icdev 1.0.0__py3-none-any.whl

icdev/data/context/compliance/hitrust_csf_v11.json

@@ -0,0 +1,930 @@
+{
+  "metadata": {
+    "title": "HITRUST CSF v11 — Common Security Framework Control Catalog",
+    "source": "HITRUST CSF v11 (2023), NIST SP 800-53 Rev 5, HIPAA Security Rule (45 CFR 164), PCI DSS v4.0, ISO/IEC 27001:2022",
+    "classification": "CUI // SP-CTI",
+    "version": "1.0",
+    "last_updated": "2026-02-18",
+    "description": "HITRUST Common Security Framework v11 control catalog with 14 control categories mapping to NIST 800-53, HIPAA, PCI DSS, and ISO 27001. HITRUST is a certifiable framework that harmonizes healthcare and general security requirements into a single assessment."
+  },
+  "assessment_types": {
+    "e1": {
+      "name": "Essentials, 1-year",
+      "control_count": 44,
+      "description": "Entry-level assessment for lower-risk organizations. Focused on foundational cybersecurity hygiene practices.",
+      "assessment_type": "self_assessment"
+    },
+    "i1": {
+      "name": "Implemented, 1-year",
+      "control_count": 182,
+      "description": "Mid-level assessment validating implementation of leading security practices. Covers NIST Cybersecurity Framework and key HIPAA requirements.",
+      "assessment_type": "validated"
+    },
+    "r2": {
+      "name": "Risk-based, 2-year",
+      "control_count": 500,
+      "description": "Comprehensive risk-based assessment. Full CSF coverage including all regulatory and industry requirements. Required for high-risk environments.",
+      "assessment_type": "validated"
+    }
+  },
+  "categories": [
+    {
+      "code": "0",
+      "name": "Information Security Management Program",
+      "control_count": 5,
+      "description": "Establishment and management of an information security management program aligned with organizational objectives"
+    },
+    {
+      "code": "1",
+      "name": "Access Control",
+      "control_count": 7,
+      "description": "Logical and technical access controls to information systems and data"
+    },
+    {
+      "code": "2",
+      "name": "Human Resources Security",
+      "control_count": 4,
+      "description": "Security controls related to personnel lifecycle including hiring, training, and termination"
+    },
+    {
+      "code": "3",
+      "name": "Risk Management",
+      "control_count": 4,
+      "description": "Identification, assessment, and treatment of information security risks"
+    },
+    {
+      "code": "4",
+      "name": "Security Policy",
+      "control_count": 3,
+      "description": "Development, review, and maintenance of information security policies"
+    },
+    {
+      "code": "5",
+      "name": "Organization of Information Security",
+      "control_count": 4,
+      "description": "Internal organization and management framework for information security"
+    },
+    {
+      "code": "6",
+      "name": "Compliance",
+      "control_count": 4,
+      "description": "Compliance with legal, regulatory, and contractual requirements"
+    },
+    {
+      "code": "7",
+      "name": "Asset Management",
+      "control_count": 3,
+      "description": "Identification, classification, and protection of information assets"
+    },
+    {
+      "code": "8",
+      "name": "Physical and Environmental Security",
+      "control_count": 3,
+      "description": "Physical protection of facilities, equipment, and information assets"
+    },
+    {
+      "code": "9",
+      "name": "Communications and Operations Management",
+      "control_count": 6,
+      "description": "Secure management of communications, networks, and IT operations"
+    },
+    {
+      "code": "10",
+      "name": "Information Systems Acquisition, Development and Maintenance",
+      "control_count": 4,
+      "description": "Security requirements for system acquisition, development, and maintenance activities"
+    },
+    {
+      "code": "11",
+      "name": "Information Security Incident Management",
+      "control_count": 3,
+      "description": "Detection, reporting, and response to information security incidents"
+    },
+    {
+      "code": "12",
+      "name": "Business Continuity Management",
+      "control_count": 3,
+      "description": "Business continuity and disaster recovery planning to ensure resilience"
+    },
+    {
+      "code": "13",
+      "name": "Privacy Practices",
+      "control_count": 5,
+      "description": "Privacy protections for personally identifiable information and protected health information"
+    }
+  ],
+  "requirements": [
+    {
+      "id": "HITRUST-0.a",
+      "title": "Information Security Management Program",
+      "description": "Establish and maintain a formal information security management program (ISMP) that includes the identification of the scope, objectives, policies, and procedures for managing information security risks. The ISMP must be aligned with organizational business objectives and approved by senior management.",
+      "family": "Information Security Management Program",
+      "category_code": "0",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["PM-1", "PL-1", "PL-2"],
+      "hipaa_crosswalk": ["164.308(a)(1)(i)", "164.308(a)(1)(ii)(A)"],
+      "iso_27001_crosswalk": ["A.5.1"],
+      "evidence_required": "ISMP charter, scope documentation, management approval records",
+      "automation_level": "manual"
+    },
+    {
+      "id": "HITRUST-0.b",
+      "title": "Information Security Coordination",
+      "description": "Coordinate information security activities across the organization using defined roles, responsibilities, and communication channels. Establish a cross-functional security governance committee or equivalent body to oversee security strategy and investments.",
+      "family": "Information Security Management Program",
+      "category_code": "0",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["PM-2", "PM-3"],
+      "hipaa_crosswalk": ["164.308(a)(2)"],
+      "iso_27001_crosswalk": ["A.5.2"],
+      "evidence_required": "Governance committee charter, meeting minutes, RACI matrix",
+      "automation_level": "manual"
+    },
+    {
+      "id": "HITRUST-0.c",
+      "title": "Information Security Risk Assessment",
+      "description": "Conduct periodic risk assessments to identify threats, vulnerabilities, and potential impacts to information assets. Risk assessments must be performed at least annually and whenever significant changes occur to the environment, applications, or regulatory landscape.",
