 SC-28 (HIGH; MOD)
CMSRs v3.1 AC-18 (HIGH; MOD)
CIS CSC v7.1 1.7 CMSRs v3.1 AC-18(01) (HIGH; MOD)
CIS CSC v7.1 11.1 CMSRs v3.1 AC-18(04) (HIGH)
CIS CSC v7.1 11.2
CIS CSC v7.1 11.3 CMSRs v3.1 AC-18(05) (HIGH)
CMSRs v3.1 AR-05 (HIGH; MOD)
CIS CSC v7.1 11.5 CMSRs v3.1 CA-03 (HIGH; MOD)
CIS CSC v7.1 12.3 CMSRs v3.1 CM-03 (HIGH; MOD)
CIS CSC v7.1 12.5 CMSRs v3.1 CM-07 (HIGH; MOD)
CIS CSC v7.1 12.6
CIS CSC v7.1 12.7 CMSRs v3.1 CP-02 (HIGH; MOD)
CMSRs v3.1 IA-03 (HIGH; MOD)
CIS CSC v7.1 13.4 CMSRs v3.1 SC-07 (HIGH; MOD)
CIS CSC v7.1 15.1 CMSRs v3.1 SC-07(05) (HIGH; MOD)
CIS CSC v7.1 15.2 CMSRs v3.1 SC-07(18) (HIGH)
CIS CSC v7.1 15.5
CIS CSC v7.1 15.6 CMSRs v3.1 SC-08 (HIGH; MOS)
CMSRs v3.1 SC-08(01) (HIGH; MOD)
CIS CSC v7.1 15.7 CMSRs v3.1 SC-19 (HIGH; MOD)
CIS CSC v7.1 15.8 CMSRs v3.1 SC-20 (HIGH; MOD)
CIS CSC v7.1 7.5 CMSRs v3.1 SC-22 (HIGH; MOD)
CIS CSC v7.1 8.7
CIS CSC v7.1 9.4 CMSRs v3.1 SC-7(18) (HIGH)
CMSRs v3.1 SI-04 (HIGH; MOD)
CMSRs v3.1 CA-03 (HIGH; MOD)
CMSRs v3.1 CA-03(05) (HIGH; MOD)
CMSRs v3.1 SA-09 (HIGH; MOD)
CMSRs v3.1 SA-09(02) (HIGH; MOD)
CMSRs v3.1 MP-01 (HIGH; MOD)
CMSRs v3.1 MP-04 (HIGH; MOD)
CMSRs v3.1 MP-05 (HIGH; MOD)
CIS CSC v7.1 13.7 CMSRs v3.1 MP-05(04) (HIGH; MOD)
CIS CSC v7.1 8.4
CMSRs v3.1 MP-06(03) (HIGH)
CMSRs v3.1 MP-07 (HIGH; MOD)
CMSRs v3.1 MP-07(01) (HIGH; MOD)
CMS Rs v3.1 DM-02 (HIGH; MOD)
CMSRs v3.1 MP-06 (HIGH; MOD)
CMSRs v3.1 MP-06(01) (HIGH)
CMSRs v3.1 MP-06(02) (HIGH)
CMSRs v3.1 MP-02 (HIGH; MOD)
CMSRs v3.1 MP-03 (HIGH; MOD)
CMSRs v3.1 MP-05 (HIGH; MOD)
CMSRs v3.1 MP-05(04) (HIGH; MOD)
CMS Rs v3.1 MP-CMS-1 (HIGH; MOD)
CMSRs v3.1 SI-12 (HIGH; MOD)
CMSRs v3.1 SA-05 (HIGH; MOD)
CMSRs v3.1 AC-17 (HIGH; MOD)
CMSRs v3.1 AC-17(02) (HIGH; MOD)
CMSRs v3.1 AC-20 (HIGH; MOD)
CMSRs v3.1 AC-20(01) (HIGH; MOD)
CMSRs v3.1 AC-20(02) (HIGH; MOD)
CMSRs v3.1 SC-01 (HIGH; MOD)
CMSRs v3.1 SC-15 (HIGH; MOD)
CMSRs v3.1 SC-15(01) (HIGH; MOD)
CMSRs v3.1 MP-01 (HIGH; MOD)
De-ID Framework v1 Perimeter Security IRS Pub 1075 v2016 4.2 MARS-E v2 MA-2 NIST Cybersecurity Framework v1.1 DE.CM-2
(Alarms): General IRS Pub 1075 v2016 4.3 MARS-E v2 PE-2 NIST Cybersecurity Framework v1.1 DE.CM-7
FedRAMP MA-2 De-ID Framework v1 Perimeter Security IRS Pub 1075 v2016 4.3.1 MARS-E v2 PE-2(1) NIST Cybersecurity Framework v1.1 DE.DP- 2
FedRAMP PE-2 (Alarms): Logging IRS Pub 1075 v2016 4.3.2 MARS-E v2 PE-3 NIST Cybersecurity Framework v1.1 DE.DP- 3
COBIT 5 DSS05.05 CSA CCM v3.0.1 DCS-07 FedRAMP PE-3 FFIEC IS v2016 A.6.8 De-ID Framework v1 Physical Access: IRS Pub 1075 v2016 4.3.3 ISO/IEC 27002:2013 11.1.1 ISO/IEC 27799:2016 11.1.1
CSA CCM v3.0.1 DCS-09 FedRAMP PE-6 FFIEC IS v2016 A.8.1(e) Identification Policy IRS Pub 1075 v2016 4.5 ISO/IEC 27002:2013 11.1.2 ISO/IEC 27799:2016 11.1.2 MARS-E v2 PE-6 NIST Cybersecurity F ramework v1.1 ID.GV-3
MARS-E v2 PE-6(1) NIST Cybersecurity Framework v1.1 PR.AC-2
FedRAMP PE-6(1) De-ID Framework v1 Physical Access: IRS Pub 1075 v2016 9.3.11.2 MARS-E v2 PE-7 NIST Cybersecurity Framework v1.1 PR.PT-1
FedRAMP PE-8 Inappropriate Use IRS Pub 1075 v2016 9.3.11.3 MARS-E v2 PE-7(1) NIST Cybersecurity Framework v1.1 RS.AN-1
De-ID Framework v1 Physical Security: General IRS Pub 1075 v2016 9.3.11.6 MARS-E v2 PE-8 NIST Cybersecurity Framework v1.1 RS.CO-3
De-ID Framework v1 Visitor Access: Policy IRS Pub 1075 v2016 9.3.11.7
NIST Cybersecurity Framework v1.1 DE.CM-2
De-ID Framework v1 Public Access to Sensitive NIST Cybersecurity Framework v1.1 DE.CM-3
COBIT 5 DSS05.05 CSA CCM v3.0.1 DCS-06 FedRAMP PE-3 FFIEC IS v2016 A.6.8 Areas: General IRS Pub 1075 v2016 9.3.11.3 ISO/IEC 27002:2013 11.1.3 ISO/IEC 27799:2016 11.1.3 MARS-E v2 PE-3 NIST Cybersecurity Framework v1.1 DE.CM-7
FFIEC IS v2016 A.8.1(e) De-ID F ramework v1 Video Surveillance: NIST Cybersecurity Framework v1.1 DE.DP- 2
General NIST Cybersecurity F ramework v1.1 ID.GV-3
NIST Cybersecurity Framework v1.1 PR.AC-2
MARS-E v2 AT-3
FedRAMP PE-1 MARS-E v2 PE-1
FedRAMP PE-13 ISO/IEC 27002:2013 11.1.4 MARS-E v2 PE-13
CSA CCM v3.0.1 BCR-05 FedRAMP PE-13(2) FFIEC IS v2016 A.6.8 IRS Pub 1075 v2016 9.3.11.1 ISO/IEC 27799:2016 11.1.4 MARS-E v2 PE-13(1) NIST Cybersecurity Framework v1.1 PR.IP-5
FedRAMP PE-13(3) ISO/IEC 27002:2013 9.1.4 MARS-E v2 PE-13(2)
FedRAMP PE-15 MARS-E v2 PE-13(3)
MARS-E v2 PE-15
NIST Cybersecurity Framework v1.1 PR.AC-2
IRS Pub 1075 v2016 4.5 ISO/IEC 27002:2013 11.1.5 ISO/IEC 27799:2016 11.1.5 NIST Cybersecurity Framework v1.1 PR.IP-5
CSA CCM v3.0.1 DCS-08 FedRAMP PE-16 IRS Pub 1075 v2016 4.3.1 ISO/IEC 27002:2013 11.1.6 ISO/IEC 27799:2016 11.1.6 MARS-E v2 PE-16 NIST Cybersecurity Framework v1.1 PR.AC-2
IRS Pub 1075 v2016 9.3.11.8 NIST Cybersecurity Framework v1.1 PR.IP-5
IRS Pub 1075 v2016 4.3
FedRAMP AC-18 IRS Pub 1075 v2016 4.3.2 MARS-E v2 AC-18
FedRAMP PE-1 De-ID Framework v1 Physical and IRS Pub 1075 v2016 9.3.11.1 ISO/IEC 27002:2013 11.1.4 ISO/IEC 27799:2016 11.1.4 MARS-E v2 PE-1
CSA CCM v3.0.1 BCR-06 FedRAMP PE-14 HITRUST Environmental Security: General IRS Pub 1075 v2016 9.3.11.10 ISO/IEC 27002:2013 11.2.1 ISO/IEC 27799:2016 11.2.1 MARS-E v2 PE-14 NIST Cybersecurity Framework v1.1 PR.IP-5
FedRAMP PE-14(2) De-ID Framework v1 Physical Security: General IRS Pub 1075 v2016 9.4.4 MARS-E v2 PE-18
IRS Pub 1075 v2016 9.4.9
FedRAMP PE-10 MARS-E v2 CP-8
FedRAMP PE-11 ISO/IEC 27002:2013 11.2.1 ISO/IEC 27799:2016 11.2.1 MARS-E v2 PE-10 NIST Cybersecurity Framework v1.1 ID.BE-4
CSA CCM v3.0.1 BCR-03 FedRAMP PE-12 MARS-E v2 PE-11 NIST Cybersecurity F ramework v1.1 ID.GV-3
CSA CCM v3.0.1 BCR-08 FedRAMP PE-14 ISO/IEC 27002:2013 11.2.2 ISO/IEC 27799:2016 11.2.2 MARS-E v2 PE-12 NIST Cybersecurity Framework v1.1 PR.AC-2
ISO/IEC 27002:2013 11.2.4 ISO/IEC 27799:2016 11.2.4
FedRAMP PE-14(2) MARS-E v2 PE-14 NIST Cybersecurity Framework v1.1 PR.IP-5
FedRAMP PE-9 MARS-E v2 PE-9
NIST Cybersecurity Framework v1.1 PR.AC-2
CSA CCM v3.0.1 BCR-03 FedRAMP PE-4 IRS Pub 1075 v2016 9.3.11.4 ISO/IEC 27002:2013 11.2.3 ISO/IEC 27799:2016 11.2.3 MARS-E v2 PE-4 NIST Cybersecurity Framework v1.1 PR.AC-4
CSA CCM v3.0.1 DCS-09 FedRAMP PE-9 IRS Pub 1075 v2016 9.3.16.6 MARS-E v2 PE-9 NIST Cybersecurity Framework v1.1 PR.DS-2
NIST Cybersecurity Framework v1.1 PR.IP-5
MARS-E v2 IR-9
FedRAMP MA-1 MARS-E v2 MA-1
FedRAMP MA-2 MARS-E v2 MA-2
FedRAMP MA-3 IRS Pub 1075 v2016 9.3.9.1 MARS-E v2 MA-2(1)
FedRAMP MA-3(1) MARS-E v2 MA-3 NIST Cybersecurity Framework v1.1 DE.CM-4
CRR v2016 CCM:G2.Q10 FedRAMP MA-3(2) IRS Pub 1075 v2016 9.3.9.2 MARS-E v2 MA-3(1) NIST Cybersecurity Framework v1.1 PR.DS-1
CSA CCM v3.0.1 BCR-07 CRR v2016 CCM:G2.Q11 FedRAMP MA-3(3) IRS Pub 1075 v2016 9.3.9.3 ISO/IEC 27002:2013 11.2.4 ISO/IEC 27799:2016 11.2.4 MARS-E v2 MA-3(2) NIST Cybersecurity Framework v1.1 PR.MA-1
CRR v2016 CCM:G2.Q9 FedRAMP MA-4 IRS Pub 1075 v2016 9.3.9.4 MARS-E v2 MA-4 NIST Cybersecurity Framework v1.1 PR.MA-2
IRS Pub 1075 v2016 9.3.9.5
FedRAMP MA-4(2) MARS-E v2 MA-4(1)
FedRAMP MA-5 MARS-E v2 MA-4(2)
FedRAMP MA-6 MARS-E v2 MA-5
MARS-E v2 MA-6
ISO/IEC 27002:2013 11.2.6 ISO/IEC 27799:2016 11.2.6
CSA CCM v3.0.1 DCS-04 FedRAMP MP-5 IRS Pub 1075 v2016 9.3.10.5 ISO/IEC 27002:2013 6.2 ISO/IEC 27799:2016 6.2 MARS-E v2 AC-20
CSA CCM v3.0.1 DCS-05 FedRAMP PE-17 IRS Pub 1075 v2016 9.3.11.9 ISO/IEC 27002:2013 6.2.1 ISO/IEC 27799:2016 6.2.1 MARS-E v2 MP-5 NIST Cybersecurity Framework v1.1 PR.DS-3
ISO/IEC 27002:2013 6.2.2 ISO/IEC 27799:2016 6.2.2 MARS-E v2 PE-17
COBIT 5 DSS05.03 FFIEC IS v2016 A.6.16(e) De-ID Framework v1 Disposal: Data Destruction IRS Pub 1075 v2016 8.2 MARS-E v2 DM-2 NIST Cybersecurity Framework v1.1 PR.DS-3
CSA CCM v3.0.1 DSI-07 CRR v2016 AM:G6.Q6 FedRAMP MP-6 IRS Pub 1075 v2016 8.3 ISO/IEC 27002:2013 11.2.7 ISO/IEC 27799:2016 11.2.7
COBIT 5 DSS05.06 FFIEC IS v2016 A.6.18(e) Procedures IRS Pub 1075 v2016 9.3.10.6 MARS-E v2 MP-6 NIST Cybersecurity Framework v1.1 PR.IP-6
CSA CCM v3.0.1 DCS-04 FedRAMP PE-16 IRS Pub 1075 v2016 4.3.1 ISO/IEC 27002:2013 11.2.5 ISO/IEC 27799:2016 11.2.5 MARS-E v2 PE-16 NIST Cybersecurity Framework v1.1 PR.DS-3
IRS Pub 1075 v2016 9.3.11.8 NIST Cybersecurity Framework v1.1 PR.IP-6
IRS Pub 1075 v2016 9.3.1.1 MARS-E v2 AC-1
FedRAMP AT-1 IRS Pub 1075 v2016 9.3.10.1 MARS-E v2 AT-1
FedRAMP AU-1 IRS Pub 1075 v2016 9.3.11.1 MARS-E v2 AU-1
FedRAMP CA-1 IRS Pub 1075 v2016 9.3.12.1 MARS-E v2 CA-1
FedRAMP CM-1 IRS Pub 1075 v2016 9.3.13.1 MARS-E v2 CM-1
FedRAMP CP-1 IRS Pub 1075 v2016 9.3.14.1 MARS-E v2 CP-1
FedRAMP IA-1 IRS Pub 1075 v2016 9.3.15.1 MARS-E v2 IA-1
FedRAMP IR-1 IRS Pub 1075 v2016 9.3.16.1 MARS-E v2 IR-1
CSA CCM v3.0.1 BCR-04 FedRAMP MA-1 FFIEC IS v2016 A.6.1 IRS Pub 1075 v2016 9.3.17.1 ISO/IEC 27002:2013 12.1.1 ISO/IEC 27799:2016 12.1.1 MARS-E v2 MA-1
CSA CCM v3.0.1 BCR-10 FedRAMP MP-1 IRS Pub 1075 v2016 9.3.2.1 MARS-E v2 MP-1
FedRAMP PE-1 IRS Pub 1075 v2016 9.3.3.1 MARS-E v2 PE-1
FedRAMP PL-1 IRS Pub 1075 v2016 9.3.4.1 MARS-E v2 PL-1
FedRAMP PS-1 IRS Pub 1075 v2016 9.3.5.1 MARS-E v2 PM- 1
FedRAMP RA-1 IRS Pub 1075 v2016 9.3.6.1 MARS-E v2 PS-1
FedRAMP SA-1 IRS Pub 1075 v2016 9.3.7.1 MARS-E v2 RA-1
FedRAMP SC-1 IRS Pub 1075 v2016 9.3.8.1 MARS-E v2 SA-1
FedRAMP SI-1 IRS Pub 1075 v2016 9.3.9.1 MARS-E v2 SC-1
IRS Pub 1075 v2016 Exhibit 10 MARS-E v2 SI-1
CRR v2016 AM:G4.Q1
CRR v2016 CCM:G1.Q1
CRR v2016 CCM:G1.Q5 FedRAMP CM-3 IRS Pub 1075 v2016 9.3.5.3 MARS-E v2 CM-3
CRR v2016 CCM:G2.Q2 FFIEC IS v2016 A.6.11 ISO/IEC 27001:2013 8.1 ISO/IEC 27002:2013 12.1.2 ISO/IEC 27799:2016 12.1.2 NIST Cybersecurity Framework v1.1 PR.IP-3
CRR v2016 CCM:G2.Q3 FedRAMP CM-4 IRS Pub 1075 v2016 9.3.5.4 MARS-E v2 CM-4
CRR v2016 CCM:MIL2.Q1 FedRAMP CM-5 IRS Pub 1075 v2016 9.3.5.5 MARS-E v2 CM-5
CRR v2016 CCM:MIL2.Q2
CRR v2016 CCM:MIL2.Q4
COBIT 5 DS 05.04 CSA CCM v3.0.1 IAM-05 CRR v2016 AM:G5.Q6 FedRAMP AC-5 FFIEC IS v2016 A.6.8(d) IRS Pub 1075 v2016 9.3.1.5 ISO/IEC 27002:2013 6.1.2 ISO/IEC 27799:2016 6.1.2 MARS-E v2 AC-5 NIST Cybersecurity Framework v1.1 DE.CM-3
COBIT 5 DSS05.05 IRS Pub 1075 v2016 9.4.5 NIST Cybersecurity Framework v1.1 PR.AC-4
CSA CCM v3.0.1 IVS-08 CRR v2016 CCM:G1.Q1 FedRAMP CM-2 IRS Pub 1075 v2016 9.3.5.2 ISO/IEC 27002:2013 12.1.2 ISO/IEC 27799:2016 12.1.2 MARS-E v2 CM-2 NIST Cybersecurity Framework v1.1 PR.DS-7
CRR v2016 CCM:G2.Q7 IRS Pub 1075 v2016 Exhibit 10 ISO/IEC 27002:2013 12.1.4 ISO/IEC 27799:2016 12.1.4 MARS-E v2 SA-11 NIST Cybersecurity Framework v1.1 PR.IP-3
NIST Cybersecurity Framework v1.1 DE.AE-4
FFIEC IS v2016 A.6.31(a) IRS Pub 1075 v2016 5.3 NIST Cybersecurity Framework v1.1 DE.CM-6
CSA CCM v3.0.1 STA-09 CRR v2016 EDM:G4.Q1 EU GDPR Article 32(4) FedRAMP SA-9 De-ID Framework v1 Extra-National Access ISO/IEC 27001:2013 8.1 ISO/IEC 27002:2013 15.1.1 ISO/IEC 27799:2016 15.1.1 MARS-E v2 SA-9 NIST Cybersecurity Framework v1.1 ID.AM-4
CRR v2016 EDM:G4.Q2 FedRAMP SA-9(5) F FIEC IS v2016 A.6.31(c) Restrictions: General IRS Pub 1075 v2016 9.3.1.12 ISO/IEC 27002:2013 15.2.1 ISO/IEC 27799:2016 15.2.1 MARS-E v2 SA-9(5) NIST Cybersecurity Framework v1.1 PR.AC-3
FFIEC IS v2016 A.6.31(g) IRS Pub 1075 v2016 9.3.15.7 NIST Cybersecurity Framework v1.1 PR.AT-3
NIST Cybersecurity Framework v1.1 PR.DS-3
CRR v2016 EDM:G4.Q1
CRR v2016 EDM:G4.Q2 NIST Cybersecurity Framework v1.1 DE.CM-6
CSA CCM v3.0.1 STA-09 FedRAMP SA-9 FFIEC IS v2016 A.6.21(b) IRS Pub 1075 v2016 9.3.15.7 ISO/IEC 27001:2013 8.1 ISO/IEC 27002:2013 13.1.2 ISO/IEC 27799:2016 13.1.2 MARS-E v2 SA-9 NIST Cybersecurity Framework v1.1 PR.AT-3
CRR v2016 EDM:G4.Q3 ISO/IEC 27002:2013 15.2.1 ISO/IEC 27799:2016 15.2.1 NIST Cybersecurity Framework v1.1 RS.CO-4
CRR v2016 EDM:G4.Q4 NIST Cybersecurity Framework v1.1 RS.MI-2
CRR v2016 EDM:MIL2.Q1
NIST Cybersecurity Framework v1.1 ID.BE-1
ISO/IEC 27001:2013 8.1 ISO/IEC 27002:2013 15.2.2 ISO/IEC 27799:2016 15.2.2 NIST Cybersecurity Framework v1.1 ID.RA-4
NIST Cybersecurity Framework v1.1 PR.AT-3
FedRAMP AU-4 MARS-E v2 AU-4 NIST Cybersecurity Framework v1.1 ID.BE-1
CSA CCM v3.0.1 IVS-04 CRR v2016 CCM:G1.Q3 FedRAMP AU-5 FFIEC IS v2016 A.8.1(p) IRS Pub 1075 v2016 9.3.16.4 ISO/IEC 27002:2013 12.1.3 ISO/IEC 27799:2016 12.1.3
FedRAMP SC-5 IRS Pub 1075 v2016 9.3.3.5 MARS-E v2 AU-5 NIST Cybersecurity Framework v1.1 PR.DS-4
FedRAMP SC-6 MARS-E v2 SC-5 NIST Cybersecurity Framework v1.1 PR.PT-1
IRS Pub 1075 v2016 9.3.15.4
CSA CCM v3.0.1 CCC-01 FedRAMP CM-3 IRS Pub 1075 v2016 9.3.15.9 MARS-E v2 CM-3
CRR v2016 CCM:G2.Q7 FedRAMP CM-7 FFIEC IS v2016 A.6.28(a) IRS Pub 1075 v2016 9.3.5.3 ISO/IEC 27002:2013 14.2.2 ISO/IEC 27799:2016 14.2.2 MARS-E v2 CM-7 NIST Cybersecurity Framework v1.1 PR.DS-5
CSA CCM v3.0.1 CCC-03 FedRAMP SA-11 FFIEC IS v2016 A.6.28(b) IRS Pub 1075 v2016 9.3.5.7 ISO/IEC 27002:2013 14.2.9 ISO/IEC 27799:2016 14.2.9 MARS-E v2 SA-11 NIST Cybersecurity Framework v1.1 PR.IP-2
CSA CCM v3.0.1 CCC-05 FedRAMP SA-4 IRS Pub 1075 v2016 9.4.15 MARS-E v2 SA-4
IRS Pub 1075 v2016 9.4.6
MARS-E v2 CM-11
FedRAMP CM-11 MARS-E v2 DM-2
FedRAMP SC-2 IRS Pub 1075 v2016 9.3.16.2 MARS-E v2 PE-2
FedRAMP SI-3 IRS Pub 1075 v2016 9.3.17.10 MARS-E v2 SC-2
FedRAMP SI-3(1) IRS Pub 1075 v2016 9.3.17.3 MARS-E v2 SI-16 NIST Cybersecurity Framework v1.1 DE.CM-4
COBIT 5 DSS05.01 CSA CCM v3.0.1 MOS-17 CRR v2016 VM:G1.Q3 FedRAMP SI-3(2) FFIEC IS v2016 A.6.17 De-ID Framework v1 Anti-malware: General IRS Pub 1075 v2016 9.3.17.6 ISO/IEC 27002:2013 12.2.1 ISO/IEC 27799:2016 12.2.1 MARS-E v2 SI-3 NIST Cybersecurity Framework v1.1 PR.AC-4
CSA CCM v3.0.1 TVM- 01 FFIEC IS v2016 A.8.1(a) ISO/IEC 27002:2013 12.6.2 ISO/IEC 27799:2016 12.6.2
FedRAMP SI-3(7) IRS Pub 1075 v2016 9.3.5.11 MARS-E v2 SI-3(1) NIST Cybersecurity Framework v1.1 PR.AT-1
FedRAMP SI-8 IRS Pub 1075 v2016 9.4.13 MARS-E v2 SI-3(2)
FedRAMP SI-8(1) IRS Pub 1075 v2016 9.4.3 MARS-E v2 SI-7(7)
FedRAMP SI-8(2) MARS-E v2 SI-8
MARS-E v2 SI-8(1)
FedRAMP CM-3 IRS Pub 1075 v2016 9.3.16.12 MARS-E v2 CM-3 NIST Cybersecurity Framework v1.1 DE.CM-4
CSA CCM v3.0.1 TVM- 01 CRR v2016 VM:G1.Q4 FedRAMP SC-18 FFIEC IS v2016 A.6.17 IRS Pub 1075 v2016 9.3.16.2 ISO/IEC 27002:2013 12.2.1 ISO/IEC 27799:2016 12.2.1 MARS-E v2 SC-18 NIST Cybersecurity Framework v1.1 DE.CM-5
CSA CCM v3.0.1 TVM- 03 FedRAMP SC-2 IRS Pub 1075 v2016 9.3.17.3 ISO/IEC 27002:2013 12.5.1 ISO/IEC 27799:2016 12.5.1 MARS-E v2 SC-2
FedRAMP SI-3 IRS Pub 1075 v2016 9.3.5.3 MARS-E v2 SI-3 NIST Cybersecurity Framework v1.1 PR.DS-7
IRS Pub 1075 v2016 4.2
IRS Pub 1075 v2016 4.4 MARS-E v2 CP-2
IRS Pub 1075 v2016 4.5
FedRAMP CP-2 IRS Pub 1075 v2016 9.3.10.3 MARS-E v2 CP-6
CSA CCM v3.0.1 BCR-11 FedRAMP CP-9 IRS Pub 1075 v2016 9.3.10.5 MARS-E v2 CP-6(3) NIST Cybersecurity Framework v1.1 ID.SC-5
CSA CCM v3.0.1 EKM-03 CRR v2016 AM:G6.Q5 FedRAMP CP-9(1) IRS Pub 1075 v2016 9.3.16.15 ISO/IEC 27002:2013 12.3.1 ISO/IEC 27799:2016 12.3.1 MARS-E v2 CP-9 NIST Cybersecurity Framework v1.1 PR.DS-1
CRR v2016 SCM:G3.Q4 FedRAMP CP-9(3) ISO/IEC 27002:2013 15.2 IS O/IEC 27799:2016 15.2 MARS-E v2 CP-9(1) NIST Cybersecurity Framework v1.1 PR.DS-2
CSA CCM v3.0.1 MOS-17 FedRAMP MP-4 IRS Pub 1075 v2016 9.3.6.2 MARS-E v2 MP-4 NIST Cybersecurity Framework v1.1 PR.IP-4
IRS Pub 1075 v2016 9.3.6.5
FedRAMP SC-28(1) IRS Pub 1075 v2016 9.3.6.7 MARS-E v2 MP-5
IRS Pub 1075 v2016 9.4.11 MARS-E v2 SC-28
IRS Pub 1075 v2016 9.4.14
MARS-E v2 AC-18
MARS-E v2 AC-18(1)
FedRAMP AC-18 IRS Pub 1075 v2016 9.3.1.13 MARS-E v2 AR-5
FedRAMP AC-18(1) IRS Pub 1075 v2016 9.3.16.13 MARS-E v2 CA-3
FedRAMP CA-3 IRS Pub 1075 v2016 9.3.16.5 MARS-E v2 CM-3
FedRAMP CM-3 IRS Pub 1075 v2016 9.3.16.6 MARS-E v2 CM-7 NIST Cybersecurity Framework v1.1 DE.AE-1
FedRAMP CM-7 FFIEC IS v2016 A.6.10 IRS Pub 1075 v2016 9.3.4.3 MARS-E v2 CP-2 NIST Cybersecurity Framework v1.1 DE.AE-4
FedRAMP CP-2 FFIEC IS v2016 A.6.18(d) IRS Pub 1075 v2016 9.3.5.3 MARS-E v2 IA-3 NIST Cybersecurity Framework v1.1 DE.CM-1
FedRAMP IA-3 IRS Pub 1075 v2016 9.3.5.7 MARS-E v2 PM- 1
CSA CCM v3.0.1 IVS-06 CRR v2016 AM:G2.Q5 FedRAMP SC-19 FFIEC IS v2016 A.6.7(a) IRS Pub 1075 v2016 9.3.6.2 ISO/IEC 27002:2013 13.1.1 ISO/IEC 27799:2016 13.1.1 MARS-E v2 SC-19 NIST Cybersecurity Framework v1.1 ID.AM-3
COBIT 5 DSS05.02 CSA CCM v3.0.1 IVS-10 CRR v2016 CM:G2.Q2 FFIEC IS v2016 A.6.7(b) De-ID Framework v1 Transmission Encryption: NIST Cybersecurity Framework v1.1 ID.AM-6
CSA CCM v3.0.1 IVS-12 CRR v2016 CM:G2.Q4 FedRAMP SC-20 FFIEC IS v2016 A.6.7(c) Policies IRS Pub 1075 v2016 9.3.7.3 ISO/IEC 27002:2013 13.1.2 ISO/IEC 27799:2016 13.1.2 MARS-E v2 SC-20 NIST Cybersecurity Framework v1.1 PR.AC-1
CSA CCM v3.0.1 IVS-13 CRR v2016 CM:G2.Q8 FedRAMP SC-21 FFIEC IS v2016 A.8.1(a) IRS Pub 1075 v2016 9.4.1.8 ISO/IEC 27002:2013 13.1.3 ISO/IEC 27799:2016 13.1.3 MARS-E v2 SC-22 NIST Cybersecurity Framework v1.1 PR.AC-5
FedRAMP SC-22 FFIEC IS v2016 A.8.1(h) IRS Pub 1075 v2016 9.4.10 MARS-E v2 SC-7 NIST Cybersecurity Framework v1.1 PR.DS-2
FedRAMP SC-7 IRS Pub 1075 v2016 9.4.11 MARS-E v2 SC-7(18)
FedRAMP SC-7(18) FFIEC IS v2016 A.8.4 IRS Pub 1075 v2016 9.4.14 MARS-E v2 SC-7(5) NIST Cybersecurity Framework v1.1 PR.DS-5
NIST Cybersecurity Framework v1.1 PR.IP-1
FedRAMP SC-8 IRS Pub 1075 v2016 9.4.15 MARS-E v2 SC-8
FedRAMP SC-8(1) IRS Pub 1075 v2016 9.4.17 MARS-E v2 SC-8(1)
FedRAMP SI-4 IRS Pub 1075 v2016 9.4.18 MARS-E v2 SC-9
FedRAMP SI-4(14) IRS Pub 1075 v2016 Exhibit 10 MARS-E v2 SC-9(1)
MARS-E v2 SI-4
MARS-E v2 SI-4(14)
NIST Cybersecurity Framework v1.1 DE.AE-1
NIST Cybersecurity Framework v1.1 DE.CM-6
NIST Cybersecurity Framework v1.1 DE.CM-7
FedRAMP CA-3 NIST Cybersecurity Framework v1.1 ID.AM-3
FedRAMP CA-3(3) NIST Cybersecurity Framework v1.1 ID.AM-4
CSA CCM v3.0.1 STA-03 FFIEC IS v2016 A.6.7(a) IRS Pub 1075 v2016 9.3.15.7 ISO/IEC 27002:2013 13.1.2 ISO/IEC 27799:2016 13.1.2 MARS-E v2 CA-3
FedRAMP CA-3(5) FFIEC IS v2016 A.6.7(e) IRS Pub 1075 v2016 9.3.4.3 MARS-E v2 SA-9 NIST Cybersecurity Framework v1.1 ID.AM-6
FedRAMP SA-9 NIST Cybersecurity F ramework v1.1 ID.GV-3
FedRAMP SA-9(2) NIST Cybersecurity Framework v1.1 ID.SC-1
NIST Cybersecurity Framework v1.1 ID.SC-3
NIST Cybersecurity Framework v1.1 PR.AT-3
NIST Cybersecurity Framework v1.1 PR.PT-4
FedRAMP MP-1
FedRAMP MP-4 IRS Pub 1075 v2016 9.3.10.1 MARS-E v2 MP-1
CSA CCM v3.0.1 EKM-03 CRR v2016 CM:G2.Q7 FedRAMP MP-5 FFIEC IS v2016 A.6.21(d) IRS Pub 1075 v2016 9.3.10.4 ISO/IEC 27002:2013 10.7.1 ISO/IEC 27799:2016 8.3.1 MARS-E v2 MP-4 NIST Cybersecurity Framework v1.1 PR.DS-1
CSA CCM v3.0.1 HRS-05 FedRAMP MP-5(4) ISO/IEC 27002:2013 8.3.1 MARS-E v2 MP-5 NIST Cybersecurity Framework v1.1 PR.PT-2
FedRAMP MP-7 IRS Pub 1075 v2016 9.3.10.5 MARS-E v2 MP-5(4)
FedRAMP MP-7(1)
IRS Pub 1075 v2016 8.3
IRS Pub 1075 v2016 8.4
CRR v2016 AM:G6.Q6 IRS Pub 1075 v2016 9.3.10.6 MARS-E v2 DM-2 NIST Cybersecurity Framework v1.1 PR.DS-3
CSA CCM v3.0.1 DSI-07 CRR v2016 AM:G6.Q7 FedRAMP MP-6 FFIEC IS v2016 A.6.18(e) IRS Pub 1075 v2016 9.4.18 ISO/IEC 27002:2013 8.3.2 ISO/IEC 27799:2016 8.3.2 MARS-E v2 MP-6 NIST Cybersecurity Framework v1.1 PR.DS-5
CRR v2016 CM:G2.Q5 FedRAMP MP-6(2) IRS Pub 1075 v2016 9.4.7 MARS-E v2 MP-6(1) NIST Cybersecurity Framework v1.1 PR.IP-6
IRS Pub 1075 v2016 9.4.8 MARS-E v2 MP-6(2)
IRS Pub 1075 v2016 9.4.9
IRS Pub 1075 v2016 Exhibit 10
MARS-E v2 MP-2
FedRAMP MP-2 IRS Pub 1075 v2016 4.5 MARS-E v2 MP-2(1) NIST Cybersecurity Framework v1.1 PR.DS-3
FedRAMP MP-3 IRS Pub 1075 v2016 9.3.10.2 MARS-E v2 MP-3
CRR v2016 AM:G6.Q3 FedRAMP MP-5 IRS Pub 1075 v2016 9.3.10.3 ISO/IEC 27002:2013 8.2.3 ISO/IEC 27799:2016 8.2.3 MARS-E v2 MP-5 NIST Cybersecurity Framework v1.1 PR.DS-5
CRR v2016 AM:G6.Q7 NIST Cybersecurity Framework v1.1 PR.PT-1
FedRAMP MP-5(4) IRS Pub 1075 v2016 9.3.10.5 MARS-E v2 MP-5(4) NIST Cybersecurity Framework v1.1 PR.PT-2
FedRAMP SI-12 IRS Pub 1075 v2016 9.3.17.9 MARS-E v2 MP-CMS-1
MARS-E v2 SI-12
CSA CCM v3.0.1 BCR-04 FedRAMP SA-5 IRS Pub 1075 v2016 9.3.15.5 MARS-E v2 SA-5 NIST Cybersecurity Framework v1.1 ID.RA-1
NIST Cybersecurity Framework v1.1 PR.AC-4
FedRAMP AC-17 MARS-E v2 AC-17
EU GDPR Article 45(1) FedRAMP AC-17(2) IRS Pub 1075 v2016 4.7.3 MARS-E v2 AC-17(2)
EU GDPR Article 46(1) MARS-E v2 AC-20
CSA CCM v3.0.1 AIS-04 EU GDPR Article 46(2) FedRAMP AC-19(5) IRS Pub 1075 v2016 9.3.1.12 MARS-E v2 AC-20(1) NIST Cybersecurity Framework v1.1 PR.AC-3
COBIT 5 DSS05.02 CSA CCM v3.0.1 EKM-03 CRR v2016 CM:G2.Q4 EU GDPR Article 46(3) FedRAMP AC-20 FFIEC IS v2016 A.6.23 IRS Pub 1075 v2016 9.3.1.15 ISO/IEC 27002:2013 13.2.1 ISO/IEC 27799:2016 13.2.1 MARS-E v2 AC-20(2) NIST Cybersecurity Framework v1.1 PR.AT-1
CSA CCM v3.0.1 IPY-04 EU GDPR Article 47(1) FedRAMP AC-20(1) FFIEC IS v2016 A.6.24 IRS Pub 1075 v2016 9.3.16.1 MARS-E v2 AR-4 NIST Cybersecurity Framework v1.1 PR.DS-2
CSA CCM v3.0.1 IPY-05 FedRAMP AC-20(2) IRS Pub 1075 v2016 9.3.16.10 NIST Cybersecurity Framework v1.1 PR.DS-5
EU GDPR Article 48 FedRAMP SC-1 IRS Pub 1075 v2016 9.4.9 MARS-E v2 SC-1
EU GDPR Article 49(1) MARS-E v2 SC-15
FedRAMP SC-15 MARS-E v2 SC-15(1)
NIST Cybersecurity Framework v1.1 PR.AT-3
COBIT 5 DSS05.02 CSA CCM v3.0.1 STA-05 FedRAMP MP-1 De-ID Framework v1 Data Sharing Agreements: IRS Pub 1075 v2016 9.3.10.1 ISO/IEC 27002:2013 13.2.2 ISO/IEC 27799:2016 13.2.2 MARS-E v2 MP-1 NIST Cybersecurity Framework v1.1 PR.DS-2
DSAs NIST Cybersecurity Framework v1.1 PR.PT-2

09.u Physical Media in Transit
09.v Electronic Messaging
09.w Interconnected Business
Information Systems
09.x Electronic Commerce Services
09.y On-line Transactions
09.z Publicly Available Information
09.aa Audit Logging
09.ab Monitoring System Use
09.ac Protection of Log Information
09.ad Administrator and Operator Logs
09.ae Fault Logging
09.af Clock Synchronization
10.a Security Requirements Analysis and
Specification
10.b Input Data Validation
10.c Control of Internal Processing
10.d Message Integrity
10.e Output Data Validation
10.f Policy on the Use of Cryptographic
Controls
10.g Key Management
10.h Control of Operational Software
10.i Protection of System Test Data
10.j Access Control to Program Source
Code
10.k Change Control Procedures
10.l Outsourced Software Development
10.m Control of Technical Vulnerabilities
© 2019 HITRUST. All rights reserved.
1 TAC § 390.2(a)(1) 45 CFR Part § 164.310(d)(1) HIPAA.SR
1 TAC § 390.2(a)(4)(A)(xi) 45 CFR Part § 164.310(d)(2)(iii) HIPAA.SR
45 CFR Part § 164.312(c)(1) HIPAA.SR
45 CFR Part § 164.312(c)(1) HIPAA.SR
1 TAC § 390.2(a)(1) 45 CFR Part § 164.312(c)(2) HIPAA.SR
201 CMR 17.04(3) 45 CFR Part § 164.312(e)(1) HIPAA.S R
1 TAC § 390.2(a)(4)(A)(xi) 45 CFR Part § 164.312(e)(2)(i) HIPAA.SR
45 CFR Part § 164.312(e)(2)(ii) HIPAA.SR
45 CFR Part § 164.308(b)(1) HIPAA.SR
1 TAC § 390.2(a)(1) 45 CFR Part § 164.308(b)(3) HIPAA.SR
1 TAC § 390.2(a)(4)(A)(xi) 45 CFR Part § 164.310(b) HIPAA.SR
45 CFR Part § 164.314(a)(2)(ii) HIPAA.SR
45 CFR Part § 164.312(c)(1) HIPAA.SR
1 TAC § 390.2(a)(1) 45 CFR Part § 164.312(c)(2) HIPAA.SR
45 CFR Part § 164.312(e)(1) HIPAA.S R
1 TAC § 390.2(a)(4)(A)(xi) 45 CFR Part § 164.312(e)(2)(i) HIPAA.SR
45 CFR Part § 164.312(e)(2)(ii) HIPAA.SR
1 TAC § 390.2(a)(4)(A)(xi)
21 CFR Part 11.10(b) 45 CFR Part § 164.308(a)(5)(ii)(C) HIPAA.SR
1 TAC § 390.2(a)(4)(A)(xi) 21 CF R Part 11.10(e) 23 NYCRR 500.06(b) 45 CFR Part § 164.312(b) HIPAA.SR
45 CFR Part § 164.308(a)(1)(ii)(D) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(4)(i) HIPAA.SR
1 TAC § 390.2(a)(1) 16 CFR Part § 681 Appendix A III(b) 201 CMR 17.03(2)(h) 45 CFR Part § 164.308(a)(4)(ii)(B) HIPAA.SR
1 TAC § 390.2(a)(4)(A)(xi) 45 CFR Part § 164.308(a)(5)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(5)(ii)(C) HIPAA.SR
45 CFR Part § 164.312(b) HIPAA.SR
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1) 45 CFR Part § 164.308(a)(5)(ii)(C) HIPAA.SR
1 TAC § 390.2(a)(4)(A)(xi) 45 CFR Part § 164.312(b) HIPAA.SR
1 TAC § 390.2(a)(1) 45 CFR Part § 164.308(a)(1)(ii)(D) HIPAA.SR
1 TAC § 390.2(a)(4)(A)(xi) 45 CFR Part § 164.308(a)(5)(ii)(C) HIPAA.SR
45 CFR Part § 164.312(b) HIPAA.SR
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1) 45 CFR Part § 164.308(a)(1)(ii)(A) HIPAA.SR
1 TAC § 390.2(a)(4)(A)(xi) 45 CFR Part § 164.308(a)(1)(ii)(B) HIPAA.SR
45 CFR Part § 164.314(a)(2)(i) HIPAA.SR
1 TAC § 390.2(a)(3)
21 CFR Part 11.10(h) 23 NYCRR 500.08(b)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1) 45 CFR Part § 164.312(c)(1) HIPAA.SR
21 CFR Part 11.10(f) 45 CFR Part § 164.312(c)(2) HIPAA.SR
1 TAC § 390.2(a)(4)(A)(xi) 45 CFR Part § 164.312(e)(2)(i) HIPAA.SR
1 TAC § 390.2(a)(1) 45 CFR Part § 164.312(c)(1) HIPAA.SR
45 CFR Part § 164.312(c)(2) HIPAA.SR
1 TAC § 390.2(a)(4)(A)(xi) 45 CFR Part § 164.312(e)(2)(i) HIPAA.SR
1 TAC § 390.2(a)(1) 45 CFR Part § 164.312(a)(2)(iv) HIPAA.SR
21 CFR Part 11.100(c)
1 TAC § 390.2(a)(4)(A)(xi) 45 CFR Part § 164.312(e)(2)(ii) HIPAA.SR
1 TAC § 390.2(a)(1) 45 CFR Part § 164.312(a)(2)(iv) HIPAA.SR
1 TAC § 390.2(a)(4)(A)(xi) 45 CFR Part § 164.312(e)(2)(ii) HIPAA.SR
1 TAC § 390.2(a)(4)(A)(xi) 21 CFR Part 11.10(a)
1 TAC § 390.2(a)(4)(A)(xi) 45 CFR Part § 164.308(a)(4)(i) HIPAA.SR
45 CFR Part § 164.312(a)(1) HIPAA.SR
45 CFR Part § 164.308(a)(4)(i) HIPAA.SR
1 TAC § 390.2(a)(4)(A)(xi)
45 CFR Part § 164.312(a)(1) HIPAA.SR
45 CFR Part § 164.308(a)(4)(i) HIPAA.SR
1 TAC § 390.2(a)(4)(A)(xi) 45 CFR Part § 164.312(a)(1) HIPAA.SR
45 CFR Part § 164.308(b)(1) HIPAA.SR
45 CFR Part § 164.308(b)(3) HIPAA.SR
45 CFR Part § 164.314(a)(1) HIPAA.SR
45 CFR Part § 164.314(a)(2)(i) HIPAA.SR
45 CFR Part § 164.314(a)(2)(ii) HIPAA.SR
1 TAC § 390.2(a)(4)(A)(xi) 201 CMR 17.04(6) 45 CFR Part § 164.308(a)(8) HIPAA.SR
CMSRs v3.1 MP-05 (HIGH; MOD)
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 MP-05(04) (HIGH; MOD)
and Benefits Certification Policy Policy v2.1.0 Subsection 3.4 CMSRs v3.1 PE-16 (HIGH; MOD)
v1.1.0 Subsection 3.4 CMSRs v3.1 SC-28 (HIGH; MOD)
CMSRs v3.1 SC-08 (HIGH; MOD)
CMSRs v3.1 SC-08(01) (HIGH; MOD)
CMSRs v3.1 SC-CMS-1 (HIGH; MOD)
AICPA 2017 CC6.1 CMSRs v3.1 CA-09 (HIGH; MOD)
CMSRs v3.1 CM-02 (HIGH; MOD)
CMSRs v3.1 AU-10 (HIGH)
CMSRs v3.1 SC-08 (HIGH; MOD)
CMSRs v3.1 SC-08(01) (HIGH; MOD)
CAQH Core Phase 1 153: Eligibility
CMSRs v3.1 AU-10 (HIGH)
and Benefits Connectivity Rule
v1.1.0 Subsection 5.2
CMSRs v3.1 AC-22 (HIGH; MOD)
CMSRs v3.1 CM-06 (HIGH; MOD)
AICPA 2017 CC8.1 CMSRs v3.1 SC-05 (HIGH; MOD)
CMSRs v3.1 SC-05(02) (HIGH; MOD)
CMSRs v3.1 SC-CMS-2 (HIGH; MOD)
CMSRs v3.1 AC-06(09) (HIGH; MOD)
CMSRs v3.1 AC-06(09) (HIGH; MPD)
CMSRs v3.1 AR-04 (HIGH; MOD)
CMSRs v3.1 AU-02 (HIGH)
CMSRs v3.1 AU-02 (HIGH; MOD)
CMSRs v3.1 AU-02(03) (HIGH)
CMSRs v3.1 AU-03 (HIGH; MOD)
CIS CSC v7.1 14.9
AICPA 2017 C1.2 CIS CSC v7.1 6.2 CMSRs v3.1 AU-03(01) (HIGH; MOD)
AICPA 2017 CC2.1 CIS CSC v7.1 6.3 CMSRs v3.1 AU-03(02) (HIGH)
CIS CSC v7.1 7.6 CMSRs v3.1 AU-05 (HIGH; MOD)
CMSRs v3.1 AU-05(02) (HIGH)
CMSRs v3.1 AU-07(01) (HIGH; MOD)
CMSRs v3.1 AU-08 (HIGH; MOD)
CMSRs v3.1 AU-09 (HIGH; MOD)
CMSRs v3.1 AU-11 (HIGH; MOD)
CMSRs v3.1 AU-12 (HIGH; MOD)
CMSRs v3.1 AU-12(01) (HIGH)
CMSRs v3.1 AC-02(12) (HIGH)
CMSRs v3.1 AR-04 (HIGH)
CMSRs v3.1 AR-04 (HIGH; MOD)
CMSRs v3.1 AU-02 (HIGH; MOD)
CMSRs v3.1 AU-03 (HIGH; MOD)
CIS CSC v7.1 12.5
CIS CSC v7.1 12.6 CMSRs v3.1 AU-06 (HIGH; MOD)
CIS CSC v7.1 12.8 CMSRs v3.1 AU-06(01) (HIGH; MOD)
CIS CSC v7.1 13.3 CMSRs v3.1 AU-06(03) (HIGH; MOD)
CMSRs v3.1 AU-06(05) (HIGH)
AICPA 2017 A1.2 CIS CSC v7.1 13.5 CMSRs v3.1 AU-06(05) (HIGH; MOD)
CIS CSC v7.1 13.9
AICPA 2017 CC2.1 CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CIS CSC v7.1 15.10 CMSRs v3.1 AU-06(06) (HIGH)
AICPA 2017 CC3.1 and Benefits Certification Policy CIS CSC v7.1 16.12 CMSRs v3.1 AU-07 (HIGH; MOD)
AICPA 2017 CC6.7 v1.1.0 Subsection 3.4 Policy v2.1.0 Subsection 3.4 CIS CSC v7.1 16.13 CMSRs v3.1 AU-07(01) (HIGH)
AICPA 2017 CC6.8 CMSRs v3.1 AU-07(01) (HIGH; MOD)
AICPA 2017 CC7.2 CIS CSC v7.1 20.2 CMSRs v3.1 PE-06 (HIGH)
CIS CSC v7.1 6.2
CIS CSC v7.1 6.6 CMSRs v3.1 PE-06 (HIGH; MOD)
CIS CSC v7.1 6.7 CMSRs v3.1 PE-06(04) (HIGH)
CIS CSC v7.1 8.1 CMSRs v3.1 SI-03 (HIGH)
CMSRs v3.1 SI-04 (HIGH; MOD)
CIS CSC v7.1 8.4 CMSRs v3.1 SI-04(02) (HIGH; MOD)
CMSRs v3.1 SI-04(03) (HIGH; MOD)
CMSRs v3.1 SI-04(04) (HIGH; MOD)
CMSRs v3.1 SI-04(05) (HIGH; MOD)
CMSRs v3.1 SI-07(02) (HIGH)
CMSRs v3.1 AU-05(01) (HIGH)
CMSRs v3.1 AU-05(02) (HIGH)
CIS CSC v7.1 6.4 CMSRs v3.1 AU-09 (HIGH; MOD)
CMSRs v3.1 AU-09(02) (HIGH)
CMSRs v3.1 AU-09(03) (HIGH)
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 AR-04 (HIGH; MOD)
and Benefits Certification Policy CIS CSC v7.1 6.2 CMSRs v3.1 AU-02 (HIGH; MOD)
v1.1.0 Subsection 3.4 Policy v2.1.0 Subsection 3.4 CMSRs v3.1 AU-06 (HIGH; MOD)
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 AU-02 (HIGH; MOD)
AICPA 2017 A1.2 and Benefits Certification Policy Policy v2.1.0 Subsection 3.4 CIS CSC v7.1 18.5 CMSRs v3.1 AU-05(02) (HIGH)
v1.1.0 Subsection 3.4 CMSRs v3.1 SI-11 (HIGH; MOD)
CIS CSC v7.1 6.1 CMSRs v3.1 AU-08 (HIGH; MOD)
CMSRs v3.1 AU-08(01) (HIGH; MOD)
CMSRs v3.1 AR-07 (HIGH; MOD)
CMSRs v3.1 PL-08 (HIGH; MOD)
CMSRs v3.1 PM- 07 (HIGH; MOD)
CMSRs v3.1 SA-03 (HIGH)
CMSRs v3.1 SA-03 (HIGH; MOD)
CMSRs v3.1 SA-04 (HIGH)
CMSRs v3.1 SA-04 (HIGH; MOD)
AICPA 2017 CC3.1 CMSRs v3.1 SA-04(01) (HIGH; MOD)
AICPA 2017 CC5.2 CMSRs v3.1 SA-04(02) (HIGH; MOD)
AICPA 2017 CC8.1 CMSRs v3.1 SA-04(09) (HIGH; MOD)
CMSRs v3.1 SA-08 (HIGH; MOD)
CMSRs v3.1 SA-09 (HIGH; MOD)
CMSRs v3.1 SA-09(02) (HIGH; MOD)
CMSRs v3.1 SA-15 (HIGH; MOD)
CMSRs v3.1 SA-17 (HIGH)
CMSRs v3.1 SC-05 (HIGH; MOD)
CMSRs v3.1 SI-01 (HIGH; MOD)
CIS CSC v7.1 18.11
CIS CSC v7.1 18.2 CMSRs v3.1 SI-01 (HIGH; MOD)
CIS CSC v7.1 18.7 CMSRs v3.1 SI-10 (HIGH; MOD)
CIS CSC v7.1 9.5
CMS Rs v3.1 DI-02 (HIGH; MOD)
CMSRs v3.1 SC-24 (HIGH)
CMSRs v3.1 SI-02 (HIGH; MOD)
CMSRs v3.1 SI-06 (HIGH)
AICPA 2017 CC6.8 CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 SI-07 (HIGH; MOD)
AICPA 2017 CC7.1 and Benefits Certification Policy
AICPA 2017 CC8.1 v1.1.0 Subsection 3.4 Policy v2.1.0 Subsection 3.4 CMSRs v3.1 SI-07(01) (HIGH; MOD)
CMSRs v3.1 SI-07(02) (HIGH)
CMSRs v3.1 SI-07(05) (HIGH)
CMSRs v3.1 SI-07(07) (HIGH; MOD)
CMSRs v3.1 SI-10 (HIGH; MOD)
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 SC-08 (HIGH; MOD)
and Benefits Certification Policy
v1.1.0 Subsection 3.4 Policy v2.1.0 Subsection 3.4 CMSRs v3.1 SC-23 (HIGH; MOD)
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification
AICPA 2017 CC6.7 and Benefits Certification Policy CMSRs v3.1 SC-13 (HIGH; MOD)
v1.1.0 Subsection 3.4 Policy v2.1.0 Subsection 3.4
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 SC-12 (HIGH; MOD)
AICPA 2017 CC6.1 and Benefits Certification Policy Policy v2.1.0 Subsection 3.4 CMSRs v3.1 SC-12(01) (HIGH)
v1.1.0 Subsection 3.4 CMSRs v3.1 SC-17 (HIGH; MOD)
CMSRs v3.1 CM-02(03) (HIGH; MOD)
CIS CSC v7.1 18.3 CMSRs v3.1 CM-03 (HIGH; MOD)
CIS CSC v7.1 2.1 CMSRs v3.1 CM-03(02) (HIGH; MOD)
AICPA 2017 CC6.8 CIS CSC v7.1 2.7 CMSRs v3.1 CM-04 (HIGH)
CIS CSC v7.1 7.1 CMSRs v3.1 CM-06 (HIGH; MOD)
AICPA 2017 CC8.1 CIS CSC v7.1 7.2 CMSRs v3.1 CM-06(01) (HIGH)
CIS CSC v7.1 7.3 CMSRs v3.1 CM-06(02) (HIGH)
CIS CSC v7.1 9.4 CMSRs v3.1 CM-07(02) (HIGH; MOD)
CMSRs v3.1 CM-07(05) (HIGH)
CMSRs v3.1 AC-06 (HIGH; MOD)
CMSRs v3.1 CM-05 (HIGH; MOD)
CMSRs v3.1 CM-07 (HIGH; MOD)
CMSRs v3.1 CM-01 (HIGH; MOD)
CMSRs v3.1 CM-02 (HIGH; MOD)
CMSRs v3.1 CM-02(01) (HIGH; MOD)
CMSRs v3.1 CM-02(02) (HIGH)
CMSRs v3.1 CM-02(03) (HIGH; MOD)
CMSRs v3.1 CM-03 (HIGH; MOD)
CMSRs v3.1 CM-03(01) (HIGH)
CMSRs v3.1 CM-03(02) (HIGH; MOD)
CIS CSC v7.1 11.3
AICPA 2017 CC4.1 CIS CSC v7.1 5.1 CMSRs v3.1 CM-04 (HIGH; MOD)
AICPA 2017 CC6.8 CIS CSC v7.1 5.2 CMSRs v3.1 CM-04(01) (HIGH)
AICPA 2017 CC7.1 CIS CSC v7.1 5.3 CMSRs v3.1 CM-04(01) (HIGH; MOD)
AICPA 2017 CC7.5 CMSRs v3.1 CM-05 (HIGH; MOD)
AICPA 2017 CC8.1 CIS CSC v7.1 5.4 CMSRs v3.1 CM-05(01) (HIGH)
CIS CSC v7.1 5.5
CMSRs v3.1 CM-05(02) (HIGH)
CMSRs v3.1 CM-05(03) (HIGH)
CMSRs v3.1 CM-06 (HIGH; MOD)
CMSRs v3.1 CM-06(01) (HIGH)
CMSRs v3.1 CM-06(02) (HIGH)
CMSRs v3.1 CM-08(02) (HIGH)
CMSRs v3.1 CM-09 (HIGH; MOD)
CMSRs v3.1 SA-10 (HIGH; MOD)
CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 SA-11 (HIGH; MOD)
AICPA 2017 CC3.2 and Benefits Certification Policy CMSRs v3.1 SA-12 (HIGH)
v1.1.0 Subsection 3.4 Policy v2.1.0 Subsection 3.4 CMSRs v3.1 SA-13 (HIGH)
CIS CSC v7.1 11.4
CIS CSC v7.1 18.11 CMSRs v3.1 CA-02 (HIGH; MOD)
CIS CSC v7.1 20.1
CIS CSC v7.1 20.2 CMSRs v3.1 CA-08 (HIGH; MOD)
CIS CSC v7.1 20.3 CMSRs v3.1 CM-06 (HIGH; MOD)
CIS CSC v7.1 20.4 CMSRs v3.1 CM-07 (HIGH; MOD)
CMSRs V3.1 RA-05 (HIGH)
AICPA 2017 CC4.2 CIS CSC v7.1 20.5 CMSRs v3.1 RA-05 (HIGH; MOD)
AICPA 2017 CC7.1 CIS CSC v7.1 20.6
AICPA 2017 CC7.4 CIS CSC v7.1 20.7 CMSRs v3.1 RA-05(01) (HIGH; MOD)
CIS CSC v7.1 3.1 CMSRs v3.1 RA-05(02) (HIGH; MOD)
CIS CSC v7.1 3.3 CMSRs v3.1 RA-05(04) (HIGH)
CMSRs v3.1 SI-02 (HIGH; MOD)
CIS CSC v7.1 3.4 CMSRs v3.1 SI-02(01) (HIGH)
CIS CSC v7.1 3.6
CIS CSC v7.1 3.7 CMSRs v3.1 SI-02(02) (HIGH; MOD)
CIS CSC v7.1 5.1
FedRAMP MP-5 IRS Pub 1075 v2016 4.3.1 MARS-E v2 MP-5
FedRAMP MP-5(4) IRS Pub 1075 v2016 4.4 MARS-E v2 MP-5(4) NIST Cybersecurity Framework v1.1 PR.DS-2
COBIT 5 DSS05.02 CSA CCM v3.0.1 HRS-05 FedRAMP PE-16 FFIEC IS v2016 A.6.18(f) IRS Pub 1075 v2016 9.3.10.5 ISO/IEC 27002:2013 8.3.3 ISO/IEC 27799:2016 8.3.3 MARS-E v2 PE-16 NIST Cybersecurity Framework v1.1 PR.PT-2
FedRAMP SC-28 IRS Pub 1075 v2016 9.3.11.8 MARS-E v2 SC-28
FedRAMP SC-28(1) IRS Pub 1075 v2016 9.3.16.15
MARS-E v2 SC-8
IRS Pub 1075 v2016 9.3.16.6 MARS-E v2 SC-8(1) NIST Cybersecurity F ramework v1.1 ID.GV-3
COBIT 5 DSS05.02 CRR v2016 CM:G2.Q4 FedRAMP SC-8 IRS Pub 1075 v2016 9.4.3 ISO/IEC 27002:2013 13.2.3 ISO/IEC 27799:2016 13.2.3 MARS-E v2 SC-8(2) NIST Cybersecurity Framework v1.1 PR.DS-2
IRS Pub 1075 v2016 9.4.4 MARS-E v2 SC-ACA-1 NIST Cybersecurity Framework v1.1 PR.DS-5
MARS-E v2 SC-ACA-2
NIST Cybersecurity Framework v1.1 DE.AE-1
NIST Cybersecurity Framework v1.1 PR.AC-3
NIST Cybersecurity Framework v1.1 PR.AC-4
COBIT 5 DSS05.02 FedRAMP CA-9 IRS Pub 1075 v2016 9.3.5.2 ISO/IEC 27002:2013 13.1.3 ISO/IEC 27799:2016 13.1.3 MARS-E v2 CM-2
COBIT 5 DSS05.03 FedRAMP CM-2 NIST Cybersecurity Framework v1.1 PR.AC-5
NIST Cybersecurity Framework v1.1 PR.DS-5
NIST Cybersecurity Framework v1.1 PR.IP-1
NIST Cybersecurity Framework v1.1 PR.IP-4
NIST Cybersecurity F ramework v1.1 ID.GV-3
MARS-E v2 AU-10 NIST Cybersecurity Framework v1.1 PR.AT-3
CSA CCM v3.0.1 DSI-03 FedRAMP SC-8 IRS Pub 1075 v2016 9.3.16.6 ISO/IEC 27002:2013 14.1.2 ISO/IEC 27799:2016 14.1.2 MARS-E v2 SC-8 NIST Cybersecurity Framework v1.1 PR.DS-1
MARS-E v2 SC-8(1) NIST Cybersecurity Framework v1.1 PR.DS-2
NIST Cybersecurity Framework v1.1 PR.DS-5
NIST Cybersecurity Framework v1.1 PR.AC-4
CSA CCM v3.0.1 DSI-03 CRR v2016 CM:G2.Q4 IRS Pub 1075 v2016 Exhibit 10 ISO/IEC 27002:2013 14.1.3 ISO/IEC 27799:2016 14.1.3 MARS-E v2 AU-10 NIST Cybersecurity Framework v1.1 PR.DS-1
NIST Cybersecurity Framework v1.1 PR.DS-2
NIST Cybersecurity Framework v1.1 PR.DS-5
NIST Cybersecurity Framework v1.1 DE.CM-6
NIST Cybersecurity Framework v1.1 DE.CM-8
NIST Cybersecurity F ramework v1.1 ID.GV-3
NIST Cybersecurity Framework v1.1 ID.RA-1
FedRAMP AC-22 IRS Pub 1075 v2016 9.3.1.17 MARS-E v2 CM-6 NIST Cybersecurity Framework v1.1 PR.AC-4
COBIT 5 DSS06.03 FedRAMP CM-6 IRS Pub 1075 v2016 9.3.16.4 ISO/IEC 27001:2013 14.1.2 ISO/IEC 27002:2013 14.1.2 ISO/IEC 27799:2016 14.1.2 NIST Cybersecurity Framework v1.1 PR.AT-2
FedRAMP SC-5 IRS Pub 1075 v2016 9.3.5.6 MARS-E v2 SC-5 NIST Cybersecurity Framework v1.1 PR.DS-1
NIST Cybersecurity Framework v1.1 PR.DS-2
NIST Cybersecurity Framework v1.1 PR.DS-6
NIST Cybersecurity Framework v1.1 PR.DS-8
NIST Cybersecurity Framework v1.1 PR.IP-1
MARS-E v2 AC-6(9)
IRS Pub 1075 v2016 9.3.3.10 MARS-E v2 AR-4
FedRAMP AC-6(9) IRS Pub 1075 v2016 9.3.3.11 MARS-E v2 AU-11
FedRAMP AU-11 IRS Pub 1075 v2016 9.3.3.12
FedRAMP AU-2 FFIEC IS v2016 A.6.20(d) IRS Pub 1075 v2016 9.3.3.2 MARS-E v2 AU-12
De-ID Framework v1 Audit Logging/Monitoring: MARS-E v2 AU-12(1) NIST Cybersecurity Framework v1.1 DE.CM-1
FedRAMP AU-2(3) FFIEC IS v2016 A.6.21(b) General IRS Pub 1075 v2016 9.3.3.3 ISO/IEC 27002:2013 12.4.1 ISO/IEC 27799:2016 12.4.1 MARS-E v2 AU-16 NIST Cybersecurity Framework v1.1 DE.CM-3
COBIT 5 DSS05.04 CSA CCM v3.0.1 IVS-01 CRR v2016 CM:G2.Q6 FedRAMP AU-3 FFIEC IS v2016 A.6.22(f) HITRUST De-ID Framework v1 Retention: Data Retention IRS Pub 1075 v2016 9.3.3.4 ISO/IEC 27002:2013 12.4.2 ISO/IEC 27799:2016 12.4.2 MARS-E v2 AU-2 NIST Cybersecurity Framework v1.1 ID.SC-4
FedRAMP AU-3(1) FFIEC IS v2016 A.6.27(a) Policy IRS Pub 1075 v2016 9.4.11 ISO/IEC 27002:2013 12.4.3 ISO/IEC 27799:2016 12.4.3 MARS-E v2 AU-3 NIST Cybersecurity Framework v1.1 PR.PT-1
FedRAMP AU-5 FFIEC IS v2016 A.6.35 IRS Pub 1075 v2016 9.4.13
FedRAMP AU-8(1) IRS Pub 1075 v2016 9.4.18 MARS-E v2 AU-5
MARS-E v2 AU-8
FedRAMP AU-9 IRS Pub 1075 v2016 9.4.3 MARS-E v2 AU-9
IRS Pub 1075 v2016 9.4.9 MARS-E v2 PE-13(1)
MARS-E v1 AU-6
FedRAMP AC-17 IRS Pub 1075 v2016 4.3.2 MARS-E v2 AC-17 NIST Cybersecurity Framework v1.1 DE.AE-2
MARS-E v2 AR-4
FedRAMP AC-2(12) IRS Pub 1075 v2016 6.4.1 MARS-E v2 AU-2 NIST Cybersecurity Framework v1.1 DE.AE-3
FedRAMP AU-2 IRS Pub 1075 v2016 9.3.11.6 MARS-E v2 AU-3 NIST Cybersecurity Framework v1.1 DE.CM-1
FedRAMP AU-6 FFIEC IS v2016 A.6.20(d) IRS Pub 1075 v2016 9.3.16.6 MARS-E v2 AU-3(1) NIST Cybersecurity Framework v1.1 DE.CM-2
FedRAMP AU-6(1) IRS Pub 1075 v2016 9.3.17.3 NIST Cybersecurity Framework v1.1 DE.CM-4
FedRAMP AU-6(3) FFIEC IS v2016 A.6.21(f) IRS Pub 1075 v2016 9.3.17.4 MARS-E v2 AU-6 NIST Cybersecurity Framework v1.1 DE.CM-7
FFIEC IS v2016 A.6.21(g) MARS-E v2 AU-6(1)
COBIT 5 DSS05.01 FedRAMP AU-7 FFIEC IS v2016 A.6.22(f) De-ID Framework v1 Audit Logging/Monitoring: IRS Pub 1075 v2016 9.3.3.3 MARS-E v2 AU-6(3) NIST Cybersecurity Framework v1.1 DE.DP- 2
COBIT 5 DSS05.05 CSA CCM v3.0.1 IVS-01 CRR v2016 IM:G2.Q2 FedRAMP AU-7(1) FFIEC IS v2016 A.6.35 Aberrant and Inappropriate Use IRS Pub 1075 v2016 9.3.3.4 ISO/IEC 27002:2013 12.4.1 ISO/IEC 27799:2016 12.4.1 MARS-E v2 AU-7 NIST Cybersecurity Framework v1.1 DE.DP- 3
COBIT 5 DSS05.07 CRR v2016 VM:G1.Q5 FedRAMP PE-6 F FIEC IS v2016 A.6.35(c) De-ID Framework v1 Audit Logging/Monitoring: IRS Pub 1075 v2016 9.3.3.7 MARS-E v2 AU-7(1) NIST Cybersecurity Framework v1.1 DE.DP- 4
FedRAMP SI-3 General IRS Pub 1075 v2016 9.3.3.8 NIST Cybersecurity Framework v1.1 DE.DP- 5
FedRAMP SI-4 FFIEC IS v2016 A.6.35(d) IRS Pub 1075 v2016 9.4.11 MARS-E v2 PE-6 NIST Cybersecurity F ramework v1.1 ID.GV-3
FFIEC IS v2016 A.8.1(h) MARS-E v2 SC-7(12)
FedRAMP SI-4(1) FFIEC IS v2016 A.8.5(a) IRS Pub 1075 v2016 9.4.14 MARS-E v2 SI-3 NIST Cybersecurity Framework v1.1 ID.RA-1
FedRAMP SI-4(16) IRS Pub 1075 v2016 9.4.15 MARS-E v2 SI-4 NIST Cybersecurity Framework v1.1 PR.PT-1
FedRAMP SI-4(2) IRS Pub 1075 v2016 9.4.18 MARS-E v2 SI-4(1) NIST Cybersecurity Framework v1.1 RS.AN-1
FedRAMP SI-4(4) IRS Pub 1075 v2016 9.4.9 NIST Cybersecurity Framework v1.1 RS.CO-2
FedRAMP SI-4(5) IRS Pub 1075 v2016 Exhibit 10 MARS-E v2 SI-4(2) NIST Cybersecurity Framework v1.1 RS.CO-3
MARS-E v2 SI-4(4)
MARS-E v2 SI-4(5)
NIST Cybersecurity Framework v1.1 DE.CM-1
NIST Cybersecurity Framework v1.1 PR.AC-4
NIST Cybersecurity Framework v1.1 PR.DS-1
FedRAMP AU-9 FFIEC IS v2016 A.6.21(b) IRS Pub 1075 v2016 9.3.3.10 ISO/IEC 27002:2013 12.4.2 ISO/IEC 27799:2016 12.4.2 MARS-E v2 AU-5(1) NIST Cybersecurity Framework v1.1 PR.DS-2
COBIT 5 DSS05.07
FedRAMP AU-9(2) FFIEC IS v2016 A.6.35(b) IRS Pub 1075 v2016 9.3.3.6 ISO/IEC 27002:2013 12.4.3 ISO/IEC 27799:2016 12.4.3 MARS-E v2 AU-9 NIST Cybersecurity Framework v1.1 PR.DS-4
NIST Cybersecurity Framework v1.1 PR.DS-6
NIST Cybersecurity Framework v1.1 PR.PT-1
NIST Cybersecurity Framework v1.1 RS.AN-1
FedRAMP AU-12 FFIEC IS v2016 A.6.35 IRS Pub 1075 v2016 9.3.3.3 ISO/IEC 27002:2013 12.4.1 ISO/IEC 27799:2016 12.4.1 MARS-E v2 AU-2 NIST Cybersecurity Framework v1.1 ID.SC-4
CSA CCM v3.0.1 IVS-01 FedRAMP AU-2
FedRAMP AU-6 F FIEC IS v2016 A.6.35(c) IRS Pub 1075 v2016 9.3.3.7 ISO/IEC 27002:2013 12.4.3 ISO/IEC 27799:2016 12.4.3 MARS-E v2 AU-6 NIST Cybersecurity Framework v1.1 PR.PT-1
FedRAMP AU-12 IRS Pub 1075 v2016 9.3.17.8 MARS-E v2 AU-2 NIST Cybersecurity Framework v1.1 DE.DP- 4
COBIT 5 DSS05.07 CSA CCM v3.0.1 IVS-01 FedRAMP AU-2 IRS Pub 1075 v2016 9.3.3.3 ISO/IEC 27002:2013 12.4.1 ISO/IEC 27799:2016 12.4.1 MARS-E v2 SI-11 NIST Cybersecurity Framework v1.1 PR.PT-1
FedRAMP SI-11 IRS Pub 1075 v2016 9.3.3.6
CSA CCM v3.0.1 IVS-03 FedRAMP AU-8 IRS Pub 1075 v2016 9.3.3.9 ISO/IEC 27002:2013 12.4.4 ISO/IEC 27799:2016 12.4.4 MARS-E v2 AU-8 NIST Cybersecurity Framework v1.1 PR.PT-1
FedRAMP AU-8(1) MARS-E v2 AU-8(1)
FedRAMP PE-14 MARS-E v2 AR-7
FedRAMP PL-8 MARS-E v2 PM- 7
FedRAMP SA-3
FedRAMP SA-4 MARS-E v2 SA-3
IRS Pub 1075 v2016 5.4.2 ISO/IEC 27002:2013 14.1.1 ISO/IEC 27799:2016 14.1.1 MARS-E v2 SA-4
CRR v2016 CCM:G1.Q6 FedRAMP SA-4(1) IRS Pub 1075 v2016 9.3.15.3 ISO/IEC 27002:2013 14.2.1 ISO/IEC 27799:2016 14.2.1 MARS-E v2 SA-4(1) NIST Cybersecurity F ramework v1.1 ID.GV-3
CRR v2016 CM:G2.Q2 EU GDPR Article 25(1) FedRAMP SA-4(10) IRS Pub 1075 v2016 9.3.15.4 ISO/IEC 27002:2013 14.2.5 ISO/IEC 27799:2016 14.2.5 MARS-E v2 SA-4(2) NIST Cybersecurity Framework v1.1 PR.AT-3
CSA CCM v3.0.1 GRM-01 CRR v2016 CM:G2.Q3 EU GDPR Article 25(1) FedRAMP SA-4(2) FFIEC IS v2016 A.6.27 HITRUST IRS Pub 1075 v2016 9.3.15.6 ISO/IEC 27001:2013 6.1.5 ISO/IEC 27002:2013 14.2.6 ISO/IEC 27799:2016 14.2.6 MARS-E v2 SA-4(9) NIST Cybersecurity Framework v1.1 PR.IP-2
FedRAMP SA-4(9)
CRR v2016 CM:G2.Q4 FedRAMP SA-8 IRS Pub 1075 v2016 Exhibit 10 ISO/IEC 27002:2013 14.2.8 ISO/IEC 27799:2016 14.2.8 MARS-E v2 SA-8 NIST Cybersecurity Framework v1.1 RS.MI-2
IRS Pub 1075 v2016 Exhibit 7 ISO/IEC 27002:2013 17.2.1 ISO/IEC 27799:2016 17.2.1 MARS-E v2 SA-9(1)
FedRAMP SA-9(1) MARS-E v2 SA-9(2)
FedRAMP SA-9(2) MARS-E v2 SC-5
FedRAMP SC-5 MARS-E v2 SI-1
FedRAMP SI-1
CSA CCM v3.0.1 AIS-01 FedRAMP SI-1 FFIEC IS v2016 A.6.27(e) IRS Pub 1075 v2016 9.3.17.7 MARS-E v2 SI-1 NIST Cybersecurity Framework v1.1 DE.CM-8
CRR v2016 CM:G2.Q5 EU GDPR Article 25(1) NIST Cybersecurity Framework v1.1 PR.DS-5
CSA CCM v3.0.1 AIS-03 FedRAMP SI-10 FFIEC IS v2016 A.6.27(g) IRS Pub 1075 v2016 Exhibit 10 MARS-E v2 SI-10 NIST Cybersecurity Framework v1.1 PR.DS-6
MARS-E v2 CM-6(3)
FedRAMP SI-10 MARS-E v2 DI-2 NIST Cybersecurity Framework v1.1 DE.CM-8
FedRAMP SI-2 NIST Cybersecurity Framework v1.1 ID.RA-1
CRR v2016 CCM:G2.Q5 FedRAMP SI-6 FFIEC IS v2016 A.6.27(e) MARS-E v2 SI-10 NIST Cybersecurity Framework v1.1 PR.DS-6
CSA CCM v3.0.1 AIS-01 EU GDPR Article 25(1) FFIEC IS v2016 A.6.29 IRS Pub 1075 v2016 9.3.17.7 MARS-E v2 SI-2
CRR v2016 CCM:G2.Q6 FedRAMP SI-7 FFIEC IS v2016 A.8.1(l) MARS-E v2 SI-7(1) NIST Cybersecurity Framework v1.1 PR.DS-8
FedRAMP SI-7(1) MARS-E v2 SI-7(7) NIST Cybersecurity Framework v1.1 RS.CO-2
FedRAMP SI-7(7) MARS-E v2 SI-9 NIST Cybersecurity Framework v1.1 RS.MI-3
IRS Pub 1075 v2016 9.3.16.14 MARS-E v2 SC-23 NIST Cybersecurity Framework v1.1 PR.DS-2
FedRAMP SC-23 ISO/IEC 27002:2013 10.1.1 ISO/IEC 27799:2016 10.1.1 NIST Cybersecurity Framework v1.1 PR.DS-5
IRS Pub 1075 v2016 9.3.16.8 MARS-E v2 SC-8 NIST Cybersecurity Framework v1.1 PR.DS-6
CSA CCM v3.0.1 AIS-01 EU GDPR Article 25(1) ISO/IEC 27002:2013 14.2.5 ISO/IEC 27799:2016 14.2.5
CSA CCM v3.0.1 AIS-03
CSA CCM v3.0.1 EKM-03 NIST Cybersecurity F ramework v1.1 ID.GV-3
COBIT 5 DSS05.03 FedRAMP SC-13 FFIEC IS v2016 A.6.30 IRS Pub 1075 v2016 9.3.16.9 ISO/IEC 27002:2013 10.1.1 ISO/IEC 27799:2016 10.1.1 MARS-E v2 SC-13 NIST Cybersecurity Framework v1.1 PR.DS-1
CSA CCM v3.0.1 GRM-06 NIST Cybersecurity Framework v1.1 PR.DS-2
FedRAMP SC-12 MARS-E v2 SC-12
CSA CCM v3.0.1 EKM-01 FedRAMP SC-12(2) IRS Pub 1075 v2016 9.3.16.11 NIST Cybersecurity Framework v1.1 PR.DS-1
COBIT 5 DSS05.03 CSA CCM v3.0.1 EKM-02 FedRAMP SC-12(3) FFIEC IS v2016 A.6.30 IRS Pub 1075 v2016 9.3.16.8 ISO/IEC 27002:2013 10.1.2 ISO/IEC 27799:2016 10.1.2 MARS-E v2 SC-12(2) NIST Cybersecurity Framework v1.1 PR.DS-2
MARS-E v2 SC-17
FedRAMP SC-17
IRS Pub 1075 v2016 9.3.15.10 MARS-E v2 CM-2(3)
CSA CCM v3.0.1 CCC-04 FedRAMP CM-2(3) MARS-E v2 CM-3
CSA CCM v3.0.1 IPY-01 FedRAMP CM-4 IRS Pub 1075 v2016 9.3.5.4 ISO/IEC 27002:2013 12.1.14 MARS-E v2 CM-3(2) NIST Cybersecurity Framework v1.1 PR.DS-7
FFIEC IS v2016 A.6.17 IRS Pub 1075 v2016 9.3.5.6 ISO/IEC 27799:2016 12.5.1 NIST Cybersecurity Framework v1.1 PR.IP-1
CSA CCM v3.0.1 IPY-02 FedRAMP CM-7(5) IRS Pub 1075 v2016 9.4.17 ISO/IEC 27002:2013 12.5.1 MARS-E v2 CM-4 NIST Cybersecurity Framework v1.1 PR.IP-3
CSA CCM v3.0.1 IVS-07 FedRAMP SC-7(12) IRS Pub 1075 v2016 9.4.18 MARS-E v2 SA-22
MARS-E v2 SC-7(12)
NIST Cybersecurity Framework v1.1 PR.AC-1
NIST Cybersecurity Framework v1.1 PR.AC-2
NIST Cybersecurity Framework v1.1 PR.AC-3
CSA CCM v3.0.1 DSI-05 IRS Pub 1075 v2016 9.4.6 ISO/IEC 27002:2013 14.3.1 ISO/IEC 27799:2016 14.3.1 NIST Cybersecurity Framework v1.1 PR.AC-4
NIST Cybersecurity Framework v1.1 PR.AC-5
NIST Cybersecurity Framework v1.1 PR.DS-1
NIST Cybersecurity Framework v1.1 PR.PT-1
NIST Cybersecurity Framework v1.1 PR.PT-3
CSA CCM v3.0.1 IAM-06 FedRAMP AC-6 IRS Pub 1075 v2016 9.3.1.6 MARS-E v2 AC-6 NIST Cybersecurity Framework v1.1 PR.DS-5
FedRAMP CM-5 ISO/IEC 27002:2013 9.4.5 ISO/IEC 27799:2016 9.4.5 MARS-E v2 CM-5
CSA CCM v3.0.1 IAM-09 FedRAMP CM-7 IRS Pub 1075 v2016 9.3.5.5 MARS-E v2 CM-7 NIST Cybersecurity Framework v1.1 PR.PT-3
IRS Pub 1075 v2016 9.1
FFIEC IS v2016 A.6.11(a) IRS Pub 1075 v2016 9.3.15.8
FFIEC IS v2016 A.6.11(b) IRS Pub 1075 v2016 9.3.5.1
FedRAMP CM-1 F FIEC IS v2016 A.6.11(c) IRS Pub 1075 v2016 9.3.5.2
FedRAMP CM-2 FFIEC IS v2016 A.6.11(d) IRS Pub 1075 v2016 9.3.5.3 MARS-E v2 CM-1
CRR v2016 CCM:G1.Q1 FedRAMP CM-2(1) FFIEC IS v2016 A.6.11(e) IRS Pub 1075 v2016 9.3.5.4 MARS-E v2 CM-2 NIST Cybersecurity Framework v1.1 DE.CM-1
FedRAMP CM-2(2) FFIEC IS v2016 A.6.11(f) IRS Pub 1075 v2016 9.3.5.5 MARS-E v2 CM-2(1)
CRR v2016 CCM:G1.Q4 FedRAMP CM-3 FFIEC IS v2016 A.6.11(g) IRS Pub 1075 v2016 9.3.5.6 MARS-E v2 CM-3 NIST Cybersecurity Framework v1.1 DE.CM-7
CRR v2016 CCM:G1.Q6 NIST Cybersecurity Framework v1.1 ID.AM-6
CSA CCM v3.0.1 CCC-05 CRR v2016 CCM:G2.Q1 FedRAMP CM-4 FFIEC IS v2016 A.6.11(h) IRS Pub 1075 v2016 9.3.5.9 ISO/IEC 27002:2013 14.2.2 ISO/IEC 27799:2016 14.2.2 MARS-E v2 CM-3(2) NIST Cybersecurity Framework v1.1 ID.RA-4
CSA CCM v3.0.1 IVS-02 CRR v2016 CCM:G2.Q2 FedRAMP CM-5 FFIEC IS v2016 A.6.11(i) IRS Pub 1075 v2016 9.4.11 ISO/IEC 27002:2013 14.2.3 ISO/IEC 27799:2016 14.2.3 MARS-E v2 CM-4 NIST Cybersecurity Framework v1.1 ID.RA-5
CSA CCM v3.0.1 MOS-07 CRR v2016 CCM:G2.Q3 FedRAMP CM-5(1) FFIEC IS v2016 A.6.11( j) IRS Pub 1075 v2016 9.4.13 ISO/IEC 27001:2013 8.1 ISO/IEC 27002:2013 14.2.4 ISO/IEC 27799:2016 14.2.4 MARS-E v2 CM-4(1) NIST Cybersecurity Framework v1.1 PR.AT-3
FedRAMP CM-5(3) FFIEC IS v2016 A.6.11(k) IRS Pub 1075 v2016 9.4.14 ISO/IEC 27002:2013 14.2.6 ISO/IEC 27799:2016 14.2.6 MARS-E v2 CM-4(2)
CSA CCM v3.0.1 MOS-15 CRR v2016 CCM:G2.Q4 FedRAMP CM-5(5) FFIEC IS v2016 A.6.11(l) IRS Pub 1075 v2016 9.4.15 ISO/IEC 27002:2013 14.2.7 ISO/IEC 27799:2016 14.2.7 MARS-E v2 CM-5 NIST Cybersecurity Framework v1.1 PR.IP-1
CRR v2016 CCM:G2.Q7 NIST Cybersecurity Framework v1.1 PR.IP-2
CRR v2016 CCM:G3.Q1 FedRAMP CM-6 FFIEC IS v2016 A.6.11(m) IRS Pub 1075 v2016 9.4.16 MARS-E v2 CM-6 NIST Cybersecurity Framework v1.1 PR.IP-3
CRR v2016 CCM:G3.Q2 FedRAMP CM-6(1) FFIEC IS v2016 A.6.12 IRS Pub 1075 v2016 9.4.17 MARS-E v2 CM-6(1) NIST Cybersecurity Framework v1.1 PR.PT-3
FedRAMP CM-9 FFIEC IS v2016 A.6.14 IRS Pub 1075 v2016 9.4.18 MARS-E v2 CM-9
FedRAMP SA-10 FFIEC IS v2016 A.6.15(d) IRS Pub 1075 v2016 9.4.3 MARS-E v2 SA-10
FedRAMP SA-10(1) FFIEC IS v2016 A.6.15(g) IRS Pub 1075 v2016 9.4.5
FFIEC IS v2016 A.6.15(h) IRS Pub 1075 v2016 9.4.8
FFIEC IS v2016 A.6.28(a) IRS Pub 1075 v2016 9.4.9
IRS Pub 1075 v2016 Exhibit 10
NIST Cybersecurity Framework v1.1 DE.CM-4
NIST Cybersecurity Framework v1.1 DE.CM-6
FFIEC IS v2016 A.6.28 NIST Cybersecurity Framework v1.1 ID.BE-1
CSA CCM v3.0.1 CCC-02 FedRAMP SA-11 FFIEC IS v2016 A.6.28(b) ISO/IEC 27001:2013 8.1 ISO/IEC 27002:2013 14.2.7 ISO/IEC 27799:2016 14.2.7 MARS-E v2 SA-11
FFIEC IS v2016 A.6.28(d) NIST Cybersecurity Framework v1.1 ID.RA-3
NIST Cybersecurity Framework v1.1 ID.RA-6
NIST Cybersecurity Framework v1.1 PR.AT-3
CRR v2016 CCM:G2.Q7 FedRAMP CA-8
CRR v2016 VM:G1.Q1 FedRAMP CA-8(1) FFIEC IS v2016 A.10.1
CRR v2016 VM:G1.Q5 FedRAMP CM-6 FFIEC IS v2016 A.10.3(b) NIST Cybersecurity Framework v1.1 DE.CM-8
CRR v2016 VM:G2.Q1 FedRAMP RA-3 F FIEC IS v2016 A.10.3(c)
CRR v2016 VM:G2.Q2 FedRAMP RA-5 FFIEC IS v2016 A.10.5 IRS Pub 1075 v2016 9.3.14.3 MARS-E v2 CA-2 NIST Cybersecurity Framework v1.1 DE.DP- 5
CRR v2016 VM:G2.Q3 FedRAMP RA-5(1) FFIEC IS v2016 A.4.4 IRS Pub 1075 v2016 9.3.17.2 MARS-E v2 CM-6 NIST Cybersecurity Framework v1.1 ID.AM-6
CRR v2016 VM:G2.Q4 FedRAMP RA-5(2) FFIEC IS v2016 A.6.13 IRS Pub 1075 v2016 9.3.5.6 MARS-E v2 CM-7 NIST Cybersecurity Framework v1.1 ID.RA-1
IRS Pub 1075 v2016 9.3.5.7 MARS-E v2 PE-2(2) NIST Cybersecurity Framework v1.1 ID.RA-2
CSA CCM v3.0.1 IVS-05 CRR v2016 VM:G2.Q5 FedRAMP RA-5(3) F FIEC IS v2016 A.6.15(c) IRS Pub 1075 v2016 9.4.14 MARS-E v2 RA-5 NIST Cybersecurity Framework v1.1 ID.RA-4
COBIT 5 DSS05.02 CRR v2016 VM:G3.Q2 FedRAMP RA-5(5) FFIEC IS v2016 A.6.15(d) HITRUST ISO/IEC 27002:2013 12.6.1 ISO/IEC 27799:2016 12.6.1
CSA CCM v3.0.1 TVM- 02 CRR v2016 VM:G3.Q3 FedRAMP RA-5(6) FFIEC IS v2016 A.6.15(f) IRS Pub 1075 v2016 9.4.15 MARS-E v2 RA-5(1) NIST Cybersecurity Framework v1.1 ID.RA-5
CRR v2016 VM:G4.Q1 FedRAMP RA-5(8) FFIEC IS v2016 A.6.15(h) IRS Pub 1075 v2016 9.4.16 MARS-E v2 SA-11(1) NIST Cybersecurity Framework v1.1 ID.RA-6
CRR v2016 VM:MIL2.Q2 FedRAMP SA-11(1) FFIEC IS v2016 A.6.27(d) IRS Pub 1075 v2016 9.4.17 MARS-E v2 SI-2 NIST Cybersecurity Framework v1.1 PR.IP- 12
IRS Pub 1075 v2016 9.4.18 MARS-E v2 SI-2(1) NIST Cybersecurity Framework v1.1 PR.PT-3
CRR v2016 VM:MIL2.Q4 FedRAMP SA-11(2) FFIEC IS v2016 A.8.1(c) IRS Pub 1075 v2016 9.4.9 MARS-E v2 SI-2(2) NIST Cybersecurity Framework v1.1 RS.CO-3
CRR v2016 VM:MIL3.Q2 FedRAMP SA-11(8) FFIEC IS v2016 A.8.1(d)
CRR v2016 VM:MIL3.Q4 FedRAMP SI-2 FFIEC IS v2016 A.8.3 NIST Cybersecurity Framework v1.1 RS.MI-3
CRR v2016 VM:MIL4.Q1 FedRAMP SI-2(2) FFIEC IS v2016 A.8.4
CRR v2016 VM:MIL4.Q2 FedRAMP SI-2(3)

