
HIPAA to Unified Control Map

Use this guide to identify a Unified Control by its corresponding HIPAA framework control.

Written by Drew Salisbury
Updated over a year ago

If you’re used to working with a specific HIPAA framework control, you can use this guide to identify its corresponding Unified Control.

For more information, and to view other framework control maps, visit Unified Controls FAQ.

HIPAA Control

Unified Control

AC-01-HIPAA-S Access Control Policy and Procedures

CTRL-1 Access Control Policy and Procedures

AC-01.01-HIPAA Access Control Policy

CTRL-1 Access Control Policy and Procedures

AC-01.01-HIPAA-S Access Control Policy

CTRL-1 Access Control Policy and Procedures

AC-02-HIPAA-S User Account Management

CTRL-1 Access Control Policy and Procedures

AC-02.02-HIPAA Access Provisioning

CTRL-16 Access Provisioning

AC-02.02-HIPAA-S Access Provisioning

CTRL-16 Access Provisioning

AC-02.03-HIPAA Access Deprovisioning

CTRL-535 Access Termination

AC-02.03-HIPAA-S Access Deprovisioning

CTRL-535 Access Termination

AC-02.04-HIPAA Access Review

CTRL-73 Review of User Privileges

AC-02.04-HIPAA-S Access Review

CTRL-73 Review of User Privileges

AC-03-HIPAA-S Role-based Access Controls (RBAC)