+      "family": "Information Security Management Program",
+      "category_code": "0",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["RA-3", "RA-5"],
+      "hipaa_crosswalk": ["164.308(a)(1)(ii)(A)", "164.308(a)(1)(ii)(B)"],
+      "iso_27001_crosswalk": ["A.5.7"],
+      "evidence_required": "Risk assessment report, threat/vulnerability inventory, risk register",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-0.d",
+      "title": "Risk Treatment Plan",
+      "description": "Develop and implement a risk treatment plan that addresses identified risks through mitigation, acceptance, transfer, or avoidance. Track treatment activities to completion and reassess residual risk after treatment.",
+      "family": "Information Security Management Program",
+      "category_code": "0",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["PM-4", "PM-9", "RA-3"],
+      "hipaa_crosswalk": ["164.308(a)(1)(ii)(B)"],
+      "iso_27001_crosswalk": ["A.5.1"],
+      "evidence_required": "Risk treatment plan, residual risk documentation, management approval of risk acceptance",
+      "automation_level": "manual"
+    },
+    {
+      "id": "HITRUST-0.e",
+      "title": "Management Review of Information Security",
+      "description": "Senior management must review the information security program at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. Reviews must consider audit results, incident reports, risk assessments, and corrective action status.",
+      "family": "Information Security Management Program",
+      "category_code": "0",
+      "priority": "P2",
+      "assessment_level": "r2",
+      "nist_800_53_crosswalk": ["PM-1", "CA-7"],
+      "hipaa_crosswalk": ["164.308(a)(8)"],
+      "iso_27001_crosswalk": ["A.5.1", "A.5.36"],
+      "evidence_required": "Management review meeting minutes, review reports, action item tracking",
+      "automation_level": "manual"
+    },
+    {
+      "id": "HITRUST-1.a",
+      "title": "Access Control Policy",
+      "description": "Establish, document, and maintain an access control policy that defines the requirements for granting, modifying, and revoking access to information systems and data based on business and security requirements. The policy must enforce the principles of least privilege and separation of duties.",
+      "family": "Access Control",
+      "category_code": "1",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["AC-1", "AC-2", "AC-3"],
+      "hipaa_crosswalk": ["164.312(a)(1)", "164.308(a)(3)(i)"],
+      "iso_27001_crosswalk": ["A.5.15", "A.8.3"],
+      "evidence_required": "Access control policy, access request/approval records, role definitions",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-1.b",
+      "title": "User Registration and De-registration",
+      "description": "Implement formal user registration and de-registration procedures for granting and revoking access to all information systems and services. Ensure unique user identifiers are assigned and shared accounts are prohibited except where operationally necessary with compensating controls.",
+      "family": "Access Control",
+      "category_code": "1",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["AC-2", "IA-4"],
+      "hipaa_crosswalk": ["164.312(a)(2)(i)", "164.308(a)(3)(ii)(A)"],
+      "iso_27001_crosswalk": ["A.5.16", "A.5.18"],
+      "evidence_required": "User provisioning procedures, account creation/removal logs, unique ID assignment records",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-1.c",
+      "title": "Privilege Management",
+      "description": "Restrict and control the allocation and use of privileged access rights. Privileged accounts must be separately managed, monitored, and subject to enhanced authentication requirements. Privilege escalation must be logged and reviewed.",
+      "family": "Access Control",
+      "category_code": "1",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["AC-6", "AC-6(1)", "AC-6(5)", "AC-6(10)"],
+      "hipaa_crosswalk": ["164.312(a)(1)", "164.308(a)(4)(ii)(B)"],
+      "iso_27001_crosswalk": ["A.8.2"],
+      "evidence_required": "Privileged account inventory, privilege escalation logs, periodic access reviews",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-1.d",
+      "title": "User Authentication Management",
+      "description": "Implement strong authentication mechanisms for all system access including multi-factor authentication for remote access and privileged accounts. Password policies must enforce minimum length, complexity, rotation, and history requirements. Support PKI, tokens, or biometric authentication where appropriate.",
+      "family": "Access Control",
+      "category_code": "1",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["IA-2", "IA-2(1)", "IA-2(2)", "IA-5", "IA-5(1)"],
+      "hipaa_crosswalk": ["164.312(d)", "164.312(a)(2)(iv)"],
+      "iso_27001_crosswalk": ["A.8.5"],
+      "evidence_required": "Authentication policy, MFA configuration evidence, password policy settings",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-1.e",
+      "title": "Access Review",
+      "description": "Conduct periodic reviews of user access rights to ensure access assignments remain appropriate and aligned with current job responsibilities. Reviews must be performed at least quarterly for privileged accounts and semi-annually for standard accounts. Remove or modify access that is no longer required.",
+      "family": "Access Control",
+      "category_code": "1",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["AC-2(3)", "AC-2(4)"],
+      "hipaa_crosswalk": ["164.308(a)(3)(ii)(B)", "164.308(a)(4)(ii)(C)"],
+      "iso_27001_crosswalk": ["A.5.18"],
+      "evidence_required": "Access review schedules, review completion records, remediation evidence",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-1.f",
+      "title": "Session Management",
+      "description": "Implement automatic session lock and termination controls for inactive sessions. Sessions must be locked after a configurable period of inactivity (not to exceed 15 minutes for systems processing sensitive data). Re-authentication must be required to resume locked sessions.",
+      "family": "Access Control",
+      "category_code": "1",
+      "priority": "P2",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["AC-11", "AC-12", "SC-10"],