11.a Reporting Information Security
Events
1 TAC § 390.2(a)(4)(B)(xviii)(III)
1 TAC § 390.2(a)(4)(B)(xviii)(IV)
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures
11.d Learning from Information Security
Incidents
11.e Collection of Evidence
12.a Including Information Security in
the Business Continuity Management
Process
12.b Business Continuity and Risk
Assessment
12.c Developing and Implementing
Continuity Plans Including Information
Security
12.d Business Continuity Planning
Framework
12.e Testing, Maintaining and Re-
Assessing Business Continuity Plans
13.a Privacy Notice
13.b Openness and Transparency
13.c Accounting of Disclosures
13.d Consent
13.e Choice
13.f Principle Access
13.g Purpose Legitimacy
13.h Purpose Specification
13.i Collection Limitation
13.j Data Minimization
© 2019 HITRUST. All rights reserved.
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(2)
1 TAC § 390.2(a)(3)
1 TAC § 390.2(a)(4)
1 TAC § 390.2(a)(4)(A)(ix)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(4)(B)(xvi)
1 TAC § 390.2(a)(3)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(3)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(4)(A)(xi)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(B)(i)
1 TAC § 390.2(a)(4)(B)(ii)
1 TAC § 390.2(a)(4)(B)(iii)
1 TAC § 390.2(a)(4)(B)(v)
1 TAC § 390.2(a)(4)(B)(xiv)
1 TAC § 390.2(a)(4)(B)(xv)
1 TAC § 390.2(a)(4)(B)(xvi)
1 TAC § 390.2(a)(4)(C)(i)
1 TAC § 390.2(a)(4)(C)(ii)
1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(B)(ii)
1 TAC § 390.2(a)(4)(C)(i)
45 CFR Part § 164.404(a)(2) HIPAA.BN
45 CFR Part § 164.404(b) HIPAA.BN
45 CFR Part § 164.404(c)(1) HIPAA.BN
45 CFR Part § 164.404(c)(2) HIPAA.BN
45 CFR Part § 164.404(c)(3) HIPAA.BN
45 CFR Part § 164.404(d)(1) HIPAA.BN
45 CFR Part § 164.404(d)(2) HIPAA.BN
45 CFR Part § 164.404(d)(3) HIPAA.BN
23 NYCRR 500.017(a) 45 CFR Part § 164.406(a) HIPAA.BN
201 CMR 17.03(2)(j) 45 CFR Part § 164.406(b) HIPAA.BN
23 NYCRR 500.017(a)(1) 45 CFR Part § 164.406(c) HIPAA.BN
23 NYCRR 500.017(a)(2)
45 CFR Part § 164.408(a) HIPAA.BN
45 CFR Part § 164.408(b) HIPAA.BN
45 CFR Part § 164.408(c) HIPAA.BN
45 CFR Part § 164.410(a)(1) HIPAA.BN
45 CFR Part § 164.410(a)(2) HIPAA.BN
45 CFR Part § 164.410(b) HIPAA.BN
45 CFR Part § 164.410(c)(1) HIPAA.BN
45 CFR Part § 164.410(c)(2) HIPAA.BN
45 CFR Part § 164.414(b) HIPAA.BN
16 CF R Part § 681 Appendix A II(c)
16 CFR Part § 681 Appendix A IV(a)
16 CFR Part § 681 Appendix A IV(b)
16 CFR Part § 681 Appendix A IV(c)
16 CFR Part § 681 Appendix A IV(d)
201 CMR 17.03(2)(j) 45 CFR Part § 164.404(a)(1) HIPAA.BN
16 CFR Part § 681 Appendix A IV(e) 45 CFR Part § 164.408(c) HIPAA.BN
16 CFR Part § 681 Appendix A IV(f )
16 CFR Part § 681 Appendix A IV(g)
16 CFR Part § 681 Appendix A IV(h)
16 CFR Part § 681 Appendix A IV(i)
16 CFR Part § 681 Appendix A IV(a) 45 CFR Part § 164.408(c) HIPAA.BN
45 CFR Part § 164.414(b) HIPAA.BN
45 CFR Part § 164.520(a) HIPAA.PR
45 CFR Part § 164.520(a)(2) HIPAA.PR
45 CFR Part § 164.520(c)(1)(ii) HIPAA.PR
45 CFR Part § 164.520(c)(1)(iii) HIPAA.PR
45 CFR Part § 164.520(c)(1)(v)(B)
HIPAA.PR
45 CFR Part § 164.520(c)(3)(ii) HIPAA.PR
45 CFR Part § 164.520(b) HIPAA.PR
45 CFR Part § 164.528(a) HIPAA.PR
45 CF R Part § 164.528(a)(2)(i) HIPAA.PR
45 CFR Part § 164.528(b) HIPAA.PR
45 CFR Part § 164.528(c) HIPAA.PR
45 CFR Part § 164.528(d) HIPAA.PR
45 CFR Part § 164.530(j)(2) HIPAA.PR
45 CFR Part § 164.508(2) HIPAA.PR
45 CFR Part § 164.508(a)(1) HIPAA.PR
45 CFR Part § 164.508(a)(2) HIPAA.PR
45 CFR Part § 164.508(b) HIPAA.PR
45 CFR Part § 164.508(b)(4) HIPAA.PR
45 CFR Part § 164.508(c) HIPAA.PR
45 CFR Part § 164.508(c)(1)(i) HIPAA.PR
45 CFR Part § 164.508(c)(3) HIPAA.PR
45 CFR Part § 164.502(g) HIPAA.PR
45 CFR Part § 164.508(b)(5) HIPAA.PR
45 CFR Part § 164.510 HIPAA.PR
45 CFR Part § 164.510(a) HIPAA.PR
45 CFR Part § 164.510(a)(2) HIPAA.PR
45 CFR Part § 164.510(b)(2) HIPAA.PR
45 CFR Part § 164.522(a) HIPAA.PR
45 CFR Part § 164.522(a)(2) HIPAA.PR
45 CFR Part § 164.522(a)(3) HIPAA.PR
45 CFR Part § 164.530(g) HIPAA.PR
45 CFR Part § 164.502(a) HIPAA.PR
45 CFR Part § 164.514(h) HIPAA.PR
45 CFR Part § 164.521(a)(3) HIPAA.PR
45 CFR Part § 164.522(b) HIPAA.PR
45 CFR Part § 164.522(b)(1) HIPAA.PR
45 CFR Part § 164.522(b)(2) HIPAA.PR
45 CFR Part § 164.522(b)(2)(i) HIPAA.PR
45 CFR Part § 164.524(b) HIPAA.PR
45 CFR Part § 164.524(c)(2) HIPAA.PR
45 CFR Part § 164.524(c)(3)(ii) HIPAA.PR
45 CFR Part § 164.524(d) HIPAA.PR
45 CFR Part § 164.524(d)(4) HIPAA.PR
45 CFR Part § 164.526(a)(1) HIPAA.PR
45 CFR Part § 164.526(a)(2) HIPAA.PR
45 CFR Part § 164.526(b)(2) HIPAA.PR
45 CFR Part § 164.526(c) HIPAA.PR
45 CFR Part § 164.526(d) HIPAA.PR
45 CFR Part § 164.526(e) HIPAA.PR
45 CFR Part § 164.502(a)(5) HIPAA.PR
45 CFR Part § 164.514(a) HIPAA.PR
45 CFR Part § 164.514(b) HIPAA.PR
45 CFR Part § 164.514(c) HIPAA.PR
45 CFR Part § 164.514(d)(4) HIPAA.PR
45 CFR Part § 164.514(e) HIPAA.PR
CRR v2016 IM:G1.Q1
CRR v2016 IM:G1.Q3
CRR v2016 IM:G1.Q4
CRR v2016 IM:G2.Q1 NIST Cybersecurity Framework v1.1 DE.CM-1
CRR v2016 IM:G3.Q1 FFIEC IS v2016 A.6.21(b) NIST Cybersecurity Framework v1.1 DE.DP- 4
AICPA 2017 CC2.2 CMSRs v3.1 IR-01 (HIGH; MOD) CRR v2016 IM:G3.Q2 EU GDPR Article 33(1) FFIEC IS v2016 A.6.31(f) ISO/IEC 27002:2013 16.1.1 ISO/IEC 27799:2016 16.1.1 MARS-E v2 IR-1 NIST Cybersecurity F ramework v1.1 ID.GV-3
45 CFR Part § 164.308(a)(1)(ii)(C) HIPAA.SR AICPA 2017 CC2.3 CIS CSC v7.1 19.1 CMSRs v3.1 IR-02 (HIGH) CRR v2016 IM:G4.Q1 EU GDPR Article 33(2) FFIEC IS v2016 A.8.1(b) IRS Pub 1075 v2016 10.2 ISO/IEC 27002:2013 16.1.2 ISO/IEC 27799:2016 16.1.2 MARS-E v2 IR-2 NIST Cybersecurity Framework v1.1 PR.AT-5
45 CFR Part § 164.308(a)(1)(ii)(D) HIPAA.SR AICPA 2017 CC3.1 CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CIS CSC v7.1 19.2 CMSRs v3.1 IR-02 (HIGH; MOD) CSA CCM v3.0.1 SEF-02 CRR v2016 IM:G4.Q2 EU GDPR Article 33(3) FedRAMP IR-1 FFIEC IS v2016 A.8.1(j) De-ID Framework v1 Data Breach Response: IRS Pub 1075 v2016 10.4 ISO/IEC 27002:2013 16.1.3 ISO/IEC 27799:2016 16.1.3 MARS-E v2 IR-4(1) NIST Cybersecurity Framework v1.1 PR.IP- 11
AICPA 2017 CC7.3 CCPA 1798.150(a) CIS CSC v7.1 19.3 CMSRs v3.1 IR-04 (HIGH; MOD) COBIT 5 DSS02.01 CSA CCM v3.0.1 SEF-03 CRR v2016 IM:G4.Q3 EU GDPR Article 33(4) FedRAMP IR-4 FFIEC IS v2016 A.8.5(a) IRS Pub 1075 v2016 12.10.3 NIST Cybersecurity Framework v1.1 PR.IP-7
45 CFR Part § 164.308(a)(6)(i) HIPAA.SR AICPA 2017 CC7.4 and Benefits Certification Policy Policy v2.1.0 Subsection 3.4 CIS CSC v7.1 19.4 CMSRs v3.1 IR-06 (HIGH) COBIT 5 DSS05.07 CSA CCM v3.0.1 SEF-04 CRR v2016 IM:G4.Q4 EU GDPR Article 33(5) FedRAMP IR-6 FFIEC IS v2016 A.8.5(b) General IRS Pub 1075 v2016 9.3.8.1 ISO/IEC 27002:2013 16.1.4 ISO/IEC 27799:2016 16.1.4 MARS-E v2 IR-6 NIST Cybersecurity Framework v1.1 PR.IP-9
45 CFR Part § 164.308(a)(6)(ii) HIPAA.SR v1.1.0 Subsection 3.4 De-ID Framework v1 Visitor Access: Incidents ISO/IEC 27002:2013 16.1.6 ISO/IEC 27799:2016 16.1.6 MARS-E v2 IR-6(1)
45 CFR Part § 164.314(a)(2)(i) HIPAA.SR AICPA 2017 CC7.5 CIS CSC v7.1 19.5 CMSRs v3.1 IR-06 (HIGH; MOD) CSA CCM v3.0.1 STA-02 CRR v2016 IM:MIL2.Q1 EU GDPR Article 34(1) FedRAMP IR-6(1) FFIEC IS v2016 A.8.5(d) IRS Pub 1075 v2016 9.3.8.2 ISO/IEC 27002:2013 7.2.1 ISO/IEC 27799:2016 7.2.1 MARS-E v2 PM-12 NIST Cybersecurity Framework v1.1 RS.CO-1
AICPA 2017 P6.5 CIS CSC v7.1 19.6 CMSRs v3.1 IR-06(01) (HIGH; MOD) CRR v2016 IM:MIL2.Q2 EU GDPR Article 34(2) FFIEC IS v2016 A.8.5(e) IRS Pub 1075 v2016 9.3.8.6 ISO/IEC 27002:2013 7.2.2 ISO/IEC 27799:2016 7.2.2 MARS-E v2 SE-2 NIST Cybersecurity Framework v1.1 RS.CO-2
AICPA 2017 P6.6 CMSRs v3.1 PM- 12 (HIGH; MOD) CRR v2016 IM:MIL2.Q3 EU GDPR Article 34(3) F FIEC IS v2016 A.8.5(f) NIST Cybersecurity Framework v1.1 RS.CO-3
CRR v2016 IM:MIL3.Q1 FFIEC IS v2016 A.8.5(g) NIST Cybersecurity Framework v1.1 RS.CO-5
CRR v2016 IM:MIL3.Q2 NIST Cybersecurity Framework v1.1 RS.RP-1
CRR v2016 IM:MIL4.Q1
CRR v2016 IM:MIL4.Q3
CRR v2016 IM:MIL5.Q1
CMSRs v3.1 IR-06 (HIGH; MOD) FedRAMP IR-4 IRS Pub 1075 v2016 9.3.12.3 MARS-E v2 IR-6 NIST Cybersecurity Framework v1.1 ID.RA-1
AICPA 2017 CC2.3 CSA CCM v3.0.1 SEF-03 FedRAMP IR-6 FFIEC IS v2016 A.8.1(m) ISO/IEC 27002:2013 16.1.3 ISO/IEC 27799:2016 16.1.3 NIST Cybersecurity Framework v1.1 PR.AT-1
AICPA 2017 P6.5 CMSRs v3.1 PL-04 (HIGH; MOD) FedRAMP PL-4 FFIEC IS v2016 A.8.5(g) IRS Pub 1075 v2016 9.3.17.2 MARS-E v2 PL-4 NIST Cybersecurity Framework v1.1 RS.AN-5
CMSRs v3.1 SI-02 (HIGH; MOD) IRS Pub 1075 v2016 9.3.8.6 MARS-E v2 SI-2
FedRAMP SI-2 NIST Cybersecurity Framework v1.1 RS.CO-2
NIST Cybersecurity Framework v1.1 DE.AE-3
NIST Cybersecurity F ramework v1.1 ID.GV-3
NIST Cybersecurity Framework v1.1 ID.SC-5
FedRAMP IR-1 F FIEC IS v2016 A.6.21(c) NIST Cybersecurity Framework v1.1 PR.AT-1
CRR v2016 IM:G1.Q2 FFIEC IS v2016 A.8.5(c) NIST Cybersecurity Framework v1.1 PR.IP- 10
CRR v2016 IM:G2.Q1 FedRAMP IR-3 FFIEC IS v2016 A.8.5(e) NIST Cybersecurity Framework v1.1 PR.IP-9
CMSRs v3.1 IR-01 (HIGH; MOD) CRR v2016 IM:G2.Q3 FedRAMP IR-3(2) F FIEC IS v2016 A.8.5(f) IRS Pub 1075 v2016 10.3 MARS-E v2 IR-1 NIST Cybersecurity Framework v1.1 RC.CO-1
CMSRs v3.1 IR-03 (HIGH; MOD) CRR v2016 IM:G2.Q5 FedRAMP IR-4 FFIEC IS v2016 A.8.5(h) IRS Pub 1075 v2016 9.3.8.1 MARS-E v2 IR-3 NIST Cybersecurity Framework v1.1 RC.CO-2
AICPA 2017 CC3.1 FedRAMP IR-6 IRS Pub 1075 v2016 9.3.8.3 ISO/IEC 27002:2013 13.1.1
45 CFR Part § 164.308(a)(1)(ii)(D) HIPAA.SR AICPA 2017 CC7.3 CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 IR-03(02) (HIGH; MOD) COBIT 5 DSS02.01 CSA CCM v3.0.1 IVS-13 CRR v2016 IM:G2.Q8 FedRAMP IR-7 FFIEC IS v2016 A.8.6(a) IRS Pub 1075 v2016 9.3.8.4 ISO/IEC 27002:2013 13.2.1 ISO/IEC 27799:2016 16.1.1 MARS-E v2 IR-3(2) NIST Cybersecurity Framework v1.1 RS.AN-3
CIS CSC v7.1 19.7 CMSRs v3.1 IR-05(01) (HIGH) CRR v2016 IM:G2.Q9 FFIEC IS v2016 A.8.6(b) ISO/IEC 27799:2016 16.1.3 MARS-E v2 IR-6 NIST Cybersecurity Framework v1.1 RS.AN-4
45 CFR Part § 164.308(a)(6)(i) HIPAA.SR AICPA 2017 CC7.4 and Benefits Certification Policy Policy v2.1.0 Subsection 3.4 CMSRs v3.1 IR-06 (HIGH; MOD) COBIT 5 DSS02.04 CSA CCM v3.0.1 SEF-02 CRR v2016 IM:G4.Q1 FedRAMP IR-8 FFIEC IS v2016 A.8.6(c) IRS Pub 1075 v2016 9.3.8.5 ISO/IEC 27002:2013 16.1.1 ISO/IEC 27799:2016 16.1.5 MARS-E v2 IR-7 NIST Cybersecurity Framework v1.1 RS.CO-1
45 CFR Part § 164.308(a)(6)(ii) HIPAA.SR AICPA 2017 CC7.5 v1.1.0 Subsection 3.4 CMSRs v3.1 IR-07 (HIGH; MOD) COBIT 5 DSS02.05 CSA CCM v3.0.1 SEF-03 CRR v2016 IM:G5.Q1 FedRAMP IR-9 FFIEC IS v2016 A.8.6(d) IRS Pub 1075 v2016 9.3.8.6 ISO/IEC 27002:2013 16.1.3 ISO/IEC 27799:2016 7.10.2.1 MARS-E v2 IR-8 NIST Cybersecurity Framework v1.1 RS.CO-2
AICPA 2017 P6.3 CMSRs v3.1 IR-08 (HIGH; MOD) CRR v2016 IM:MIL3.Q4 FedRAMP IR-9(1) FFIEC IS v2016 A.8.6(e) IRS Pub 1075 v2016 9.3.8.7 ISO/IEC 27002:2013 16.1.5 MARS-E v2 IR-9 NIST Cybersecurity Framework v1.1 RS.CO-3
FedRAMP IR-9(2) IRS Pub 1075 v2016 9.3.8.8
CMSRs v3.1 SE-02 (HIGH; MOD) CRR v2016 IM:MIL4.Q1 FedRAMP IR-9(3) F FIEC IS v2016 A.8.6(f) IRS Pub 1075 v2016 9.3.8.9 MARS-E v2 SE-2 NIST Cybersecurity Framework v1.1 RS.CO-4
CRR v2016 IM:MIL4.Q3 FFIEC IS v2016 A.8.6(g) NIST Cybersecurity Framework v1.1 RS.CO-5
CRR v2016 IM:MIL5.Q1 FedRAMP IR-9(4) FFIEC IS v2016 A.8.6(h) NIST Cybersecurity Framework v1.1 RS.IM-1
FedRAMP MA-5(1) FFIEC IS v2016 A.8.6(i) NIST Cybersecurity Framework v1.1 RS.IM-2
NIST Cybersecurity Framework v1.1 RS.MI-1
NIST Cybersecurity Framework v1.1 RS.MI-2
NIST Cybersecurity Framework v1.1 RS.RP-1
NIST Cybersecurity Framework v1.1 DE.AE-1
NIST Cybersecurity Framework v1.1 DE.AE-2
NIST Cybersecurity Framework v1.1 DE.AE-3
NIST Cybersecurity Framework v1.1 DE.AE-4
NIST Cybersecurity Framework v1.1 ID.AM-6
NIST Cybersecurity Framework v1.1 RC.CO-1
CRR v2016 IM:G1.Q3 NIST Cybersecurity Framework v1.1 RC.CO-2
CRR v2016 IM:G2.Q4 NIST Cybersecurity Framework v1.1 RC.CO-3
CMSRs v3.1 IR-04 (HIGH; MOD) CRR v2016 IM:G2.Q7 NIST Cybersecurity Framework v1.1 RC.IM-1
45 CFR Part § 164.308(a)(1)(ii)(D) HIPAA.SR AICPA 2017 CC7.4 CAQH Core Phase 1 102: Eligibility CAQH Core Phase 2 202: Certification CMSRs v3.1 IR-04(01) (HIGH; MOD) CRR v2016 IM:G3.Q3 FedRAMP IR-4 IRS Pub 1075 v2016 10.3 MARS-E v2 IR-4 NIST Cybersecurity Framework v1.1 RC.IM-2
and Benefits Certification Policy CMSRs v3.1 IR-04(04) (HIGH) CSA CCM v3.0.1 SEF-05 CRR v2016 IM:G5.Q2 ISO/IEC 27002:2013 16.1.6 ISO/IEC 27799:2016 16.11.6 NIST Cybersecurity Framework v1.1 RC.RP-1
45 CFR Part § 164.308(a)(6)(ii) HIPAA.SR AICPA 2017 CC7.5 v1.1.0 Subsection 3.4 Policy v2.1.0 Subsection 3.4 CMSRs v3.1 IR-05 (HIGH; MOD) CRR v2016 IM:G5.Q3 FedRAMP IR-4(1) IRS Pub 1075 v2016 9.3.8.4 MARS-E v2 IR-4(1) NIST Cybersecurity Framework v1.1 RS.AN-1
CMSRs v3.1 IR-05(01) (HIGH) CRR v2016 IM:MIL3.Q4 NIST Cybersecurity Framework v1.1 RS.AN-2
CRR v2016 IM:MIL4.Q1 NIST Cybersecurity Framework v1.1 RS.AN-3
CRR v2016 IM:MIL5.Q2 NIST Cybersecurity Framework v1.1 RS.CO-3
NIST Cybersecurity Framework v1.1 RS.CO-4
NIST Cybersecurity Framework v1.1 RS.IM-1
NIST Cybersecurity Framework v1.1 RS.IM-2
NIST Cybersecurity Framework v1.1 RS.MI-1
NIST Cybersecurity Framework v1.1 RS.MI-2
NIST Cybersecurity Framework v1.1 RS.RP-1
CAQH Core Phase 1 102: Eligibility CRR v2016 IM:G2.Q8 NIST Cybersecurity F ramework v1.1 ID.GV-3
45 CFR Part § 164.308(a)(6)(ii) HIPAA.SR AICPA 2017 P6.6 and Benefits Certification Policy CAQHPolicy
Core Phase 2 202: Certification CMSRs v3.1 IR-04 (HIGH; MOD) CSA CCM v3.0.1 SEF-04 CRR v2016 IM:G2.Q9 FedRAMP IR-4 FFIEC IS v2016 A.8.1(b) IRS Pub 1075 v2016 9.3.8.4 ISO/IEC 27002:2013 16.1.1 ISO/IEC 27799:2016 16.1.1 MARS-E v2 IR-4 NIST Cybersecurity Framework v1.1 PR.IP- 11
v2.1.0 Subsection 3.4 ISO/IEC 27002:2013 16.1.7 ISO/IEC 27799:2016 16.1.7
v1.1.0 Subsection 3.4 CRR v2016 IM:MIL3.Q2 NIST Cybersecurity Framework v1.1 RS.AN-3
CRR v2016 AM:G2.Q1
45 CFR Part § 164.308(a)(7)(i) HIPAA.SR CRR v2016 CCM:G1.Q2
45 CFR Part § 164.308(a)(7)(ii)(B) HIPAA.SR CRR v2016 EDM:G3.Q1 NIST Cybersecurity Framework v1.1 DE.AE-4
45 CFR Part § 164.308(a)(7)(ii)(C) HIPAA.SR AICPA 2017 CC7.3 CMSRs v3.1 CP-02 (HIGH; MOD) CRR v2016 SCM:G1.Q1 NIST Cybersecurity Framework v1.1 ID.AM-5
45 CFR Part § 164.308(a)(7)(ii)(D) HIPAA.SR AICPA 2017 CC7.4 CMSRs v3.1 CP-02(08) (HIGH; MOD) CSA CCM v3.0.1 BCR-09 CRR v2016 SCM:G3.Q1 FedRAMP CP-2 FFIEC IS v2016 A.6.35(a) IRS Pub 1075 v2016 9.3.6.2 ISO/IEC 27002:2013 17.1.2 ISO/IEC 27799:2016 17.1.2 MARS-E v2 CP-2 NIST Cybersecurity Framework v1.1 ID.AM-6
AICPA 2017 CC7.5 CRR v2016 SCM:G3.Q3 FedRAMP CP-2(8) F FIEC IS v2016 A.6.35(c) MARS-E v2 PM- 9 NIST Cybersecurity Framework v1.1 ID.BE-5
45 CFR Part § 164.308(a)(7)(ii)(E) HIPAA.S R AICPA 2017 CC9.1 CMSRs v3.1 PM- 09 (HIGH; MOD) CRR v2016 SCM:MIL2.Q1 NIST Cybersecurity Framework v1.1 PR.IP- 11
45 CFR Part § 164.310(a)(2)(i) HIPAA.SR
45 CFR Part § 164.312(a)(2)(ii) HIPAA.SR CRR v2016 SCM:MIL2.Q2 NIST Cybersecurity Framework v1.1 PR.IP-9
CRR v2016 SCM:MIL2.Q4
CRR v2016 SCM:MIL3.Q4
NIST Cybersecurity Framework v1.1 DE.AE-4
CRR v2016 AM:G3.Q1 NIST Cybersecurity Framework v1.1 ID.BE-2
CRR v2016 AM:G7.Q1 NIST Cybersecurity Framework v1.1 ID.BE-4
CRR v2016 EDM:G3.Q1 NIST Cybersecurity Framework v1.1 ID.BE-5
45 CFR Part § 164.308(a)(7)(ii)(A) HIPAA.SR CMSRs v3.1 CP-02 (HIGH; MOD) CRR v2016 RM:G2.Q2 NIST Cybersecurity Framework v1.1 ID.RA-1
45 CFR Part § 164.308(a)(7)(ii)(B) HIPAA.SR AICPA 2017 A1.3 CMSRs v3.1 CP-02(08) (HIGH; MOD) CSA CCM v3.0.1 BCR-09 CRR v2016 SCM:G1.Q1 FedRAMP CP-2 De-ID Framework v1 Physical and IRS Pub 1075 v2016 9.3.6.2 ISO/IEC 27002:2013 17.1.1 ISO/IEC 27799:2016 17.1.1 MARS-E v2 CP-2 NIST Cybersecurity Framework v1.1 ID.RA-3
AICPA 2017 CC3.3 FedRAMP CP-2(8) Environmental Security: General ISO/IEC 27002:2013 17.1.2 ISO/IEC 27799:2016 17.1.2 MARS-E v2 PM- 8
45 CFR Part § 164.308(a)(7)(ii)(E) HIPAA.S R CMSRs v3.1 PM- 08 (HIGH; MOD) CRR v2016 SCM:G1.Q2 NIST Cybersecurity Framework v1.1 ID.RA-4
CRR v2016 SCM:G1.Q4 NIST Cybersecurity Framework v1.1 ID.RA-5
CRR v2016 SCM:MIL2.Q4 NIST Cybersecurity F ramework v1.1 ID.RM-3
CRR v2016 SCM:MIL3.Q4 NIST Cybersecurity Framework v1.1 PR.IP-9
NIST Cybersecurity Framework v1.1 PR.PT-5
CMSRs v3.1 CP-02 (HIGH; MOD)
CMSRs v3.1 CP-02(02) (HIGH)
CMSRs v3.1 CP-02(03) (HIGH; MOD)
CMSRs v3.1 CP-02(04) (HIGH)
CMSRs v3.1 CP-02(05) (HIGH) FedRAMP CP-1 MARS-E v1 CP-10(3) NIST Cybersecurity Framework v1.1 ID.AM-5
CMSRs v3.1 CP-06 (HIGH; MOD) FedRAMP CP-2 MARS-E v2 CP-10(3) NIST Cybersecurity Framework v1.1 ID.AM-6
CMSRs v3.1 CP-06(01) (HIGH; MOD)
CMSRs v3.1 CP-06(02) (HIGH) CRR v2016 CCM:G1.Q3 FedRAMP CP-2(2) MARS-E v2 CP-2 NIST Cybersecurity Framework v1.1 ID.BE-4
45 CFR Part § 164.308(a)(7)(i) HIPAA.SR CRR v2016 SCM:G1.Q1 FedRAMP CP-2(3) MARS-E v2 CP-2(2) NIST Cybersecurity Framework v1.1 ID.BE-5
45 CFR Part § 164.308(a)(7)(ii)(A) HIPAA.SR CMSRs v3.1 CP-07 (HIGH; MOD) CRR v2016 SCM:G1.Q4 FedRAMP CP-6 MARS-E v2 CP-6 NIST Cybersecurity Framework v1.1 PR.AT-1
45 CFR Part § 164.308(a)(7)(ii)(B) HIPAA.SR CAQH Core Phase 1 102: Eligibility CMSRs v3.1 CP-07(01) (HIGH; MOD) CRR v2016 SCM:G1.Q6 FedRAMP CP-6(1) IRS Pub 1075 v2016 9.3.6.2 MARS-E v2 CP-6(1) NIST Cybersecurity Framework v1.1 PR.DS-1
45 CFR Part § 164.308(a)(7)(ii)(C) HIPAA.SR AICPA 2017 A1.2 and Benefits Certification Policy CAQHPolicy
Core Phase 2 202: Certification CMSRs v3.1 CP-07(03) (HIGH; MOD) CSA CCM v3.0.1 BCR-09 CRR v2016 SCM:G3.Q3 EHNAC Accreditation Committee FedRAMP CP-7 FFIEC IS v2016 A.6.35(a) De-ID Framework v1 Physical and IRS Pub 1075 v2016 9.3.6.5 ISO/IEC 27002:2013 17.1.2 ISO/IEC 27799:2016 11.2.2 MARS-E v2 CP-7 NIST Cybersecurity Framework v1.1 PR.DS-4
v2.1.0 Subsection 3.4 CMSRs v3.1 CP-07(04) (HIGH) FFIEC IS v2016 A.6.35(b) Environmental Security: General ISO/IEC 27799:2016 17.1.2
45 CFR Part § 164.308(a)(7)(ii)(E) HIPAA.S R v1.1.0 Subsection 3.4 CMSRs v3.1 CP-08 (HIGH) CRR v2016 SCM:MIL2.Q3 FedRAMP CP-7(1) IRS Pub 1075 v2016 9.3.6.6 MARS-E v2 CP-7(1) NIST Cybersecurity Framework v1.1 PR.IP-7
45 CFR Part § 164.310(a)(2)(i) HIPAA.SR CRR v2016 SCM:MIL2.Q4 FedRAMP CP-7(3) MARS-E v2 CP-7(3) NIST Cybersecurity Framework v1.1 PR.IP-9
45 CFR Part § 164.312(a)(2)(ii) HIPAA.SR CMSRs v3.1 CP-08 (HIGH; MOD) CRR v2016 SCM:MIL3.Q2 FedRAMP CP-8 MARS-E v2 CP-7(5) NIST Cybersecurity Framework v1.1 RC.CO-3
CMSRs v3.1 CP-08(01) (HIGH; MOD) CRR v2016 SCM:MIL5.Q1 FedRAMP CP-8(1) MARS-E v2 CP-8 NIST Cybersecurity Framework v1.1 RC.RP-1
CMSRs v3.1 CP-08(02) (HIGH; MOD) FedRAMP CP-8(2) MARS-E v2 CP-8(1) NIST Cybersecurity Framework v1.1 RS.CO-1
CMSRs v3.1 CP-08(03) (HIGH)
CMSRs v3.1 CP-08(03) (HIGH; MOD) FedRAMP IR-4 MARS-E v2 CP-8(2) NIST Cybersecurity Framework v1.1 RS.CO-4
CMSRs v3.1 CP-08(04) (HIGH)
CMSRs v3.1 CP-09 (HIGH; MOD)
CMSRs v3.1 CP-09(02) (HIGH)
CMSRs v3.1 CP-10(04) (HIGH)
NIST Cybersecurity Framework v1.1 DE.AE-5
45 CFR Part § 164.308(a)(7)(i) HIPAA.SR NIST Cybersecurity Framework v1.1 ID.AM-5
45 CFR Part § 164.308(a)(7)(ii)(B) HIPAA.SR CAQH Core Phase 1 102: Eligibility CRR v2016 SCM:G1.Q3 NIST Cybersecurity Framework v1.1 ID.AM-6
45 CFR Part § 164.308(a)(7)(ii)(C) HIPAA.SR and Benefits Certification Policy CAQHPolicy
Core Phase 2 202: Certification CMSRs v3.1 CP-02 (HIGH; MOD) CSA CCM v3.0.1 BCR-01 CRR v2016 SCM:G3.Q2 FedRAMP CP-2 FFIEC IS v2016 A.6.35(a) IRS Pub 1075 v2016 9.3.6.2 ISO/IEC 27002:2013 17.1.2 ISO/IEC 27799:2016 17.1.2 MARS-E v2 CP-2 NIST Cybersecurity Framework v1.1 ID.BE-5
45 CFR Part § 164.308(a)(7)(ii)(E) HIPAA.S R v2.1.0 Subsection 3.4 F FIEC IS v2016 A.6.35(c) NIST Cybersecurity Framework v1.1 PR.AT-1
45 CFR Part § 164.310(a)(2)(i) HIPAA.SR v1.1.0 Subsection 3.4 CRR v2016 SCM:G4.Q1 NIST Cybersecurity Framework v1.1 PR.IP-7
45 CFR Part § 164.312(a)(2)(ii) HIPAA.SR NIST Cybersecurity Framework v1.1 PR.IP-9
NIST Cybersecurity Framework v1.1 RS.CO-1
CRR v2016 SCM:G1.Q3
CRR v2016 SCM:G2.Q1 NIST Cybersecurity Framework v1.1 ID.AM-6
45 CFR Part § 164.308(a)(7)(ii)(B) HIPAA.SR CRR v2016 SCM:G3.Q2 NIST Cybersecurity F ramework v1.1 ID.GV-3
45 CFR Part § 164.308(a)(7)(ii)(C) HIPAA.SR CMSRs v3.1 CP-02 (HIGH; MOD) CRR v2016 SCM:G3.Q3 NIST Cybersecurity Framework v1.1 ID.SC-5
45 CFR Part § 164.308(a)(7)(ii)(D) HIPAA.SR CRR v2016 SCM:G3.Q4 FedRAMP CP-2 IRS Pub 1075 v2016 9.3.6.2 MARS-E v2 CP-2 NIST Cybersecurity Framework v1.1 PR.IP- 10
45 CFR Part § 164.308(a)(7)(ii)(E) HIPAA.S R AICPA 2017 A1.3 CMSRs v3.1 CP-04 (HIGH; MOD) CSA CCM v3.0.1 BCR-02 CRR v2016 SCM:G3.Q5 FedRAMP CP-4 FFIEC IS v2016 A.6.35(c) IRS Pub 1075 v2016 9.3.6.4 ISO/IEC 27002:2013 17.1.3 ISO/IEC 27799:2016 17.1.3 MARS-E v2 CP-4 NIST Cybersecurity Framework v1.1 PR.IP-7
CMSRs v3.1 CP-04(01) (HIGH; MOD)
45 CFR Part § 164.308(a)(8) HIPAA.SR CMSRs v3.1 CP-04(02) (HIGH) CRR v2016 SCM:G4.Q2 FedRAMP CP-4(1) IRS Pub 1075 v2016 Exhibit 10 MARS-E v2 CP-4(1) NIST Cybersecurity Framework v1.1 PR.IP-9
45 CFR Part § 164.310(a)(2)(i) HIPAA.SR CRR v2016 SCM:G4.Q3 NIST Cybersecurity Framework v1.1 RC.IM-1
45 CFR Part § 164.312(a)(2)(ii) HIPAA.SR CRR v2016 SCM:MIL3.Q2 NIST Cybersecurity Framework v1.1 RC.IM-2
CRR v2016 SCM:MIL4.Q1 NIST Cybersecurity Framework v1.1 RS.CO-1
CRR v2016 SCM:MIL5.Q2
EU GDPR Article 12(1)
EU GDPR Article 12(5)
CMSRs v3.1 AP-02 (HIGH; MOD) EU GDPR Article 13(1) MARS-E v2 TR-1
CMSRs v3.1 TR-01 (HIGH; MOD) EU GDPR Article 13(3) ISO/IEC 29151:2017 A.9.1(c) MARS-E v2 TR-1(1)
AICPA 2017 CC2.2 APEC II 15 CMSRs v3.1 TR-01(01) (HIGH; MOD) EHNAC Accreditation Committee EU GDPR Article 13(4) ISO/IEC 29100:2011 5.8 ISO/IEC 29151:2017 A.9.1(e) MARS-E v2 TR-2
AICPA 2017 P1.1 APEC II 16 CMSRs v3.1 TR-02 (HIGH; MOD)
CMSRs v3.1 TR-02(01) (HIGH; MOD) EU GDPR Article 14(1) ISO/IEC 29151:2017 A.9.1(f) MARS-E v2 TR-2(1)
EU GDPR Article 14(3) MARS-E v2 TR-3
CMSRs v3.1 TR-03 (HIGH; MOD) EU GDPR Article 14(5)
EU GDPR Recital 62
ISO/IEC 29151:2017 A.10.1(n)
ISO/IEC 29151:2017 A.9.1(a)
CCPA 1798.100(b) ISO/IEC 29151:2017 A.9.1(a)(1)
CCPA 1798.105(b) ISO/IEC 29151:2017 A.9.1(a)(2)
APEC II 15 CCPA 1798.110(a) EU GDPR Article 13(1) ISO/IEC 29151:2017 A.9.1(a)(3)
APEC II 15(a) EU GDPR Article 13(1)(a) ISO/IEC 29151:2017 A.9.1(a)(4)
AICPA 2017 P1.1 APEC II 15(b) CCPA 1798.115(c) EU GDPR Article 13(1)(c) ISO/IEC 29151:2017 A.9.2
AICPA 2017 P2.1 CCPA 1798.120(b) ISO/IEC 29100:2011 5.8
AICPA 2017 P6.7 APEC II 15(c) CCPA 1798.125(b) EU GDPR Article 13(2) ISO/IEC 29151:2017 A.9.2(a)
AICPA 2017 P8.1 APEC II 15(d) CCPA 1798.130(a) EU GDPR Article 14(1) IS O/IEC 29151:2017 A.9.2(b)
APEC II 15(e) CCPA 1798.130(a)(5) EU GDPR Article 14(2) ISO/IEC 29151:2017 A.9.2(c)
APEC II 16 EU GDPR Recital 60 ISO/IEC 29151:2017 A.9.2(e)
CCPA 1798.135(a) ISO/IEC 29151:2017 A.9.2(f)
CCPA 1798.145(g)
ISO/IEC 29151:2017 A.9.2(g)
IS O/IEC 29151:2017 A.9.2(h)
IS O/IEC 29151:2017 A.9.2(i)
ISO/IEC 29151:2017 A.7.3(a)
AICPA 2017 P6.2 CMSRs v3.1 AR-08 (HIGH; MOD) IS O/IEC 29151:2017 A.7.3(b) MARS-E v2 AR-8
AICPA 2017 P6.7 ISO/IEC 29151:2017 A.7.4
ISO/IEC 29151:2017 A.7.5
EU GDPR Article 22(4) ISO/IEC 29151:2017 A.3.1(a)
EU GDPR Article 4(11) IS O/IEC 29151:2017 A.3.1(b)
EU GDPR Article 7(1)
CMS Rs v3.1 DM-03 (HIGH; MOD) EU GDPR Article 7(2) ISO/IEC 29151:2017 A.3.1(c) MARS-E v2 DM-3
AICPA 2017 P2.1 CCPA 1798.115(d) IS O/IEC 29151:2017 A.3.1(d)
AICPA 2017 P3.2 CCPA 1798.120(c) CMSRs v3.1 IP-01 (HIGH; MOD) EU GDPR Article 7(3) ISO/IEC 29151:2017 A.3.1(e) MARS-E v2 IP-1
CMSRs v3.1 IP-01(01) (HIGH; MOD) EU GDPR Article 7(4) ISO/IEC 29151:2017 A.3.1(g) MARS-E v2 IP-1(1)
EU GDPR Article 8(1) IS O/IEC 29151:2017 A.3.1(h)
EU GDPR Article 8(2)
EU GDPR Recital 32 ISO/IEC 29151:2017 A.3.1(j)
EU GDPR Article 18(1)
EU GDPR Article 18(2)
EU GDPR Article 18(3)
EU GDPR Article 21(2)
EU GDPR Article 21(3) ISO/IEC 29151:2017 A.3.2
EU GDPR Article 21(4) IS O/IEC 29151:2017 A.3.2(b)
AICPA 2017 P2.1 CCPA 1798.125(a) CMSRs v3.1 IP-01 (HIGH; MOD) EU GDPR Article 21(5) IS O/IEC 29151:2017 A.3.2(d) MARS-E v2 IP-1
EU GDPR Article 21(6) ISO/IEC 29151:2017 A.3.2(g)
EU GDPR Article 22(1) ISO/IEC 29151:2017 A.3.2(j)
EU GDPR Article 22(2)
EU GDPR Article 22(3)
EU GDPR Article 7(3)
EU GDPR Recital 67
EU GDPR Article 11(2)
EU GDPR Article 12(2)
EU GDPR Article 12(3) ISO/IEC 29151:2017 A.10.1(a)
EU GDPR Article 12(4) ISO/IEC 29151:2017 A.10.1(c)
CCPA 1798.100(a) EU GDPR Article 12(6) ISO/IEC 29151:2017 A.10.1(d)
CCPA 1798.100(c) EU GDPR Article 15(1) ISO/IEC 29151:2017 A.10.1(e)
AICPA 2017 P4.3 APEC VIII 23(b) CMS Rs v3.1 DI-01 (HIGH; MOD) EU GDPR Article 15(2) ISO/IEC 29151:2017 A.10.1(g ) MARS-E v2 DI-1
AICPA 2017 P5.1 APEC VIII 24 CCPA 1798.100(d) CMSRs v3.1 IP-02 (HIGH; MOD) EHNAC Accreditation Committee EU GDPR Article 15(3) ISO/IEC 29100:2011 5.9 ISO/IEC 29151:2017 A.10.1(h) MARS-E v2 IP-2
CCPA 1798.105(c)
AICPA 2017 P5.2 APEC VIII 25 CCPA 1798.115(a) CMSRs v3.1 IP-03 (HIGH; MOD) EU GDPR Article 15(4) ISO/IEC 29151:2017 A.10.1(j) MARS-E v2 IP-3
CCPA 1798.115(b) EU GDPR Article 16 ISO/IEC 29151:2017 A.10.1(k)
EU GDPR Article 20(1) ISO/IEC 29151:2017 A.10.1(l)
EU GDPR Article 20(2) ISO/IEC 29151:2017 A.10.1(m)
EU GDPR Article 20(3) ISO/IEC 29151:2017 A.10.1(o)
EU GDPR Article 20(4)
EU GDPR Recital 68
EU GDPR Article 36(5) ISO/IEC 29151:2017 A.4.1
ISO/IEC 29151:2017 A.4.1(a)
EU GDPR Article 5(1)(a) ISO/IEC 29100:2011 5.3 IS O/IEC 29151:2017 A.4.1(b)
EU GDPR Article 6(1)
EU GDPR Article 6(1)(a) ISO/IEC 29151:2017 A.4.1(c)
IS O/IEC 29151:2017 A.4.1(d)
ISO/IEC 29151:2017 A.4.2
ISO/IEC 29151:2017 A.4.2(a)
ISO/IEC 29100:2011 5.3 IS O/IEC 29151:2017 A.4.2(b)
IS O/IEC 29151:2017 A.4.2(d)
ISO/IEC 29151:2017 A.5(f)
ISO/IEC 29151:2017 A.5
ISO/IEC 29151:2017 A.5(a)
AICPA 2017 P2.1 EU GDPR Article 11(1) ISO/IEC 29151:2017 A.5(b)
AICPA 2017 P3.1 APEC II 18 EU GDPR Article 5(1)(b) ISO/IEC 29100:2011 5.4 ISO/IEC 29151:2017 A.5(c) NIST SP 800-122 4.2.1
EU GDPR Article 5(1)(c) ISO/IEC 29151:2017 A.5(e)
AICPA 2017 P4.1 EU GDPR Recital 39 ISO/IEC 29151:2017 A.5(f)
ISO/IEC 29151:2017 A.5(g)
ISO/IEC 29151:2017 A.6(d)
EU GDPR Article 4(5) ISO/IEC 29151:2017 A.6(b)
EU GDPR Article 89(1)
CMS Rs v3.1 DM-01 (HIGH; MOD) EU GDPR Article 9(1) De-ID Framework v1 Aggregated Data: ISO/IEC 29100:2011 5.5 ISO/IEC 29151:2017 A.6(c) MARS-E v2 DM-1
CMSRs v3.1 DM- 03(01) (HIGH; MOD) Disclosure Policy ISO/IEC 29151:2017 A.6(f) MARS-E v2 DM-3(1)
EU GDPR Article 9(2) ISO/IEC 29151:2017 A.6(g)
EU GDPR Recital 26

1 TAC § 390.2(a)(1)
1 TAC § 390.2(a)(4)(A)(i)
1 TAC § 390.2(a)(4)(A)(iii)
1 TAC § 390.2(a)(4)(A)(v)
1 TAC § 390.2(a)(4)(A)(vi)
1 TAC § 390.2(a)(4)(A)(vii)
1 TAC § 390.2(a)(4)(A)(viii)
1 TAC § 390.2(a)(4)(A)(ix)
1 TAC § 390.2(a)(4)(A)(x)
1 TAC § 390.2(a)(4)(A)(xii)
1 TAC § 390.2(a)(4)(A)(xiii)
13.k Use and Disclosure
1 TAC § 390.2(a)(4)(A)(xiv)
1 TAC § 390.2(a)(4)(A)(xv)
1 TAC § 390.2(a)(4)(B)(i)
1 TAC § 390.2(a)(4)(B)(iii)
1 TAC § 390.2(a)(4)(B)(ix)
1 TAC § 390.2(a)(4)(B)(vii)
1 TAC § 390.2(a)(4)(B)(viii)
1 TAC § 390.2(a)(4)(B)(x)
1 TAC § 390.2(a)(4)(B)(xii)
1 TAC § 390.2(a)(4)(B)(xiv)
1 TAC § 390.2(a)(4)(B)(xviii)(I)
1 TAC § 390.2(a)(4)(C)(iii)
13.l Retention and Disposal 1 TAC § 390.2(a)(1)
13.m Accuracy and Quality
13.n Participation and Redress 1 TAC § 390.2(a)(1)
13.o Compliant Management
13.p Governance
13.q Privacy and Impact Assessment
13.r Privacy Requirements for
Contractors and Processors
13.s Privacy Monitoring and Auditing
13.t Privacy Protection Awareness and
Training
13.u Privacy Protection Reporting
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
45 CFR Part § 164.105(c)(2)
HIPAA.GE
45 CFR Part § 164.502(a)(5) HIPAA.PR
45 CFR Part § 164.502(j)(2) HIPAA.PR
45 CF R Part § 164.504(e) HIPAA.PR
45 CFR Part § 164.504(f)(1)(i) HIPAA.PR
45 CFR Part § 164.504(f)(1)(iii) HIPAA.PR
45 CFR Part § 164.504(f)(2)(ii) HIPAA.PR
45 CFR Part § 164.504(f)(2)(iii) HIPAA.PR
45 CFR Part § 164.504(g)(2) HIPAA.PR
45 CFR Part § 164.506(a) HIPAA.PR
45 CFR Part § 164.510(b) HIPAA.PR
45 CFR Part § 164.510(b)(3) HIPAA.PR
45 CFR Part § 164.510(b)(5) HIPAA.PR
45 CFR Part § 164.512(a)(1) HIPAA.PR
45 CFR Part § 164.512(b) HIPAA.PR
45 CFR Part § 164.512(c) HIPAA.PR
45 CFR Part § 164.512(d) HIPAA.PR
45 CF R Part § 164.512(e) HIPAA.PR
45 CFR Part § 164.512(f)(1) HIPAA.PR
45 CFR Part § 164.512(f)(2) HIPAA.PR
45 CFR Part § 164.512(f)(3) HIPAA.PR
45 CFR Part § 164.512(f)(4) HIPAA.PR
45 CFR Part § 164.512(f)(5) HIPAA.PR
45 CFR Part § 164.512(f)(6) HIPAA.PR
45 CFR Part § 164.512(g) HIPAA.PR
45 CFR Part § 164.512(h) HIPAA.PR
45 CFR Part § 164.512(i) HIPAA.PR
45 CFR Part § 164.512(i)(1) HIPAA.PR
45 CFR Part § 164.512(i)(1)(i) HIPAA.PR
45 CFR Part § 164.512( j) HIPAA.PR
45 CFR Part § 164.512(k)(1) HIPAA.PR
45 CFR Part § 164.512(k)(2) HIPAA.PR
45 CFR Part § 164.512(k)(3) HIPAA.PR
45 CFR Part § 164.512(k)(4) HIPAA.PR
45 CFR Part § 164.512(k)(5) HIPAA.PR
45 CFR Part § 164.512(k)(6)(i) HIPAA.PR
45 CF R Part § 164.512(k)(6)(ii) HIPAA.PR
45 CFR Part § 164.512(l) HIPAA.PR
45 CFR Part § 164.514(d)(3) HIPAA.PR
45 CFR Part § 164.526(a)(1) HIPAA.PR
45 CFR Part § 164.526(a)(1) HIPAA.PR
45 CFR Part § 164.526(b)(1) HIPAA.PR
45 CFR Part § 164.526(f) HIPAA.PR
45 CFR Part § 164.530(d) HIPAA.PR
45 CFR Part § 164.504(e) HIPAA.PR
45 CFR Part § 164.504(f) HIPAA.PR
45 CFR Part § 164.504(e)(1) HIPAA.PR
MARS-E v2 AP-1
CMSRs v3.1 AP-01 (HIGH; MOD) EU GDPR Article 49(2) De-ID Framework v1 Aggregated Data:
AICPA 2017 CC2.2 CMS Rs v3.1 DM-03 (HIGH; MOD) EU GDPR Article 49(3) Disclosure Policy ISO/IEC 29151:2017 A.6(a) MARS-E v2 AP-3
APEC IV 19 EHNAC Accreditation Committee ISO/IEC 29100:2011 5.5 ISO/IEC 29151:2017 A.6(e) MARS-E v2 DM-3
AICPA 2017 CC2.3 CMSRs v3.1 IP-01 (HIGH; MOD) EU GDPR Article 49(4) De-ID Framework v1 Audit and Monitoring: ISO/IEC 29100:2011 5.6 ISO/IEC 29151:2017 A.7.1(a) MARS-E v2 IP-1
AICPA 2017 P6.1 CMSRs v3.1 UL-01 (HIGH; MOD) EU GDPR Article 49(6) Auditing ISO/IEC 29151:2017 A.7.1(c) MARS-E v2 UL-1
CMSRs v3.1 UL-02 (HIGH; MOD) EU GDPR Article 6(4) De-ID Framework v1 Secondary Use: General MARS-E v2 UL-2
AICPA 2017 C1.2 ISO/IEC 29151:2017 A.7.1(a)
AICPA 2017 P3.2 EU GDPR Article 5(1)(e) ISO/IEC 29100:2011 5.6 IS O/IEC 29151:2017 A.7.1(d) NIST SP 800-122 4.2.1
AICPA 2017 P4.2 EU GDPR Recital 39 ISO/IEC 29151:2017 A.7.1(e)
AICPA 2017 P4.3 IS O/IEC 29151:2017 A.7.1(i)
AICPA 2017 P1.1 CMSRs v3.1 DI- 01(01) (HIGH; MOD) ISO/IEC 29151:2017 A.8 MARS-E v2 DI-1(1)
AICPA 2017 P6.2 APEC VI 21 CMSRs v3.1 DI- 01(02) (HIGH; MOD) EU GDPR Article 5(1)(d) ISO/IEC 29100:2011 5.7 ISO/IEC 29151:2017 A.8(a) MARS-E v2 DI-1(2)
AICPA 2017 P7.1 CMS Rs v3.1 DI-02 (HIGH; MOD) ISO/IEC 29151:2017 A.8(c) MARS-E v2 DI-2
CMSRs v3.1 DI- 02(01) (HIGH; MOD) ISO/IEC 29151:2017 A.8(f) MARS-E v2 DI-2(1)
EU GDPR Article 17(1)
EU GDPR Article 17(2)
AICPA 2017 P4.3 EU GDPR Article 17(3)
APEC VIII 23(c) CCPA 1798.105(a) CMSRs v3.1 IP-03 (HIGH; MOD) ISO/IEC 29151:2017 A.10.2 MARS-E v2 IP-3
AICPA 2017 P5.2 EU GDPR Article 19
EU GDPR Article 21(1)
EU GDPR Recital 66
AICPA 2017 P8.1 CMSRs v3.1 IP-04 (HIGH; MOD) De-ID Framework v1 Complaints: Policy ISO/IEC 29100:2011 5.10 ISO/IEC 29151:2017 A.10.3 MARS-E v2 IP-4
CMSRs v3.1 IP-04(01) (HIGH; MOD) MARS-E v2 IP-4(1)
EU GDPR Article 5(2)
EU GDPR Article 37(1)
EU GDPR Article 37(5)
EU GDPR Recital 97
EU GDPR Article 38(4)
EU GDPR Article 38(6)
EU GDPR Article 39(1)
EU GDPR Article 39(2)
EU GDPR Article 38(2)
EU GDPR Article 38(3) ISO/IEC 29100:2011 5.10 ISO/IEC 29151:2017 A.11.1(e)
EU GDPR Article 38(5) ISO/IEC 29151:2017 A.11.1(h)
EU GDPR Recital 97
EU GDPR Article 30(1)
EU GDPR Article 30(3)
EU GDPR Article 30(4)
EU GDPR Article 30(5)
EU GDPR Recital 36
EU GDPR Article 47(2)
EU GDPR Article 60(10)
EU GDPR Article 35(1)
EU GDPR Article 35(2)
EU GDPR Article 35(3)
AICPA 2017 P8.1 EU GDPR Article 35(9)
EU GDPR Article 35(10)
EU GDPR Article 35(11)
EU GDPR Article 36(1)
EU GDPR Recital 95
ISO/IEC 29151:2017 A.7.5
EU GDPR Article 27(5) ISO/IEC 29151:2017 A.11.3(a)
EU GDPR Article 28(2) ISO/IEC 29151:2017 A.11.3(b)
AICPA 2017 P6.1 EU GDPR Article 28(3) ISO/IEC 29151:2017 A.11.3(c) MARS-E v2 AR-3
AICPA 2017 P6.5 CMSRs v3.1 AR-03 (HIGH; MOD) EU GDPR Article 28(4) ISO/IEC 29100:2011 5.10 ISO/IEC 29151:2017 A.11.3(e) MARS-E v2 UL-2
AICPA 2017 P6.6 CMSRs v3.1 UL-02 (HIGH; MOD) EU GDPR Article 28(9) IS O/IEC 29151:2017 A.11.3(f)
EU GDPR Article 30(2) ISO/IEC 29151:2017 A.11.3(g )
EU GDPR Article 32(1) ISO/IEC 29151:2017 A.11.3(h)
ISO/IEC 29151:2017 A.11.3(j)
ISO/IEC 29151:2017 A.11.4(a)
AICPA 2017 CC4.1 ISO/IEC 29100:2011 5.12 ISO/IEC 29151:2017 A.11.4(c)
AICPA 2017 P8.1 ISO/IEC 29151:2017 A.11.4(d)
ISO/IEC 29151:2017 A.11.5(a)
CCPA 1798.130(a)(6) ISO/IEC 29100:2011 5.10 ISO/IEC 29151:2017 A.11.5(b)
ISO/IEC 29151:2017 A.11.5(c)
ISO/IEC 29151:2017 A.11.5(d)
ISO/IEC 29151:2017 A.11.6
 NIST SP 800-171 r2 (DFARS) NIST SP 800-53 r4 NRS 603A OCR Audit Protocol (2016) OCR Guidance for Unsecured PHI OECD Privacy Framework PCI DSS v3.2.1 PDPA PMI DSP Framework SCIDSA 4655 TJC

NIST SP 800-53 R4 PM-1 SCIDSA 33-22-20(C)

NIST SP 800-53 R4 PM-2 SCIDSA 33-99-20(A)
NIST SP 800-53 R4 PM-3 SCIDSA 33- 99-20(B)
NIST SP 800-53 R4 PM-4 SCIDSA 33-99-20(D) TJC IM.02.01.03, EP 1
NIST SP 800-53 R4 PM-6 SCIDSA 33-99-20(E)
NIST SP 800-53 R4 PM-9 SCIDSA 33-99-20(G)
NIST SP 800-53 R4 PM-13 SCIDSA 33-99-20(I)

NIST SP 800-53 R4 AC-1

NIST SP 800-171 R2 3.1.1 NIST SP 800-53 R4 AC-2 TJC IM.02.01.03, EP 1
NIST SP 800-171 R2 3.1.2 NIST SP 800-53 R4 AC-5
NIST S P 800-53 R4 MP-1

NIST SP 800-53 R4 AC-2

NIST SP 800-53 R4 AC-2(1)
NIST SP 800-53 R4 AC-2(2)
NIST SP 800-53 R4 AC-2(3) PCI DSS v3.2.1 8.1.2
NIST SP 800-53 R4 AC-5 PCI DSS v3.2.1 8.1.3
NIST SP 800-171 R2 3.1.1 NIST SP 800-53 R4 AC-21 NRS 603A.215.1 OCR Audit Protocol (2016) PCI DSS v3.2.1 8.1.4 PMI DSP Framework PR.AC-4 TJC IM.02.01.03, EP 5
NIST SP 800-171 R2 3.1.2 NIST SP 800-53 R4 AU-6 164.308(a)(3)(ii)(A) PCI DSS v3.2.1 8.2
NIST SP 800-53 R4 IA-1 PCI DSS v3.2.1 8.5
NIST SP 800-53 R4 IA-4
NIST SP 800-53 R4 IA-5
NIST S P 800-53 R4 IA-5(3)

NIST SP 800-53 R4 AC-10

NIST SP 800-53 R4 AC-2 PCI DSS v3.2.1 7.1
NIST SP 800-53 R4 AC-21 PCI DSS v3.2.1 7.1.1
NIST SP 800-53 R4 AC-3 PCI DSS v3.2.1 7.1.2
NIST SP 800-171 R2 3.1.2 NIST SP 800-53 R4 AC-3(7) PCI DSS v3.2.1 7.1.3
NIST SP 800-171 R2 3.1.5
NIST SP 800-171 R2 3.1.6 NIST SP 800-53 R4 AC-6 NRS 603A.215.1 PCI DSS v3.2.1 7.1.4 TJC IM.02.01.03, EP 5
NIST SP 800-171 R2 3.1.7 NIST SP 800-53 R4 AC-6(1) PCI DSS v3.2.1 7.2
NIST SP 800-171 R2 3.4.6 NIST SP 800-53 R4 AC-6(10) PCI DSS v3.2.1 7.2.1
NIST SP 800-53 R4 AC-6(2) PCI DSS v3.2.1 7.2.2
NIST SP 800-53 R4 AC-6(5) PCI DSS v3.2.1 7.2.3
NIST SP 800-53 R4 AC-6(9) PCI DSS v3.2.1 A1.1
NIST SP 800-53 R4 CM-7

NIST SP 800-53 R4 IA-2 PCI DSS v3.2.1 2.1

NIST SP 800-53 R4 IA-5 PCI DSS v3.2.1 8.2.1
NIST SP 800-171 R2 3.5.10 PCI DSS v3.2.1 8.2.2
NIST SP 800-171 R2 3.5.11 NIST SP 800-53 R4 IA-5.h NRS 603A.215.1 PCI DSS v3.2.1 8.2.3
NIST SP 800-171 R2 3.5.9 NIST S P 800-53 R4 IA-5(1) PCI DSS v3.2.1 8.2.4
NIST S P 800-53 R4 IA-5(7) PCI DSS v3.2.1 8.2.5
NIST SP 800-53 R4 IA-6
PCI DSS v3.2.1 8.2.6

NIST SP 800-53 R4 AC-2

NIST SP 800-171 R2 3.9.2 NIST SP 800-53 R4 PS-4
NIST SP 800-53 R4 PS-5

PCI DSS v3.2.1 8.2.5

NIST SP 800-53 R4 IA-5 NRS 603A.215.1 PCI DSS v3.2.1 8.2.6 TJC IM.02.01.03, EP 5
PCI DSS v3.2.1 8.4

NIST SP 800-53 R4 AC-11

NIST SP 800-53 R4 PE-18
NIST SP 800-53 R4 PE-5
NIST SP 800-53 R4 SC-10

NIST SP 800-53 R4 AC-11

NIST SP 800-171 R2 3.8.1 NIST S P 800-53 R4 MP-3
NIST S P 800-53 R4 MP-4

NIST SP 800-53 R4 AC-1

NIST SP 800-171 R2 3.1.1 NIST SP 800-53 R4 AC-17
NIST SP 800-171 R2 3.1.16 NIST SP 800-53 R4 AC-18
NIST SP 800-171 R2 3.1.2 NIST SP 800-53 R4 AC-20
NIST SP 800-171 R2 3.1.20 NIST SP 800-53 R4 AC-6
NIST SP 800-53 R4 CM-7

NIST SP 800-53 R4 AC-17

NIST SP 800-53 R4 AC-17(1)
NIST SP 800-53 R4 AC-17(2)
NIST SP 800-53 R4 AC-17(4)
NIST SP 800-171 R2 3.1.12 NIST SP 800-53 R4 AC-18
NIST SP 800-53 R4 AC-2
NIST SP 800-171 R2 3.1.13 NIST SP 800-53 R4 CM-2
NIST SP 800-171 R2 3.1.15
NIST SP 800-171 R2 3.1.16 NIST SP 800-53 R4 CM-2(2) PCI DSS v3.2.1 12.3.9
NIST SP 800-53 R4 IA-2 NRS 603A.215.1 PCI DSS v3.2.1 8.1.5
NIST SP 800-171 R2 3.1.17 NIST SP 800-53 R4 IA-3 PCI DSS v3.2.1 8.3.2
NIST SP 800-171 R2 3.5.1 NIST SP 800-53 R4 IA-5(11)
NIST SP 800-171 R2 3.5.2 NIST SP 800-53 R4 IA-8
NIST SP 800-171 R2 3.7.5
NIST S P 800-53 R4 IA-8(1)
NIST S P 800-53 R4 IA-8(2)
NIST S P 800-53 R4 IA-8(3)
NIST S P 800-53 R4 IA-8(4)
NIST SP 800-53 R4 MA-4

NIST SP 800-53 R4 IA-3

NIST SP 800-53 R4 IA-5

NIST SP 800-53 R4 CM-7

NIST SP 800-53 R4 CM-7(1)
NIST SP 800-53 R4 CM-7(2)
NIST SP 800-53 R4 CM-7(4)
NIST SP 800-171 R2 3.4.7 NIST SP 800-53 R4 CM-7(5)
NIST SP 800-171 R2 3.4.8 NIST SP 800-53 R4 MA-4
NIST S P 800-53 R4 MA-4(2)
NIST S P 800-53 R4 MA-4(3)
NIST SP 800-53 R4 PE-3(1)
NIST SP 800-53 R4 PE-3(4)

NIST SP 800-171 R2 3.1.3 NIST SP 800-53 R4 AC-4
NIST SP 800-53 R4 AC-4(2)
NIST SP 800-171 R2 3.13.1 NIST SP 800-53 R4 SC-32
NIST SP 800-171 R2 3.13.5
NIST SP 800-53 R4 SC-7
PCI DSS v3.2.1 1.1
NRS 603A.215.1 PCI DSS v3.2.1 1.1.4
PCI DSS v3.2.1 1.2

NIST SP 800-53 R4 AC-17

NIST SP 800-53 R4 AC-17(3)
NIST SP 800-53 R4 AC-2(11)
NIST SP 800-171 R2 3.1.14 NIST SP 800-53 R4 SC-7
NIST SP 800-171 R2 3.13.6 NIST SP 800-53 R4 SC-7(3)
NIST SP 800-171 R2 3.13.7 NIST SP 800-53 R4 SC-7(4) NRS 603A.215.1 PCI DSS v3.2.1 1.2.1 PMI DSP Framework PR.DS-1
NIST SP 800-171 R2 3.13.8 NIST SP 800-53 R4 SC-7(5)
NIST SP 800-53 R4 SC-7(7)
NIST SP 800-53 R4 SC-7(8)
NIST SP 800-53 R4 SC-8

NIST SP 800-53 R4 AC-4 PCI DSS v3.2.1 1.2

NIST SP 800-53 R4 SC-7 NRS 603A.215.1 PCI DSS v3.2.1 1.2.1

NIST SP 800-53 R4 AC-10

NIST SP 800-53 R4 AC-7
NIST SP 800-53 R4 AC-8
NIST SP 800-171 R2 3.1.8 NIST SP 800-53 R4 AC-9 NRS 603A.215.1 PCI DSS v3.2.1 8.1.6
NIST SP 800-53 R4 AT-2 PCI DSS v3.2.1 8.1.7
NIST SP 800-53 R4 AU-12
NIST SP 800-53 R4 AU-2
NIST SP 800-53 R4 IA-6

NIST SP 800-53 R4 AC-6(2)

NIST SP 800-53 R4 IA-2
NIST S P 800-53 R4 IA-2(1)
NIST SP 800-53 R4 IA-2(11) PCI DSS v3.2.1 12.3.2
NIST SP 800-171 R2 3.1.5 NIST SP 800-53 R4 IA-2(12)
NIST SP 800-171 R2 3.1.6 NIST S P 800-53 R4 IA-2(2) PCI DSS v3.2.1 8.1
PCI DSS v3.2.1 8.1.1
NIST SP 800-171 R2 3.5.1 NIST S P 800-53 R4 IA-2(3) PCI DSS v3.2.1 8.2.2 PMI DSP F ramework PR.AC-1
NIST SP 800-171 R2 3.5.2 NIST S P 800-53 R4 IA-2(8) NRS 603A.215.1 PMI DSP F ramework PR.AC-2
NIST SP 800-171 R2 3.5.3 NIST SP 800-53 R4 IA-4 PCI DSS v3.2.1 8.3.2 PMI DSP F ramework PR.AC-3
NIST SP 800-171 R2 3.5.4 NIST SP 800-53 R4 IA-5 PCI DSS v3.2.1 8.5
NIST SP 800-171 R2 3.5.5 NIST SP 800-53 R4 IA-5(11) PCI DSS v3.2.1 8.5.1
PCI DSS v3.2.1 8.6
NIST S P 800-53 R4 IA-5(2)
NIST S P 800-53 R4 IA-5(3)
NIST S P 800-53 R4 IA-5(7)
NIST SP 800-53 R4 IA-8

NIST SP 800-171 R2 3.5.7 NIST SP 800-53 R4 IA-2 PCI DSS v3.2.1 2.1
NIST SP 800-171 R2 3.5.8 NIST SP 800-53 R4 IA-5 NRS 603A.215.1 PCI DSS v3.2.1 8.2.1
NIST S P 800-53 R4 IA-5(1)

NIST SP 800-53 R4 AC-3

NIST SP 800-53 R4 AC-6 NRS 603A.215.1 PCI DSS v3.2.1 2.2.5
NIST SP 800-53 R4 AU-2
NIST SP 800-53 R4 SC-2

NIST SP 800-53 R4 AC-11

NIST SP 800-171 R2 3.1.10 NIST SP 800-53 R4 AC-11(1) PCI DSS v3.2.1 12.3.8
NIST SP 800-171 R2 3.1.11 NRS 603A.215.1
NIST SP 800-171 R2 3.13.9 NIST SP 800-53 R4 AC-12 PCI DSS v3.2.1 8.1.8
NIST SP 800-53 R4 SC-10

NIST S P 800-53 R4 IA-11

NIST SP 800-53 R4 SC-43

NIST SP 800-53 R4 AC-1

NIST SP 800-53 R4 AC-14
NIST SP 800-53 R4 AC-3 PCI DSS v3.2.1 12.3.10
NIST SP 800-53 R4 AC-6 NRS 603A.215.1 PCI DSS v3.2.1 8.7
NIST SP 800-53 R4 DM-1
NIST SP 800-53 R4 SC-15

© 2019 HITRUST. All rights reserved.

