Combined Policy Pack

Information Security & Compliance Policy Pack

HIPAA + CIS v8Dunder Mifflin

Aligned to: HIPAA Security Rule (45 CFR Part 164, Subpart C) & CIS Controls v8

This pack consolidates 22 policies governing how Dunder Mifflin protects the confidentiality, integrity, and availability of its information, including electronic protected health information. Each policy below is maintained as a standalone document.

01

Information Security Policy

Master governance policy establishing the security program and risk-management process.

HIPAA + CIS v8
02

Acceptable Use Policy

Rules for appropriate use of company systems, devices, email, and internet.

CIS v8
03

Artificial Intelligence (AI) Acceptable Use Policy

Governs how workforce members may use AI and generative-AI tools, with strict rules for protecting sensitive and regulated data.

HIPAA + CIS v8
04

Workplace Monitoring & Employee Consent Policy

Establishes the company's right to monitor its systems, devices, data, and usage — and the consent each workforce member attests to.

Workforce
05

California Workplace Privacy & Monitoring Addendum

California-specific privacy, consent, and notice requirements that supplement the Workplace Monitoring policy for California workforce members.

Workforce
06

Access Control & Identity Management Policy

Provisioning, least privilege, and de-provisioning of system access.

HIPAA + CIS v8
07

Password & Authentication Policy

Password strength, MFA, and credential-handling requirements.

HIPAA + CIS v8
08

Data Classification & Handling Policy

Classifying data by sensitivity and the handling rules for each tier.

HIPAA + CIS v8
09

Data Encryption Policy

Encryption standards for data at rest and in transit.

HIPAA + CIS v8
10

Asset Management Policy

Maintaining an accurate inventory of hardware and software assets.

CIS v8
11

Secure Configuration Policy

Hardening baselines for systems, applications, and network devices.

CIS v8
12

Vulnerability & Patch Management Policy

Identifying, prioritizing, and remediating vulnerabilities and patches.

CIS v8
13

Malware Defense & Endpoint Protection Policy

Anti-malware, EDR, and endpoint protection requirements.

HIPAA + CIS v8
14

Audit Logging & Monitoring Policy

Collecting, protecting, and reviewing audit logs.

HIPAA + CIS v8
15

Network Security Policy

Firewalls, segmentation, wireless, and remote-access controls.

CIS v8
16

Backup & Data Recovery Policy

Backup frequency, retention, encryption, and restore testing.

HIPAA + CIS v8
17

Incident Response Policy

Detecting, reporting, and responding to security incidents and breaches.

HIPAA + CIS v8
18

Security Awareness & Training Policy

Required security training and phishing awareness for the workforce.

HIPAA + CIS v8
19

Business Continuity & Disaster Recovery Policy

Maintaining operations and recovering systems after a disruption.

HIPAA
20

Breach Notification Policy

How suspected breaches are assessed and how individuals, regulators, and partners are notified within required deadlines.

HIPAA
21

Vendor & Business Associate Management Policy

Risk-assessing vendors, requiring Business Associate Agreements, and reviewing third parties that access company data.

HIPAA + CIS v8
22

Data Retention & Secure Disposal Policy

How long records and data are retained, and how data, devices, and media are securely destroyed at end of life.

HIPAA + CIS v8