+      "hipaa_crosswalk": ["164.312(a)(2)(iii)"],
+      "iso_27001_crosswalk": ["A.8.1"],
+      "evidence_required": "Session timeout configuration, automatic lock settings, re-authentication enforcement",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-1.g",
+      "title": "Remote Access Control",
+      "description": "Establish and enforce controls for remote access to information systems including VPN with encryption, multi-factor authentication, and network access control. Monitor and audit all remote access sessions. Limit remote access to only authorized users and approved devices.",
+      "family": "Access Control",
+      "category_code": "1",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["AC-17", "AC-17(1)", "AC-17(2)"],
+      "hipaa_crosswalk": ["164.312(e)(1)", "164.312(a)(1)"],
+      "iso_27001_crosswalk": ["A.8.1", "A.8.5"],
+      "evidence_required": "Remote access policy, VPN configuration, MFA for remote access, remote access logs",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-2.a",
+      "title": "Security Roles and Responsibilities",
+      "description": "Define and communicate information security roles and responsibilities for all employees, contractors, and third-party users. Include security responsibilities in job descriptions and employment agreements. Ensure personnel understand their obligations for protecting organizational information.",
+      "family": "Human Resources Security",
+      "category_code": "2",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["PS-1", "PS-7", "PM-2"],
+      "hipaa_crosswalk": ["164.308(a)(2)", "164.308(a)(3)(i)"],
+      "iso_27001_crosswalk": ["A.5.2", "A.6.2"],
+      "evidence_required": "Job descriptions with security responsibilities, employment agreements, RACI matrix",
+      "automation_level": "manual"
+    },
+    {
+      "id": "HITRUST-2.b",
+      "title": "Security Awareness Training",
+      "description": "Provide security awareness training to all workforce members upon hiring and at least annually thereafter. Training must cover organizational policies, HIPAA requirements, phishing awareness, social engineering, password hygiene, incident reporting, and handling of sensitive data. Track completion and enforce compliance.",
+      "family": "Human Resources Security",
+      "category_code": "2",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["AT-2", "AT-2(2)", "AT-3"],
+      "hipaa_crosswalk": ["164.308(a)(5)(i)", "164.308(a)(5)(ii)(A)"],
+      "iso_27001_crosswalk": ["A.6.3"],
+      "evidence_required": "Training program materials, completion records, annual training schedule, phishing simulation results",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-2.c",
+      "title": "Personnel Screening",
+      "description": "Conduct background verification checks on all candidates for employment, contractors, and third-party users in accordance with relevant laws, regulations, and proportional to the data classification level they will access. Screening must be completed before granting access to systems or data.",
+      "family": "Human Resources Security",
+      "category_code": "2",
+      "priority": "P2",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["PS-3", "PS-3(3)"],
+      "hipaa_crosswalk": ["164.308(a)(3)(ii)(B)"],
+      "iso_27001_crosswalk": ["A.6.1"],
+      "evidence_required": "Background check policy, screening completion records, third-party verification evidence",
+      "automation_level": "manual"
+    },
+    {
+      "id": "HITRUST-2.d",
+      "title": "Termination and Change of Employment",
+      "description": "Implement procedures to ensure timely revocation of access upon termination or change of employment. Access must be disabled within 24 hours of termination. For role changes, conduct access review and modify permissions to match new responsibilities within 5 business days.",
+      "family": "Human Resources Security",
+      "category_code": "2",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["PS-4", "PS-5"],
+      "hipaa_crosswalk": ["164.308(a)(3)(ii)(C)"],
+      "iso_27001_crosswalk": ["A.6.5"],
+      "evidence_required": "Termination procedures, access revocation logs, timeliness metrics, role change access reviews",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-3.a",
+      "title": "Risk Assessment Process",
+      "description": "Establish a formal risk assessment process that identifies threats and vulnerabilities to information assets, determines the likelihood and impact of exploitation, and calculates risk levels. The methodology must be documented, repeatable, and aligned with industry standards such as NIST SP 800-30 or ISO 27005.",
+      "family": "Risk Management",
+      "category_code": "3",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["RA-1", "RA-3"],
+      "hipaa_crosswalk": ["164.308(a)(1)(ii)(A)"],
+      "iso_27001_crosswalk": ["A.5.7"],
+      "evidence_required": "Risk assessment methodology documentation, risk register, assessment schedule",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-3.b",
+      "title": "Vulnerability Management",
+      "description": "Establish a vulnerability management program that includes regular scanning, prioritization, and timely remediation of identified vulnerabilities. Critical vulnerabilities must be remediated within 30 days, high within 60 days. Maintain an exception process for vulnerabilities that cannot be immediately remediated.",
+      "family": "Risk Management",
+      "category_code": "3",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["RA-5", "SI-2", "SI-5"],
+      "hipaa_crosswalk": ["164.308(a)(1)(ii)(A)", "164.308(a)(1)(ii)(B)"],
+      "iso_27001_crosswalk": ["A.8.8"],
+      "evidence_required": "Vulnerability scan reports, remediation tracking, SLA compliance metrics, exception documentation",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-3.c",
+      "title": "Risk Acceptance",
+      "description": "Document and obtain appropriate management approval for accepted risks. Risk acceptance decisions must include a description of the risk, potential impact, compensating controls, and timeframe for re-evaluation. Accepted risks must be reviewed at least annually.",
+      "family": "Risk Management",
+      "category_code": "3",
+      "priority": "P2",
+      "assessment_level": "r2",
+      "nist_800_53_crosswalk": ["PM-9", "CA-5"],