CTRL-23 Role-Based Access Control

AC-03.01-HIPAA Privileged Access

CTRL-9 Privileged User Accounts

AC-03.01-HIPAA-S Privileged Access

CTRL-9 Privileged User Accounts

AC-04-HIPAA-S Information Flow Enforcement

CTRL-814 System Integrity Policy and Procedures

AC-05-HIPAA-S Separation of Duties

CTRL-65 Separation of Duties

AC-06-HIPAA-S Least Privilege Access

CTRL-23 Role-Based Access Control

AC-06(07)-HIPAA-S Review of Access Privileges

CTRL-73 Review of User Privileges

AC-11-HIPAA-S Device Lock and Session Timeouts

CTRL-91 Session Termination

AC-17-HIPAA-S Remote Access

CTRL-110 Remote Access

AC-18-HIPAA-S Wireless Access

CTRL-539 Access Agreements

AC-19-HIPAA-S Access Control for Mobile Devices

CTRL-79 Mobile Device Management

AT-01-HIPAA-S Awareness and Training Policy and Procedures

CTRL-245 Security and Privacy Awareness Training

AT-02-HIPAA-S Security Awareness and Privacy Training

CTRL-245 Security and Privacy Awareness Training

AT-02.01-HIPAA Security Awareness Training Reminders

CTRL-245 Security and Privacy Awareness Training

AT-02.01-HIPAA-S Security Awareness Training Reminders

CTRL-245 Security and Privacy Awareness Training

AT-04-HIPAA-S Training Records

CTRL-245 Security and Privacy Awareness Training

AT-04.01-HIPAA Security Awareness Training

CTRL-245 Security and Privacy Awareness Training

AT-04.01-HIPAA-S Security Awareness Training

CTRL-245 Security and Privacy Awareness Training

AU-01-HIPAA-S Audit and Accountability Policy and Procedures

CTRL-833 Logging and Monitoring

AU-02-HIPAA-S Event Logging in IT Systems

CTRL-833 Logging and Monitoring

AU-03-HIPAA-S Informative Log Content

CTRL-833 Logging and Monitoring

AU-06-HIPAA-S Log Review and Reporting

CTRL-833 Logging and Monitoring

AU-09-HIPAA-S Protection of Audit Information

CTRL-896 Information Management and Retention

AU-11-HIPAA-S Audit Record Retention

CTRL-896 Information Management and Retention

AU-11-HIPAA-S Audit Record Retention

CTRL-833 Logging and Monitoring

AU-11.01-HIPAA Policy Review

CTRL-431 Information Security Policy and Procedures

AU-11.01-HIPAA-S Policy Review

CTRL-431 Information Security Policy and Procedures

CA-01-HIPAA-S Assessment, Authorization, and Monitoring Policy and Procedures

CTRL-174 Penetration Testing

CA-02-HIPAA-S Control Assessments

CTRL-149 Control Assessments

CA-03-HIPAA-S Third-Party Agreements

CTRL-1129 Third-Party Agreements

CA-07-HIPAA-S Continuous Monitoring

CTRL-833 Logging and Monitoring

CA-07-HIPAA-S Continuous Monitoring

CTRL-167 Continuous Monitoring

CA-08-HIPAA-S Penetration Testing

CTRL-174 Penetration Testing

CA-08.01-HIPAA Technical Evaluations

CTRL-174 Penetration Testing

CA-08.01-HIPAA-S Penetration Testing

CTRL-174 Penetration Testing

CA-08.02-HIPAA-S Penetration Testing Remediation

CTRL-174 Penetration Testing

CM-01-HIPAA-S Configuration and Change Management Policy and Procedures

CTRL-262 Change Management and Software Development Policy and Procedures

CM-01.01-HIPAA-S Change Management Policies

CTRL-262 Change Management and Software Development Policy and Procedures

CM-03-HIPAA-S Configuration Change Control

CTRL-190 Change Management and Software Development Life Cycle

CM-05.01-HIPAA-S Segregation of Duties

CTRL-190 Change Management and Software Development Life Cycle

CM-05.02.HIPAA-S Confidentiality Data Policy

CTRL-198 Network Segmentation

CM-06-HIPAA-S System Hardening Through Baseline Configurations

CTRL-208 Configuration Management

CM-08-HIPAA-S Asset Inventory

CTRL-435 System Inventory

CM-08.01-HIPAA Asset Inventory

CTRL-435 System Inventory

CM-08.01-HIPAA-S Asset Inventory

CTRL-435 System Inventory

CM-08.02-HIPAA-S Change Management

CTRL-190 Change Management and Software Development Life Cycle

CM-08.03-HIPAA-S Asset Custody Log

CTRL-435 System Inventory

CP-01-HIPAA-S Contingency Planning Policy and Procedures

CTRL-264 Contingency Plan

CP-02-HIPAA-S Contingency Plan (BCP/DR)