 NIST SP 800-53 R4 AC-2
NIST SP 800-53 R4 RA-2
NIST SP 800-53 R4 SC-4

NIST SP 800-53 R4 AC-19

NIST SP 800-171 R2 3.1.18 NIST SP 800-53 R4 AC-19(5) NRS 603A.215.1 PCI DSS v3.2.1 1.4 PMI DSP Framework PR.DS-1
NIST SP 800-171 R2 3.1.19 NIST SP 800-53 R4 CM-2(7) PCI DSS v3.2.1 9.5
NIST S P 800-53 R4 SI-4

NIST SP 800-53 R4 AC-17

NIST SP 800-53 R4 AC-17(2)
NIST SP 800-53 R4 AC-20
NIST SP 800-171 R2 3.1.13 NIST SP 800-53 R4 AC-6 PMI DSP Framework PR.IP-2
NIST SP 800-171 R2 3.10.6 NIST SP 800-53 R4 AT-2
NIST SP 800-53 R4 IA-2
NIST SP 800-53 R4 PE-17
NIST SP 800-53 R4 PL-4

NIST SP 800-53 R4 PL-4

NIST SP 800-53 R4 PS-1 NRS 603A.215.1 PCI DSS v3.2.1 12.4.1
NIST SP 800-53 R4 PS-2

NIST SP 800-53 R4 PS-1

NIST SP 800-171 R2 3.9.1 NIST SP 800-53 R4 PS-2 NRS 603A.215.1 PCI DSS v3.2.1 12.7 PMI DSP Framework PR.AC-1
NIST SP 800-53 R4 PS-3

NIST SP 800-53 R4 PL-4 NRS 603A.215.1 PCI DSS v3.2.1 12.4

NIST SP 800-53 R4 PS-6

NIST SP 800-53 R4 AT-3

NIST SP 800-53 R4 PL-4
NIST SP 800-53 R4 PM-13 PCI DSS v3.2.1 12.3
NIST SP 800-53 R4 PM-14 NRS 603A.215.1 PMI DSP Framework PR.AC-1
NIST SP 800-53 R4 PM-15 PCI DSS v3.2.1 12.3.5
NIST SP 800-53 R4 PM-2
NIST SP 800-53 R4 PS-7

NIST SP 800-53 R4 AR-5

NIST SP 800-53 R4 AT-1
NIST SP 800-53 R4 AT-2
NIST SP 800-53 R4 AT-2(2)
NIST SP 800-53 R4 AT-3 PCI DSS v3.2.1 12.6
NIST SP 800-53 R4 AT-4
NIST SP 800-171 R2 3.2.1 NIST SP 800-53 R4 CP-3 PCI DSS v3.2.1 12.6.1
NIST SP 800-171 R2 3.2.2 NRS 603A.215.1 PCI DSS v3.2.1 12.6.2 PMI DSP Framework PR.AT-2
NIST SP 800-171 R2 3.2.3 NIST SP 800-53 R4 CP-3(1) PCI DSS v3.2.1 6.5
NIST SP 800-53 R4 CP-4
NIST SP 800-171 R2 3.6.1 NIST SP 800-53 R4 IR-2 PCI DSS v3.2.1 9.9
NIST SP 800-53 R4 IR-2(1) PCI DSS v3.2.1 9.9.3
NIST SP 800-53 R4 PL-4
NIST SP 800-53 R4 PM-14
NIST SP 800-53 R4 PM-6
NIST SP 800-53 R4 SA-16

NIST SP 800-53 R4 IR-5 OCR Audit Protocol (2016)

NIST SP 800-53 R4 PS-8 164.308(a)(1)(ii)(C)

NIST SP 800-171 R2 3.9.2 NIST SP 800-53 R4 PS-4

NIST SP 800-53 R4 PS-5

NIST SP 800-171 R2 3.9.2 NIST SP 800-53 R4 PS-4

NIST SP 800-53 R4 PS-5

NIST SP 800-53 R4 AC-2

NIST SP 800-171 R2 3.9.2 NIST SP 800-53 R4 PS-4 NRS 603A.215.1 PCI DSS v3.2.1 8.1.3
NIST SP 800-53 R4 PS-4(2)
NIST SP 800-53 R4 PS-5

NIST SP 800-53 R4 AR-1

NIST SP 800-53 R4 AR-2
NIST SP 800-53 R4 PM-11 PMI DSP Framework ID-1
NIST SP 800-171 R2 3.11.1 NIST SP 800-53 R4 PM-4 SCIDSA 33-99-20(C)
NIST SP 800-53 R4 PM-9 PMI DSP Framework ID-2
NIST SP 800-53 R4 RA-1
NIST SP 800-53 R4 RA-3

NIST SP 800-171 R2 3.11.1 NIST SP 800-53 R4 CA-2 NRS 603A.215.1 PCI DSS v3.2.1 12.2 PMI DSP Framework RS-1
NIST SP 800-171 R2 3.12.1 NIST SP 800-53 R4 RA-3

NIST SP 800-53 R4 CA-5

NIST SP 800-171 R2 3.12.2 NIST SP 800-53 R4 CA-5(1)
NIST SP 800-53 R4 PM-4

NIST SP 800-171 R2 3.11.1 NIST SP 800-53 R4 CM-3

NIST SP 800-53 R4 RA-3

NIST SP 800-53 R4 AC-1

NIST SP 800-53 R4 AT-1
NIST SP 800-53 R4 AU-1 PCI DSS v3.2.1 1.5
NIST SP 800-53 R4 CA-1 PCI DSS v3.2.1 10.9
NIST SP 800-53 R4 CM-1 PCI DSS v3.2.1 11.6
NIST SP 800-53 R4 CP-1 PCI DSS v3.2.1 12.3
NIST SP 800-53 R4 IA-1
NIST SP 800-53 R4 IR-1 PCI DSS v3.2.1 2.5
PCI DSS v3.2.1 3.7 PMI DSP Framework ID-1 TJC IM.02.01.03, EP 1
NIST SP 800-53 R4 MA-1 PCI DSS v3.2.1 4.3
NIST SP 800-53 R4 PE-1 PCI DSS v3.2.1 5.4
NIST SP 800-53 R4 PL-1 PCI DSS v3.2.1 6.7
NIST SP 800-53 R4 PM-1
NIST SP 800-53 R4 PS-1 PCI DSS v3.2.1 7.3
PCI DSS v3.2.1 8.8
NIST SP 800-53 R4 RA-1 PCI DSS v3.2.1 9.10
NIST S P 800-53 R4 SA-1
NIST SP 800-53 R4 SC-1
NIST S P 800-53 R4 SI-1

NIST SP 800-53 R4 AC-1

NIST SP 800-53 R4 AT-1
NIST SP 800-53 R4 AU-1
NIST SP 800-53 R4 CA-1
NIST SP 800-53 R4 CM-1
NIST SP 800-53 R4 CP-1
NIST SP 800-53 R4 IA-1
NIST S P 800-53 R4 IP-4
NIST SP 800-53 R4 IR-1 NRS 603A.215.1 PCI DSS v3.2.1 12.1.1 PMI DSP Framework ID-1
NIST SP 800-53 R4 MA-1
NIST SP 800-53 R4 PE-1
NIST SP 800-53 R4 PL-1
NIST SP 800-53 R4 PM-1
NIST SP 800-53 R4 PS-1
NIST SP 800-53 R4 RA-1
NIST S P 800-53 R4 SA-1
NIST SP 800-53 R4 SC-1
NIST S P 800-53 R4 SI-1

NIST SP 800-53 R4 AC-1

NIST SP 800-53 R4 CA-2(1)
NIST SP 800-171 R2 3.12.1
NIST SP 800-53 R4 PM-13
NIST SP 800-53 R4 AR-1
NIST SP 800-53 R4 AT-1
NIST SP 800-53 R4 AU-1
NIST SP 800-53 R4 CA-1
NIST SP 800-53 R4 CA-2
NIST SP 800-53 R4 CM-1
NIST SP 800-53 R4 CP-1
NIST SP 800-53 R4 IA-1
NIST SP 800-53 R4 IR-1 PCI DSS v3.2.1 12.4.1 PMI DSP Framework DE-5
NIST SP 800-53 R4 MA-1 NRS 603A.215.1 PCI DSS v3.2.1 12.5 PMI DSP Framework ID-1 TJC IM.02.01.03, EP 5
NIST SP 800-53 R4 PE-1 PCI DSS v3.2.1 12.5.1 PMI DSP Framework ID-3
NIST SP 800-53 R4 PL-1
NIST SP 800-53 R4 PM-1
NIST SP 800-53 R4 PM-2
NIST SP 800-53 R4 PM-3
NIST SP 800-53 R4 PM-9
NIST SP 800-53 R4 PS-1
NIST SP 800-53 R4 RA-1
NIST S P 800-53 R4 SA-1
NIST SP 800-53 R4 SC-1
NIST S P 800-53 R4 SI-1

© 2019 HITRUST. All rights reserved.


NIST SP 800-171 R2 3.12.4
NIST SP 800-53 R4 IR-4
NIST SP 800-53 R4 PL-2
NIST SP 800-53 R4 Pl- 2(3) NRS 603A.215.1 PCI DSS v3.2.1 12.5.2 PMI DSP Framework RC-3 TJC IM.02.01.03, EP 8
NIST SP 800-53 R4 PM-1
NIST SP 800-53 R4 PM-3
NIST S P 800-53 R4 SA-2

PCI DSS v3.2.1 12.4

NIST SP 800-53 R4 AT-3 PCI DSS v3.2.1 12.5
NIST SP 800-53 R4 IR-2 PCI DSS v3.2.1 12.5.1
NIST SP 800-53 R4 PM-10 NRS 603A.215.1 PCI DSS v3.2.1 12.5.2
NIST SP 800-53 R4 PM-2 PCI DSS v3.2.1 12.5.3
NIST S P 800-53 R4 SA-3 PCI DSS v3.2.1 12.5.4
PCI DSS v3.2.1 12.5.5

NIST SP 800-53 R4 CA-1

NIST SP 800-53 R4 CA-2
NIST SP 800-53 R4 CA-6
NIST SP 800-53 R4 PM-10
NIST SP 800-53 R4 RA-3

NIST SP 800-53 R4 PS-6 PMI DSP Framework RS-1

NIST SP 800-53 R4 CP-2

NIST SP 800-171 R2 3.6.1 NIST SP 800-53 R4 CP-4 PMI DSP Framework RS-1
NIST SP 800-171 R2 3.6.2 NIST SP 800-53 R4 IR-4
NIST SP 800-53 R4 IR-6

NIST SP 800-53 R4 PM-15

NIST S P 800-53 R4 SI-5 PMI DSP Framework DE-4
NIST SP 800-53 R4 SI-5 (1)

NIST SP 800-53 R4 AR-4

NIST SP 800-171 R2 3.12.1 NIST SP 800-53 R4 CA-2
NIST SP 800-53 R4 CA-2(1) PMI DSP Framework ID-3
NIST SP 800-171 R2 3.12.3 NIST SP 800-53 R4 CA-7
NIST SP 800-53 R4 CA-7(1)

NIST SP 800-53 R4 AC-17(2)

NIST SP 800-53 R4 AC-3(8)
NIST SP 800-171 R2 3.1.13 NIST SP 800-53 R4 AC-6 NRS 603A.215.1 PCI DSS v3.2.1 12.8.3 PMI DSP Framework ID-4
NIST SP 800-53 R4 CA-3 PCI DSS v3.2.1 2.6 PMI DSP Framework PR.DS-4
NIST SP 800-53 R4 MA-4
NIST SP 800-53 R4 SC-8(1)

NIST SP 800-53 R4 AC-8

NIST SP 800-53 R4 CA-3 PMI DSP F ramework PR.AC-1
NIST SP 800-171 R2 3.1.9 PMI DSP Framework PR.AT-1
NIST SP 800-53 R4 PL-4 PMI DSP Framework RS- 1
NIST S P 800-53 R4 TR-3

NIST SP 800-53 R4 CA-7(1) PCI DSS v3.2.1 12.8.2

NIST SP 800-53 R4 PS-7 NRS 603A.210.2 PCI DSS v3.2.1 12.8.5 PMI DSP Framework PR.DS-1
NIST S P 800-53 R4 SA-9 NRS 603A.215.1 PCI DSS v3.2.1 12.9 PMI DSP Framework RS- 1
PCI DSS v3.2.1 2.6

NIST SP 800-53 R4 PM-15

NIST SP 800-53 R4 CM-10

NIST SP 800-53 R4 AU-11

NIST SP 800-53 R4 AU-9
NIST SP 800-53 R4 DM-2 NRS 603A.210.1
NRS 603A.210.3 PCI DSS v3.2.1 3.1 PMI DSP Framework PR.DS-2 TJC IM.02.01.03, EP 6
NIST SP 800-53 R4 DM-2(1) NRS 603A.215.1
NIST SP 800-53 R4 RA-2
NIST SP 800-53 R4 SI-12

NIST SP 800-53 R4 AR-1

NIST SP 800-53 R4 AR-2
NIST SP 800-53 R4 SC-12(1)
NIST SP 800-171 R2 3.13.16
NIST SP 800-53 R4 SC-28
NIST SP 800-53 R4 SC-28(1)
NIST SP 800-53 R4 SI-12
OCR Guidance for Unsecured PHI
NRS 603A.210.1 (1)(i) PCI DSS v3.2.1 3.1 PMI DSP Framework PR.DS-1
PCI DSS v3.2.1 3.4 TJC IM.02.01.03, EP 2
NRS 603A.215.1 OCR Guidance for Unsecured PHI PCI DSS v3.2.1 3.4.1 PMI DSP Framework PR.DS-2
(1)(ii)

NIST SP 800-53 R4 AC-8

NIST SP 800-171 R2 3.1.9 NIST SP 800-53 R4 PL-4 NRS 603A.215.1 PCI DSS v3.2.1 12.3.1
NIST SP 800-53 R4 PS-6
NIST SP 800-53 R4 PS-8

NIST SP 800-53 R4 IA-7

NIST SP 800-53 R4 SC-13

NIST SP 800-53 R4 AR-4

NIST SP 800-53 R4 CA-1 PCI DSS v3.2.1 12.11
NIST SP 800-171 R2 3.12.3 NIST SP 800-53 R4 CA-7 TJC IM.02.01.03, EP 8
NIST SP 800-53 R4 CA-7(1) PCI DSS v3.2.1 12.11.1
NIST SP 800-53 R4 RA-5

NIST SP 800-53 R4 CA-2

NIST SP 800-53 R4 CA-2(2)
NIST SP 800-53 R4 CA-7
NIST SP 800-53 R4 RA-5

NIST SP 800-53 R4 AU-1

NIST SP 800-53 R4 AU-2 PMI DSP Framework DE-1
NIST SP 800-53 R4 CA-2
NIST SP 800-53 R4 PL-2

NIST SP 800-53 R4 AC-6(1)

NIST SP 800-171 R2 3.3.8 NIST SP 800-53 R4 AU-1
NIST SP 800-171 R2 3.3.9 NIST SP 800-53 R4 AU-9
NIST SP 800-53 R4 CA-2

NIST SP 800-53 R4 CM-8

NIST SP 800-53 R4 CM-8(1)
NIST SP 800-53 R4 CM-8(3)
NIST SP 800-53 R4 CM-8(5)
NIST S P 800-53 R4 MP-1
NIST SP 800-53 R4 PM-5
NIST SP 800-53 R4 SE-1
PCI DSS v3.2.1 11.1.1
PCI DSS v3.2.1 12.3.3
PCI DSS v3.2.1 2.4
NRS 603A.215.1
PCI DSS v3.2.1 9.7.1
PCI DSS v3.2.1 9.9
PCI DSS v3.2.1 9.9.1

NIST SP 800-53 R4 CM-10 NRS 603A.215.1 PCI DSS v3.2.1 12.3.4

NIST SP 800-53 R4 CM-8

NIST SP 800-53 R4 AC-20 PCI DSS v3.2.1 12.3

NIST SP 800-53 R4 PL-4 NRS 603A.215.1 TJC IM.02.01.03, EP 1
NIST SP 800-53 R4 PL-4(1) PCI DSS v3.2.1 12.3.5

NIST SP 800-53 R4 CM-8

NIST SP 800-53 R4 CM-8(7) PMI DSP Framework ID-2 TJC IM.02.01.03, EP 5
NIST SP 800-53 R4 RA-2

NIST SP 800-171 R2 3.1.9 NIST SP 800-53 R4 AC-16

NIST SP 800-53 R4 AC-8 NRS 603A.215.1 PCI DSS v3.2.1 9.6.1
NIST SP 800-171 R2 3.8.4 NIST S P 800-53 R4 MP-3

NIST SP 800-53 R4 MA-2 OCR Audit Protocol (2016)

NIST SP 800-53 R4 PE-3 NRS 603A.215.1 PCI DSS v3.2.1 9.1
NIST SP 800-53 R4 SC-24 164.310(a)(2)(iv)

© 2019 HITRUST. All rights reserved.

 NIST SP 800-53 R4 MA-2 PCI DSS v3.2.1 9.1
NIST SP 800-171 R2 3.10.1 NIST SP 800-53 R4 PE-2 PCI DSS v3.2.1 9.2
NIST SP 800-171 R2 3.10.2 NIST SP 800-53 R4 PE-3 PCI DSS v3.2.1 9.3
NRS 603A.215.1 PCI DSS v3.2.1 9.4 TJC IM.02.01.03, EP 5
NIST SP 800-171 R2 3.10.3 NIST SP 800-53 R4 PE-3(1) PCI DSS v3.2.1 9.4.1
NIST SP 800-171 R2 3.10.4 NIST SP 800-53 R4 PE-6
NIST SP 800-171 R2 3.10.5 NIST SP 800-53 R4 PE-6(1) PCI DSS v3.2.1 9.4.2
NIST SP 800-53 R4 PE-8 PCI DSS v3.2.1 9.4.3
PCI DSS v3.2.1 9.4.4

NIST SP 800-53 R4 PE-3 NRS 603A.215.1 PCI DSS v3.2.1 9.1.1

NIST SP 800-53 R4 PE-6(2)

NIST SP 800-53 R4 AT-3(1)

NIST SP 800-53 R4 PE-1
NIST SP 800-53 R4 PE-13
NIST SP 800-53 R4 PE-13(1) PMI DSP Framework PR.DS-3
NIST SP 800-53 R4 PE-13(2)
NIST SP 800-53 R4 PE-13(3)
NIST SP 800-53 R4 PE-15
NIST SP 800-53 R4 PE-15(1)

NIST SP 800-53 R4 PE-16

NIST SP 800-53 R4 PE-3

NIST SP 800-53 R4 AC-18

NIST SP 800-53 R4 PE-1
NIST SP 800-53 R4 PE-13 PCI DSS v3.2.1 9.1.3
NIST SP 800-53 R4 PE-14 NRS 603A.215.1 PCI DSS v3.2.1 9.9
NIST SP 800-53 R4 PE-15 PCI DSS v3.2.1 9.9.2
NIST SP 800-53 R4 PE-18
NIST SP 800-53 R4 PE-18(1)

NIST SP 800-53 R4 CP-8

NIST SP 800-53 R4 PE-10
NIST SP 800-53 R4 PE-11
NIST SP 800-53 R4 PE-12
NIST SP 800-53 R4 PE-14
NIST SP 800-53 R4 PE-9

NIST SP 800-171 R2 3.10.1 NIST SP 800-53 R4 CM-8(3)

NIST SP 800-53 R4 PE-4 NRS 603A.215.1 PCI DSS v3.2.1 9.1.2 TJC IM.02.01.03, EP 5
NIST SP 800-171 R2 3.10.2 NIST SP 800-53 R4 PE-9

NIST SP 800-53 R4 MA-1

NIST SP 800-53 R4 MA-2
NIST SP 800-53 R4 MA-3
NIST SP 800-171 R2 3.7.1 NIST S P 800-53 R4 MA-3(1)
NIST SP 800-171 R2 3.7.2 NIST S P 800-53 R4 MA-3(2)
NIST SP 800-171 R2 3.7.3 NIST SP 800-53 R4 MA-4
NIST SP 800-171 R2 3.7.4 NIST S P 800-53 R4 MA-4(1)
NIST SP 800-171 R2 3.7.6 NIST S P 800-53 R4 MA-4(2)
NIST S P 800-53 R4 MA-4(3)
NIST SP 800-53 R4 MA-5
NIST SP 800-53 R4 MA-6

NIST SP 800-53 R4 AC-20

NIST SP 800-171 R2 3.10.6 NIST S P 800-53 R4 MP-5 NRS 603A.215.1
NIST SP 800-53 R4 PE-17

NRS 603A.200.1 OCR Guidance for Unsecured PHI

NIST SP 800-171 R2 3.8.3 NIST SP 800-53 R4 DM-2 (2)(i) PCI DSS v3.2.1 9.8.1 TJC IM.02.01.03, EP 7
NIST S P 800-53 R4 MP-6 NRS 603A.200.2.b.1 OCR Guidance for Unsecured PHI PCI DSS v3.2.1 9.8.2
NRS 603A.200.2.b.2
(2)(ii)

NIST SP 800-53 R4 MA-2

NIST SP 800-171 R2 3.7.1 NIST S P 800-53 R4 MP-5 TJC IM.02.01.03, EP 4
NIST SP 800-53 R4 PE-16

NIST SP 800-53 R4 AC-1

NIST SP 800-53 R4 AT-1
NIST SP 800-53 R4 AU-1
NIST SP 800-53 R4 CA-1 PCI DSS v3.2.1 1.5
NIST SP 800-53 R4 CM-1 PCI DSS v3.2.1 10.9
NIST SP 800-53 R4 CP-1 PCI DSS v3.2.1 11.6
NIST SP 800-53 R4 IA-1 PCI DSS v3.2.1 12.3
NIST SP 800-53 R4 IR-1 PCI DSS v3.2.1 2.5
NIST SP 800-53 R4 MA-1 NRS 603A.215.1 PCI DSS v3.2.1 3.7
NIST S P 800-53 R4 MP-1 PCI DSS v3.2.1 4.3
NIST SP 800-53 R4 PE-1 PCI DSS v3.2.1 5.4
NIST SP 800-53 R4 PL-1 PCI DSS v3.2.1 6.7
NIST SP 800-53 R4 PM-1 PCI DSS v3.2.1 7.3
NIST SP 800-53 R4 PS-1 PCI DSS v3.2.1 8.8
NIST SP 800-53 R4 RA-1 PCI DSS v3.2.1 9.10
NIST S P 800-53 R4 SA-1
NIST SP 800-53 R4 SC-1
NIST S P 800-53 R4 SI-1

NIST SP 800-53 R4 CM-3

NIST SP 800-171 R2 3.4.4 NIST SP 800-53 R4 CM-4
NIST SP 800-171 R2 3.4.5 NIST SP 800-53 R4 CM-5
NIST SP 800-53 R4 CM-9

NIST SP 800-171 R2 3.1.4 NIST SP 800-53 R4 AC-5 NRS 603A.215.1 PCI DSS v3.2.1 6.4.2

PCI DSS v3.2.1 6.3.1

PCI DSS v3.2.1 6.3.2
NIST SP 800-53 R4 CM-2 NRS 603A.215.1 PCI DSS v3.2.1 6.4.1
NIST SP 800-53 R4 SA-10
PCI DSS v3.2.1 6.4.3
PCI DSS v3.2.1 6.4.4

PCI DSS v3.2.1 12.8

NIST SP 800-53 R4 SA-9 NRS 603A.215.1 PCI DSS v3.2.1 12.8.1
PCI DSS v3.2.1 2.6

PCI DSS v3.2.1 12.8

NIST SP 800-53 R4 SA-9 NRS 603A.215.1 PCI DSS v3.2.1 12.8.4
PCI DSS v3.2.1 2.6

NIST SP 800-53 R4 SA-9

NIST SP 800-53 R4 AU-4

NIST SP 800-53 R4 AU-5
NIST SP 800-53 R4 SC-5

NIST SP 800-53 R4 CA-2

NIST SP 800-171 R2 3.4.4
NIST SP 800-53 R4 CA-6
NIST SP 800-53 R4 CM-3
NIST SP 800-53 R4 CM-4
NIST SP 800-53 R4 CM-7
NIST SP 800-53 R4 SA-10
NIST SP 800-53 R4 SA-11
NIST S P 800-53 R4 SA-4

NIST SP 800-53 R4 CM-11

NIST SP 800-171 R2 3.13.3
NIST SP 800-171 R2 3.4.9
NIST SP 800-53 R4 SC-2
NIST SP 800-53 R4 SI-16 PCI DSS v3.2.1 5.1
NIST S P 800-53 R4 SI-3 PCI DSS v3.2.1 5.1.1
NIST SP 800-53 R4 SI-3(1) NRS 603A.215.1 PCI DSS v3.2.1 5.1.2
NIST SP 800-53 R4 SI-3(2) PCI DSS v3.2.1 5.2
NIST S P 800-53 R4 SI-8 PCI DSS v3.2.1 5.3
NIST SP 800-53 R4 SI-8(1)
NIST SP 800-53 R4 SI-8(2)

NIST SP 800-53 R4 CM-2(6)

NIST SP 800-171 R2 3.13.13
NIST SP 800-53 R4 CM-3
NIST SP 800-53 R4 SC-18
NIST SP 800-53 R4 SC-18(3)
NIST SP 800-53 R4 SC-2
NIST SP 800-53 R4 SC-3
NIST S P 800-53 R4 SI-3

NIST SP 800-53 R4 CP-2

NIST SP 800-53 R4 CP-6
NIST SP 800-53 R4 CP-6(3)
NIST SP 800-53 R4 CP-9
NIST SP 800-53 R4 CP-9(1)
NIST SP 800-171 R2 3.8.1 NIST SP 800-53 R4 CP-9(2) NRS 603A.215.1 OCR Audit Protocol (2016) PCI DSS v3.2.1 9.5.1 PMI DSP Framework RC-1 TJC IM.01.01.03, EP 4
NIST SP 800-171 R2 3.8.9 164.310(d)(2)(iv)
NIST SP 800-53 R4 CP-9(3)
NIST SP 800-53 R4 CP-9(5)
NIST S P 800-53 R4 MP-4
NIST S P 800-53 R4 MP-5
NIST SP 800-53 R4 SC-28

PCI DSS v3.2.1 1.1

PCI DSS v3.2.1 1.1.1
NIST SP 800-53 R4 AC-17 PCI DSS v3.2.1 1.1.2
NIST SP 800-53 R4 AC-18 PCI DSS v3.2.1 1.1.3
NIST SP 800-53 R4 AC-18(1) PCI DSS v3.2.1 1.1.4
NIST SP 800-53 R4 AC-18(4)
NIST SP 800-53 R4 AC-18(5) PCI DSS v3.2.1 1.1.6
PCI DSS v3.2.1 1.1.7
NIST SP 800-53 R4 CA-3 PCI DSS v3.2.1 1.2
NIST SP 800-53 R4 CM-3 PCI DSS v3.2.1 1.2.2
NIST SP 800-171 R2 3.1.16 NIST SP 800-53 R4 CM-7 PCI DSS v3.2.1 1.2.3
NIST SP 800-171 R2 3.1.17 NIST SP 800-53 R4 CP-2
NIST SP 800- 171 R2 3.13.11 NIST SP 800-53 R4 IA-3 PCI DSS v3.2.1 1.3
NRS 603A.215.1 PCI DSS v3.2.1 1.3.1 PMI DSP Framework PR.DS-1
NIST SP 800- 171 R2 3.13.14 NIST SP 800-53 R4 SC-19 PCI DSS v3.2.1 1.3.2
NIST SP 800-171 R2 3.13.5 NIST SP 800-53 R4 SC-20 PCI DSS v3.2.1 1.3.3
NIST SP 800-171 R2 3.13.6 NIST SP 800-53 R4 SC-21 PCI DSS v3.2.1 1.3.4
NIST SP 800-171 R2 3.13.8 NIST SP 800-53 R4 SC-22
NIST SP 800-53 R4 SC-7 PCI DSS v3.2.1 1.3.5
PCI DSS v3.2.1 1.3.6
NIST SP 800-53 R4 SC-7(18) PCI DSS v3.2.1 1.3.7
NIST SP 800-53 R4 SC-7(5) PCI DSS v3.2.1 1.3.8
NIST SP 800-53 R4 SC-8 PCI DSS v3.2.1 11.1
NIST SP 800-53 R4 SC-8(1)
NIST SP 800-53 R4 SC-8(2) PCI DSS v3.2.1 11.4
PCI DSS v3.2.1 2.1.1
NIST S P 800-53 R4 SI-4 PCI DSS v3.2.1 4.1.1
PCI DSS v3.2.1 9.1.3

NIST SP 800-53 R4 CA-3

NIST SP 800-53 R4 CA-3(5)
NIST S P 800-53 R4 SA-9
NIST SP 800-53 R4 SA-9(2)

NIST S P 800-53 R4 MP-1

NIST S P 800-53 R4 MP-4
NIST SP 800-171 R2 3.8.1 NIST S P 800-53 R4 MP-5
NIST SP 800-171 R2 3.8.5 NIST SP 800-53 R4 MP-5(3) NRS 603A.215.1 OCR Guidance for Unsecured PHI PCI DSS v3.2.1 9.6.3 PMI DSP Framework PR.DS-1
(1)(i)
NIST SP 800-171 R2 3.8.7 NIST SP 800-53 R4 MP-5(4)
NIST S P 800-53 R4 MP-7
NIST SP 800-53 R4 MP-7(1)

NIST SP 800-53 R4 DM-2 OCR Guidance for Unsecured PHI

NIST SP 800-171 R2 3.8.2 NIST S P 800-53 R4 MP-6 NRS 603A.215.1 (2)(i) PCI DSS v3.2.1 9.8 TJC IM.02.01.03, EP 3
NIST SP 800-171 R2 3.8.3 NIST SP 800-53 R4 MP-6(1) OCR Guidance for Unsecured PHI
NIST SP 800-53 R4 MP-6(2) (2)(ii)

PCI DSS v3.2.1 3.2

NIST SP 800-53 R4 AC-3 PCI DSS v3.2.1 3.2.1
NIST SP 800-171 R2 3.8.1 NIST S P 800-53 R4 MP-2 PCI DSS v3.2.1 3.2.2
PCI DSS v3.2.1 3.2.3
NIST SP 800-171 R2 3.8.4 NIST S P 800-53 R4 MP-3 NRS 603A.215.1 PCI DSS v3.2.1 3.3
NIST SP 800-171 R2 3.8.5 NIST S P 800-53 R4 MP-5
NIST SP 800-171 R2 3.8.6 NIST SP 800-53 R4 MP-5(4) PCI DSS v3.2.1 9.5
NIST SP 800-53 R4 SI-12 PCI DSS v3.2.1 9.6
PCI DSS v3.2.1 9.6.3
PCI DSS v3.2.1 9.7

NIST SP 800-53 R4 SA-5

NIST SP 800-53 R4 AC-1

NIST SP 800-171 R2 3.1.13
NIST SP 800-171 R2 3.1.20
NIST SP 800-171 R2 3.1.21
NIST SP 800- 171 R2 3.13.12
NIST SP 800-171 R2 3.13.8
NIST SP 800-53 R4 AC-17
NIST SP 800-53 R4 AC-17(2)
NIST SP 800-53 R4 AC-20
NIST SP 800-53 R4 AC-20(1)
NIST SP 800-53 R4 AC-20(2) PCI DSS v3.2.1 2.3
NIST SP 800-53 R4 AC-3 NRS 603A.215.1 OCR Guidance for Unsecured PHI PCI DSS v3.2.1 4.1 PMI DSP Framework PR.DS-1 TJC IM.02.01.03, EP 1
NIST SP 800-53 R4 AC-4 NRS 603A.215.2.a (1)(ii) PCI DSS v3.2.1 4.1.1 TJC IM.02.01.03, EP 5
NIST SP 800-53 R4 PL-4
NIST SP 800-53 R4 PS-6
NIST SP 800-53 R4 SC-1
NIST SP 800-53 R4 SC-15
NIST SP 800-53 R4 SC-15(1)
NIST SP 800-53 R4 SC-8

NIST SP 800-53 R4 MP-1

© 2019 HITRUST. All rights reserved.

 NIST S P 800-53 R4 MP-5
NIST SP 800-171 R2 3.8.5 NIST SP 800-53 R4 MP-5(3) NRS 603A.215.1 PCI DSS v3.2.1 9.5
NIST SP 800-171 R2 3.8.6 NIST SP 800-53 R4 MP-5(4) NRS 603A.215.2.a PCI DSS v3.2.1 9.6 TJC IM.02.01.03, EP 5
NIST SP 800-53 R4 PE-16 NRS 603A.215.2.b PCI DSS v3.2.1 9.6.2
NIST SP 800-53 R4 SC-28

NIST SP 800-53 R4 SC-8

NIST SP 800-171 R2 3.13.8 NIST SP 800-53 R4 SC-8(1) NRS 603A.215.2.a PCI DSS v3.2.1 4.2
NIST SP 800-53 R4 SC-8(2)

NIST SP 800-171 R2 3.4.1 NIST SP 800-53 R4 CA-3

NIST SP 800-53 R4 CA-9 NRS 603A.215.1 PCI DSS v3.2.1 1.2
NIST SP 800-171 R2 3.4.2 NIST SP 800-53 R4 CM-2

NIST SP 800-53 R4 AU-10

NIST SP 800-53 R4 SC-13
NIST SP 800-53 R4 SC-8
NIST SP 800-53 R4 SC-8(1)

NIST SP 800-53 R4 AU-10

NIST SP 800-53 R4 IA-8
NIST SP 800-171 R2 3.13.8 NIST SP 800-53 R4 SC-13
NIST SP 800-53 R4 SC-2
NIST SP 800-53 R4 SC-8

NIST SP 800-53 R4 AC-22

NIST SP 800-53 R4 CM-6
NIST SP 800-171 R2 3.1.22 NIST SP 800-53 R4 SC-5
NIST SP 800-53 R4 SC-5(2)
NIST SP 800-53 R4 SC-7

PCI DSS v3.2.1 10.2

PCI DSS v3.2.1 10.2.1
NIST SP 800-53 R4 AC-6(9) PCI DSS v3.2.1 10.2.2
NIST SP 800-53 R4 AR-4 PCI DSS v3.2.1 10.2.4
NIST SP 800-53 R4 AU-11 PCI DSS v3.2.1 10.2.7
NIST SP 800-53 R4 AU-2 PCI DSS v3.2.1 10.3.1
NIST SP 800-171 R2 3.3.1 NIST SP 800-53 R4 AU-2(3) OCR Audit Protocol (2016) PCI DSS v3.2.1 10.3.2 PMI DSP Framework DE-1
NIST SP 800-171 R2 3.3.2 NIST SP 800-53 R4 AU-3 NRS 603A.215.1 164.308(a)(5)(ii)(c) PCI DSS v3.2.1 10.3.3 PMI DSP Framework DE-2 SCIDSA 38-99-30(D)
NIST SP 800-171 R2 3.3.4 NIST SP 800-53 R4 AU-3(1) PCI DSS v3.2.1 10.3.4 PMI DSP Framework PR.DS-5
NIST SP 800-53 R4 AU-5 PCI DSS v3.2.1 10.3.5
NIST SP 800-53 R4 AU-5(4) PCI DSS v3.2.1 10.3.6
NIST SP 800-53 R4 AU-8 PCI DSS v3.2.1 10.3.7
NIST SP 800-53 R4 AU-9 PCI DSS v3.2.1 10.5
PCI DSS v3.2.1 10.7
PCI DSS v3.2.1 A1.3

NIST SP 800-53 R4 AC-2(12)

NIST SP 800-53 R4 AR-4
NIST SP 800-53 R4 AU-2
NIST SP 800-53 R4 AU-3
NIST SP 800-53 R4 AU-6
NIST SP 800-53 R4 AU-6(1)
NIST SP 800-53 R4 AU-6(3) PCI DSS v3.2.1 10.6
NIST SP 800-53 R4 AU-6(9)
NIST SP 800-171 R2 3.3.1 NIST SP 800-53 R4 AU-7 PCI DSS v3.2.1 10.6.1 PMI DSP Framework DE-2
NIST SP 800-171 R2 3.3.3 NIST SP 800-53 R4 AU-7(1) NRS 603A.215.1 OCR Audit Protocol (2016) PCI DSS v3.2.1 10.6.3 PMI DSP Framework DE-3
NIST SP 800-171 R2 3.3.5 NIST SP 800-53 R4 PE-6 164.308(a)(1)(ii)(D) PCI DSS v3.2.1 10.8 PMI DSP Framework PR.DS-5
NIST SP 800-171 R2 3.3.6 PCI DSS v3.2.1 10.8.1
NIST S P 800-53 R4 SI-3 PCI DSS v3.2.1 11.5
NIST S P 800-53 R4 SI-4
NIST SP 800-53 R4 SI-4(1)
NIST SP 800-53 R4 SI-4(2)
NIST SP 800-53 R4 SI-4(3)
NIST SP 800-53 R4 SI-4(4)
NIST SP 800-53 R4 SI-4(5)
NIST SP 800-53 R4 SI-7(2)

PCI DSS v3.2.1 10.2.3

NIST SP 800-53 R4 AU-9 PCI DSS v3.2.1 10.5
NRS 603A.215.1 PCI DSS v3.2.1 10.5.4 PMI DSP Framework DE-2
NIST S P 800-53 R4 SI-4 PCI DSS v3.2.1 10.5.5
PCI DSS v3.2.1 11.5

NIST SP 800-53 R4 AR-4

NIST SP 800-171 R2 3.3.1 NIST SP 800-53 R4 AU-12
NIST SP 800-171 R2 3.3.2 NRS 603A.215.1 PCI DSS v3.2.1 10.2.2
NIST SP 800-171 R2 3.3.3 NIST SP 800-53 R4 AU-2
NIST SP 800-53 R4 AU-6

NIST SP 800-53 R4 AU-12

NIST SP 800-53 R4 AU-2
NIST SP 800-53 R4 AU-5(2)
NIST SP 800-53 R4 AU-6
NIST SP 800-53 R4 SI-11

PCI DSS v3.2.1 10.4

NIST SP 800-171 R2 3.3.7 NIST SP 800-53 R4 AU-8 NRS 603A.215.1 PCI DSS v3.2.1 10.4.1
NIST SP 800-53 R4 AU-8(1) PCI DSS v3.2.1 10.4.2
PCI DSS v3.2.1 10.4.3

NIST SP 800-53 R4 AR-7

NIST SP 800-53 R4 CP-9(6)
NIST SP 800-53 R4 PL-8
NIST SP 800-53 R4 PM-7
NIST SP 800-53 R4 SA-15
NIST SP 800-53 R4 SA-17
NIST S P 800-53 R4 SA-3
NIST SP 800-171 R2 3.13.2 NIST S P 800-53 R4 SA-4 NRS 603A.215.1 PCI DSS v3.2.1 6.3 PMI DSP Framework PR.IP-1
NIST SP 800-53 R4 SA-4(1)
NIST SP 800-53 R4 SA-4(2)
NIST SP 800-53 R4 SA-4(9)
NIST S P 800-53 R4 SA-8
NIST SP 800-53 R4 SA-9(2)
NIST SP 800-53 R4 SC-5
NIST S P 800-53 R4 SI-1

PCI DSS v3.2.1 6.5

PCI DSS v3.2.1 6.5.1
PCI DSS v3.2.1 6.5.10
PCI DSS v3.2.1 6.5.2
PCI DSS v3.2.1 6.5.3
NIST S P 800-53 R4 SI-1 NRS 603A.215.1 PCI DSS v3.2.1 6.5.4 PMI DSP Framework PR.DS-5 TJC IM.04.01.01, EP 1
NIST SP 800-53 R4 SI-10 PCI DSS v3.2.1 6.5.5
PCI DSS v3.2.1 6.5.6
PCI DSS v3.2.1 6.5.7
PCI DSS v3.2.1 6.5.8
PCI DSS v3.2.1 6.5.9
PCI DSS v3.2.1 6.6

NIST SP 800-53 R4 DI-2

NIST SP 800-53 R4 SI-10
NIST S P 800-53 R4 SI-2
NIST S P 800-53 R4 SI-6
NIST SP 800-53 R4 SI-6(2) NRS 603A.215.1 PCI DSS v3.2.1 6.6 PMI DSP Framework PR.DS-5 TJC IM.04.01.01, EP 1
NIST S P 800-53 R4 SI-7
NIST SP 800-53 R4 SI-7(1)
NIST SP 800-53 R4 SI-7(2)
NIST SP 800-53 R4 SI-7(5)
NIST SP 800-53 R4 SI-7(7)

NIST SP 800-53 R4 AU-10 OCR Guidance for Unsecured PHI

NIST SP 800-171 R2 3.13.15 NIST SP 800-53 R4 SC-23 PMI DSP Framework PR.DS-5 TJC IM.02.01.03, EP 6
NIST SP 800-53 R4 SC-8 (1)(ii)

NIST SP 800-53 R4 SI-15 TJC IM.04.01.01, EP 1

NIST S P 800-53 R4 MP-1 OCR Guidance for Unsecured PHI

NIST SP 800-53 R4 SC-1 NRS 603A.215.2.a PCI DSS v3.2.1 3.5.1 TJC IM.02.01.03, EP 2
NIST SP 800-53 R4 SC-12 (1)

PCI DSS v3.2.1 3.5

NIST SP 800-171 R2 3.13.10
PCI DSS v3.2.1 3.5.2
PCI DSS v3.2.1 3.5.3
PCI DSS v3.2.1 3.5.4
PCI DSS v3.2.1 3.5.8
NIST SP 800-53 R4 SC-12 PCI DSS v3.2.1 3.6
NIST SP 800-53 R4 SC-12(1) NRS 603A.215.1 PCI DSS v3.2.1 3.6.1 PMI DSP Framework PR.DS-2 TJC IM.02.01.03, EP 6
NIST SP 800-53 R4 SC-17 PCI DSS v3.2.1 3.6.2
PCI DSS v3.2.1 3.6.3
PCI DSS v3.2.1 3.6.4
PCI DSS v3.2.1 3.6.5
PCI DSS v3.2.1 3.6.7
PCI DSS v3.2.1 8.2.2

NIST SP 800-53 R4 CM-2(3)

NIST SP 800-53 R4 CM-3
NIST SP 800-53 R4 CM-3(2)
NIST SP 800-53 R4 CM-4
NIST SP 800-171 R2 3.4.1 NIST SP 800-53 R4 CM-6
NIST SP 800-171 R2 3.4.2 PCI DSS v3.2.1 2.2.4
NIST SP 800-171 R2 3.4.4 NIST SP 800-53 R4 CM-6(1)
NIST SP 800-53 R4 CM-6(2)
NIST SP 800-53 R4 CM-7(2)
NIST SP 800-53 R4 CM-7(4)
NIST SP 800-53 R4 SA-22

NIST SP 800-53 R4 SA-15(9) PCI DSS v3.2.1 6.4

NIST SP 800-53 R4 AC-3

NIST SP 800-53 R4 AC-6
NIST SP 800-53 R4 CM-5
NIST SP 800-53 R4 CM-7

NIST SP 800-53 R4 AC-3

NIST SP 800-53 R4 CM-1
NIST SP 800-53 R4 CM-2
NIST SP 800-53 R4 CM-2(1)
NIST SP 800-53 R4 CM-2(2)
NIST SP 800-53 R4 CM-2(3)
NIST SP 800-53 R4 CM-2(6)
NIST SP 800-53 R4 CM-3
NIST SP 800-171 R2 3.4.1 NIST SP 800-53 R4 CM-3(1)
NIST SP 800-171 R2 3.4.2 NIST SP 800-53 R4 CM-3(2) PCI DSS v3.2.1 6.4
NIST SP 800-171 R2 3.4.3 NIST SP 800-53 R4 CM-4 NRS 603A.215.1 PCI DSS v3.2.1 6.4.6
NIST SP 800-53 R4 CM-4(1)
NIST SP 800-171 R2 3.4.5 NIST SP 800-53 R4 CM-4(2)
NIST SP 800-53 R4 CM-5
NIST SP 800-53 R4 CM-5(1)
NIST SP 800-53 R4 CM-5(2)
NIST SP 800-53 R4 CM-6
NIST SP 800-53 R4 CM-6(1)
NIST SP 800-53 R4 CM-6(2)
NIST SP 800-53 R4 CM-9
NIST SP 800-53 R4 SA-10

NIST S P 800-53 R4 SA-1

NIST SP 800-53 R4 SA-11
NIST SP 800-53 R4 SA-13
NIST SP 800-53 R4 SA-15

PCI DSS v3.2.1 11.2

PCI DSS v3.2.1 11.2.1
NIST SP 800-53 R4 CA-2 PCI DSS v3.2.1 11.2.2
NIST SP 800-53 R4 CA-7
NIST SP 800-53 R4 CA-8 PCI DSS v3.2.1 11.2.3
NIST SP 800-53 R4 CM-6 PCI DSS v3.2.1 11.3
NIST SP 800-53 R4 CM-7 PCI DSS v3.2.1 11.3.1
PCI DSS v3.2.1 11.3.2
NIST SP 800-171 R2 3.11.2 NIST SP 800-53 R4 RA-5 PCI DSS v3.2.1 11.3.3
NIST SP 800-53 R4 RA-5(1) NRS 603A.215.1 PMI DSP Framework PR.IP-2
NIST SP 800-171 R2 3.11.3 NIST SP 800-53 R4 RA-5(2) PCI DSS v3.2.1 11.3.4
NIST SP 800-53 R4 RA-5(4) PCI DSS v3.2.1 11.3.4.1
NIST S P 800-53 R4 SI-2 PCI DSS v3.2.1 2.2
PCI DSS v3.2.1 2.2.2
NIST SP 800-53 R4 SI-2(1) PCI DSS v3.2.1 2.2.3
NIST SP 800-53 R4 SI-2(2)
NIST S P 800-53 R4 SI-5 PCI DSS v3.2.1 6.1
PCI DSS v3.2.1 6.2
PCI DSS v3.2.1 6.4.5

© 2019 HITRUST. All rights reserved.

 NIST SP 800-53 R4 IR-1
NIST SP 800-53 R4 IR-2 PCI DSS v3.2.1 12.10 SCIDSA 33-99-20(E)
NIST SP 800-53 R4 IR-4(1) PCI DSS v3.2.1 12.10.1 PMI DSP Framework DE-4 SCIDSA 33-99-20(H)
NIST SP 800-171 R2 3.6.1 NIST SP 800-53 R4 IR-4(7) NRS 603A.215.1
NIST SP 800-171 R2 3.6.2 NIST SP 800-53 R4 IR-6 NRS 603A.215.2 PCI DSS v3.2.1 12.10.3 PMI DSP Framework RC-3 SCIDSA 38-99-40(A)
PCI DSS v3.2.1 12.10.4 PMI DSP Framework RS- 1 SCIDSA 38- 99-40(B)
NIST SP 800-53 R4 IR-6(1) PCI DSS v3.2.1 12.10.5 S CIDSA 38-99-40(c)
NIST SP 800-53 R4 PM-12
NIST S P 800-53 R4 SI-4

NIST SP 800-53 R4 CA-7

NIST SP 800-53 R4 IR-6
NIST SP 800-53 R4 PL-4 NRS 603A.215.1 PCI DSS v3.2.1 12.10.4 PMI DSP Framework DE-4
NIST S P 800-53 R4 SI-2
NIST S P 800-53 R4 SI-4
NIST S P 800-53 R4 SI-5

NIST SP 800-53 R4 IR-1

NIST SP 800-53 R4 IR-3 NRS 603A.215.1 PMI DSP Framework DE-5
NIST SP 800-171 R2 3.6.1 NIST SP 800-53 R4 IR-3(2) NRS 603A.220.4.a PCI DSS v3.2.1 11.1.2 PMI DSP Framework RC-1 SCIDSA 38-99-30(A)
NIST SP 800-53 R4 IR-4 NRS 603A.220.4.b PCI DSS v3.2.1 12.10.1
NIST SP 800-171 R2 3.6.2 NIST SP 800-53 R4 IR-6 NRS 603A.220.4.c.1 PCI DSS v3.2.1 12.10.2 PMI DSP Framework RC-2 SCIDSA 38- 99-30(B)
NIST SP 800-171 R2 3.6.3 NIST SP 800-53 R4 IR-7 NRS 603A.220.4.c.2 PCI DSS v3.2.1 12.10.4 PMI DSP Framework RS- 1 S CIDSA 38-99-30(c)
NIST SP 800-53 R4 IR-8 NRS 603A.220.6 PMI DSP Framework RS- 4
NIST SP 800-53 R4 SE-2

NIST SP 800-53 R4 IR-4

NIST SP 800-53 R4 IR-4(1)
NIST SP 800-171 R2 3.6.1 NIST SP 800-53 R4 IR-4(4) NRS 603A.215.1 PCI DSS v3.2.1 12.10.6 PMI DSP Framework RC-3
NIST SP 800-53 R4 IR-5
NIST SP 800-53 R4 IR-5(1)

NIST SP 800-53 R4 AU-11

NIST SP 800-53 R4 AU-9 NRS 603A.215.1 PCI DSS v3.2.1 A1.4
NIST SP 800-53 R4 IR-4

NIST SP 800-53 R4 CP-1

NIST SP 800-53 R4 CP-2
NIST SP 800-53 R4 CP-2(8)
NIST SP 800-53 R4 PM-9

NIST SP 800-53 R4 CP-2

NIST SP 800-171 R2 3.11.1 NIST SP 800-53 R4 CP-2(8)
NIST SP 800-53 R4 PM-8
NIST SP 800-53 R4 RA-3

NIST SP 800-53 R4 CP-10(4)

NIST SP 800-53 R4 CP-11
NIST SP 800-53 R4 CP-2
NIST SP 800-53 R4 CP-2(2)
NIST SP 800-53 R4 CP-2(3)
NIST SP 800-53 R4 CP-2(5)
NIST SP 800-53 R4 CP-6 TJC IM.01.01.03, EP 1
NIST SP 800-53 R4 CP-6(1) PMI DSP Framework RC-1 TJC IM.01.01.03, EP 2
NIST SP 800-53 R4 CP-7 TJC IM.01.01.03, EP 3
NIST SP 800-53 R4 CP-7(1) TJC IM.01.01.03, EP 4
NIST SP 800-53 R4 CP-7(3)
NIST SP 800-53 R4 CP-8
NIST SP 800-53 R4 CP-8(1)
NIST SP 800-53 R4 CP-8(2)
NIST SP 800-53 R4 CP-9
NIST SP 800-53 R4 CP-9(2)

NIST SP 800-53 R4 CP-2 TJC IM.01.01.03, EP 1

NIST SP 800-53 R4 CP-2

NIST SP 800-53 R4 CP-4
NIST SP 800-53 R4 CP-4(1) PMI DSP Framework RC-3 TJC IM.01.01.03, EP 5
NIST SP 800-53 R4 CP-4(2)
NIST SP 800-53 R4 CP-4(4)

NIST SP 800-53 R4 AP-2

NIST S P 800-53 R4 TR-1
NIST SP 800-53 R4 TR-1(1)
NIST S P 800-53 R4 TR-2
NIST SP 800-53 R4 TR-2(1)

PDPA 11(5)
PDPA 20
NIST SP 800-53 R4 TR-3 PDPA 20(1)(e)
PDPA 42
PDPA 44

NIST SP 800-53 R4 AR-8

NIST SP 800-53 R4 DM-3 PDPA 13

PDPA 15
NIST S P 800-53 R4 IP-1 PDPA 17
NIST SP 800-53 R4 IP-1(1) PDPA 46

PDPA 16
NIST SP 800-53 R4 IP-1 PDPA 40
PDPA 47

NIST SP 800-53 R4 DI-1

NIST S P 800-53 R4 IP-2 PDPA 21
PDPA 22
NIST S P 800-53 R4 IP-3

PDPA 36
PDPA 37
PDPA 38
PDPA 43
PDPA 44
PDPA 45

PDPA 14(1)
PDPA 20(1)

NIST SP 800-53 R4 DM-1 OECD Part 2 7 PDPA 18

NIST SP 800-53 R4 DM-1(1)

NIST SP 800-53 R4 DM-3(1)

© 2019 HITRUST. All rights reserved.

 NIST SP 800-53 R4 DM-3
NIST S P 800-53 R4 IP-1 OECD Part 2 10 PDPA 24
NIST SP 800-53 R4 UL-1 PDPA 26
NIST SP 800-53 R4 UL-2

NIST SP 800-53 R4 DM-2 PDPA 25

NIST SP 800-53 R4 DI-1

NIST SP 800-53 R4 DI-1(1)
NIST SP 800-53 R4 DI-1(2) OECD Part 2 8 PDPA 23
NIST SP 800-53 R4 DI-2
NIST SP 800-53 R4 DI-2(1)

NIST SP 800-53 R4 IP-3 PDPA 22(2)(b)

NIST SP 800-53 R4 IP-4 PDPA 12(b)

NIST SP 800-53 R4 AR-1 OECD Part 3 15(ii) PDPA 11(3)

NIST SP 800-53 R4 AR-2

NIST SP 800-53 R4 AR-3

NIST SP 800-53 R4 UL-2

NIST SP 800-53 R4 AR-4

NIST SP 800-53 R4 AR-5

NIST SP 800-53 R4 AR-7

© 2019 HITRUST. All rights reserved.

Authoritative Source
1 TAC § 390.2(a)(1)
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
00.a Information Security Management Program
01.a Access Control Policy
01.c Privilege Management
01.d User Password Management
01.e Review of User Access Rights
01.f Password Use
01.g Unattended User Equipment
01.h Clear Desk and Clear Screen Policy
01.i Policy on the Use of Network Services
01.j User Authentication for External Connections
01.k Equipment Identification in Networks
01.m Segregation in Networks
01.n Network Connection Control
01.o Network Routing Control
01.p Secure Log-on Procedures
01.q User Identification and Authentication
01.r Password Management System
01.s Use of System Utilities
01.t Session Time-out
01.v Information Access Restriction
01.x Mobile Computing and Communications
01.y Teleworking
02.a Roles and Responsibilities
02.b Screening
02.c Terms and Conditions of Employment
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
02.f Disciplinary Process
02.g Termination or Change Responsibilities
02.h Return of Assets
02.i Removal of Access Rights
03.a Risk Management Program Development
03.b Performing Risk Assessments
03.c Risk Mitigation
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
05.b Information Security Coordination
05.c Allocation of Information Security Responsibilities
05.d Authorization Process for Information Assets and Facilities
05.g Contact with Special Interest Groups
05.h Independent Review of Information Security
05.i Identification of Risks Related to External Parties
05.j Addressing Security When Dealing with Customers
05.k Addressing Security in Third Party Agreements
06.c Protection of Organizational Records
06.e Prevention of Misuse of Information Assets
06.f Regulation of Cryptographic Controls
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
06.i Information Systems Audit Controls
07.a Inventory of Assets
 07.b Ownership of Assets
07.d Classification Guidelines
07.e Information Labeling and Handling
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
08.d Protecting Against External and Environmental Threats
08.e Working in Secure Areas
08.g Equipment Siting and Protection
08.i Cabling Security
08.j Equipment Maintenance
08.k Security of Equipment Off-Premises
08.l Secure Disposal or Re-Use of Equipment
09.a Documented Operations Procedures
09.c Segregation of Duties
09.e Service Delivery
09.h Capacity Management
09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
09.l Back-up
09.m Network Controls
09.n Security of Network Services
09.o Management of Removable Media
09.p Disposal of Media
09.q Information Handling Procedures
09.s Information Exchange Policies and Procedures
09.t Exchange Agreements
09.u Physical Media in Transit
09.v Electronic Messaging
09.w Interconnected Business Information Systems
09.x Electronic Commerce Services
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
09.ae Fault Logging
10.a Security Requirements Analysis and Specification
10.c Control of Internal Processing
10.d Message Integrity
10.f Policy on the Use of Cryptographic Controls
10.g Key Management
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
11.e Collection of Evidence
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
13.a Privacy Notice
13.d Consent
13.k Use and Disclosure
13.l Retention and Disposal
13.n Participation and Redress
1 TAC § 390.2(a)(2) 11.a Reporting Information Security Events
1 TAC § 390.2(a)(3) 01.j User Authentication for External Connections
02.e Information Security Awareness, Education, and Training

© 2019 HITRUST. All rights reserved.

1 TAC § 390.2(a)(3)
1 TAC § 390.2(a)(4)
1 TAC § 390.2(a)(4)(A)(i)
1 TAC § 390.2(a)(4)(A)(ii)
1 TAC § 390.2(a)(4)(A)(iii)
1 TAC § 390.2(a)(4)(A)(v)
1 TAC § 390.2(a)(4)(A)(vi)
1 TAC § 390.2(a)(4)(A)(vii)
1 TAC § 390.2(a)(4)(A)(viii)
1 TAC § 390.2(a)(4)(A)(ix)
1 TAC § 390.2(a)(4)(A)(x)
1 TAC § 390.2(a)(4)(A)(xi)
© 2019 HITRUST. All rights reserved.
03.a Risk Management Program Development
03.b Performing Risk Assessments
03.d Risk Evaluation
05.a Management Commitment to Information Security
05.c Allocation of Information Security Responsibilities
05.i Identification of Risks Related to External Parties
06.a Identification of Applicable Legislation
06.c Protection of Organizational Records
09.f Monitoring and Review of Third Party Services
10.b Input Data Validation
11.a Reporting Information Security Events
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures
06.d Data Protection and Privacy of Covered Information
11.a Reporting Information Security Events
06.d Data Protection and Privacy of Covered Information
13.k Use and Disclosure
07.e Information Labeling and Handling
09.q Information Handling Procedures
13.k Use and Disclosure
13.k Use and Disclosure
07.e Information Labeling and Handling
13.k Use and Disclosure
07.e Information Labeling and Handling
13.k Use and Disclosure
13.k Use and Disclosure
11.a Reporting Information Security Events
13.k Use and Disclosure
13.k Use and Disclosure
01.e Review of User Access Rights
01.f Password Use
01.g Unattended User Equipment
01.h Clear Desk and Clear Screen Policy
01.i Policy on the Use of Network Services
01.j User Authentication for External Connections
01.k Equipment Identification in Networks
01.l Remote Diagnostic and Configuration Port Protection
01.m Segregation in Networks
01.n Network Connection Control
01.o Network Routing Control
01.p Secure Log-on Procedures
01.q User Identification and Authentication
01.r Password Management System
01.s Use of System Utilities
01.t Session Time-out
01.v Information Access Restriction
01.w Sensitive System Isolation
01.x Mobile Computing and Communications
01.y Teleworking
02.a Roles and Responsibilities
02.b Screening
02.c Terms and Conditions of Employment
02.d Management Responsibilities
 02.e Information Security Awareness, Education, and Training
02.f Disciplinary Process
02.g Termination or Change Responsibilities
02.h Return of Assets
02.i Removal of Access Rights
03.a Risk Management Program Development
03.b Performing Risk Assessments
03.c Risk Mitigation
03.d Risk Evaluation
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
05.b Information Security Coordination
05.c Allocation of Information Security Responsibilities
05.d Authorization Process for Information Assets and Facilities
05.f Contact with Authorities
05.g Contact with Special Interest Groups
05.h Independent Review of Information Security
05.i Identification of Risks Related to External Parties
05.j Addressing Security When Dealing with Customers
05.k Addressing Security in Third Party Agreements
06.b Intellectual Property Rights
06.c Protection of Organizational Records
06.d Data Protection and Privacy of Covered Information
06.e Prevention of Misuse of Information Assets
06.f Regulation of Cryptographic Controls
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
06.i Information Systems Audit Controls
06.j Protection of Information Systems Audit Tools
07.a Inventory of Assets
07.b Ownership of Assets
07.c Acceptable Use of Assets
07.d Classification Guidelines
07.e Information Labeling and Handling
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
08.f Public Access, Delivery, and Loading Areas
08.g Equipment Siting and Protection
08.i Cabling Security
08.j Equipment Maintenance
08.k Security of Equipment Off-Premises
08.l Secure Disposal or Re-Use of Equipment
08.m Removal of Property
09.a Documented Operations Procedures
09.aa Audit Logging
09.ab Monitoring System Use
09.ac Protection of Log Information
09.ad Administrator and Operator Logs
09.ae Fault Logging
09.af Clock Synchronization
09.b Change Management

© 2019 HITRUST. All rights reserved.


1 TAC § 390.2(a)(4)(A)(xii)
1 TAC § 390.2(a)(4)(A)(xiii)
1 TAC § 390.2(a)(4)(A)(xiv)
1 TAC § 390.2(a)(4)(A)(xv)
1 TAC § 390.2(a)(4)(B)(i)
1 TAC § 390.2(a)(4)(B)(ii)
1 TAC § 390.2(a)(4)(B)(iii)
© 2019 HITRUST. All rights reserved.
09.c Segregation of Duties
09.d Separation of Development, Test, and Operational Environments
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.h Capacity Management
09.i System Acceptance
09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
09.l Back-up
09.m Network Controls
09.n Security of Network Services
09.o Management of Removable Media
09.p Disposal of Media
09.q Information Handling Procedures
09.r Security of System Documentation
09.s Information Exchange Policies and Procedures
09.t Exchange Agreements
09.u Physical Media in Transit
09.v Electronic Messaging
09.w Interconnected Business Information Systems
09.x Electronic Commerce Services
09.z Publicly Available Information
10.a Security Requirements Analysis and Specification
10.b Input Data Validation
10.c Control of Internal Processing
10.d Message Integrity
10.f Policy on the Use of Cryptographic Controls
10.g Key Management
10.h Control of Operational Software
10.i Protection of System Test Data
10.j Access Control to Program Source Code
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
11.a Reporting Information Security Events
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
11.e Collection of Evidence
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
06.d Data Protection and Privacy of Covered Information
13.k Use and Disclosure
13.a Privacy Notice
13.k Use and Disclosure
13.a Privacy Notice
13.d Consent
13.a Privacy Notice
1 TAC § 390.2(a)(4)(B)(iii)
1 TAC § 390.2(a)(4)(B)(iv)
1 TAC § 390.2(a)(4)(B)(v)
1 TAC § 390.2(a)(4)(B)(vii)
1 TAC § 390.2(a)(4)(B)(viii)
1 TAC § 390.2(a)(4)(B)(ix)
1 TAC § 390.2(a)(4)(B)(x)
1 TAC § 390.2(a)(4)(B)(xii)
1 TAC § 390.2(a)(4)(B)(xiv)
1 TAC § 390.2(a)(4)(B)(xv)
1 TAC § 390.2(a)(4)(B)(xvi)
1 TAC § 390.2(a)(4)(B)(xviii)(I)
1 TAC § 390.2(a)(4)(B)(xviii)(II)
1 TAC § 390.2(a)(4)(B)(xviii)(III)
1 TAC § 390.2(a)(4)(B)(xviii)(IV)
1 TAC § 390.2(a)(4)(C)(i)
1 TAC § 390.2(a)(4)(C)(ii)
1 TAC § 390.2(a)(4)(C)(iii)
1 TAC § 390.2(b)
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
13.k Use and Disclosure
07.e Information Labeling and Handling
13.a Privacy Notice
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.a Privacy Notice
13.k Use and Disclosure
13.a Privacy Notice
11.a Reporting Information Security Events
13.a Privacy Notice
02.f Disciplinary Process
06.a Identification of Applicable Legislation
13.k Use and Disclosure
02.f Disciplinary Process
02.f Disciplinary Process
11.a Reporting Information Security Events
11.a Reporting Information Security Events
13.a Privacy Notice
13.d Consent
13.a Privacy Notice
13.k Use and Disclosure
03.a Risk Management Program Development
 Authoritative Source
16 CFR Part § 681 Appendix A I
16 CFR Part § 681 Appendix A II
16 CFR Part § 681 Appendix A II(b)
16 CFR Part § 681 Appendix A II(c)
16 CFR Part § 681 Appendix A III(b)
16 CFR Part § 681 Appendix A IV(a)
16 CFR Part § 681 Appendix A IV(b)
16 CFR Part § 681 Appendix A IV(c)
16 CFR Part § 681 Appendix A IV(d)
16 CFR Part § 681 Appendix A IV(e)
16 CFR Part § 681 Appendix A IV(f)
16 CFR Part § 681 Appendix A IV(g)
16 CFR Part § 681 Appendix A IV(h)
16 CFR Part § 681 Appendix A IV(i)
16 CFR Part § 681 Appendix A V
16 CFR Part § 681 Appendix A V(a)
16 CFR Part § 681 Appendix A V(b)
16 CFR Part § 681 Appendix A V(c)
16 CFR Part § 681 Appendix A V(d)
16 CFR Part § 681 Appendix A V(e)
16 CFR Part § 681 Appendix A VI(a)
16 CFR Part § 681 Appendix A VI(b)
16 CFR Part § 681 Appendix A VI(c)
16 CFR Part § 681 Appendix A VII(a)
16 CFR Part § 681 Appendix A VII(b)
16 CFR Part § 681 Appendix A VII(c)
16 CFR Part § 681 Appendix A VII(d)
16 CFR Part § 681.1 (b)(3)
16 CFR Part § 681.1 (c)
16 CFR Part § 681.1 (d)(1)
16 CFR Part § 681.1 (d)(2)
16 CFR Part § 681.1 (e)
16 CFR Part § 681.1 (e)(1)
16 CFR Part § 681.1 (e)(2)
16 CFR Part § 681.1 (e)(3)
16 CFR Part § 681.1 (e)(4)
16 CFR Part § 681.1 (f)
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
03.a Risk Management Program Development
03.a Risk Management Program Development
03.b Performing Risk Assessments
11.b Reporting Security Weaknesses
01.j User Authentication for External Connections
09.ab Monitoring System Use
11.c Responsibilities and Procedures
11.e Collection of Evidence
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
03.a Risk Management Program Development
03.d Risk Evaluation
03.d Risk Evaluation
03.d Risk Evaluation
03.d Risk Evaluation
03.d Risk Evaluation
03.d Risk Evaluation
05.c Allocation of Information Security Responsibilities
05.c Allocation of Information Security Responsibilities
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.g Managing Changes to Third Party Services
06.a Identification of Applicable Legislation
06.a Identification of Applicable Legislation
06.a Identification of Applicable Legislation
06.a Identification of Applicable Legislation
03.a Risk Management Program Development
03.b Performing Risk Assessments
03.a Risk Management Program Development
03.a Risk Management Program Development
09.f Monitoring and Review of Third Party Services
05.a Management Commitment to Information Security
05.a Management Commitment to Information Security
02.e Information Security Awareness, Education, and Training
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.g Managing Changes to Third Party Services
09.n Security of Network Services
03.a Risk Management Program Development
 Authoritative Source HITRUST Control Reference
201 CMR 17.03(1) 06.a Identification of Applicable Legislation
201 CMR 17.03(2)(a) 05.a Management Commitment to Information Security
05.h Independent Review of Information Security
201 CMR 17.03(2)(b) 03.b Performing Risk Assessments
05.h Independent Review of Information Security
201 CMR 17.03(2)(c) 07.c Acceptable Use of Assets
09.o Management of Removable Media
09.q Information Handling Procedures
09.t Exchange Agreements
201 CMR 17.03(2)(d) 02.f Disciplinary Process
201 CMR 17.03(2)(e) 02.h Return of Assets
201 CMR 17.03(2)(f) 05.k Addressing Security in Third Party Agreements
201 CMR 17.03(2)(f)(2) 09.e Service Delivery
201 CMR 17.03(2)(g) 06.c Protection of Organizational Records
07.e Information Labeling and Handling
09.q Information Handling Procedures
201 CMR 17.03(2)(h) 01.e Review of User Access Rights
09.ab Monitoring System Use
201 CMR 17.03(2)(j) 11.a Reporting Information Security Events
11.c Responsibilities and Procedures
201 CMR 17.04(1)(a) 01.q User Identification and Authentication
201 CMR 17.04(1)(b) 01.d User Password Management
01.f Password Use
01.r Password Management System
201 CMR 17.04(1)(c) 01.r Password Management System
201 CMR 17.04(1)(d) 01.b User Registration
201 CMR 17.04(1)(e) 01.f Password Use
201 CMR 17.04(2)(a) 01.b User Registration
01.c Privilege Management
201 CMR 17.04(2)(b) 01.b User Registration
01.q User Identification and Authentication
201 CMR 17.04(2)(d) 01.b User Registration
201 CMR 17.04(3) 09.s Information Exchange Policies and Procedures
09.v Electronic Messaging
201 CMR 17.04(5) 09.o Management of Removable Media
201 CMR 17.04(6) 01.n Network Connection Control
10.m Control of Technical Vulnerabilities
201 CMR 17.04(7) 09.j Controls Against Malicious Code
201 CMR 17.04(8) 02.e Information Security Awareness, Education, and Training

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

 Authoritative Source HITRUST Control Reference
21 CFR Part 11.10(a) 10.h Control of Operational Software
21 CFR Part 11.10(b) 09.aa Audit Logging
21 CFR Part 11.10(c) 06.c Protection of Organizational Records
21 CFR Part 11.10(d) 01.a Access Control Policy
01.b User Registration
01.c Privilege Management
01.e Review of User Access Rights
01.j User Authentication for External Connections
01.q User Identification and Authentication
01.t Session Time-out
01.u Limitation of Connection Time
08.b Physical Entry Controls
21 CFR Part 11.10(e) 09.aa Audit Logging
21 CFR Part 11.10(f) 10.c Control of Internal Processing
21 CFR Part 11.10(g) 01.b User Registration
01.c Privilege Management
01.q User Identification and Authentication
21 CFR Part 11.10(h) 10.b Input Data Validation
21 CFR Part 11.10(i) 02.e Information Security Awareness, Education, and Training
21 CFR Part 11.10(j) 02.f Disciplinary Process
21 CFR Part 11.10(k) 09.a Documented Operations Procedures
21 CFR Part 11.100(a) 01.q User Identification and Authentication
21 CFR Part 11.100(b) 01.b User Registration
21 CFR Part 11.100(c) 10.f Policy on the Use of Cryptographic Controls
21 CFR Part 11.200(a) 01.d User Password Management
21 CFR Part 11.200(b) 01.q User Identification and Authentication
21 CFR Part 11.3 01.d User Password Management
21 CFR Part 11.30 06.c Protection of Organizational Records
06.d Data Protection and Privacy of Covered Information
09.n Security of Network Services
21 CFR Part 11.300 01.d User Password Management
21 CFR Part 11.50(a) 01.q User Identification and Authentication
21 CFR Part 11.50(b) 01.q User Identification and Authentication
21 CFR Part 11.70 01.q User Identification and Authentication

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

 Authoritative Source
23 NYCRR 500.017(a)
23 NYCRR 500.017(a)(1)
23 NYCRR 500.017(a)(2)
23 NYCRR 500.02(c)
23 NYCRR 500.02(d)
23 NYCRR 500.04(a)(1)
23 NYCRR 500.04(a)(2)
23 NYCRR 500.04(a)(3)
23 NYCRR 500.04(b)
23 NYCRR 500.04(b)(1)
23 NYCRR 500.04(b)(2)
23 NYCRR 500.04(b)(3)
23 NYCRR 500.04(b)(4)
23 NYCRR 500.04(b)(5)
23 NYCRR 500.06(b)
23 NYCRR 500.09(b)(1)
23 NYCRR 500.14(b)
23 NYCRR 500.15(a)(1)
23 NYCRR 500.17(b)
23 NYCRR 500.19(e)
23 NYCRR 500.21
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.a Reporting Information Security Events
00.a Information Security Management Program
00.a Information Security Management Program
05.a Management Commitment to Information Security
05.a Management Commitment to Information Security
05.a Management Commitment to Information Security
05.a Management Commitment to Information Security
05.a Management Commitment to Information Security
05.a Management Commitment to Information Security
05.a Management Commitment to Information Security
05.a Management Commitment to Information Security
05.a Management Commitment to Information Security
09.l Back-up
09.aa Audit Logging
10.b Input Data Validation
03.b Performing Risk Assessments
02.e Information Security Awareness, Education, and Training
06.d Data Protection and Privacy of Covered Information
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
Authoritative Source
45 CFR Part § 164.402(2) HIPAA.BN
45 CFR Part § 164.404(a)(1) HIPAA.BN
45 CFR Part § 164.404(a)(2) HIPAA.BN
45 CFR Part § 164.404(b) HIPAA.BN
45 CFR Part § 164.404(c)(1) HIPAA.BN
45 CFR Part § 164.404(c)(2) HIPAA.BN
45 CFR Part § 164.404(c)(3) HIPAA.BN
45 CFR Part § 164.404(d)(1) HIPAA.BN
45 CFR Part § 164.404(d)(2) HIPAA.BN
45 CFR Part § 164.404(d)(3) HIPAA.BN
45 CFR Part § 164.406(a) HIPAA.BN
45 CFR Part § 164.406(b) HIPAA.BN
45 CFR Part § 164.406(c) HIPAA.BN
45 CFR Part § 164.408(a) HIPAA.BN
45 CFR Part § 164.408(b) HIPAA.BN
45 CFR Part § 164.408(c) HIPAA.BN
45 CFR Part § 164.410(a)(1) HIPAA.BN
45 CFR Part § 164.410(a)(2) HIPAA.BN
45 CFR Part § 164.410(b) HIPAA.BN
45 CFR Part § 164.410(c)(1) HIPAA.BN
45 CFR Part § 164.410(c)(2) HIPAA.BN
45 CFR Part § 164.414(a) HIPAA.BN
45 CFR Part § 164.414(b) HIPAA.BN
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
03.b Performing Risk Assessments
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
05.k Addressing Security in Third Party Agreements
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.e Collection of Evidence
05.k Addressing Security in Third Party Agreements
11.a Reporting Information Security Events
05.k Addressing Security in Third Party Agreements
11.a Reporting Information Security Events
05.k Addressing Security in Third Party Agreements
11.a Reporting Information Security Events
05.k Addressing Security in Third Party Agreements
11.a Reporting Information Security Events
05.k Addressing Security in Third Party Agreements
11.a Reporting Information Security Events
02.e Information Security Awareness, Education, and Training
02.f Disciplinary Process
04.a Information Security Policy Document
04.b Review of the Information Security Policy
06.c Protection of Organizational Records
05.k Addressing Security in Third Party Agreements
11.a Reporting Information Security Events
11.e Collection of Evidence
 Authoritative Source HITRUST Control Reference
45 CFR Part § 160.103 HIPAA.GE 06.c Protection of Organizational Records
45 CFR Part § 164.105(c)(2) HIPAA.GE 13.l Retention and Disposal