+      "hipaa_crosswalk": ["164.308(a)(1)(ii)(B)"],
+      "iso_27001_crosswalk": ["A.5.1"],
+      "evidence_required": "Risk acceptance forms, management sign-off, annual review records",
+      "automation_level": "manual"
+    },
+    {
+      "id": "HITRUST-3.d",
+      "title": "Third-Party Risk Management",
+      "description": "Assess and manage information security risks associated with third-party service providers and business associates. Conduct due diligence assessments before engagement and periodic reassessments thereafter. Require business associate agreements (BAAs) for entities handling PHI.",
+      "family": "Risk Management",
+      "category_code": "3",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["SA-9", "SR-1", "SR-3"],
+      "hipaa_crosswalk": ["164.308(b)(1)", "164.308(b)(3)", "164.314(a)(1)"],
+      "iso_27001_crosswalk": ["A.5.19", "A.5.20", "A.5.21"],
+      "evidence_required": "Vendor risk assessment questionnaires, BAAs, due diligence reports, periodic review records",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-4.a",
+      "title": "Information Security Policy Document",
+      "description": "Develop, publish, and maintain a comprehensive information security policy approved by management. The policy must address scope, objectives, principles, roles, and compliance requirements. Distribute the policy to all relevant parties and ensure acknowledgment of receipt.",
+      "family": "Security Policy",
+      "category_code": "4",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["PL-1", "PL-2"],
+      "hipaa_crosswalk": ["164.316(a)", "164.316(b)(1)"],
+      "iso_27001_crosswalk": ["A.5.1"],
+      "evidence_required": "Information security policy document, management approval records, distribution acknowledgments",
+      "automation_level": "manual"
+    },
+    {
+      "id": "HITRUST-4.b",
+      "title": "Policy Review and Update",
+      "description": "Review information security policies at planned intervals or when significant changes occur, at minimum annually. Updates must reflect changes in legislation, regulations, threats, technology, and organizational structure. Maintain version control and approval history.",
+      "family": "Security Policy",
+      "category_code": "4",
+      "priority": "P2",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["PL-1", "PM-1"],
+      "hipaa_crosswalk": ["164.316(b)(2)(iii)"],
+      "iso_27001_crosswalk": ["A.5.1"],
+      "evidence_required": "Policy review records, version history, change logs, management re-approval",
+      "automation_level": "manual"
+    },
+    {
+      "id": "HITRUST-4.c",
+      "title": "Acceptable Use Policy",
+      "description": "Define and enforce an acceptable use policy for information assets, systems, and network resources. The policy must address permitted and prohibited activities, personal use, monitoring disclosures, and consequences of non-compliance. Users must acknowledge the policy before obtaining system access.",
+      "family": "Security Policy",
+      "category_code": "4",
+      "priority": "P2",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["PL-4", "AC-20"],
+      "hipaa_crosswalk": ["164.310(b)"],
+      "iso_27001_crosswalk": ["A.5.10"],
+      "evidence_required": "Acceptable use policy, user acknowledgment records, enforcement examples",
+      "automation_level": "manual"
+    },
+    {
+      "id": "HITRUST-5.a",
+      "title": "Internal Organization of Information Security",
+      "description": "Establish a management framework to initiate and control the implementation and operation of information security within the organization. Assign a senior-level individual (CISO or equivalent) as the responsible authority for information security with direct reporting to senior leadership.",
+      "family": "Organization of Information Security",
+      "category_code": "5",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["PM-2", "PM-3"],
+      "hipaa_crosswalk": ["164.308(a)(2)"],
+      "iso_27001_crosswalk": ["A.5.2", "A.5.4"],
+      "evidence_required": "Organizational chart with security function, CISO appointment, reporting structure documentation",
+      "automation_level": "manual"
+    },
+    {
+      "id": "HITRUST-5.b",
+      "title": "Segregation of Duties",
+      "description": "Implement segregation of duties to reduce opportunities for unauthorized or unintentional modification or misuse of organizational assets. Where segregation is not possible, implement compensating controls such as enhanced monitoring, audit trails, and management oversight.",
+      "family": "Organization of Information Security",
+      "category_code": "5",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["AC-5"],
+      "hipaa_crosswalk": ["164.312(a)(1)"],
+      "iso_27001_crosswalk": ["A.5.3"],
+      "evidence_required": "Segregation of duties matrix, compensating control documentation, conflict analysis",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-5.c",
+      "title": "Contact with Authorities",
+      "description": "Maintain procedures for contacting relevant authorities (law enforcement, regulatory bodies, fire departments) in a timely manner. Establish relationships with relevant authorities before incidents occur to facilitate rapid coordination during security events.",
+      "family": "Organization of Information Security",
+      "category_code": "5",
+      "priority": "P3",
+      "assessment_level": "r2",
+      "nist_800_53_crosswalk": ["IR-6", "SI-5"],
+      "hipaa_crosswalk": ["164.308(a)(6)(ii)"],
+      "iso_27001_crosswalk": ["A.5.5"],
+      "evidence_required": "Authority contact list, escalation procedures, relationship documentation",
+      "automation_level": "manual"
+    },
+    {
+      "id": "HITRUST-5.d",
+      "title": "Information Security in Project Management",
+      "description": "Integrate information security requirements into all project management methodologies and system development lifecycle processes. Security must be addressed from project initiation through deployment, including risk assessment, architecture review, and security testing gates.",
+      "family": "Organization of Information Security",
+      "category_code": "5",
+      "priority": "P2",
+      "assessment_level": "r2",
+      "nist_800_53_crosswalk": ["SA-3", "PL-7", "SA-15"],
+      "hipaa_crosswalk": ["164.308(a)(1)(i)"],