CTRL-264 Contingency Plan

CP-02.02-HIPAA Business Continuity & Disaster Recovery Plan

CTRL-264 Contingency Plan

CP-02.02-HIPAA-S Business Continuity & Disaster Recovery Plan

CTRL-264 Contingency Plan

CP-02.03-HIPAA Data Restoration

CTRL-301 System Backup Test

CP-02.03-HIPAA-S Data Restoration

CTRL-301 System Backup Test

CP-02.04-HIPAA Data Replication

CTRL-306 Redundant Secondary System

CP-02.04-HIPAA-S Data Replication

CTRL-306 Redundant Secondary System

CP-02.05-HIPAA Backups

CTRL-300 System Backup

CP-02.05-HIPAA-S Device Backups

CTRL-300 System Backup

CP-02.06-HIPAA-S Backup Policies

CTRL-300 System Backup

CP-02.07-HIPAA-S Backups

CTRL-300 System Backup

CP-03-HIPAA-S Contingency Training

CTRL-245 Security and Privacy Awareness Training

CP-04-HIPAA-S Contingency Plan (BCP/DR) Testing

CTRL-276 Contingency Plan Testing

CP-09-HIPAA-S Data Backup

CTRL-300 System Backup

IA-01-HIPAA-S Identification and Authentication Policy and Procedures

CTRL-319 Identification and Authentication

IA-02-HIPAA-S Internal Users Identification and Authentication

CTRL-319 Identification and Authentication

IA-02.01-HIPAA Authentication Controls

CTRL-319 Identification and Authentication

IA-02.01-HIPAA-S Authentication Controls

CTRL-319 Identification and Authentication

IA-02.03-HIPAA Multi-Factor Authentication

CTRL-320 Multi-Factor Authentication

IA-02.03-HIPAA-S Multi-Factor Authentication

CTRL-320 Multi-Factor Authentication

IA-02(01)-HIPAA-S Multi-factor Authentication to Privileged Accounts

CTRL-319 Identification and Authentication

IA-02(02)-HIPAA-S Multi-factor Authentication to Non-privileged Accounts

CTRL-319 Identification and Authentication

IA-05-HIPAA-S Password Management

CTRL-349 Password-Based Authentication

IA-05.01-HIPAA Password Configurations

CTRL-349 Password-Based Authentication

IA-05.01-HIPAA-S Password Configurations

CTRL-349 Password-Based Authentication

IA-05.02-HIPAA Automated Logoffs

CTRL-91 Session Termination

IA-05.02-HIPAA-S Automated Logoffs

CTRL-91 Session Termination

IA-08-HIPAA-S External Users Identification and Authentication

CTRL-319 Identification and Authentication

IR-01-HIPAA-S Incident Response Policy and Procedures

CTRL-423 Incident Response Plan

IR-01.01-HIPAA Incident Response Policy

CTRL-423 Incident Response Plan

IR-01.01-HIPAA-S Incident Response Policies

CTRL-423 Incident Response Plan

IR-01.02-HIPAA-S Breach Notification Policy

CTRL-423 Incident Response Plan

IR-03-HIPAA-S Incident Response Testing

CTRL-23 Role-Based Access Control

IR-04-HIPAA-S Incident Handling and Reporting

CTRL-423 Incident Response Plan

IR-05-HIPAA-S Incident Monitoring

CTRL-423 Incident Response Plan

IR-08-HIPAA-S Incident Response Plan

CTRL-423 Incident Response Plan

IR-08.01-HIPAA Security Incidents

CTRL-423 Incident Response Plan

IR-08.01-HIPAA-S Security Incidents

CTRL-423 Incident Response Plan

IR-08.02-HIPAA-S Incident Response Test

CTRL-394 Incident Response Testing

KT-01-HIPAA Key Tool Selection (HR)

CTRL-1134 Key Tools Selection (HR)

KT-01-HIPAA-S Key Tool Selection (HR)

CTRL-1134 Key Tools Selection (HR)

KT-02-HIPAA Key Tool Selection (Technical)

CTRL-1135 Key Tools Selection (Technical)

KT-02-HIPAA-S Key Tool Selection (Technical)

CTRL-1135 Key Tools Selection (Technical)