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

Authoritative Source
45 CFR Part § 164.502(a) HIPAA.PR
45 CFR Part § 164.502(a)(2) HIPAA.PR
45 CFR Part § 164.502(a)(3) HIPAA.PR
45 CFR Part § 164.502(a)(4) HIPAA.PR
45 CFR Part § 164.502(a)(5) HIPAA.PR
45 CFR Part § 164.502(f) HIPAA.PR
45 CFR Part § 164.502(g) HIPAA.PR
45 CFR Part § 164.502(j)(2) HIPAA.PR
45 CFR Part § 164.504(e) HIPAA.PR
45 CFR Part § 164.504(e)(1) HIPAA.PR
45 CFR Part § 164.504(f) HIPAA.PR
45 CFR Part § 164.504(f)(1)(i) HIPAA.PR
45 CFR Part § 164.504(f)(1)(iii) HIPAA.PR
45 CFR Part § 164.504(f)(2)(ii) HIPAA.PR
45 CFR Part § 164.504(f)(2)(iii) HIPAA.PR
45 CFR Part § 164.504(g)(2) HIPAA.PR
45 CFR Part § 164.506(a) HIPAA.PR
45 CFR Part § 164.508(2) HIPAA.PR
45 CFR Part § 164.508(a)(1) HIPAA.PR
45 CFR Part § 164.508(a)(2) HIPAA.PR
45 CFR Part § 164.508(b) HIPAA.PR
45 CFR Part § 164.508(b)(4) HIPAA.PR
45 CFR Part § 164.508(b)(5) HIPAA.PR
45 CFR Part § 164.508(c) HIPAA.PR
45 CFR Part § 164.508(c)(1)(i) HIPAA.PR
45 CFR Part § 164.508(c)(3) HIPAA.PR
45 CFR Part § 164.510 HIPAA.PR
45 CFR Part § 164.510(a) HIPAA.PR
45 CFR Part § 164.510(a)(2) HIPAA.PR
45 CFR Part § 164.510(b) HIPAA.PR
45 CFR Part § 164.510(b)(2) HIPAA.PR
45 CFR Part § 164.510(b)(3) HIPAA.PR
45 CFR Part § 164.510(b)(5) HIPAA.PR
45 CFR Part § 164.512(a)(1) HIPAA.PR
45 CFR Part § 164.512(b) HIPAA.PR
45 CFR Part § 164.512(c) HIPAA.PR
45 CFR Part § 164.512(d) HIPAA.PR
45 CFR Part § 164.512(e) HIPAA.PR
45 CFR Part § 164.512(f)(1) HIPAA.PR
45 CFR Part § 164.512(f)(2) HIPAA.PR
45 CFR Part § 164.512(f)(3) HIPAA.PR
45 CFR Part § 164.512(f)(4) HIPAA.PR
45 CFR Part § 164.512(f)(5) HIPAA.PR
45 CFR Part § 164.512(f)(6) HIPAA.PR
45 CFR Part § 164.512(g) HIPAA.PR
45 CFR Part § 164.512(h) HIPAA.PR
45 CFR Part § 164.512(i) HIPAA.PR
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
13.f Principle Access
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.j Data Minimization
13.k Use and Disclosure
06.c Protection of Organizational Records
13.e Choice
13.k Use and Disclosure
13.k Use and Disclosure
13.r Privacy Requirements for Contractors and Processors
13.r Privacy Requirements for Contractors and Processors
13.r Privacy Requirements for Contractors and Processors
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.d Consent
13.d Consent
13.d Consent
13.d Consent
13.d Consent
13.e Choice
13.d Consent
13.d Consent
13.d Consent
05.j Addressing Security When Dealing with Customers
13.e Choice
13.e Choice
13.e Choice
13.k Use and Disclosure
13.e Choice
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
45 CFR Part § 164.512(i)(1) HIPAA.PR 13.k Use and Disclosure
45 CFR Part § 164.512(i)(1)(i) HIPAA.PR 13.k Use and Disclosure
45 CFR Part § 164.512(j) HIPAA.PR 13.k Use and Disclosure
45 CFR Part § 164.512(k)(1) HIPAA.PR 13.k Use and Disclosure
45 CFR Part § 164.512(k)(2) HIPAA.PR 13.k Use and Disclosure
45 CFR Part § 164.512(k)(3) HIPAA.PR 13.k Use and Disclosure
45 CFR Part § 164.512(k)(4) HIPAA.PR 13.k Use and Disclosure
45 CFR Part § 164.512(k)(5) HIPAA.PR 13.k Use and Disclosure
45 CFR Part § 164.512(k)(6)(i) HIPAA.PR 13.k Use and Disclosure
45 CFR Part § 164.512(k)(6)(ii) HIPAA.PR 13.k Use and Disclosure
45 CFR Part § 164.512(l) HIPAA.PR 13.k Use and Disclosure
45 CFR Part § 164.514(a) HIPAA.PR 13.j Data Minimization
45 CFR Part § 164.514(b) HIPAA.PR 13.j Data Minimization
45 CFR Part § 164.514(c) HIPAA.PR 13.j Data Minimization
45 CFR Part § 164.514(d)(3) HIPAA.PR 13.k Use and Disclosure
45 CFR Part § 164.514(d)(4) HIPAA.PR 13.j Data Minimization
45 CFR Part § 164.514(e) HIPAA.PR 13.j Data Minimization
13.k Use and Disclosure
45 CFR Part § 164.514(f)(1) HIPAA.PR 13.k Use and Disclosure
45 CFR Part § 164.514(g) HIPAA.PR 13.k Use and Disclosure
45 CFR Part § 164.514(h) HIPAA.PR 13.f Principle Access
45 CFR Part § 164.520(a) HIPAA.PR 13.a Privacy Notice
45 CFR Part § 164.520(a)(2) HIPAA.PR 13.a Privacy Notice
45 CFR Part § 164.520(b) HIPAA.PR 13.b Openness and Transparency
45 CFR Part § 164.520(c)(1)(ii) HIPAA.PR 13.a Privacy Notice
45 CFR Part § 164.520(c)(1)(iii) HIPAA.PR 13.a Privacy Notice
45 CFR Part § 164.520(c)(1)(v)(B) HIPAA.PR 13.a Privacy Notice
45 CFR Part § 164.520(c)(3)(ii) HIPAA.PR 13.a Privacy Notice
45 CFR Part § 164.520(e) HIPAA.PR 06.c Protection of Organizational Records
45 CFR Part § 164.521(a)(3) HIPAA.PR 13.f Principle Access
45 CFR Part § 164.522(a) HIPAA.PR 13.e Choice
45 CFR Part § 164.522(a)(2) HIPAA.PR 13.e Choice
45 CFR Part § 164.522(a)(3) HIPAA.PR 06.c Protection of Organizational Records
45 CFR Part § 164.522(a)(3) HIPAA.PR 13.e Choice
45 CFR Part § 164.522(b) HIPAA.PR 13.f Principle Access
45 CFR Part § 164.522(b)(1) HIPAA.PR 13.f Principle Access
45 CFR Part § 164.522(b)(2) HIPAA.PR 13.f Principle Access
45 CFR Part § 164.522(b)(2)(i) HIPAA.PR 13.f Principle Access
45 CFR Part § 164.524(b) HIPAA.PR 13.f Principle Access
45 CFR Part § 164.524(c)(2) HIPAA.PR 13.f Principle Access
45 CFR Part § 164.524(c)(3)(ii) HIPAA.PR 13.f Principle Access
45 CFR Part § 164.524(d) HIPAA.PR 13.f Principle Access
45 CFR Part § 164.524(d)(4) HIPAA.PR 13.f Principle Access
45 CFR Part § 164.524(e) HIPAA.PR 06.c Protection of Organizational Records
45 CFR Part § 164.526(a)(1) HIPAA.PR 13.f Principle Access
13.l Retention and Disposal
13.n Participation and Redress
45 CFR Part § 164.526(a)(2) HIPAA.PR 13.f Principle Access
45 CFR Part § 164.526(b)(1) HIPAA.PR 13.n Participation and Redress
45 CFR Part § 164.526(b)(2) HIPAA.PR 13.f Principle Access
45 CFR Part § 164.526(c) HIPAA.PR 13.f Principle Access
45 CFR Part § 164.526(d) HIPAA.PR 13.f Principle Access
© 2019 HITRUST. All rights reserved.
45 CFR Part § 164.526(e) HIPAA.PR
45 CFR Part § 164.526(f) HIPAA.PR
45 CFR Part § 164.528(a) HIPAA.PR
45 CFR Part § 164.528(a)(2)(i) HIPAA.PR
45 CFR Part § 164.528(b) HIPAA.PR
45 CFR Part § 164.528(c) HIPAA.PR
45 CFR Part § 164.528(d) HIPAA.PR
45 CFR Part § 164.530(a) HIPAA.PR
45 CFR Part § 164.530(a)(2)(i) HIPAA.PR
45 CFR Part § 164.530(b) HIPAA.PR
45 CFR Part § 164.530(b)(1) HIPAA.PR
45 CFR Part § 164.530(b)(2) HIPAA.PR
45 CFR Part § 164.530(c)(1) HIPAA.PR
45 CFR Part § 164.530(d) HIPAA.PR
45 CFR Part § 164.530(d)(1) HIPAA.PR
45 CFR Part § 164.530(e) HIPAA.PR
45 CFR Part § 164.530(e)(1) HIPAA.PR
45 CFR Part § 164.530(e)(2) HIPAA.PR
45 CFR Part § 164.530(f) HIPAA.PR
45 CFR Part § 164.530(g) HIPAA.PR
45 CFR Part § 164.530(i) HIPAA.PR
45 CFR Part § 164.530(i)(2) HIPAA.PR
45 CFR Part § 164.530(i)(3) HIPAA.PR
45 CFR Part § 164.530(i)(5) HIPAA.PR
45 CFR Part § 164.530(j) HIPAA.PR
45 CFR Part § 164.530(j)(2) HIPAA.PR
45 CFR Part §164.502(j)(1) HIPAA.PR
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
13.f Principle Access
13.n Participation and Redress
05.j Addressing Security When Dealing with Customers
13.c Accounting of Disclosures
13.c Accounting of Disclosures
13.c Accounting of Disclosures
13.c Accounting of Disclosures
06.c Protection of Organizational Records
13.c Accounting of Disclosures
06.d Data Protection and Privacy of Covered Information
06.d Data Protection and Privacy of Covered Information
06.d Data Protection and Privacy of Covered Information
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
06.d Data Protection and Privacy of Covered Information
13.o Compliant Management
04.b Review of the Information Security Policy
02.f Disciplinary Process
02.f Disciplinary Process
02.f Disciplinary Process
03.c Risk Mitigation
13.e Choice
04.a Information Security Policy Document
04.b Review of the Information Security Policy
04.b Review of the Information Security Policy
04.b Review of the Information Security Policy
04.b Review of the Information Security Policy
06.c Protection of Organizational Records
06.c Protection of Organizational Records
13.c Accounting of Disclosures
13.k Use and Disclosure
Authoritative Source
45 CFR Part § 164.306(a)(1) HIPAA.SR
45 CFR Part § 164.306(e) HIPAA.SR
45 CFR Part § 164.308(a)(1)(i) HIPAA.SR
45 CFR Part § 164.308(a)(1)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(1)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(1)(ii)(C) HIPAA.SR
45 CFR Part § 164.308(a)(1)(ii)(D) HIPAA.SR
45 CFR Part § 164.308(a)(2) HIPAA.SR
45 CFR Part § 164.308(a)(3)(i) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(A) HIPAA.SR
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
09.t Exchange Agreements
03.c Risk Mitigation
00.a Information Security Management Program
02.a Roles and Responsibilities
03.a Risk Management Program Development
05.a Management Commitment to Information Security
05.h Independent Review of Information Security
09.t Exchange Agreements
00.a Information Security Management Program
03.a Risk Management Program Development
03.b Performing Risk Assessments
03.d Risk Evaluation
05.i Identification of Risks Related to External Parties
07.d Classification Guidelines
10.a Security Requirements Analysis and Specification
00.a Information Security Management Program
03.a Risk Management Program Development
03.b Performing Risk Assessments
03.c Risk Mitigation
05.b Information Security Coordination
05.i Identification of Risks Related to External Parties
06.i Information Systems Audit Controls
07.d Classification Guidelines
10.a Security Requirements Analysis and Specification
02.f Disciplinary Process
06.e Prevention of Misuse of Information Assets
11.a Reporting Information Security Events
05.h Independent Review of Information Security
06.e Prevention of Misuse of Information Assets
06.f Regulation of Cryptographic Controls
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
06.i Information Systems Audit Controls
09.ab Monitoring System Use
09.ae Fault Logging
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
03.b Performing Risk Assessments
05.a Management Commitment to Information Security
05.c Allocation of Information Security Responsibilities
05.d Authorization Process for Information Assets and Facilities
06.g Compliance with Security Policies and Standards
01.a Access Control Policy
01.c Privilege Management
01.i Policy on the Use of Network Services
01.q User Identification and Authentication
01.s Use of System Utilities
01.v Information Access Restriction
01.y Teleworking
02.a Roles and Responsibilities
09.c Segregation of Duties
09.q Information Handling Procedures
01.a Access Control Policy
01.b User Registration
01.c Privilege Management
01.e Review of User Access Rights
01.i Policy on the Use of Network Services

45 CFR Part § 164.308(a)(3)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(3)(ii)(C) HIPAA.SR
45 CFR Part § 164.308(a)(4)(i) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(4)(ii)(B) HIPAA.SR
© 2019 HITRUST. All rights reserved.
01.m Segregation in Networks
01.o Network Routing Control
01.s Use of System Utilities
01.v Information Access Restriction
02.a Roles and Responsibilities
02.c Terms and Conditions of Employment
02.d Management Responsibilities
02.i Removal of Access Rights
05.e Confidentiality Agreements
05.k Addressing Security in Third Party Agreements
06.e Prevention of Misuse of Information Assets
08.e Working in Secure Areas
08.j Equipment Maintenance
09.q Information Handling Procedures
09.ab Monitoring System Use
01.b User Registration
01.e Review of User Access Rights
01.m Segregation in Networks
01.o Network Routing Control
01.y Teleworking
02.a Roles and Responsibilities
02.b Screening
02.c Terms and Conditions of Employment
02.g Termination or Change Responsibilities
02.i Removal of Access Rights
01.b User Registration
01.e Review of User Access Rights
02.a Roles and Responsibilities
02.g Termination or Change Responsibilities
02.h Return of Assets
02.i Removal of Access Rights
01.a Access Control Policy
01.b User Registration
01.c Privilege Management
01.e Review of User Access Rights
01.i Policy on the Use of Network Services
01.m Segregation in Networks
01.s Use of System Utilities
01.v Information Access Restriction
02.i Removal of Access Rights
06.e Prevention of Misuse of Information Assets
09.c Segregation of Duties
09.ab Monitoring System Use
10.i Protection of System Test Data
10.j Access Control to Program Source Code
10.k Change Control Procedures
01.a Access Control Policy
01.c Privilege Management
01.s Use of System Utilities
01.v Information Access Restriction
09.c Segregation of Duties
01.a Access Control Policy
01.b User Registration
01.c Privilege Management
01.e Review of User Access Rights
01.i Policy on the Use of Network Services
01.p Secure Log-on Procedures
01.s Use of System Utilities
01.v Information Access Restriction

45 CFR Part § 164.308(a)(4)(ii)(C) HIPAA.SR
45 CFR Part § 164.308(a)(5)(i) HIPAA.SR
45 CFR Part § 164.308(a)(5)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(5)(ii)(B) HIPAA.SR
45 CFR Part § 164.308(a)(5)(ii)(C) HIPAA.SR
45 CFR Part § 164.308(a)(5)(ii)(D) HIPAA.SR
45 CFR Part § 164.308(a)(6)(i) HIPAA.SR
45 CFR Part § 164.308(a)(6)(ii) HIPAA.SR
45 CFR Part § 164.308(a)(7)(i) HIPAA.SR
45 CFR Part § 164.308(a)(7)(ii)(A) HIPAA.SR
45 CFR Part § 164.308(a)(7)(ii)(B) HIPAA.SR
© 2019 HITRUST. All rights reserved.
01.y Teleworking
02.c Terms and Conditions of Employment
02.d Management Responsibilities
02.i Removal of Access Rights
05.d Authorization Process for Information Assets and Facilities
05.k Addressing Security in Third Party Agreements
06.e Prevention of Misuse of Information Assets
09.s Information Exchange Policies and Procedures
09.ab Monitoring System Use
01.b User Registration
01.c Privilege Management
01.e Review of User Access Rights
01.i Policy on the Use of Network Services
01.s Use of System Utilities
01.v Information Access Restriction
01.y Teleworking
02.i Removal of Access Rights
02.e Information Security Awareness, Education, and Training
05.c Allocation of Information Security Responsibilities
09.j Controls Against Malicious Code
02.e Information Security Awareness, Education, and Training
05.g Contact with Special Interest Groups
02.e Information Security Awareness, Education, and Training
09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
09.ab Monitoring System Use
01.b User Registration
01.c Privilege Management
01.e Review of User Access Rights
02.e Information Security Awareness, Education, and Training
09.aa Audit Logging
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
09.ae Fault Logging
01.b User Registration
01.d User Password Management
01.f Password Use
01.p Secure Log-on Procedures
01.q User Identification and Authentication
01.r Password Management System
02.e Information Security Awareness, Education, and Training
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
05.f Contact with Authorities
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
11.e Collection of Evidence
12.a Including Information Security in the Business Continuity Management Process
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
09.l Back-up
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
09.l Back-up
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework

45 CFR Part § 164.308(a)(7)(ii)(C) HIPAA.SR
45 CFR Part § 164.308(a)(7)(ii)(D) HIPAA.SR
45 CFR Part § 164.308(a)(7)(ii)(E) HIPAA.SR
45 CFR Part § 164.308(a)(8) HIPAA.SR
45 CFR Part § 164.308(b)(1) HIPAA.SR
45 CFR Part § 164.308(b)(3) HIPAA.SR
45 CFR Part § 164.310(a)(1) HIPAA.SR
45 CFR Part § 164.310(a)(2)(i) HIPAA.SR
45 CFR Part § 164.310(a)(2)(ii) HIPAA.SR
© 2019 HITRUST. All rights reserved.
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
08.h Supporting Utilities
12.a Including Information Security in the Business Continuity Management Process
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
02.e Information Security Awareness, Education, and Training
12.a Including Information Security in the Business Continuity Management Process
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
03.b Performing Risk Assessments
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
00.a Information Security Management Program
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
05.b Information Security Coordination
05.d Authorization Process for Information Assets and Facilities
05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
09.i System Acceptance
10.m Control of Technical Vulnerabilities
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
02.d Management Responsibilities
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.n Security of Network Services
09.t Exchange Agreements
09.w Interconnected Business Information Systems
10.l Outsourced Software Development
05.e Confidentiality Agreements
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.n Security of Network Services
09.t Exchange Agreements
09.w Interconnected Business Information Systems
10.l Outsourced Software Development
01.g Unattended User Equipment
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
08.d Protecting Against External and Environmental Threats
08.g Equipment Siting and Protection
08.i Cabling Security
01.y Teleworking
12.a Including Information Security in the Business Continuity Management Process
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
05.b Information Security Coordination
06.i Information Systems Audit Controls
08.d Protecting Against External and Environmental Threats
45 CFR Part § 164.310(a)(2)(ii) HIPAA.SR
45 CFR Part § 164.310(a)(2)(iii) HIPAA.SR
45 CFR Part § 164.310(a)(2)(iv) HIPAA.SR
45 CFR Part § 164.310(b) HIPAA.SR
45 CFR Part § 164.310(c) HIPAA.SR
45 CFR Part § 164.310(d)(1) HIPAA.SR
45 CFR Part § 164.310(d)(2)(i) HIPAA.SR
© 2019 HITRUST. All rights reserved.
08.g Equipment Siting and Protection
01.b User Registration
01.l Remote Diagnostic and Configuration Port Protection
01.s Use of System Utilities
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
08.d Protecting Against External and Environmental Threats
08.e Working in Secure Areas
08.g Equipment Siting and Protection
08.j Equipment Maintenance
09.a Documented Operations Procedures
01.g Unattended User Equipment
01.h Clear Desk and Clear Screen Policy
01.j User Authentication for External Connections
01.l Remote Diagnostic and Configuration Port Protection
01.m Segregation in Networks
01.n Network Connection Control
01.s Use of System Utilities
01.t Session Time-out
01.v Information Access Restriction
01.x Mobile Computing and Communications
01.y Teleworking
02.c Terms and Conditions of Employment
05.e Confidentiality Agreements
06.e Prevention of Misuse of Information Assets
07.e Information Labeling and Handling
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
09.q Information Handling Procedures
09.s Information Exchange Policies and Procedures
09.w Interconnected Business Information Systems
01.g Unattended User Equipment
01.h Clear Desk and Clear Screen Policy
01.l Remote Diagnostic and Configuration Port Protection
01.x Mobile Computing and Communications
07.e Information Labeling and Handling
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
08.e Working in Secure Areas
08.g Equipment Siting and Protection
08.i Cabling Security
08.k Security of Equipment Off-Premises
09.o Management of Removable Media
09.q Information Handling Procedures
07.a Inventory of Assets
07.b Ownership of Assets
07.e Information Labeling and Handling
08.k Security of Equipment Off-Premises
08.l Secure Disposal or Re-Use of Equipment
08.m Removal of Property
09.o Management of Removable Media
09.p Disposal of Media
09.q Information Handling Procedures
09.t Exchange Agreements
09.u Physical Media in Transit
07.a Inventory of Assets
08.l Secure Disposal or Re-Use of Equipment
45 CFR Part § 164.310(d)(2)(i) HIPAA.SR
45 CFR Part § 164.310(d)(2)(ii) HIPAA.SR
45 CFR Part § 164.310(d)(2)(iii) HIPAA.SR
45 CFR Part § 164.310(d)(2)(iv) HIPAA.SR
45 CFR Part § 164.312(a)(1) HIPAA.SR
45 CFR Part § 164.312(a)(2)(i) HIPAA.SR
45 CFR Part § 164.312(a)(2)(ii) HIPAA.SR
45 CFR Part § 164.312(a)(2)(iii) HIPAA.SR
45 CFR Part § 164.312(a)(2)(iv) HIPAA.SR
45 CFR Part § 164.312(b) HIPAA.SR
45 CFR Part § 164.312(c)(1) HIPAA.SR
© 2019 HITRUST. All rights reserved.
09.p Disposal of Media
08.l Secure Disposal or Re-Use of Equipment
09.p Disposal of Media
02.c Terms and Conditions of Employment
07.a Inventory of Assets
07.b Ownership of Assets
08.k Security of Equipment Off-Premises
08.m Removal of Property
09.o Management of Removable Media
09.u Physical Media in Transit
09.l Back-up
09.o Management of Removable Media
01.a Access Control Policy
01.c Privilege Management
01.e Review of User Access Rights
01.i Policy on the Use of Network Services
01.s Use of System Utilities
01.v Information Access Restriction
09.c Segregation of Duties
10.i Protection of System Test Data
10.j Access Control to Program Source Code
10.k Change Control Procedures
01.b User Registration
01.c Privilege Management
01.h Clear Desk and Clear Screen Policy
01.k Equipment Identification in Networks
01.q User Identification and Authentication
01.s Use of System Utilities
01.v Information Access Restriction
09.m Network Controls
01.a Access Control Policy
01.b User Registration
01.c Privilege Management
01.s Use of System Utilities
02.i Removal of Access Rights
12.a Including Information Security in the Business Continuity Management Process
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
01.g Unattended User Equipment
01.h Clear Desk and Clear Screen Policy
01.t Session Time-out
01.s Use of System Utilities
06.f Regulation of Cryptographic Controls
10.f Policy on the Use of Cryptographic Controls
10.g Key Management
01.s Use of System Utilities
06.i Information Systems Audit Controls
09.h Capacity Management
09.aa Audit Logging
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
09.ae Fault Logging
04.a Information Security Policy Document
08.k Security of Equipment Off-Premises
09.l Back-up
09.m Network Controls
09.o Management of Removable Media
09.q Information Handling Procedures

45 CFR Part § 164.312(c)(2) HIPAA.SR
45 CFR Part § 164.312(d) HIPAA.SR
45 CFR Part § 164.312(e)(1) HIPAA.SR
45 CFR Part § 164.312(e)(2)(i) HIPAA.SR
45 CFR Part § 164.312(e)(2)(ii) HIPAA.SR
45 CFR Part § 164.314(a)(1) HIPAA.SR
45 CFR Part § 164.314(a)(2)(i) HIPAA.SR
45 CFR Part § 164.314(a)(2)(ii) HIPAA.SR
© 2019 HITRUST. All rights reserved.
09.u Physical Media in Transit
09.v Electronic Messaging
09.x Electronic Commerce Services
10.c Control of Internal Processing
10.d Message Integrity
09.m Network Controls
09.v Electronic Messaging
09.x Electronic Commerce Services
10.c Control of Internal Processing
10.d Message Integrity
01.b User Registration
01.j User Authentication for External Connections
01.k Equipment Identification in Networks
01.p Secure Log-on Procedures
01.q User Identification and Authentication
09.m Network Controls
01.o Network Routing Control
09.m Network Controls
09.s Information Exchange Policies and Procedures
09.v Electronic Messaging
09.x Electronic Commerce Services
09.m Network Controls
09.s Information Exchange Policies and Procedures
09.v Electronic Messaging
09.x Electronic Commerce Services
10.c Control of Internal Processing
10.d Message Integrity
06.f Regulation of Cryptographic Controls
09.m Network Controls
09.s Information Exchange Policies and Procedures
09.v Electronic Messaging
09.x Electronic Commerce Services
10.f Policy on the Use of Cryptographic Controls
10.g Key Management
02.c Terms and Conditions of Employment
02.d Management Responsibilities
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.n Security of Network Services
09.t Exchange Agreements
10.l Outsourced Software Development
02.c Terms and Conditions of Employment
02.d Management Responsibilities
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.t Exchange Agreements
10.a Security Requirements Analysis and Specification
10.l Outsourced Software Development
11.a Reporting Information Security Events
02.c Terms and Conditions of Employment
02.d Management Responsibilities
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
09.f Monitoring and Review of Third Party Services

45 CFR Part § 164.314(b)(1) HIPAA.SR
45 CFR Part § 164.314(b)(2)(i) HIPAA.SR
45 CFR Part § 164.314(b)(2)(iii) HIPAA.SR
45 CFR Part § 164.314(b)(2)(iv) HIPAA.SR
45 CFR Part § 164.316(a) HIPAA.SR
45 CFR Part § 164.316(b)(1) HIPAA.SR
45 CFR Part § 164.316(b)(2)(i) HIPAA.SR
45 CFR Part § 164.316(b)(2)(ii) HIPAA.SR
45 CFR Part § 164.316(b)(2)(iii) HIPAA.SR
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
09.n Security of Network Services
09.t Exchange Agreements
09.w Interconnected Business Information Systems
10.l Outsourced Software Development
05.k Addressing Security in Third Party Agreements
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
05.k Addressing Security in Third Party Agreements
05.k Addressing Security in Third Party Agreements
03.a Risk Management Program Development
03.b Performing Risk Assessments
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
05.b Information Security Coordination
06.i Information Systems Audit Controls
09.a Documented Operations Procedures
00.a Information Security Management Program
05.b Information Security Coordination
06.i Information Systems Audit Controls
04.a Information Security Policy Document
04.a Information Security Policy Document
00.a Information Security Management Program
05.b Information Security Coordination
06.i Information Systems Audit Controls
 Authoritative Source
AICPA 2017 A1.1
AICPA 2017 A1.2

AICPA 2017 A1.3

AICPA 2017 C1.1

AICPA 2017 C1.2

AICPA 2017 CC1.1

AICPA 2017 CC1.2

AICPA 2017 CC1.3

AICPA 2017 CC1.4

AICPA 2017 CC1.5

AICPA 2017 CC2.1

AICPA 2017 CC2.2

© 2019 HITRUST. All rights reserved.

 AICPA 2017 CC2.3

AICPA 2017 CC3.1

AICPA 2017 CC3.2

AICPA 2017 CC3.3

AICPA 2017 CC3.4

AICPA 2017 CC4.1

AICPA 2017 CC4.2

AICPA 2017 CC5.1

© 2019 HITRUST. All rights reserved.

 AICPA 2017 CC5.1

AICPA 2017 CC5.2

AICPA 2017 CC5.3

AICPA 2017 CC6.1

AICPA 2017 CC6.2

AICPA 2017 CC6.3

AICPA 2017 CC6.4

AICPA 2017 CC6.5

AICPA 2017 CC6.6

© 2019 HITRUST. All rights reserved.

 AICPA 2017 CC6.6

AICPA 2017 CC6.7

AICPA 2017 CC6.8

AICPA 2017 CC7.1

AICPA 2017 CC7.2

AICPA 2017 CC7.3

AICPA 2017 CC7.4

AICPA 2017 CC7.5

AICPA 2017 CC8.1

AICPA 2017 CC9.1

AICPA 2017 CC9.2

AICPA 2017 P1.1

© 2019 HITRUST. All rights reserved.

 AICPA 2017 P1.1

AICPA 2017 P2.1

AICPA 2017 P3.1

AICPA 2017 P3.2

AICPA 2017 P4.1

AICPA 2017 P4.2

AICPA 2017 P4.3

AICPA 2017 P5.1

AICPA 2017 P5.2

AICPA 2017 P6.1

AICPA 2017 P6.2

AICPA 2017 P6.3

AICPA 2017 P6.4

AICPA 2017 P6.5

AICPA 2017 P6.6

AICPA 2017 P6.7

AICPA 2017 P7.1

AICPA 2017 P8.1

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

 Authoritative Source HITRUST Control Reference
APEC II 15 13.a Privacy Notice
13.b Openness and Transparency
APEC II 15(a) 13.b Openness and Transparency
APEC II 15(b) 13.b Openness and Transparency
APEC II 15(c) 13.b Openness and Transparency
APEC II 15(d) 13.b Openness and Transparency
APEC II 15(e) 13.b Openness and Transparency
APEC II 16 13.a Privacy Notice
13.b Openness and Transparency
APEC II 18 13.i Collection Limitation
APEC IV 19 13.k Use and Disclosure
APEC VI 21 13.m Accuracy and Quality
APEC VIII 23(b) 13.f Principle Access
APEC VIII 23(c) 13.n Participation and Redress
APEC VIII 24 13.f Principle Access
APEC VIII 25 13.f Principle Access

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

Authoritative Source
CAQH Core Phase 1 102: Eligibility and Benefits 00.a Information Security Management Program
Certification Policy v1.1.0 Subsection 3.4
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
01.a Access Control Policy
01.b User Registration
01.c Privilege Management
01.d User Password Management
01.e Review of User Access Rights
01.f Password Use
01.h Clear Desk and Clear Screen Policy
01.i Policy on the Use of Network Services
01.q User Identification and Authentication
01.r Password Management System
01.t Session Time-out
01.v Information Access Restriction
02.e Information Security Awareness, Education, and Training
02.f Disciplinary Process
02.g Termination or Change Responsibilities
02.h Return of Assets
02.i Removal of Access Rights
03.a Risk Management Program Development
03.b Performing Risk Assessments
03.c Risk Mitigation
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
05.c Allocation of Information Security Responsibilities
05.h Independent Review of Information Security
05.k Addressing Security in Third Party Agreements
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
06.i Information Systems Audit Controls
07.a Inventory of Assets
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.d Protecting Against External and Environmental Threats
08.g Equipment Siting and Protection
08.j Equipment Maintenance
09.j Controls Against Malicious Code
09.l Back-up
09.m Network Controls
09.n Security of Network Services
09.o Management of Removable Media
09.p Disposal of Media
09.t Exchange Agreements
09.u Physical Media in Transit
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
09.ae Fault Logging
10.c Control of Internal Processing
10.d Message Integrity
10.f Policy on the Use of Cryptographic Controls
10.g Key Management
10.l Outsourced Software Development
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
11.e Collection of Evidence
12.c Developing and Implementing Continuity Plans Including Information Security
 12.d Business Continuity Planning Framework
CAQH Core Phase 1 153: Eligibility and Benefits 01.d User Password Management
Connectivity Rule v1.1.0 Subsection 5.2 01.f Password Use
01.q User Identification and Authentication
01.r Password Management System
09.m Network Controls
09.s Information Exchange Policies and Procedures
09.y On-line Transactions

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

Authoritative Source
CAQH Core Phase 2 202: Certification
Policy v2.1.0 Subsection 3.4
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
00.a Information Security Management Program
01.a Access Control Policy
01.b User Registration
01.c Privilege Management
01.e Review of User Access Rights
01.f Password Use
01.h Clear Desk and Clear Screen Policy
01.i Policy on the Use of Network Services
01.t Session Time-out
01.v Information Access Restriction
02.e Information Security Awareness, Education, and Training
02.f Disciplinary Process
02.g Termination or Change Responsibilities
02.h Return of Assets
02.i Removal of Access Rights
03.a Risk Management Program Development
03.b Performing Risk Assessments
03.c Risk Mitigation
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
05.c Allocation of Information Security Responsibilities
05.h Independent Review of Information Security
05.k Addressing Security in Third Party Agreements
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
06.i Information Systems Audit Controls
07.a Inventory of Assets
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.d Protecting Against External and Environmental Threats
08.g Equipment Siting and Protection
08.j Equipment Maintenance
09.j Controls Against Malicious Code
09.l Back-up
09.m Network Controls
09.n Security of Network Services
09.o Management of Removable Media
09.p Disposal of Media
09.t Exchange Agreements
09.u Physical Media in Transit
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
09.ae Fault Logging
10.c Control of Internal Processing
10.d Message Integrity
10.f Policy on the Use of Cryptographic Controls
10.g Key Management
10.l Outsourced Software Development
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
11.e Collection of Evidence
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

 Authoritative Source
CCPA 1798.100(a)
CCPA 1798.100(b)
CCPA 1798.100(c)
CCPA 1798.100(d)
CCPA 1798.105(a)
CCPA 1798.105(b)
CCPA 1798.105(c)
CCPA 1798.110(a)
CCPA 1798.115(a)
CCPA 1798.115(b)
CCPA 1798.115(c)
CCPA 1798.115(d)
CCPA 1798.120(b)
CCPA 1798.120(c)
CCPA 1798.125(a)
CCPA 1798.125(b)
CCPA 1798.130(a)
CCPA 1798.130(a)(5)
CCPA 1798.130(a)(6)
CCPA 1798.135(a)
CCPA 1798.145(g)
CCPA 1798.150(a)
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
13.f Principle Access
13.b Openness and Transparency
13.f Principle Access
13.f Principle Access
13.n Participation and Redress
13.b Openness and Transparency
13.f Principle Access
13.b Openness and Transparency
13.f Principle Access
13.f Principle Access
13.b Openness and Transparency
13.d Consent
13.b Openness and Transparency
13.d Consent
13.e Choice
13.b Openness and Transparency
13.b Openness and Transparency
13.b Openness and Transparency
13.t Privacy Protection Awareness and Training
13.b Openness and Transparency
13.b Openness and Transparency
11.a Reporting Information Security Events
 Authoritative Source HITRUST Control Reference
CIS CSC v7.1 1.1 07.a Inventory of Assets
CIS CSC v7.1 1.3 07.a Inventory of Assets
CIS CSC v7.1 1.4 07.a Inventory of Assets
CIS CSC v7.1 1.5 07.a Inventory of Assets
CIS CSC v7.1 1.7 09.m Network Controls
CIS CSC v7.1 10.1 09.l Back-up
CIS CSC v7.1 10.2 09.l Back-up
CIS CSC v7.1 10.3 09.l Back-up
CIS CSC v7.1 10.4 09.l Back-up
CIS CSC v7.1 10.5 09.l Back-up
CIS CSC v7.1 11.1 06.h Technical Compliance Checking
09.m Network Controls
CIS CSC v7.1 11.2 09.m Network Controls
CIS CSC v7.1 11.3 06.h Technical Compliance Checking
09.m Network Controls
10.k Change Control Procedures
CIS CSC v7.1 11.4 10.m Control of Technical Vulnerabilities
CIS CSC v7.1 11.5 01.q User Identification and Authentication
09.m Network Controls
CIS CSC v7.1 11.6 01.c Privilege Management
01.m Segregation in Networks
CIS CSC v7.1 11.7 01.m Segregation in Networks
CIS CSC v7.1 11.17 01.m Segregation in Networks
CIS CSC v7.1 12.3 09.m Network Controls
CIS CSC v7.1 12.5 09.m Network Controls
09.ab Monitoring System Use
CIS CSC v7.1 12.6 09.m Network Controls
09.ab Monitoring System Use
CIS CSC v7.1 12.7 08.c Securing Offices, Rooms, and Facilities
09.m Network Controls
CIS CSC v7.1 12.8 09.ab Monitoring System Use
CIS CSC v7.1 12.9 01.n Network Connection Control
01.o Network Routing Control
CIS CSC v7.1 12.11 01.j User Authentication for External Connections
CIS CSC v7.1 12.12 01.x Mobile Computing and Communications
CIS CSC v7.1 13.3 06.h Technical Compliance Checking
09.ab Monitoring System Use
CIS CSC v7.1 13.4 01.i Policy on the Use of Network Services
09.m Network Controls
CIS CSC v7.1 13.5 09.ab Monitoring System Use
CIS CSC v7.1 13.6 01.x Mobile Computing and Communications
CIS CSC v7.1 13.7 09.o Management of Removable Media
CIS CSC v7.1 13.9 09.ab Monitoring System Use
CIS CSC v7.1 14.1 01.m Segregation in Networks
CIS CSC v7.1 14.3 01.o Network Routing Control
CIS CSC v7.1 14.4 06.d Data Protection and Privacy of Covered Information
CIS CSC v7.1 14.5 06.h Technical Compliance Checking
© 2019 HITRUST. All rights reserved.
 CIS CSC v7.1 14.6 01.c Privilege Management
01.v Information Access Restriction
CIS CSC v7.1 14.8 06.d Data Protection and Privacy of Covered Information
CIS CSC v7.1 14.9 06.h Technical Compliance Checking
09.aa Audit Logging
CIS CSC v7.1 15.1 07.a Inventory of Assets
09.m Network Controls
CIS CSC v7.1 15.2 09.m Network Controls
CIS CSC v7.1 15.5 09.m Network Controls
CIS CSC v7.1 15.6 01.l Remote Diagnostic and Configuration Port Protection
09.m Network Controls
CIS CSC v7.1 15.7 09.m Network Controls
CIS CSC v7.1 15.8 01.j User Authentication for External Connections
09.m Network Controls
CIS CSC v7.1 15.10 01.m Segregation in Networks
09.ab Monitoring System Use
CIS CSC v7.1 16.2 01.q User Identification and Authentication
CIS CSC v7.1 16.5 01.d User Password Management
01.n Network Connection Control
01.p Secure Log-on Procedures
CIS CSC v7.1 16.7 01.b User Registration
01.e Review of User Access Rights
02.g Termination or Change Responsibilities
CIS CSC v7.1 16.8 01.e Review of User Access Rights
CIS CSC v7.1 16.9 01.e Review of User Access Rights
CIS CSC v7.1 16.10 01.b User Registration
01.e Review of User Access Rights
01.q User Identification and Authentication
CIS CSC v7.1 16.11 01.t Session Time-out
CIS CSC v7.1 16.12 09.ab Monitoring System Use
CIS CSC v7.1 16.13 09.ab Monitoring System Use
CIS CSC v7.1 17.1 02.e Information Security Awareness, Education, and Training
CIS CSC v7.1 17.2 02.e Information Security Awareness, Education, and Training
CIS CSC v7.1 17.3 02.e Information Security Awareness, Education, and Training
CIS CSC v7.1 18.2 10.b Input Data Validation
CIS CSC v7.1 18.3 10.h Control of Operational Software
CIS CSC v7.1 18.5 09.ae Fault Logging
CIS CSC v7.1 18.6 02.e Information Security Awareness, Education, and Training
CIS CSC v7.1 18.7 10.b Input Data Validation
CIS CSC v7.1 18.9 09.d Separation of Development, Test, and Operational Environments
CIS CSC v7.1 18.11 10.b Input Data Validation
10.m Control of Technical Vulnerabilities
CIS CSC v7.1 19.1 11.a Reporting Information Security Events
CIS CSC v7.1 19.2 11.a Reporting Information Security Events
CIS CSC v7.1 19.3 11.a Reporting Information Security Events
CIS CSC v7.1 19.4 11.a Reporting Information Security Events
CIS CSC v7.1 19.5 11.a Reporting Information Security Events
CIS CSC v7.1 19.6 11.a Reporting Information Security Events
© 2019 HITRUST. All rights reserved.
 CIS CSC v7.1 19.7 11.c Responsibilities and Procedures
CIS CSC v7.1 2.1 01.l Remote Diagnostic and Configuration Port Protection
10.h Control of Operational Software
CIS CSC v7.1 2.3 07.a Inventory of Assets
CIS CSC v7.1 2.4 07.a Inventory of Assets
CIS CSC v7.1 2.5 07.a Inventory of Assets
CIS CSC v7.1 2.7 10.h Control of Operational Software
CIS CSC v7.1 2.10 01.m Segregation in Networks
CIS CSC v7.1 20.1 10.m Control of Technical Vulnerabilities
CIS CSC v7.1 20.2 09.ab Monitoring System Use
10.m Control of Technical Vulnerabilities
CIS CSC v7.1 20.3 10.m Control of Technical Vulnerabilities
CIS CSC v7.1 20.4 10.m Control of Technical Vulnerabilities
CIS CSC v7.1 20.5 10.m Control of Technical Vulnerabilities
CIS CSC v7.1 20.6 10.m Control of Technical Vulnerabilities
CIS CSC v7.1 20.7 10.m Control of Technical Vulnerabilities
CIS CSC v7.1 3.1 10.m Control of Technical Vulnerabilities
CIS CSC v7.1 3.3 10.m Control of Technical Vulnerabilities
CIS CSC v7.1 3.4 10.m Control of Technical Vulnerabilities
CIS CSC v7.1 3.6 10.m Control of Technical Vulnerabilities
CIS CSC v7.1 3.7 10.m Control of Technical Vulnerabilities
CIS CSC v7.1 4.1 01.c Privilege Management
CIS CSC v7.1 4.2 01.d User Password Management
CIS CSC v7.1 4.3 01.c Privilege Management
CIS CSC v7.1 4.5 01.j User Authentication for External Connections
CIS CSC v7.1 4.5 01.q User Identification and Authentication
CIS CSC v7.1 4.6 01.c Privilege Management
CIS CSC v7.1 5.1 10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
CIS CSC v7.1 5.2 10.k Change Control Procedures
CIS CSC v7.1 5.3 10.k Change Control Procedures
CIS CSC v7.1 5.4 10.k Change Control Procedures
CIS CSC v7.1 5.5 10.k Change Control Procedures
CIS CSC v7.1 6.1 09.af Clock Synchronization
CIS CSC v7.1 6.2 09.aa Audit Logging
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
CIS CSC v7.1 6.3 09.aa Audit Logging
CIS CSC v7.1 6.4 09.h Capacity Management
09.ac Protection of Log Information
CIS CSC v7.1 6.6 09.ab Monitoring System Use
CIS CSC v7.1 6.7 09.ab Monitoring System Use
CIS CSC v7.1 7.1 10.h Control of Operational Software
CIS CSC v7.1 7.2 10.h Control of Operational Software
CIS CSC v7.1 7.3 10.h Control of Operational Software
CIS CSC v7.1 7.5 09.m Network Controls
CIS CSC v7.1 7.6 09.aa Audit Logging
CIS CSC v7.1 7.8 09.j Controls Against Malicious Code
© 2019 HITRUST. All rights reserved.
 CIS CSC v7.1 7.9 09.j Controls Against Malicious Code
CIS CSC v7.1 8.1 01.x Mobile Computing and Communications
09.j Controls Against Malicious Code
09.ab Monitoring System Use
CIS CSC v7.1 8.3 09.j Controls Against Malicious Code
CIS CSC v7.1 8.4 01.l Remote Diagnostic and Configuration Port Protection
09.j Controls Against Malicious Code
09.ab Monitoring System Use
09.o Management of Removable Media
CIS CSC v7.1 8.7 09.m Network Controls
CIS CSC v7.1 9.2 01.l Remote Diagnostic and Configuration Port Protection
CIS CSC v7.1 9.3 01.l Remote Diagnostic and Configuration Port Protection
CIS CSC v7.1 9.4 09.m Network Controls
10.h Control of Operational Software
CIS CSC v7.1 9.5 10.b Input Data Validation

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

Authoritative Source
CMSRs v3.1 AC-01 (HIGH; MOD)
CMSRs v3.1 AC-02 (HIGH; MOD)
CMSRs v3.1 AC-02(01) (HIGH; MOD)
CMSRs v3.1 AC-02(02) (HIGH; MOD)
CMSRs v3.1 AC-02(03) (HIGH; MOD)
CMSRs v3.1 AC-02(05) (HIGH)
CMSRs v3.1 AC-02(11) (HIGH)
CMSRs v3.1 AC-02(12) (HIGH)
CMSRs v3.1 AC-02(13) (HIGH)
CMSRs v3.1 AC-03 (HIGH; MOD)
CMSRs v3.1 AC-04 (HIGH; MOD)
CMSRs v3.1 AC-05 (HIGH; MOD)
CMSRs v3.1 AC-06 (HIGH; MOD)
CMSRs v3.1 AC-06(01) (HIGH; MOD)
CMSRs v3.1 AC-06(02) (HIGH; MOD)
CMSRs v3.1 AC-06(03) (HIGH)
CMSRs v3.1 AC-06(03) (HIGH; MOD)
CMSRs v3.1 AC-06(05) (HIGH; MOD)
CMSRs v3.1 AC-06(09) (HIGH; MOD)
CMSRs v3.1 AC-06(10) (HIGH; MOD)
CMSRs v3.1 AC-07 (HIGH)
CMSRs v3.1 AC-07 (HIGH; MOD)
CMSRs v3.1 AC-08 (HIGH; MOD)
CMSRs v3.1 AC-09 (HIGH)
CMSRs v3.1 AC-10 (HIGH)
CMSRs v3.1 AC-11 (HIGH; MOD)
CMSRs v3.1 AC-11(01) (HIGH; MOD)
CMSRs v3.1 AC-12 (HIGH; MOD)
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
01.a Access Control Policy
01.i Policy on the Use of Network Services
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
01.a Access Control Policy
01.b User Registration
01.c Privilege Management
01.e Review of User Access Rights
01.j User Authentication for External Connections
01.b User Registration
01.b User Registration
01.b User Registration
01.t Session Time-out
01.n Network Connection Control
09.ab Monitoring System Use
01.b User Registration
01.s Use of System Utilities
01.v Information Access Restriction
01.m Segregation in Networks
01.o Network Routing Control
09.c Segregation of Duties
01.c Privilege Management
01.s Use of System Utilities
01.v Information Access Restriction
01.y Teleworking
05.i Identification of Risks Related to External Parties
10.j Access Control to Program Source Code
01.c Privilege Management
06.j Protection of Information Systems Audit Tools
01.c Privilege Management
01.q User Identification and Authentication
01.c Privilege Management
01.j User Authentication for External Connections
01.c Privilege Management
01.c Privilege Management
01.c Privilege Management
09.aa Audit Logging
01.c Privilege Management
01.p Secure Log-on Procedures
01.p Secure Log-on Procedures
01.p Secure Log-on Procedures
05.j Addressing Security When Dealing with Customers
06.e Prevention of Misuse of Information Assets
07.e Information Labeling and Handling
01.p Secure Log-on Procedures
01.c Privilege Management
01.p Secure Log-on Procedures
01.g Unattended User Equipment
01.h Clear Desk and Clear Screen Policy
01.t Session Time-out
01.t Session Time-out
01.t Session Time-out
CMSRs v3.1 AC-14 (HIGH; MOD)
CMSRs v3.1 AC-17 (HIGH; MOD)
CMSRs v3.1 AC-17(01) (HIGH; MOD)
CMSRs v3.1 AC-17(02) (HIGH; MOD)
CMSRs v3.1 AC-17(03) (HIGH; MOD)
CMSRs v3.1 AC-17(04) (HIGH; MOD)
CMSRs v3.1 AC-18 (HIGH; MOD)
CMSRs v3.1 AC-18(01) (HIGH; MOD)
CMSRs v3.1 AC-18(04) (HIGH)
CMSRs v3.1 AC-18(05) (HIGH)
CMSRs v3.1 AC-19 (HIGH)
CMSRs v3.1 AC-19 (HIGH; MOD)
CMSRs v3.1 AC-19(05) (HIGH; MOD)
CMSRs v3.1 AC-2 (HIGH; MOD)
CMSRs v3.1 AC-20 (HIGH; MOD)
CMSRs v3.1 AC-20(01) (HIGH; MOD)
CMSRs v3.1 AC-20(02) (HIGH; MOD)
CMSRs v3.1 AC-21 (HIGH; MOD)
CMSRs v3.1 AC-22 (HIGH; MOD)
CMSRs v3.1 AP-01 (HIGH; MOD)
CMSRs v3.1 AP-02 (HIGH; MOD)
CMSRs v3.1 AR-01 (HIGH; MOD)
CMSRs v3.1 AR-02 (HIGH; MOD)
CMSRs v3.1 AR-03 (HIGH; MOD)
CMSRs v3.1 AR-04 (HIGH)
CMSRs v3.1 AR-04 (HIGH; MOD)
CMSRs v3.1 AR-05 (HIGH; MOD)
CMSRs v3.1 AR-07 (HIGH; MOD)
CMSRs v3.1 AR-08 (HIGH; MOD)
CMSRs v3.1 AT-01 (HIGH; MOD)
© 2019 HITRUST. All rights reserved.
01.v Information Access Restriction
01.j User Authentication for External Connections
01.y Teleworking
09.s Information Exchange Policies and Procedures
01.j User Authentication for External Connections
01.j User Authentication for External Connections
01.y Teleworking
05.i Identification of Risks Related to External Parties
09.s Information Exchange Policies and Procedures
01.j User Authentication for External Connections
01.n Network Connection Control
01.j User Authentication for External Connections
01.j User Authentication for External Connections
08.g Equipment Siting and Protection
09.m Network Controls
01.j User Authentication for External Connections
09.m Network Controls
09.m Network Controls
09.m Network Controls
01.x Mobile Computing and Communications
01.x Mobile Computing and Communications
01.x Mobile Computing and Communications
02.i Removal of Access Rights
01.i Policy on the Use of Network Services
01.y Teleworking
07.c Acceptable Use of Assets
08.k Security of Equipment Off-Premises
09.s Information Exchange Policies and Procedures
09.s Information Exchange Policies and Procedures
09.s Information Exchange Policies and Procedures
01.c Privilege Management
09.z Publicly Available Information
13.k Use and Disclosure
13.a Privacy Notice
05.a Management Commitment to Information Security
06.d Data Protection and Privacy of Covered Information
03.a Risk Management Program Development
04.b Review of the Information Security Policy
06.d Data Protection and Privacy of Covered Information
13.r Privacy Requirements for Contractors and Processors
05.h Independent Review of Information Security
09.ab Monitoring System Use
05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
09.aa Audit Logging
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
02.e Information Security Awareness, Education, and Training
09.m Network Controls
10.a Security Requirements Analysis and Specification
13.c Accounting of Disclosures
02.e Information Security Awareness, Education, and Training
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security

CMSRs v3.1 AT-02 (HIGH; MOD)
CMSRs v3.1 AT-02(02) (HIGH; MOD)
CMSRs v3.1 AT-03 (HIGH; MOD)
CMSRs v3.1 AT-04 (HIGH; MOD)
CMSRs v3.1 AU-01 (HIGH; MOD)
CMSRs v3.1 AU-02 (HIGH)
CMSRs v3.1 AU-02 (HIGH; MOD)
CMSRs v3.1 AU-02(03) (HIGH)
CMSRs v3.1 AU-03 (HIGH; MOD)
CMSRs v3.1 AU-03(01) (HIGH; MOD)
CMSRs v3.1 AU-03(02) (HIGH)
CMSRs v3.1 AU-04 (HIGH; MOD)
CMSRs v3.1 AU-05 (HIGH; MOD)
CMSRs v3.1 AU-05(01) (HIGH)
CMSRs v3.1 AU-05(02) (HIGH)
CMSRs v3.1 AU-06 (HIGH; MOD)
CMSRs v3.1 AU-06(01) (HIGH; MOD)
CMSRs v3.1 AU-06(03) (HIGH; MOD)
CMSRs v3.1 AU-06(05) (HIGH)
CMSRs v3.1 AU-06(05) (HIGH; MOD)
CMSRs v3.1 AU-06(06) (HIGH)
CMSRs v3.1 AU-07 (HIGH; MOD)
CMSRs v3.1 AU-07(01) (HIGH)
CMSRs v3.1 AU-07(01) (HIGH; MOD)
CMSRs v3.1 AU-08 (HIGH; MOD)
CMSRs v3.1 AU-08(01) (HIGH; MOD)
CMSRs v3.1 AU-09 (HIGH; MOD)
CMSRs v3.1 AU-09(02) (HIGH)
CMSRs v3.1 AU-09(03) (HIGH)
CMSRs v3.1 AU-10 (HIGH)
© 2019 HITRUST. All rights reserved.
09.a Documented Operations Procedures
01.p Secure Log-on Procedures
01.y Teleworking
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
05.c Allocation of Information Security Responsibilities
02.e Information Security Awareness, Education, and Training
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
06.i Information Systems Audit Controls
06.j Protection of Information Systems Audit Tools
09.a Documented Operations Procedures
09.aa Audit Logging
01.p Secure Log-on Procedures
06.j Protection of Information Systems Audit Tools
09.aa Audit Logging
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
09.ae Fault Logging
09.aa Audit Logging
09.aa Audit Logging
09.ab Monitoring System Use
09.aa Audit Logging
09.aa Audit Logging
09.h Capacity Management
09.h Capacity Management
09.aa Audit Logging
09.ac Protection of Log Information
09.aa Audit Logging
09.ac Protection of Log Information
09.ae Fault Logging
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
09.ab Monitoring System Use
09.ab Monitoring System Use
09.ab Monitoring System Use
09.ab Monitoring System Use
09.ab Monitoring System Use
09.ab Monitoring System Use
09.ab Monitoring System Use
09.aa Audit Logging
09.ab Monitoring System Use
09.aa Audit Logging
09.af Clock Synchronization
09.af Clock Synchronization
06.j Protection of Information Systems Audit Tools
09.aa Audit Logging
09.ac Protection of Log Information
09.ac Protection of Log Information
09.ac Protection of Log Information
09.x Electronic Commerce Services
09.y On-line Transactions
CMSRs v3.1 AU-11 (HIGH; MOD)
CMSRs v3.1 AU-12 (HIGH; MOD)
CMSRs v3.1 AU-12(01) (HIGH)
CMSRs v3.1 CA-01 (HIGH; MOD)
CMSRs v3.1 CA-02 (HIGH; MOD)
CMSRs v3.1 CA-02(01) (HIGH; MOD)
CMSRs v3.1 CA-02(02) (HIGH)
CMSRs v3.1 CA-03 (HIGH; MOD)
CMSRs v3.1 CA-03(05) (HIGH; MOD)
CMSRs v3.1 CA-05 (HIGH; MOD)
CMSRs v3.1 CA-06 (HIGH; MOD)
CMSRs v3.1 CA-07 (HIGH; MOD)
CMSRs v3.1 CA-07(01) (HIGH; MOD)
CMSRs v3.1 CA-08 (HIGH; MOD)
CMSRs v3.1 CA-09 (HIGH; MOD)
CMSRs v3.1 CM-01 (HIGH; MOD)
CMSRs v3.1 CM-02 (HIGH; MOD)
CMSRs v3.1 CM-02(01) (HIGH; MOD)
CMSRs v3.1 CM-02(02) (HIGH)
CMSRs v3.1 CM-02(02) (HIGH; MOD)
CMSRs v3.1 CM-02(03) (HIGH; MOD)
CMSRs v3.1 CM-02(07) (HIGH; MOD)
CMSRs v3.1 CM-03 (HIGH; MOD)
© 2019 HITRUST. All rights reserved.
06.c Protection of Organizational Records
09.aa Audit Logging
01.p Secure Log-on Procedures
09.aa Audit Logging
09.aa Audit Logging
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
06.g Compliance with Security Policies and Standards
09.a Documented Operations Procedures
03.b Performing Risk Assessments
05.a Management Commitment to Information Security
05.d Authorization Process for Information Assets and Facilities
05.h Independent Review of Information Security
06.i Information Systems Audit Controls
06.j Protection of Information Systems Audit Tools
10.m Control of Technical Vulnerabilities
03.b Performing Risk Assessments
05.a Management Commitment to Information Security
05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
05.i Identification of Risks Related to External Parties
05.j Addressing Security When Dealing with Customers
09.m Network Controls
09.n Security of Network Services
09.n Security of Network Services
03.c Risk Mitigation
05.d Authorization Process for Information Assets and Facilities
05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
10.m Control of Technical Vulnerabilities
09.w Interconnected Business Information Systems
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
10.k Change Control Procedures
01.j User Authentication for External Connections
09.d Separation of Development, Test, and Operational Environments
09.w Interconnected Business Information Systems
10.k Change Control Procedures
10.k Change Control Procedures
01.j User Authentication for External Connections
10.k Change Control Procedures
07.a Inventory of Assets
10.h Control of Operational Software
10.k Change Control Procedures
01.x Mobile Computing and Communications
03.d Risk Evaluation
09.b Change Management
09.i System Acceptance
CMSRs v3.1 CM-03 (HIGH; MOD)
CMSRs v3.1 CM-03(01) (HIGH)
CMSRs v3.1 CM-03(02) (HIGH; MOD)
CMSRs v3.1 CM-04 (HIGH)
CMSRs v3.1 CM-04 (HIGH; MOD)
CMSRs v3.1 CM-04(01) (HIGH)
CMSRs v3.1 CM-04(01) (HIGH; MOD)
CMSRs v3.1 CM-05 (HIGH; MOD)
CMSRs v3.1 CM-05(01) (HIGH)
CMSRs v3.1 CM-05(02) (HIGH)
CMSRs v3.1 CM-05(03) (HIGH)
CMSRs v3.1 CM-06 (HIGH; MOD)
CMSRs v3.1 CM-06(01) (HIGH)
CMSRs v3.1 CM-06(02) (HIGH)
CMSRs v3.1 CM-07 (HIGH; MOD)
CMSRs v3.1 CM-07(01) (HIGH; MOD)
CMSRs v3.1 CM-07(02) (HIGH; MOD)
CMSRs v3.1 CM-07(05) (HIGH)
CMSRs v3.1 CM-08 (HIGH; MOD)
CMSRs v3.1 CM-08(01) (HIGH; MOD)
CMSRs v3.1 CM-08(02) (HIGH)
CMSRs v3.1 CM-08(03) (HIGH; MOD)
CMSRs v3.1 CM-08(04) (HIGH)
CMSRs v3.1 CM-08(05) (HIGH; MOD)
CMSRs v3.1 CM-09 (HIGH; MOD)
CMSRs v3.1 CM-10 (HIGH; MOD)
CMSRs v3.1 CM-11 (HIGH; MOD)
CMSRs v3.1 CP-01 (HIGH; MOD)
© 2019 HITRUST. All rights reserved.
09.k Controls Against Mobile Code
09.m Network Controls
10.h Control of Operational Software
10.k Change Control Procedures
10.k Change Control Procedures
10.h Control of Operational Software
10.k Change Control Procedures
10.h Control of Operational Software
09.b Change Management
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
09.b Change Management
10.j Access Control to Program Source Code
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
09.z Publicly Available Information
10.h Control of Operational Software
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
10.h Control of Operational Software
10.k Change Control Procedures
10.h Control of Operational Software
10.k Change Control Procedures
01.c Privilege Management
01.i Policy on the Use of Network Services
01.l Remote Diagnostic and Configuration Port Protection
09.i System Acceptance
09.m Network Controls
10.j Access Control to Program Source Code
10.m Control of Technical Vulnerabilities
01.l Remote Diagnostic and Configuration Port Protection
01.l Remote Diagnostic and Configuration Port Protection
10.h Control of Operational Software
01.l Remote Diagnostic and Configuration Port Protection
10.h Control of Operational Software
07.a Inventory of Assets
07.b Ownership of Assets
07.d Classification Guidelines
07.a Inventory of Assets
07.a Inventory of Assets
10.k Change Control Procedures
01.q User Identification and Authentication
07.a Inventory of Assets
08.i Cabling Security
07.a Inventory of Assets
07.a Inventory of Assets
10.k Change Control Procedures
06.b Intellectual Property Rights
07.b Ownership of Assets
09.j Controls Against Malicious Code
04.a Information Security Policy Document
04.b Review of the Information Security Policy
CMSRs v3.1 CP-01 (HIGH; MOD)
CMSRs v3.1 CP-02 (HIGH; MOD)
CMSRs v3.1 CP-02(02) (HIGH)
CMSRs v3.1 CP-02(03) (HIGH; MOD)
CMSRs v3.1 CP-02(04) (HIGH)
CMSRs v3.1 CP-02(05) (HIGH)
CMSRs v3.1 CP-02(08) (HIGH; MOD)
CMSRs v3.1 CP-03 (HIGH; MOD)
CMSRs v3.1 CP-03(01) (HIGH; MOD)
CMSRs v3.1 CP-04 (HIGH)
CMSRs v3.1 CP-04 (HIGH; MOD)
CMSRs v3.1 CP-04(01) (HIGH; MOD)
CMSRs v3.1 CP-04(02) (HIGH)
CMSRs v3.1 CP-06 (HIGH; MOD)
CMSRs v3.1 CP-06(01) (HIGH; MOD)
CMSRs v3.1 CP-06(02) (HIGH)
CMSRs v3.1 CP-06(03) (HIGH; MOD)
CMSRs v3.1 CP-07 (HIGH; MOD)
CMSRs v3.1 CP-07(01) (HIGH; MOD)
CMSRs v3.1 CP-07(03) (HIGH; MOD)
CMSRs v3.1 CP-07(04) (HIGH)
CMSRs v3.1 CP-08 (HIGH)
CMSRs v3.1 CP-08 (HIGH; MOD)
CMSRs v3.1 CP-08(01) (HIGH; MOD)
CMSRs v3.1 CP-08(02) (HIGH; MOD)
CMSRs v3.1 CP-08(03) (HIGH)
CMSRs v3.1 CP-08(03) (HIGH; MOD)
CMSRs v3.1 CP-08(04) (HIGH)
CMSRs v3.1 CP-09 (HIGH; MOD)
CMSRs v3.1 CP-09(01) (HIGH; MOD)
CMSRs v3.1 CP-09(02) (HIGH)
CMSRs v3.1 CP-09(03) (HIGH)
CMSRs v3.1 CP-09(05) (HIGH)
CMSRs v3.1 CP-10(04) (HIGH)
CMSRs v3.1 DI-01 (HIGH; MOD)
CMSRs v3.1 DI-01(01) (HIGH; MOD)
CMSRs v3.1 DI-01(02) (HIGH; MOD)
CMSRs v3.1 DI-02 (HIGH; MOD)
CMSRs v3.1 DI-02(01) (HIGH; MOD)
CMSRs v3.1 DM-01 (HIGH; MOD)
© 2019 HITRUST. All rights reserved.
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
05.f Contact with Authorities
09.l Back-up
09.m Network Controls
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
05.f Contact with Authorities
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
09.l Back-up
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
09.l Back-up
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
08.h Supporting Utilities
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
09.l Back-up
12.c Developing and Implementing Continuity Plans Including Information Security
09.l Back-up
09.l Back-up
12.c Developing and Implementing Continuity Plans Including Information Security
09.l Back-up
09.l Back-up
12.c Developing and Implementing Continuity Plans Including Information Security
13.f Principle Access
13.m Accuracy and Quality
13.m Accuracy and Quality
10.c Control of Internal Processing
13.m Accuracy and Quality
13.m Accuracy and Quality
01.v Information Access Restriction
CMSRs v3.1 DM-01 (HIGH; MOD)
CMSRs v3.1 DM-02 (HIGH; MOD)
CMSRs v3.1 DM-02(01) (HIGH; MOD)
CMSRs v3.1 DM-03 (HIGH; MOD)
CMSRs v3.1 DM-03(01) (HIGH; MOD)
CMSRs v3.1 IA-(08) (HIGH; MOD)
CMSRs v3.1 IA-01 (HIGH; MOD)
CMSRs v3.1 IA-02 (HIGH; MOD)
CMSRs v3.1 IA-02(01) (HIGH; MOD)
CMSRs v3.1 IA-02(02) (HIGH; MOD)
CMSRs v3.1 IA-02(03) (HIGH; MOD)
CMSRs v3.1 IA-02(04) (HIGH)
CMSRs v3.1 IA-02(08) (HIGH; MOD)
CMSRs v3.1 IA-02(09) (HIGH)
CMSRs v3.1 IA-02(11) (HIGH)
CMSRs v3.1 IA-02(11) (HIGH; MOD)
CMSRs v3.1 IA-02(12) (HIGH; MOD)
CMSRs v3.1 IA-03 (HIGH; MOD)
CMSRs v3.1 IA-05 (HIGH)
CMSRs v3.1 IA-05 (HIGH; MOD)
CMSRs v3.1 IA-05(01) (HIGH; MOD)
CMSRs v3.1 IA-05(02) (HIGH; MOD)
CMSRs v3.1 IA-05(03) (HIGH; MOD)
CMSRs v3.1 IA-05(11) (HIGH; MOD)
CMSRs v3.1 IA-06 (HIGH; MOD)
CMSRs v3.1 IA-07 (HIGH; MOD)
CMSRs v3.1 IA-08 (HIGH; MOD)
CMSRs v3.1 IA-08(01) (HIGH; MOD)
CMSRs v3.1 IA-08(02) (HIGH; MOD)
CMSRs v3.1 IA-08(03) (HIGH; MOD)
CMSRs v3.1 IA-08(04) (HIGH; MOD)
CMSRs v3.1 IP-01 (HIGH; MOD)
© 2019 HITRUST. All rights reserved.
13.j Data Minimization
06.c Protection of Organizational Records
08.l Secure Disposal or Re-Use of Equipment
09.p Disposal of Media
06.c Protection of Organizational Records
13.d Consent
13.k Use and Disclosure
13.j Data Minimization
01.j User Authentication for External Connections
01.b User Registration
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
01.j User Authentication for External Connections
01.q User Identification and Authentication
01.y Teleworking
01.q User Identification and Authentication
01.q User Identification and Authentication
01.q User Identification and Authentication
01.q User Identification and Authentication
01.q User Identification and Authentication
01.q User Identification and Authentication
01.q User Identification and Authentication
01.q User Identification and Authentication
01.q User Identification and Authentication
01.k Equipment Identification in Networks
09.m Network Controls
01.b User Registration
01.q User Identification and Authentication
01.d User Password Management
01.b User Registration
01.d User Password Management
01.f Password Use
01.k Equipment Identification in Networks
01.q User Identification and Authentication
01.r Password Management System
01.d User Password Management
01.r Password Management System
01.q User Identification and Authentication
01.r Password Management System
01.b User Registration
01.q User Identification and Authentication
01.q User Identification and Authentication
01.p Secure Log-on Procedures
06.f Regulation of Cryptographic Controls
01.j User Authentication for External Connections
01.q User Identification and Authentication
01.j User Authentication for External Connections
01.j User Authentication for External Connections
01.j User Authentication for External Connections
01.j User Authentication for External Connections
13.d Consent
13.e Choice
13.k Use and Disclosure
CMSRs v3.1 IP-01(01) (HIGH; MOD)
CMSRs v3.1 IP-02 (HIGH; MOD)
CMSRs v3.1 IP-03 (HIGH; MOD)
CMSRs v3.1 IP-04 (HIGH; MOD)
CMSRs v3.1 IP-04(01) (HIGH; MOD)
CMSRs v3.1 IR-01 (HIGH; MOD)
CMSRs v3.1 IR-02 (HIGH)
CMSRs v3.1 IR-02 (HIGH; MOD)
CMSRs v3.1 IR-02(01) (HIGH)
CMSRs v3.1 IR-02(02) (HIGH)
CMSRs v3.1 IR-03 (HIGH; MOD)
CMSRs v3.1 IR-03(02) (HIGH; MOD)
CMSRs v3.1 IR-04 (HIGH; MOD)
CMSRs v3.1 IR-04(01) (HIGH; MOD)
CMSRs v3.1 IR-04(04) (HIGH)
CMSRs v3.1 IR-05 (HIGH; MOD)
CMSRs v3.1 IR-05(01) (HIGH)
CMSRs v3.1 IR-06 (HIGH)
CMSRs v3.1 IR-06 (HIGH; MOD)
CMSRs v3.1 IR-06(01) (HIGH; MOD)
CMSRs v3.1 IR-07 (HIGH; MOD)
CMSRs v3.1 IR-08 (HIGH; MOD)
CMSRs v3.1 MA-01 (HIGH; MOD)
CMSRs v3.1 MA-02 (HIGH; MOD)
CMSRs v3.1 MA-02(02) (HIGH)
CMSRs v3.1 MA-03 (HIGH; MOD)
CMSRs v3.1 MA-03(01) (HIGH; MOD)
CMSRs v3.1 MA-03(02) (HIGH; MOD)
CMSRs v3.1 MA-03(03) (HIGH)
CMSRs v3.1 MA-04 (HIGH; MOD)
CMSRs v3.1 MA-04(01) (HIGH; MOD)
CMSRs v3.1 MA-04(02) (HIGH)
CMSRs v3.1 MA-04(02) (HIGH; MOD)
CMSRs v3.1 MA-04(03) (HIGH)
© 2019 HITRUST. All rights reserved.
13.d Consent
13.f Principle Access
13.f Principle Access
13.n Participation and Redress
04.b Review of the Information Security Policy
13.o Compliant Management
13.o Compliant Management
09.a Documented Operations Procedures
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
02.e Information Security Awareness, Education, and Training
05.c Allocation of Information Security Responsibilities
11.a Reporting Information Security Events
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
11.d Learning from Information Security Incidents
11.e Collection of Evidence
11.d Learning from Information Security Incidents
11.d Learning from Information Security Incidents
02.f Disciplinary Process
11.d Learning from Information Security Incidents
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
08.j Equipment Maintenance
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.j Equipment Maintenance
08.j Equipment Maintenance
08.j Equipment Maintenance
08.j Equipment Maintenance
08.j Equipment Maintenance
08.j Equipment Maintenance
01.j User Authentication for External Connections
01.l Remote Diagnostic and Configuration Port Protection
05.i Identification of Risks Related to External Parties
08.j Equipment Maintenance
08.j Equipment Maintenance
08.j Equipment Maintenance
01.l Remote Diagnostic and Configuration Port Protection
08.j Equipment Maintenance
01.l Remote Diagnostic and Configuration Port Protection
CMSRs v3.1 MA-04(03) (HIGH)
CMSRs v3.1 MA-05 (HIGH; MOD)
CMSRs v3.1 MA-05(01) (HIGH)
CMSRs v3.1 MA-06 (HIGH; MOD)
CMSRs v3.1 MP-01 (HIGH; MOD)
CMSRs v3.1 MP-02 (HIGH; MOD)
CMSRs v3.1 MP-03 (HIGH; MOD)
CMSRs v3.1 MP-04 (HIGH; MOD)
CMSRs v3.1 MP-05 (HIGH; MOD)
CMSRs v3.1 MP-05(04) (HIGH; MOD)
CMSRs v3.1 MP-06 (HIGH; MOD)
CMSRs v3.1 MP-06(01) (HIGH)
CMSRs v3.1 MP-06(02) (HIGH)
CMSRs v3.1 MP-06(03) (HIGH)
CMSRs v3.1 MP-07 (HIGH; MOD)
CMSRs v3.1 MP-07(01) (HIGH; MOD)
CMSRs v3.1 MP-CMS-1 (HIGH; MOD)
CMSRs v3.1 PE-01 (HIGH; MOD)
CMSRs v3.1 PE-02 (HIGH; MOD)
CMSRs v3.1 PE-03 (HIGH; MOD)
CMSRs v3.1 PE-03(01) (HIGH)
CMSRs v3.1 PE-04 (HIGH; MOD)
CMSRs v3.1 PE-05 (HIGH; MOD)
CMSRs v3.1 PE-06 (HIGH)
CMSRs v3.1 PE-06 (HIGH; MOD)
CMSRs v3.1 PE-06(01) (HIGH; MOD)
CMSRs v3.1 PE-06(04) (HIGH)
CMSRs v3.1 PE-08 (HIGH; MOD)
CMSRs v3.1 PE-08(01) (HIGH)
CMSRs v3.1 PE-09 (HIGH; MOD)
CMSRs v3.1 PE-10 (HIGH; MOD)
CMSRs v3.1 PE-11(01) (HIGH)
CMSRs v3.1 PE-12 (HIGH; MOD)
© 2019 HITRUST. All rights reserved.
08.j Equipment Maintenance
08.j Equipment Maintenance
08.j Equipment Maintenance
08.j Equipment Maintenance
07.a Inventory of Assets
09.o Management of Removable Media
09.t Exchange Agreements
09.q Information Handling Procedures
01.h Clear Desk and Clear Screen Policy
07.e Information Labeling and Handling
09.q Information Handling Procedures
09.l Back-up
09.o Management of Removable Media
08.k Security of Equipment Off-Premises
09.l Back-up
09.o Management of Removable Media
09.q Information Handling Procedures
09.u Physical Media in Transit
09.o Management of Removable Media
09.q Information Handling Procedures
09.u Physical Media in Transit
08.l Secure Disposal or Re-Use of Equipment
09.p Disposal of Media
09.p Disposal of Media
09.p Disposal of Media
09.o Management of Removable Media
09.o Management of Removable Media
09.o Management of Removable Media
09.q Information Handling Procedures
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
08.d Protecting Against External and Environmental Threats
08.g Equipment Siting and Protection
09.a Documented Operations Procedures
08.b Physical Entry Controls
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
01.l Remote Diagnostic and Configuration Port Protection
08.b Physical Entry Controls
08.i Cabling Security
01.g Unattended User Equipment
09.ab Monitoring System Use
08.b Physical Entry Controls
09.ab Monitoring System Use
08.b Physical Entry Controls
09.ab Monitoring System Use
08.b Physical Entry Controls
08.b Physical Entry Controls
08.h Supporting Utilities
08.i Cabling Security
08.h Supporting Utilities
08.h Supporting Utilities
08.h Supporting Utilities
CMSRs v3.1 PE-13 (HIGH; MOD)
CMSRs v3.1 PE-13(01) (HIGH)
CMSRs v3.1 PE-13(02) (HIGH)
CMSRs v3.1 PE-13(03) (HIGH; MOD)
CMSRs v3.1 PE-14 (HIGH; MOD)
CMSRs v3.1 PE-15 (HIGH; MOD)
CMSRs v3.1 PE-15(01) (HIGH)
CMSRs v3.1 PE-16 (HIGH; MOD)
CMSRs v3.1 PE-17 (HIGH; MOD)
CMSRs v3.1 PE-18 (HIGH)
CMSRs v3.1 PL-01 (HIGH; MOD)
CMSRs v3.1 PL-02 (HIGH; MOD)
CMSRs v3.1 PL-02(03) (HIGH; MOD)
CMSRs v3.1 PL-04 (HIGH)
CMSRs v3.1 PL-04 (HIGH; MOD)
CMSRs v3.1 PL-04(01) (HIGH; MOD)
CMSRs v3.1 PL-08 (HIGH; MOD)
CMSRs v3.1 PL-4 (HIGH; MOD)
CMSRs v3.1 PM-01 (HIGH; MOD)
CMSRs v3.1 PM-02 (HIGH; MOD)
CMSRs v3.1 PM-03 (HIGH; MOD)
CMSRs v3.1 PM-04 (HIGH; MOD)
CMSRs v3.1 PM-05 (HIGH; MOD)
CMSRs v3.1 PM-06 (HIGH; MOD)
CMSRs v3.1 PM-07 (HIGH; MOD)
CMSRs v3.1 PM-08 (HIGH; MOD)
CMSRs v3.1 PM-09 (HIGH; MOD)
© 2019 HITRUST. All rights reserved.
08.d Protecting Against External and Environmental Threats
08.d Protecting Against External and Environmental Threats
08.d Protecting Against External and Environmental Threats
08.d Protecting Against External and Environmental Threats
08.g Equipment Siting and Protection
08.h Supporting Utilities
08.d Protecting Against External and Environmental Threats
08.d Protecting Against External and Environmental Threats
08.f Public Access, Delivery, and Loading Areas
08.m Removal of Property
09.u Physical Media in Transit
01.y Teleworking
08.k Security of Equipment Off-Premises
08.g Equipment Siting and Protection
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
05.b Information Security Coordination
06.i Information Systems Audit Controls
05.b Information Security Coordination
06.e Prevention of Misuse of Information Assets
02.c Terms and Conditions of Employment
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
05.j Addressing Security When Dealing with Customers
06.e Prevention of Misuse of Information Assets
07.c Acceptable Use of Assets
11.b Reporting Security Weaknesses
07.c Acceptable Use of Assets
10.a Security Requirements Analysis and Specification
02.e Information Security Awareness, Education, and Training
00.a Information Security Management Program
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
05.b Information Security Coordination
09.a Documented Operations Procedures
00.a Information Security Management Program
02.d Management Responsibilities
05.a Management Commitment to Information Security
05.c Allocation of Information Security Responsibilities
00.a Information Security Management Program
05.a Management Commitment to Information Security
05.b Information Security Coordination
00.a Information Security Management Program
03.a Risk Management Program Development
03.c Risk Mitigation
07.a Inventory of Assets
00.a Information Security Management Program
02.e Information Security Awareness, Education, and Training
10.a Security Requirements Analysis and Specification
12.b Business Continuity and Risk Assessment
00.a Information Security Management Program
03.a Risk Management Program Development
CMSRs v3.1 PM-09 (HIGH; MOD)
CMSRs v3.1 PM-10 (HIGH; MOD)
CMSRs v3.1 PM-11 (HIGH; MOD)
CMSRs v3.1 PM-12 (HIGH; MOD)
CMSRs v3.1 PM-13 (HIGH; MOD)
CMSRs v3.1 PM-14 (HIGH; MOD)
CMSRs v3.1 PM-15 (HIGH; MOD)
CMSRs v3.1 PS-01 (HIGH; MOD)
CMSRs v3.1 PS-02 (HIGH; MOD)
CMSRs v3.1 PS-03 (HIGH; MOD)
CMSRs v3.1 PS-04 (HIGH; MOD)
CMSRs v3.1 PS-04(02) (HIGH)
CMSRs v3.1 PS-05 (HIGH; MOD)
CMSRs v3.1 PS-06 (HIGH; MOD)
CMSRs v3.1 PS-07 (HIGH; MOD)
CMSRs v3.1 PS-08 (HIGH)
CMSRs v3.1 PS-08 (HIGH; MOD)
CMSRs v3.1 RA-01 (HIGH; MOD)
CMSRs v3.1 RA-02 (HIGH; MOD)
CMSRs v3.1 RA-03 (HIGH; MOD)
CMSRs V3.1 RA-05 (HIGH)
CMSRs v3.1 RA-05 (HIGH; MOD)
CMSRs v3.1 RA-05(01) (HIGH; MOD)
CMSRs v3.1 RA-05(02) (HIGH; MOD)
CMSRs v3.1 RA-05(04) (HIGH)
CMSRs v3.1 SA-01 (HIGH; MOD)
© 2019 HITRUST. All rights reserved.
05.a Management Commitment to Information Security
12.a Including Information Security in the Business Continuity Management Process
05.c Allocation of Information Security Responsibilities
05.d Authorization Process for Information Assets and Facilities
03.a Risk Management Program Development
11.a Reporting Information Security Events
00.a Information Security Management Program
02.d Management Responsibilities
05.a Management Commitment to Information Security
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
02.d Management Responsibilities
05.g Contact with Special Interest Groups
06.a Identification of Applicable Legislation
02.a Roles and Responsibilities
02.b Screening
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
02.a Roles and Responsibilities
02.b Screening
02.b Screening
02.g Termination or Change Responsibilities
02.h Return of Assets
02.i Removal of Access Rights
02.i Removal of Access Rights
01.e Review of User Access Rights
02.g Termination or Change Responsibilities
02.i Removal of Access Rights
02.c Terms and Conditions of Employment
05.k Addressing Security in Third Party Agreements
02.f Disciplinary Process
02.f Disciplinary Process
06.e Prevention of Misuse of Information Assets
03.a Risk Management Program Development
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
01.w Sensitive System Isolation
06.c Protection of Organizational Records
07.d Classification Guidelines
03.a Risk Management Program Development
03.b Performing Risk Assessments
03.d Risk Evaluation
05.d Authorization Process for Information Assets and Facilities
10.m Control of Technical Vulnerabilities
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
04.a Information Security Policy Document
CMSRs v3.1 SA-01 (HIGH; MOD)
CMSRs v3.1 SA-02 (HIGH; MOD)
CMSRs v3.1 SA-03 (HIGH)
CMSRs v3.1 SA-03 (HIGH; MOD)
CMSRs v3.1 SA-04 (HIGH)
CMSRs v3.1 SA-04 (HIGH; MOD)
CMSRs v3.1 SA-04(01) (HIGH; MOD)
CMSRs v3.1 SA-04(02) (HIGH; MOD)
CMSRs v3.1 SA-04(09) (HIGH; MOD)
CMSRs v3.1 SA-05 (HIGH; MOD)
CMSRs v3.1 SA-08 (HIGH; MOD)
CMSRs v3.1 SA-09 (HIGH; MOD)
CMSRs v3.1 SA-09(02) (HIGH; MOD)
CMSRs v3.1 SA-10 (HIGH; MOD)
CMSRs v3.1 SA-11 (HIGH)
CMSRs v3.1 SA-11 (HIGH; MOD)
CMSRs v3.1 SA-12 (HIGH)
CMSRs v3.1 SA-13 (HIGH)
CMSRs v3.1 SA-15 (HIGH; MOD)
CMSRs v3.1 SA-16 (HIGH)
CMSRs v3.1 SA-17 (HIGH)
CMSRs v3.1 SC-01 (HIGH; MOD)
CMSRs v3.1 SC-02 (HIGH)
CMSRs v3.1 SC-02 (HIGH; MOD)
CMSRs v3.1 SC-03 (HIGH)
CMSRs v3.1 SC-04 (HIGH)
CMSRs v3.1 SC-04 (HIGH; MOD)
CMSRs v3.1 SC-05 (HIGH; MOD)
CMSRs v3.1 SC-05(02) (HIGH; MOD)
CMSRs v3.1 SC-07 (HIGH; MOD)
CMSRs v3.1 SC-07(03) (HIGH; MOD)
CMSRs v3.1 SC-07(04) (HIGH; MOD)
CMSRs v3.1 SC-07(05) (HIGH; MOD)
CMSRs v3.1 SC-07(07) (HIGH; MOD)
CMSRs v3.1 SC-07(08) (HIGH)
© 2019 HITRUST. All rights reserved.
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
05.b Information Security Coordination
10.a Security Requirements Analysis and Specification
05.c Allocation of Information Security Responsibilities
10.a Security Requirements Analysis and Specification
10.a Security Requirements Analysis and Specification
10.a Security Requirements Analysis and Specification
10.a Security Requirements Analysis and Specification
10.a Security Requirements Analysis and Specification
10.a Security Requirements Analysis and Specification
09.r Security of System Documentation
10.a Security Requirements Analysis and Specification
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.n Security of Network Services
10.a Security Requirements Analysis and Specification
09.n Security of Network Services
10.a Security Requirements Analysis and Specification
10.k Change Control Procedures
09.i System Acceptance
09.d Separation of Development, Test, and Operational Environments
09.i System Acceptance
10.l Outsourced Software Development
10.l Outsourced Software Development
10.l Outsourced Software Development
10.a Security Requirements Analysis and Specification
02.e Information Security Awareness, Education, and Training
10.a Security Requirements Analysis and Specification
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
09.s Information Exchange Policies and Procedures
09.k Controls Against Mobile Code
09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
01.w Sensitive System Isolation
01.w Sensitive System Isolation
09.h Capacity Management
09.z Publicly Available Information
10.a Security Requirements Analysis and Specification
09.z Publicly Available Information
01.m Segregation in Networks
01.n Network Connection Control
01.o Network Routing Control
09.m Network Controls
01.n Network Connection Control
01.n Network Connection Control
01.n Network Connection Control
09.m Network Controls
01.n Network Connection Control
01.n Network Connection Control
CMSRs v3.1 SC-07(13) (HIGH)
CMSRs v3.1 SC-07(18) (HIGH)
CMSRs v3.1 SC-07(21) (HIGH)
CMSRs v3.1 SC-08 (HIGH; MOD)
CMSRs v3.1 SC-08(01) (HIGH; MOD)
CMSRs v3.1 SC-10 (HIGH; MOD)
CMSRs v3.1 SC-12 (HIGH; MOD)
CMSRs v3.1 SC-12(01) (HIGH)
CMSRs v3.1 SC-13 (HIGH; MOD)
CMSRs v3.1 SC-15 (HIGH; MOD)
CMSRs v3.1 SC-15(01) (HIGH; MOD)
CMSRs v3.1 SC-17 (HIGH; MOD)
CMSRs v3.1 SC-18 (HIGH)
CMSRs v3.1 SC-18 (HIGH; MOD)
CMSRs v3.1 SC-19 (HIGH; MOD)
CMSRs v3.1 SC-20 (HIGH; MOD)
CMSRs v3.1 SC-22 (HIGH; MOD)
CMSRs v3.1 SC-23 (HIGH; MOD)
CMSRs v3.1 SC-24 (HIGH)
CMSRs v3.1 SC-24 (HIGH; MOD)
CMSRs v3.1 SC-28 (HIGH; MOD)
CMSRs v3.1 SC-32 (HIGH)
CMSRs v3.1 SC-7(18) (HIGH)
CMSRs v3.1 SC-CMS-1 (HIGH; MOD)
CMSRs v3.1 SE-01 (HIGH; MOD)
CMSRs v3.1 SE-02 (HIGH; MOD)
CMSRs v3.1 SI-01 (HIGH; MOD)
CMSRs v3.1 SI-02 (HIGH; MOD)
CMSRs v3.1 SI-02(01) (HIGH)
CMSRs v3.1 SI-02(02) (HIGH; MOD)
CMSRs v3.1 SI-03 (HIGH)
© 2019 HITRUST. All rights reserved.
01.m Segregation in Networks
09.m Network Controls
01.m Segregation in Networks
01.w Sensitive System Isolation
01.n Network Connection Control
09.v Electronic Messaging
09.x Electronic Commerce Services
10.d Message Integrity
09.m Network Controls
05.i Identification of Risks Related to External Parties
09.m Network Controls
09.v Electronic Messaging
09.x Electronic Commerce Services
01.t Session Time-out
10.g Key Management
06.d Data Protection and Privacy of Covered Information
10.g Key Management
06.f Regulation of Cryptographic Controls
10.f Policy on the Use of Cryptographic Controls
01.v Information Access Restriction
09.s Information Exchange Policies and Procedures
01.l Remote Diagnostic and Configuration Port Protection
09.s Information Exchange Policies and Procedures
10.g Key Management
09.k Controls Against Mobile Code
09.k Controls Against Mobile Code
09.m Network Controls
09.m Network Controls
09.m Network Controls
10.d Message Integrity
10.c Control of Internal Processing
08.a Physical Security Perimeter
06.d Data Protection and Privacy of Covered Information
09.l Back-up
09.u Physical Media in Transit
01.m Segregation in Networks
09.m Network Controls
09.v Electronic Messaging
09.z Publicly Available Information
07.a Inventory of Assets
11.c Responsibilities and Procedures
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
10.a Security Requirements Analysis and Specification
10.b Input Data Validation
10.c Control of Internal Processing
10.m Control of Technical Vulnerabilities
11.b Reporting Security Weaknesses
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
09.ab Monitoring System Use
09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
CMSRs v3.1 SI-03 (HIGH; MOD)
CMSRs v3.1 SI-03(01) (HIGH; MOD)
CMSRs v3.1 SI-03(02) (HIGH; MOD)
CMSRs v3.1 SI-04 (HIGH; MOD)
CMSRs v3.1 SI-04(02) (HIGH; MOD)
CMSRs v3.1 SI-04(03) (HIGH; MOD)
CMSRs v3.1 SI-04(04) (HIGH; MOD)
CMSRs v3.1 SI-04(05) (HIGH; MOD)
CMSRs v3.1 SI-05 (HIGH; MOD)
CMSRs v3.1 SI-05(01) (HIGH)
CMSRs v3.1 SI-06 (HIGH)
CMSRs v3.1 SI-07 (HIGH; MOD)
CMSRs v3.1 SI-07(01) (HIGH; MOD)
CMSRs v3.1 SI-07(02) (HIGH)
CMSRs v3.1 SI-07(05) (HIGH)
CMSRs v3.1 SI-07(07) (HIGH; MOD)
CMSRs v3.1 SI-08 (HIGH; MOD)
CMSRs v3.1 SI-08(01) (HIGH; MOD)
CMSRs v3.1 SI-08(02) (HIGH; MOD)
CMSRs v3.1 SI-10 (HIGH; MOD)
CMSRs v3.1 SI-11 (HIGH; MOD)
CMSRs v3.1 SI-12 (HIGH)
CMSRs v3.1 SI-12 (HIGH; MOD)
CMSRs v3.1 TR-01 (HIGH; MOD)
CMSRs v3.1 TR-01(01) (HIGH; MOD)
CMSRs v3.1 TR-02 (HIGH; MOD)
CMSRs v3.1 TR-02(01) (HIGH; MOD)
CMSRs v3.1 TR-03 (HIGH; MOD)
CMSRs v3.1 UL-01 (HIGH; MOD)
CMSRs v3.1 UL-02 (HIGH; MOD)
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
09.j Controls Against Malicious Code
09.j Controls Against Malicious Code
09.j Controls Against Malicious Code
01.x Mobile Computing and Communications
09.ab Monitoring System Use
09.m Network Controls
09.ab Monitoring System Use
09.ab Monitoring System Use
09.ab Monitoring System Use
09.ab Monitoring System Use
05.g Contact with Special Interest Groups
05.g Contact with Special Interest Groups
10.c Control of Internal Processing
10.c Control of Internal Processing
10.c Control of Internal Processing
09.ab Monitoring System Use
10.c Control of Internal Processing
10.c Control of Internal Processing
10.c Control of Internal Processing
09.j Controls Against Malicious Code
09.j Controls Against Malicious Code
09.j Controls Against Malicious Code
10.b Input Data Validation
10.c Control of Internal Processing
09.ae Fault Logging
06.d Data Protection and Privacy of Covered Information
06.c Protection of Organizational Records
09.q Information Handling Procedures
13.a Privacy Notice
13.a Privacy Notice
13.a Privacy Notice
13.a Privacy Notice
05.j Addressing Security When Dealing with Customers
13.a Privacy Notice
13.k Use and Disclosure
13.k Use and Disclosure
13.r Privacy Requirements for Contractors and Processors
 Authoritative Source HITRUST Control Reference
COBIT 5 APO12.03 07.a Inventory of Assets
COBIT 5 APO13.01 05.a Management Commitment to Information Security
05.b Information Security Coordination
05.c Allocation of Information Security Responsibilities
COBIT 5 APO13.02 00.a Information Security Management Program
04.a Information Security Policy Document
05.a Management Commitment to Information Security
05.b Information Security Coordination
05.c Allocation of Information Security Responsibilities
COBIT 5 DS05.04 09.c Segregation of Duties
COBIT 5 DSS02.01 11.a Reporting Information Security Events
11.c Responsibilities and Procedures
COBIT 5 DSS02.04 11.c Responsibilities and Procedures
COBIT 5 DSS02.05 11.c Responsibilities and Procedures
COBIT 5 DSS05.01 09.ab Monitoring System Use
09.j Controls Against Malicious Code
COBIT 5 DSS05.02 01.m Segregation in Networks
01.n Network Connection Control
09.m Network Controls
09.s Information Exchange Policies and Procedures
09.t Exchange Agreements
09.u Physical Media in Transit
09.v Electronic Messaging
09.w Interconnected Business Information Systems
10.m Control of Technical Vulnerabilities
COBIT 5 DSS05.03 01.b User Registration
08.l Secure Disposal or Re-Use of Equipment
09.w Interconnected Business Information Systems
10.f Policy on the Use of Cryptographic Controls
10.g Key Management
COBIT 5 DSS05.04 01.b User Registration
01.c Privilege Management
01.e Review of User Access Rights
01.q User Identification and Authentication
09.aa Audit Logging
COBIT 5 DSS05.05 01.k Equipment Identification in Networks
01.l Remote Diagnostic and Configuration Port Protection
01.s Use of System Utilities
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
09.c Segregation of Duties
09.ab Monitoring System Use
COBIT 5 DSS05.06 08.l Secure Disposal or Re-Use of Equipment
COBIT 5 DSS05.07 00.a Information Security Management Program
05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
© 2019 HITRUST. All rights reserved.
 COBIT 5 DSS05.07

