|Framework||Use Case / Description||Useful Links|
Contact us about this!
|Common Control Mapping Available|
|California Consumer Privacy Act (CCPA)||The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States.||Official legislative information||Get help with CCPA||Yes!|
|Compliance Controls Catalogue (C5)||The Cloud Computing Compliance Controls Catalogue (abbreviated "C5") is intended primarily for professional cloud service providers, their auditors and customers of the cloud service providers. It is defined which requirements (also referred to as controls in this context) the cloud providers have to comply with or which minimum requirements the cloud providers should be obliged to meet.||Official Policy Page||Get help with C5|
The Criminal Justice Information Services (CJIS) Security Policy provides requirements for criminal justice and associated agencies to use when accessing Criminal Justice Information (CJI). This Policy is also applicable to service providers who process CJI on behalf of criminal justice agencies.
The policy prescribes safeguards that must be in place to secure CJI at rest and in transit. The policy integrates guidance from NIST with presidential and FBI directives, along with federal law and is audited periodically by the FBI for compliance. Failure to adhere to the policy may result in sanctions against non-compliant agencies.
Official Policy Page
|Get help with CJIS||Yes!|
|COBIT*||COBIT v5 (Control Objectives for Information and Related Technologies) is a framework created by international professional association ISACA for IT management and governance. It is generic and useful for enterprises of all sizes and across sectors, including commercial, not-for-profit, and the public sector. The framework incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems. It is meant to be a supportive tool for managers to bridge gaps among technical issues, business risks and control requirements. |
|Get help with COBIT v5||Yes!|
|COSO Internal Control–Integrated Framework*||The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides non-prescriptive guidance on internal controls, enterprise risk management, and fraud deterrence. COSO 2013 Intergrated Control-Integrated Framework is recognized as leading guidance for designing and implementing internal controls and assessing their effectiveness.|
This framework is commonly used as basis for management's evaluation of its internal controls over financial reporting for compliance with the Sarbanes-Oxley Act of 2002 ("SOX").
|Get help with COSO||Yes!|
|CSA Cloud Controls Matrix||The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains.|
|Get help with CSA CCM||Yes!|
|CIS Controls||The CIS Controls are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks. CIS Controls v8 has been enhanced to keep up with modern systems and software. Movement to cloud-based computing, virtualization, mobility, outsourcing, Work-from-Home, and changing attacker tactics prompted the update and supports an enterprise's security as they move to both fully cloud and hybrid environments.||CIS General Info Page|
SANS General Info Page
|Get help with CSC-CIS/SANS 20||Yes!|
|Cybersecurity Maturity Model Certification (CMMC)||The Cybersecurity Maturity Model Certification (CMMC) framework consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the Defense Industrial Base (DIB) and Department of Defense (DoD) stakeholders. The model framework organizes these processes and practices into a set of domains and maps them across five levels. In order to provide additional structure, the framework also aligns the practices to a set of capabilities within each domain. The ensuing subsections provide additional information regarding each element of the model.||Office of the Under Secretary of Defense for Acquisition & Sustainment||Get Help with CMMC||Yes!|
|EU/US Privacy Shield |
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
The Privacy Shield program enables U.S.-based organizations to join one or both of the Privacy Shield Frameworks in order to benefit from the adequacy determinations. To join either Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce (via this website) and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. All organizations interested in self-certifying to the EU-U.S. Privacy Shield Framework or Swiss-U.S. Privacy Shield Framework should review the requirements in their entirety.
|General Info||Get help with Privacy Shield||Yes!|
|FedRAMP Low / Moderate / High|
"The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a 'do once, use many times' framework..." FedRAMP offers significant cost savings for US Federal Government agencies when using and securing of cloud services, and supports the compliance requirements in the Federal Information Security Management Act (FISMA).
- The Low/Moderate baselines are appropriate for systems with public or sensitive information, where a breach or loss of availability would have a limited, non-catastrophic impact.
- The High baseline is appropriate for systems with highly sensitive information, where a breach or loss of availability would have a severe and/or catastrophic impact.
System classification information (FIPS 199)
|Get help with FedRAMP||Yes!|
|General Data Protection Regulation (GDPR)||The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.||Get help with GDPR||Yes!|
The Health Insurance Portability and Accountability act (HIPAA) defines rules for the security and privacy of healthcare information, called Protected/Personal Health Information (PHI). The US Department of Health & Human Services (HHS) is responsible for enforcement.
You may be subject to HIPAA if you are a:
- Covered Entity: a business that generates or processes PHI
- Business Associate: a business supporting a Covered Entity
HIPAA for Professionals
Covered Entities and Business Associates
|Get help with HIPAA||Yes!|
|ISO 27001 Annex A with guidance from ISO 27002*||The ISO/IEC 27000 family of standards helps organizations keep information assets secure.|
ISO IEC 27001:2013 includes Annex A, which lists illustrative information security control objectives and information security controls. It is taken directly from ISO IEC 27002 2013 sections 5 to 18, which provides additional guidance on the implementation, operation, and maintenance of security controls. However, using this framework in not obligatory in order to be ISO 27001 certified.