MA-01-HIPAA-S Maintenance Policy and Procedures

CTRL-468 Maintenance Policy and Procedures

MA-02-HIPAA-S Controlled Maintenance

CTRL-468 Maintenance Policy and Procedures

MP-01-HIPAA-S Media Protection Policy and Procedures

CTRL-498 Media Protection Policy and Procedures

MP-01.01-HIPAA Physical Device Security

CTRL-255 Physical Security Controls

MP-01.01-HIPAA-S Physical Device Security

CTRL-255 Physical Security Controls

MP-02-HIPAA-S Media Access

CTRL-23 Role-Based Access Control

MP-02-HIPAA-S Media Access

CTRL-16 Access Provisioning

MP-05-HIPAA-S Media Transport

CTRL-506 Media Transport

PE-01-HIPAA-S Physical and Environmental Policy and Procedures

CTRL-546 Physical and Environmental Protection Policy and Procedures

PE-01.01-HIPAA Physical Security Measures

CTRL-255 Physical Security Controls

PE-01.01-HIPAA-S Physical Access

CTRL-255 Physical Security Controls

PE-01.02-HIPAA-S Physical Access Visitors

CTRL-255 Physical Security Controls

PE-01.03-HIPAA-S Physical Access Admins

CTRL-9 Privileged User Accounts

PE-01.04-HIPAA-S Physical Access Review

CTRL-73 Review of User Privileges

PE-01.05-HIPAA-S Physical Access Entry

CTRL-255 Physical Security Controls

PE-01.06-HIPAA-S Physical Equipment Maintenance

CTRL-468 Maintenance Policy and Procedures

PE-02-HIPAA-S Physical Access Authorizations

CTRL-551 Physical Access Control

PE-03-HIPAA-S Physical Access Control

CTRL-255 Physical Security Controls

PE-05-HIPAA-S Access to Output Devices

CTRL-551 Physical Access Control

PE-08-HIPAA-S Visitor Access Records

CTRL-255 Physical Security Controls

PL-01-HIPAA-S Planning Policy and Procedures

CTRL-263 Contingency Planning Policy and Procedures

PL-01-HIPAA-S Planning Policy and Procedures

CTRL-266 Capacity Planning

PL-02-HIPAA-S System Security and Privacy Plans

CTRL-431 Information Security Policy and Procedures

PL-04-HIPAA-S Rules of Behavior

CTRL-539 Access Agreements

PM-01-HIPAA-S Information Security Program Management Policy and Procedures

CTRL-431 Information Security Policy and Procedures

PM-01.01-HIPAA HIPAA Security Rule

CTRL-431 Information Security Policy and Procedures

PM-01.01-HIPAA-S HIPAA Security Rule

CTRL-431 Information Security Policy and Procedures

PM-02-HIPAA-S Information Security Program Leadership Role

CTRL-432 Information Security Program Leadership Role

PM-02.01-HIPAA Roles and Responsibilities

CTRL-432 Information Security Program Leadership Role

PM-02.01-HIPAA-S Roles and Responsibilities

CTRL-432 Information Security Program Leadership Role

PM-03.01-HIPAA-S Information Security Policies

CTRL-431 Information Security Policy and Procedures

PM-07-HIPAA-S Network Architecture and Dataflow Diagrams

CTRL-198 Network Segmentation

PM-07.01-HIPAA-S Network Segmentation

CTRL-198 Network Segmentation

PM-09-HIPAA-S Risk Management Program and Strategy

CTRL-646 Risk Assessment

PM-15-02-HIPAA Group Health Plan

CTRL-1129 Third-Party Agreements

PM-15-02-HIPAA-S Group Health Plan

CTRL-1129 Third-Party Agreements

PM-15.01-HIPAA Health Care Clearinghouse

CTRL-1129 Third-Party Agreements

PM-15.01-HIPAA-S Health Care Clearinghouse

CTRL-1129 Third-Party Agreements

PS-01-HIPAA-S Personnel Security Policy and Procedures

CTRL-530 Personnel Screening

PS-02.01-HIPAA-S Job Descriptions

CTRL-545 Position Descriptions

PS-02.02-HIPAA-S Organization Chart

CTRL-545 Position Descriptions

PS-03-HIPAA-S Personnel Screening

CTRL-530 Personnel Screening

PS-03.01-HIPAA Personnel Screening

CTRL-530 Personnel Screening

PS-03.01-HIPAA-S Background Checks

CTRL-530 Personnel Screening

PS-04-HIPAA-S Personnel Termination

CTRL-535 Access Termination

PS-06-HIPAA-S Confidentiality Agreements for Company Personnel

CTRL-539 Access Agreements

PS-06.01-HIPAA Code of Conduct

CTRL-539 Access Agreements

PS-06.01-HIPAA-S Confidentiality Agreements for Company Personnel

CTRL-539 Access Agreements

PS-06.02-HIPAA-S Code of Conduct

CTRL-539 Access Agreements

PS-08-HIPAA-S Personnel Sanctions

CTRL-544 Personnel Sanctions

PS-08.01-HIPAA Personnel Sanctions

CTRL-544 Personnel Sanctions

PS-08.01-HIPAA-S Personnel Sanctions

CTRL-544 Personnel Sanctions

PT-01-HIPAA-S Privacy Policy and Procedures

CTRL-622 Privacy Policy and Procedures

RA-01-HIPAA-S Risk Assessment Policy and Procedures

CTRL-643 Risk Assessment Policy and Procedures

RA-02-HIPAA-S Security Categorization

CTRL-896 Information Management and Retention

RA-03-HIPAA-S Risk Assessment

CTRL-646 Risk Assessment

RA-03.01-HIPAA Risk Assessment

CTRL-646 Risk Assessment

RA-03.01-HIPAA-S Risk Assessment (PHI)