06.h Technical Compliance Checking

09.ab Monitoring System Use
09.ac Protection of Log Information
09.ae Fault Logging
11.a Reporting Information Security Events
COBIT 5 DSS06.03 09.z Publicly Available Information

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

Authoritative Source
CSA CCM v3.0.1 AAC-01
CSA CCM v3.0.1 AAC-02
CSA CCM v3.0.1 AAC-03
CSA CCM v3.0.1 AIS-01
CSA CCM v3.0.1 AIS-02
CSA CCM v3.0.1 AIS-03
CSA CCM v3.0.1 AIS-04
CSA CCM v3.0.1 BCR-01
CSA CCM v3.0.1 BCR-02
CSA CCM v3.0.1 BCR-03
CSA CCM v3.0.1 BCR-04
CSA CCM v3.0.1 BCR-05
CSA CCM v3.0.1 BCR-06
CSA CCM v3.0.1 BCR-07
CSA CCM v3.0.1 BCR-08
CSA CCM v3.0.1 BCR-09
CSA CCM v3.0.1 BCR-10
CSA CCM v3.0.1 BCR-11
CSA CCM v3.0.1 CCC-01
CSA CCM v3.0.1 CCC-02
CSA CCM v3.0.1 CCC-03
CSA CCM v3.0.1 CCC-04
CSA CCM v3.0.1 CCC-05
CSA CCM v3.0.1 DCS-01
CSA CCM v3.0.1 DCS-02
CSA CCM v3.0.1 DCS-03
CSA CCM v3.0.1 DCS-04
CSA CCM v3.0.1 DCS-05
CSA CCM v3.0.1 DCS-06
CSA CCM v3.0.1 DCS-07
CSA CCM v3.0.1 DCS-08
CSA CCM v3.0.1 DCS-09
CSA CCM v3.0.1 DSI-01
CSA CCM v3.0.1 DSI-02
CSA CCM v3.0.1 DSI-03
CSA CCM v3.0.1 DSI-04
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
06.i Information Systems Audit Controls
05.h Independent Review of Information Security
06.i Information Systems Audit Controls
06.j Protection of Information Systems Audit Tools
06.a Identification of Applicable Legislation
10.b Input Data Validation
10.c Control of Internal Processing
10.e Output Data Validation
05.j Addressing Security When Dealing with Customers
10.b Input Data Validation
10.e Output Data Validation
01.t Session Time-out
09.s Information Exchange Policies and Procedures
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
08.h Supporting Utilities
08.i Cabling Security
09.a Documented Operations Procedures
09.r Security of System Documentation
08.d Protecting Against External and Environmental Threats
08.g Equipment Siting and Protection
08.j Equipment Maintenance
08.h Supporting Utilities
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
09.a Documented Operations Procedures
09.l Back-up
09.i System Acceptance
10.l Outsourced Software Development
09.i System Acceptance
10.h Control of Operational Software
09.i System Acceptance
10.k Change Control Procedures
07.a Inventory of Assets
07.b Ownership of Assets
08.a Physical Security Perimeter
01.k Equipment Identification in Networks
08.k Security of Equipment Off-Premises
08.m Removal of Property
08.k Security of Equipment Off-Premises
08.c Securing Offices, Rooms, and Facilities
08.b Physical Entry Controls
08.f Public Access, Delivery, and Loading Areas
08.b Physical Entry Controls
08.i Cabling Security
07.d Classification Guidelines
01.m Segregation in Networks
09.x Electronic Commerce Services
09.y On-line Transactions
07.e Information Labeling and Handling
CSA CCM v3.0.1 DSI-05
CSA CCM v3.0.1 DSI-06
CSA CCM v3.0.1 DSI-07
CSA CCM v3.0.1 EKM-01
CSA CCM v3.0.1 EKM-02
CSA CCM v3.0.1 EKM-03
CSA CCM v3.0.1 GRM-01
CSA CCM v3.0.1 GRM-02
CSA CCM v3.0.1 GRM-03
CSA CCM v3.0.1 GRM-04
CSA CCM v3.0.1 GRM-05
CSA CCM v3.0.1 GRM-06
CSA CCM v3.0.1 GRM-07
CSA CCM v3.0.1 GRM-08
CSA CCM v3.0.1 GRM-09
CSA CCM v3.0.1 GRM-10
CSA CCM v3.0.1 GRM-11
CSA CCM v3.0.1 HRS-01
CSA CCM v3.0.1 HRS-02
CSA CCM v3.0.1 HRS-03
CSA CCM v3.0.1 HRS-04
CSA CCM v3.0.1 HRS-05
CSA CCM v3.0.1 HRS-06
CSA CCM v3.0.1 HRS-07
CSA CCM v3.0.1 HRS-08
CSA CCM v3.0.1 HRS-09
CSA CCM v3.0.1 HRS-10
CSA CCM v3.0.1 HRS-11
CSA CCM v3.0.1 IAM-01
CSA CCM v3.0.1 IAM-02
CSA CCM v3.0.1 IAM-03
CSA CCM v3.0.1 IAM-04
CSA CCM v3.0.1 IAM-05
CSA CCM v3.0.1 IAM-06
© 2019 HITRUST. All rights reserved.
10.i Protection of System Test Data
07.b Ownership of Assets
08.l Secure Disposal or Re-Use of Equipment
09.p Disposal of Media
06.d Data Protection and Privacy of Covered Information
10.g Key Management
06.d Data Protection and Privacy of Covered Information
10.g Key Management
06.d Data Protection and Privacy of Covered Information
09.l Back-up
09.o Management of Removable Media
09.s Information Exchange Policies and Procedures
10.f Policy on the Use of Cryptographic Controls
10.a Security Requirements Analysis and Specification
03.b Performing Risk Assessments
02.d Management Responsibilities
00.a Information Security Management Program
05.a Management Commitment to Information Security
05.c Allocation of Information Security Responsibilities
05.a Management Commitment to Information Security
04.a Information Security Policy Document
10.f Policy on the Use of Cryptographic Controls
02.f Disciplinary Process
03.d Risk Evaluation
04.b Review of the Information Security Policy
03.b Performing Risk Assessments
03.a Risk Management Program Development
03.c Risk Mitigation
05.a Management Commitment to Information Security
02.h Return of Assets
02.b Screening
02.c Terms and Conditions of Employment
02.g Termination or Change Responsibilities
01.x Mobile Computing and Communications
09.o Management of Removable Media
09.u Physical Media in Transit
05.e Confidentiality Agreements
02.a Roles and Responsibilities
05.c Allocation of Information Security Responsibilities
06.g Compliance with Security Policies and Standards
07.c Acceptable Use of Assets
02.e Information Security Awareness, Education, and Training
01.g Unattended User Equipment
02.d Management Responsibilities
01.h Clear Desk and Clear Screen Policy
06.j Protection of Information Systems Audit Tools
01.a Access Control Policy
01.l Remote Diagnostic and Configuration Port Protection
01.c Privilege Management
01.q User Identification and Authentication
09.c Segregation of Duties
10.j Access Control to Program Source Code
CSA CCM v3.0.1 IAM-07
CSA CCM v3.0.1 IAM-08
CSA CCM v3.0.1 IAM-09
CSA CCM v3.0.1 IAM-10
CSA CCM v3.0.1 IAM-11
CSA CCM v3.0.1 IAM-12
CSA CCM v3.0.1 IAM-13
CSA CCM v3.0.1 IPY-01
CSA CCM v3.0.1 IPY-02
CSA CCM v3.0.1 IPY-03
CSA CCM v3.0.1 IPY-04
CSA CCM v3.0.1 IPY-05
CSA CCM v3.0.1 IVS-01
CSA CCM v3.0.1 IVS-02
CSA CCM v3.0.1 IVS-03
CSA CCM v3.0.1 IVS-04
CSA CCM v3.0.1 IVS-05
CSA CCM v3.0.1 IVS-06
CSA CCM v3.0.1 IVS-07
CSA CCM v3.0.1 IVS-08
CSA CCM v3.0.1 IVS-09
CSA CCM v3.0.1 IVS-10
CSA CCM v3.0.1 IVS-11
CSA CCM v3.0.1 IVS-12
CSA CCM v3.0.1 IVS-13
CSA CCM v3.0.1 MOS-01
CSA CCM v3.0.1 MOS-02
CSA CCM v3.0.1 MOS-03
CSA CCM v3.0.1 MOS-04
CSA CCM v3.0.1 MOS-05
CSA CCM v3.0.1 MOS-06
CSA CCM v3.0.1 MOS-07
CSA CCM v3.0.1 MOS-08
CSA CCM v3.0.1 MOS-09
CSA CCM v3.0.1 MOS-10
© 2019 HITRUST. All rights reserved.
05.i Identification of Risks Related to External Parties
01.b User Registration
01.b User Registration
01.c Privilege Management
01.i Policy on the Use of Network Services
01.v Information Access Restriction
10.j Access Control to Program Source Code
01.e Review of User Access Rights
02.g Termination or Change Responsibilities
02.i Removal of Access Rights
01.d User Password Management
01.s Use of System Utilities
10.h Control of Operational Software
10.h Control of Operational Software
05.k Addressing Security in Third Party Agreements
09.s Information Exchange Policies and Procedures
09.s Information Exchange Policies and Procedures
09.aa Audit Logging
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
09.ae Fault Logging
10.k Change Control Procedures
09.af Clock Synchronization
09.h Capacity Management
10.m Control of Technical Vulnerabilities
01.i Policy on the Use of Network Services
01.m Segregation in Networks
01.n Network Connection Control
09.m Network Controls
01.l Remote Diagnostic and Configuration Port Protection
10.h Control of Operational Software
09.d Separation of Development, Test, and Operational Environments
01.m Segregation in Networks
01.n Network Connection Control
01.m Segregation in Networks
09.m Network Controls
01.c Privilege Management
09.m Network Controls
09.m Network Controls
11.c Responsibilities and Procedures
02.e Information Security Awareness, Education, and Training
01.x Mobile Computing and Communications
01.x Mobile Computing and Communications
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
01.x Mobile Computing and Communications
02.e Information Security Awareness, Education, and Training
02.d Management Responsibilities
10.k Change Control Procedures
02.d Management Responsibilities
07.a Inventory of Assets
01.x Mobile Computing and Communications
CSA CCM v3.0.1 MOS-11
CSA CCM v3.0.1 MOS-12
CSA CCM v3.0.1 MOS-13
CSA CCM v3.0.1 MOS-14
CSA CCM v3.0.1 MOS-15
CSA CCM v3.0.1 MOS-16
CSA CCM v3.0.1 MOS-17
CSA CCM v3.0.1 MOS-18
CSA CCM v3.0.1 MOS-19
CSA CCM v3.0.1 MOS-20
CSA CCM v3.0.1 SEF-01
CSA CCM v3.0.1 SEF-02
CSA CCM v3.0.1 SEF-03
CSA CCM v3.0.1 SEF-04
CSA CCM v3.0.1 SEF-05
CSA CCM v3.0.1 STA-01
CSA CCM v3.0.1 STA-02
CSA CCM v3.0.1 STA-03
CSA CCM v3.0.1 STA-04
CSA CCM v3.0.1 STA-05
CSA CCM v3.0.1 STA-06
CSA CCM v3.0.1 STA-07
CSA CCM v3.0.1 STA-08
CSA CCM v3.0.1 STA-09
CSA CCM v3.0.1 TVM-01
CSA CCM v3.0.1 TVM-02
CSA CCM v3.0.1 TVM-03
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
01.x Mobile Computing and Communications
01.x Mobile Computing and Communications
02.d Management Responsibilities
01.t Session Time-out
10.k Change Control Procedures
01.d User Password Management
01.x Mobile Computing and Communications
09.j Controls Against Malicious Code
09.l Back-up
01.x Mobile Computing and Communications
01.x Mobile Computing and Communications
02.d Management Responsibilities
05.f Contact with Authorities
05.g Contact with Special Interest Groups
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
11.e Collection of Evidence
11.d Learning from Information Security Incidents
05.i Identification of Risks Related to External Parties
11.a Reporting Information Security Events
05.k Addressing Security in Third Party Agreements
09.n Security of Network Services
06.g Compliance with Security Policies and Standards
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
09.t Exchange Agreements
03.a Risk Management Program Development
05.k Addressing Security in Third Party Agreements
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
10.m Control of Technical Vulnerabilities
09.k Controls Against Mobile Code
Authoritative Source HITRUST Control Reference
CRR v2016 AM:G1.Q3 04.a Information Security Policy Document
CRR v2016 AM:G1.Q4 05.a Management Commitment to Information Security
CRR v2016 AM:G2.Q1 07.a Inventory of Assets
12.a Including Information Security in the Business Continuity Management Process
CRR v2016 AM:G2.Q3 07.a Inventory of Assets
07.b Ownership of Assets
CRR v2016 AM:G2.Q4 07.a Inventory of Assets
CRR v2016 AM:G2.Q5 07.a Inventory of Assets
09.m Network Controls
CRR v2016 AM:G3.Q1 07.a Inventory of Assets
12.b Business Continuity and Risk Assessment
CRR v2016 AM:G3.Q2 07.d Classification Guidelines
CRR v2016 AM:G4.Q1 09.b Change Management
CRR v2016 AM:G4.Q2 07.a Inventory of Assets
CRR v2016 AM:G5.Q1 05.d Authorization Process for Information Assets and Facilities
07.b Ownership of Assets
CRR v2016 AM:G5.Q2 07.b Ownership of Assets
CRR v2016 AM:G5.Q3 07.b Ownership of Assets
CRR v2016 AM:G5.Q4 07.b Ownership of Assets
CRR v2016 AM:G5.Q5 01.c Privilege Management
CRR v2016 AM:G5.Q6 09.c Segregation of Duties
CRR v2016 AM:G6.Q1 07.a Inventory of Assets
07.d Classification Guidelines
CRR v2016 AM:G6.Q2 07.d Classification Guidelines
CRR v2016 AM:G6.Q3 07.e Information Labeling and Handling
09.q Information Handling Procedures
CRR v2016 AM:G6.Q4 02.d Management Responsibilities
CRR v2016 AM:G6.Q5 09.l Back-up
CRR v2016 AM:G6.Q6 07.a Inventory of Assets
08.l Secure Disposal or Re-Use of Equipment
09.p Disposal of Media
CRR v2016 AM:G6.Q7 07.a Inventory of Assets
09.p Disposal of Media
09.q Information Handling Procedures
CRR v2016 AM:G7.Q1 12.b Business Continuity and Risk Assessment
CRR v2016 AM:G7.Q3 05.d Authorization Process for Information Assets and Facilities
CRR v2016 AM:MIL2.Q1 07.a Inventory of Assets
CRR v2016 AM:MIL2.Q2 07.a Inventory of Assets
CRR v2016 AM:MIL2.Q3 05.a Management Commitment to Information Security
05.b Information Security Coordination
CRR v2016 AM:MIL2.Q4 07.a Inventory of Assets
07.b Ownership of Assets
CRR v2016 AM:MIL3.Q1 05.a Management Commitment to Information Security
CRR v2016 AM:MIL3.Q2 02.d Management Responsibilities
CRR v2016 AM:MIL3.Q3 05.a Management Commitment to Information Security
05.b Information Security Coordination
CRR v2016 AM:MIL3.Q4 03.a Risk Management Program Development
03.b Performing Risk Assessments
CRR v2016 AM:MIL4.Q1 03.b Performing Risk Assessments
05.a Management Commitment to Information Security
CRR v2016 AM:MIL4.Q2 03.b Performing Risk Assessments
05.a Management Commitment to Information Security
CRR v2016 AM:MIL4.Q3 05.a Management Commitment to Information Security
© 2019 HITRUST. All rights reserved.
CRR v2016 AM:MIL4.Q3
05.b Information Security Coordination
CRR v2016 AM:MIL5.Q1 04.a Information Security Policy Document
CRR v2016 AM:MIL5.Q2 05.b Information Security Coordination
CRR v2016 CCM:G1.Q1 09.b Change Management
09.d Separation of Development, Test, and Operational Environments
10.k Change Control Procedures
CRR v2016 CCM:G1.Q2 12.a Including Information Security in the Business Continuity Management Process
CRR v2016 CCM:G1.Q3 09.h Capacity Management
12.c Developing and Implementing Continuity Plans Including Information Security
CRR v2016 CCM:G1.Q4 10.k Change Control Procedures
CRR v2016 CCM:G1.Q5 05.i Identification of Risks Related to External Parties
09.b Change Management
CRR v2016 CCM:G1.Q6 10.a Security Requirements Analysis and Specification
10.k Change Control Procedures
CRR v2016 CCM:G2.Q1 10.k Change Control Procedures
CRR v2016 CCM:G2.Q2 09.b Change Management
10.k Change Control Procedures
CRR v2016 CCM:G2.Q3 09.b Change Management
10.k Change Control Procedures
CRR v2016 CCM:G2.Q4 01.a Access Control Policy
01.c Privilege Management
01.q User Identification and Authentication
01.v Information Access Restriction
10.k Change Control Procedures
CRR v2016 CCM:G2.Q5 10.c Control of Internal Processing
CRR v2016 CCM:G2.Q6 10.c Control of Internal Processing
CRR v2016 CCM:G2.Q7 09.d Separation of Development, Test, and Operational Environments
09.i System Acceptance
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
CRR v2016 CCM:G2.Q8 01.a Access Control Policy
CRR v2016 CCM:G2.Q9 08.j Equipment Maintenance
CRR v2016 CCM:G2.Q10 01.a Access Control Policy
08.j Equipment Maintenance
CRR v2016 CCM:G2.Q11 01.j User Authentication for External Connections
05.i Identification of Risks Related to External Parties
08.j Equipment Maintenance
CRR v2016 CCM:G3.Q1 10.k Change Control Procedures
CRR v2016 CCM:G3.Q2 10.k Change Control Procedures
CRR v2016 CCM:MIL2.Q1 09.b Change Management
CRR v2016 CCM:MIL2.Q2 09.b Change Management
CRR v2016 CCM:MIL2.Q3 05.a Management Commitment to Information Security
05.b Information Security Coordination
CRR v2016 CCM:MIL2.Q4 09.b Change Management
CRR v2016 CCM:MIL3.Q1 05.a Management Commitment to Information Security
CRR v2016 CCM:MIL3.Q2 02.a Roles and Responsibilities
02.d Management Responsibilities
05.a Management Commitment to Information Security
CRR v2016 CCM:MIL3.Q3 05.a Management Commitment to Information Security
05.b Information Security Coordination
CRR v2016 CCM:MIL3.Q4 03.b Performing Risk Assessments
03.c Risk Mitigation
CRR v2016 CCM:MIL4.Q1 03.b Performing Risk Assessments
05.a Management Commitment to Information Security
© 2019 HITRUST. All rights reserved.
CRR v2016 CCM:MIL4.Q2 03.b Performing Risk Assessments
05.a Management Commitment to Information Security
CRR v2016 CCM:MIL4.Q3 05.a Management Commitment to Information Security
05.b Information Security Coordination
CRR v2016 CCM:MIL5.Q1 04.a Information Security Policy Document
CRR v2016 CCM:MIL5.Q2 05.b Information Security Coordination
CRR v2016 CM:G1.Q1 00.a Information Security Management Program
04.a Information Security Policy Document
CRR v2016 CM:G1.Q2 03.a Risk Management Program Development
03.c Risk Mitigation
CRR v2016 CM:G2.Q1 00.a Information Security Management Program
04.a Information Security Policy Document
05.b Information Security Coordination
CRR v2016 CM:G2.Q2 01.m Segregation in Networks
01.n Network Connection Control
01.o Network Routing Control
01.w Sensitive System Isolation
09.m Network Controls
10.a Security Requirements Analysis and Specification
CRR v2016 CM:G2.Q3 01.v Information Access Restriction
06.c Protection of Organizational Records
06.d Data Protection and Privacy of Covered Information
10.a Security Requirements Analysis and Specification
CRR v2016 CM:G2.Q4 01.n Network Connection Control
09.m Network Controls
09.s Information Exchange Policies and Procedures
09.v Electronic Messaging
09.y On-line Transactions
10.a Security Requirements Analysis and Specification
CRR v2016 CM:G2.Q5 09.p Disposal of Media
10.b Input Data Validation
CRR v2016 CM:G2.Q6 09.aa Audit Logging
CRR v2016 CM:G2.Q7 09.o Management of Removable Media
CRR v2016 CM:G2.Q8 01.i Policy on the Use of Network Services
01.m Segregation in Networks
01.n Network Connection Control
01.o Network Routing Control
09.m Network Controls
CRR v2016 CM:G2.Q9 02.a Roles and Responsibilities
02.b Screening
CRR v2016 CM:G2.Q10 01.c Privilege Management
CRR v2016 CM:G4.Q1 00.a Information Security Management Program
03.c Risk Mitigation
04.b Review of the Information Security Policy
CRR v2016 CM:G4.Q2 03.c Risk Mitigation
CRR v2016 CM:MIL2.Q1 00.a Information Security Management Program
04.a Information Security Policy Document
CRR v2016 CM:MIL2.Q2 00.a Information Security Management Program
CRR v2016 CM:MIL2.Q3 05.a Management Commitment to Information Security
05.b Information Security Coordination
CRR v2016 CM:MIL2.Q4 00.a Information Security Management Program
03.a Risk Management Program Development
05.b Information Security Coordination
CRR v2016 CM:MIL3.Q1 05.a Management Commitment to Information Security
© 2019 HITRUST. All rights reserved.
CRR v2016 CM:MIL3.Q2
CRR v2016 CM:MIL3.Q3
CRR v2016 CM:MIL3.Q4
CRR v2016 CM:MIL4.Q1
CRR v2016 CM:MIL4.Q2
CRR v2016 CM:MIL4.Q3
CRR v2016 CM:MIL5.Q1
CRR v2016 CM:MIL5.Q2
CRR v2016 EDM:G1.Q1
CRR v2016 EDM:G1.Q2
CRR v2016 EDM:G1.Q3
CRR v2016 EDM:G2.Q1
CRR v2016 EDM:G3.Q1
CRR v2016 EDM:G3.Q3
CRR v2016 EDM:G3.Q4
CRR v2016 EDM:G4.Q1
CRR v2016 EDM:G4.Q2
CRR v2016 EDM:G4.Q3
CRR v2016 EDM:G4.Q4
CRR v2016 EDM:G5.Q1
CRR v2016 EDM:MIL2.Q1
CRR v2016 EDM:MIL2.Q2
CRR v2016 EDM:MIL2.Q3
CRR v2016 EDM:MIL2.Q4
CRR v2016 EDM:MIL3.Q1
CRR v2016 EDM:MIL3.Q2
CRR v2016 EDM:MIL3.Q3
CRR v2016 EDM:MIL3.Q4
CRR v2016 EDM:MIL4.Q1
CRR v2016 EDM:MIL4.Q2
CRR v2016 EDM:MIL4.Q3
CRR v2016 EDM:MIL5.Q1
CRR v2016 EDM:MIL5.Q2
CRR v2016 IM:G1.Q1
CRR v2016 IM:G1.Q2
© 2019 HITRUST. All rights reserved.
02.a Roles and Responsibilities
02.d Management Responsibilities
05.a Management Commitment to Information Security
05.b Information Security Coordination
03.a Risk Management Program Development
03.b Performing Risk Assessments
03.b Performing Risk Assessments
05.a Management Commitment to Information Security
03.b Performing Risk Assessments
05.a Management Commitment to Information Security
05.a Management Commitment to Information Security
05.b Information Security Coordination
04.a Information Security Policy Document
05.b Information Security Coordination
05.k Addressing Security in Third Party Agreements
05.j Addressing Security When Dealing with Customers
05.i Identification of Risks Related to External Parties
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
05.k Addressing Security in Third Party Agreements
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.f Monitoring and Review of Third Party Services
09.f Monitoring and Review of Third Party Services
05.f Contact with Authorities
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
09.f Monitoring and Review of Third Party Services
03.a Risk Management Program Development
05.a Management Commitment to Information Security
05.b Information Security Coordination
05.i Identification of Risks Related to External Parties
05.j Addressing Security When Dealing with Customers
05.a Management Commitment to Information Security
02.a Roles and Responsibilities
02.d Management Responsibilities
05.a Management Commitment to Information Security
05.b Information Security Coordination
03.a Risk Management Program Development
03.c Risk Mitigation
03.b Performing Risk Assessments
05.a Management Commitment to Information Security
05.a Management Commitment to Information Security
05.a Management Commitment to Information Security
05.b Information Security Coordination
04.a Information Security Policy Document
05.b Information Security Coordination
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
CRR v2016 IM:G1.Q3 11.a Reporting Information Security Events
11.d Learning from Information Security Incidents
CRR v2016 IM:G1.Q4 11.a Reporting Information Security Events
CRR v2016 IM:G2.Q1 11.a Reporting Information Security Events
11.c Responsibilities and Procedures
CRR v2016 IM:G2.Q2 09.ab Monitoring System Use
CRR v2016 IM:G2.Q3 11.c Responsibilities and Procedures
CRR v2016 IM:G2.Q4 11.d Learning from Information Security Incidents
CRR v2016 IM:G2.Q5 11.c Responsibilities and Procedures
CRR v2016 IM:G2.Q7 11.d Learning from Information Security Incidents
CRR v2016 IM:G2.Q8 11.c Responsibilities and Procedures
11.e Collection of Evidence
CRR v2016 IM:G2.Q9 11.c Responsibilities and Procedures
11.e Collection of Evidence
CRR v2016 IM:G3.Q1 11.a Reporting Information Security Events
CRR v2016 IM:G3.Q2 11.a Reporting Information Security Events
CRR v2016 IM:G3.Q3 11.d Learning from Information Security Incidents
CRR v2016 IM:G4.Q1 11.a Reporting Information Security Events
11.c Responsibilities and Procedures
CRR v2016 IM:G4.Q2 11.a Reporting Information Security Events
CRR v2016 IM:G4.Q3 11.a Reporting Information Security Events
CRR v2016 IM:G4.Q4 11.a Reporting Information Security Events
CRR v2016 IM:G5.Q1 11.c Responsibilities and Procedures
CRR v2016 IM:G5.Q2 11.d Learning from Information Security Incidents
CRR v2016 IM:G5.Q3 11.d Learning from Information Security Incidents
CRR v2016 IM:MIL2.Q1 11.a Reporting Information Security Events
CRR v2016 IM:MIL2.Q2 11.a Reporting Information Security Events
CRR v2016 IM:MIL2.Q3 11.a Reporting Information Security Events
CRR v2016 IM:MIL3.Q1 11.a Reporting Information Security Events
CRR v2016 IM:MIL3.Q2 02.d Management Responsibilities
11.a Reporting Information Security Events
11.e Collection of Evidence
CRR v2016 IM:MIL3.Q3 05.b Information Security Coordination
CRR v2016 IM:MIL3.Q4 03.a Risk Management Program Development
03.c Risk Mitigation
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
CRR v2016 IM:MIL4.Q1 03.b Performing Risk Assessments
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
CRR v2016 IM:MIL4.Q2 03.b Performing Risk Assessments
05.a Management Commitment to Information Security
CRR v2016 IM:MIL4.Q3 05.a Management Commitment to Information Security
05.b Information Security Coordination
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
CRR v2016 IM:MIL5.Q1 04.a Information Security Policy Document
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
CRR v2016 IM:MIL5.Q2 05.b Information Security Coordination
11.d Learning from Information Security Incidents
CRR v2016 RM:G1.Q1 03.a Risk Management Program Development
CRR v2016 RM:G1.Q2 03.a Risk Management Program Development
© 2019 HITRUST. All rights reserved.
CRR v2016 RM:G1.Q3 03.a Risk Management Program Development
03.c Risk Mitigation
CRR v2016 RM:G1.Q4 03.a Risk Management Program Development
CRR v2016 RM:G2.Q1 03.b Performing Risk Assessments
07.d Classification Guidelines
CRR v2016 RM:G2.Q2 12.b Business Continuity and Risk Assessment
CRR v2016 RM:G2.Q3 03.a Risk Management Program Development
03.c Risk Mitigation
CRR v2016 RM:G2.Q4 03.a Risk Management Program Development
CRR v2016 RM:G3.Q1 03.a Risk Management Program Development
03.b Performing Risk Assessments
CRR v2016 RM:G4.Q1 03.b Performing Risk Assessments
CRR v2016 RM:G4.Q2 03.c Risk Mitigation
CRR v2016 RM:G5.Q1 03.a Risk Management Program Development
03.b Performing Risk Assessments
CRR v2016 RM:G5.Q2 03.a Risk Management Program Development
CRR v2016 RM:MIL2.Q1 03.b Performing Risk Assessments
CRR v2016 RM:MIL2.Q2 04.a Information Security Policy Document
CRR v2016 RM:MIL2.Q3 05.a Management Commitment to Information Security
05.b Information Security Coordination
CRR v2016 RM:MIL2.Q4 03.a Risk Management Program Development
03.b Performing Risk Assessments
03.c Risk Mitigation
CRR v2016 RM:MIL3.Q1 03.c Risk Mitigation
05.a Management Commitment to Information Security
CRR v2016 RM:MIL3.Q2 02.a Roles and Responsibilities
02.d Management Responsibilities
05.a Management Commitment to Information Security
CRR v2016 RM:MIL3.Q3 05.a Management Commitment to Information Security
05.b Information Security Coordination
CRR v2016 RM:MIL3.Q4 03.a Risk Management Program Development
CRR v2016 RM:MIL4.Q1 03.b Performing Risk Assessments
03.c Risk Mitigation
CRR v2016 RM:MIL4.Q2 03.c Risk Mitigation
03.d Risk Evaluation
CRR v2016 RM:MIL4.Q3 03.a Risk Management Program Development
03.d Risk Evaluation
05.a Management Commitment to Information Security
05.b Information Security Coordination
CRR v2016 RM:MIL5.Q1 04.a Information Security Policy Document
CRR v2016 RM:MIL5.Q2 03.b Performing Risk Assessments
03.c Risk Mitigation
05.b Information Security Coordination
CRR v2016 SA:G1.Q1 05.c Allocation of Information Security Responsibilities
CRR v2016 SA:G1.Q2 02.d Management Responsibilities
03.a Risk Management Program Development
05.g Contact with Special Interest Groups
CRR v2016 SA:G1.Q3 05.a Management Commitment to Information Security
05.b Information Security Coordination
CRR v2016 SA:G2.Q1 05.b Information Security Coordination
CRR v2016 SA:G2.Q2 05.b Information Security Coordination
CRR v2016 SA:G3.Q1 05.b Information Security Coordination
CRR v2016 SA:G3.Q2 05.b Information Security Coordination
CRR v2016 SA:G3.Q3 02.d Management Responsibilities
© 2019 HITRUST. All rights reserved.
CRR v2016 SA:G3.Q3
CRR v2016 SA:MIL2.Q1
CRR v2016 SA:MIL2.Q2
CRR v2016 SA:MIL2.Q3
CRR v2016 SA:MIL2.Q4
CRR v2016 SA:MIL3.Q1
CRR v2016 SA:MIL3.Q2
CRR v2016 SA:MIL3.Q3
CRR v2016 SA:MIL3.Q4
CRR v2016 SA:MIL4.Q1
CRR v2016 SA:MIL4.Q2
CRR v2016 SA:MIL4.Q3
CRR v2016 SA:MIL5.Q1
CRR v2016 SA:MIL5.Q2
CRR v2016 SCM:G1.Q1
CRR v2016 SCM:G1.Q2
CRR v2016 SCM:G1.Q3
CRR v2016 SCM:G1.Q4
CRR v2016 SCM:G1.Q6
CRR v2016 SCM:G2.Q1
CRR v2016 SCM:G3.Q2
CRR v2016 SCM:G3.Q3
CRR v2016 SCM:G3.Q4
CRR v2016 SCM:G3.Q5
CRR v2016 SCM:G4.Q1
CRR v2016 SCM:G4.Q2
CRR v2016 SCM:G4.Q3
CRR v2016 SCM:MIL2.Q1
CRR v2016 SCM:MIL2.Q2
CRR v2016 SCM:MIL2.Q3
CRR v2016 SCM:MIL2.Q4
CRR v2016 SCM:MIL3.Q1
CRR v2016 SCM:MIL3.Q2
© 2019 HITRUST. All rights reserved.
02.e Information Security Awareness, Education, and Training
03.a Risk Management Program Development
00.a Information Security Management Program
04.a Information Security Policy Document
05.c Allocation of Information Security Responsibilities
05.a Management Commitment to Information Security
05.b Information Security Coordination
03.a Risk Management Program Development
04.a Information Security Policy Document
05.a Management Commitment to Information Security
02.d Management Responsibilities
05.a Management Commitment to Information Security
05.b Information Security Coordination
03.a Risk Management Program Development
03.c Risk Mitigation
03.b Performing Risk Assessments
05.a Management Commitment to Information Security
05.a Management Commitment to Information Security
05.a Management Commitment to Information Security
05.b Information Security Coordination
04.a Information Security Policy Document
05.b Information Security Coordination
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
12.b Business Continuity and Risk Assessment
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
12.a Including Information Security in the Business Continuity Management Process
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
12.a Including Information Security in the Business Continuity Management Process
12.c Developing and Implementing Continuity Plans Including Information Security
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
09.l Back-up
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
12.a Including Information Security in the Business Continuity Management Process
12.a Including Information Security in the Business Continuity Management Process
05.b Information Security Coordination
12.c Developing and Implementing Continuity Plans Including Information Security
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
05.a Management Commitment to Information Security
02.a Roles and Responsibilities
02.d Management Responsibilities
CRR v2016 SCM:MIL3.Q2
CRR v2016 SCM:MIL3.Q3
CRR v2016 SCM:MIL3.Q4
CRR v2016 SCM:MIL4.Q1
CRR v2016 SCM:MIL4.Q2
CRR v2016 SCM:MIL4.Q3
CRR v2016 SCM:MIL5.Q1
CRR v2016 SCM:MIL5.Q2
CRR v2016 TA:G1.Q1
CRR v2016 TA:G1.Q2
CRR v2016 TA:G1.Q3
CRR v2016 TA:G1.Q4
CRR v2016 TA:G2.Q1
CRR v2016 TA:G2.Q2
CRR v2016 TA:G2.Q3
CRR v2016 TA:G2.Q4
CRR v2016 TA:G2.Q5
CRR v2016 TA:G2.Q6
CRR v2016 TA:G2.Q7
CRR v2016 TA:MIL2.Q1
CRR v2016 TA:MIL2.Q2
CRR v2016 TA:MIL2.Q3
CRR v2016 TA:MIL2.Q4
CRR v2016 TA:MIL3.Q1
CRR v2016 TA:MIL3.Q2
CRR v2016 TA:MIL3.Q3
CRR v2016 TA:MIL3.Q4
CRR v2016 TA:MIL4.Q1
CRR v2016 TA:MIL4.Q2
CRR v2016 TA:MIL4.Q3
CRR v2016 TA:MIL5.Q1
CRR v2016 TA:MIL5.Q2
CRR v2016 VM:G1.Q1
CRR v2016 VM:G1.Q3
CRR v2016 VM:G1.Q4
CRR v2016 VM:G1.Q5
© 2019 HITRUST. All rights reserved.
12.c Developing and Implementing Continuity Plans Including Information Security
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
05.a Management Commitment to Information Security
05.b Information Security Coordination
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
03.b Performing Risk Assessments
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
05.a Management Commitment to Information Security
05.a Management Commitment to Information Security
05.b Information Security Coordination
04.a Information Security Policy Document
12.c Developing and Implementing Continuity Plans Including Information Security
05.b Information Security Coordination
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
02.e Information Security Awareness, Education, and Training
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
05.a Management Commitment to Information Security
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
02.d Management Responsibilities
05.b Information Security Coordination
05.a Management Commitment to Information Security
05.b Information Security Coordination
02.e Information Security Awareness, Education, and Training
00.a Information Security Management Program
05.a Management Commitment to Information Security
02.d Management Responsibilities
05.b Information Security Coordination
03.a Risk Management Program Development
03.c Risk Mitigation
02.e Information Security Awareness, Education, and Training
03.b Performing Risk Assessments
05.a Management Commitment to Information Security
02.d Management Responsibilities
05.a Management Commitment to Information Security
05.b Information Security Coordination
04.a Information Security Policy Document
05.b Information Security Coordination
10.m Control of Technical Vulnerabilities
09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
07.a Inventory of Assets
09.ab Monitoring System Use
10.m Control of Technical Vulnerabilities
CRR v2016 VM:G2.Q1
CRR v2016 VM:G2.Q2
CRR v2016 VM:G2.Q3
CRR v2016 VM:G2.Q4
CRR v2016 VM:G2.Q5
CRR v2016 VM:G2.Q6
CRR v2016 VM:G3.Q1
CRR v2016 VM:G3.Q2
CRR v2016 VM:G3.Q3
CRR v2016 VM:G4.Q1
CRR v2016 VM:MIL2.Q1
CRR v2016 VM:MIL2.Q2
CRR v2016 VM:MIL2.Q3
CRR v2016 VM:MIL2.Q4
CRR v2016 VM:MIL3.Q1
CRR v2016 VM:MIL3.Q2
CRR v2016 VM:MIL3.Q3
CRR v2016 VM:MIL3.Q4
CRR v2016 VM:MIL4.Q1
CRR v2016 VM:MIL4.Q1c
CRR v2016 VM:MIL4.Q2
CRR v2016 VM:MIL4.Q3
CRR v2016 VM:MIL5.Q1
CRR v2016 VM:MIL5.Q2
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
03.a Risk Management Program Development
03.c Risk Mitigation
03.c Risk Mitigation
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
03.c Risk Mitigation
10.m Control of Technical Vulnerabilities
03.a Risk Management Program Development
10.m Control of Technical Vulnerabilities
05.a Management Commitment to Information Security
05.b Information Security Coordination
10.m Control of Technical Vulnerabilities
00.a Information Security Management Program
05.a Management Commitment to Information Security
02.a Roles and Responsibilities
02.d Management Responsibilities
05.a Management Commitment to Information Security
10.m Control of Technical Vulnerabilities
05.a Management Commitment to Information Security
05.b Information Security Coordination
03.b Performing Risk Assessments
03.c Risk Mitigation
10.m Control of Technical Vulnerabilities
05.a Management Commitment to Information Security
05.h Independent Review of Information Security
10.m Control of Technical Vulnerabilities
03.b Performing Risk Assessments
05.a Management Commitment to Information Security
10.m Control of Technical Vulnerabilities
05.a Management Commitment to Information Security
05.b Information Security Coordination
04.a Information Security Policy Document
05.b Information Security Coordination
Authoritative Source
EHNAC Accreditation
Committee
HITRUST Control Reference
00.a Information Security Management Program
01.b User Registration
02.e Information Security Awareness, Education, and Training
02.f Disciplinary Process
03.a Risk Management Program Development
12.c Developing and Implementing Continuity Plans Including Information Security
13.a Privacy Notice
13.f Principle Access
13.k Use and Disclosure

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

 Authoritative Source
EU GDPR Article 11(1)
EU GDPR Article 11(2)
EU GDPR Article 12(1)
EU GDPR Article 12(2)
EU GDPR Article 12(3)
EU GDPR Article 12(4)
EU GDPR Article 12(5)
EU GDPR Article 12(6)
EU GDPR Article 13(1)
EU GDPR Article 13(1)(a)
EU GDPR Article 13(1)(c)
EU GDPR Article 13(2)
EU GDPR Article 13(3)
EU GDPR Article 13(4)
EU GDPR Article 14(1)
EU GDPR Article 14(2)
EU GDPR Article 14(3)
EU GDPR Article 14(5)
EU GDPR Article 15(1)
EU GDPR Article 15(2)
EU GDPR Article 15(3)
EU GDPR Article 15(4)
EU GDPR Article 16
EU GDPR Article 17(1)
EU GDPR Article 17(2)
EU GDPR Article 17(3)
EU GDPR Article 18(1)
EU GDPR Article 18(2)
EU GDPR Article 18(3)
EU GDPR Article 19
EU GDPR Article 20(1)
EU GDPR Article 20(2)
EU GDPR Article 20(3)
EU GDPR Article 20(4)
EU GDPR Article 21(1)
EU GDPR Article 21(2)
EU GDPR Article 21(3)
EU GDPR Article 21(4)
EU GDPR Article 21(5)
EU GDPR Article 21(6)
EU GDPR Article 22(1)
EU GDPR Article 22(2)
EU GDPR Article 22(3)
EU GDPR Article 22(4)
EU GDPR Article 25(1)
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
13.i Collection Limitation
13.f Principle Access
13.a Privacy Notice
13.f Principle Access
13.f Principle Access
13.f Principle Access
13.a Privacy Notice
13.f Principle Access
13.a Privacy Notice
13.b Openness and Transparency
13.b Openness and Transparency
13.b Openness and Transparency
13.b Openness and Transparency
13.a Privacy Notice
13.a Privacy Notice
13.a Privacy Notice
13.b Openness and Transparency
13.b Openness and Transparency
13.a Privacy Notice
13.a Privacy Notice
13.f Principle Access
13.f Principle Access
13.f Principle Access
13.f Principle Access
13.f Principle Access
13.n Participation and Redress
13.n Participation and Redress
13.n Participation and Redress
13.e Choice
13.e Choice
13.e Choice
13.n Participation and Redress
13.f Principle Access
13.f Principle Access
13.f Principle Access
13.f Principle Access
13.n Participation and Redress
13.e Choice
13.e Choice
13.e Choice
13.e Choice
13.e Choice
13.e Choice
13.e Choice
13.e Choice
13.d Consent
10.a Security Requirements Analysis and Specification
 EU GDPR Article 25(1)
EU GDPR Article 26(1)
EU GDPR Article 26(2)
EU GDPR Article 26(3)
EU GDPR Article 27(1)
EU GDPR Article 27(2)
EU GDPR Article 27(3)
EU GDPR Article 27(4)
EU GDPR Article 27(5)
EU GDPR Article 28(2)
EU GDPR Article 28(3)
EU GDPR Article 28(4)
EU GDPR Article 28(9)
EU GDPR Article 29
EU GDPR Article 30(1)
EU GDPR Article 30(2)
EU GDPR Article 30(3)
EU GDPR Article 30(4)
EU GDPR Article 30(5)
EU GDPR Article 32(1)
EU GDPR Article 32(2)
EU GDPR Article 32(4)
EU GDPR Article 33(1)
EU GDPR Article 33(2)
EU GDPR Article 33(3)
EU GDPR Article 33(4)
EU GDPR Article 33(5)
EU GDPR Article 34(1)
EU GDPR Article 34(2)
EU GDPR Article 34(3)
EU GDPR Article 35(1)
EU GDPR Article 35(2)
EU GDPR Article 35(3)
EU GDPR Article 35(5)
EU GDPR Article 35(7)
EU GDPR Article 35(9)
© 2019 HITRUST. All rights reserved.
10.b Input Data Validation
10.c Control of Internal Processing
10.e Output Data Validation
05.k Addressing Security in Third Party Agreements
05.k Addressing Security in Third Party Agreements
05.k Addressing Security in Third Party Agreements
06.d Data Protection and Privacy of Covered Information
06.d Data Protection and Privacy of Covered Information
06.d Data Protection and Privacy of Covered Information
06.d Data Protection and Privacy of Covered Information
06.d Data Protection and Privacy of Covered Information
13.r Privacy Requirements for Contractors and Processors
05.k Addressing Security in Third Party Agreements
13.r Privacy Requirements for Contractors and Processors
05.k Addressing Security in Third Party Agreements
13.r Privacy Requirements for Contractors and Processors
05.k Addressing Security in Third Party Agreements
13.r Privacy Requirements for Contractors and Processors
05.k Addressing Security in Third Party Agreements
13.r Privacy Requirements for Contractors and Processors
05.k Addressing Security in Third Party Agreements
13.p Governance
13.r Privacy Requirements for Contractors and Processors
13.p Governance
13.p Governance
13.p Governance
13.r Privacy Requirements for Contractors and Processors
03.a Risk Management Program Development
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.a Reporting Information Security Events
03.b Performing Risk Assessments
13.q Privacy and Impact Assessment
03.b Performing Risk Assessments
13.q Privacy and Impact Assessment
03.b Performing Risk Assessments
13.q Privacy and Impact Assessment
03.b Performing Risk Assessments
03.b Performing Risk Assessments
03.b Performing Risk Assessments
 EU GDPR Article 35(9)
EU GDPR Article 35(10)
EU GDPR Article 35(11)
EU GDPR Article 36(1)
EU GDPR Article 36(3)
EU GDPR Article 36(5)
EU GDPR Article 37(1)
EU GDPR Article 37(2)
EU GDPR Article 37(3)
EU GDPR Article 37(4)
EU GDPR Article 37(5)
EU GDPR Article 37(7)
EU GDPR Article 38(1)
EU GDPR Article 38(2)
EU GDPR Article 38(3)
EU GDPR Article 38(4)
EU GDPR Article 38(5)
EU GDPR Article 38(6)
EU GDPR Article 39(1)
EU GDPR Article 39(2)
EU GDPR Article 4(1)
EU GDPR Article 4(5)
EU GDPR Article 4(11)
EU GDPR Article 45(1)
EU GDPR Article 46(1)
EU GDPR Article 46(2)
EU GDPR Article 46(3)
EU GDPR Article 47(1)
EU GDPR Article 47(2)
EU GDPR Article 48
EU GDPR Article 49(1)
EU GDPR Article 49(2)
EU GDPR Article 49(3)
EU GDPR Article 49(4)
EU GDPR Article 49(6)
EU GDPR Article 5(1)(a)
EU GDPR Article 5(1)(b)
EU GDPR Article 5(1)(c)
EU GDPR Article 5(1)(d)
© 2019 HITRUST. All rights reserved.
13.q Privacy and Impact Assessment
03.b Performing Risk Assessments
13.q Privacy and Impact Assessment
03.b Performing Risk Assessments
13.q Privacy and Impact Assessment
03.b Performing Risk Assessments
13.q Privacy and Impact Assessment
03.b Performing Risk Assessments
13.g Purpose Legitimacy
06.d Data Protection and Privacy of Covered Information
13.p Governance
06.d Data Protection and Privacy of Covered Information
06.d Data Protection and Privacy of Covered Information
06.d Data Protection and Privacy of Covered Information
06.d Data Protection and Privacy of Covered Information
13.p Governance
06.d Data Protection and Privacy of Covered Information
06.d Data Protection and Privacy of Covered Information
06.d Data Protection and Privacy of Covered Information
13.p Governance
06.d Data Protection and Privacy of Covered Information
13.p Governance
13.p Governance
13.p Governance
13.p Governance
06.d Data Protection and Privacy of Covered Information
13.p Governance
06.d Data Protection and Privacy of Covered Information
13.p Governance
03.a Risk Management Program Development
13.j Data Minimization
13.d Consent
09.s Information Exchange Policies and Procedures
09.s Information Exchange Policies and Procedures
09.s Information Exchange Policies and Procedures
09.s Information Exchange Policies and Procedures
09.s Information Exchange Policies and Procedures
13.p Governance
09.s Information Exchange Policies and Procedures
09.s Information Exchange Policies and Procedures
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.k Use and Disclosure
13.g Purpose Legitimacy
13.i Collection Limitation
13.i Collection Limitation
13.m Accuracy and Quality
 EU GDPR Article 5(1)(e)
EU GDPR Article 5(2)
EU GDPR Article 6(1)
EU GDPR Article 6(1)(a)
EU GDPR Article 6(4)
EU GDPR Article 7(1)
EU GDPR Article 7(2)
EU GDPR Article 7(3)
EU GDPR Article 7(4)
EU GDPR Article 8(1)
EU GDPR Article 8(2)
EU GDPR Article 9(1)
EU GDPR Article 9(2)
EU GDPR Article 60(10)
EU GDPR Article 89(1)
EU GDPR Recital 26
EU GDPR Recital 32
EU GDPR Recital 36
EU GDPR Recital 39
EU GDPR Recital 60
EU GDPR Recital 62
EU GDPR Recital 66
EU GDPR Recital 67
EU GDPR Recital 68
EU GDPR Recital 95
EU GDPR Recital 97
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
13.l Retention and Disposal
13.p Governance
13.g Purpose Legitimacy
13.g Purpose Legitimacy
13.k Use and Disclosure
13.d Consent
13.d Consent
13.d Consent
13.e Choice
13.d Consent
13.d Consent
13.d Consent
13.j Data Minimization
13.j Data Minimization
13.p Governance
13.j Data Minimization
13.j Data Minimization
13.d Consent
13.p Governance
13.i Collection Limitation
13.l Retention and Disposal
13.b Openness and Transparency
13.a Privacy Notice
13.n Participation and Redress
13.e Choice
13.f Principle Access
13.q Privacy and Impact Assessment
13.p Governance
Authoritative Source
FedRAMP AC-1
FedRAMP AC-2
FedRAMP AC-2(1)
FedRAMP AC-2(2)
FedRAMP AC-2(3)
FedRAMP AC-2(4)
FedRAMP AC-2(5)
FedRAMP AC-2(7)
FedRAMP AC-2(9)
FedRAMP AC-2(10)
FedRAMP AC-2(12)
FedRAMP AC-3
FedRAMP AC-4
FedRAMP AC-4(21)
FedRAMP AC-5
FedRAMP AC-6
FedRAMP AC-6(1)
FedRAMP AC-6(2)
FedRAMP AC-6(5)
FedRAMP AC-6(9)
FedRAMP AC-6(10)
FedRAMP AC-7
FedRAMP AC-8
FedRAMP AC-10
FedRAMP AC-11
FedRAMP AC-11(1)
FedRAMP AC-12
FedRAMP AC-17
FedRAMP AC-17(1)
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
01.a Access Control Policy
02.a Roles and Responsibilities
01.a Access Control Policy
01.b User Registration
01.c Privilege Management
01.e Review of User Access Rights
01.j User Authentication for External Connections
02.i Removal of Access Rights
01.b User Registration
01.b User Registration
01.b User Registration
01.b User Registration
01.t Session Time-out
01.c Privilege Management
01.b User Registration
01.b User Registration
09.ab Monitoring System Use
01.s Use of System Utilities
01.o Network Routing Control
01.v Information Access Restriction
01.m Segregation in Networks
09.c Segregation of Duties
01.c Privilege Management
01.s Use of System Utilities
01.v Information Access Restriction
01.y Teleworking
05.i Identification of Risks Related to External Parties
10.j Access Control to Program Source Code
01.c Privilege Management
06.j Protection of Information Systems Audit Tools
01.c Privilege Management
01.q User Identification and Authentication
01.c Privilege Management
01.c Privilege Management
09.aa Audit Logging
01.c Privilege Management
01.p Secure Log-on Procedures
05.j Addressing Security When Dealing with Customers
06.e Prevention of Misuse of Information Assets
07.e Information Labeling and Handling
01.p Secure Log-on Procedures
01.t Session Time-out
01.t Session Time-out
01.t Session Time-out
01.j User Authentication for External Connections
01.n Network Connection Control
01.y Teleworking
09.s Information Exchange Policies and Procedures
09.ab Monitoring System Use
01.j User Authentication for External Connections
FedRAMP AC-17(2) 01.j User Authentication for External Connections
01.y Teleworking
05.i Identification of Risks Related to External Parties
09.s Information Exchange Policies and Procedures
FedRAMP AC-17(3) 01.j User Authentication for External Connections
01.n Network Connection Control
FedRAMP AC-17(4) 01.j User Authentication for External Connections
FedRAMP AC-17(9) 01.j User Authentication for External Connections
FedRAMP AC-18 01.j User Authentication for External Connections
08.g Equipment Siting and Protection
09.m Network Controls
FedRAMP AC-18(1) 01.j User Authentication for External Connections
09.m Network Controls
FedRAMP AC-19 01.x Mobile Computing and Communications
FedRAMP AC-19(5) 01.x Mobile Computing and Communications
09.s Information Exchange Policies and Procedures
FedRAMP AC-20 01.i Policy on the Use of Network Services
01.y Teleworking
07.c Acceptable Use of Assets
09.s Information Exchange Policies and Procedures
FedRAMP AC-20(1) 09.s Information Exchange Policies and Procedures
FedRAMP AC-20(2) 09.s Information Exchange Policies and Procedures
FedRAMP AC-21 01.c Privilege Management
FedRAMP AC-22 09.z Publicly Available Information
FedRAMP AT-1 02.e Information Security Awareness, Education, and Training
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
FedRAMP AT-2 01.p Secure Log-on Procedures
01.y Teleworking
02.e Information Security Awareness, Education, and Training
FedRAMP AT-2(2) 02.e Information Security Awareness, Education, and Training
FedRAMP AT-3 02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
05.c Allocation of Information Security Responsibilities
FedRAMP AT-4 02.e Information Security Awareness, Education, and Training
FedRAMP AU-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
06.i Information Systems Audit Controls
06.j Protection of Information Systems Audit Tools
09.a Documented Operations Procedures
FedRAMP AU-2 09.aa Audit Logging
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
09.ae Fault Logging
FedRAMP AU-2(3) 09.aa Audit Logging
FedRAMP AU-3 09.aa Audit Logging
FedRAMP AU-3(1) 09.aa Audit Logging
FedRAMP AU-4 09.h Capacity Management
© 2019 HITRUST. All rights reserved.
FedRAMP AU-5 09.h Capacity Management
09.aa Audit Logging
FedRAMP AU-6 09.ab Monitoring System Use
09.ad Administrator and Operator Logs
FedRAMP AU-6(1) 09.ab Monitoring System Use
FedRAMP AU-6(3) 09.ab Monitoring System Use
FedRAMP AU-7 09.ab Monitoring System Use
FedRAMP AU-7(1) 09.ab Monitoring System Use
FedRAMP AU-8 09.af Clock Synchronization
FedRAMP AU-8(1) 09.aa Audit Logging
09.af Clock Synchronization
FedRAMP AU-9 06.j Protection of Information Systems Audit Tools
09.aa Audit Logging
09.ac Protection of Log Information
FedRAMP AU-9(2) 09.ac Protection of Log Information
FedRAMP AU-11 09.aa Audit Logging
FedRAMP AU-12 01.p Secure Log-on Procedures
09.ad Administrator and Operator Logs
09.ae Fault Logging
FedRAMP CA-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
FedRAMP CA-2 03.b Performing Risk Assessments
05.a Management Commitment to Information Security
05.d Authorization Process for Information Assets and Facilities
05.h Independent Review of Information Security
06.i Information Systems Audit Controls
06.j Protection of Information Systems Audit Tools
FedRAMP CA-2(1) 05.a Management Commitment to Information Security
05.h Independent Review of Information Security
FedRAMP CA-2(2) 06.h Technical Compliance Checking
FedRAMP CA-2(3) 03.b Performing Risk Assessments
FedRAMP CA-3 05.i Identification of Risks Related to External Parties
05.j Addressing Security When Dealing with Customers
09.m Network Controls
09.n Security of Network Services
FedRAMP CA-3(3) 09.n Security of Network Services
FedRAMP CA-3(5) 09.n Security of Network Services
FedRAMP CA-5 03.c Risk Mitigation
FedRAMP CA-6 05.d Authorization Process for Information Assets and Facilities
FedRAMP CA-7 05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
FedRAMP CA-7(1) 05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
FedRAMP CA-8 10.m Control of Technical Vulnerabilities
FedRAMP CA-8(1) 10.m Control of Technical Vulnerabilities
FedRAMP CA-9 09.w Interconnected Business Information Systems
FedRAMP CM-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
© 2019 HITRUST. All rights reserved.
FedRAMP CM-1
FedRAMP CM-2
FedRAMP CM-2(1)
FedRAMP CM-2(2)
FedRAMP CM-2(3)
FedRAMP CM-2(7)
FedRAMP CM-3
FedRAMP CM-4
FedRAMP CM-5
FedRAMP CM-5(1)
FedRAMP CM-5(3)
FedRAMP CM-5(5)
FedRAMP CM-6
FedRAMP CM-6(1)
FedRAMP CM-7
FedRAMP CM-7(1)
FedRAMP CM-7(2)
FedRAMP CM-7(5)
FedRAMP CM-8
FedRAMP CM-8(1)
FedRAMP CM-8(3)
FedRAMP CM-8(5)
FedRAMP CM-9
FedRAMP CM-10
© 2019 HITRUST. All rights reserved.
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
10.k Change Control Procedures
09.d Separation of Development, Test, and Operational Environments
09.w Interconnected Business Information Systems
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
10.h Control of Operational Software
01.x Mobile Computing and Communications
03.d Risk Evaluation
09.b Change Management
09.i System Acceptance
09.k Controls Against Mobile Code
09.m Network Controls
10.k Change Control Procedures
09.b Change Management
10.h Control of Operational Software
10.k Change Control Procedures
09.b Change Management
10.j Access Control to Program Source Code
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
01.e Review of User Access Rights
10.k Change Control Procedures
09.z Publicly Available Information
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
10.k Change Control Procedures
01.c Privilege Management
01.i Policy on the Use of Network Services
01.l Remote Diagnostic and Configuration Port Protection
07.a Inventory of Assets
07.b Ownership of Assets
07.d Classification Guidelines
09.i System Acceptance
09.m Network Controls
10.j Access Control to Program Source Code
01.l Remote Diagnostic and Configuration Port Protection
01.l Remote Diagnostic and Configuration Port Protection
01.l Remote Diagnostic and Configuration Port Protection
10.h Control of Operational Software
07.a Inventory of Assets
07.b Ownership of Assets
07.d Classification Guidelines
07.a Inventory of Assets
01.l Remote Diagnostic and Configuration Port Protection
07.a Inventory of Assets
10.k Change Control Procedures
06.b Intellectual Property Rights
FedRAMP CM-10
FedRAMP CM-10(1)
FedRAMP CM-11
FedRAMP CP-1
FedRAMP CP-2
FedRAMP CP-2(2)
FedRAMP CP-2(3)
FedRAMP CP-2(8)
FedRAMP CP-3
FedRAMP CP-4
FedRAMP CP-4(1)
FedRAMP CP-6
FedRAMP CP-6(1)
FedRAMP CP-7
FedRAMP CP-7(1)
FedRAMP CP-7(3)
FedRAMP CP-8
FedRAMP CP-8(1)
FedRAMP CP-8(2)
FedRAMP CP-9
FedRAMP CP-9(1)
FedRAMP CP-9(3)
FedRAMP IA-1
FedRAMP IA-2
FedRAMP IA-2(1)
FedRAMP IA-2(2)
FedRAMP IA-2(3)
FedRAMP IA-2(5)
FedRAMP IA-2(8)
FedRAMP IA-2(11)
© 2019 HITRUST. All rights reserved.
07.b Ownership of Assets
06.b Intellectual Property Rights
09.j Controls Against Malicious Code
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
12.c Developing and Implementing Continuity Plans Including Information Security
05.f Contact with Authorities
09.l Back-up
09.m Network Controls
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
05.f Contact with Authorities
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
09.l Back-up
09.l Back-up
01.q User Identification and Authentication
09.l Back-up
01.b User Registration
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
01.j User Authentication for External Connections
01.q User Identification and Authentication
01.y Teleworking
01.q User Identification and Authentication
01.q User Identification and Authentication
01.q User Identification and Authentication
01.q User Identification and Authentication
01.q User Identification and Authentication
01.q User Identification and Authentication
FedRAMP IA-2(12)
FedRAMP IA-3
FedRAMP IA-4
FedRAMP IA-4(4)
FedRAMP IA-5
FedRAMP IA-5(1)
FedRAMP IA-5(2)
FedRAMP IA-5(3)
FedRAMP IA-5(4)
FedRAMP IA-5(6)
FedRAMP IA-5(7)
FedRAMP IA-5(11)
FedRAMP IA-6
FedRAMP IA-7
FedRAMP IA-8
FedRAMP IA-8(1)
FedRAMP IA-8(2)
FedRAMP IA-8(3)
FedRAMP IA-8(4)
FedRAMP IR-1
FedRAMP IR-2
FedRAMP IR-3
FedRAMP IR-3(2)
FedRAMP IR-4
FedRAMP IR-4(1)
FedRAMP IR-5
FedRAMP IR-6
FedRAMP IR-6(1)
FedRAMP IR-7
© 2019 HITRUST. All rights reserved.
01.q User Identification and Authentication
01.k Equipment Identification in Networks
01.q User Identification and Authentication
09.m Network Controls
01.b User Registration
01.q User Identification and Authentication
01.q User Identification and Authentication
01.b User Registration
01.d User Password Management
01.f Password Use
01.k Equipment Identification in Networks
01.q User Identification and Authentication
01.r Password Management System
01.d User Password Management
01.q User Identification and Authentication
01.b User Registration
01.q User Identification and Authentication
01.d User Password Management
01.d User Password Management
01.d User Password Management
01.q User Identification and Authentication
01.p Secure Log-on Procedures
06.f Regulation of Cryptographic Controls
01.q User Identification and Authentication
01.j User Authentication for External Connections
01.j User Authentication for External Connections
01.j User Authentication for External Connections
01.j User Authentication for External Connections
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
02.e Information Security Awareness, Education, and Training
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
11.e Collection of Evidence
12.c Developing and Implementing Continuity Plans Including Information Security
11.d Learning from Information Security Incidents
02.f Disciplinary Process
05.f Contact with Authorities
11.a Reporting Information Security Events
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
FedRAMP IR-8 11.c Responsibilities and Procedures
FedRAMP IR-9 11.c Responsibilities and Procedures
FedRAMP IR-9(1) 11.c Responsibilities and Procedures
FedRAMP IR-9(2) 11.c Responsibilities and Procedures
FedRAMP IR-9(3) 11.c Responsibilities and Procedures
FedRAMP IR-9(4) 11.c Responsibilities and Procedures
FedRAMP MA-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
08.j Equipment Maintenance
09.a Documented Operations Procedures
FedRAMP MA-2 08.a Physical Security Perimeter
08.b Physical Entry Controls
08.j Equipment Maintenance
FedRAMP MA-3 08.j Equipment Maintenance
FedRAMP MA-3(1) 08.j Equipment Maintenance
FedRAMP MA-3(2) 08.j Equipment Maintenance
FedRAMP MA-3(3) 08.j Equipment Maintenance
FedRAMP MA-4 01.j User Authentication for External Connections
01.l Remote Diagnostic and Configuration Port Protection
05.i Identification of Risks Related to External Parties
08.j Equipment Maintenance
FedRAMP MA-4(2) 08.j Equipment Maintenance
FedRAMP MA-5 08.j Equipment Maintenance
FedRAMP MA-5(1) 11.c Responsibilities and Procedures
FedRAMP MA-6 08.j Equipment Maintenance
FedRAMP MP-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
07.a Inventory of Assets
09.a Documented Operations Procedures
09.o Management of Removable Media
09.t Exchange Agreements
FedRAMP MP-2 09.q Information Handling Procedures
FedRAMP MP-3 07.e Information Labeling and Handling
09.q Information Handling Procedures
FedRAMP MP-4 09.l Back-up
09.o Management of Removable Media
FedRAMP MP-5 08.k Security of Equipment Off-Premises
09.o Management of Removable Media
09.q Information Handling Procedures
09.u Physical Media in Transit
FedRAMP MP-5(4) 09.o Management of Removable Media
09.q Information Handling Procedures
09.u Physical Media in Transit
FedRAMP MP-6 08.l Secure Disposal or Re-Use of Equipment
09.p Disposal of Media
FedRAMP MP-6(2) 09.p Disposal of Media
FedRAMP MP-7 09.o Management of Removable Media
FedRAMP MP-7(1) 09.o Management of Removable Media
FedRAMP PE-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
© 2019 HITRUST. All rights reserved.
FedRAMP PE-1

