Joieux/grc-clinical-data-platform

MedVault Clinical Data Platform — GRC Portfolio

Overview

This portfolio demonstrates governance, risk, and compliance (GRC) competency through a realistic security policy pack and control evidence matrix for MedVault, a fictional cloud-hosted clinical data platform handling electronic Protected Health Information (ePHI).

Regulatory Scope

| Framework | Coverage |
|---|---|
| HIPAA Security Rule | 45 CFR §164.302–318 |
| NIST SP 800-53 Rev 5 | Moderate baseline |
| SOC 2 Type II | Trust Services Criteria |
| HITRUST CSF v11 | Selected controls |

Portfolio Contents

clinical-data-platform/
├── README.md                              ← You are here
├── policies/
│   └── security-policy-pack.md            ← 11 policy domains covering the security program
├── matrices/
│   └── control-evidence-matrix.md         ← 25 controls mapped to evidence and test steps
└── evidence/                              ← Directory structure for evidence artifacts
    ├── access-control/
    ├── audit-logging/
    ├── business-continuity/
    ├── change-mgmt/
    ├── data-protection/
    ├── incident-response/
    ├── third-party/
    ├── vuln-mgmt/
    └── workforce/

What This Demonstrates

| Competency | Where to Look |
|---|---|
| Policy writing and program design | policies/security-policy-pack.md |
| Multi-framework regulatory mapping | Matrix "Regulatory Source(s)" column |
| Control design with measurable SLAs | Policy sections with specific thresholds and timelines |
| Evidence artifact identification | Matrix "Evidence Artifact(s)" column |
| Audit-ready test procedures | Matrix "Test Procedure" column with step-by-step instructions |
| Continuous compliance cadence | Matrix "Frequency" column and evidence collection schedule |
| Risk-based prioritization | Severity-driven SLAs (vuln remediation, incident response) |

Key Design Decisions

  1. 25 controls across 9 domains — covers the breadth expected in a real HIPAA/SOC2 audit without over-indexing on any single domain.
  2. Every control has a test procedure — not just "verify X exists" but multi-step procedures an auditor would actually follow.
  3. Evidence is concrete — specific artifacts (KMS key policies, IdP exports, SIEM dashboards) rather than generic "documentation."
  4. SLAs are measurable — 4-hour deprovisioning, 72-hour critical vuln remediation, 15-minute SOC triage. Auditors can objectively pass/fail.
  5. Collection schedule is realistic — weekly through annual cadence that balances rigor with operational overhead.

About

GRC portfolio: Security policy pack and control evidence matrix for a fictional clinical data platform (HIPAA, NIST 800-53, SOC 2, HITRUST)
