
Policy Framework - Sources & References

This document provides detailed references for the policies and best practices included in this repository.


HR Policies & Employee Handbook

Primary Sources

ADP - Employee Handbook Best Practices - https://www.adp.com/spark/articles/2022/01/employee-handbooks-10-must-have-policies-for-2022.aspx - Topics: Must-have policies, at-will employment, anti-harassment, code of conduct - Used for: HR-004 (Anti-Harassment), HR-007 (Code of Conduct)

Paychex - Employee Handbook Guide - https://www.paychex.com/articles/human-resources/what-to-include-in-your-employee-handbook - Topics: PTO, benefits, performance management, workplace safety - Used for: HR-003 (PTO), HR-005 (Benefits), HR-009 (Performance Management)

Guru - Employee Handbook Templates - https://www.getguru.com/templates/employee-handbook - Topics: Handbook structure, policy organization, employee communications - Used for: Overall handbook structure and organization

U.S. Chamber of Commerce - Creating an Employee Handbook - https://www.uschamber.com/co/run/human-resources/how-to-create-an-employee-handbook - Topics: Legal requirements, policy essentials, compliance considerations - Used for: Legal compliance sections, policy disclaimers

Professional Associations

SHRM (Society for Human Resource Management) - https://www.shrm.org - Resources: Sample policies, legal compliance updates, HR best practices - Used for: HR policy templates, compliance frameworks, progressive discipline

WorldatWork - https://www.worldatwork.org - Topics: Compensation, benefits, total rewards - Used for: HR-008 (Compensation & Pay Practices)


Federal Regulations & Compliance

Labor & Employment Law

U.S. Department of Labor (DOL) - https://www.dol.gov
  • FLSA (Fair Labor Standards Act) - https://www.dol.gov/agencies/whd/flsa - Topics: Overtime, minimum wage, exempt vs. non-exempt classification - Used for: HR-008 (Compensation & Pay Practices)
  • FMLA (Family and Medical Leave Act) - https://www.dol.gov/agencies/whd/fmla - Topics: Family leave, medical leave, job protection - Used for: HR-006 (Leave of Absence)

EEOC (Equal Employment Opportunity Commission) - https://www.eeoc.gov
  • Title VII of the Civil Rights Act - Topics: Discrimination, harassment, equal employment opportunity - Used for: HR-004 (Anti-Harassment & Non-Discrimination)
  • ADA (Americans with Disabilities Act) - Topics: Reasonable accommodations, disability rights - Used for: HR-010 (Workplace Health & Safety), accommodation procedures

OSHA (Occupational Safety and Health Administration) - https://www.osha.gov - Topics: Workplace safety, hazard communication, emergency procedures - Used for: HR-010 (Workplace Health & Safety)
Key Standards:
  • General Duty Clause (OSH Act Section 5(a)(1))
  • Hazard Communication Standard (29 CFR 1910.1200)
  • Personal Protective Equipment (29 CFR 1910.132)
  • Emergency Action Plans (29 CFR 1910.38)

USERRA (Uniformed Services Employment and Reemployment Rights Act) - https://www.dol.gov/agencies/vets/programs/userra - Topics: Military leave, reemployment rights - Used for: HR-006 (Leave of Absence - Military Leave section)

Healthcare & Privacy

HHS - HIPAA (Health Insurance Portability and Accountability Act) - https://www.hhs.gov/hipaa - Topics: Privacy, security, data protection for healthcare information - Used for: PRIV-001 (Data Privacy & Security), IT security policies
Key Rules:
  • Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E)
  • Security Rule (45 CFR Part 164, Subpart C)
  • Breach Notification Rule (45 CFR Part 164, Subpart D)

COBRA (Consolidated Omnibus Budget Reconciliation Act) - https://www.dol.gov/agencies/ebsa/laws-and-regulations/laws/cobra - Topics: Health insurance continuation after employment - Used for: HR-005 (Employee Benefits - COBRA section)

Employee Benefits

IRS - Retirement Plans & Tax-Advantaged Accounts - https://www.irs.gov/retirement-plans - Topics: 401(k) plans, HSAs, FSAs, contribution limits - Used for: HR-005 (Employee Benefits)