05.a Management Commitment to Information Security

08.d Protecting Against External and Environmental Threats
08.g Equipment Siting and Protection
09.a Documented Operations Procedures
FedRAMP PE-2 08.b Physical Entry Controls
FedRAMP PE-3 08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
FedRAMP PE-4 08.i Cabling Security
FedRAMP PE-5 01.g Unattended User Equipment
FedRAMP PE-6 08.b Physical Entry Controls
09.ab Monitoring System Use
FedRAMP PE-6(1) 08.b Physical Entry Controls
FedRAMP PE-8 08.b Physical Entry Controls
FedRAMP PE-9 08.h Supporting Utilities
08.i Cabling Security
FedRAMP PE-10 08.h Supporting Utilities
FedRAMP PE-11 08.h Supporting Utilities
FedRAMP PE-12 08.h Supporting Utilities
FedRAMP PE-13 08.d Protecting Against External and Environmental Threats
FedRAMP PE-13(2) 08.d Protecting Against External and Environmental Threats
FedRAMP PE-13(3) 08.d Protecting Against External and Environmental Threats
FedRAMP PE-14 08.g Equipment Siting and Protection
08.h Supporting Utilities
10.a Security Requirements Analysis and Specification
FedRAMP PE-14(2) 08.g Equipment Siting and Protection
08.h Supporting Utilities
FedRAMP PE-15 08.d Protecting Against External and Environmental Threats
FedRAMP PE-16 08.f Public Access, Delivery, and Loading Areas
08.m Removal of Property
09.u Physical Media in Transit
FedRAMP PE-17 01.y Teleworking
08.k Security of Equipment Off-Premises
FedRAMP PL-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
FedRAMP PL-2 05.b Information Security Coordination
06.i Information Systems Audit Controls
FedRAMP PL-2(3) 05.b Information Security Coordination
FedRAMP PL-4 02.c Terms and Conditions of Employment
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
05.j Addressing Security When Dealing with Customers
06.e Prevention of Misuse of Information Assets
07.c Acceptable Use of Assets
11.b Reporting Security Weaknesses
FedRAMP PL-4(1) 07.c Acceptable Use of Assets
FedRAMP PL-8 10.a Security Requirements Analysis and Specification
FedRAMP PS-1 02.a Roles and Responsibilities
02.b Screening
© 2019 HITRUST. All rights reserved.
FedRAMP PS-1

04.a Information Security Policy Document

04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
FedRAMP PS-2 02.a Roles and Responsibilities
02.b Screening
FedRAMP PS-3 02.b Screening
FedRAMP PS-3(3) 02.b Screening
FedRAMP PS-4 01.b User Registration
02.g Termination or Change Responsibilities
02.h Return of Assets
02.i Removal of Access Rights
FedRAMP PS-5 01.e Review of User Access Rights
02.g Termination or Change Responsibilities
02.i Removal of Access Rights
FedRAMP PS-6 02.c Terms and Conditions of Employment
FedRAMP PS-7 02.c Terms and Conditions of Employment
02.d Management Responsibilities
05.k Addressing Security in Third Party Agreements
FedRAMP PS-8 02.f Disciplinary Process
06.e Prevention of Misuse of Information Assets
FedRAMP RA-1 03.a Risk Management Program Development
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
FedRAMP RA-2 01.w Sensitive System Isolation
06.c Protection of Organizational Records
07.d Classification Guidelines
FedRAMP RA-3 03.a Risk Management Program Development
03.b Performing Risk Assessments
03.d Risk Evaluation
05.d Authorization Process for Information Assets and Facilities
10.m Control of Technical Vulnerabilities
FedRAMP RA-5 06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
10.m Control of Technical Vulnerabilities
FedRAMP RA-5(1) 10.m Control of Technical Vulnerabilities
FedRAMP RA-5(2) 10.m Control of Technical Vulnerabilities
FedRAMP RA-5(3) 10.m Control of Technical Vulnerabilities
FedRAMP RA-5(5) 10.m Control of Technical Vulnerabilities
FedRAMP RA-5(6) 10.m Control of Technical Vulnerabilities
FedRAMP RA-5(8) 10.m Control of Technical Vulnerabilities
FedRAMP SA-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
FedRAMP SA-2 05.b Information Security Coordination
FedRAMP SA-3 05.c Allocation of Information Security Responsibilities
10.a Security Requirements Analysis and Specification
FedRAMP SA-4 09.i System Acceptance
© 2019 HITRUST. All rights reserved.
FedRAMP SA-4
FedRAMP SA-4(1)
FedRAMP SA-4(2)
FedRAMP SA-4(8)
FedRAMP SA-4(9)
FedRAMP SA-4(10)
FedRAMP SA-5
FedRAMP SA-8
FedRAMP SA-9
FedRAMP SA-9(1)
FedRAMP SA-9(2)
FedRAMP SA-9(4)
FedRAMP SA-9(5)
FedRAMP SA-10
FedRAMP SA-10(1)
FedRAMP SA-11
FedRAMP SA-11(1)
FedRAMP SA-11(2)
FedRAMP SA-11(8)
FedRAMP SC-1
FedRAMP SC-2
FedRAMP SC-4
FedRAMP SC-5
FedRAMP SC-6
FedRAMP SC-7
FedRAMP SC-7(3)
FedRAMP SC-7(4)
FedRAMP SC-7(5)
FedRAMP SC-7(7)
FedRAMP SC-7(8)
FedRAMP SC-7(12)
FedRAMP SC-7(13)
FedRAMP SC-7(18)
FedRAMP SC-8
FedRAMP SC-8
© 2019 HITRUST. All rights reserved.
10.a Security Requirements Analysis and Specification
10.a Security Requirements Analysis and Specification
10.a Security Requirements Analysis and Specification
06.g Compliance with Security Policies and Standards
10.a Security Requirements Analysis and Specification
10.a Security Requirements Analysis and Specification
09.r Security of System Documentation
10.a Security Requirements Analysis and Specification
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.n Security of Network Services
10.a Security Requirements Analysis and Specification
09.n Security of Network Services
10.a Security Requirements Analysis and Specification
05.i Identification of Risks Related to External Parties
09.e Service Delivery
10.k Change Control Procedures
10.k Change Control Procedures
09.i System Acceptance
10.l Outsourced Software Development
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
09.s Information Exchange Policies and Procedures
09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
01.w Sensitive System Isolation
09.h Capacity Management
09.z Publicly Available Information
10.a Security Requirements Analysis and Specification
09.h Capacity Management
01.m Segregation in Networks
01.n Network Connection Control
01.o Network Routing Control
09.m Network Controls
01.n Network Connection Control
01.n Network Connection Control
01.n Network Connection Control
01.n Network Connection Control
01.n Network Connection Control
01.x Mobile Computing and Communications
10.h Control of Operational Software
01.m Segregation in Networks
09.m Network Controls
01.n Network Connection Control
09.m Network Controls
FedRAMP SC-8 09.v Electronic Messaging
FedRAMP SC-8 09.x Electronic Commerce Services
FedRAMP SC-8(1) 09.m Network Controls
FedRAMP SC-10 01.t Session Time-out
FedRAMP SC-12 10.g Key Management
FedRAMP SC-12(2) 10.g Key Management
FedRAMP SC-12(3) 10.g Key Management
FedRAMP SC-13 06.f Regulation of Cryptographic Controls
10.f Policy on the Use of Cryptographic Controls
FedRAMP SC-15 01.v Information Access Restriction
09.s Information Exchange Policies and Procedures
FedRAMP SC-17 10.g Key Management
FedRAMP SC-18 09.k Controls Against Mobile Code
FedRAMP SC-19 09.m Network Controls
FedRAMP SC-20 09.m Network Controls
FedRAMP SC-21 09.m Network Controls
FedRAMP SC-22 09.m Network Controls
FedRAMP SC-23 10.d Message Integrity
FedRAMP SC-28 06.d Data Protection and Privacy of Covered Information
09.u Physical Media in Transit
FedRAMP SC-28(1) 06.d Data Protection and Privacy of Covered Information
09.l Back-up
09.u Physical Media in Transit
FedRAMP SI-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
10.a Security Requirements Analysis and Specification
10.b Input Data Validation
FedRAMP SI-2 10.c Control of Internal Processing
10.m Control of Technical Vulnerabilities
11.b Reporting Security Weaknesses
FedRAMP SI-2(2) 10.m Control of Technical Vulnerabilities
FedRAMP SI-2(3) 10.m Control of Technical Vulnerabilities
FedRAMP SI-3 09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
09.ab Monitoring System Use
FedRAMP SI-3(1) 09.j Controls Against Malicious Code
FedRAMP SI-3(2) 09.j Controls Against Malicious Code
FedRAMP SI-3(7) 09.j Controls Against Malicious Code
FedRAMP SI-4 09.m Network Controls
09.ab Monitoring System Use
FedRAMP SI-4(1) 09.ab Monitoring System Use
FedRAMP SI-4(2) 09.ab Monitoring System Use
FedRAMP SI-4(4) 09.ab Monitoring System Use
FedRAMP SI-4(5) 09.ab Monitoring System Use
FedRAMP SI-4(14) 09.m Network Controls
FedRAMP SI-4(16) 09.ab Monitoring System Use
FedRAMP SI-5 05.g Contact with Special Interest Groups
FedRAMP SI-6 10.c Control of Internal Processing
FedRAMP SI-7 10.c Control of Internal Processing
© 2019 HITRUST. All rights reserved.
FedRAMP SI-7(1) 10.c Control of Internal Processing
FedRAMP SI-7(7) 10.c Control of Internal Processing
FedRAMP SI-8 09.j Controls Against Malicious Code
FedRAMP SI-8(1) 09.j Controls Against Malicious Code
FedRAMP SI-8(2) 09.j Controls Against Malicious Code
FedRAMP SI-10 10.b Input Data Validation
10.c Control of Internal Processing
FedRAMP SI-11 09.ae Fault Logging
FedRAMP SI-12 06.c Protection of Organizational Records
06.d Data Protection and Privacy of Covered Information
09.q Information Handling Procedures

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

Authoritative Source
FFIEC IS v2016 A.1.4
FFIEC IS v2016 A.1.5
FFIEC IS v2016 A.2.1(a)
FFIEC IS v2016 A.2.1(b)
FFIEC IS v2016 A.2.1(c)
FFIEC IS v2016 A.2.2
FFIEC IS v2016 A.2.3
FFIEC IS v2016 A.2.6
FFIEC IS v2016 A.2.7
FFIEC IS v2016 A.2.8
FFIEC IS v2016 A.2.9
FFIEC IS v2016 A.2.10
FFIEC IS v2016 A.2.11
FFIEC IS v2016 A.3.1
FFIEC IS v2016 A.3.1c
FFIEC IS v2016 A.3.3
FFIEC IS v2016 A.4.1
FFIEC IS v2016 A.4.2
FFIEC IS v2016 A.4.3
FFIEC IS v2016 A.4.4
FFIEC IS v2016 A.4.5
FFIEC IS v2016 A.5.1
FFIEC IS v2016 A.6.1
FFIEC IS v2016 A.6.2
FFIEC IS v2016 A.6.4
FFIEC IS v2016 A.6.4(a)
FFIEC IS v2016 A.6.4(b)
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
00.a Information Security Management Program
05.a Management Commitment to Information Security
05.b Information Security Coordination
05.c Allocation of Information Security Responsibilities
05.h Independent Review of Information Security
05.h Independent Review of Information Security
05.h Independent Review of Information Security
00.a Information Security Management Program
05.a Management Commitment to Information Security
00.a Information Security Management Program
05.a Management Commitment to Information Security
05.a Management Commitment to Information Security
02.a Roles and Responsibilities
02.c Terms and Conditions of Employment
02.d Management Responsibilities
05.c Allocation of Information Security Responsibilities
00.a Information Security Management Program
05.c Allocation of Information Security Responsibilities
02.a Roles and Responsibilities
02.c Terms and Conditions of Employment
02.d Management Responsibilities
05.a Management Commitment to Information Security
05.c Allocation of Information Security Responsibilities
02.d Management Responsibilities
05.a Management Commitment to Information Security
03.a Risk Management Program Development
03.a Risk Management Program Development
05.b Information Security Coordination
05.b Information Security Coordination
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
03.b Performing Risk Assessments
06.g Compliance with Security Policies and Standards
03.b Performing Risk Assessments
03.b Performing Risk Assessments
05.g Contact with Special Interest Groups
05.g Contact with Special Interest Groups
10.m Control of Technical Vulnerabilities
04.b Review of the Information Security Policy
06.a Identification of Applicable Legislation
03.c Risk Mitigation
00.a Information Security Management Program
09.a Documented Operations Procedures
05.a Management Commitment to Information Security
03.c Risk Mitigation
03.a Risk Management Program Development
03.b Performing Risk Assessments
03.c Risk Mitigation
05.a Management Commitment to Information Security
FFIEC IS v2016 A.6.4(c)
FFIEC IS v2016 A.6.6
FFIEC IS v2016 A.6.7(a)
FFIEC IS v2016 A.6.7(b)
FFIEC IS v2016 A.6.7(c)
FFIEC IS v2016 A.6.7(d)
FFIEC IS v2016 A.6.7(e)
FFIEC IS v2016 A.6.8
FFIEC IS v2016 A.6.8(a)
FFIEC IS v2016 A.6.8(b)
FFIEC IS v2016 A.6.8(c)
FFIEC IS v2016 A.6.8(d)
FFIEC IS v2016 A.6.8(e)
FFIEC IS v2016 A.6.8(f)
FFIEC IS v2016 A.6.10
FFIEC IS v2016 A.6.11
FFIEC IS v2016 A.6.11(a)
FFIEC IS v2016 A.6.11(b)
FFIEC IS v2016 A.6.11(c)
FFIEC IS v2016 A.6.11(d)
FFIEC IS v2016 A.6.11(e)
FFIEC IS v2016 A.6.11(f)
FFIEC IS v2016 A.6.11(g)
FFIEC IS v2016 A.6.11(h)
FFIEC IS v2016 A.6.11(i)
FFIEC IS v2016 A.6.11(j)
FFIEC IS v2016 A.6.11(k)
FFIEC IS v2016 A.6.11(l)
FFIEC IS v2016 A.6.11(m)
FFIEC IS v2016 A.6.12
FFIEC IS v2016 A.6.13
FFIEC IS v2016 A.6.14
FFIEC IS v2016 A.6.15(c)
© 2019 HITRUST. All rights reserved.
06.g Compliance with Security Policies and Standards
07.a Inventory of Assets
07.b Ownership of Assets
07.d Classification Guidelines
01.i Policy on the Use of Network Services
05.i Identification of Risks Related to External Parties
09.m Network Controls
09.n Security of Network Services
01.i Policy on the Use of Network Services
09.m Network Controls
01.i Policy on the Use of Network Services
09.m Network Controls
05.i Identification of Risks Related to External Parties
09.n Security of Network Services
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
08.d Protecting Against External and Environmental Threats
01.v Information Access Restriction
02.b Screening
01.a Access Control Policy
01.c Privilege Management
01.e Review of User Access Rights
01.v Information Access Restriction
02.g Termination or Change Responsibilities
05.h Independent Review of Information Security
09.c Segregation of Duties
05.e Confidentiality Agreements
02.e Information Security Awareness, Education, and Training
07.c Acceptable Use of Assets
01.m Segregation in Networks
09.m Network Controls
09.b Change Management
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
FFIEC IS v2016 A.6.15(d)
FFIEC IS v2016 A.6.15(f)
FFIEC IS v2016 A.6.15(g)
FFIEC IS v2016 A.6.15(h)
FFIEC IS v2016 A.6.16(a)
FFIEC IS v2016 A.6.16(b)
FFIEC IS v2016 A.6.16(c)
FFIEC IS v2016 A.6.16(d)
FFIEC IS v2016 A.6.16(e)
FFIEC IS v2016 A.6.17
FFIEC IS v2016 A.6.18(a)
FFIEC IS v2016 A.6.18(b)
FFIEC IS v2016 A.6.18(c)
FFIEC IS v2016 A.6.18(d)
FFIEC IS v2016 A.6.18(e)
FFIEC IS v2016 A.6.18(f)
FFIEC IS v2016 A.6.18(g)
FFIEC IS v2016 A.6.19
FFIEC IS v2016 A.6.20(a)
FFIEC IS v2016 A.6.20(b)
FFIEC IS v2016 A.6.20(c)
FFIEC IS v2016 A.6.20(d)
FFIEC IS v2016 A.6.20(e)
FFIEC IS v2016 A.6.21(a)
FFIEC IS v2016 A.6.21(b)
FFIEC IS v2016 A.6.21(c)
FFIEC IS v2016 A.6.21(d)
FFIEC IS v2016 A.6.21(e)
FFIEC IS v2016 A.6.21(f)
FFIEC IS v2016 A.6.21(g)
FFIEC IS v2016 A.6.22(a)
FFIEC IS v2016 A.6.22(b)
FFIEC IS v2016 A.6.22(b)
FFIEC IS v2016 A.6.22(c)
© 2019 HITRUST. All rights reserved.
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.k Change Control Procedures
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
07.a Inventory of Assets
07.a Inventory of Assets
07.a Inventory of Assets
07.a Inventory of Assets
07.a Inventory of Assets
08.l Secure Disposal or Re-Use of Equipment
01.m Segregation in Networks
09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
10.h Control of Operational Software
06.c Protection of Organizational Records
06.d Data Protection and Privacy of Covered Information
06.c Protection of Organizational Records
05.i Identification of Risks Related to External Parties
09.m Network Controls
08.l Secure Disposal or Re-Use of Equipment
09.p Disposal of Media
09.u Physical Media in Transit
07.c Acceptable Use of Assets
05.i Identification of Risks Related to External Parties
01.b User Registration
01.b User Registration
01.e Review of User Access Rights
01.c Privilege Management
01.e Review of User Access Rights
09.aa Audit Logging
09.ab Monitoring System Use
01.b User Registration
01.c Privilege Management
01.s Use of System Utilities
09.f Monitoring and Review of Third Party Services
09.aa Audit Logging
09.ac Protection of Log Information
11.a Reporting Information Security Events
08.a Physical Security Perimeter
11.c Responsibilities and Procedures
09.o Management of Removable Media
01.j User Authentication for External Connections
09.ab Monitoring System Use
09.ab Monitoring System Use
01.d User Password Management
01.c Privilege Management
01.v Information Access Restriction
01.e Review of User Access Rights
FFIEC IS v2016 A.6.22(d)
FFIEC IS v2016 A.6.22(e)
FFIEC IS v2016 A.6.22(f)
FFIEC IS v2016 A.6.23
FFIEC IS v2016 A.6.24
FFIEC IS v2016 A.6.25(a)
FFIEC IS v2016 A.6.26
FFIEC IS v2016 A.6.27
FFIEC IS v2016 A.6.27(a)
FFIEC IS v2016 A.6.27(b)
FFIEC IS v2016 A.6.27(c)
FFIEC IS v2016 A.6.27(d)
FFIEC IS v2016 A.6.27(e)
FFIEC IS v2016 A.6.27(g)
FFIEC IS v2016 A.6.28
FFIEC IS v2016 A.6.28(a)
FFIEC IS v2016 A.6.28(b)
FFIEC IS v2016 A.6.28(c)
FFIEC IS v2016 A.6.28(d)
FFIEC IS v2016 A.6.29
FFIEC IS v2016 A.6.30
FFIEC IS v2016 A.6.31(a)
FFIEC IS v2016 A.6.31(b)
FFIEC IS v2016 A.6.31(c)
FFIEC IS v2016 A.6.31(d)
FFIEC IS v2016 A.6.31(e)
FFIEC IS v2016 A.6.31(f)
FFIEC IS v2016 A.6.31(g)
© 2019 HITRUST. All rights reserved.
01.a Access Control Policy
01.u Limitation of Connection Time
09.aa Audit Logging
09.ab Monitoring System Use
01.j User Authentication for External Connections
01.y Teleworking
05.i Identification of Risks Related to External Parties
09.s Information Exchange Policies and Procedures
01.j User Authentication for External Connections
01.x Mobile Computing and Communications
01.y Teleworking
09.s Information Exchange Policies and Procedures
05.j Addressing Security When Dealing with Customers
05.j Addressing Security When Dealing with Customers
10.a Security Requirements Analysis and Specification
09.aa Audit Logging
01.c Privilege Management
01.v Information Access Restriction
01.b User Registration
10.m Control of Technical Vulnerabilities
10.b Input Data Validation
10.c Control of Internal Processing
10.b Input Data Validation
10.l Outsourced Software Development
09.i System Acceptance
10.k Change Control Procedures
09.i System Acceptance
10.l Outsourced Software Development
03.b Performing Risk Assessments
10.l Outsourced Software Development
01.c Privilege Management
10.c Control of Internal Processing
06.d Data Protection and Privacy of Covered Information
10.f Policy on the Use of Cryptographic Controls
10.g Key Management
05.i Identification of Risks Related to External Parties
09.e Service Delivery
05.i Identification of Risks Related to External Parties
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
05.e Confidentiality Agreements
05.i Identification of Risks Related to External Parties
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
11.a Reporting Information Security Events
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
FFIEC IS v2016 A.6.31(g)
FFIEC IS v2016 A.6.32
FFIEC IS v2016 A.6.33
FFIEC IS v2016 A.6.35
FFIEC IS v2016 A.6.35(a)
FFIEC IS v2016 A.6.35(b)
FFIEC IS v2016 A.6.35(c)
FFIEC IS v2016 A.6.35(d)
FFIEC IS v2016 A.7.1
FFIEC IS v2016 A.7.2
FFIEC IS v2016 A.7.3
FFIEC IS v2016 A.7.4(a)
FFIEC IS v2016 A.7.4(b)
FFIEC IS v2016 A.7.4(c)
FFIEC IS v2016 A.7.4(d)
FFIEC IS v2016 A.7.4(e)
FFIEC IS v2016 A.8.1(a)
FFIEC IS v2016 A.8.1(b)
FFIEC IS v2016 A.8.1(c)
FFIEC IS v2016 A.8.1(d)
FFIEC IS v2016 A.8.1(e)
FFIEC IS v2016 A.8.1(f)
FFIEC IS v2016 A.8.1(h)
FFIEC IS v2016 A.8.1(i)
FFIEC IS v2016 A.8.1(j)
FFIEC IS v2016 A.8.1(k)
FFIEC IS v2016 A.8.1(l)
© 2019 HITRUST. All rights reserved.
09.e Service Delivery
05.i Identification of Risks Related to External Parties
05.i Identification of Risks Related to External Parties
09.aa Audit Logging
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
12.a Including Information Security in the Business Continuity Management Process
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
09.ac Protection of Log Information
12.c Developing and Implementing Continuity Plans Including Information Security
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
12.a Including Information Security in the Business Continuity Management Process
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
09.ab Monitoring System Use
03.a Risk Management Program Development
03.b Performing Risk Assessments
03.c Risk Mitigation
03.d Risk Evaluation
03.a Risk Management Program Development
03.b Performing Risk Assessments
03.c Risk Mitigation
03.a Risk Management Program Development
03.b Performing Risk Assessments
03.c Risk Mitigation
00.a Information Security Management Program
00.a Information Security Management Program
06.g Compliance with Security Policies and Standards
06.g Compliance with Security Policies and Standards
03.b Performing Risk Assessments
09.j Controls Against Malicious Code
09.m Network Controls
11.a Reporting Information Security Events
11.e Collection of Evidence
05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
05.f Contact with Authorities
09.ab Monitoring System Use
09.m Network Controls
03.b Performing Risk Assessments
11.a Reporting Information Security Events
01.v Information Access Restriction
10.c Control of Internal Processing
FFIEC IS v2016 A.8.1(m)
FFIEC IS v2016 A.8.1(n)
FFIEC IS v2016 A.8.1(o)
FFIEC IS v2016 A.8.1(p)
FFIEC IS v2016 A.8.3
FFIEC IS v2016 A.8.4
FFIEC IS v2016 A.8.5(a)
FFIEC IS v2016 A.8.5(b)
FFIEC IS v2016 A.8.5(c)
FFIEC IS v2016 A.8.5(d)
FFIEC IS v2016 A.8.5(e)
FFIEC IS v2016 A.8.5(f)
FFIEC IS v2016 A.8.5(g)
FFIEC IS v2016 A.8.5(h)
FFIEC IS v2016 A.8.6(a)
FFIEC IS v2016 A.8.6(b)
FFIEC IS v2016 A.8.6(c)
FFIEC IS v2016 A.8.6(d)
FFIEC IS v2016 A.8.6(e)
FFIEC IS v2016 A.8.6(f)
FFIEC IS v2016 A.8.6(g)
FFIEC IS v2016 A.8.6(h)
FFIEC IS v2016 A.8.6(i)
FFIEC IS v2016 A.9.1
FFIEC IS v2016 A.9.4
FFIEC IS v2016 A.10.1
FFIEC IS v2016 A.10.3(a)
FFIEC IS v2016 A.10.3(b)
FFIEC IS v2016 A.10.3(c)
FFIEC IS v2016 A.10.3(d)
FFIEC IS v2016 A.10.5
FFIEC IS v2016 A.10.6
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
11.b Reporting Security Weaknesses
05.b Information Security Coordination
06.g Compliance with Security Policies and Standards
09.h Capacity Management
10.m Control of Technical Vulnerabilities
09.m Network Controls
10.m Control of Technical Vulnerabilities
09.ab Monitoring System Use
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
05.h Independent Review of Information Security
05.h Independent Review of Information Security
05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
10.m Control of Technical Vulnerabilities
06.g Compliance with Security Policies and Standards
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
05.h Independent Review of Information Security
05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
10.m Control of Technical Vulnerabilities
05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
 Authoritative Source HITRUST Control Reference
HITRUST 01.d User Password Management
01.h Clear Desk and Clear Screen Policy
01.j User Authentication for External Connections
01.p Secure Log-on Procedures
02.b Screening
02.f Disciplinary Process
02.g Termination or Change Responsibilities
03.b Performing Risk Assessments
04.a Information Security Policy Document
05.a Management Commitment to Information Security
05.c Allocation of Information Security Responsibilities
05.e Confidentiality Agreements
06.d Data Protection and Privacy of Covered Information
07.a Inventory of Assets
07.d Classification Guidelines
07.e Information Labeling and Handling
08.g Equipment Siting and Protection
09.aa Audit Logging
10.a Security Requirements Analysis and Specification
10.m Control of Technical Vulnerabilities

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

Authoritative Source HITRUST Control Reference
De-ID Framework v1 Access Control: Access 01.c Privilege Management
Policies
De-ID Framework v1 Access Control: General 01.a Access Control Policy

De-ID Framework v1 Accountable Individuals: 05.a Management Commitment to Information Security

General 05.c Allocation of Information Security Responsibilities
De-ID Framework v1 Aggregated Data: 13.j Data Minimization
Disclosure Policy 13.k Use and Disclosure
De-ID Framework v1 Anti-malware: General 09.j Controls Against Malicious Code

De-ID Framework v1 Audit and Monitoring: 13.k Use and Disclosure

Auditing
De-ID Framework v1 Audit 09.ab Monitoring System Use
Logging/Monitoring: Aberrant and
Inappropriate Use

De-ID Framework v1 Audit 09.aa Audit Logging

Logging/Monitoring: General
De-ID Framework v1 Complaints: Policy
De-ID Framework v1 Data Breach Response:
General
De-ID Framework v1 Data Sharing
Agreements: DSAs
De-ID Framework v1 Data Storage: General
De-ID Framework v1 Disposal: Data
Destruction Procedures
De-ID Framework v1 Extra-National Access
Restrictions: General
De-ID Framework v1 Governance: General
09.ab Monitoring System Use
13.o Compliant Management
11.a Reporting Information Security Events
09.t Exchange Agreements
06.d Data Protection and Privacy of Covered Information
07.a Inventory of Assets
08.l Secure Disposal or Re-Use of Equipment
09.e Service Delivery
05.a Management Commitment to Information Security

De-ID Framework v1 Identification and 01.c Privilege Management

Authentication (Application-level):
Authentication Policy

De-ID Framework v1 Identification and 01.q User Identification and Authentication

Authentication (System-level): Authentication
Policy

De-ID Framework v1 Identification and 01.q User Identification and Authentication

Authentication: Authentication Policy
De-ID Framework v1 Non-disclosure and
Confidentiality: Policy
De-ID Framework v1 Perimeter Security
(Alarms): General
De-ID Framework v1 Perimeter Security
(Alarms): Logging
De-ID Framework v1 Perimeter Security
(Alarms): Testing
De-ID Framework v1 Physical Access:
Identification Policy
De-ID Framework v1 Physical Access:
Inappropriate Use
De-ID Framework v1 Physical and
Environmental Security: General
De-ID Framework v1 Physical Security:
General
02.c Terms and Conditions of Employment
08.b Physical Entry Controls
08.b Physical Entry Controls
02.e Information Security Awareness, Education, and Training
08.b Physical Entry Controls
08.b Physical Entry Controls
08.g Equipment Siting and Protection
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
01.h Clear Desk and Clear Screen Policy
08.b Physical Entry Controls
08.g Equipment Siting and Protection

© 2019 HITRUST. All rights reserved.

De-ID Framework v1 Privacy and Security 00.a Information Security Management Program
Program: General
De-ID Framework v1 Privacy and Security 02.e Information Security Awareness, Education, and Training
Training: General
De-ID Framework v1 Privacy Reviews/Audits: 05.h Independent Review of Information Security
General
De-ID Framework v1 Public Access to 08.a Physical Security Perimeter
Sensitive Areas: General 08.c Securing Offices, Rooms, and Facilities
De-ID Framework v1 Remote Access: 01.j User Authentication for External Connections
Applicability
De-ID Framework v1 Retention: Data 06.c Protection of Organizational Records
Retention Policy 09.aa Audit Logging
De-ID Framework v1 Risk Assessments: 03.a Risk Management Program Development
Assessments 03.b Performing Risk Assessments
De-ID Framework v1 Sanctions: General 02.f Disciplinary Process
De-ID Framework v1 Secondary Use: General 13.k Use and Disclosure

De-ID Framework v1 Security Points of 05.a Management Commitment to Information Security

Contact: General
De-ID Framework v1 Storage (Minimal 02.e Information Security Awareness, Education, and Training
Locations Authorized): Implementation 06.d Data Protection and Privacy of Covered Information
De-ID Framework v1 Storage (Minimal 06.d Data Protection and Privacy of Covered Information
Locations Authorized): Policy
De-ID Framework v1 Third-party Assurance: 05.k Addressing Security in Third Party Agreements
General
De-ID Framework v1 Transmission Encryption: 06.d Data Protection and Privacy of Covered Information
Applicability
De-ID Framework v1 Transmission Encryption: 01.n Network Connection Control
Policies 09.m Network Controls
De-ID Framework v1 Transparency: General 05.j Addressing Security When Dealing with Customers

De-ID Framework v1 Video Surveillance: 08.c Securing Offices, Rooms, and Facilities
General
De-ID Framework v1 Visitor Access: Incidents 11.a Reporting Information Security Events

De-ID Framework v1 Visitor Access: Policy 08.b Physical Entry Controls

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

Authoritative Source
IRS Pub 1075 v2016 3.1
IRS Pub 1075 v2016 3.2
IRS Pub 1075 v2016 4.2
IRS Pub 1075 v2016 4.3
IRS Pub 1075 v2016 4.3.1
IRS Pub 1075 v2016 4.3.2
IRS Pub 1075 v2016 4.3.3
IRS Pub 1075 v2016 4.4
IRS Pub 1075 v2016 4.5
IRS Pub 1075 v2016 4.7
IRS Pub 1075 v2016 4.7.1
IRS Pub 1075 v2016 4.7.2
IRS Pub 1075 v2016 4.7.3
IRS Pub 1075 v2016 5.3
IRS Pub 1075 v2016 5.4.2
IRS Pub 1075 v2016 6.3
IRS Pub 1075 v2016 6.4.1
IRS Pub 1075 v2016 7.1
IRS Pub 1075 v2016 7.2.1
IRS Pub 1075 v2016 7.3.1
IRS Pub 1075 v2016 7.4
IRS Pub 1075 v2016 8.2
IRS Pub 1075 v2016 8.3
IRS Pub 1075 v2016 8.4
IRS Pub 1075 v2016 9.1
IRS Pub 1075 v2016 9.3.1.1
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
06.c Protection of Organizational Records
01.w Sensitive System Isolation
06.c Protection of Organizational Records
06.d Data Protection and Privacy of Covered Information
08.a Physical Security Perimeter
08.b Physical Entry Controls
09.l Back-up
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.g Equipment Siting and Protection
08.b Physical Entry Controls
08.f Public Access, Delivery, and Loading Areas
08.m Removal of Property
09.u Physical Media in Transit
01.g Unattended User Equipment
08.b Physical Entry Controls
08.g Equipment Siting and Protection
09.ab Monitoring System Use
08.b Physical Entry Controls
09.l Back-up
09.u Physical Media in Transit
01.x Mobile Computing and Communications
01.y Teleworking
07.a Inventory of Assets
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.e Working in Secure Areas
09.l Back-up
09.q Information Handling Procedures
01.y Teleworking
01.y Teleworking
01.v Information Access Restriction
01.y Teleworking
09.s Information Exchange Policies and Procedures
09.e Service Delivery
05.k Addressing Security in Third Party Agreements
10.a Security Requirements Analysis and Specification
02.e Information Security Awareness, Education, and Training
09.ab Monitoring System Use
05.b Information Security Coordination
05.b Information Security Coordination
03.c Risk Mitigation
05.b Information Security Coordination
08.l Secure Disposal or Re-Use of Equipment
06.d Data Protection and Privacy of Covered Information
08.l Secure Disposal or Re-Use of Equipment
09.p Disposal of Media
09.p Disposal of Media
10.k Change Control Procedures
01.a Access Control Policy
01.i Policy on the Use of Network Services
IRS Pub 1075 v2016 9.3.1.1
IRS Pub 1075 v2016 9.3.1.2
IRS Pub 1075 v2016 9.3.1.3
IRS Pub 1075 v2016 9.3.1.4
IRS Pub 1075 v2016 9.3.1.5
IRS Pub 1075 v2016 9.3.1.6
IRS Pub 1075 v2016 9.3.1.7
IRS Pub 1075 v2016 9.3.1.8
IRS Pub 1075 v2016 9.3.1.9
IRS Pub 1075 v2016 9.3.1.10
IRS Pub 1075 v2016 9.3.1.11
IRS Pub 1075 v2016 9.3.1.12
IRS Pub 1075 v2016 9.3.1.13
IRS Pub 1075 v2016 9.3.1.14
IRS Pub 1075 v2016 9.3.1.15
IRS Pub 1075 v2016 9.3.1.16
IRS Pub 1075 v2016 9.3.1.17
IRS Pub 1075 v2016 9.3.2.1
© 2019 HITRUST. All rights reserved.
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
01.a Access Control Policy
01.b User Registration
01.c Privilege Management
01.e Review of User Access Rights
01.j User Authentication for External Connections
01.v Information Access Restriction
02.i Removal of Access Rights
01.s Use of System Utilities
01.v Information Access Restriction
01.m Segregation in Networks
01.n Network Connection Control
01.o Network Routing Control
01.v Information Access Restriction
09.c Segregation of Duties
01.c Privilege Management
01.s Use of System Utilities
01.v Information Access Restriction
01.y Teleworking
05.i Identification of Risks Related to External Parties
10.j Access Control to Program Source Code
01.p Secure Log-on Procedures
01.p Secure Log-on Procedures
05.j Addressing Security When Dealing with Customers
06.e Prevention of Misuse of Information Assets
07.e Information Labeling and Handling
01.g Unattended User Equipment
01.h Clear Desk and Clear Screen Policy
01.t Session Time-out
01.t Session Time-out
01.v Information Access Restriction
01.j User Authentication for External Connections
01.n Network Connection Control
01.q User Identification and Authentication
01.y Teleworking
05.i Identification of Risks Related to External Parties
09.e Service Delivery
09.s Information Exchange Policies and Procedures
01.j User Authentication for External Connections
09.m Network Controls
01.x Mobile Computing and Communications
01.i Policy on the Use of Network Services
09.s Information Exchange Policies and Procedures
01.c Privilege Management
01.d User Password Management
09.z Publicly Available Information
02.e Information Security Awareness, Education, and Training
04.a Information Security Policy Document
04.b Review of the Information Security Policy
IRS Pub 1075 v2016 9.3.2.1
IRS Pub 1075 v2016 9.3.2.2
IRS Pub 1075 v2016 9.3.2.3
IRS Pub 1075 v2016 9.3.2.4
IRS Pub 1075 v2016 9.3.3.1
IRS Pub 1075 v2016 9.3.3.2
IRS Pub 1075 v2016 9.3.3.3
IRS Pub 1075 v2016 9.3.3.4
IRS Pub 1075 v2016 9.3.3.5
IRS Pub 1075 v2016 9.3.3.6
IRS Pub 1075 v2016 9.3.3.7
IRS Pub 1075 v2016 9.3.3.8
IRS Pub 1075 v2016 9.3.3.9
IRS Pub 1075 v2016 9.3.3.10
IRS Pub 1075 v2016 9.3.3.11
IRS Pub 1075 v2016 9.3.3.12
IRS Pub 1075 v2016 9.3.4.1
IRS Pub 1075 v2016 9.3.4.2
IRS Pub 1075 v2016 9.3.4.3
IRS Pub 1075 v2016 9.3.4.4
IRS Pub 1075 v2016 9.3.4.5
IRS Pub 1075 v2016 9.3.4.6
© 2019 HITRUST. All rights reserved.
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
02.e Information Security Awareness, Education, and Training
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
05.c Allocation of Information Security Responsibilities
02.e Information Security Awareness, Education, and Training
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
06.i Information Systems Audit Controls
09.a Documented Operations Procedures
09.aa Audit Logging
01.p Secure Log-on Procedures
09.aa Audit Logging
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
09.ae Fault Logging
09.aa Audit Logging
09.ab Monitoring System Use
09.h Capacity Management
09.ac Protection of Log Information
09.ae Fault Logging
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
09.ab Monitoring System Use
09.af Clock Synchronization
06.j Protection of Information Systems Audit Tools
09.aa Audit Logging
09.ac Protection of Log Information
06.c Protection of Organizational Records
06.j Protection of Information Systems Audit Tools
09.aa Audit Logging
09.aa Audit Logging
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
06.g Compliance with Security Policies and Standards
09.a Documented Operations Procedures
03.b Performing Risk Assessments
05.a Management Commitment to Information Security
05.d Authorization Process for Information Assets and Facilities
05.h Independent Review of Information Security
06.i Information Systems Audit Controls
06.j Protection of Information Systems Audit Tools
05.i Identification of Risks Related to External Parties
05.j Addressing Security When Dealing with Customers
09.m Network Controls
09.n Security of Network Services
03.c Risk Mitigation
05.d Authorization Process for Information Assets and Facilities
05.h Independent Review of Information Security
IRS Pub 1075 v2016 9.3.4.6
IRS Pub 1075 v2016 9.3.5.1
IRS Pub 1075 v2016 9.3.5.2
IRS Pub 1075 v2016 9.3.5.3
IRS Pub 1075 v2016 9.3.5.4
IRS Pub 1075 v2016 9.3.5.5
IRS Pub 1075 v2016 9.3.5.6
IRS Pub 1075 v2016 9.3.5.7
IRS Pub 1075 v2016 9.3.5.8
IRS Pub 1075 v2016 9.3.5.9
IRS Pub 1075 v2016 9.3.5.10
IRS Pub 1075 v2016 9.3.5.11
IRS Pub 1075 v2016 9.3.6.1
IRS Pub 1075 v2016 9.3.6.2
IRS Pub 1075 v2016 9.3.6.3
IRS Pub 1075 v2016 9.3.6.4
© 2019 HITRUST. All rights reserved.
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
10.k Change Control Procedures
09.d Separation of Development, Test, and Operational Environments
09.w Interconnected Business Information Systems
10.k Change Control Procedures
09.b Change Management
09.i System Acceptance
09.k Controls Against Mobile Code
09.m Network Controls
10.k Change Control Procedures
09.b Change Management
10.h Control of Operational Software
10.k Change Control Procedures
09.b Change Management
10.j Access Control to Program Source Code
10.k Change Control Procedures
03.b Performing Risk Assessments
09.z Publicly Available Information
10.h Control of Operational Software
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
01.c Privilege Management
01.i Policy on the Use of Network Services
01.l Remote Diagnostic and Configuration Port Protection
09.i System Acceptance
09.m Network Controls
10.m Control of Technical Vulnerabilities
07.a Inventory of Assets
07.b Ownership of Assets
10.k Change Control Procedures
06.b Intellectual Property Rights
07.b Ownership of Assets
09.j Controls Against Malicious Code
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
05.f Contact with Authorities
09.l Back-up
09.m Network Controls
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
02.e Information Security Awareness, Education, and Training
05.f Contact with Authorities
IRS Pub 1075 v2016 9.3.6.4
IRS Pub 1075 v2016 9.3.6.5
IRS Pub 1075 v2016 9.3.6.6
IRS Pub 1075 v2016 9.3.6.7
IRS Pub 1075 v2016 9.3.7.1
IRS Pub 1075 v2016 9.3.7.2
IRS Pub 1075 v2016 9.3.7.3
IRS Pub 1075 v2016 9.3.7.4
IRS Pub 1075 v2016 9.3.7.5
IRS Pub 1075 v2016 9.3.7.6
IRS Pub 1075 v2016 9.3.7.7
IRS Pub 1075 v2016 9.3.7.8
IRS Pub 1075 v2016 9.3.8.1
IRS Pub 1075 v2016 9.3.8.2
IRS Pub 1075 v2016 9.3.8.3
IRS Pub 1075 v2016 9.3.8.4
IRS Pub 1075 v2016 9.3.8.5
IRS Pub 1075 v2016 9.3.8.6
IRS Pub 1075 v2016 9.3.8.7
IRS Pub 1075 v2016 9.3.8.8
IRS Pub 1075 v2016 9.3.8.9
IRS Pub 1075 v2016 9.3.9.1
© 2019 HITRUST. All rights reserved.
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
09.l Back-up
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
06.c Protection of Organizational Records
06.d Data Protection and Privacy of Covered Information
09.l Back-up
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
01.j User Authentication for External Connections
01.q User Identification and Authentication
01.k Equipment Identification in Networks
09.m Network Controls
01.b User Registration
01.q User Identification and Authentication
01.b User Registration
01.c Privilege Management
01.d User Password Management
01.f Password Use
01.j User Authentication for External Connections
01.k Equipment Identification in Networks
01.q User Identification and Authentication
01.r Password Management System
01.p Secure Log-on Procedures
06.f Regulation of Cryptographic Controls
01.j User Authentication for External Connections
01.q User Identification and Authentication
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
02.e Information Security Awareness, Education, and Training
05.c Allocation of Information Security Responsibilities
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
11.e Collection of Evidence
02.f Disciplinary Process
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
04.a Information Security Policy Document
04.b Review of the Information Security Policy
IRS Pub 1075 v2016 9.3.9.1
IRS Pub 1075 v2016 9.3.9.2
IRS Pub 1075 v2016 9.3.9.3
IRS Pub 1075 v2016 9.3.9.4
IRS Pub 1075 v2016 9.3.9.5
IRS Pub 1075 v2016 9.3.10.1
IRS Pub 1075 v2016 9.3.10.2
IRS Pub 1075 v2016 9.3.10.3
IRS Pub 1075 v2016 9.3.10.4
IRS Pub 1075 v2016 9.3.10.5
IRS Pub 1075 v2016 9.3.10.6
IRS Pub 1075 v2016 9.3.11.1
IRS Pub 1075 v2016 9.3.11.2
IRS Pub 1075 v2016 9.3.11.3
IRS Pub 1075 v2016 9.3.11.4
IRS Pub 1075 v2016 9.3.11.5
IRS Pub 1075 v2016 9.3.11.6
IRS Pub 1075 v2016 9.3.11.7
IRS Pub 1075 v2016 9.3.11.8
IRS Pub 1075 v2016 9.3.11.9
© 2019 HITRUST. All rights reserved.
05.a Management Commitment to Information Security
08.j Equipment Maintenance
09.a Documented Operations Procedures
08.a Physical Security Perimeter
08.j Equipment Maintenance
08.j Equipment Maintenance
01.j User Authentication for External Connections
01.l Remote Diagnostic and Configuration Port Protection
05.i Identification of Risks Related to External Parties
08.j Equipment Maintenance
08.j Equipment Maintenance
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
07.a Inventory of Assets
09.a Documented Operations Procedures
09.o Management of Removable Media
09.t Exchange Agreements
09.q Information Handling Procedures
01.h Clear Desk and Clear Screen Policy
07.e Information Labeling and Handling
09.l Back-up
09.q Information Handling Procedures
09.o Management of Removable Media
08.k Security of Equipment Off-Premises
09.l Back-up
09.o Management of Removable Media
09.q Information Handling Procedures
09.u Physical Media in Transit
01.c Privilege Management
08.l Secure Disposal or Re-Use of Equipment
09.p Disposal of Media
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
08.d Protecting Against External and Environmental Threats
08.g Equipment Siting and Protection
09.a Documented Operations Procedures
08.b Physical Entry Controls
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
08.i Cabling Security
01.g Unattended User Equipment
08.b Physical Entry Controls
09.ab Monitoring System Use
08.b Physical Entry Controls
08.f Public Access, Delivery, and Loading Areas
08.m Removal of Property
09.u Physical Media in Transit
01.y Teleworking
08.k Security of Equipment Off-Premises
IRS Pub 1075 v2016 9.3.11.10
IRS Pub 1075 v2016 9.3.12.1
IRS Pub 1075 v2016 9.3.12.2
IRS Pub 1075 v2016 9.3.12.3
IRS Pub 1075 v2016 9.3.12.3.1
IRS Pub 1075 v2016 9.3.12.3.2
IRS Pub 1075 v2016 9.3.12.3.6
IRS Pub 1075 v2016 9.3.12.3.7
IRS Pub 1075 v2016 9.3.13.1
IRS Pub 1075 v2016 9.3.13.2
IRS Pub 1075 v2016 9.3.13.3
IRS Pub 1075 v2016 9.3.13.4
IRS Pub 1075 v2016 9.3.13.5
IRS Pub 1075 v2016 9.3.13.6
IRS Pub 1075 v2016 9.3.13.7
IRS Pub 1075 v2016 9.3.13.8
IRS Pub 1075 v2016 9.3.14.1
IRS Pub 1075 v2016 9.3.14.2
IRS Pub 1075 v2016 9.3.14.3
IRS Pub 1075 v2016 9.3.15.1
© 2019 HITRUST. All rights reserved.
08.g Equipment Siting and Protection
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
05.b Information Security Coordination
06.i Information Systems Audit Controls
02.c Terms and Conditions of Employment
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
05.j Addressing Security When Dealing with Customers
06.e Prevention of Misuse of Information Assets
07.c Acceptable Use of Assets
11.b Reporting Security Weaknesses
02.d Management Responsibilities
02.d Management Responsibilities
02.d Management Responsibilities
02.d Management Responsibilities
02.a Roles and Responsibilities
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
02.a Roles and Responsibilities
02.b Screening
02.b Screening
02.g Termination or Change Responsibilities
02.h Return of Assets
02.i Removal of Access Rights
02.c Terms and Conditions of Employment
02.g Termination or Change Responsibilities
02.i Removal of Access Rights
02.c Terms and Conditions of Employment
02.d Management Responsibilities
05.k Addressing Security in Third Party Agreements
02.f Disciplinary Process
06.e Prevention of Misuse of Information Assets
03.a Risk Management Program Development
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
03.a Risk Management Program Development
03.b Performing Risk Assessments
03.d Risk Evaluation
05.d Authorization Process for Information Assets and Facilities
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
10.m Control of Technical Vulnerabilities
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
IRS Pub 1075 v2016 9.3.15.1
IRS Pub 1075 v2016 9.3.15.2
IRS Pub 1075 v2016 9.3.15.3
IRS Pub 1075 v2016 9.3.15.4
IRS Pub 1075 v2016 9.3.15.5
IRS Pub 1075 v2016 9.3.15.6
IRS Pub 1075 v2016 9.3.15.7
IRS Pub 1075 v2016 9.3.15.8
IRS Pub 1075 v2016 9.3.15.9
IRS Pub 1075 v2016 9.3.15.10
IRS Pub 1075 v2016 9.3.16.1
IRS Pub 1075 v2016 9.3.16.2
IRS Pub 1075 v2016 9.3.16.3
IRS Pub 1075 v2016 9.3.16.4
IRS Pub 1075 v2016 9.3.16.5
IRS Pub 1075 v2016 9.3.16.6
IRS Pub 1075 v2016 9.3.16.7
IRS Pub 1075 v2016 9.3.16.8
IRS Pub 1075 v2016 9.3.16.9
IRS Pub 1075 v2016 9.3.16.10
IRS Pub 1075 v2016 9.3.16.11
IRS Pub 1075 v2016 9.3.16.12
IRS Pub 1075 v2016 9.3.16.13
IRS Pub 1075 v2016 9.3.16.14
IRS Pub 1075 v2016 9.3.16.15
IRS Pub 1075 v2016 9.3.17.1
© 2019 HITRUST. All rights reserved.
09.a Documented Operations Procedures
05.b Information Security Coordination
05.c Allocation of Information Security Responsibilities
10.a Security Requirements Analysis and Specification
09.i System Acceptance
10.a Security Requirements Analysis and Specification
09.r Security of System Documentation
10.a Security Requirements Analysis and Specification
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.n Security of Network Services
10.k Change Control Procedures
09.i System Acceptance
10.h Control of Operational Software
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
09.s Information Exchange Policies and Procedures
09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
01.w Sensitive System Isolation
09.h Capacity Management
09.z Publicly Available Information
01.m Segregation in Networks
01.n Network Connection Control
01.o Network Routing Control
09.m Network Controls
05.i Identification of Risks Related to External Parties
08.i Cabling Security
09.ab Monitoring System Use
09.m Network Controls
09.v Electronic Messaging
09.x Electronic Commerce Services
01.t Session Time-out
10.d Message Integrity
10.g Key Management
06.f Regulation of Cryptographic Controls
10.f Policy on the Use of Cryptographic Controls
01.v Information Access Restriction
09.s Information Exchange Policies and Procedures
10.g Key Management
09.k Controls Against Mobile Code
09.m Network Controls
10.d Message Integrity
06.d Data Protection and Privacy of Covered Information
09.l Back-up
09.u Physical Media in Transit
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
IRS Pub 1075 v2016 9.3.17.1
IRS Pub 1075 v2016 9.3.17.2
IRS Pub 1075 v2016 9.3.17.3
IRS Pub 1075 v2016 9.3.17.4
IRS Pub 1075 v2016 9.3.17.5
IRS Pub 1075 v2016 9.3.17.6
IRS Pub 1075 v2016 9.3.17.7
IRS Pub 1075 v2016 9.3.17.8
IRS Pub 1075 v2016 9.3.17.9
IRS Pub 1075 v2016 9.3.17.10
IRS Pub 1075 v2016 9.3.18.1
IRS Pub 1075 v2016 9.4.1
IRS Pub 1075 v2016 9.4.1.8
IRS Pub 1075 v2016 9.4.2
IRS Pub 1075 v2016 9.4.3
IRS Pub 1075 v2016 9.4.4
IRS Pub 1075 v2016 9.4.5
IRS Pub 1075 v2016 9.4.6
IRS Pub 1075 v2016 9.4.7
IRS Pub 1075 v2016 9.4.8
IRS Pub 1075 v2016 9.4.9
© 2019 HITRUST. All rights reserved.
09.a Documented Operations Procedures
10.m Control of Technical Vulnerabilities
11.b Reporting Security Weaknesses
09.ab Monitoring System Use
09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
09.ab Monitoring System Use
05.g Contact with Special Interest Groups
09.j Controls Against Malicious Code
10.b Input Data Validation
10.c Control of Internal Processing
09.ae Fault Logging
06.c Protection of Organizational Records
06.d Data Protection and Privacy of Covered Information
09.q Information Handling Procedures
09.j Controls Against Malicious Code
00.a Information Security Management Program
02.d Management Responsibilities
05.a Management Commitment to Information Security
05.c Allocation of Information Security Responsibilities
01.w Sensitive System Isolation
03.b Performing Risk Assessments
05.b Information Security Coordination
05.k Addressing Security in Third Party Agreements
09.m Network Controls
03.b Performing Risk Assessments
04.a Information Security Policy Document
07.e Information Labeling and Handling
09.aa Audit Logging
09.j Controls Against Malicious Code
09.v Electronic Messaging
10.k Change Control Procedures
07.e Information Labeling and Handling
08.g Equipment Siting and Protection
09.v Electronic Messaging
01.m Segregation in Networks
05.j Addressing Security When Dealing with Customers
09.c Segregation of Duties
10.k Change Control Procedures
09.i System Acceptance
10.i Protection of System Test Data
09.p Disposal of Media
01.x Mobile Computing and Communications
09.p Disposal of Media
10.k Change Control Procedures
01.c Privilege Management
01.l Remote Diagnostic and Configuration Port Protection
08.g Equipment Siting and Protection
09.aa Audit Logging
09.ab Monitoring System Use
09.p Disposal of Media
09.s Information Exchange Policies and Procedures

IRS Pub 1075 v2016 9.4.10
IRS Pub 1075 v2016 9.4.11
IRS Pub 1075 v2016 9.4.12
IRS Pub 1075 v2016 9.4.13
IRS Pub 1075 v2016 9.4.14
IRS Pub 1075 v2016 9.4.15
IRS Pub 1075 v2016 9.4.16
IRS Pub 1075 v2016 9.4.17
IRS Pub 1075 v2016 9.4.18
© 2019 HITRUST. All rights reserved.
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
01.m Segregation in Networks
01.n Network Connection Control
01.o Network Routing Control
09.m Network Controls
01.c Privilege Management
01.m Segregation in Networks
09.aa Audit Logging
09.ab Monitoring System Use
09.l Back-up
09.m Network Controls
10.k Change Control Procedures
07.a Inventory of Assets
01.c Privilege Management
01.j User Authentication for External Connections
01.m Segregation in Networks
01.n Network Connection Control
05.j Addressing Security When Dealing with Customers
09.aa Audit Logging
09.j Controls Against Malicious Code
10.k Change Control Procedures
01.c Privilege Management
01.m Segregation in Networks
01.n Network Connection Control
01.v Information Access Restriction
05.b Information Security Coordination
09.ab Monitoring System Use
09.l Back-up
09.m Network Controls
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
01.m Segregation in Networks
09.ab Monitoring System Use
09.i System Acceptance
09.m Network Controls
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
01.n Network Connection Control
05.j Addressing Security When Dealing with Customers
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
01.n Network Connection Control
09.m Network Controls
10.h Control of Operational Software
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
01.j User Authentication for External Connections
01.m Segregation in Networks
07.a Inventory of Assets
09.aa Audit Logging
09.ab Monitoring System Use

IRS Pub 1075 v2016 10.2
IRS Pub 1075 v2016 10.3
IRS Pub 1075 v2016 10.4
IRS Pub 1075 v2016 11.1
IRS Pub 1075 v2016 12.10.3
IRS Pub 1075 v2016 Exhibit 6
IRS Pub 1075 v2016 Exhibit 7
IRS Pub 1075 v2016 Exhibit 8
IRS Pub 1075 v2016 Exhibit 9
IRS Pub 1075 v2016 Exhibit 10
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
09.m Network Controls
09.p Disposal of Media
10.h Control of Operational Software
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
11.a Reporting Information Security Events
06.d Data Protection and Privacy of Covered Information
11.a Reporting Information Security Events
05.b Information Security Coordination
05.k Addressing Security in Third Party Agreements
10.a Security Requirements Analysis and Specification
06.e Prevention of Misuse of Information Assets
04.a Information Security Policy Document
04.b Review of the Information Security Policy
01.c Privilege Management
01.j User Authentication for External Connections
01.q User Identification and Authentication
01.v Information Access Restriction
02.b Screening
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
03.b Performing Risk Assessments
04.a Information Security Policy Document
04.b Review of the Information Security Policy
06.c Protection of Organizational Records
06.d Data Protection and Privacy of Covered Information
06.g Compliance with Security Policies and Standards
07.b Ownership of Assets
07.d Classification Guidelines
09.a Documented Operations Procedures
09.ab Monitoring System Use
09.d Separation of Development, Test, and Operational Environments
09.m Network Controls
09.p Disposal of Media
09.y On-line Transactions
10.a Security Requirements Analysis and Specification
10.b Input Data Validation
10.k Change Control Procedures
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
 Authoritative Source
ISO/IEC 27001:2013 4.1
ISO/IEC 27001:2013 4.2(b)
ISO/IEC 27001:2013 4.4
ISO/IEC 27001:2013 5.1(a)
ISO/IEC 27001:2013 5.1(c)
ISO/IEC 27001:2013 5.1(d)
ISO/IEC 27001:2013 5.1(e)
ISO/IEC 27001:2013 5.1(f)
ISO/IEC 27001:2013 5.1(g)
ISO/IEC 27001:2013 5.2
ISO/IEC 27001:2013 5.3
ISO/IEC 27001:2013 6.1.1
ISO/IEC 27001:2013 6.1.1(c)
ISO/IEC 27001:2013 6.1.1(d)
ISO/IEC 27001:2013 6.1.1(e)
ISO/IEC 27001:2013 6.1.5
ISO/IEC 27001:2013 6.2
ISO/IEC 27001:2013 6.2(e)
ISO/IEC 27001:2013 7.1
ISO/IEC 27001:2013 7.2
ISO/IEC 27001:2013 7.3(b)
ISO/IEC 27001:2013 7.3(c)
ISO/IEC 27001:2013 7.4
ISO/IEC 27001:2013 7.5.1(a)
ISO/IEC 27001:2013 7.5.2
ISO/IEC 27001:2013 7.5.3
ISO/IEC 27001:2013 8.1
ISO/IEC 27001:2013 8.2
ISO/IEC 27001:2013 8.3
ISO/IEC 27001:2013 9.1
ISO/IEC 27001:2013 9.1.2
ISO/IEC 27001:2013 9.2
ISO/IEC 27001:2013 9.2.1
ISO/IEC 27001:2013 9.3
ISO/IEC 27001:2013 9.3(b)
ISO/IEC 27001:2013 9.3(f)
ISO/IEC 27001:2013 10.1(c)
ISO/IEC 27001:2013 10.2
ISO/IEC 27001:2013 14.1.2
ISO/IEC 27001:2013 A.9.2.6
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
10.a Security Requirements Analysis and Specification
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
09.b Change Management
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.g Managing Changes to Third Party Services
10.k Change Control Procedures
10.l Outsourced Software Development
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
01.i Policy on the Use of Network Services
00.a Information Security Management Program
01.b User Registration
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
00.a Information Security Management Program
09.z Publicly Available Information
01.e Review of User Access Rights
 © 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

Authoritative Source
ISO/IEC 27002:2013 5.1.1
ISO/IEC 27002:2013 5.1.2
ISO/IEC 27002:2013 6.1.1
ISO/IEC 27002:2013 6.1.2
ISO/IEC 27002:2013 6.1.3
ISO/IEC 27002:2013 6.1.4
ISO/IEC 27002:2013 6.1.6
ISO/IEC 27002:2013 6.2
ISO/IEC 27002:2013 6.2.1
ISO/IEC 27002:2013 6.2.2
ISO/IEC 27002:2013 7.1.1
ISO/IEC 27002:2013 7.1.2
ISO/IEC 27002:2013 7.2.1
ISO/IEC 27002:2013 7.2.2
ISO/IEC 27002:2013 7.2.3
ISO/IEC 27002:2013 7.3.1
ISO/IEC 27002:2013 8.1.1
ISO/IEC 27002:2013 8.1.2
ISO/IEC 27002:2013 8.1.3
ISO/IEC 27002:2013 8.1.4
ISO/IEC 27002:2013 8.2.1
ISO/IEC 27002:2013 8.2.2
ISO/IEC 27002:2013 8.2.3
ISO/IEC 27002:2013 8.3.1
ISO/IEC 27002:2013 8.3.2
ISO/IEC 27002:2013 8.3.3
ISO/IEC 27002:2013 9.1.1
ISO/IEC 27002:2013 9.1.2
ISO/IEC 27002:2013 9.1.4
ISO/IEC 27002:2013 9.2.1
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
04.a Information Security Policy Document
05.a Management Commitment to Information Security
04.b Review of the Information Security Policy
02.a Roles and Responsibilities
02.g Termination or Change Responsibilities
05.c Allocation of Information Security Responsibilities
09.c Segregation of Duties
05.c Allocation of Information Security Responsibilities
05.f Contact with Authorities
05.g Contact with Special Interest Groups
06.a Identification of Applicable Legislation
05.f Contact with Authorities
08.k Security of Equipment Off-Premises
01.x Mobile Computing and Communications
01.y Teleworking
08.k Security of Equipment Off-Premises
01.y Teleworking
08.k Security of Equipment Off-Premises
02.b Screening
05.k Addressing Security in Third Party Agreements
02.a Roles and Responsibilities
02.c Terms and Conditions of Employment
02.d Management Responsibilities
11.a Reporting Information Security Events
01.p Secure Log-on Procedures
02.e Information Security Awareness, Education, and Training
06.a Identification of Applicable Legislation
11.a Reporting Information Security Events
02.f Disciplinary Process
02.g Termination or Change Responsibilities
07.a Inventory of Assets
07.d Classification Guidelines
07.b Ownership of Assets
07.d Classification Guidelines
07.c Acceptable Use of Assets
02.h Return of Assets
06.c Protection of Organizational Records
07.d Classification Guidelines
07.e Information Labeling and Handling
01.h Clear Desk and Clear Screen Policy
07.e Information Labeling and Handling
09.q Information Handling Procedures
09.o Management of Removable Media
09.p Disposal of Media
09.u Physical Media in Transit
01.a Access Control Policy
01.c Privilege Management
01.w Sensitive System Isolation
01.a Access Control Policy
01.i Policy on the Use of Network Services
08.d Protecting Against External and Environmental Threats
01.a Access Control Policy
01.b User Registration
ISO/IEC 27002:2013 9.2.1
ISO/IEC 27002:2013 9.2.2
ISO/IEC 27002:2013 9.2.3
ISO/IEC 27002:2013 9.2.3(b)
ISO/IEC 27002:2013 9.2.4
ISO/IEC 27002:2013 9.2.5
ISO/IEC 27002:2013 9.2.6
ISO/IEC 27002:2013 9.3.1
ISO/IEC 27002:2013 9.4.1
ISO/IEC 27002:2013 9.4.2
ISO/IEC 27002:2013 9.4.3
ISO/IEC 27002:2013 9.4.4
ISO/IEC 27002:2013 9.4.5
ISO/IEC 27002:2013 10.1.1
ISO/IEC 27002:2013 10.1.2
ISO/IEC 27002:2013 10.7.1
ISO/IEC 27002:2013 11.1.1
ISO/IEC 27002:2013 11.1.2
ISO/IEC 27002:2013 11.1.3
ISO/IEC 27002:2013 11.1.4
ISO/IEC 27002:2013 11.1.5
ISO/IEC 27002:2013 11.1.6
ISO/IEC 27002:2013 11.2.1
ISO/IEC 27002:2013 11.2.2
ISO/IEC 27002:2013 11.2.3
ISO/IEC 27002:2013 11.2.4
ISO/IEC 27002:2013 11.2.5
ISO/IEC 27002:2013 11.2.6
ISO/IEC 27002:2013 11.2.7
ISO/IEC 27002:2013 11.2.8
ISO/IEC 27002:2013 11.2.9
ISO/IEC 27002:2013 12.1.1
ISO/IEC 27002:2013 12.1.2
ISO/IEC 27002:2013 12.1.3
ISO/IEC 27002:2013 12.1.4
© 2019 HITRUST. All rights reserved.
01.q User Identification and Authentication
01.a Access Control Policy
01.b User Registration
01.a Access Control Policy
01.c Privilege Management
01.q User Identification and Authentication
01.c Privilege Management
01.d User Password Management
01.r Password Management System
01.e Review of User Access Rights
02.g Termination or Change Responsibilities
02.g Termination or Change Responsibilities
02.i Removal of Access Rights
01.d User Password Management
01.f Password Use
01.v Information Access Restriction
01.d User Password Management
01.p Secure Log-on Procedures
01.t Session Time-out
01.u Limitation of Connection Time
01.d User Password Management
01.r Password Management System
01.s Use of System Utilities
10.j Access Control to Program Source Code
10.d Message Integrity
10.f Policy on the Use of Cryptographic Controls
10.g Key Management
09.o Management of Removable Media
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
08.d Protecting Against External and Environmental Threats
08.g Equipment Siting and Protection
08.e Working in Secure Areas
08.f Public Access, Delivery, and Loading Areas
08.g Equipment Siting and Protection
08.h Supporting Utilities
08.h Supporting Utilities
08.i Cabling Security
08.h Supporting Utilities
08.j Equipment Maintenance
08.m Removal of Property
08.a Physical Security Perimeter
08.k Security of Equipment Off-Premises
08.l Secure Disposal or Re-Use of Equipment
01.g Unattended User Equipment
01.h Clear Desk and Clear Screen Policy
09.a Documented Operations Procedures
03.d Risk Evaluation
09.b Change Management
09.d Separation of Development, Test, and Operational Environments
09.h Capacity Management
09.d Separation of Development, Test, and Operational Environments
ISO/IEC 27002:2013 12.1.14
ISO/IEC 27002:2013 12.2.1
ISO/IEC 27002:2013 12.3.1
ISO/IEC 27002:2013 12.4.1
ISO/IEC 27002:2013 12.4.2
ISO/IEC 27002:2013 12.4.3
ISO/IEC 27002:2013 12.4.4
ISO/IEC 27002:2013 12.5.1
ISO/IEC 27002:2013 12.6.1
ISO/IEC 27002:2013 12.6.2
ISO/IEC 27002:2013 12.7.1
ISO/IEC 27002:2013 13.1.1
ISO/IEC 27002:2013 13.1.2
ISO/IEC 27002:2013 13.1.3
ISO/IEC 27002:2013 13.2.1
ISO/IEC 27002:2013 13.2.2
ISO/IEC 27002:2013 13.2.3
ISO/IEC 27002:2013 13.2.4
ISO/IEC 27002:2013 14.1.1
ISO/IEC 27002:2013 14.1.2
ISO/IEC 27002:2013 14.1.3
ISO/IEC 27002:2013 14.2.1
ISO/IEC 27002:2013 14.2.2
ISO/IEC 27002:2013 14.2.3
ISO/IEC 27002:2013 14.2.4
ISO/IEC 27002:2013 14.2.5
ISO/IEC 27002:2013 14.2.6
ISO/IEC 27002:2013 14.2.7
ISO/IEC 27002:2013 14.2.8
© 2019 HITRUST. All rights reserved.
10.h Control of Operational Software
09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
09.l Back-up
09.aa Audit Logging
09.ab Monitoring System Use
09.ae Fault Logging
09.ad Administrator and Operator Logs
09.aa Audit Logging
09.ac Protection of Log Information
09.aa Audit Logging
09.ac Protection of Log Information
09.ad Administrator and Operator Logs
09.af Clock Synchronization
09.k Controls Against Mobile Code
10.h Control of Operational Software
03.b Performing Risk Assessments
03.c Risk Mitigation
10.m Control of Technical Vulnerabilities
09.j Controls Against Malicious Code
03.c Risk Mitigation
06.i Information Systems Audit Controls
06.j Protection of Information Systems Audit Tools
09.m Network Controls
11.c Responsibilities and Procedures
09.f Monitoring and Review of Third Party Services
09.m Network Controls
09.n Security of Network Services
01.m Segregation in Networks
01.o Network Routing Control
09.m Network Controls
09.w Interconnected Business Information Systems
09.s Information Exchange Policies and Procedures
11.c Responsibilities and Procedures
09.t Exchange Agreements
09.v Electronic Messaging
05.e Confidentiality Agreements
10.a Security Requirements Analysis and Specification
05.j Addressing Security When Dealing with Customers
09.x Electronic Commerce Services
09.z Publicly Available Information
09.y On-line Transactions
10.a Security Requirements Analysis and Specification
09.i System Acceptance
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
10.a Security Requirements Analysis and Specification
10.e Output Data Validation
10.a Security Requirements Analysis and Specification
10.k Change Control Procedures
10.k Change Control Procedures
10.l Outsourced Software Development
10.a Security Requirements Analysis and Specification
ISO/IEC 27002:2013 14.2.9
ISO/IEC 27002:2013 14.3.1
ISO/IEC 27002:2013 15.1.1
ISO/IEC 27002:2013 15.1.2
ISO/IEC 27002:2013 15.1.3
ISO/IEC 27002:2013 15.2
ISO/IEC 27002:2013 15.2.1
ISO/IEC 27002:2013 15.2.2
ISO/IEC 27002:2013 16.1.1
ISO/IEC 27002:2013 16.1.2
ISO/IEC 27002:2013 16.1.3
ISO/IEC 27002:2013 16.1.4
ISO/IEC 27002:2013 16.1.5
ISO/IEC 27002:2013 16.1.6
ISO/IEC 27002:2013 16.1.7
ISO/IEC 27002:2013 17.1.1
ISO/IEC 27002:2013 17.1.2
ISO/IEC 27002:2013 17.1.3
ISO/IEC 27002:2013 17.2.1
ISO/IEC 27002:2013 18.1.1
ISO/IEC 27002:2013 18.1.2
ISO/IEC 27002:2013 18.1.3
ISO/IEC 27002:2013 18.1.4
ISO/IEC 27002:2013 18.1.5
ISO/IEC 27002:2013 18.2.1
ISO/IEC 27002:2013 18.2.2
ISO/IEC 27002:2013 18.2.3
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
09.i System Acceptance
10.i Protection of System Test Data
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
09.l Back-up
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.g Managing Changes to Third Party Services
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.e Collection of Evidence
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
11.d Learning from Information Security Incidents
07.e Information Labeling and Handling
11.e Collection of Evidence
03.b Performing Risk Assessments
03.c Risk Mitigation
12.b Business Continuity and Risk Assessment
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
10.a Security Requirements Analysis and Specification
06.a Identification of Applicable Legislation
06.f Regulation of Cryptographic Controls
06.b Intellectual Property Rights
06.f Regulation of Cryptographic Controls
06.c Protection of Organizational Records
06.d Data Protection and Privacy of Covered Information
06.f Regulation of Cryptographic Controls
06.d Data Protection and Privacy of Covered Information
06.f Regulation of Cryptographic Controls
06.f Regulation of Cryptographic Controls
05.a Management Commitment to Information Security
05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
Authoritative Source
ISO/IEC 27799:2016
ISO/IEC 27799:2016 5.1.1
ISO/IEC 27799:2016 5.1.2
ISO/IEC 27799:2016 6.1.1
ISO/IEC 27799:2016 6.1.2
ISO/IEC 27799:2016 6.1.3
ISO/IEC 27799:2016 6.1.4
ISO/IEC 27799:2016 6.1.6
ISO/IEC 27799:2016 6.2
ISO/IEC 27799:2016 6.2.1
ISO/IEC 27799:2016 6.2.2
ISO/IEC 27799:2016 7.1.1
ISO/IEC 27799:2016 7.1.2
ISO/IEC 27799:2016 7.10.2.1
ISO/IEC 27799:2016 7.12.2.2
ISO/IEC 27799:2016 7.2.1
ISO/IEC 27799:2016 7.2.2
ISO/IEC 27799:2016 7.2.3
ISO/IEC 27799:2016 7.3.1
ISO/IEC 27799:2016 8.1.1
ISO/IEC 27799:2016 8.1.2
ISO/IEC 27799:2016 8.1.3
ISO/IEC 27799:2016 8.1.4
ISO/IEC 27799:2016 8.2.1
ISO/IEC 27799:2016 8.2.2
ISO/IEC 27799:2016 8.2.3
ISO/IEC 27799:2016 8.3.1
ISO/IEC 27799:2016 8.3.2
ISO/IEC 27799:2016 8.3.3
ISO/IEC 27799:2016 9.1.1
ISO/IEC 27799:2016 9.1.2
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
07.d Classification Guidelines
04.a Information Security Policy Document
05.a Management Commitment to Information Security
04.b Review of the Information Security Policy
02.a Roles and Responsibilities
02.g Termination or Change Responsibilities
05.c Allocation of Information Security Responsibilities
09.c Segregation of Duties
05.c Allocation of Information Security Responsibilities
05.f Contact with Authorities
05.g Contact with Special Interest Groups
06.a Identification of Applicable Legislation
05.f Contact with Authorities
08.k Security of Equipment Off-Premises
01.x Mobile Computing and Communications
01.y Teleworking
08.k Security of Equipment Off-Premises
01.y Teleworking
08.k Security of Equipment Off-Premises
02.b Screening
05.k Addressing Security in Third Party Agreements
02.a Roles and Responsibilities
02.c Terms and Conditions of Employment
11.c Responsibilities and Procedures
06.d Data Protection and Privacy of Covered Information
02.d Management Responsibilities
11.a Reporting Information Security Events
01.p Secure Log-on Procedures
02.e Information Security Awareness, Education, and Training
06.a Identification of Applicable Legislation
11.a Reporting Information Security Events
02.f Disciplinary Process
02.g Termination or Change Responsibilities
07.a Inventory of Assets
07.d Classification Guidelines
07.b Ownership of Assets
07.d Classification Guidelines
07.c Acceptable Use of Assets
02.h Return of Assets
06.c Protection of Organizational Records
07.d Classification Guidelines
07.e Information Labeling and Handling
01.h Clear Desk and Clear Screen Policy
07.e Information Labeling and Handling
09.q Information Handling Procedures
09.o Management of Removable Media
09.p Disposal of Media
09.u Physical Media in Transit
01.a Access Control Policy
01.c Privilege Management
01.w Sensitive System Isolation
01.a Access Control Policy
ISO/IEC 27799:2016 9.1.2
ISO/IEC 27799:2016 9.2.1
ISO/IEC 27799:2016 9.2.2
ISO/IEC 27799:2016 9.2.3
ISO/IEC 27799:2016 9.2.4
ISO/IEC 27799:2016 9.2.5
ISO/IEC 27799:2016 9.2.6
ISO/IEC 27799:2016 9.3.1
ISO/IEC 27799:2016 9.4.1
ISO/IEC 27799:2016 9.4.2
ISO/IEC 27799:2016 9.4.3
ISO/IEC 27799:2016 9.4.4
ISO/IEC 27799:2016 9.4.5
ISO/IEC 27799:2016 10.1.1
ISO/IEC 27799:2016 10.1.2
ISO/IEC 27799:2016 11.1.1
ISO/IEC 27799:2016 11.1.2
ISO/IEC 27799:2016 11.1.3
ISO/IEC 27799:2016 11.1.4
ISO/IEC 27799:2016 11.1.5
ISO/IEC 27799:2016 11.1.6
ISO/IEC 27799:2016 11.2.1
ISO/IEC 27799:2016 11.2.2
ISO/IEC 27799:2016 11.2.3
ISO/IEC 27799:2016 11.2.4
ISO/IEC 27799:2016 11.2.5
ISO/IEC 27799:2016 11.2.6
ISO/IEC 27799:2016 11.2.7
ISO/IEC 27799:2016 11.2.8
ISO/IEC 27799:2016 11.2.9
ISO/IEC 27799:2016 12.1.1
ISO/IEC 27799:2016 12.1.2
ISO/IEC 27799:2016 12.1.3
ISO/IEC 27799:2016 12.1.4
© 2019 HITRUST. All rights reserved.
01.i Policy on the Use of Network Services
01.a Access Control Policy
01.b User Registration
01.q User Identification and Authentication
01.b User Registration
01.c Privilege Management
01.q User Identification and Authentication
01.d User Password Management
01.r Password Management System
01.e Review of User Access Rights
02.g Termination or Change Responsibilities
02.i Removal of Access Rights
01.d User Password Management
01.f Password Use
01.v Information Access Restriction
01.d User Password Management
01.p Secure Log-on Procedures
01.t Session Time-out
01.u Limitation of Connection Time
01.d User Password Management
01.r Password Management System
01.s Use of System Utilities
10.j Access Control to Program Source Code
10.d Message Integrity
10.f Policy on the Use of Cryptographic Controls
10.g Key Management
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
08.d Protecting Against External and Environmental Threats
08.g Equipment Siting and Protection
08.e Working in Secure Areas
08.f Public Access, Delivery, and Loading Areas
08.g Equipment Siting and Protection
08.h Supporting Utilities
08.h Supporting Utilities
12.c Developing and Implementing Continuity Plans Including Information Security
08.i Cabling Security
08.h Supporting Utilities
08.j Equipment Maintenance
08.m Removal of Property
08.a Physical Security Perimeter
08.k Security of Equipment Off-Premises
08.l Secure Disposal or Re-Use of Equipment
01.g Unattended User Equipment
01.h Clear Desk and Clear Screen Policy
09.a Documented Operations Procedures
03.d Risk Evaluation
09.b Change Management
09.d Separation of Development, Test, and Operational Environments
09.h Capacity Management
09.d Separation of Development, Test, and Operational Environments
ISO/IEC 27799:2016 12.2.1
ISO/IEC 27799:2016 12.3.1
ISO/IEC 27799:2016 12.4.1
ISO/IEC 27799:2016 12.4.2
ISO/IEC 27799:2016 12.4.3
ISO/IEC 27799:2016 12.4.4
ISO/IEC 27799:2016 12.5.1
ISO/IEC 27799:2016 12.6.1
ISO/IEC 27799:2016 12.6.2
ISO/IEC 27799:2016 12.7.1
ISO/IEC 27799:2016 13.1.1
ISO/IEC 27799:2016 13.1.2
ISO/IEC 27799:2016 13.1.3
ISO/IEC 27799:2016 13.2.1
ISO/IEC 27799:2016 13.2.2
ISO/IEC 27799:2016 13.2.3
ISO/IEC 27799:2016 13.2.4
ISO/IEC 27799:2016 14.1.1
ISO/IEC 27799:2016 14.1.2
ISO/IEC 27799:2016 14.1.3
ISO/IEC 27799:2016 14.2.1
ISO/IEC 27799:2016 14.2.2
ISO/IEC 27799:2016 14.2.3
ISO/IEC 27799:2016 14.2.4
ISO/IEC 27799:2016 14.2.5
ISO/IEC 27799:2016 14.2.6
ISO/IEC 27799:2016 14.2.7
ISO/IEC 27799:2016 14.2.8
ISO/IEC 27799:2016 14.2.9
ISO/IEC 27799:2016 14.3.1
© 2019 HITRUST. All rights reserved.
09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
09.l Back-up
09.aa Audit Logging
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
09.ae Fault Logging
09.aa Audit Logging
09.ac Protection of Log Information
09.aa Audit Logging
09.ac Protection of Log Information
09.ad Administrator and Operator Logs
09.af Clock Synchronization
09.k Controls Against Mobile Code
10.h Control of Operational Software
03.b Performing Risk Assessments
03.c Risk Mitigation
10.m Control of Technical Vulnerabilities
09.j Controls Against Malicious Code
03.c Risk Mitigation
06.i Information Systems Audit Controls
06.j Protection of Information Systems Audit Tools
09.m Network Controls
09.f Monitoring and Review of Third Party Services
09.m Network Controls
09.n Security of Network Services
01.m Segregation in Networks
01.o Network Routing Control
09.m Network Controls
09.w Interconnected Business Information Systems
09.s Information Exchange Policies and Procedures
09.t Exchange Agreements
09.v Electronic Messaging
05.e Confidentiality Agreements
10.a Security Requirements Analysis and Specification
05.j Addressing Security When Dealing with Customers
09.x Electronic Commerce Services
09.z Publicly Available Information
09.y On-line Transactions
10.a Security Requirements Analysis and Specification
09.i System Acceptance
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
10.a Security Requirements Analysis and Specification
10.e Output Data Validation
10.a Security Requirements Analysis and Specification
10.k Change Control Procedures
10.k Change Control Procedures
10.l Outsourced Software Development
10.a Security Requirements Analysis and Specification
09.i System Acceptance
10.i Protection of System Test Data
ISO/IEC 27799:2016 15.1.1
ISO/IEC 27799:2016 15.1.2
ISO/IEC 27799:2016 15.1.3
ISO/IEC 27799:2016 15.2
ISO/IEC 27799:2016 15.2.1
ISO/IEC 27799:2016 15.2.2
ISO/IEC 27799:2016 16.1.1
ISO/IEC 27799:2016 16.1.2
ISO/IEC 27799:2016 16.1.3
ISO/IEC 27799:2016 16.1.4
ISO/IEC 27799:2016 16.1.5
ISO/IEC 27799:2016 16.1.6
ISO/IEC 27799:2016 16.1.7
ISO/IEC 27799:2016 16.11.6
ISO/IEC 27799:2016 17.1.1
ISO/IEC 27799:2016 17.1.2
ISO/IEC 27799:2016 17.1.3
ISO/IEC 27799:2016 17.2.1
ISO/IEC 27799:2016 18.1.1
ISO/IEC 27799:2016 18.1.2
ISO/IEC 27799:2016 18.1.3
ISO/IEC 27799:2016 18.1.4
ISO/IEC 27799:2016 18.1.5
ISO/IEC 27799:2016 18.2.1
ISO/IEC 27799:2016 18.2.2
ISO/IEC 27799:2016 18.2.3
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
09.l Back-up
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.g Managing Changes to Third Party Services
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.e Collection of Evidence
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
07.e Information Labeling and Handling
11.e Collection of Evidence
11.d Learning from Information Security Incidents
03.b Performing Risk Assessments
03.c Risk Mitigation
12.b Business Continuity and Risk Assessment
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
10.a Security Requirements Analysis and Specification
06.a Identification of Applicable Legislation
06.f Regulation of Cryptographic Controls
06.b Intellectual Property Rights
06.f Regulation of Cryptographic Controls
06.c Protection of Organizational Records
06.d Data Protection and Privacy of Covered Information
06.d Data Protection and Privacy of Covered Information
06.f Regulation of Cryptographic Controls
05.a Management Commitment to Information Security
05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
 Authoritative Source
ISO/IEC 29100:2011 5.3
ISO/IEC 29100:2011 5.4
ISO/IEC 29100:2011 5.5
ISO/IEC 29100:2011 5.6
ISO/IEC 29100:2011 5.7
ISO/IEC 29100:2011 5.8
ISO/IEC 29100:2011 5.9
ISO/IEC 29100:2011 5.10
ISO/IEC 29100:2011 5.12
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
13.g Purpose Legitimacy
13.h Purpose Specification
13.i Collection Limitation
13.j Data Minimization
13.k Use and Disclosure
13.k Use and Disclosure
13.l Retention and Disposal
13.m Accuracy and Quality
13.a Privacy Notice
13.b Openness and Transparency
13.f Principle Access
13.o Compliant Management
13.p Governance
13.r Privacy Requirements for Contractors and Processors
13.t Privacy Protection Awareness and Training
13.s Privacy Monitoring and Auditing
 Authoritative Source
ISO/IEC 29151:2017 A.3.1(a)
ISO/IEC 29151:2017 A.3.1(b)
ISO/IEC 29151:2017 A.3.1(c)
ISO/IEC 29151:2017 A.3.1(d)
ISO/IEC 29151:2017 A.3.1(e)
ISO/IEC 29151:2017 A.3.1(g)
ISO/IEC 29151:2017 A.3.1(h)
ISO/IEC 29151:2017 A.3.1(j)
ISO/IEC 29151:2017 A.3.2
ISO/IEC 29151:2017 A.3.2(b)
ISO/IEC 29151:2017 A.3.2(d)
ISO/IEC 29151:2017 A.3.2(g)
ISO/IEC 29151:2017 A.3.2(j)
ISO/IEC 29151:2017 A.4.1
ISO/IEC 29151:2017 A.4.1(a)
ISO/IEC 29151:2017 A.4.1(b)
ISO/IEC 29151:2017 A.4.1(c)
ISO/IEC 29151:2017 A.4.1(d)
ISO/IEC 29151:2017 A.4.2
ISO/IEC 29151:2017 A.4.2(a)
ISO/IEC 29151:2017 A.4.2(b)
ISO/IEC 29151:2017 A.4.2(d)
ISO/IEC 29151:2017 A.5
ISO/IEC 29151:2017 A.5(a)
ISO/IEC 29151:2017 A.5(b)
ISO/IEC 29151:2017 A.5(c)
ISO/IEC 29151:2017 A.5(e)
ISO/IEC 29151:2017 A.5(f)
ISO/IEC 29151:2017 A.5(g)
ISO/IEC 29151:2017 A.6(a)
ISO/IEC 29151:2017 A.6(b)
ISO/IEC 29151:2017 A.6(c)
ISO/IEC 29151:2017 A.6(d)
ISO/IEC 29151:2017 A.6(e)
ISO/IEC 29151:2017 A.6(f)
ISO/IEC 29151:2017 A.6(g)
ISO/IEC 29151:2017 A.7.1(a)
ISO/IEC 29151:2017 A.7.1(c)
ISO/IEC 29151:2017 A.7.1(d)
ISO/IEC 29151:2017 A.7.1(e)
ISO/IEC 29151:2017 A.7.1(i)
ISO/IEC 29151:2017 A.7.3(a)
ISO/IEC 29151:2017 A.7.3(b)
ISO/IEC 29151:2017 A.7.4
ISO/IEC 29151:2017 A.7.5
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
13.d Consent
13.d Consent
13.d Consent
13.d Consent
13.d Consent
13.d Consent
13.d Consent
13.d Consent
13.e Choice
13.e Choice
13.e Choice
13.e Choice
13.e Choice
13.g Purpose Legitimacy
13.g Purpose Legitimacy
13.g Purpose Legitimacy
13.g Purpose Legitimacy
13.g Purpose Legitimacy
13.h Purpose Specification
13.h Purpose Specification
13.h Purpose Specification
13.h Purpose Specification
13.i Collection Limitation
13.i Collection Limitation
13.i Collection Limitation
13.i Collection Limitation
13.i Collection Limitation
13.h Purpose Specification
13.i Collection Limitation
13.i Collection Limitation
13.k Use and Disclosure
13.j Data Minimization
13.j Data Minimization
13.i Collection Limitation
13.k Use and Disclosure
13.j Data Minimization
13.j Data Minimization
13.k Use and Disclosure
13.l Retention and Disposal
13.k Use and Disclosure
13.l Retention and Disposal
13.l Retention and Disposal
13.l Retention and Disposal
13.c Accounting of Disclosures
13.c Accounting of Disclosures
13.c Accounting of Disclosures
13.c Accounting of Disclosures
 ISO/IEC 29151:2017 A.7.5
ISO/IEC 29151:2017 A.8
ISO/IEC 29151:2017 A.8(a)
ISO/IEC 29151:2017 A.8(c)
ISO/IEC 29151:2017 A.8(f)
ISO/IEC 29151:2017 A.9.1(a)
ISO/IEC 29151:2017 A.9.1(a)(1)
ISO/IEC 29151:2017 A.9.1(a)(2)
ISO/IEC 29151:2017 A.9.1(a)(3)
ISO/IEC 29151:2017 A.9.1(a)(4)
ISO/IEC 29151:2017 A.9.1(c)
ISO/IEC 29151:2017 A.9.1(e)
ISO/IEC 29151:2017 A.9.1(f)
ISO/IEC 29151:2017 A.9.2
ISO/IEC 29151:2017 A.9.2(a)
ISO/IEC 29151:2017 A.9.2(b)
ISO/IEC 29151:2017 A.9.2(c)
ISO/IEC 29151:2017 A.9.2(e)
ISO/IEC 29151:2017 A.9.2(f)
ISO/IEC 29151:2017 A.9.2(g)
ISO/IEC 29151:2017 A.9.2(h)
ISO/IEC 29151:2017 A.9.2(i)
ISO/IEC 29151:2017 A.10.1(a)
ISO/IEC 29151:2017 A.10.1(c)
ISO/IEC 29151:2017 A.10.1(d)
ISO/IEC 29151:2017 A.10.1(e)
ISO/IEC 29151:2017 A.10.1(g)
ISO/IEC 29151:2017 A.10.1(h)
ISO/IEC 29151:2017 A.10.1(j)
ISO/IEC 29151:2017 A.10.1(k)
ISO/IEC 29151:2017 A.10.1(l)
ISO/IEC 29151:2017 A.10.1(m)
ISO/IEC 29151:2017 A.10.1(n)
ISO/IEC 29151:2017 A.10.1(o)
ISO/IEC 29151:2017 A.10.2
ISO/IEC 29151:2017 A.10.3
ISO/IEC 29151:2017 A.11.1(e)
ISO/IEC 29151:2017 A.11.1(h)
ISO/IEC 29151:2017 A.11.3(a)
ISO/IEC 29151:2017 A.11.3(b)
ISO/IEC 29151:2017 A.11.3(c)
ISO/IEC 29151:2017 A.11.3(e)
ISO/IEC 29151:2017 A.11.3(f)
ISO/IEC 29151:2017 A.11.3(g)
ISO/IEC 29151:2017 A.11.3(h)
ISO/IEC 29151:2017 A.11.3(j)
ISO/IEC 29151:2017 A.11.4(a)
ISO/IEC 29151:2017 A.11.4(c)
© 2019 HITRUST. All rights reserved.
13.r Privacy Requirements for Contractors and Processors
13.m Accuracy and Quality
13.m Accuracy and Quality
13.m Accuracy and Quality
13.m Accuracy and Quality
13.b Openness and Transparency
13.b Openness and Transparency
13.b Openness and Transparency
13.b Openness and Transparency
13.b Openness and Transparency
13.a Privacy Notice
13.a Privacy Notice
13.a Privacy Notice
13.b Openness and Transparency
13.b Openness and Transparency
13.b Openness and Transparency
13.b Openness and Transparency
13.b Openness and Transparency
13.b Openness and Transparency
13.b Openness and Transparency
13.b Openness and Transparency
13.b Openness and Transparency
13.f Principle Access
13.f Principle Access
13.f Principle Access
13.f Principle Access
13.f Principle Access
13.f Principle Access
13.f Principle Access
13.f Principle Access
13.f Principle Access
13.f Principle Access
13.b Openness and Transparency
13.f Principle Access
13.n Participation and Redress
13.o Compliant Management
13.p Governance
13.p Governance
13.r Privacy Requirements for Contractors and Processors
13.r Privacy Requirements for Contractors and Processors
13.r Privacy Requirements for Contractors and Processors
13.r Privacy Requirements for Contractors and Processors
13.r Privacy Requirements for Contractors and Processors
13.r Privacy Requirements for Contractors and Processors
13.r Privacy Requirements for Contractors and Processors
13.r Privacy Requirements for Contractors and Processors
13.s Privacy Monitoring and Auditing
13.s Privacy Monitoring and Auditing
 ISO/IEC 29151:2017 A.11.4(d)
ISO/IEC 29151:2017 A.11.5(a)
ISO/IEC 29151:2017 A.11.5(b)
ISO/IEC 29151:2017 A.11.5(c)
ISO/IEC 29151:2017 A.11.5(d)
ISO/IEC 29151:2017 A.11.6
13.s Privacy Monitoring and Auditing
13.t Privacy Protection Awareness and Training
13.t Privacy Protection Awareness and Training
13.t Privacy Protection Awareness and Training
13.t Privacy Protection Awareness and Training
13.u Privacy Protection Reporting