+      "iso_27001_crosswalk": ["A.5.8"],
+      "evidence_required": "Project management methodology with security gates, security requirements templates, review records",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-6.a",
+      "title": "Regulatory Compliance Identification",
+      "description": "Identify and document all applicable legislative, regulatory, and contractual requirements relevant to the organization's information security posture. Maintain a compliance register that maps requirements to organizational controls and responsible parties.",
+      "family": "Compliance",
+      "category_code": "6",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["CA-1", "PM-8", "SA-9"],
+      "hipaa_crosswalk": ["164.308(a)(1)(i)", "164.316(a)"],
+      "iso_27001_crosswalk": ["A.5.31"],
+      "evidence_required": "Compliance register, regulatory requirement inventory, mapping to controls",
+      "automation_level": "manual"
+    },
+    {
+      "id": "HITRUST-6.b",
+      "title": "HIPAA Compliance",
+      "description": "Implement all required safeguards under the HIPAA Security Rule (Administrative, Physical, and Technical) and the HIPAA Privacy Rule as applicable. Conduct annual HIPAA risk assessments and maintain documentation demonstrating compliance with all applicable requirements.",
+      "family": "Compliance",
+      "category_code": "6",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["CA-2", "PM-8"],
+      "hipaa_crosswalk": ["164.308(a)(1)(i)", "164.308(a)(1)(ii)(A)", "164.310(a)(1)", "164.312(a)(1)"],
+      "iso_27001_crosswalk": ["A.5.31", "A.5.36"],
+      "evidence_required": "HIPAA risk assessment, safeguard implementation evidence, compliance documentation",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-6.c",
+      "title": "Audit Controls and Compliance Monitoring",
+      "description": "Implement mechanisms to record and examine activity in information systems that contain or use electronic protected health information (ePHI). Conduct regular compliance monitoring and internal audits to verify adherence to security policies and regulatory requirements.",
+      "family": "Compliance",
+      "category_code": "6",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["AU-2", "AU-6", "CA-2", "CA-7"],
+      "hipaa_crosswalk": ["164.312(b)", "164.308(a)(8)"],
+      "iso_27001_crosswalk": ["A.5.35", "A.5.36"],
+      "evidence_required": "Audit log configuration, monitoring reports, internal audit results, corrective action plans",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-6.d",
+      "title": "Technical Compliance Review",
+      "description": "Conduct regular technical compliance reviews including penetration testing, vulnerability assessments, and configuration audits to verify that systems comply with organizational security policies, technical standards, and regulatory requirements.",
+      "family": "Compliance",
+      "category_code": "6",
+      "priority": "P2",
+      "assessment_level": "r2",
+      "nist_800_53_crosswalk": ["CA-2", "CA-8", "RA-5"],
+      "hipaa_crosswalk": ["164.308(a)(8)"],
+      "iso_27001_crosswalk": ["A.5.36", "A.8.8"],
+      "evidence_required": "Penetration test reports, vulnerability scan results, configuration audit findings, remediation tracking",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-7.a",
+      "title": "Asset Inventory",
+      "description": "Maintain an accurate and current inventory of all information assets including hardware, software, data stores, network components, and cloud services. Assets must be classified by criticality and sensitivity. Asset owners must be assigned and documented.",
+      "family": "Asset Management",
+      "category_code": "7",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["CM-8", "CM-8(1)", "PM-5"],
+      "hipaa_crosswalk": ["164.310(d)(1)", "164.310(d)(2)(iii)"],
+      "iso_27001_crosswalk": ["A.5.9"],
+      "evidence_required": "Asset inventory database, classification records, asset owner assignments",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-7.b",
+      "title": "Information Classification",
+      "description": "Classify information based on its sensitivity, legal requirements, criticality, and value to the organization. Implement labeling and handling procedures consistent with the classification scheme. Include specific handling requirements for PHI, PII, and CUI.",
+      "family": "Asset Management",
+      "category_code": "7",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["RA-2", "SC-16"],
+      "hipaa_crosswalk": ["164.312(e)(2)(ii)"],
+      "iso_27001_crosswalk": ["A.5.12", "A.5.13"],
+      "evidence_required": "Classification scheme, labeling procedures, data handling guidelines, classification examples",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-7.c",
+      "title": "Media Handling and Disposal",
+      "description": "Implement procedures for the secure handling, storage, transport, and disposal of media containing sensitive information. Electronic media must be sanitized using approved methods (NIST 800-88) before reuse or disposal. Maintain chain of custody records for media containing PHI.",
+      "family": "Asset Management",
+      "category_code": "7",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["MP-2", "MP-4", "MP-6", "MP-6(2)"],
+      "hipaa_crosswalk": ["164.310(d)(1)", "164.310(d)(2)(i)", "164.310(d)(2)(ii)"],
+      "iso_27001_crosswalk": ["A.7.10", "A.7.14"],
+      "evidence_required": "Media handling procedures, sanitization records, disposal certificates, chain of custody logs",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-8.a",
+      "title": "Physical Security Perimeter",
+      "description": "Establish physical security perimeters to protect areas that contain information processing facilities and sensitive data. Implement entry controls including badge readers, biometric scanners, or security guards. Maintain visitor logs and escort procedures for non-authorized personnel.",
+      "family": "Physical and Environmental Security",
+      "category_code": "8",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["PE-2", "PE-3", "PE-6"],
+      "hipaa_crosswalk": ["164.310(a)(1)", "164.310(a)(2)(ii)", "164.310(a)(2)(iii)"],
+      "iso_27001_crosswalk": ["A.7.1", "A.7.2"],
+      "evidence_required": "Physical security controls documentation, entry control configurations, visitor logs, perimeter assessments",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-8.b",