CTRL-646 Risk Assessment

RA-03.02-HIPAA Risk Strategy

CTRL-646 Risk Assessment

RA-03.02-HIPAA-S Risk Strategy

CTRL-646 Risk Assessment

RA-03.03-HIPAA-S Risk Assessment Policy

CTRL-643 Risk Assessment Policy and Procedures

RA-07-HIPAA-S Risk Response and Remediation

CTRL-646 Risk Assessment

SA-01-HIPAA-S System Development Life Cycle (SDLC) Policy and Procedures

CTRL-262 Change Management and Software Development Policy and Procedures

SA-02-HIPAA-S Allocation of Resources

CTRL-266 Capacity Planning

SA-09-HIPAA-S External System Services

CTRL-1109 Supplier Assessments and Reviews

SC-01-HIPAA-S System Protection Policy and Procedures

CTRL-932 System Protection Policy and Procedures

SC-07-HIPAA-S Boundary Protection and Firewalls

CTRL-950 Boundary Protection

SC-07(12)-HIPAA-S Host-based Protection

CTRL-833 Logging and Monitoring

SC-08-HIPAA-S Transmission Confidentiality and Integrity

CTRL-112 Encryption of Data at Rest and in Transit

SC-08.01-HIPAA-S Data Transmission Protocols

CTRL-112 Encryption of Data at Rest and in Transit

SC-08.02-HIPAA Encryption

CTRL-112 Encryption of Data at Rest and in Transit

SC-08.02-HIPAA-S Encryption

CTRL-112 Encryption of Data at Rest and in Transit

SC-08.03-HIPAA Security Groups (SG)

CTRL-950 Boundary Protection

SC-08.03-HIPAA-S Security Groups (SG)

CTRL-950 Boundary Protection

SC-13-HIPAA-S Cryptographic Protection

CTRL-194 Cryptography Management

SC-38-HIPAA-S Operations Security

CTRL-190 Change Management and Software Development Life Cycle

SI-01-HIPAA-S System Integrity Policy and Procedures

CTRL-896 Information Management and Retention

SI-01-HIPAA-S System Integrity Policy and Procedures

CTRL-814 System Integrity Policy and Procedures

SI-01.01-HIPAA-S Vulnerability Management Policies

CTRL-833 Logging and Monitoring

SI-03-HIPAA-S Malware and Endpoint Protection

CTRL-822 Malicious Code Protection

SI-04-HIPAA-S System Monitoring

CTRL-833 Logging and Monitoring

SI-04.01-HIPAA Data Loss Prevention

CTRL-833 Logging and Monitoring

SI-04.01-HIPAA-S Data Loss Prevention

CTRL-833 Logging and Monitoring

SI-04.02-HIPAA Anti-Virus

CTRL-822 Malicious Code Protection

SI-04.02-HIPAA-S Anti-Virus

CTRL-822 Malicious Code Protection

SI-04.03-HIPAA-S Vulnerability Scans

CTRL-652 Vulnerability Management

SI-04.04-HIPAA-S Vulnerability Scan Remediation

CTRL-652 Vulnerability Management

SI-04.05-HIPAA System Monitoring

CTRL-833 Logging and Monitoring

SI-04.05-HIPAA-S System Monitoring

CTRL-833 Logging and Monitoring

SI-12-HIPAA-S Data Handling, Retention, and Disposal

CTRL-896 Information Management and Retention

SI-12.01-HIPAA Data Retention & Disposal Policy

CTRL-899 Information Disposal

SI-12.01-HIPAA-S Customer Data Deletion

CTRL-899 Information Disposal

SI-12.02-HIPAA-S Data Classification Policy

CTRL-896 Information Management and Retention

SI-12.03-HIPAA-S Device Re-Use

CTRL-511 Media Sanitization and Disposal

SI-12.04-HIPAA-S Data Retention & Disposal Policy

CTRL-896 Information Management and Retention

SR-01-HIPAA-S Third-Party Risk Management Policy and Procedures

CTRL-1094 Third-Party Risk Management Policy and Procedures

SR-06-HIPAA-S Third-Party Risk Assessments

CTRL-1109 Supplier Assessments and Reviews

SR-06.01-HIPAA-S Vendor Management

CTRL-1094 Third-Party Risk Management Policy and Procedures

SR-06.02-HIPAA Third-Party Agreements

CTRL-1129 Third-Party Agreements

SR-06.02-HIPAA-S Third-Party Agreements

CTRL-1129 Third-Party Agreements

SR-06.03-HIPAA-S Vendor Assessments

CTRL-1109 Supplier Assessments and Reviews

Viewing Framework Controls in Thoropass

You can view the framework requirements satisfied by a Unified Control by clicking References on the side panel when viewing the Unified Control.

The IDs and names of all framework controls satisfied by the Unified Control are listed by framework. Click a framework control to view its description.