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

Authoritative Source HITRUST Control Reference
MARS-E v2 AC-1 01.a Access Control Policy
01.i Policy on the Use of Network Services
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
MARS-E v2 AC-2 01.a Access Control Policy
01.b User Registration
01.c Privilege Management
01.e Review of User Access Rights
01.j User Authentication for External Connections
02.i Removal of Access Rights
MARS-E v2 AC-2(1) 01.b User Registration
MARS-E v2 AC-2(2) 01.b User Registration
MARS-E v2 AC-2(3) 01.b User Registration
MARS-E v2 AC-2(7) 01.c Privilege Management
01.e Review of User Access Rights
MARS-E v2 AC-3 01.s Use of System Utilities
01.v Information Access Restriction
MARS-E v2 AC-3(9) 01.c Privilege Management
MARS-E v2 AC-4 01.o Network Routing Control
MARS-E v2 AC-5 09.c Segregation of Duties
MARS-E v2 AC-6 01.c Privilege Management
01.s Use of System Utilities
01.v Information Access Restriction
01.y Teleworking
05.i Identification of Risks Related to External Parties
10.j Access Control to Program Source Code
MARS-E v2 AC-6(1) 01.c Privilege Management
06.j Protection of Information Systems Audit Tools
MARS-E v2 AC-6(2) 01.c Privilege Management
01.q User Identification and Authentication
MARS-E v2 AC-6(5) 01.c Privilege Management
MARS-E v2 AC-6(9) 01.c Privilege Management
09.aa Audit Logging
MARS-E v2 AC-6(10) 01.c Privilege Management
MARS-E v2 AC-7 01.p Secure Log-on Procedures
MARS-E v2 AC-8 05.j Addressing Security When Dealing with Customers
06.e Prevention of Misuse of Information Assets
07.e Information Labeling and Handling
MARS-E v2 AC-9 01.p Secure Log-on Procedures
MARS-E v2 AC-10 01.c Privilege Management
01.p Secure Log-on Procedures
MARS-E v2 AC-11 01.g Unattended User Equipment
01.h Clear Desk and Clear Screen Policy
01.t Session Time-out
MARS-E v2 AC-11(1) 01.t Session Time-out
MARS-E v2 AC-12 01.t Session Time-out
MARS-E v2 AC-14 01.v Information Access Restriction
© 2019 HITRUST. All rights reserved.
MARS-E v2 AC-17 01.j User Authentication for External Connections
01.n Network Connection Control
01.y Teleworking
09.s Information Exchange Policies and Procedures
09.ab Monitoring System Use
MARS-E v2 AC-17(1) 01.j User Authentication for External Connections
MARS-E v2 AC-17(2) 01.j User Authentication for External Connections
01.y Teleworking
05.i Identification of Risks Related to External Parties
09.s Information Exchange Policies and Procedures
MARS-E v2 AC-17(3) 01.j User Authentication for External Connections
01.n Network Connection Control
MARS-E v2 AC-18 01.j User Authentication for External Connections
08.g Equipment Siting and Protection
09.m Network Controls
MARS-E v2 AC-18(1) 01.j User Authentication for External Connections
09.m Network Controls
MARS-E v2 AC-19 01.x Mobile Computing and Communications
MARS-E v2 AC-19(5) 01.x Mobile Computing and Communications
MARS-E v2 AC-20 01.i Policy on the Use of Network Services
01.y Teleworking
07.c Acceptable Use of Assets
08.k Security of Equipment Off-Premises
09.s Information Exchange Policies and Procedures
MARS-E v2 AC-20(1) 09.s Information Exchange Policies and Procedures
MARS-E v2 AC-20(2) 09.s Information Exchange Policies and Procedures
MARS-E v2 AP-1 13.k Use and Disclosure
MARS-E v2 AP-3 13.k Use and Disclosure
MARS-E v2 AR-1 04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
06.d Data Protection and Privacy of Covered Information
MARS-E v2 AR-2 03.a Risk Management Program Development
04.b Review of the Information Security Policy
06.d Data Protection and Privacy of Covered Information
MARS-E v2 AR-3 13.r Privacy Requirements for Contractors and Processors
MARS-E v2 AR-4 05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
09.s Information Exchange Policies and Procedures
09.aa Audit Logging
09.ab Monitoring System Use
MARS-E v2 AR-5 02.e Information Security Awareness, Education, and Training
09.m Network Controls
MARS-E v2 AR-7 10.a Security Requirements Analysis and Specification
MARS-E v2 AR-8 13.c Accounting of Disclosures
MARS-E v2 AT-1 02.e Information Security Awareness, Education, and Training
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
MARS-E v2 AT-2 01.p Secure Log-on Procedures
© 2019 HITRUST. All rights reserved.
MARS-E v2 AT-2
01.y Teleworking
02.e Information Security Awareness, Education, and Training
MARS-E v2 AT-2(2) 02.e Information Security Awareness, Education, and Training
MARS-E v2 AT-3 02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
05.c Allocation of Information Security Responsibilities
08.d Protecting Against External and Environmental Threats
MARS-E v2 AT-4 02.e Information Security Awareness, Education, and Training
MARS-E v2 AU-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
06.i Information Systems Audit Controls
06.j Protection of Information Systems Audit Tools
09.a Documented Operations Procedures
MARS-E v2 AU-2 01.p Secure Log-on Procedures
09.aa Audit Logging
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
09.ae Fault Logging
MARS-E v2 AU-3 09.aa Audit Logging
09.ab Monitoring System Use
MARS-E v2 AU-3(1) 09.ab Monitoring System Use
MARS-E v2 AU-4 09.h Capacity Management
MARS-E v2 AU-5 09.h Capacity Management
09.aa Audit Logging
MARS-E v2 AU-5(1) 01.q User Identification and Authentication
09.ac Protection of Log Information
MARS-E v2 AU-6 09.ab Monitoring System Use
09.ad Administrator and Operator Logs
MARS-E v2 AU-6(1) 09.ab Monitoring System Use
MARS-E v2 AU-6(3) 09.ab Monitoring System Use
MARS-E v2 AU-7 09.ab Monitoring System Use
MARS-E v2 AU-7(1) 09.ab Monitoring System Use
MARS-E v2 AU-8 09.aa Audit Logging
09.af Clock Synchronization
MARS-E v2 AU-8(1) 09.af Clock Synchronization
MARS-E v2 AU-9 06.j Protection of Information Systems Audit Tools
09.aa Audit Logging
09.ac Protection of Log Information
MARS-E v2 AU-10 09.x Electronic Commerce Services
09.y On-line Transactions
MARS-E v2 AU-11 06.c Protection of Organizational Records
09.aa Audit Logging
MARS-E v2 AU-12 01.p Secure Log-on Procedures
09.aa Audit Logging
MARS-E v2 AU-12(1) 09.aa Audit Logging
MARS-E v2 AU-16 09.aa Audit Logging
MARS-E v2 CA-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
© 2019 HITRUST. All rights reserved.
MARS-E v2 CA-1

06.g Compliance with Security Policies and Standards

09.a Documented Operations Procedures
MARS-E v2 CA-2 03.b Performing Risk Assessments
05.a Management Commitment to Information Security
05.d Authorization Process for Information Assets and Facilities
05.h Independent Review of Information Security
06.i Information Systems Audit Controls
06.j Protection of Information Systems Audit Tools
10.m Control of Technical Vulnerabilities
MARS-E v2 CA-2(1) 03.b Performing Risk Assessments
05.a Management Commitment to Information Security
05.h Independent Review of Information Security
MARS-E v2 CA-3 05.i Identification of Risks Related to External Parties
05.j Addressing Security When Dealing with Customers
09.m Network Controls
09.n Security of Network Services
MARS-E v2 CA-5 03.c Risk Mitigation
MARS-E v2 CA-5(1) 03.c Risk Mitigation
MARS-E v2 CA-6 05.d Authorization Process for Information Assets and Facilities
MARS-E v2 CA-7 05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
MARS-E v2 CA-7(1) 05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
MARS-E v2 CM-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
10.k Change Control Procedures
MARS-E v2 CM-2 09.d Separation of Development, Test, and Operational Environments
09.w Interconnected Business Information Systems
10.k Change Control Procedures
MARS-E v2 CM-2(1) 10.k Change Control Procedures
MARS-E v2 CM-2(3) 10.h Control of Operational Software
MARS-E v2 CM-3 03.d Risk Evaluation
09.b Change Management
09.i System Acceptance
09.k Controls Against Mobile Code
09.m Network Controls
10.h Control of Operational Software
10.k Change Control Procedures
MARS-E v2 CM-3(2) 10.h Control of Operational Software
10.k Change Control Procedures
MARS-E v2 CM-4 09.b Change Management
10.h Control of Operational Software
10.k Change Control Procedures
MARS-E v2 CM-4(1) 10.k Change Control Procedures
MARS-E v2 CM-4(2) 10.k Change Control Procedures
MARS-E v2 CM-5 09.b Change Management
10.j Access Control to Program Source Code
© 2019 HITRUST. All rights reserved.
MARS-E v2 CM-5

10.k Change Control Procedures

MARS-E v2 CM-6 09.z Publicly Available Information
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
MARS-E v2 CM-6(1) 10.k Change Control Procedures
MARS-E v2 CM-6(3) 10.c Control of Internal Processing
MARS-E v2 CM-7 01.c Privilege Management
01.i Policy on the Use of Network Services
01.l Remote Diagnostic and Configuration Port Protection
09.i System Acceptance
09.m Network Controls
10.j Access Control to Program Source Code
10.m Control of Technical Vulnerabilities
MARS-E v2 CM-7(1) 01.l Remote Diagnostic and Configuration Port Protection
MARS-E v2 CM-8 07.a Inventory of Assets
07.b Ownership of Assets
07.d Classification Guidelines
MARS-E v2 CM-8(1) 07.a Inventory of Assets
MARS-E v2 CM-9 10.k Change Control Procedures
MARS-E v2 CM-10 06.b Intellectual Property Rights
MARS-E v2 CM-11 09.j Controls Against Malicious Code
MARS-E v2 CP-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
MARS-E v2 CP-2 05.f Contact with Authorities
09.l Back-up
09.m Network Controls
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
MARS-E v2 CP-2(2) 12.c Developing and Implementing Continuity Plans Including Information Security
MARS-E v2 CP-3 02.e Information Security Awareness, Education, and Training
MARS-E v2 CP-4 02.e Information Security Awareness, Education, and Training
05.f Contact with Authorities
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
MARS-E v2 CP-4(1) 12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
MARS-E v2 CP-6 09.l Back-up
12.c Developing and Implementing Continuity Plans Including Information Security
MARS-E v2 CP-6(1) 12.c Developing and Implementing Continuity Plans Including Information Security
MARS-E v2 CP-6(3) 09.l Back-up
MARS-E v2 CP-7 12.c Developing and Implementing Continuity Plans Including Information Security
MARS-E v2 CP-7(1) 12.c Developing and Implementing Continuity Plans Including Information Security
MARS-E v2 CP-7(3) 12.c Developing and Implementing Continuity Plans Including Information Security
MARS-E v2 CP-7(5) 12.c Developing and Implementing Continuity Plans Including Information Security
MARS-E v2 CP-8 08.h Supporting Utilities
12.c Developing and Implementing Continuity Plans Including Information Security
MARS-E v2 CP-8(1) 12.c Developing and Implementing Continuity Plans Including Information Security
© 2019 HITRUST. All rights reserved.
MARS-E v2 CP-8(2) 12.c Developing and Implementing Continuity Plans Including Information Security
MARS-E v2 CP-9 09.l Back-up
MARS-E v2 CP-9(1) 09.l Back-up
MARS-E v2 CP-10(3) 12.c Developing and Implementing Continuity Plans Including Information Security
MARS-E v2 DI-1 13.f Principle Access
MARS-E v2 DI-1(1) 13.m Accuracy and Quality
MARS-E v2 DI-1(2) 13.m Accuracy and Quality
MARS-E v2 DI-2 10.c Control of Internal Processing
13.m Accuracy and Quality
MARS-E v2 DI-2(1) 13.m Accuracy and Quality
MARS-E v2 DM-1 01.v Information Access Restriction
13.j Data Minimization
MARS-E v2 DM-2 06.c Protection of Organizational Records
08.l Secure Disposal or Re-Use of Equipment
09.j Controls Against Malicious Code
09.p Disposal of Media
MARS-E v2 DM-2(1) 06.c Protection of Organizational Records
MARS-E v2 DM-3 13.d Consent
13.k Use and Disclosure
MARS-E v2 DM-3(1) 13.j Data Minimization
MARS-E v2 IA-1 01.b User Registration
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
MARS-E v2 IA-2 01.j User Authentication for External Connections
01.q User Identification and Authentication
01.y Teleworking
MARS-E v2 IA-2(1) 01.q User Identification and Authentication
MARS-E v2 IA-2(2) 01.q User Identification and Authentication
MARS-E v2 IA-2(3) 01.q User Identification and Authentication
MARS-E v2 IA-2(8) 01.q User Identification and Authentication
MARS-E v2 IA-2(11) 01.q User Identification and Authentication
MARS-E v2 IA-3 01.k Equipment Identification in Networks
09.m Network Controls
MARS-E v2 IA-4 01.b User Registration
01.q User Identification and Authentication
MARS-E v2 IA-5 01.b User Registration
01.d User Password Management
01.f Password Use
01.k Equipment Identification in Networks
01.q User Identification and Authentication
01.r Password Management System
MARS-E v2 IA-5(1) 01.d User Password Management
01.r Password Management System
MARS-E v2 IA-5(2) 01.q User Identification and Authentication
MARS-E v2 IA-5(3) 01.b User Registration
01.q User Identification and Authentication
MARS-E v2 IA-5(7) 01.d User Password Management
MARS-E v2 IA-5(11) 01.j User Authentication for External Connections
© 2019 HITRUST. All rights reserved.
MARS-E v2 IA-6 01.p Secure Log-on Procedures
MARS-E v2 IA-7 06.f Regulation of Cryptographic Controls
MARS-E v2 IA-8 01.j User Authentication for External Connections
01.q User Identification and Authentication
MARS-E v2 IA-13(1) 06.f Regulation of Cryptographic Controls
MARS-E v2 ICM-2 01.j User Authentication for External Connections
MARS-E v2 IP-1 13.d Consent
13.e Choice
13.k Use and Disclosure
MARS-E v2 IP-1(1) 13.d Consent
MARS-E v2 IP-2 13.f Principle Access
MARS-E v2 IP-3 13.f Principle Access
13.n Participation and Redress
MARS-E v2 IP-4 13.o Compliant Management
MARS-E v2 IP-4(1) 13.o Compliant Management
MARS-E v2 IR-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
MARS-E v2 IR-2 02.e Information Security Awareness, Education, and Training
05.c Allocation of Information Security Responsibilities
11.a Reporting Information Security Events
MARS-E v2 IR-3 11.c Responsibilities and Procedures
MARS-E v2 IR-3(2) 11.c Responsibilities and Procedures
MARS-E v2 IR-4 11.d Learning from Information Security Incidents
11.e Collection of Evidence
MARS-E v2 IR-4(1) 11.a Reporting Information Security Events
11.d Learning from Information Security Incidents
MARS-E v2 IR-5 02.f Disciplinary Process
MARS-E v2 IR-6 11.a Reporting Information Security Events
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures
MARS-E v2 IR-6(1) 11.a Reporting Information Security Events
MARS-E v2 IR-7 11.c Responsibilities and Procedures
MARS-E v2 IR-8 11.c Responsibilities and Procedures
MARS-E v2 IR-9 08.j Equipment Maintenance
11.c Responsibilities and Procedures
MARS-E v2 ISC-13 06.f Regulation of Cryptographic Controls
MARS-E v2 MA-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
08.j Equipment Maintenance
09.a Documented Operations Procedures
MARS-E v2 MA-2 08.a Physical Security Perimeter
08.b Physical Entry Controls
08.j Equipment Maintenance
MARS-E v2 MA-2(1) 08.j Equipment Maintenance
MARS-E v2 MA-3 08.j Equipment Maintenance
© 2019 HITRUST. All rights reserved.
MARS-E v2 MA-3(1) 08.j Equipment Maintenance
MARS-E v2 MA-3(2) 08.j Equipment Maintenance
MARS-E v2 MA-4 01.j User Authentication for External Connections
01.l Remote Diagnostic and Configuration Port Protection
05.i Identification of Risks Related to External Parties
08.j Equipment Maintenance
MARS-E v2 MA-4(1) 08.j Equipment Maintenance
MARS-E v2 MA-4(2) 01.l Remote Diagnostic and Configuration Port Protection
08.j Equipment Maintenance
MARS-E v2 MA-4(3) 01.l Remote Diagnostic and Configuration Port Protection
MARS-E v2 MA-5 08.j Equipment Maintenance
MARS-E v2 MA-6 08.j Equipment Maintenance
MARS-E v2 MP-1 07.a Inventory of Assets
09.a Documented Operations Procedures
09.o Management of Removable Media
09.t Exchange Agreements
MARS-E v2 MP-2 09.q Information Handling Procedures
MARS-E v2 MP-2(1) 09.q Information Handling Procedures
MARS-E v2 MP-3 01.h Clear Desk and Clear Screen Policy
07.e Information Labeling and Handling
09.q Information Handling Procedures
MARS-E v2 MP-4 09.l Back-up
09.o Management of Removable Media
MARS-E v2 MP-5 08.k Security of Equipment Off-Premises
09.l Back-up
09.o Management of Removable Media
09.q Information Handling Procedures
09.u Physical Media in Transit
MARS-E v2 MP-5(4) 09.o Management of Removable Media
09.q Information Handling Procedures
09.u Physical Media in Transit
MARS-E v2 MP-6 08.l Secure Disposal or Re-Use of Equipment
09.p Disposal of Media
MARS-E v2 MP-6(1) 09.p Disposal of Media
MARS-E v2 MP-6(2) 09.p Disposal of Media
MARS-E v2 MP-CMS-1 09.q Information Handling Procedures
MARS-E v2 PE-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
08.d Protecting Against External and Environmental Threats
08.g Equipment Siting and Protection
09.a Documented Operations Procedures
MARS-E v2 PE-2 08.b Physical Entry Controls
09.j Controls Against Malicious Code
MARS-E v2 PE-2(1) 08.b Physical Entry Controls
MARS-E v2 PE-2(2) 10.m Control of Technical Vulnerabilities
MARS-E v2 PE-3 08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
MARS-E v2 PE-4 08.i Cabling Security
© 2019 HITRUST. All rights reserved.
MARS-E v2 PE-5 01.g Unattended User Equipment
MARS-E v2 PE-6 08.b Physical Entry Controls
09.ab Monitoring System Use
MARS-E v2 PE-6(1) 08.b Physical Entry Controls
MARS-E v2 PE-7 08.b Physical Entry Controls
MARS-E v2 PE-7(1) 08.b Physical Entry Controls
MARS-E v2 PE-8 08.b Physical Entry Controls
MARS-E v2 PE-9 08.h Supporting Utilities
08.i Cabling Security
MARS-E v2 PE-10 08.h Supporting Utilities
MARS-E v2 PE-11 08.h Supporting Utilities
MARS-E v2 PE-12 08.h Supporting Utilities
MARS-E v2 PE-13 08.d Protecting Against External and Environmental Threats
MARS-E v2 PE-13(1) 08.d Protecting Against External and Environmental Threats
09.aa Audit Logging
MARS-E v2 PE-13(2) 08.d Protecting Against External and Environmental Threats
MARS-E v2 PE-13(3) 08.d Protecting Against External and Environmental Threats
MARS-E v2 PE-14 08.g Equipment Siting and Protection
08.h Supporting Utilities
MARS-E v2 PE-15 08.d Protecting Against External and Environmental Threats
MARS-E v2 PE-16 08.f Public Access, Delivery, and Loading Areas
08.m Removal of Property
09.u Physical Media in Transit
MARS-E v2 PE-17 01.y Teleworking
08.k Security of Equipment Off-Premises
MARS-E v2 PE-18 08.g Equipment Siting and Protection
MARS-E v2 PL-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
MARS-E v2 PL-2 05.b Information Security Coordination
06.i Information Systems Audit Controls
MARS-E v2 PL-2(3) 05.b Information Security Coordination
MARS-E v2 PL-4 02.c Terms and Conditions of Employment
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
05.j Addressing Security When Dealing with Customers
06.e Prevention of Misuse of Information Assets
07.c Acceptable Use of Assets
11.b Reporting Security Weaknesses
MARS-E v2 PL-4(1) 07.c Acceptable Use of Assets
MARS-E v2 PM-1 00.a Information Security Management Program
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
05.b Information Security Coordination
09.a Documented Operations Procedures
09.m Network Controls
MARS-E v2 PM-2 00.a Information Security Management Program
02.d Management Responsibilities
© 2019 HITRUST. All rights reserved.
MARS-E v2 PM-2

05.a Management Commitment to Information Security

05.c Allocation of Information Security Responsibilities
MARS-E v2 PM-3 00.a Information Security Management Program
05.a Management Commitment to Information Security
05.b Information Security Coordination
MARS-E v2 PM-4 00.a Information Security Management Program
03.a Risk Management Program Development
03.c Risk Mitigation
MARS-E v2 PM-5 07.a Inventory of Assets
MARS-E v2 PM-6 00.a Information Security Management Program
02.e Information Security Awareness, Education, and Training
MARS-E v2 PM-7 10.a Security Requirements Analysis and Specification
MARS-E v2 PM-8 12.b Business Continuity and Risk Assessment
MARS-E v2 PM-9 00.a Information Security Management Program
03.a Risk Management Program Development
05.a Management Commitment to Information Security
12.a Including Information Security in the Business Continuity Management Process
MARS-E v2 PM-10 05.c Allocation of Information Security Responsibilities
05.d Authorization Process for Information Assets and Facilities
MARS-E v2 PM-11 03.a Risk Management Program Development
MARS-E v2 PM-12 11.a Reporting Information Security Events
MARS-E v2 PM-13 00.a Information Security Management Program
02.d Management Responsibilities
05.a Management Commitment to Information Security
MARS-E v2 PM-14 02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
MARS-E v2 PM-15 02.d Management Responsibilities
05.g Contact with Special Interest Groups
06.a Identification of Applicable Legislation
MARS-E v2 PS-1 02.a Roles and Responsibilities
02.b Screening
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
MARS-E v2 PS-2 02.a Roles and Responsibilities
02.b Screening
MARS-E v2 PS-3 02.b Screening
MARS-E v2 PS-4 02.g Termination or Change Responsibilities
02.h Return of Assets
02.i Removal of Access Rights
MARS-E v2 PS-5 01.e Review of User Access Rights
02.g Termination or Change Responsibilities
02.i Removal of Access Rights
MARS-E v2 PS-6 02.c Terms and Conditions of Employment
MARS-E v2 PS-7 02.d Management Responsibilities
05.k Addressing Security in Third Party Agreements
MARS-E v2 PS-8 02.f Disciplinary Process
06.e Prevention of Misuse of Information Assets
MARS-E v2 RA-1 03.a Risk Management Program Development
© 2019 HITRUST. All rights reserved.
MARS-E v2 RA-1
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
MARS-E v2 RA-2 01.w Sensitive System Isolation
06.c Protection of Organizational Records
07.d Classification Guidelines
MARS-E v2 RA-3 03.a Risk Management Program Development
03.b Performing Risk Assessments
03.d Risk Evaluation
05.d Authorization Process for Information Assets and Facilities
MARS-E v2 RA-5 06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
10.m Control of Technical Vulnerabilities
MARS-E v2 RA-5(1) 10.m Control of Technical Vulnerabilities
MARS-E v2 SA-1 09.a Documented Operations Procedures
MARS-E v2 SA-2 05.b Information Security Coordination
MARS-E v2 SA-3 05.c Allocation of Information Security Responsibilities
10.a Security Requirements Analysis and Specification
MARS-E v2 SA-4 09.i System Acceptance
10.a Security Requirements Analysis and Specification
MARS-E v2 SA-4(1) 10.a Security Requirements Analysis and Specification
MARS-E v2 SA-4(2) 10.a Security Requirements Analysis and Specification
MARS-E v2 SA-4(9) 10.a Security Requirements Analysis and Specification
MARS-E v2 SA-5 09.r Security of System Documentation
MARS-E v2 SA-8 10.a Security Requirements Analysis and Specification
MARS-E v2 SA-9 05.e Confidentiality Agreements
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.n Security of Network Services
MARS-E v2 SA-9(1) 10.a Security Requirements Analysis and Specification
MARS-E v2 SA-9(2) 10.a Security Requirements Analysis and Specification
MARS-E v2 SA-9(5) 09.e Service Delivery
MARS-E v2 SA-10 10.k Change Control Procedures
MARS-E v2 SA-11 09.d Separation of Development, Test, and Operational Environments
09.i System Acceptance
10.l Outsourced Software Development
MARS-E v2 SA-11(1) 10.m Control of Technical Vulnerabilities
MARS-E v2 SA-22 10.h Control of Operational Software
MARS-E v2 SC-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
09.s Information Exchange Policies and Procedures
MARS-E v2 SC-2 09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
MARS-E v2 SC-4 01.w Sensitive System Isolation
MARS-E v2 SC-5 09.h Capacity Management
09.z Publicly Available Information
© 2019 HITRUST. All rights reserved.
MARS-E v2 SC-5

10.a Security Requirements Analysis and Specification

MARS-E v2 SC-7 01.m Segregation in Networks
01.n Network Connection Control
01.o Network Routing Control
09.m Network Controls
MARS-E v2 SC-7(3) 01.n Network Connection Control
MARS-E v2 SC-7(4) 01.n Network Connection Control
MARS-E v2 SC-7(5) 01.n Network Connection Control
09.m Network Controls
MARS-E v2 SC-7(7) 01.n Network Connection Control
MARS-E v2 SC-7(8) 01.n Network Connection Control
MARS-E v2 SC-7(12) 01.x Mobile Computing and Communications
09.ab Monitoring System Use
10.h Control of Operational Software
MARS-E v2 SC-7(13) 01.m Segregation in Networks
MARS-E v2 SC-7(18) 09.m Network Controls
MARS-E v2 SC-8 01.n Network Connection Control
09.m Network Controls
09.v Electronic Messaging
09.x Electronic Commerce Services
10.d Message Integrity
MARS-E v2 SC-8(1) 05.i Identification of Risks Related to External Parties
09.m Network Controls
09.v Electronic Messaging
09.x Electronic Commerce Services
MARS-E v2 SC-8(2) 09.v Electronic Messaging
MARS-E v2 SC-9 09.m Network Controls
MARS-E v2 SC-9(1) 09.m Network Controls
MARS-E v2 SC-10 01.t Session Time-out
MARS-E v2 SC-12 06.d Data Protection and Privacy of Covered Information
10.g Key Management
MARS-E v2 SC-12(2) 10.g Key Management
MARS-E v2 SC-13 10.f Policy on the Use of Cryptographic Controls
MARS-E v2 SC-15 01.v Information Access Restriction
09.s Information Exchange Policies and Procedures
MARS-E v2 SC-15(1) 09.s Information Exchange Policies and Procedures
MARS-E v2 SC-17 10.g Key Management
MARS-E v2 SC-18 09.k Controls Against Mobile Code
MARS-E v2 SC-19 09.m Network Controls
MARS-E v2 SC-20 09.m Network Controls
MARS-E v2 SC-22 09.m Network Controls
MARS-E v2 SC-23 10.d Message Integrity
MARS-E v2 SC-28 06.d Data Protection and Privacy of Covered Information
09.l Back-up
09.u Physical Media in Transit
MARS-E v2 SC-32 01.m Segregation in Networks
MARS-E v2 SC-ACA-1 09.v Electronic Messaging
MARS-E v2 SC-ACA-2 09.v Electronic Messaging
MARS-E v2 SE-1 07.a Inventory of Assets
MARS-E v2 SE-2 11.a Reporting Information Security Events
© 2019 HITRUST. All rights reserved.
MARS-E v2 SE-2
11.c Responsibilities and Procedures
MARS-E v2 SI-1 04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
10.a Security Requirements Analysis and Specification
10.b Input Data Validation
MARS-E v2 SI-2 10.c Control of Internal Processing
10.m Control of Technical Vulnerabilities
11.b Reporting Security Weaknesses
MARS-E v2 SI-2(1) 10.m Control of Technical Vulnerabilities
MARS-E v2 SI-2(2) 10.m Control of Technical Vulnerabilities
MARS-E v2 SI-3 09.ab Monitoring System Use
09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
MARS-E v2 SI-3(1) 09.j Controls Against Malicious Code
MARS-E v2 SI-3(2) 09.j Controls Against Malicious Code
MARS-E v2 SI-4 09.m Network Controls
09.ab Monitoring System Use
MARS-E v2 SI-4(1) 09.ab Monitoring System Use
MARS-E v2 SI-4(2) 09.ab Monitoring System Use
MARS-E v2 SI-4(4) 09.ab Monitoring System Use
MARS-E v2 SI-4(5) 09.ab Monitoring System Use
MARS-E v2 SI-4(14) 09.m Network Controls
MARS-E v2 SI-5 05.g Contact with Special Interest Groups
MARS-E v2 SI-7(1) 10.c Control of Internal Processing
MARS-E v2 SI-7(7) 09.j Controls Against Malicious Code
10.c Control of Internal Processing
MARS-E v2 SI-8 09.j Controls Against Malicious Code
MARS-E v2 SI-8(1) 09.j Controls Against Malicious Code
MARS-E v2 SI-9 10.c Control of Internal Processing
MARS-E v2 SI-10 10.b Input Data Validation
10.c Control of Internal Processing
MARS-E v2 SI-11 09.ae Fault Logging
MARS-E v2 SI-12 06.c Protection of Organizational Records
06.d Data Protection and Privacy of Covered Information
09.q Information Handling Procedures
MARS-E v2 SI-16 09.j Controls Against Malicious Code
MARS-E v2 TR-1 13.a Privacy Notice
MARS-E v2 TR-1(1) 13.a Privacy Notice
MARS-E v2 TR-2 13.a Privacy Notice
MARS-E v2 TR-2(1) 13.a Privacy Notice
MARS-E v2 TR-3 05.j Addressing Security When Dealing with Customers
13.a Privacy Notice
MARS-E v2 UL-1 13.k Use and Disclosure
MARS-E v2 UL-2 13.k Use and Disclosure
13.r Privacy Requirements for Contractors and Processors

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

 Authoritative Source
NIST Cybersecurity Framework v1.1 DE.AE-1
NIST Cybersecurity Framework v1.1 DE.AE-2
NIST Cybersecurity Framework v1.1 DE.AE-3
NIST Cybersecurity Framework v1.1 DE.AE-4
NIST Cybersecurity Framework v1.1 DE.AE-5
NIST Cybersecurity Framework v1.1 DE.CM-1
NIST Cybersecurity Framework v1.1 DE.CM-2
NIST Cybersecurity Framework v1.1 DE.CM-3
NIST Cybersecurity Framework v1.1 DE.CM-4
NIST Cybersecurity Framework v1.1 DE.CM-5
NIST Cybersecurity Framework v1.1 DE.CM-6
NIST Cybersecurity Framework v1.1 DE.CM-7
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
01.i Policy on the Use of Network Services
01.l Remote Diagnostic and Configuration Port Protection
01.m Segregation in Networks
01.n Network Connection Control
05.i Identification of Risks Related to External Parties
09.m Network Controls
09.n Security of Network Services
09.w Interconnected Business Information Systems
11.d Learning from Information Security Incidents
09.ab Monitoring System Use
11.d Learning from Information Security Incidents
01.j User Authentication for External Connections
09.ab Monitoring System Use
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
09.e Service Delivery
09.m Network Controls
11.d Learning from Information Security Incidents
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
12.d Business Continuity Planning Framework
01.j User Authentication for External Connections
01.n Network Connection Control
06.e Prevention of Misuse of Information Assets
09.m Network Controls
09.aa Audit Logging
09.ab Monitoring System Use
09.ac Protection of Log Information
10.k Change Control Procedures
11.a Reporting Information Security Events
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
09.ab Monitoring System Use
01.b User Registration
01.c Privilege Management
06.b Intellectual Property Rights
06.e Prevention of Misuse of Information Assets
08.c Securing Offices, Rooms, and Facilities
09.c Segregation of Duties
09.aa Audit Logging
08.j Equipment Maintenance
09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
09.ab Monitoring System Use
10.l Outsourced Software Development
09.k Controls Against Mobile Code
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.n Security of Network Services
09.z Publicly Available Information
10.l Outsourced Software Development
01.x Mobile Computing and Communications
06.g Compliance with Security Policies and Standards
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities

NIST Cybersecurity Framework v1.1 DE.CM-8
NIST Cybersecurity Framework v1.1 DE.DP-1
NIST Cybersecurity Framework v1.1 DE.DP-2
NIST Cybersecurity Framework v1.1 DE.DP-3
NIST Cybersecurity Framework v1.1 DE.DP-4
NIST Cybersecurity Framework v1.1 DE.DP-5
NIST Cybersecurity Framework v1.1 DE.DP-7
NIST Cybersecurity Framework v1.1 ID.AM-1
NIST Cybersecurity Framework v1.1 ID.AM-2
NIST Cybersecurity Framework v1.1 ID.AM-3
NIST Cybersecurity Framework v1.1 ID.AM-4
NIST Cybersecurity Framework v1.1 ID.AM-5
NIST Cybersecurity Framework v1.1 ID.AM-6
© 2019 HITRUST. All rights reserved.
09.n Security of Network Services
09.ab Monitoring System Use
10.k Change Control Procedures
06.h Technical Compliance Checking
09.z Publicly Available Information
10.b Input Data Validation
10.c Control of Internal Processing
10.m Control of Technical Vulnerabilities
02.a Roles and Responsibilities
06.g Compliance with Security Policies and Standards
06.i Information Systems Audit Controls
06.j Protection of Information Systems Audit Tools
06.i Information Systems Audit Controls
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
09.ab Monitoring System Use
08.b Physical Entry Controls
09.ab Monitoring System Use
05.b Information Security Coordination
05.f Contact with Authorities
06.g Compliance with Security Policies and Standards
06.i Information Systems Audit Controls
09.ab Monitoring System Use
09.ae Fault Logging
11.a Reporting Information Security Events
09.ab Monitoring System Use
10.m Control of Technical Vulnerabilities
06.g Compliance with Security Policies and Standards
07.a Inventory of Assets
07.d Classification Guidelines
01.l Remote Diagnostic and Configuration Port Protection
07.a Inventory of Assets
07.d Classification Guidelines
01.l Remote Diagnostic and Configuration Port Protection
01.m Segregation in Networks
01.o Network Routing Control
05.i Identification of Risks Related to External Parties
09.m Network Controls
09.n Security of Network Services
01.i Policy on the Use of Network Services
09.e Service Delivery
09.n Security of Network Services
01.a Access Control Policy
01.w Sensitive System Isolation
06.c Protection of Organizational Records
07.a Inventory of Assets
07.b Ownership of Assets
07.d Classification Guidelines
12.a Including Information Security in the Business Continuity Management Process
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
00.a Information Security Management Program
01.a Access Control Policy
01.c Privilege Management
02.a Roles and Responsibilities
02.b Screening
02.c Terms and Conditions of Employment
02.d Management Responsibilities

NIST Cybersecurity Framework v1.1 ID.BE-1
NIST Cybersecurity Framework v1.1 ID.BE-2
NIST Cybersecurity Framework v1.1 ID.BE-3
NIST Cybersecurity Framework v1.1 ID.BE-4
NIST Cybersecurity Framework v1.1 ID.BE-5
NIST Cybersecurity Framework v1.1 ID.GV-1
NIST Cybersecurity Framework v1.1 ID.GV-2
NIST Cybersecurity Framework v1.1 ID.GV-3
© 2019 HITRUST. All rights reserved.
02.e Information Security Awareness, Education, and Training
05.e Confidentiality Agreements
05.j Addressing Security When Dealing with Customers
05.k Addressing Security in Third Party Agreements
07.b Ownership of Assets
07.c Acceptable Use of Assets
07.d Classification Guidelines
09.m Network Controls
09.n Security of Network Services
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
11.d Learning from Information Security Incidents
12.a Including Information Security in the Business Continuity Management Process
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
05.d Authorization Process for Information Assets and Facilities
09.g Managing Changes to Third Party Services
09.h Capacity Management
10.l Outsourced Software Development
05.a Management Commitment to Information Security
12.b Business Continuity and Risk Assessment
01.w Sensitive System Isolation
03.a Risk Management Program Development
05.a Management Commitment to Information Security
05.b Information Security Coordination
08.h Supporting Utilities
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
00.a Information Security Management Program
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
05.c Allocation of Information Security Responsibilities
04.a Information Security Policy Document
05.a Management Commitment to Information Security
05.b Information Security Coordination
05.c Allocation of Information Security Responsibilities
05.k Addressing Security in Third Party Agreements
01.a Access Control Policy
02.a Roles and Responsibilities
02.b Screening
02.c Terms and Conditions of Employment
02.e Information Security Awareness, Education, and Training
03.a Risk Management Program Development
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
05.b Information Security Coordination
05.e Confidentiality Agreements
05.g Contact with Special Interest Groups
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
06.a Identification of Applicable Legislation
06.b Intellectual Property Rights

NIST Cybersecurity Framework v1.1 ID.GV-4
NIST Cybersecurity Framework v1.1 ID.RA-1
NIST Cybersecurity Framework v1.1 ID.RA-2
NIST Cybersecurity Framework v1.1 ID.RA-3
NIST Cybersecurity Framework v1.1 ID.RA-4
© 2019 HITRUST. All rights reserved.
06.c Protection of Organizational Records
06.d Data Protection and Privacy of Covered Information
06.e Prevention of Misuse of Information Assets
06.f Regulation of Cryptographic Controls
06.g Compliance with Security Policies and Standards
07.b Ownership of Assets
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
08.h Supporting Utilities
09.n Security of Network Services
09.v Electronic Messaging
09.x Electronic Commerce Services
09.z Publicly Available Information
09.ab Monitoring System Use
10.a Security Requirements Analysis and Specification
10.f Policy on the Use of Cryptographic Controls
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.e Collection of Evidence
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
00.a Information Security Management Program
01.a Access Control Policy
01.q User Identification and Authentication
01.w Sensitive System Isolation
01.x Mobile Computing and Communications
01.y Teleworking
02.e Information Security Awareness, Education, and Training
03.a Risk Management Program Development
03.b Performing Risk Assessments
03.d Risk Evaluation
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
05.d Authorization Process for Information Assets and Facilities
05.g Contact with Special Interest Groups
05.h Independent Review of Information Security
06.a Identification of Applicable Legislation
06.c Protection of Organizational Records
06.i Information Systems Audit Controls
07.b Ownership of Assets
07.d Classification Guidelines
03.b Performing Risk Assessments
03.d Risk Evaluation
06.h Technical Compliance Checking
09.r Security of System Documentation
09.z Publicly Available Information
09.ab Monitoring System Use
10.c Control of Internal Processing
10.m Control of Technical Vulnerabilities
11.b Reporting Security Weaknesses
12.b Business Continuity and Risk Assessment
05.g Contact with Special Interest Groups
10.m Control of Technical Vulnerabilities
03.b Performing Risk Assessments
03.d Risk Evaluation
07.d Classification Guidelines
10.l Outsourced Software Development
12.b Business Continuity and Risk Assessment
03.b Performing Risk Assessments
 NIST Cybersecurity Framework v1.1 ID.RA-4
NIST Cybersecurity Framework v1.1 ID.RA-5
NIST Cybersecurity Framework v1.1 ID.RA-6
NIST Cybersecurity Framework v1.1 ID.RM-1
NIST Cybersecurity Framework v1.1 ID.RM-2
NIST Cybersecurity Framework v1.1 ID.RM-3
NIST Cybersecurity Framework v1.1 ID.SC-1
NIST Cybersecurity Framework v1.1 ID.SC-2
NIST Cybersecurity Framework v1.1 ID.SC-3
NIST Cybersecurity Framework v1.1 ID.SC-4
NIST Cybersecurity Framework v1.1 ID.SC-5
NIST Cybersecurity Framework v1.1 IR.RA-4
NIST Cybersecurity Framework v1.1 IS.AM-3
NIST Cybersecurity Framework v1.1 PR.AC-1
© 2019 HITRUST. All rights reserved.
03.d Risk Evaluation
05.d Authorization Process for Information Assets and Facilities
07.d Classification Guidelines
09.g Managing Changes to Third Party Services
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
12.b Business Continuity and Risk Assessment
03.b Performing Risk Assessments
03.d Risk Evaluation
07.d Classification Guidelines
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
12.b Business Continuity and Risk Assessment
03.c Risk Mitigation
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
10.l Outsourced Software Development
10.m Control of Technical Vulnerabilities
01.c Privilege Management
03.a Risk Management Program Development
03.b Performing Risk Assessments
05.a Management Commitment to Information Security
05.h Independent Review of Information Security
05.i Identification of Risks Related to External Parties
03.a Risk Management Program Development
05.h Independent Review of Information Security
05.i Identification of Risks Related to External Parties
03.a Risk Management Program Development
05.h Independent Review of Information Security
12.b Business Continuity and Risk Assessment
05.k Addressing Security in Third Party Agreements
09.n Security of Network Services
03.a Risk Management Program Development
09.n Security of Network Services
09.aa Audit Logging
09.ad Administrator and Operator Logs
09.l Back-up
11.c Responsibilities and Procedures
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
07.d Classification Guidelines
01.l Remote Diagnostic and Configuration Port Protection
01.a Access Control Policy
01.b User Registration
01.c Privilege Management
01.d User Password Management
01.e Review of User Access Rights
01.f Password Use
01.j User Authentication for External Connections
01.k Equipment Identification in Networks
01.p Secure Log-on Procedures
01.q User Identification and Authentication
01.r Password Management System
01.v Information Access Restriction
02.g Termination or Change Responsibilities
02.i Removal of Access Rights
05.j Addressing Security When Dealing with Customers
06.j Protection of Information Systems Audit Tools
09.m Network Controls
10.i Protection of System Test Data
 NIST Cybersecurity Framework v1.1 PR.AC-2
NIST Cybersecurity Framework v1.1 PR.AC-3
NIST Cybersecurity Framework v1.1 PR.AC-4
NIST Cybersecurity Framework v1.1 PR.AC-5
NIST Cybersecurity Framework v1.1 PR.AC-6
© 2019 HITRUST. All rights reserved.
01.g Unattended User Equipment
01.k Equipment Identification in Networks
01.l Remote Diagnostic and Configuration Port Protection
01.v Information Access Restriction
01.x Mobile Computing and Communications
01.y Teleworking
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
08.e Working in Secure Areas
08.f Public Access, Delivery, and Loading Areas
08.h Supporting Utilities
08.i Cabling Security
10.i Protection of System Test Data
01.j User Authentication for External Connections
01.n Network Connection Control
01.q User Identification and Authentication
01.v Information Access Restriction
01.y Teleworking
05.i Identification of Risks Related to External Parties
05.j Addressing Security When Dealing with Customers
09.e Service Delivery
09.s Information Exchange Policies and Procedures
09.w Interconnected Business Information Systems
10.i Protection of System Test Data
01.a Access Control Policy
01.b User Registration
01.c Privilege Management
01.e Review of User Access Rights
01.m Segregation in Networks
01.p Secure Log-on Procedures
01.s Use of System Utilities
01.v Information Access Restriction
01.x Mobile Computing and Communications
02.g Termination or Change Responsibilities
02.i Removal of Access Rights
05.i Identification of Risks Related to External Parties
06.j Protection of Information Systems Audit Tools
07.a Inventory of Assets
07.d Classification Guidelines
08.i Cabling Security
09.c Segregation of Duties
09.j Controls Against Malicious Code
09.r Security of System Documentation
09.w Interconnected Business Information Systems
09.y On-line Transactions
09.z Publicly Available Information
09.ac Protection of Log Information
10.i Protection of System Test Data
01.m Segregation in Networks
01.n Network Connection Control
01.o Network Routing Control
01.w Sensitive System Isolation
09.m Network Controls
09.w Interconnected Business Information Systems
10.i Protection of System Test Data
01.a Access Control Policy
01.b User Registration
01.c Privilege Management
 NIST Cybersecurity Framework v1.1 PR.AC-7
NIST Cybersecurity Framework v1.1 PR.AT-1
NIST Cybersecurity Framework v1.1 PR.AT-2
NIST Cybersecurity Framework v1.1 PR.AT-3
NIST Cybersecurity Framework v1.1 PR.AT-4
NIST Cybersecurity Framework v1.1 PR.AT-5
NIST Cybersecurity Framework v1.1 PR.DS-1
© 2019 HITRUST. All rights reserved.
01.q User Identification and Authentication
01.v Information Access Restriction
00.a Information Security Management Program
01.f Password Use
01.g Unattended User Equipment
01.p Secure Log-on Procedures
01.x Mobile Computing and Communications
01.y Teleworking
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
05.c Allocation of Information Security Responsibilities
07.c Acceptable Use of Assets
09.j Controls Against Malicious Code
09.s Information Exchange Policies and Procedures
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
00.a Information Security Management Program
01.q User Identification and Authentication
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
05.c Allocation of Information Security Responsibilities
09.z Publicly Available Information
00.a Information Security Management Program
02.d Management Responsibilities
05.i Identification of Risks Related to External Parties
05.j Addressing Security When Dealing with Customers
05.k Addressing Security in Third Party Agreements
06.a Identification of Applicable Legislation
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.g Managing Changes to Third Party Services
09.n Security of Network Services
09.t Exchange Agreements
09.x Electronic Commerce Services
10.a Security Requirements Analysis and Specification
10.k Change Control Procedures
10.l Outsourced Software Development
00.a Information Security Management Program
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
05.a Management Commitment to Information Security
05.c Allocation of Information Security Responsibilities
00.a Information Security Management Program
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
05.a Management Commitment to Information Security
05.c Allocation of Information Security Responsibilities
11.a Reporting Information Security Events
01.d User Password Management
01.j User Authentication for External Connections
01.k Equipment Identification in Networks
01.v Information Access Restriction
01.x Mobile Computing and Communications
01.y Teleworking
06.d Data Protection and Privacy of Covered Information
08.j Equipment Maintenance
09.l Back-up

NIST Cybersecurity Framework v1.1 PR.DS-2
NIST Cybersecurity Framework v1.1 PR.DS-3
NIST Cybersecurity Framework v1.1 PR.DS-4
NIST Cybersecurity Framework v1.1 PR.DS-5
© 2019 HITRUST. All rights reserved.
09.o Management of Removable Media
09.x Electronic Commerce Services
09.y On-line Transactions
09.z Publicly Available Information
09.ac Protection of Log Information
10.f Policy on the Use of Cryptographic Controls
10.g Key Management
10.i Protection of System Test Data
12.c Developing and Implementing Continuity Plans Including Information Security
01.d User Password Management
01.j User Authentication for External Connections
01.n Network Connection Control
01.r Password Management System
01.x Mobile Computing and Communications
01.y Teleworking
05.i Identification of Risks Related to External Parties
06.d Data Protection and Privacy of Covered Information
08.i Cabling Security
09.l Back-up
09.m Network Controls
09.s Information Exchange Policies and Procedures
09.t Exchange Agreements
09.u Physical Media in Transit
09.v Electronic Messaging
09.x Electronic Commerce Services
09.y On-line Transactions
09.z Publicly Available Information
09.ac Protection of Log Information
10.d Message Integrity
10.f Policy on the Use of Cryptographic Controls
10.g Key Management
01.y Teleworking
07.a Inventory of Assets
07.b Ownership of Assets
07.d Classification Guidelines
08.k Security of Equipment Off-Premises
08.l Secure Disposal or Re-Use of Equipment
08.m Removal of Property
09.e Service Delivery
09.p Disposal of Media
09.q Information Handling Procedures
09.h Capacity Management
09.ac Protection of Log Information
12.c Developing and Implementing Continuity Plans Including Information Security
01.c Privilege Management
01.m Segregation in Networks
01.n Network Connection Control
01.o Network Routing Control
01.p Secure Log-on Procedures
01.r Password Management System
01.s Use of System Utilities
01.t Session Time-out
01.u Limitation of Connection Time
01.v Information Access Restriction
01.w Sensitive System Isolation
02.b Screening
02.c Terms and Conditions of Employment
05.e Confidentiality Agreements
07.c Acceptable Use of Assets

NIST Cybersecurity Framework v1.1 PR.DS-6
NIST Cybersecurity Framework v1.1 PR.DS-7
NIST Cybersecurity Framework v1.1 PR.DS-8
NIST Cybersecurity Framework v1.1 PR.IP-1
NIST Cybersecurity Framework v1.1 PR.IP-2
NIST Cybersecurity Framework v1.1 PR.IP-3
NIST Cybersecurity Framework v1.1 PR.IP-4
NIST Cybersecurity Framework v1.1 PR.IP-5
NIST Cybersecurity Framework v1.1 PR.IP-6
© 2019 HITRUST. All rights reserved.
07.d Classification Guidelines
07.e Information Labeling and Handling
09.i System Acceptance
09.m Network Controls
09.p Disposal of Media
09.q Information Handling Procedures
09.s Information Exchange Policies and Procedures
09.v Electronic Messaging
09.w Interconnected Business Information Systems
09.x Electronic Commerce Services
09.y On-line Transactions
10.b Input Data Validation
10.d Message Integrity
10.j Access Control to Program Source Code
09.z Publicly Available Information
09.ac Protection of Log Information
10.b Input Data Validation
10.c Control of Internal Processing
10.d Message Integrity
09.d Separation of Development, Test, and Operational Environments
09.k Controls Against Mobile Code
10.h Control of Operational Software
09.z Publicly Available Information
10.c Control of Internal Processing
01.i Policy on the Use of Network Services
01.l Remote Diagnostic and Configuration Port Protection
01.m Segregation in Networks
01.w Sensitive System Isolation
01.x Mobile Computing and Communications
01.y Teleworking
06.b Intellectual Property Rights
06.j Protection of Information Systems Audit Tools
07.b Ownership of Assets
09.m Network Controls
09.w Interconnected Business Information Systems
09.z Publicly Available Information
10.h Control of Operational Software
10.k Change Control Procedures
09.i System Acceptance
10.a Security Requirements Analysis and Specification
10.k Change Control Procedures
01.l Remote Diagnostic and Configuration Port Protection
01.n Network Connection Control
05.b Information Security Coordination
09.b Change Management
09.d Separation of Development, Test, and Operational Environments
10.h Control of Operational Software
10.k Change Control Procedures
09.l Back-up
09.w Interconnected Business Information Systems
01.g Unattended User Equipment
01.y Teleworking
08.d Protecting Against External and Environmental Threats
08.e Working in Secure Areas
08.f Public Access, Delivery, and Loading Areas
08.g Equipment Siting and Protection
08.h Supporting Utilities
08.i Cabling Security
08.l Secure Disposal or Re-Use of Equipment
 NIST Cybersecurity Framework v1.1 PR.IP-6
NIST Cybersecurity Framework v1.1 PR.IP-7
NIST Cybersecurity Framework v1.1 PR.IP-8
NIST Cybersecurity Framework v1.1 PR.IP-9
NIST Cybersecurity Framework v1.1 PR.IP-10
NIST Cybersecurity Framework v1.1 PR.IP-11
NIST Cybersecurity Framework v1.1 PR.IP-12
NIST Cybersecurity Framework v1.1 PR.MA-1
NIST Cybersecurity Framework v1.1 PR.MA-2
NIST Cybersecurity Framework v1.1 PR.PT-1
© 2019 HITRUST. All rights reserved.
08.m Removal of Property
09.p Disposal of Media
00.a Information Security Management Program
05.h Independent Review of Information Security
06.a Identification of Applicable Legislation
11.a Reporting Information Security Events
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
05.b Information Security Coordination
05.h Independent Review of Information Security
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
11.c Responsibilities and Procedures
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
01.a Access Control Policy
01.b User Registration
01.c Privilege Management
01.d User Password Management
02.a Roles and Responsibilities
02.b Screening
02.c Terms and Conditions of Employment
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
02.f Disciplinary Process
02.g Termination or Change Responsibilities
02.h Return of Assets
02.i Removal of Access Rights
05.e Confidentiality Agreements
05.k Addressing Security in Third Party Agreements
06.e Prevention of Misuse of Information Assets
07.c Acceptable Use of Assets
11.a Reporting Information Security Events
11.e Collection of Evidence
12.a Including Information Security in the Business Continuity Management Process
03.c Risk Mitigation
06.h Technical Compliance Checking
10.m Control of Technical Vulnerabilities
01.l Remote Diagnostic and Configuration Port Protection
08.j Equipment Maintenance
01.j User Authentication for External Connections
01.q User Identification and Authentication
08.j Equipment Maintenance
01.c Privilege Management
06.c Protection of Organizational Records
06.i Information Systems Audit Controls
07.b Ownership of Assets
08.b Physical Entry Controls
09.h Capacity Management
09.q Information Handling Procedures
09.aa Audit Logging
09.ab Monitoring System Use
09.ac Protection of Log Information
09.ad Administrator and Operator Logs

NIST Cybersecurity Framework v1.1 PR.PT-2
NIST Cybersecurity Framework v1.1 PR.PT-3
NIST Cybersecurity Framework v1.1 PR.PT-4
NIST Cybersecurity Framework v1.1 PR.PT-5
NIST Cybersecurity Framework v1.1 PR.SC-6
NIST Cybersecurity Framework v1.1 PS.DS-3
NIST Cybersecurity Framework v1.1 RC.CO-1
NIST Cybersecurity Framework v1.1 RC.CO-2
NIST Cybersecurity Framework v1.1 RC.CO-3
NIST Cybersecurity Framework v1.1 RC.IM-1
NIST Cybersecurity Framework v1.1 RC.IM-2
NIST Cybersecurity Framework v1.1 RC.RP-1
NIST Cybersecurity Framework v1.1 RS.AN-1
NIST Cybersecurity Framework v1.1 RS.AN-2
NIST Cybersecurity Framework v1.1 RS.AN-3
NIST Cybersecurity Framework v1.1 RS.AN-4
NIST Cybersecurity Framework v1.1 RS.AN-5
NIST Cybersecurity Framework v1.1 RS.CO-1
© 2019 HITRUST. All rights reserved.
09.ae Fault Logging
09.af Clock Synchronization
10.i Protection of System Test Data
01.c Privilege Management
01.g Unattended User Equipment
01.h Clear Desk and Clear Screen Policy
01.v Information Access Restriction
07.e Information Labeling and Handling
09.o Management of Removable Media
09.q Information Handling Procedures
09.t Exchange Agreements
09.u Physical Media in Transit
01.i Policy on the Use of Network Services
01.l Remote Diagnostic and Configuration Port Protection
01.s Use of System Utilities
01.u Limitation of Connection Time
01.v Information Access Restriction
06.j Protection of Information Systems Audit Tools
10.i Protection of System Test Data
10.j Access Control to Program Source Code
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
01.c Privilege Management
01.j User Authentication for External Connections
01.l Remote Diagnostic and Configuration Port Protection
01.m Segregation in Networks
01.n Network Connection Control
01.o Network Routing Control
01.t Session Time-out
01.u Limitation of Connection Time
09.n Security of Network Services
12.b Business Continuity and Risk Assessment
01.a Access Control Policy
06.c Protection of Organizational Records
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
11.d Learning from Information Security Incidents
12.c Developing and Implementing Continuity Plans Including Information Security
11.d Learning from Information Security Incidents
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
11.d Learning from Information Security Incidents
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
11.d Learning from Information Security Incidents
12.c Developing and Implementing Continuity Plans Including Information Security
08.b Physical Entry Controls
09.ab Monitoring System Use
09.ac Protection of Log Information
11.d Learning from Information Security Incidents
11.d Learning from Information Security Incidents
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
11.e Collection of Evidence
11.c Responsibilities and Procedures
05.g Contact with Special Interest Groups
11.b Reporting Security Weaknesses
02.e Information Security Awareness, Education, and Training
11.a Reporting Information Security Events
 NIST Cybersecurity Framework v1.1 RS.CO-1
NIST Cybersecurity Framework v1.1 RS.CO-2
NIST Cybersecurity Framework v1.1 RS.CO-3
NIST Cybersecurity Framework v1.1 RS.CO-4
NIST Cybersecurity Framework v1.1 RS.CO-5
NIST Cybersecurity Framework v1.1 RS.IM-1
NIST Cybersecurity Framework v1.1 RS.IM-2
NIST Cybersecurity Framework v1.1 RS.MI-1
NIST Cybersecurity Framework v1.1 RS.MI-2
NIST Cybersecurity Framework v1.1 RS.MI-3
NIST Cybersecurity Framework v1.1 RS.RP-1
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
11.c Responsibilities and Procedures
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
05.f Contact with Authorities
09.ab Monitoring System Use
10.c Control of Internal Processing
11.a Reporting Information Security Events
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures
05.f Contact with Authorities
05.g Contact with Special Interest Groups
08.b Physical Entry Controls
09.ab Monitoring System Use
10.m Control of Technical Vulnerabilities
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
09.f Monitoring and Review of Third Party Services
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
12.c Developing and Implementing Continuity Plans Including Information Security
03.b Performing Risk Assessments
05.g Contact with Special Interest Groups
06.a Identification of Applicable Legislation
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
01.b User Registration
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
01.b User Registration
09.f Monitoring and Review of Third Party Services
10.a Security Requirements Analysis and Specification
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
03.a Risk Management Program Development
03.c Risk Mitigation
06.h Technical Compliance Checking
10.c Control of Internal Processing
10.m Control of Technical Vulnerabilities
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
 Authoritative Source HITRUST Control Reference
NIST SP 800-122 4.2.1 13.i Collection Limitation
13.l Retention and Disposal