+      "title": "Equipment Security",
+      "description": "Protect equipment from physical and environmental threats including unauthorized access, power failures, temperature extremes, and natural disasters. Implement UPS systems, environmental monitoring, and secure server room access controls. Equipment containing sensitive data must be securely maintained.",
+      "family": "Physical and Environmental Security",
+      "category_code": "8",
+      "priority": "P2",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["PE-9", "PE-10", "PE-11", "PE-14", "PE-15"],
+      "hipaa_crosswalk": ["164.310(a)(2)(ii)", "164.310(c)"],
+      "iso_27001_crosswalk": ["A.7.5", "A.7.8", "A.7.11", "A.7.12"],
+      "evidence_required": "Environmental monitoring records, UPS test results, server room access logs, maintenance records",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-8.c",
+      "title": "Workstation and Device Security",
+      "description": "Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of workstations that can access ePHI. Implement automatic screen lock and full disk encryption for portable devices.",
+      "family": "Physical and Environmental Security",
+      "category_code": "8",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["PE-18", "AC-11", "SC-28"],
+      "hipaa_crosswalk": ["164.310(b)", "164.310(c)", "164.312(a)(2)(iv)"],
+      "iso_27001_crosswalk": ["A.7.7", "A.8.1"],
+      "evidence_required": "Workstation security policy, encryption configuration, screen lock settings, device inventory",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-9.a",
+      "title": "Network Security Management",
+      "description": "Implement network security controls including firewalls, intrusion detection/prevention systems, network segmentation, and secure network architecture. Networks must be segmented to isolate sensitive data environments. Monitor network traffic for anomalies and unauthorized access attempts.",
+      "family": "Communications and Operations Management",
+      "category_code": "9",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["SC-7", "SC-7(5)", "SI-4", "AC-4"],
+      "hipaa_crosswalk": ["164.312(e)(1)", "164.312(a)(1)"],
+      "iso_27001_crosswalk": ["A.8.20", "A.8.21", "A.8.22"],
+      "evidence_required": "Network architecture diagrams, firewall rules, IDS/IPS configuration, segmentation documentation",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-9.b",
+      "title": "Encryption and Data Protection in Transit",
+      "description": "Implement encryption for all electronic protected health information transmitted over networks. Use TLS 1.2 or higher for all web-based transmissions. Implement end-to-end encryption for sensitive data transfers. Manage encryption keys using a formal key management process.",
+      "family": "Communications and Operations Management",
+      "category_code": "9",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["SC-8", "SC-8(1)", "SC-12", "SC-13"],
+      "hipaa_crosswalk": ["164.312(e)(1)", "164.312(e)(2)(ii)"],
+      "iso_27001_crosswalk": ["A.8.24"],
+      "evidence_required": "Encryption policy, TLS configuration evidence, key management procedures, certificate inventory",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-9.c",
+      "title": "Malware Protection",
+      "description": "Deploy and maintain anti-malware solutions on all endpoints and servers. Ensure malware signatures are updated automatically and scans are performed regularly. Implement application whitelisting for critical systems. Monitor for and respond to malware detections promptly.",
+      "family": "Communications and Operations Management",
+      "category_code": "9",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["SI-3", "SI-3(1)", "SI-3(2)"],
+      "hipaa_crosswalk": ["164.308(a)(5)(ii)(B)"],
+      "iso_27001_crosswalk": ["A.8.7"],
+      "evidence_required": "Anti-malware deployment status, signature update logs, scan reports, detection response records",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-9.d",
+      "title": "Backup and Recovery",
+      "description": "Implement a comprehensive backup strategy for all critical data including ePHI. Backups must be encrypted, tested regularly for recoverability, and stored in a geographically separate location. Define and enforce retention periods consistent with regulatory requirements. Document and test recovery procedures.",
+      "family": "Communications and Operations Management",
+      "category_code": "9",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["CP-9", "CP-9(1)", "CP-10"],
+      "hipaa_crosswalk": ["164.308(a)(7)(ii)(A)", "164.310(d)(2)(iv)"],
+      "iso_27001_crosswalk": ["A.8.13"],
+      "evidence_required": "Backup policy, backup logs, restore test results, offsite storage evidence, retention schedule",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-9.e",
+      "title": "Logging and Monitoring",
+      "description": "Implement comprehensive logging of security-relevant events including authentication attempts, access to ePHI, system changes, and administrative actions. Centralize log collection and analysis. Establish log retention periods meeting regulatory requirements (minimum 6 years for HIPAA). Monitor logs for security anomalies.",
+      "family": "Communications and Operations Management",
+      "category_code": "9",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["AU-2", "AU-3", "AU-6", "AU-6(1)", "AU-11"],
+      "hipaa_crosswalk": ["164.312(b)", "164.308(a)(1)(ii)(D)"],
+      "iso_27001_crosswalk": ["A.8.15", "A.8.16"],
+      "evidence_required": "Logging configuration, SIEM deployment, log retention settings, monitoring alert rules, review procedures",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-9.f",
+      "title": "Change Management",
+      "description": "Implement formal change management procedures for all changes to information systems, applications, and infrastructure. Changes must be documented, tested, approved, and reviewed post-implementation. Emergency change procedures must be defined with retroactive documentation requirements.",
+      "family": "Communications and Operations Management",
+      "category_code": "9",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["CM-3", "CM-4", "CM-5"],
+      "hipaa_crosswalk": ["164.308(a)(8)", "164.312(e)(2)(ii)"],
