Commercial Standards-Based Frameworks
Systems & Organization Controls 2 (SOC 2) Compliance
Payment Card Industry Data Security Standards (PCI DSS) Compliance
Payment Card Industry Data Security Standards (PCI DSS) Compliance
- SOC 2 certification is not required by any industry regulations, the American Institute of Certified Public Accounts (AICPA) recommends that all data-handling service providers comply with SOC 2.
- Completing a SOC 2 certification on its own is typically not enough to demonstrate that your organization is secure; however, it provides a strong start to building a mature security program and establishing trust in your customer relationships.
- The SOC 2 Framework supports both Type 1 and Type 2 certifications and includes the five Trust Service Criteria (TSC) - Security, Availability, Processing Integrity, Confidentiality and Privacy.
Payment Card Industry Data Security Standards (PCI DSS) Compliance
Payment Card Industry Data Security Standards (PCI DSS) Compliance
Payment Card Industry Data Security Standards (PCI DSS) Compliance
- The Payment Card Industry Data Security Standards (PCI DSS) specify technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data.
- The PCI DSS provides a rigorous security framework and best practices for protecting sensitive cardholder data from malicious software and individuals.
- The PCI DSS Framework supports all four Merchant Levels and includes all 12 requirements comprised of 251 sub-controls.
General Data Protection Regulation (GDPR) Compliance
Payment Card Industry Data Security Standards (PCI DSS) Compliance
Health Insurance Portability and Accountability Act (HIPAA) Compliance
.jpg/:/cr=t:10.52%25,l:0%25,w:100%25,h:78.96%25/rs=w:388,h:194,cg:true)
- The General Data Protection Regulation (GDPR) was created by the European Union to regulate how organizations manage and protect personal data.
- GDPR includes 11 Chapters and 99 Articles about the rights of individuals and the obligations of businesses.
- While GDPR is required by every organization that operates within the European Union, it is also required to be followed by any organization that offers goods and services in the EU.
- The GDPR Framework provides controls covering the first five chapters of the regulation – General Provisions, Principles, Rights of the Data Subject, Controller and Processor, and Transfers of Personal Data to Third Countries or International Organizations.
Health Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) Compliance
.jpg/:/cr=t:0%25,l:1.25%25,w:97.5%25,h:100%25/rs=w:388,h:194,cg:true)
- The Health Insurance Portability and Accountability Act (HIPAA) is legislation which provides security provisions and data privacy, in order to keep patients’ medical information, referred to as protected health information (PHI), safe.
- The act provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs, reduces health care fraud and abuse, mandates industry-wide standards for health care information on electronic billing and other processes, and requires the protection and confidential handling of protected health information.
- The HIPAA Privacy and Security Frameworks cover the Security Rule with 6 controls, the Privacy Rule with 13 controls and the Breach Rule with 3 controls.
California Consumer Privacy Act (CCPA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) Compliance
California Consumer Privacy Act (CCPA) Compliance
- The California Consumer Privacy Act (CCPA) grants California resident's new rights regarding their personal information and imposes various data protection duties on certain entities conducting business in California.
- The CCPA affects any business that collects or stores data about California residents and will likely set a precedent for nationwide privacy protection in the United States.
- The CCPA Framework includes controls that span the three main areas of the law - individual rights, data security, and service providers – and each of the nine sections of the law.
Government & Standards-Based Frameworks
Cybersecurity Maturity Model Certification (CMMC) 2.0
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Compliance
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Compliance
- Department of Defense Cybersecurity Maturity Model Certification 2.0 creates compliance and certification standards and a network of C3PAOs (Certified 3rd Party Audit Organizations) in a coordinated effort to protect Controlled Unclassified Information (CUI) throughout the U.S. Manufacturing and Defense Industrial Base and Supply Chain.
- When fully implemented, all contractors and subcontractors at all levels in this supply chain must be certified to the CMMC standard to bid on or renew Department of Defense contracts.
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Compliance
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Compliance
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Compliance
- The National Institute of Standards and Technology (NIST) 800-53 is a set of guidelines and requirements that government institutions are required to follow.
- Non-federal organizations only need to comply in situations where they are operating federal systems. NIST 800-53 helps meet requirements set by FISMA and promotes risk management programs to keep information safe and secure.
- The NIST 800-53 Framework supports all 18 primary controls throughout the three tiers (organizational risks, business process risks and information risks) that comprise NIST 800-53.
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Complianc
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Compliance
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Complianc
- The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is a requirement for non-federal organizations that process, store, or transmit Controlled Unclassified Information (CUI).
- DFARS (Defense Federal Acquisition Regulation Supplement) regulates the minimum standards for security protocols and policy relating to sensitive information.
- NIST 800-171 compliance is self-reported and in the process of being replaced by CMMC. The NIST 800-171 Framework supports all 14 primary control areas defined in the NIST 800-171 and all of the sub-controls within the 14 controls.
International Organization for Standardization (ISO) 27001 Compliance
Federal Risk and Authorization Management Program (FedRAMP) Compliance
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Complianc
- ISO 27001 is one of the most widely used security frameworks on a global scale. It is commonly used to create, implement, and/or maintain a strong Information Security Management System (ISMS).
- ISO 27001 is ideal for any organization looking to develop a structured and well-organized security program with the purpose of protecting organizational information and systems.
- The ISO 27001 Framework includes the 14 controls that detail best practices for cybersecurity measures (Annex A).
Federal Risk and Authorization Management Program (FedRAMP) Compliance
Federal Risk and Authorization Management Program (FedRAMP) Compliance
Federal Risk and Authorization Management Program (FedRAMP) Compliance
- FedRamp establishes a standardized approach for companies that handle federal government data in the cloud.
- Applicable to both cloud service providers and SaaS solution vendors, FedRAMP streamlines cloud security approaches into standardized security measures organizations can implement and measure with a common baseline.
- The FedRAMP Authorization Framework supports all 17 core domains and 325 controls for Moderate impact level.
Center for Internet Security (CIS) Compliance
Federal Risk and Authorization Management Program (FedRAMP) Compliance
Federal Risk and Authorization Management Program (FedRAMP) Compliance
- The Center for Internet Security (CIS) is a general-purpose cybersecurity framework that entails best practices for securing information systems.
- The framework — which boasts 172 sub-controls across 20 controls — is maintained by the Center for Internet Security (CIS), which is a non-profit organization dedicated to providing up-to-date best practices for cyber security.
- CIS Controls and CIS Benchmarks are considered one of the global standards and recognized best practices for securing IT systems and data against the most pervasive attacks.
- The CIS Framework is comprised of all 20 control areas that make up the complete guideline.