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

 Authoritative Source
NIST SP 800-171 R2 3.1.1
NIST SP 800-171 R2 3.1.2
NIST SP 800-171 R2 3.1.3
NIST SP 800-171 R2 3.1.4
NIST SP 800-171 R2 3.1.5
NIST SP 800-171 R2 3.1.6
NIST SP 800-171 R2 3.1.7
NIST SP 800-171 R2 3.1.8
NIST SP 800-171 R2 3.1.9
NIST SP 800-171 R2 3.1.10
NIST SP 800-171 R2 3.1.11
NIST SP 800-171 R2 3.1.12
NIST SP 800-171 R2 3.1.13
NIST SP 800-171 R2 3.1.14
NIST SP 800-171 R2 3.1.15
NIST SP 800-171 R2 3.1.16
NIST SP 800-171 R2 3.1.17
NIST SP 800-171 R2 3.1.18
NIST SP 800-171 R2 3.1.19
NIST SP 800-171 R2 3.1.20
NIST SP 800-171 R2 3.1.21
NIST SP 800-171 R2 3.1.22
NIST SP 800-171 R2 3.2.1
NIST SP 800-171 R2 3.2.2
NIST SP 800-171 R2 3.2.3
NIST SP 800-171 R2 3.3.1
NIST SP 800-171 R2 3.3.2
NIST SP 800-171 R2 3.3.3
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
01.a Access Control Policy
01.b User Registration
01.i Policy on the Use of Network Services
01.a Access Control Policy
01.b User Registration
01.c Privilege Management
01.i Policy on the Use of Network Services
01.m Segregation in Networks
09.c Segregation of Duties
01.c Privilege Management
01.q User Identification and Authentication
01.c Privilege Management
01.q User Identification and Authentication
01.c Privilege Management
01.p Secure Log-on Procedures
05.j Addressing Security When Dealing with Customers
06.e Prevention of Misuse of Information Assets
07.e Information Labeling and Handling
01.t Session Time-out
01.t Session Time-out
01.j User Authentication for External Connections
01.j User Authentication for External Connections
01.y Teleworking
05.i Identification of Risks Related to External Parties
09.s Information Exchange Policies and Procedures
01.n Network Connection Control
01.j User Authentication for External Connections
01.i Policy on the Use of Network Services
01.j User Authentication for External Connections
09.m Network Controls
01.j User Authentication for External Connections
09.m Network Controls
01.x Mobile Computing and Communications
01.x Mobile Computing and Communications
01.i Policy on the Use of Network Services
09.s Information Exchange Policies and Procedures
09.s Information Exchange Policies and Procedures
09.z Publicly Available Information
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
09.aa Audit Logging
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
09.aa Audit Logging
09.ad Administrator and Operator Logs
09.ab Monitoring System Use
 NIST SP 800-171 R2 3.3.3
NIST SP 800-171 R2 3.3.4
NIST SP 800-171 R2 3.3.5
NIST SP 800-171 R2 3.3.6
NIST SP 800-171 R2 3.3.7
NIST SP 800-171 R2 3.3.8
NIST SP 800-171 R2 3.3.9
NIST SP 800-171 R2 3.4.1
NIST SP 800-171 R2 3.4.2
NIST SP 800-171 R2 3.4.3
NIST SP 800-171 R2 3.4.4
NIST SP 800-171 R2 3.4.5
NIST SP 800-171 R2 3.4.6
NIST SP 800-171 R2 3.4.7
NIST SP 800-171 R2 3.4.8
NIST SP 800-171 R2 3.4.9
NIST SP 800-171 R2 3.5.1
NIST SP 800-171 R2 3.5.2
NIST SP 800-171 R2 3.5.3
NIST SP 800-171 R2 3.5.4
NIST SP 800-171 R2 3.5.5
NIST SP 800-171 R2 3.5.7
NIST SP 800-171 R2 3.5.8
NIST SP 800-171 R2 3.5.9
NIST SP 800-171 R2 3.5.10
NIST SP 800-171 R2 3.5.11
NIST SP 800-171 R2 3.6.1
NIST SP 800-171 R2 3.6.2
NIST SP 800-171 R2 3.6.3
NIST SP 800-171 R2 3.7.1
NIST SP 800-171 R2 3.7.2
NIST SP 800-171 R2 3.7.3
© 2019 HITRUST. All rights reserved.
09.ad Administrator and Operator Logs
09.aa Audit Logging
09.ab Monitoring System Use
09.ab Monitoring System Use
09.af Clock Synchronization
06.j Protection of Information Systems Audit Tools
06.j Protection of Information Systems Audit Tools
09.w Interconnected Business Information Systems
10.h Control of Operational Software
10.k Change Control Procedures
09.w Interconnected Business Information Systems
10.h Control of Operational Software
10.k Change Control Procedures
10.k Change Control Procedures
09.b Change Management
09.i System Acceptance
10.h Control of Operational Software
09.b Change Management
10.k Change Control Procedures
01.c Privilege Management
01.l Remote Diagnostic and Configuration Port Protection
01.l Remote Diagnostic and Configuration Port Protection
09.j Controls Against Malicious Code
01.j User Authentication for External Connections
01.q User Identification and Authentication
01.j User Authentication for External Connections
01.q User Identification and Authentication
01.q User Identification and Authentication
01.q User Identification and Authentication
01.q User Identification and Authentication
01.r Password Management System
01.r Password Management System
01.d User Password Management
01.d User Password Management
01.d User Password Management
02.e Information Security Awareness, Education, and Training
05.f Contact with Authorities
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
05.f Contact with Authorities
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
08.j Equipment Maintenance
08.m Removal of Property
08.j Equipment Maintenance
08.j Equipment Maintenance
 NIST SP 800-171 R2 3.7.4
NIST SP 800-171 R2 3.7.5
NIST SP 800-171 R2 3.7.6
NIST SP 800-171 R2 3.8.1
NIST SP 800-171 R2 3.8.2
NIST SP 800-171 R2 3.8.3
NIST SP 800-171 R2 3.8.4
NIST SP 800-171 R2 3.8.5
NIST SP 800-171 R2 3.8.6
NIST SP 800-171 R2 3.8.7
NIST SP 800-171 R2 3.8.9
NIST SP 800-171 R2 3.9.1
NIST SP 800-171 R2 3.9.2
NIST SP 800-171 R2 3.10.1
NIST SP 800-171 R2 3.10.2
NIST SP 800-171 R2 3.10.3
NIST SP 800-171 R2 3.10.4
NIST SP 800-171 R2 3.10.5
NIST SP 800-171 R2 3.10.6
NIST SP 800-171 R2 3.11.1
NIST SP 800-171 R2 3.11.2
NIST SP 800-171 R2 3.11.3
NIST SP 800-171 R2 3.12.1
NIST SP 800-171 R2 3.12.2
NIST SP 800-171 R2 3.12.3
NIST SP 800-171 R2 3.12.4
NIST SP 800-171 R2 3.13.1
NIST SP 800-171 R2 3.13.2
© 2019 HITRUST. All rights reserved.
08.j Equipment Maintenance
01.j User Authentication for External Connections
08.j Equipment Maintenance
01.h Clear Desk and Clear Screen Policy
09.l Back-up
09.o Management of Removable Media
09.q Information Handling Procedures
09.p Disposal of Media
08.l Secure Disposal or Re-Use of Equipment
09.p Disposal of Media
07.e Information Labeling and Handling
09.q Information Handling Procedures
09.o Management of Removable Media
09.q Information Handling Procedures
09.u Physical Media in Transit
09.q Information Handling Procedures
09.u Physical Media in Transit
09.o Management of Removable Media
09.l Back-up
02.b Screening
01.e Review of User Access Rights
02.g Termination or Change Responsibilities
02.h Return of Assets
02.i Removal of Access Rights
08.b Physical Entry Controls
08.i Cabling Security
08.b Physical Entry Controls
08.i Cabling Security
08.b Physical Entry Controls
08.b Physical Entry Controls
08.b Physical Entry Controls
01.y Teleworking
08.k Security of Equipment Off-Premises
03.a Risk Management Program Development
03.b Performing Risk Assessments
03.d Risk Evaluation
12.b Business Continuity and Risk Assessment
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
03.b Performing Risk Assessments
05.a Management Commitment to Information Security
05.h Independent Review of Information Security
03.c Risk Mitigation
05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
05.b Information Security Coordination
01.m Segregation in Networks
10.a Security Requirements Analysis and Specification
 NIST SP 800-171 R2 3.13.3
NIST SP 800-171 R2 3.13.5
NIST SP 800-171 R2 3.13.6
NIST SP 800-171 R2 3.13.7
NIST SP 800-171 R2 3.13.8
NIST SP 800-171 R2 3.13.9
NIST SP 800-171 R2 3.13.10
NIST SP 800-171 R2 3.13.11
NIST SP 800-171 R2 3.13.12
NIST SP 800-171 R2 3.13.13
NIST SP 800-171 R2 3.13.14
NIST SP 800-171 R2 3.13.15
NIST SP 800-171 R2 3.13.16
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
09.j Controls Against Malicious Code
01.m Segregation in Networks
09.m Network Controls
01.n Network Connection Control
09.m Network Controls
01.n Network Connection Control
01.n Network Connection Control
09.m Network Controls
09.s Information Exchange Policies and Procedures
09.v Electronic Messaging
09.y On-line Transactions
01.t Session Time-out
10.g Key Management
09.m Network Controls
09.s Information Exchange Policies and Procedures
09.k Controls Against Mobile Code
09.m Network Controls
10.d Message Integrity
06.d Data Protection and Privacy of Covered Information
Authoritative Source
NIST SP 800-53 R4 AC-1
NIST SP 800-53 R4 AC-2
NIST SP 800-53 R4 AC-2(1)
NIST SP 800-53 R4 AC-2(2)
NIST SP 800-53 R4 AC-2(3)
NIST SP 800-53 R4 AC-2(11)
NIST SP 800-53 R4 AC-2(12)
NIST SP 800-53 R4 AC-3
NIST SP 800-53 R4 AC-3(7)
NIST SP 800-53 R4 AC-3(8)
NIST SP 800-53 R4 AC-4
NIST SP 800-53 R4 AC-4(2)
NIST SP 800-53 R4 AC-5
NIST SP 800-53 R4 AC-6
NIST SP 800-53 R4 AC-6(1)
NIST SP 800-53 R4 AC-6(2)
NIST SP 800-53 R4 AC-6(5)
NIST SP 800-53 R4 AC-6(9)
NIST SP 800-53 R4 AC-6(10)
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
01.a Access Control Policy
01.i Policy on the Use of Network Services
01.v Information Access Restriction
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
09.s Information Exchange Policies and Procedures
01.a Access Control Policy
01.b User Registration
01.c Privilege Management
01.e Review of User Access Rights
01.j User Authentication for External Connections
01.w Sensitive System Isolation
02.i Removal of Access Rights
01.b User Registration
01.b User Registration
01.b User Registration
01.n Network Connection Control
09.ab Monitoring System Use
01.c Privilege Management
01.s Use of System Utilities
01.v Information Access Restriction
09.q Information Handling Procedures
09.s Information Exchange Policies and Procedures
10.j Access Control to Program Source Code
10.k Change Control Procedures
01.c Privilege Management
05.i Identification of Risks Related to External Parties
01.m Segregation in Networks
01.o Network Routing Control
09.s Information Exchange Policies and Procedures
01.m Segregation in Networks
01.a Access Control Policy
01.b User Registration
09.c Segregation of Duties
01.c Privilege Management
01.i Policy on the Use of Network Services
01.s Use of System Utilities
01.v Information Access Restriction
01.y Teleworking
05.i Identification of Risks Related to External Parties
10.j Access Control to Program Source Code
01.c Privilege Management
06.j Protection of Information Systems Audit Tools
01.c Privilege Management
01.q User Identification and Authentication
01.c Privilege Management
01.c Privilege Management
09.aa Audit Logging
01.c Privilege Management
NIST SP 800-53 R4 AC-7
NIST SP 800-53 R4 AC-8
NIST SP 800-53 R4 AC-9
NIST SP 800-53 R4 AC-10
NIST SP 800-53 R4 AC-11
NIST SP 800-53 R4 AC-11(1)
NIST SP 800-53 R4 AC-12
NIST SP 800-53 R4 AC-14
NIST SP 800-53 R4 AC-16
NIST SP 800-53 R4 AC-17
NIST SP 800-53 R4 AC-17(1)
NIST SP 800-53 R4 AC-17(2)
NIST SP 800-53 R4 AC-17(3)
NIST SP 800-53 R4 AC-17(4)
NIST SP 800-53 R4 AC-18
NIST SP 800-53 R4 AC-18(1)
NIST SP 800-53 R4 AC-18(4)
NIST SP 800-53 R4 AC-18(5)
NIST SP 800-53 R4 AC-19
NIST SP 800-53 R4 AC-19(5)
NIST SP 800-53 R4 AC-20
NIST SP 800-53 R4 AC-20(1)
NIST SP 800-53 R4 AC-20(2)
NIST SP 800-53 R4 AC-21
NIST SP 800-53 R4 AC-22
NIST SP 800-53 R4 AP-2
NIST SP 800-53 R4 AR-1
© 2019 HITRUST. All rights reserved.
01.p Secure Log-on Procedures
01.p Secure Log-on Procedures
05.j Addressing Security When Dealing with Customers
06.e Prevention of Misuse of Information Assets
07.e Information Labeling and Handling
01.p Secure Log-on Procedures
01.c Privilege Management
01.p Secure Log-on Procedures
01.g Unattended User Equipment
01.h Clear Desk and Clear Screen Policy
01.t Session Time-out
01.t Session Time-out
01.t Session Time-out
01.v Information Access Restriction
07.e Information Labeling and Handling
01.i Policy on the Use of Network Services
01.j User Authentication for External Connections
01.n Network Connection Control
01.y Teleworking
09.m Network Controls
09.s Information Exchange Policies and Procedures
01.j User Authentication for External Connections
01.j User Authentication for External Connections
01.y Teleworking
05.i Identification of Risks Related to External Parties
09.s Information Exchange Policies and Procedures
01.n Network Connection Control
01.j User Authentication for External Connections
01.i Policy on the Use of Network Services
01.j User Authentication for External Connections
08.g Equipment Siting and Protection
09.m Network Controls
09.m Network Controls
09.m Network Controls
09.m Network Controls
01.x Mobile Computing and Communications
01.x Mobile Computing and Communications
01.i Policy on the Use of Network Services
01.y Teleworking
07.c Acceptable Use of Assets
08.k Security of Equipment Off-Premises
09.s Information Exchange Policies and Procedures
09.s Information Exchange Policies and Procedures
09.s Information Exchange Policies and Procedures
01.b User Registration
01.c Privilege Management
09.z Publicly Available Information
13.a Privacy Notice
03.a Risk Management Program Development
05.a Management Commitment to Information Security
06.d Data Protection and Privacy of Covered Information
13.p Governance
NIST SP 800-53 R4 AR-2
NIST SP 800-53 R4 AR-3
NIST SP 800-53 R4 AR-4
NIST SP 800-53 R4 AR-5
NIST SP 800-53 R4 AR-7
NIST SP 800-53 R4 AR-8
NIST SP 800-53 R4 AT-1
NIST SP 800-53 R4 AT-2
NIST SP 800-53 R4 AT-2(2)
NIST SP 800-53 R4 AT-3
NIST SP 800-53 R4 AT-3(1)
NIST SP 800-53 R4 AT-4
NIST SP 800-53 R4 AU-1
NIST SP 800-53 R4 AU-2
NIST SP 800-53 R4 AU-2(3)
NIST SP 800-53 R4 AU-3
NIST SP 800-53 R4 AU-3(1)
NIST SP 800-53 R4 AU-4
NIST SP 800-53 R4 AU-5
NIST SP 800-53 R4 AU-5(2)
NIST SP 800-53 R4 AU-5(4)
NIST SP 800-53 r4 AU-6
© 2019 HITRUST. All rights reserved.
03.a Risk Management Program Development
06.d Data Protection and Privacy of Covered Information
13.q Privacy and Impact Assessment
13.r Privacy Requirements for Contractors and Processors
05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
09.aa Audit Logging
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
13.s Privacy Monitoring and Auditing
02.e Information Security Awareness, Education, and Training
13.t Privacy Protection Awareness and Training
10.a Security Requirements Analysis and Specification
13.u Privacy Protection Reporting
13.c Accounting of Disclosures
02.e Information Security Awareness, Education, and Training
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
01.p Secure Log-on Procedures
01.y Teleworking
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
05.c Allocation of Information Security Responsibilities
08.d Protecting Against External and Environmental Threats
02.e Information Security Awareness, Education, and Training
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
06.i Information Systems Audit Controls
06.j Protection of Information Systems Audit Tools
09.a Documented Operations Procedures
01.p Secure Log-on Procedures
01.s Use of System Utilities
06.i Information Systems Audit Controls
09.aa Audit Logging
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
09.ae Fault Logging
09.aa Audit Logging
09.aa Audit Logging
09.ab Monitoring System Use
09.aa Audit Logging
09.h Capacity Management
09.h Capacity Management
09.aa Audit Logging
09.ae Fault Logging
09.aa Audit Logging
01.b User Registration
NIST SP 800-53 r4 AU-6
NIST SP 800-53 R4 AU-6(1)
NIST SP 800-53 R4 AU-6(3)
NIST SP 800-53 R4 AU-6(9)
NIST SP 800-53 R4 AU-7
NIST SP 800-53 R4 AU-7(1)
NIST SP 800-53 R4 AU-8
NIST SP 800-53 R4 AU-8(1)
NIST SP 800-53 R4 AU-9
NIST SP 800-53 R4 AU-10
NIST SP 800-53 R4 AU-11
NIST SP 800-53 R4 AU-12
NIST SP 800-53 R4 CA-1
NIST SP 800-53 R4 CA-2
NIST SP 800-53 R4 CA-2(1)
NIST SP 800-53 R4 CA-2(2)
NIST SP 800-53 R4 CA-3
NIST SP 800-53 R4 CA-3(5)
NIST SP 800-53 R4 CA-5
NIST SP 800-53 R4 CA-5(1)
NIST SP 800-53 R4 CA-6
© 2019 HITRUST. All rights reserved.
09.ab Monitoring System Use
09.ad Administrator and Operator Logs
09.ae Fault Logging
09.ab Monitoring System Use
09.ab Monitoring System Use
09.ab Monitoring System Use
09.ab Monitoring System Use
09.ab Monitoring System Use
09.aa Audit Logging
09.af Clock Synchronization
09.af Clock Synchronization
06.c Protection of Organizational Records
06.j Protection of Information Systems Audit Tools
09.aa Audit Logging
09.ac Protection of Log Information
11.e Collection of Evidence
09.x Electronic Commerce Services
09.y On-line Transactions
10.d Message Integrity
06.c Protection of Organizational Records
09.aa Audit Logging
11.e Collection of Evidence
01.p Secure Log-on Procedures
09.ad Administrator and Operator Logs
09.ae Fault Logging
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
05.d Authorization Process for Information Assets and Facilities
06.g Compliance with Security Policies and Standards
09.a Documented Operations Procedures
03.b Performing Risk Assessments
05.a Management Commitment to Information Security
05.d Authorization Process for Information Assets and Facilities
05.h Independent Review of Information Security
06.h Technical Compliance Checking
06.i Information Systems Audit Controls
06.j Protection of Information Systems Audit Tools
09.i System Acceptance
10.m Control of Technical Vulnerabilities
05.a Management Commitment to Information Security
05.h Independent Review of Information Security
06.h Technical Compliance Checking
05.i Identification of Risks Related to External Parties
05.j Addressing Security When Dealing with Customers
09.m Network Controls
09.n Security of Network Services
09.w Interconnected Business Information Systems
09.n Security of Network Services
03.c Risk Mitigation
03.c Risk Mitigation
05.d Authorization Process for Information Assets and Facilities
NIST SP 800-53 R4 CA-6
NIST SP 800-53 R4 CA-7
NIST SP 800-53 R4 CA-7(1)
NIST SP 800-53 R4 CA-8
NIST SP 800-53 R4 CA-9
NIST SP 800-53 R4 CM-1
NIST SP 800-53 R4 CM-2
NIST SP 800-53 R4 CM-2(1)
NIST SP 800-53 R4 CM-2(2)
NIST SP 800-53 R4 CM-2(3)
NIST SP 800-53 R4 CM-2(6)
NIST SP 800-53 R4 CM-2(7)
NIST SP 800-53 R4 CM-3
NIST SP 800-53 R4 CM-3(1)
NIST SP 800-53 R4 CM-3(2)
NIST SP 800-53 R4 CM-4
NIST SP 800-53 R4 CM-4(1)
NIST SP 800-53 R4 CM-4(2)
NIST SP 800-53 R4 CM-5
NIST SP 800-53 R4 CM-5(1)
NIST SP 800-53 R4 CM-5(2)
NIST SP 800-53 R4 CM-6
© 2019 HITRUST. All rights reserved.
09.i System Acceptance
05.h Independent Review of Information Security
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
10.m Control of Technical Vulnerabilities
11.b Reporting Security Weaknesses
05.h Independent Review of Information Security
05.k Addressing Security in Third Party Agreements
06.g Compliance with Security Policies and Standards
10.m Control of Technical Vulnerabilities
09.w Interconnected Business Information Systems
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
10.k Change Control Procedures
01.j User Authentication for External Connections
09.d Separation of Development, Test, and Operational Environments
09.w Interconnected Business Information Systems
10.k Change Control Procedures
10.k Change Control Procedures
01.j User Authentication for External Connections
10.k Change Control Procedures
10.h Control of Operational Software
10.k Change Control Procedures
09.k Controls Against Mobile Code
10.k Change Control Procedures
01.x Mobile Computing and Communications
03.d Risk Evaluation
09.b Change Management
09.i System Acceptance
09.k Controls Against Mobile Code
09.m Network Controls
10.h Control of Operational Software
10.k Change Control Procedures
10.k Change Control Procedures
10.h Control of Operational Software
10.k Change Control Procedures
09.b Change Management
09.i System Acceptance
10.h Control of Operational Software
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
09.b Change Management
10.j Access Control to Program Source Code
10.k Change Control Procedures
10.k Change Control Procedures
10.k Change Control Procedures
09.z Publicly Available Information
10.h Control of Operational Software
10.k Change Control Procedures
NIST SP 800-53 R4 CM-6
NIST SP 800-53 R4 CM-6(1)
NIST SP 800-53 R4 CM-6(2)
NIST SP 800-53 R4 CM-7
NIST SP 800-53 R4 CM-7(1)
NIST SP 800-53 R4 CM-7(2)
NIST SP 800-53 R4 CM-7(4)
NIST SP 800-53 R4 CM-7(5)
NIST SP 800-53 R4 CM-8
NIST SP 800-53 R4 CM-8(1)
NIST SP 800-53 R4 CM-8(3)
NIST SP 800-53 R4 CM-8(5)
NIST SP 800-53 R4 CM-8(7)
NIST SP 800-53 R4 CM-9
NIST SP 800-53 R4 CM-10
NIST SP 800-53 R4 CM-11
NIST SP 800-53 R4 CP-1
NIST SP 800-53 R4 CP-2
NIST SP 800-53 R4 CP-2(2)
NIST SP 800-53 R4 CP-2(3)
NIST SP 800-53 R4 CP-2(5)
NIST SP 800-53 R4 CP-2(8)
NIST SP 800-53 R4 CP-3
NIST SP 800-53 R4 CP-3(1)
NIST SP 800-53 R4 CP-4
© 2019 HITRUST. All rights reserved.
10.m Control of Technical Vulnerabilities
10.h Control of Operational Software
10.k Change Control Procedures
10.h Control of Operational Software
10.k Change Control Procedures
01.c Privilege Management
01.i Policy on the Use of Network Services
01.l Remote Diagnostic and Configuration Port Protection
09.i System Acceptance
09.m Network Controls
10.j Access Control to Program Source Code
10.m Control of Technical Vulnerabilities
01.l Remote Diagnostic and Configuration Port Protection
01.l Remote Diagnostic and Configuration Port Protection
10.h Control of Operational Software
01.l Remote Diagnostic and Configuration Port Protection
10.h Control of Operational Software
01.l Remote Diagnostic and Configuration Port Protection
07.a Inventory of Assets
07.b Ownership of Assets
07.d Classification Guidelines
07.a Inventory of Assets
07.a Inventory of Assets
08.i Cabling Security
07.a Inventory of Assets
07.d Classification Guidelines
09.b Change Management
10.k Change Control Procedures
06.b Intellectual Property Rights
07.b Ownership of Assets
09.j Controls Against Malicious Code
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
12.a Including Information Security in the Business Continuity Management Process
05.f Contact with Authorities
09.l Back-up
09.m Network Controls
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.a Including Information Security in the Business Continuity Management Process
12.b Business Continuity and Risk Assessment
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
NIST SP 800-53 R4 CP-4
NIST SP 800-53 R4 CP-4(1)
NIST SP 800-53 R4 CP-4(2)
NIST SP 800-53 R4 CP-4(4)
NIST SP 800-53 R4 CP-6
NIST SP 800-53 R4 CP-6(1)
NIST SP 800-53 R4 CP-6(3)
NIST SP 800-53 R4 CP-7
NIST SP 800-53 R4 CP-7(1)
NIST SP 800-53 R4 CP-7(3)
NIST SP 800-53 R4 CP-8
NIST SP 800-53 R4 CP-8(1)
NIST SP 800-53 R4 CP-8(2)
NIST SP 800-53 R4 CP-9
NIST SP 800-53 R4 CP-9(1)
NIST SP 800-53 R4 CP-9(2)
NIST SP 800-53 R4 CP-9(3)
NIST SP 800-53 R4 CP-9(5)
NIST SP 800-53 R4 CP-9(6)
NIST SP 800-53 R4 CP-10(4)
NIST SP 800-53 R4 CP-11
NIST SP 800-53 R4 DI-1
NIST SP 800-53 R4 DI-1(1)
NIST SP 800-53 R4 DI-1(2)
NIST SP 800-53 R4 DI-2
NIST SP 800-53 R4 DI-2(1)
NIST SP 800-53 R4 DM-1
NIST SP 800-53 R4 DM-1(1)
NIST SP 800-53 R4 DM-2
NIST SP 800-53 R4 DM-2(1)
NIST SP 800-53 R4 DM-3
NIST SP 800-53 R4 DM-3(1)
NIST SP 800-53 R4 IA-1
NIST SP 800-53 R4 IA-2
© 2019 HITRUST. All rights reserved.
05.f Contact with Authorities
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
09.l Back-up
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
09.l Back-up
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
08.h Supporting Utilities
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
09.l Back-up
12.c Developing and Implementing Continuity Plans Including Information Security
09.l Back-up
09.l Back-up
12.c Developing and Implementing Continuity Plans Including Information Security
09.l Back-up
09.l Back-up
10.a Security Requirements Analysis and Specification
12.c Developing and Implementing Continuity Plans Including Information Security
12.c Developing and Implementing Continuity Plans Including Information Security
13.f Principle Access
13.m Accuracy and Quality
13.m Accuracy and Quality
13.m Accuracy and Quality
10.c Control of Internal Processing
13.m Accuracy and Quality
13.m Accuracy and Quality
01.v Information Access Restriction
13.i Collection Limitation
13.j Data Minimization
06.c Protection of Organizational Records
08.l Secure Disposal or Re-Use of Equipment
09.p Disposal of Media
13.l Retention and Disposal
06.c Protection of Organizational Records
13.d Consent
13.k Use and Disclosure
13.j Data Minimization
01.b User Registration
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
01.d User Password Management
01.j User Authentication for External Connections
01.q User Identification and Authentication
NIST SP 800-53 R4 IA-2
NIST SP 800-53 R4 IA-2(1)
NIST SP 800-53 R4 IA-2(2)
NIST SP 800-53 R4 IA-2(3)
NIST SP 800-53 R4 IA-2(8)
NIST SP 800-53 R4 IA-2(11)
NIST SP 800-53 R4 IA-2(12)
NIST SP 800-53 R4 IA-3
NIST SP 800-53 R4 IA-4
NIST SP 800-53 R4 IA-5
NIST SP 800-53 R4 IA-5.h
NIST SP 800-53 R4 IA-5(1)
NIST SP 800-53 R4 IA-5(11)
NIST SP 800-53 R4 IA-5(2)
NIST SP 800-53 R4 IA-5(3)
NIST SP 800-53 R4 IA-5(7)
NIST SP 800-53 R4 IA-6
NIST SP 800-53 R4 IA-7
NIST SP 800-53 R4 IA-8
NIST SP 800-53 R4 IA-8(1)
NIST SP 800-53 R4 IA-8(2)
NIST SP 800-53 R4 IA-8(3)
NIST SP 800-53 R4 IA-8(4)
NIST SP 800-53 R4 IA-11
NIST SP 800-53 R4 IP-1
NIST SP 800-53 R4 IP-1(1)
NIST SP 800-53 R4 IP-2
NIST SP 800-53 R4 IP-3
NIST SP 800-53 R4 IP-4
NIST SP 800-53 r4 IR-1
© 2019 HITRUST. All rights reserved.
01.r Password Management System
01.y Teleworking
01.q User Identification and Authentication
01.q User Identification and Authentication
01.q User Identification and Authentication
01.q User Identification and Authentication
01.q User Identification and Authentication
01.q User Identification and Authentication
01.j User Authentication for External Connections
01.k Equipment Identification in Networks
09.m Network Controls
01.b User Registration
01.q User Identification and Authentication
01.b User Registration
01.d User Password Management
01.f Password Use
01.k Equipment Identification in Networks
01.q User Identification and Authentication
01.r Password Management System
01.d User Password Management
01.d User Password Management
01.r Password Management System
01.j User Authentication for External Connections
01.q User Identification and Authentication
01.q User Identification and Authentication
01.b User Registration
01.q User Identification and Authentication
01.d User Password Management
01.q User Identification and Authentication
01.d User Password Management
01.p Secure Log-on Procedures
06.f Regulation of Cryptographic Controls
01.j User Authentication for External Connections
01.q User Identification and Authentication
09.y On-line Transactions
01.j User Authentication for External Connections
01.j User Authentication for External Connections
01.j User Authentication for External Connections
01.j User Authentication for External Connections
01.u Limitation of Connection Time
13.d Consent
13.e Choice
13.k Use and Disclosure
13.d Consent
13.f Principle Access
13.f Principle Access
13.n Participation and Redress
04.b Review of the Information Security Policy
13.o Compliant Management
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
NIST SP 800-53 r4 IR-1
NIST SP 800-53 R4 IR-2
NIST SP 800-53 R4 IR-2(1)
NIST SP 800-53 R4 IR-3
NIST SP 800-53 R4 IR-3(2)
NIST SP 800-53 R4 IR-4
NIST SP 800-53 R4 IR-4(1)
NIST SP 800-53 R4 IR-4(4)
NIST SP 800-53 R4 IR-4(7)
NIST SP 800-53 R4 IR-5
NIST SP 800-53 R4 IR-5(1)
NIST SP 800-53 R4 IR-6
NIST SP 800-53 R4 IR-6(1)
NIST SP 800-53 R4 IR-7
NIST SP 800-53 R4 IR-8
NIST SP 800-53 R4 MA-1
NIST SP 800-53 R4 MA-2
NIST SP 800-53 R4 MA-3
NIST SP 800-53 R4 MA-3(1)
NIST SP 800-53 R4 MA-3(2)
NIST SP 800-53 R4 MA-4
NIST SP 800-53 R4 MA-4(1)
NIST SP 800-53 R4 MA-4(2)
NIST SP 800-53 R4 MA-4(3)
NIST SP 800-53 R4 MA-5
NIST SP 800-53 R4 MA-6
NIST SP 800-53 R4 MP-1
© 2019 HITRUST. All rights reserved.
09.a Documented Operations Procedures
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
02.e Information Security Awareness, Education, and Training
05.c Allocation of Information Security Responsibilities
11.a Reporting Information Security Events
02.e Information Security Awareness, Education, and Training
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
05.b Information Security Coordination
05.f Contact with Authorities
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
11.e Collection of Evidence
11.a Reporting Information Security Events
11.d Learning from Information Security Incidents
11.d Learning from Information Security Incidents
11.a Reporting Information Security Events
02.f Disciplinary Process
11.d Learning from Information Security Incidents
11.d Learning from Information Security Incidents
05.f Contact with Authorities
11.a Reporting Information Security Events
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
08.j Equipment Maintenance
09.a Documented Operations Procedures
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.j Equipment Maintenance
08.m Removal of Property
08.j Equipment Maintenance
08.j Equipment Maintenance
08.j Equipment Maintenance
01.j User Authentication for External Connections
01.l Remote Diagnostic and Configuration Port Protection
05.i Identification of Risks Related to External Parties
08.j Equipment Maintenance
08.j Equipment Maintenance
01.l Remote Diagnostic and Configuration Port Protection
08.j Equipment Maintenance
01.l Remote Diagnostic and Configuration Port Protection
08.j Equipment Maintenance
08.j Equipment Maintenance
08.j Equipment Maintenance
01.a Access Control Policy
NIST SP 800-53 R4 MP-1
NIST SP 800-53 R4 MP-2
NIST SP 800-53 R4 MP-3
NIST SP 800-53 R4 MP-4
NIST SP 800-53 R4 MP-5
NIST SP 800-53 R4 MP-5(3)
NIST SP 800-53 R4 MP-5(4)
NIST SP 800-53 R4 MP-6
NIST SP 800-53 R4 MP-6(1)
NIST SP 800-53 R4 MP-6(2)
NIST SP 800-53 R4 MP-7
NIST SP 800-53 R4 MP-7(1)
NIST SP 800-53 R4 PE-1
NIST SP 800-53 R4 PE-2
NIST SP 800-53 R4 PE-3
NIST SP 800-53 R4 PE-3(1)
NIST SP 800-53 R4 PE-3(4)
NIST SP 800-53 R4 PE-4
NIST SP 800-53 R4 PE-5
NIST SP 800-53 R4 PE-6
NIST SP 800-53 R4 PE-6(1)
NIST SP 800-53 R4 PE-6(2)
NIST SP 800-53 R4 PE-8
NIST SP 800-53 R4 PE-9
© 2019 HITRUST. All rights reserved.
07.a Inventory of Assets
09.a Documented Operations Procedures
09.o Management of Removable Media
09.t Exchange Agreements
10.f Policy on the Use of Cryptographic Controls
09.q Information Handling Procedures
01.h Clear Desk and Clear Screen Policy
07.e Information Labeling and Handling
09.q Information Handling Procedures
01.h Clear Desk and Clear Screen Policy
09.l Back-up
09.o Management of Removable Media
08.k Security of Equipment Off-Premises
08.m Removal of Property
09.l Back-up
09.o Management of Removable Media
09.q Information Handling Procedures
09.u Physical Media in Transit
09.o Management of Removable Media
09.u Physical Media in Transit
09.o Management of Removable Media
09.q Information Handling Procedures
09.u Physical Media in Transit
08.l Secure Disposal or Re-Use of Equipment
09.p Disposal of Media
09.p Disposal of Media
09.p Disposal of Media
09.o Management of Removable Media
09.o Management of Removable Media
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
08.d Protecting Against External and Environmental Threats
08.g Equipment Siting and Protection
09.a Documented Operations Procedures
08.b Physical Entry Controls
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
08.f Public Access, Delivery, and Loading Areas
01.l Remote Diagnostic and Configuration Port Protection
08.b Physical Entry Controls
01.l Remote Diagnostic and Configuration Port Protection
08.i Cabling Security
01.g Unattended User Equipment
08.b Physical Entry Controls
09.ab Monitoring System Use
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
08.b Physical Entry Controls
08.h Supporting Utilities
08.i Cabling Security
NIST SP 800-53 R4 PE-10
NIST SP 800-53 R4 PE-11
NIST SP 800-53 R4 PE-12
NIST SP 800-53 R4 PE-13
NIST SP 800-53 R4 PE-13(1)
NIST SP 800-53 R4 PE-13(2)
NIST SP 800-53 R4 PE-13(3)
NIST SP 800-53 R4 PE-14
NIST SP 800-53 R4 PE-15
NIST SP 800-53 R4 PE-15(1)
NIST SP 800-53 R4 PE-16
NIST SP 800-53 R4 PE-17
NIST SP 800-53 R4 PE-18
NIST SP 800-53 R4 PE-18(1)
NIST SP 800-53 R4 PL-1
NIST SP 800-53 R4 PL-2
NIST SP 800-53 R4 Pl-2(3)
NIST SP 800-53 R4 PL-4
NIST SP 800-53 R4 PL-4(1)
NIST SP 800-53 R4 PL-8
NIST SP 800-53 R4 PM-1
NIST SP 800-53 R4 PM-2
NIST SP 800-53 R4 PM-3
© 2019 HITRUST. All rights reserved.
08.h Supporting Utilities
08.h Supporting Utilities
08.h Supporting Utilities
08.d Protecting Against External and Environmental Threats
08.g Equipment Siting and Protection
08.d Protecting Against External and Environmental Threats
08.d Protecting Against External and Environmental Threats
08.d Protecting Against External and Environmental Threats
08.g Equipment Siting and Protection
08.h Supporting Utilities
08.d Protecting Against External and Environmental Threats
08.g Equipment Siting and Protection
08.d Protecting Against External and Environmental Threats
08.f Public Access, Delivery, and Loading Areas
08.m Removal of Property
09.u Physical Media in Transit
01.y Teleworking
08.k Security of Equipment Off-Premises
01.g Unattended User Equipment
08.g Equipment Siting and Protection
08.g Equipment Siting and Protection
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
05.b Information Security Coordination
06.i Information Systems Audit Controls
05.b Information Security Coordination
01.y Teleworking
02.a Roles and Responsibilities
02.c Terms and Conditions of Employment
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
05.j Addressing Security When Dealing with Customers
06.e Prevention of Misuse of Information Assets
07.c Acceptable Use of Assets
09.s Information Exchange Policies and Procedures
11.b Reporting Security Weaknesses
07.c Acceptable Use of Assets
10.a Security Requirements Analysis and Specification
00.a Information Security Management Program
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
05.b Information Security Coordination
09.a Documented Operations Procedures
00.a Information Security Management Program
02.d Management Responsibilities
05.a Management Commitment to Information Security
05.c Allocation of Information Security Responsibilities
00.a Information Security Management Program
05.a Management Commitment to Information Security
NIST SP 800-53 R4 PM-3
NIST SP 800-53 R4 PM-4
NIST SP 800-53 R4 PM-5
NIST SP 800-53 R4 PM-6
NIST SP 800-53 R4 PM-7
NIST SP 800-53 R4 PM-8
NIST SP 800-53 R4 PM-9
NIST SP 800-53 R4 PM-10
NIST SP 800-53 R4 PM-11
NIST SP 800-53 R4 PM-12
NIST SP 800-53 R4 PM-13
NIST SP 800-53 R4 PM-14
NIST SP 800-53 R4 PM-15
NIST SP 800-53 R4 PS-1
NIST SP 800-53 R4 PS-2
NIST SP 800-53 R4 PS-3
NIST SP 800-53 R4 PS-4
NIST SP 800-53 R4 PS-4(2)
NIST SP 800-53 R4 PS-5
NIST SP 800-53 R4 PS-6
NIST SP 800-53 R4 PS-7
NIST SP 800-53 R4 PS-8
NIST SP 800-53 R4 RA-1
© 2019 HITRUST. All rights reserved.
05.b Information Security Coordination
00.a Information Security Management Program
03.a Risk Management Program Development
03.c Risk Mitigation
07.a Inventory of Assets
00.a Information Security Management Program
02.e Information Security Awareness, Education, and Training
10.a Security Requirements Analysis and Specification
12.b Business Continuity and Risk Assessment
00.a Information Security Management Program
03.a Risk Management Program Development
05.a Management Commitment to Information Security
12.a Including Information Security in the Business Continuity Management Process
05.c Allocation of Information Security Responsibilities
05.d Authorization Process for Information Assets and Facilities
03.a Risk Management Program Development
11.a Reporting Information Security Events
00.a Information Security Management Program
02.d Management Responsibilities
05.a Management Commitment to Information Security
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
02.d Management Responsibilities
05.g Contact with Special Interest Groups
06.a Identification of Applicable Legislation
02.a Roles and Responsibilities
02.b Screening
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
02.a Roles and Responsibilities
02.b Screening
02.b Screening
01.e Review of User Access Rights
02.g Termination or Change Responsibilities
02.h Return of Assets
02.i Removal of Access Rights
02.i Removal of Access Rights
01.e Review of User Access Rights
02.g Termination or Change Responsibilities
02.h Return of Assets
02.i Removal of Access Rights
02.c Terms and Conditions of Employment
05.e Confidentiality Agreements
06.e Prevention of Misuse of Information Assets
09.s Information Exchange Policies and Procedures
02.d Management Responsibilities
05.k Addressing Security in Third Party Agreements
02.f Disciplinary Process
06.e Prevention of Misuse of Information Assets
03.a Risk Management Program Development
NIST SP 800-53 R4 RA-1
NIST SP 800-53 R4 RA-2
NIST SP 800-53 R4 RA-3
NIST SP 800-53 R4 RA-5
NIST SP 800-53 R4 RA-5(1)
NIST SP 800-53 R4 RA-5(2)
NIST SP 800-53 R4 RA-5(4)
NIST SP 800-53 R4 SA-1
NIST SP 800-53 R4 SA-2
NIST SP 800-53 R4 SA-3
NIST SP 800-53 R4 SA-4
NIST SP 800-53 R4 SA-4(1)
NIST SP 800-53 R4 SA-4(2)
NIST SP 800-53 R4 SA-4(9)
NIST SP 800-53 R4 SA-5
NIST SP 800-53 R4 SA-8
NIST SP 800-53 R4 SA-9
NIST SP 800-53 R4 SA-9(2)
NIST SP 800-53 R4 SA-10
NIST SP 800-53 R4 SA-11
NIST SP 800-53 R4 SA-13
NIST SP 800-53 R4 SA-15
NIST SP 800-53 R4 SA-15(9)
NIST SP 800-53 R4 SA-16
NIST SP 800-53 R4 SA-17
NIST SP 800-53 R4 SA-22
© 2019 HITRUST. All rights reserved.
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
01.w Sensitive System Isolation
06.c Protection of Organizational Records
07.d Classification Guidelines
03.a Risk Management Program Development
03.b Performing Risk Assessments
03.d Risk Evaluation
05.d Authorization Process for Information Assets and Facilities
12.b Business Continuity and Risk Assessment
06.g Compliance with Security Policies and Standards
06.h Technical Compliance Checking
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
10.l Outsourced Software Development
05.b Information Security Coordination
05.c Allocation of Information Security Responsibilities
10.a Security Requirements Analysis and Specification
09.i System Acceptance
10.a Security Requirements Analysis and Specification
10.a Security Requirements Analysis and Specification
10.a Security Requirements Analysis and Specification
10.a Security Requirements Analysis and Specification
09.r Security of System Documentation
10.a Security Requirements Analysis and Specification
05.k Addressing Security in Third Party Agreements
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.g Managing Changes to Third Party Services
09.n Security of Network Services
09.n Security of Network Services
10.a Security Requirements Analysis and Specification
09.d Separation of Development, Test, and Operational Environments
09.i System Acceptance
10.k Change Control Procedures
09.i System Acceptance
10.l Outsourced Software Development
10.l Outsourced Software Development
10.a Security Requirements Analysis and Specification
10.l Outsourced Software Development
10.i Protection of System Test Data
02.e Information Security Awareness, Education, and Training
10.a Security Requirements Analysis and Specification
10.h Control of Operational Software
NIST SP 800-53 R4 SC-1
NIST SP 800-53 R4 SC-2
NIST SP 800-53 R4 SC-3
NIST SP 800-53 R4 SC-4
NIST SP 800-53 R4 SC-5
NIST SP 800-53 R4 SC-5(2)
NIST SP 800-53 R4 SC-7
NIST SP 800-53 R4 SC-7(3)
NIST SP 800-53 R4 SC-7(4)
NIST SP 800-53 R4 SC-7(5)
NIST SP 800-53 R4 SC-7(7)
NIST SP 800-53 R4 SC-7(8)
NIST SP 800-53 R4 SC-7(18)
NIST SP 800-53 R4 SC-8
NIST SP 800-53 R4 SC-8(1)
NIST SP 800-53 R4 SC-8(2)
NIST SP 800-53 R4 SC-10
NIST SP 800-53 R4 SC-12
NIST SP 800-53 R4 SC-12(1)
NIST SP 800-53 R4 SC-13
NIST SP 800-53 R4 SC-15
© 2019 HITRUST. All rights reserved.
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
09.s Information Exchange Policies and Procedures
10.f Policy on the Use of Cryptographic Controls
01.s Use of System Utilities
09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
09.y On-line Transactions
09.k Controls Against Mobile Code
01.w Sensitive System Isolation
09.h Capacity Management
09.z Publicly Available Information
10.a Security Requirements Analysis and Specification
09.z Publicly Available Information
01.m Segregation in Networks
01.n Network Connection Control
01.o Network Routing Control
09.m Network Controls
09.z Publicly Available Information
01.n Network Connection Control
01.n Network Connection Control
01.n Network Connection Control
09.m Network Controls
01.n Network Connection Control
01.n Network Connection Control
09.m Network Controls
01.n Network Connection Control
09.m Network Controls
09.s Information Exchange Policies and Procedures
09.v Electronic Messaging
09.x Electronic Commerce Services
09.y On-line Transactions
10.d Message Integrity
05.i Identification of Risks Related to External Parties
09.m Network Controls
09.v Electronic Messaging
09.x Electronic Commerce Services
09.m Network Controls
09.v Electronic Messaging
01.g Unattended User Equipment
01.t Session Time-out
10.g Key Management
06.d Data Protection and Privacy of Covered Information
10.g Key Management
06.f Regulation of Cryptographic Controls
09.x Electronic Commerce Services
09.y On-line Transactions
10.f Policy on the Use of Cryptographic Controls
01.v Information Access Restriction
09.s Information Exchange Policies and Procedures
NIST SP 800-53 R4 SC-15(1)
NIST SP 800-53 R4 SC-17
NIST SP 800-53 R4 SC-18
NIST SP 800-53 R4 SC-18(3)
NIST SP 800-53 R4 SC-19
NIST SP 800-53 R4 SC-20
NIST SP 800-53 R4 SC-21
NIST SP 800-53 R4 SC-22
NIST SP 800-53 R4 SC-23
NIST SP 800-53 R4 SC-24
NIST SP 800-53 R4 SC-28
NIST SP 800-53 R4 SC-28(1)
NIST SP 800-53 R4 SC-32
NIST SP 800-53 R4 SC-43
NIST SP 800-53 R4 SE-1
NIST SP 800-53 R4 SE-2
NIST SP 800-53 R4 SI-1
NIST SP 800-53 R4 SI-2
NIST SP 800-53 R4 SI-2(1)
NIST SP 800-53 R4 SI-2(2)
NIST SP 800-53 R4 SI-3
NIST SP 800-53 R4 SI-3(1)
NIST SP 800-53 R4 SI-3(2)
NIST SP 800-53 R4 SI-4
NIST SP 800-53 R4 SI-4(1)
NIST SP 800-53 R4 SI-4(2)
NIST SP 800-53 R4 SI-4(3)
NIST SP 800-53 R4 SI-4(4)
NIST SP 800-53 R4 SI-4(5)
NIST SP 800-53 R4 SI-5
NIST SP 800-53 R4 SI-5 (1)
NIST SP 800-53 R4 SI-6
NIST SP 800-53 R4 SI-6(2)
NIST SP 800-53 R4 SI-7
© 2019 HITRUST. All rights reserved.
09.s Information Exchange Policies and Procedures
10.g Key Management
09.k Controls Against Mobile Code
09.k Controls Against Mobile Code
09.m Network Controls
09.m Network Controls
09.m Network Controls
09.m Network Controls
10.d Message Integrity
08.a Physical Security Perimeter
06.d Data Protection and Privacy of Covered Information
09.l Back-up
09.u Physical Media in Transit
06.d Data Protection and Privacy of Covered Information
01.m Segregation in Networks
01.u Limitation of Connection Time
07.a Inventory of Assets
11.c Responsibilities and Procedures
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
09.a Documented Operations Procedures
10.a Security Requirements Analysis and Specification
10.b Input Data Validation
10.c Control of Internal Processing
10.m Control of Technical Vulnerabilities
11.b Reporting Security Weaknesses
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
09.ab Monitoring System Use
09.j Controls Against Malicious Code
09.k Controls Against Mobile Code
09.j Controls Against Malicious Code
09.j Controls Against Malicious Code
01.x Mobile Computing and Communications
09.m Network Controls
09.ab Monitoring System Use
09.ac Protection of Log Information
11.a Reporting Information Security Events
11.b Reporting Security Weaknesses
09.ab Monitoring System Use
09.ab Monitoring System Use
09.ab Monitoring System Use
09.ab Monitoring System Use
09.ab Monitoring System Use
05.g Contact with Special Interest Groups
10.m Control of Technical Vulnerabilities
11.b Reporting Security Weaknesses
05.g Contact with Special Interest Groups
10.c Control of Internal Processing
10.c Control of Internal Processing
10.c Control of Internal Processing
NIST SP 800-53 R4 SI-7(1)
NIST SP 800-53 R4 SI-7(2)
NIST SP 800-53 R4 SI-7(5)
NIST SP 800-53 R4 SI-7(7)
NIST SP 800-53 R4 SI-8
NIST SP 800-53 R4 SI-8(1)
NIST SP 800-53 R4 SI-8(2)
NIST SP 800-53 R4 SI-10
NIST SP 800-53 R4 SI-11
NIST SP 800-53 R4 SI-12
NIST SP 800-53 R4 SI-15
NIST SP 800-53 R4 SI-16
NIST SP 800-53 R4 TR-1
NIST SP 800-53 R4 TR-1(1)
NIST SP 800-53 R4 TR-2
NIST SP 800-53 R4 TR-2(1)
NIST SP 800-53 R4 TR-3
NIST SP 800-53 R4 UL-1
NIST SP 800-53 R4 UL-2
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
10.c Control of Internal Processing
09.ab Monitoring System Use
10.c Control of Internal Processing
10.c Control of Internal Processing
10.c Control of Internal Processing
09.j Controls Against Malicious Code
09.j Controls Against Malicious Code
09.j Controls Against Malicious Code
10.b Input Data Validation
10.c Control of Internal Processing
09.ae Fault Logging
06.c Protection of Organizational Records
06.d Data Protection and Privacy of Covered Information
09.q Information Handling Procedures
10.e Output Data Validation
09.j Controls Against Malicious Code
13.a Privacy Notice
13.a Privacy Notice
13.a Privacy Notice
13.a Privacy Notice
05.j Addressing Security When Dealing with Customers
13.b Openness and Transparency
13.k Use and Disclosure
13.k Use and Disclosure
13.r Privacy Requirements for Contractors and Processors
 Authoritative Source HITRUST Control Reference
NRS 603A.200.1 08.l Secure Disposal or Re-Use of Equipment
NRS 603A.200.2.b.1 08.l Secure Disposal or Re-Use of Equipment
NRS 603A.200.2.b.2 08.l Secure Disposal or Re-Use of Equipment
NRS 603A.210.1 06.c Protection of Organizational Records
06.d Data Protection and Privacy of Covered Information
NRS 603A.210.2 05.k Addressing Security in Third Party Agreements
NRS 603A.210.3 06.c Protection of Organizational Records
NRS 603A.215.1 01.b User Registration
01.c Privilege Management
01.d User Password Management
01.f Password Use
01.j User Authentication for External Connections
01.m Segregation in Networks
01.n Network Connection Control
01.o Network Routing Control
01.p Secure Log-on Procedures
01.q User Identification and Authentication
01.r Password Management System
01.s Use of System Utilities
01.t Session Time-out
01.v Information Access Restriction
01.x Mobile Computing and Communications
02.a Roles and Responsibilities
02.b Screening
02.c Terms and Conditions of Employment
02.d Management Responsibilities
02.e Information Security Awareness, Education, and Training
02.i Removal of Access Rights
03.b Performing Risk Assessments
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
05.b Information Security Coordination
05.c Allocation of Information Security Responsibilities
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
06.c Protection of Organizational Records
06.d Data Protection and Privacy of Covered Information
06.e Prevention of Misuse of Information Assets
07.a Inventory of Assets
07.b Ownership of Assets
07.c Acceptable Use of Assets
07.e Information Labeling and Handling
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
08.g Equipment Siting and Protection
08.i Cabling Security
© 2019 HITRUST. All rights reserved.
 08.k Security of Equipment Off-Premises
09.a Documented Operations Procedures
09.c Segregation of Duties
09.d Separation of Development, Test, and Operational Environments
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.j Controls Against Malicious Code
09.l Back-up
09.m Network Controls
09.o Management of Removable Media
09.p Disposal of Media
09.q Information Handling Procedures
09.s Information Exchange Policies and Procedures
09.u Physical Media in Transit
09.w Interconnected Business Information Systems
09.aa Audit Logging
09.ab Monitoring System Use
09.ac Protection of Log Information
09.ad Administrator and Operator Logs
09.af Clock Synchronization
10.a Security Requirements Analysis and Specification
10.b Input Data Validation
10.c Control of Internal Processing
10.g Key Management
10.k Change Control Procedures
10.m Control of Technical Vulnerabilities
11.a Reporting Information Security Events
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures
11.d Learning from Information Security Incidents
11.e Collection of Evidence
NRS 603A.215.2 11.a Reporting Information Security Events
NRS 603A.215.2.a 09.s Information Exchange Policies and Procedures
09.u Physical Media in Transit
09.v Electronic Messaging
10.f Policy on the Use of Cryptographic Controls
NRS 603A.215.2.b 09.u Physical Media in Transit
NRS 603A.220.4.a 11.c Responsibilities and Procedures
NRS 603A.220.4.b 11.c Responsibilities and Procedures
NRS 603A.220.4.c.1 11.c Responsibilities and Procedures
NRS 603A.220.4.c.2 11.c Responsibilities and Procedures
NRS 603A.220.6 11.c Responsibilities and Procedures

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

 Authoritative Source
OCR Audit Protocol (2016) 164.308(a)(1)(ii)(C)
OCR Audit Protocol (2016) 164.308(a)(1)(ii)(D)
OCR Audit Protocol (2016) 164.308(a)(3)(ii)(A)
OCR Audit Protocol (2016) 164.308(a)(5)(ii)(C)
OCR Audit Protocol (2016) 164.310(a)(2)(iv)
OCR Audit Protocol (2016) 164.310(d)(2)(iv)
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
02.f Disciplinary Process
09.ab Monitoring System Use
01.b User Registration
09.aa Audit Logging
08.a Physical Security Perimeter
09.l Back-up
 Authoritative Source
OCR Guidance for Unsecured PHI (1)
OCR Guidance for Unsecured PHI (1)(i)
OCR Guidance for Unsecured PHI (1)(ii)
OCR Guidance for Unsecured PHI (2)(i)
OCR Guidance for Unsecured PHI (2)(ii)
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
10.f Policy on the Use of Cryptographic Controls
06.d Data Protection and Privacy of Covered Information
09.o Management of Removable Media
06.d Data Protection and Privacy of Covered Information
09.s Information Exchange Policies and Procedures
10.d Message Integrity
08.l Secure Disposal or Re-Use of Equipment
09.p Disposal of Media
08.l Secure Disposal or Re-Use of Equipment
09.p Disposal of Media
 Authoritative Source HITRUST Control Reference
OECD Part 2 7 13.i Collection Limitation
OECD Part 2 8 13.m Accuracy and Quality
OECD Part 2 10 13.k Use and Disclosure
OECD Part 3 15(ii) 13.p Governance

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

 Authoritative Source
PCI DSS v3.2.1 1.1
PCI DSS v3.2.1 1.1.1
PCI DSS v3.2.1 1.1.2
PCI DSS v3.2.1 1.1.3
PCI DSS v3.2.1 1.1.4
PCI DSS v3.2.1 1.1.6
PCI DSS v3.2.1 1.1.7
PCI DSS v3.2.1 1.2
PCI DSS v3.2.1 1.2.1
PCI DSS v3.2.1 1.2.2
PCI DSS v3.2.1 1.2.3
PCI DSS v3.2.1 1.3
PCI DSS v3.2.1 1.3.1
PCI DSS v3.2.1 1.3.2
PCI DSS v3.2.1 1.3.3
PCI DSS v3.2.1 1.3.4
PCI DSS v3.2.1 1.3.5
PCI DSS v3.2.1 1.3.6
PCI DSS v3.2.1 1.3.7
PCI DSS v3.2.1 1.3.8
PCI DSS v3.2.1 1.4
PCI DSS v3.2.1 1.5
PCI DSS v3.2.1 10.2
PCI DSS v3.2.1 10.2.1
PCI DSS v3.2.1 10.2.2
PCI DSS v3.2.1 10.2.3
PCI DSS v3.2.1 10.2.4
PCI DSS v3.2.1 10.2.7
PCI DSS v3.2.1 10.3.1
PCI DSS v3.2.1 10.3.2
PCI DSS v3.2.1 10.3.3
PCI DSS v3.2.1 10.3.4
PCI DSS v3.2.1 10.3.5
PCI DSS v3.2.1 10.3.6
PCI DSS v3.2.1 10.3.7
PCI DSS v3.2.1 10.4
PCI DSS v3.2.1 10.4.1
PCI DSS v3.2.1 10.4.2
PCI DSS v3.2.1 10.4.3
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
01.m Segregation in Networks
09.m Network Controls
09.m Network Controls
09.m Network Controls
09.m Network Controls
01.m Segregation in Networks
09.m Network Controls
09.m Network Controls
09.m Network Controls
01.m Segregation in Networks
01.o Network Routing Control
09.m Network Controls
09.w Interconnected Business Information Systems
01.n Network Connection Control
01.o Network Routing Control
09.m Network Controls
09.m Network Controls
09.m Network Controls
09.m Network Controls
09.m Network Controls
09.m Network Controls
09.m Network Controls
09.m Network Controls
09.m Network Controls
09.m Network Controls
09.m Network Controls
01.x Mobile Computing and Communications
04.a Information Security Policy Document
09.a Documented Operations Procedures
09.aa Audit Logging
09.aa Audit Logging
09.aa Audit Logging
09.ad Administrator and Operator Logs
09.ac Protection of Log Information
09.aa Audit Logging
09.aa Audit Logging
09.aa Audit Logging
09.aa Audit Logging
09.aa Audit Logging
09.aa Audit Logging
09.aa Audit Logging
09.aa Audit Logging
09.aa Audit Logging
09.af Clock Synchronization
09.af Clock Synchronization
09.af Clock Synchronization
09.af Clock Synchronization
 PCI DSS v3.2.1 10.5
PCI DSS v3.2.1 10.5
PCI DSS v3.2.1 10.5.4
PCI DSS v3.2.1 10.5.5
PCI DSS v3.2.1 10.6
PCI DSS v3.2.1 10.6.1
PCI DSS v3.2.1 10.6.3
PCI DSS v3.2.1 10.7
PCI DSS v3.2.1 10.8
PCI DSS v3.2.1 10.8.1
PCI DSS v3.2.1 10.9
PCI DSS v3.2.1 11.1
PCI DSS v3.2.1 11.1.1
PCI DSS v3.2.1 11.1.2
PCI DSS v3.2.1 11.2
PCI DSS v3.2.1 11.2.1
PCI DSS v3.2.1 11.2.2
PCI DSS v3.2.1 11.2.3
PCI DSS v3.2.1 11.3
PCI DSS v3.2.1 11.3.1
PCI DSS v3.2.1 11.3.2
PCI DSS v3.2.1 11.3.3
PCI DSS v3.2.1 11.3.4
PCI DSS v3.2.1 11.3.4.1
PCI DSS v3.2.1 11.4
PCI DSS v3.2.1 11.5
PCI DSS v3.2.1 11.6
PCI DSS v3.2.1 12.1.1
PCI DSS v3.2.1 12.10
PCI DSS v3.2.1 12.10.1
PCI DSS v3.2.1 12.10.2
PCI DSS v3.2.1 12.10.3
PCI DSS v3.2.1 12.10.4
PCI DSS v3.2.1 12.10.5
PCI DSS v3.2.1 12.10.6
PCI DSS v3.2.1 12.11
PCI DSS v3.2.1 12.11.1
PCI DSS v3.2.1 12.2
PCI DSS v3.2.1 12.3
© 2019 HITRUST. All rights reserved.
09.aa Audit Logging
09.ac Protection of Log Information
09.ac Protection of Log Information
09.ac Protection of Log Information
09.ab Monitoring System Use
09.ab Monitoring System Use
09.ab Monitoring System Use
09.aa Audit Logging
09.ab Monitoring System Use
09.ab Monitoring System Use
04.a Information Security Policy Document
09.a Documented Operations Procedures
09.m Network Controls
07.a Inventory of Assets
11.c Responsibilities and Procedures
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
09.m Network Controls
09.ab Monitoring System Use
09.ac Protection of Log Information
04.a Information Security Policy Document
09.a Documented Operations Procedures
04.b Review of the Information Security Policy
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
11.a Reporting Information Security Events
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures
11.a Reporting Information Security Events
11.d Learning from Information Security Incidents
06.g Compliance with Security Policies and Standards
06.g Compliance with Security Policies and Standards
03.b Performing Risk Assessments
02.d Management Responsibilities
04.a Information Security Policy Document
07.c Acceptable Use of Assets
09.a Documented Operations Procedures
 PCI DSS v3.2.1 12.3.1
PCI DSS v3.2.1 12.3.2
PCI DSS v3.2.1 12.3.3
PCI DSS v3.2.1 12.3.4
PCI DSS v3.2.1 12.3.5
PCI DSS v3.2.1 12.3.8
PCI DSS v3.2.1 12.3.9
PCI DSS v3.2.1 12.3.10
PCI DSS v3.2.1 12.4
PCI DSS v3.2.1 12.4.1
PCI DSS v3.2.1 12.5
PCI DSS v3.2.1 12.5.1
PCI DSS v3.2.1 12.5.2
PCI DSS v3.2.1 12.5.3
PCI DSS v3.2.1 12.5.4
PCI DSS v3.2.1 12.5.5
PCI DSS v3.2.1 12.6
PCI DSS v3.2.1 12.6.1
PCI DSS v3.2.1 12.6.2
PCI DSS v3.2.1 12.7
PCI DSS v3.2.1 12.8
PCI DSS v3.2.1 12.8.1
PCI DSS v3.2.1 12.8.2
PCI DSS v3.2.1 12.8.3
PCI DSS v3.2.1 12.8.4
PCI DSS v3.2.1 12.8.5
PCI DSS v3.2.1 12.9
PCI DSS v3.2.1 2.1
PCI DSS v3.2.1 2.1.1
PCI DSS v3.2.1 2.2
PCI DSS v3.2.1 2.2.2
PCI DSS v3.2.1 2.2.3
PCI DSS v3.2.1 2.2.4
PCI DSS v3.2.1 2.2.5
PCI DSS v3.2.1 2.3
PCI DSS v3.2.1 2.4
PCI DSS v3.2.1 2.5
PCI DSS v3.2.1 2.6
© 2019 HITRUST. All rights reserved.
06.e Prevention of Misuse of Information Assets
01.q User Identification and Authentication
07.a Inventory of Assets
07.b Ownership of Assets
02.d Management Responsibilities
07.c Acceptable Use of Assets
01.t Session Time-out
01.j User Authentication for External Connections
01.v Information Access Restriction
02.c Terms and Conditions of Employment
05.c Allocation of Information Security Responsibilities
02.a Roles and Responsibilities
05.a Management Commitment to Information Security
05.a Management Commitment to Information Security
05.c Allocation of Information Security Responsibilities
05.a Management Commitment to Information Security
05.c Allocation of Information Security Responsibilities
05.b Information Security Coordination
05.c Allocation of Information Security Responsibilities
05.c Allocation of Information Security Responsibilities
05.c Allocation of Information Security Responsibilities
05.c Allocation of Information Security Responsibilities
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
02.e Information Security Awareness, Education, and Training
02.b Screening
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
09.e Service Delivery
05.k Addressing Security in Third Party Agreements
05.i Identification of Risks Related to External Parties
09.f Monitoring and Review of Third Party Services
05.k Addressing Security in Third Party Agreements
05.k Addressing Security in Third Party Agreements
01.d User Password Management
01.r Password Management System
09.m Network Controls
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.h Control of Operational Software
01.s Use of System Utilities
09.s Information Exchange Policies and Procedures
07.a Inventory of Assets
04.a Information Security Policy Document
09.a Documented Operations Procedures
05.i Identification of Risks Related to External Parties
05.k Addressing Security in Third Party Agreements
 PCI DSS v3.2.1 2.6
PCI DSS v3.2.1 3.1
PCI DSS v3.2.1 3.2
PCI DSS v3.2.1 3.2.1
PCI DSS v3.2.1 3.2.2
PCI DSS v3.2.1 3.2.3
PCI DSS v3.2.1 3.3
PCI DSS v3.2.1 3.4
PCI DSS v3.2.1 3.4.1
PCI DSS v3.2.1 3.5
PCI DSS v3.2.1 3.5.1
PCI DSS v3.2.1 3.5.2
PCI DSS v3.2.1 3.5.3
PCI DSS v3.2.1 3.5.4
PCI DSS v3.2.1 3.5.8
PCI DSS v3.2.1 3.6
PCI DSS v3.2.1 3.6.1
PCI DSS v3.2.1 3.6.2
PCI DSS v3.2.1 3.6.3
PCI DSS v3.2.1 3.6.4
PCI DSS v3.2.1 3.6.5
PCI DSS v3.2.1 3.6.7
PCI DSS v3.2.1 3.7
PCI DSS v3.2.1 4.1
PCI DSS v3.2.1 4.1.1
PCI DSS v3.2.1 4.2
PCI DSS v3.2.1 4.3
PCI DSS v3.2.1 5.1
PCI DSS v3.2.1 5.1.1
PCI DSS v3.2.1 5.1.2
PCI DSS v3.2.1 5.2
PCI DSS v3.2.1 5.3
PCI DSS v3.2.1 5.4
PCI DSS v3.2.1 6.1
PCI DSS v3.2.1 6.2
PCI DSS v3.2.1 6.3
PCI DSS v3.2.1 6.3.1
PCI DSS v3.2.1 6.3.2
PCI DSS v3.2.1 6.4
PCI DSS v3.2.1 6.4.1
PCI DSS v3.2.1 6.4.2
© 2019 HITRUST. All rights reserved.
09.e Service Delivery
09.f Monitoring and Review of Third Party Services
06.c Protection of Organizational Records
06.d Data Protection and Privacy of Covered Information
09.q Information Handling Procedures
09.q Information Handling Procedures
09.q Information Handling Procedures
09.q Information Handling Procedures
09.q Information Handling Procedures
06.d Data Protection and Privacy of Covered Information
06.d Data Protection and Privacy of Covered Information
10.g Key Management
10.f Policy on the Use of Cryptographic Controls
10.g Key Management
10.g Key Management
10.g Key Management
10.g Key Management
10.g Key Management
10.g Key Management
10.g Key Management
10.g Key Management
10.g Key Management
10.g Key Management
10.g Key Management
04.a Information Security Policy Document
09.a Documented Operations Procedures
09.s Information Exchange Policies and Procedures
09.m Network Controls
09.s Information Exchange Policies and Procedures
09.v Electronic Messaging
04.a Information Security Policy Document
09.a Documented Operations Procedures
09.j Controls Against Malicious Code
09.j Controls Against Malicious Code
09.j Controls Against Malicious Code
09.j Controls Against Malicious Code
09.j Controls Against Malicious Code
04.a Information Security Policy Document
09.a Documented Operations Procedures
10.m Control of Technical Vulnerabilities
10.m Control of Technical Vulnerabilities
10.a Security Requirements Analysis and Specification
09.d Separation of Development, Test, and Operational Environments
09.d Separation of Development, Test, and Operational Environments
10.i Protection of System Test Data
10.k Change Control Procedures
09.d Separation of Development, Test, and Operational Environments
09.c Segregation of Duties
 PCI DSS v3.2.1 6.4.3
PCI DSS v3.2.1 6.4.4
PCI DSS v3.2.1 6.4.5
PCI DSS v3.2.1 6.4.6
PCI DSS v3.2.1 6.5
PCI DSS v3.2.1 6.5.1
PCI DSS v3.2.1 6.5.2
PCI DSS v3.2.1 6.5.3
PCI DSS v3.2.1 6.5.4
PCI DSS v3.2.1 6.5.5
PCI DSS v3.2.1 6.5.6
PCI DSS v3.2.1 6.5.7
PCI DSS v3.2.1 6.5.8
PCI DSS v3.2.1 6.5.9
PCI DSS v3.2.1 6.5.10
PCI DSS v3.2.1 6.6
PCI DSS v3.2.1 6.7
PCI DSS v3.2.1 7.1
PCI DSS v3.2.1 7.1.1
PCI DSS v3.2.1 7.1.2
PCI DSS v3.2.1 7.1.3
PCI DSS v3.2.1 7.1.4
PCI DSS v3.2.1 7.2
PCI DSS v3.2.1 7.2.1
PCI DSS v3.2.1 7.2.2
PCI DSS v3.2.1 7.2.3
PCI DSS v3.2.1 7.3
PCI DSS v3.2.1 8.1
PCI DSS v3.2.1 8.1.1
PCI DSS v3.2.1 8.1.2
PCI DSS v3.2.1 8.1.3
PCI DSS v3.2.1 8.1.4
PCI DSS v3.2.1 8.1.5
PCI DSS v3.2.1 8.1.6
PCI DSS v3.2.1 8.1.7
PCI DSS v3.2.1 8.1.8
PCI DSS v3.2.1 8.2
PCI DSS v3.2.1 8.2.1
PCI DSS v3.2.1 8.2.2
PCI DSS v3.2.1 8.2.3
© 2019 HITRUST. All rights reserved.
09.d Separation of Development, Test, and Operational Environments
09.d Separation of Development, Test, and Operational Environments
10.m Control of Technical Vulnerabilities
10.k Change Control Procedures
02.e Information Security Awareness, Education, and Training
10.b Input Data Validation
10.b Input Data Validation
10.b Input Data Validation
10.b Input Data Validation
10.b Input Data Validation
10.b Input Data Validation
10.b Input Data Validation
10.b Input Data Validation
10.b Input Data Validation
10.b Input Data Validation
10.b Input Data Validation
10.b Input Data Validation
10.c Control of Internal Processing
04.a Information Security Policy Document
09.a Documented Operations Procedures
01.c Privilege Management
01.c Privilege Management
01.c Privilege Management
01.c Privilege Management
01.c Privilege Management
01.c Privilege Management
01.c Privilege Management
01.c Privilege Management
01.c Privilege Management
04.a Information Security Policy Document
09.a Documented Operations Procedures
01.q User Identification and Authentication
01.q User Identification and Authentication
01.b User Registration
01.b User Registration
02.i Removal of Access Rights
01.b User Registration
01.j User Authentication for External Connections
01.p Secure Log-on Procedures
01.p Secure Log-on Procedures
01.t Session Time-out
01.b User Registration
01.d User Password Management
01.r Password Management System
01.d User Password Management
01.q User Identification and Authentication
10.g Key Management
01.d User Password Management
 PCI DSS v3.2.1 8.2.4
PCI DSS v3.2.1 8.2.5
PCI DSS v3.2.1 8.2.6
PCI DSS v3.2.1 8.3.2
PCI DSS v3.2.1 8.4
PCI DSS v3.2.1 8.5
PCI DSS v3.2.1 8.5.1
PCI DSS v3.2.1 8.6
PCI DSS v3.2.1 8.7
PCI DSS v3.2.1 8.8
PCI DSS v3.2.1 9.1
PCI DSS v3.2.1 9.1.1
PCI DSS v3.2.1 9.1.2
PCI DSS v3.2.1 9.1.3
PCI DSS v3.2.1 9.2
PCI DSS v3.2.1 9.3
PCI DSS v3.2.1 9.4
PCI DSS v3.2.1 9.4.1
PCI DSS v3.2.1 9.4.2
PCI DSS v3.2.1 9.4.3
PCI DSS v3.2.1 9.4.4
PCI DSS v3.2.1 9.5
PCI DSS v3.2.1 9.5.1
PCI DSS v3.2.1 9.6
PCI DSS v3.2.1 9.6.1
PCI DSS v3.2.1 9.6.2
PCI DSS v3.2.1 9.6.3
PCI DSS v3.2.1 9.7
PCI DSS v3.2.1 9.7.1
PCI DSS v3.2.1 9.8
PCI DSS v3.2.1 9.8.1
PCI DSS v3.2.1 9.8.2
PCI DSS v3.2.1 9.9
PCI DSS v3.2.1 9.9.1
PCI DSS v3.2.1 9.9.2
© 2019 HITRUST. All rights reserved.
01.d User Password Management
01.d User Password Management
01.f Password Use
01.d User Password Management
01.f Password Use
01.j User Authentication for External Connections
01.q User Identification and Authentication
01.f Password Use
01.b User Registration
01.q User Identification and Authentication
01.q User Identification and Authentication
01.q User Identification and Authentication
01.v Information Access Restriction
04.a Information Security Policy Document
09.a Documented Operations Procedures
08.a Physical Security Perimeter
08.b Physical Entry Controls
08.c Securing Offices, Rooms, and Facilities
08.i Cabling Security
08.g Equipment Siting and Protection
09.m Network Controls
08.b Physical Entry Controls
08.b Physical Entry Controls
08.b Physical Entry Controls
08.b Physical Entry Controls
08.b Physical Entry Controls
08.b Physical Entry Controls
08.b Physical Entry Controls
01.x Mobile Computing and Communications
09.q Information Handling Procedures
09.u Physical Media in Transit
09.l Back-up
09.q Information Handling Procedures
09.u Physical Media in Transit
07.e Information Labeling and Handling
09.u Physical Media in Transit
09.o Management of Removable Media
09.q Information Handling Procedures
09.q Information Handling Procedures
07.a Inventory of Assets
09.p Disposal of Media
08.l Secure Disposal or Re-Use of Equipment
08.l Secure Disposal or Re-Use of Equipment
02.e Information Security Awareness, Education, and Training
07.a Inventory of Assets
08.g Equipment Siting and Protection
07.a Inventory of Assets
08.g Equipment Siting and Protection
 PCI DSS v3.2.1 9.9.3
PCI DSS v3.2.1 9.10
PCI DSS v3.2.1 A1.1
PCI DSS v3.2.1 A1.3
PCI DSS v3.2.1 A1.4
02.e Information Security Awareness, Education, and Training
04.a Information Security Policy Document
09.a Documented Operations Procedures
01.c Privilege Management
09.aa Audit Logging
11.e Collection of Evidence

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

 Authoritative Source HITRUST Control Reference
PDPA 11(3) 13.p Governance
PDPA 11(5) 13.b Openness and Transparency
PDPA 12(b) 13.o Compliant Management
PDPA 13 13.d Consent
PDPA 14(1) 13.h Purpose Specification
PDPA 15 13.d Consent
PDPA 16 13.e Choice
PDPA 17 13.d Consent
PDPA 18 13.i Collection Limitation
PDPA 20 13.b Openness and Transparency
PDPA 20(1) 13.h Purpose Specification
PDPA 20(1)(e) 13.b Openness and Transparency
PDPA 21 13.f Principle Access
PDPA 22 13.f Principle Access
PDPA 22(2)(b) 13.n Participation and Redress
PDPA 23 13.m Accuracy and Quality
PDPA 24 13.k Use and Disclosure
PDPA 25 13.l Retention and Disposal
PDPA 26 13.k Use and Disclosure
PDPA 36 13.g Purpose Legitimacy
PDPA 37 13.g Purpose Legitimacy
PDPA 38 13.g Purpose Legitimacy
PDPA 40 13.e Choice
PDPA 42 13.b Openness and Transparency
PDPA 43 13.g Purpose Legitimacy
PDPA 44 13.b Openness and Transparency
13.g Purpose Legitimacy
PDPA 45 13.g Purpose Legitimacy
PDPA 46 13.d Consent
PDPA 47 13.e Choice

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

Authoritative Source
PMI DSP Framework DE-1
PMI DSP Framework DE-2
PMI DSP Framework DE-3
PMI DSP Framework DE-4
PMI DSP Framework DE-5
PMI DSP Framework ID-1
PMI DSP Framework ID-2
PMI DSP Framework ID-3
PMI DSP Framework ID-4
PMI DSP Framework PR.AC-1
PMI DSP Framework PR.AC-2
PMI DSP Framework PR.AC-3
PMI DSP Framework PR.AC-4
PMI DSP Framework PR.AT-1
PMI DSP Framework PR.AT-2
PMI DSP Framework PR.DS-1
PMI DSP Framework PR.DS-2
PMI DSP Framework PR.DS-3
PMI DSP Framework PR.DS-4
PMI DSP Framework PR.DS-5
PMI DSP Framework PR.IP-1
PMI DSP Framework PR.IP-2
PMI DSP Framework RC-1
© 2019 HITRUST. All rights reserved.
HITRUST Control Reference
06.i Information Systems Audit Controls
09.aa Audit Logging
09.aa Audit Logging
09.ab Monitoring System Use
09.ac Protection of Log Information
09.ab Monitoring System Use
05.g Contact with Special Interest Groups
11.a Reporting Information Security Events
11.b Reporting Security Weaknesses
05.a Management Commitment to Information Security
11.c Responsibilities and Procedures
03.a Risk Management Program Development
04.a Information Security Policy Document
04.b Review of the Information Security Policy
05.a Management Commitment to Information Security
03.a Risk Management Program Development
07.d Classification Guidelines
05.a Management Commitment to Information Security
05.h Independent Review of Information Security
05.i Identification of Risks Related to External Parties
01.q User Identification and Authentication
02.b Screening
02.d Management Responsibilities
05.j Addressing Security When Dealing with Customers
01.q User Identification and Authentication
01.q User Identification and Authentication
01.b User Registration
05.j Addressing Security When Dealing with Customers
02.e Information Security Awareness, Education, and Training
01.n Network Connection Control
01.x Mobile Computing and Communications
05.k Addressing Security in Third Party Agreements
06.d Data Protection and Privacy of Covered Information
09.m Network Controls
09.o Management of Removable Media
09.s Information Exchange Policies and Procedures
06.c Protection of Organizational Records
06.d Data Protection and Privacy of Covered Information
10.g Key Management
08.d Protecting Against External and Environmental Threats
05.i Identification of Risks Related to External Parties
09.aa Audit Logging
09.ab Monitoring System Use
10.b Input Data Validation
10.c Control of Internal Processing
10.d Message Integrity
10.a Security Requirements Analysis and Specification
01.y Teleworking
10.m Control of Technical Vulnerabilities
09.l Back-up
11.c Responsibilities and Procedures
12.c Developing and Implementing Continuity Plans Including Information Security
PMI DSP Framework RC-2
PMI DSP Framework RC-3
PMI DSP Framework RS-1
PMI DSP Framework RS-4
© 2019 HITRUST. All rights reserved.
© 2019 HITRUST. All rights reserved.
11.c Responsibilities and Procedures
05.b Information Security Coordination
11.a Reporting Information Security Events
11.d Learning from Information Security Incidents
12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
03.b Performing Risk Assessments
05.e Confidentiality Agreements
05.f Contact with Authorities
05.j Addressing Security When Dealing with Customers
05.k Addressing Security in Third Party Agreements
11.a Reporting Information Security Events
11.c Responsibilities and Procedures
11.c Responsibilities and Procedures
 Authoritative Source HITRUST Control Reference
SCIDSA 33-22-20(C) 00.a Information Security Management Program
SCIDSA 33-99-20(A) 00.a Information Security Management Program
SCIDSA 33-99-20(B) 00.a Information Security Management Program
SCIDSA 33-99-20(C) 03.a Risk Management Program Development
SCIDSA 33-99-20(D) 00.a Information Security Management Program
SCIDSA 33-99-20(E) 00.a Information Security Management Program
11.a Reporting Information Security Events
SCIDSA 33-99-20(G) 00.a Information Security Management Program
SCIDSA 33-99-20(H) 11.a Reporting Information Security Events
SCIDSA 33-99-20(I) 00.a Information Security Management Program
SCIDSA 38-99-30(A) 11.c Responsibilities and Procedures
SCIDSA 38-99-30(B) 11.c Responsibilities and Procedures
SCIDSA 38-99-30(C) 11.c Responsibilities and Procedures
SCIDSA 38-99-30(D) 09.aa Audit Logging
SCIDSA 38-99-40(A) 11.a Reporting Information Security Events
SCIDSA 38-99-40(B) 11.a Reporting Information Security Events
SCIDSA 38-99-40(C) 11.a Reporting Information Security Events

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.

Authoritative Source HITRUST Control Reference
TJC IM.01.01.03, EP 1 12.c Developing and Implementing Continuity Plans Including Information Security
12.d Business Continuity Planning Framework
TJC IM.01.01.03, EP 2 12.c Developing and Implementing Continuity Plans Including Information Security
TJC IM.01.01.03, EP 3 12.c Developing and Implementing Continuity Plans Including Information Security
TJC IM.01.01.03, EP 4 09.l Back-up
12.c Developing and Implementing Continuity Plans Including Information Security
TJC IM.01.01.03, EP 5 12.e Testing, Maintaining and Re-Assessing Business Continuity Plans
TJC IM.02.01.03, EP 1 00.a Information Security Management Program
01.a Access Control Policy
04.a Information Security Policy Document
07.c Acceptable Use of Assets
09.s Information Exchange Policies and Procedures
TJC IM.02.01.03, EP 2 06.d Data Protection and Privacy of Covered Information
10.f Policy on the Use of Cryptographic Controls
TJC IM.02.01.03, EP 3 09.p Disposal of Media
TJC IM.02.01.03, EP 4 08.m Removal of Property
TJC IM.02.01.03, EP 5 01.b User Registration
01.c Privilege Management
01.f Password Use
05.a Management Commitment to Information Security
07.d Classification Guidelines
08.b Physical Entry Controls
08.i Cabling Security
09.s Information Exchange Policies and Procedures
09.u Physical Media in Transit
TJC IM.02.01.03, EP 6 06.c Protection of Organizational Records
10.d Message Integrity
10.g Key Management
TJC IM.02.01.03, EP 7 08.l Secure Disposal or Re-Use of Equipment
TJC IM.02.01.03, EP 8 05.b Information Security Coordination
06.g Compliance with Security Policies and Standards
TJC IM.04.01.01, EP 1 10.b Input Data Validation
10.c Control of Internal Processing
10.e Output Data Validation

© 2019 HITRUST. All rights reserved.

© 2019 HITRUST. All rights reserved.