+      "iso_27001_crosswalk": ["A.8.32"],
+      "evidence_required": "Change management policy, change records, approval workflows, post-implementation reviews",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-10.a",
+      "title": "Security Requirements for Information Systems",
+      "description": "Specify information security requirements in the requirements analysis phase of system acquisition or development. Requirements must address authentication, access control, data encryption, audit logging, and input validation. Include regulatory requirements such as HIPAA in system specifications.",
+      "family": "Information Systems Acquisition, Development and Maintenance",
+      "category_code": "10",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["SA-3", "SA-4", "SA-8"],
+      "hipaa_crosswalk": ["164.308(a)(1)(i)", "164.312(a)(1)"],
+      "iso_27001_crosswalk": ["A.8.25", "A.8.26"],
+      "evidence_required": "Security requirements specifications, vendor security assessment, secure design documentation",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-10.b",
+      "title": "Secure Development Practices",
+      "description": "Implement secure software development lifecycle (SSDLC) practices including secure coding standards, code review, static and dynamic application security testing, and security testing as part of the CI/CD pipeline. Developers must receive secure coding training annually.",
+      "family": "Information Systems Acquisition, Development and Maintenance",
+      "category_code": "10",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["SA-11", "SA-15", "SA-16", "SA-17"],
+      "hipaa_crosswalk": ["164.308(a)(1)(i)"],
+      "iso_27001_crosswalk": ["A.8.25", "A.8.28"],
+      "evidence_required": "SSDLC documentation, code review records, SAST/DAST results, developer training records",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-10.c",
+      "title": "Input Validation and Output Encoding",
+      "description": "Implement input validation controls on all application entry points to prevent injection attacks, cross-site scripting, and other input-based vulnerabilities. Validate data type, length, range, and format. Implement output encoding to prevent cross-site scripting. Reject invalid input by default.",
+      "family": "Information Systems Acquisition, Development and Maintenance",
+      "category_code": "10",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["SI-10", "SI-15"],
+      "hipaa_crosswalk": ["164.312(a)(1)"],
+      "iso_27001_crosswalk": ["A.8.28"],
+      "evidence_required": "Input validation rules, application security test results, code review findings",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-10.d",
+      "title": "Test Data Protection",
+      "description": "Protect test data derived from production systems. Personal and health data used in testing must be de-identified, masked, or synthetic. Production data must not be used in development or test environments without appropriate safeguards and data use agreements.",
+      "family": "Information Systems Acquisition, Development and Maintenance",
+      "category_code": "10",
+      "priority": "P2",
+      "assessment_level": "r2",
+      "nist_800_53_crosswalk": ["SA-11(8)", "PM-25"],
+      "hipaa_crosswalk": ["164.502(d)", "164.514(a)"],
+      "iso_27001_crosswalk": ["A.8.33"],
+      "evidence_required": "Test data management policy, de-identification procedures, data masking configuration, data use agreements",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-11.a",
+      "title": "Incident Response Plan",
+      "description": "Develop and maintain a comprehensive information security incident response plan that defines incident categories, severity levels, escalation procedures, roles and responsibilities, communication protocols, and post-incident review processes. The plan must address HIPAA breach notification requirements.",
+      "family": "Information Security Incident Management",
+      "category_code": "11",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["IR-1", "IR-8"],
+      "hipaa_crosswalk": ["164.308(a)(6)(i)", "164.308(a)(6)(ii)"],
+      "iso_27001_crosswalk": ["A.5.24"],
+      "evidence_required": "Incident response plan, team roster, escalation matrix, communication templates",
+      "automation_level": "manual"
+    },
+    {
+      "id": "HITRUST-11.b",
+      "title": "Incident Detection and Reporting",
+      "description": "Implement mechanisms for timely detection and reporting of information security incidents. All workforce members must be trained to recognize and report security events. Establish reporting channels that are available 24/7. Document and track all reported incidents from detection through resolution.",
+      "family": "Information Security Incident Management",
+      "category_code": "11",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["IR-4", "IR-5", "IR-6", "SI-4"],
+      "hipaa_crosswalk": ["164.308(a)(6)(ii)", "164.308(a)(5)(ii)(C)"],
+      "iso_27001_crosswalk": ["A.5.25", "A.6.8"],
+      "evidence_required": "Incident detection tools, reporting procedures, incident tracking system, workforce training records",
+      "automation_level": "auto"
+    },
+    {
+      "id": "HITRUST-11.c",
+      "title": "Breach Notification",
+      "description": "Implement procedures for HIPAA breach notification including individual notification within 60 days, HHS notification, and media notification for breaches affecting 500+ individuals. Conduct breach risk assessment to determine whether notification is required. Maintain breach documentation for 6 years.",
+      "family": "Information Security Incident Management",
+      "category_code": "11",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["IR-6", "IR-6(1)"],
+      "hipaa_crosswalk": ["164.404", "164.406", "164.408", "164.410"],
+      "iso_27001_crosswalk": ["A.5.26"],
+      "evidence_required": "Breach notification procedures, risk assessment methodology, notification templates, breach log",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-12.a",
+      "title": "Business Continuity Planning",
+      "description": "Develop and maintain business continuity plans that address the availability of critical information systems and business processes. Plans must include business impact analysis, recovery strategies, and documented recovery procedures. Address dependencies on third-party services and cloud providers.",