ERISA (Employee Retirement Income Security Act) - https://www.dol.gov/agencies/ebsa/laws-and-regulations/laws/erisa - Topics: Retirement plan administration, fiduciary requirements - Used for: HR-005 (Employee Benefits)


IT & Cybersecurity Standards

NIST (National Institute of Standards and Technology)

NIST Cybersecurity Framework (CSF 2.0) - https://www.nist.gov/cyberframework - Topics: Risk management, security controls, incident response - Used for: SEC-004 (Incident Response), COMP-001 (IT Governance)

NIST SP 800-53 - Security and Privacy Controls - https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final - Topics: Access control, authentication, audit logging - Used for: SEC-002 (Access Control), SEC-003 (Password & Authentication)

NIST SP 800-171 - Protecting Controlled Unclassified Information - https://csrc.nist.gov/pubs/sp/800/171/r3/final - Topics: Data protection, encryption, incident response - Used for: PRIV-001 (Data Privacy & Security)

Industry Security Standards

CIS Controls (Center for Internet Security) - https://www.cisecurity.org/controls - Topics: Critical security controls, benchmarks - Used for: Overall security policy framework, SEC-001 through SEC-005

SANS Institute - Information Security Policy Templates - https://www.sans.org/information-security-policy - Topics: Acceptable use, password policies, incident response - Used for: SEC-001 (Acceptable Use), SEC-003 (Password Policy)

OWASP (Open Web Application Security Project) - https://owasp.org - Topics: Web application security, secure coding practices - Used for: SEC-001 (Acceptable Use - development practices)

Compliance Frameworks

SOC 2 (System and Organization Controls 2, formerly Service Organization Control 2) - https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome - Topics: Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) - Used for: COMP-001 (IT Governance), multiple security policies
Key Trust Services Criteria:
  • CC6.1: Logical and physical access controls
  • CC6.6: Protection against threats from outside the system boundary
  • CC7.2: System monitoring for anomalies and security events
  • CC7.3: Evaluation and response to security events

ISO 27001 - Information Security Management - https://www.iso.org/isoiec-27001-information-security.html - Topics: Information security management systems, risk assessment - Used for: Security policy framework reference


State-Specific Regulations

California

California Labor Code - Topics: Paid sick leave, final paycheck timing, meal/rest breaks - Used for: State-specific addendums to HR policies

CCPA (California Consumer Privacy Act) - https://oag.ca.gov/privacy/ccpa - Topics: Data privacy, consumer rights - Used for: PRIV-001 (Data Privacy & Security)

California Civil Rights Department (CRD, formerly the Department of Fair Employment and Housing, DFEH) - Topics: Harassment prevention training requirements - Used for: HR-004 (Anti-Harassment)

New York

New York Labor Law - Topics: Wage theft prevention, paid sick leave - Used for: State-specific HR policy addendums

NY SHIELD Act - https://its.ny.gov/ny-shield-act - Topics: Data breach notification, cybersecurity requirements - Used for: SEC-004 (Incident Response)

Massachusetts

Massachusetts Paid Family and Medical Leave - https://www.mass.gov/info-details/massachusetts-paid-family-and-medical-leave - Topics: Paid family leave - Used for: HR-006 (Leave of Absence)


Industry-Specific References

Healthcare

HHS Office for Civil Rights - HIPAA Guidance - https://www.hhs.gov/hipaa/for-professionals/index.html - Topics: HIPAA compliance for covered entities and business associates - Used for: Healthcare-specific privacy and security policies

Financial Services

PCI DSS (Payment Card Industry Data Security Standard) - https://www.pcisecuritystandards.org - Topics: Credit card data security, payment processing - Used for: Reference for organizations handling payment card data


Additional Resources

Government Resources

USA.gov - Labor Laws and Issues - https://www.usa.gov/labor-laws - General reference for federal labor laws

Small Business Administration (SBA) - Employment Law Guide - https://www.sba.gov - Topics: Small business employment law compliance - Used for: Guidance for small to medium-sized organizations

Legal Information Institute (Cornell Law School) - https://www.law.cornell.edu - Topics: Federal regulations, case law, legal definitions - Used for: Legal research and policy language

