SAMPLE INFOSEC TRACEABILITY MATRIX
Columns: Criteria | BS ISO/IEC 17799:2000 | Information Security Policy (ISP) (Best Practice) | Health Insurance Portability & Accountability Act (HIPAA) | Gramm-Leach-Bliley Act (GLBA) | Sarbanes-Oxley (SOX)

Each reference column gives the policy and/or standard paragraph number. A dash marks an empty cell in the matrix.

Audit and Accountability

Criteria: Audit Processing
  ISO 17799: 9.7.2
  ISP:       ISP120-00 Accountability
  HIPAA:     Sec. 164.512(d) Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required.
  GLBA:      -
  SOX:       Section 302 Corporate Responsibility For Financial Reports (a)(4)(5)(6)

Criteria: Audit Monitoring, Analysis, and Reporting
  ISO 17799: 9.7.2
  ISP:       ISP128-03 Monitoring, Review, and Maintenance
  HIPAA:     -
  GLBA:      -
  SOX:       Section 302 Corporate Responsibility For Financial Reports (a)(5)
             Section 404 Management Assessment Of Internal Controls (b) INTERNAL CONTROL EVALUATION AND REPORTING

Personnel Security

Criteria: Access Agreements
  ISO 17799: 6.1.3
  ISP:       isp060-02 RESPONSIBILITY
             isp060-11 Non-Disclosure Agreements
  HIPAA:     Sec. 164.502(c) Uses and disclosures of protected health information: general rules.
  GLBA:      -
  SOX:       -

Criteria: Third-Party Personnel Security
  ISO 17799: 4.2.2
  ISP:       isp060-18 Special Conditions
  HIPAA:     Sec. 164.502(e) Uses and disclosures of protected health information: general rules.
             Sec. 164.508 Uses and disclosures for which an authorization is required.
  GLBA:      -
  SOX:       -

Criteria: Permissions and Privileges
  ISO 17799: 9.1.1.2, 9.2.2
  ISP:       isp062-00 PERSONAL
             isp060-09 Access and Use Privileges
  HIPAA:     Sec. 164.508(a) Uses and disclosures for which an authorization is required.
             Sec. 164.526 Amendment of protected health information.
  GLBA:      -
  SOX:       -

Criteria: Privacy Protection
  ISO 17799: 12.1.4
  ISP:       isp060-09 Access and Use Privileges
  HIPAA:     Sec. 164.502(h) Uses and disclosures of protected health information: general rules.
             Sec. 164.522 Rights to request privacy protection for protected health information.
  GLBA:      Sec. 6801 Protection of nonpublic personal information
             Sec. 6803 Disclosure of institution privacy policy
             Sec. 6821 Privacy protection for customer information of financial institutions
  SOX:       -