+      "family": "Business Continuity Management",
+      "category_code": "12",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["CP-1", "CP-2", "CP-2(1)"],
+      "hipaa_crosswalk": ["164.308(a)(7)(i)", "164.308(a)(7)(ii)(B)"],
+      "iso_27001_crosswalk": ["A.5.29", "A.5.30"],
+      "evidence_required": "Business continuity plan, business impact analysis, recovery strategy documentation, third-party dependencies",
+      "automation_level": "manual"
+    },
+    {
+      "id": "HITRUST-12.b",
+      "title": "Disaster Recovery",
+      "description": "Establish disaster recovery capabilities including redundant processing sites, data replication, and recovery procedures. Define recovery time objectives (RTO) and recovery point objectives (RPO) for critical systems. Ensure ePHI can be recovered within acceptable timeframes.",
+      "family": "Business Continuity Management",
+      "category_code": "12",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["CP-7", "CP-8", "CP-10"],
+      "hipaa_crosswalk": ["164.308(a)(7)(ii)(B)", "164.308(a)(7)(ii)(C)", "164.310(a)(2)(i)"],
+      "iso_27001_crosswalk": ["A.5.30", "A.8.14"],
+      "evidence_required": "Disaster recovery plan, RTO/RPO definitions, alternate site documentation, replication configuration",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-12.c",
+      "title": "Business Continuity Testing",
+      "description": "Test business continuity and disaster recovery plans at least annually to ensure effectiveness and identify gaps. Tests must include tabletop exercises and functional recovery testing. Document test results, lessons learned, and corrective actions. Update plans based on test findings.",
+      "family": "Business Continuity Management",
+      "category_code": "12",
+      "priority": "P2",
+      "assessment_level": "r2",
+      "nist_800_53_crosswalk": ["CP-4", "CP-4(1)"],
+      "hipaa_crosswalk": ["164.308(a)(7)(ii)(D)"],
+      "iso_27001_crosswalk": ["A.5.29"],
+      "evidence_required": "Test plan, test results, lessons learned, corrective action plans, plan update records",
+      "automation_level": "manual"
+    },
+    {
+      "id": "HITRUST-13.a",
+      "title": "Privacy Notice and Consent",
+      "description": "Provide clear and comprehensive privacy notices to individuals describing how their personal and health information is collected, used, disclosed, and protected. Obtain appropriate consent or authorization before using or disclosing PHI for purposes not covered by the HIPAA Treatment, Payment, and Healthcare Operations exceptions.",
+      "family": "Privacy Practices",
+      "category_code": "13",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["PT-3", "PT-4", "PT-5"],
+      "hipaa_crosswalk": ["164.520", "164.508"],
+      "iso_27001_crosswalk": ["A.5.34"],
+      "evidence_required": "Notice of Privacy Practices, authorization forms, consent mechanisms, disclosure tracking",
+      "automation_level": "manual"
+    },
+    {
+      "id": "HITRUST-13.b",
+      "title": "Minimum Necessary Use",
+      "description": "Implement the minimum necessary standard for all uses, disclosures, and requests for PHI. Define role-based access policies that limit PHI access to the minimum amount necessary for the intended purpose. Regularly review and update access permissions to enforce this principle.",
+      "family": "Privacy Practices",
+      "category_code": "13",
+      "priority": "P1",
+      "assessment_level": "e1",
+      "nist_800_53_crosswalk": ["AC-6", "AC-3", "PT-2"],
+      "hipaa_crosswalk": ["164.502(b)", "164.514(d)"],
+      "iso_27001_crosswalk": ["A.5.12", "A.8.3"],
+      "evidence_required": "Minimum necessary policy, role-based access matrix, access review records, disclosure logs",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-13.c",
+      "title": "Individual Rights",
+      "description": "Implement procedures to honor individual rights under HIPAA including the right to access, amend, receive an accounting of disclosures, request restrictions, and request confidential communications. Respond to individual requests within HIPAA-mandated timeframes (30 days for access, 60 days for amendment).",
+      "family": "Privacy Practices",
+      "category_code": "13",
+      "priority": "P1",
+      "assessment_level": "i1",
+      "nist_800_53_crosswalk": ["PT-4", "PT-5", "PT-6"],
+      "hipaa_crosswalk": ["164.524", "164.526", "164.528", "164.522"],
+      "iso_27001_crosswalk": ["A.5.34"],
+      "evidence_required": "Individual rights procedures, request tracking system, response templates, timeliness metrics",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-13.d",
+      "title": "Data De-identification",
+      "description": "Implement procedures for de-identifying PHI using either the Expert Determination method or the Safe Harbor method as specified by HIPAA. De-identified data is not subject to HIPAA requirements. Document the de-identification method used and maintain verification of adequacy.",
+      "family": "Privacy Practices",
+      "category_code": "13",
+      "priority": "P2",
+      "assessment_level": "r2",
+      "nist_800_53_crosswalk": ["PM-25", "PT-7"],
+      "hipaa_crosswalk": ["164.502(d)", "164.514(a)", "164.514(b)"],
+      "iso_27001_crosswalk": ["A.8.11"],
+      "evidence_required": "De-identification procedures, method documentation, expert determination reports or Safe Harbor analysis",
+      "automation_level": "semi"
+    },
+    {
+      "id": "HITRUST-13.e",
+      "title": "Cross-Border Data Transfer",
+      "description": "Implement controls for the transfer of personal and health information across jurisdictional boundaries. Ensure adequate protection mechanisms are in place such as standard contractual clauses, binding corporate rules, or country-specific adequacy determinations. Comply with applicable data localization requirements.",
+      "family": "Privacy Practices",
+      "category_code": "13",
+      "priority": "P2",
+      "assessment_level": "r2",
+      "nist_800_53_crosswalk": ["PT-8", "SA-9"],
+      "hipaa_crosswalk": ["164.308(b)(1)"],
+      "iso_27001_crosswalk": ["A.5.14"],
+      "evidence_required": "Data transfer agreements, cross-border transfer impact assessments, contractual safeguards",
+      "automation_level": "manual"
+    }
+  ]
+}