National Conference of State Legislatures (NCSL) - https://www.ncsl.org - Topics: State employment laws, legislative updates - Used for: State-specific compliance requirements

Professional Development

ATD (Association for Talent Development) - https://www.td.org - Topics: Employee training, professional development - Used for: HR-001 (Employee Training & Awareness), HR-009 (Performance Management)

Chartered Institute of Personnel and Development (CIPD) - https://www.cipd.co.uk - Topics: HR best practices, performance management - Used for: HR policy best practices


Policy-Specific References

HR-001: Employee IT Training & Awareness

  • NIST SP 800-50 Rev. 1: Building a Cybersecurity and Privacy Learning Program (supersedes the 2003 edition, Building an Information Technology Security Awareness and Training Program)
  • SANS Security Awareness: https://www.sans.org/security-awareness-training

HR-002: Employee Onboarding & Offboarding

  • SHRM: Onboarding New Employees
  • NIST SP 800-53: AC-2 (Account Management)

HR-003: Paid Time Off (PTO) Policy

  • DOL: Vacation Leave
  • State-specific paid sick leave laws (CA, WA, OR, NY, etc.)

HR-004: Anti-Harassment & Non-Discrimination

  • EEOC: Harassment Prevention Guidance
  • Title VII of the Civil Rights Act of 1964
  • State harassment prevention training requirements

HR-005: Employee Benefits Policy

  • DOL ERISA guidance
  • IRS Publication 15-B: Employer's Tax Guide to Fringe Benefits
  • Healthcare.gov: COBRA continuation coverage

HR-006: Leave of Absence Policy

  • DOL FMLA regulations (29 CFR Part 825)
  • USERRA (38 U.S.C. §§ 4301-4335)
  • State family leave laws

HR-007: Employee Code of Conduct

  • SHRM: Code of Conduct sample policies
  • Ethics & Compliance Initiative: Code of Conduct guidance

HR-008: Compensation & Pay Practices

  • DOL Wage and Hour Division: FLSA guidance
  • DOL: Overtime Pay rules
  • State wage and hour laws

HR-009: Performance Management

  • SHRM: Performance Management best practices
  • OPM (Office of Personnel Management): Performance Management guidance

HR-010: Workplace Health & Safety

  • OSHA regulations (29 CFR 1910)
  • OSHA Small Business Handbook
  • CDC: Workplace Health & Safety

SEC-001: Acceptable Use Policy

  • SANS: Acceptable Use Policy template
  • NIST SP 800-50 Rev. 1: Building a Cybersecurity and Privacy Learning Program

SEC-002: Access Control & Authorization

  • NIST SP 800-53: AC (Access Control) family
  • NIST SP 800-63: Digital Identity Guidelines

SEC-003: Password & Authentication

  • NIST SP 800-63B: Authentication and Lifecycle Management
  • NIST password guidance: SP 800-63-2 was withdrawn in 2017 and superseded by the SP 800-63-3 suite; the password and authenticator requirements now live in SP 800-63B

SEC-004: Incident Response

  • NIST SP 800-61: Computer Security Incident Handling Guide (Rev. 2); superseded in April 2025 by Rev. 3, Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile
  • CISA: Incident Response resources

SEC-005: Remote Work & MDM

  • NIST SP 800-46: Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
  • CISA: Telework guidance

PRIV-001: Data Privacy & Security

  • HIPAA Privacy Rule (45 CFR Part 164)
  • GDPR (for international data): https://gdpr.eu
  • CCPA (California residents)
  • State data breach notification laws

COMP-001: IT Governance & Compliance

  • COBIT 2019 (Control Objectives for Information and Related Technologies)
  • ITIL (Information Technology Infrastructure Library)
  • SOC 2 Trust Services Criteria

Disclaimer

The policies in this repository are provided as templates and examples based on the sources listed above. They are not legal advice and should be reviewed by qualified legal counsel before implementation. Laws and regulations vary by jurisdiction and change over time. Organizations are responsible for ensuring their policies comply with all applicable federal, state, and local laws.

Last Updated: 2025-11-09
Maintained By: Policy Framework Project