{"total":3,"limit":20,"offset":0,"items":[{"id":"impl-hris-ac2-001","sspId":"ssp-hris-001","controlId":"AC-2","controlTitle":"Account Management","status":"implemented","responsibleRole":"Identity & Access Management Team","implementationDescription":"User accounts are managed through Okta Universal Directory integrated with Active Directory. Provisioning and de-provisioning are automated via SCIM. Quarterly access reviews are conducted using SailPoint IdentityIQ.","implementationType":"system_specific","satisfiedEnhancements":["AC-2(1)","AC-2(2)","AC-2(3)","AC-2(4)"],"updatedAt":"2025-05-20T11:00:00Z"},{"id":"impl-hris-ac3-001","sspId":"ssp-hris-001","controlId":"AC-3","controlTitle":"Access Enforcement","status":"implemented","responsibleRole":"Application Security Team","implementationDescription":"Role-based access control (RBAC) is enforced at the application layer. The API gateway enforces OAuth 2.0 scopes. Row-level security at the database level is used for PII segregation.","implementationType":"system_specific","satisfiedEnhancements":[],"updatedAt":"2025-05-20T11:30:00Z"},{"id":"impl-hris-ac4-001","sspId":"ssp-hris-001","controlId":"AC-4","controlTitle":"Information Flow Enforcement","status":"partially_implemented","responsibleRole":"Network Security Team","implementationDescription":"East-west traffic is controlled via micro-segmentation in AWS VPC. DLP policies are applied to outbound email. Gap: No DLP coverage for cloud storage file sharing.","implementationType":"hybrid","satisfiedEnhancements":[],"updatedAt":"2025-05-22T09:00:00Z"}]}