ISO IEC 27001:2013 section 6.1.3 enables organizations to use Annex A, and/or any other suitable resources, to "produce a Statement of Applicability that contains the necessary controls".
ISO 27000 Family of Standards
ISO 27001 Wikipedia entry
|Get help with ISO 27001 Appendix A||Yes!|
ISO 27001/2, 27017, 27018, 27701*
The ISO/IEC 27000 family of standards helps organizations keep information assets secure.
Within the ISO 27000 family of standards there are a variety of frameworks which focus on specific areas of information security.
- 27001:2013 is the best-known standard in the family providing requirements for an information security management system (ISMS).
- 27002:2013 contains guidelines for organizational information security standards and information security management practices. This includes the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).
- 27017:2015 provides guidance for information security controls applicable to the provision and use of cloud services
- 27018:2019 establishes control objectives, controls and guidelines for protecting Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment
- 27701:2019 specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
ISO 27000 Family of Standards
ISO 27000 Family Wikipedia entry
|Get help with ISO |
*ISO 27017 not included
|NIST CSF||In response to Executive Order 13636, “Improving Critical Infrastructure Cybersecurity," the National Institute of Standards and Technology (NIST) published the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework or CSF). The CSF is designed to drive an organization's cybersecurity efforts through a risk-based management process. It contains a set of requirements hierarchically structured into Functions, Categories, and Subcategories, as well as Informative References which point to other security frameworks such as ISO 27001, NIST SP 800-53, and COBIT.|
The overall franework is structured into three parts:
- The Framework Core: A set of cybersecurity requirements, desired outcomes, and the Informative References which guide implementation of security controlsFramework
- Implementation Tiers: Describe a level of achievement in an organization's approach to cybersecurity risk assessment and management, representing maturation from informal, reactive processes to risk-driven proactive ones. They range from Partial (Tier 1) to Adaptive (Tier 4).
- Framework Profile: Represents the state of an organization's cybersecurity efforts based on analysis against the Framework Categories and Subcategories. A Current Profile is created to judge the organizations as-is state, and a Target Profile is created to identify gaps, opportunites, and the desired outcome of cybersecurity improvement efforts.
NIST CSF Page
NIST CSF Reference Tool (desktop app)
|NIST SP 800-53||The Federal Information Security Modernization Act (FISMA) requires civilian agencies of the US Federal Government to report on the security posture of their information systems. Businesses supporting these government agencies may also be required to implement such controls, if they interconnect with or operate systems on behalf of the government.|
There are a variety of documents which guide the implementation and management of security controls for such systems, including the Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology Special Publications (NIST SP).
- FIPS 199 & 200: Describes the security categorization of systems and controls needed based on that categorization
- NIST SP 800-53: The catalog of controls to choose from
NIST SP 800-53 has three risk-based baselines for controls: Low, Moderate, and High. Higher-risk systems require more controls, while lower-risk systems require less stringent levels of protection.
NIST SP 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-53A - Assessing Security and Privacy Controls in Federal Information Systems and Organizations
FIPS 199 - Standards for Security Categorization of Federal Information and Information Systems
FIPS 200 - Minimum Security Requirements for Federal Information and Information Systems
|Get help with NIST SP 800-53||Yes!|
|NIST SP 800-171||The purpose of NIST 800-171 is to provide agencies with recommended requirements|
for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information
systems and organizations; (ii) when the information systems where the CUI resides are not used
or operated by contractors of federal agencies or other organizations on behalf of those agencies;
and (iii) where there are no specific safeguarding requirements for protecting the confidentiality
of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI
category or subcategory listed in the CUI Registry. The requirements apply only to components9
of nonfederal information systems that process, store, or transmit CUI, or that provide security
protection for such components. The CUI requirements are intended for use by federal agencies
in appropriate contractual vehicles or other agreements established between those agencies and
nonfederal organizations. In CUI guidance and the CUI Federal Acquisition Regulation (FAR),
the CUI Executive Agent will address determining compliance with CUI requirements.
|NIST 800-171 Overview||Get help with NIST SP 800-171||Yes!|
|NYDFS 23 NYCRR 500||Effective March 1, 2017, the Superintendent of Financial Services promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies (referred to below as “the Cybersecurity Regulation” or “Part 500”). The individuals and entities required to comply with the Cybersecurity Regulation include, but are not limited to, partnerships, corporations, branches, agencies, and associations operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law (referred to below as “Covered Entities”).||NYDFS 23 NYCRR 500 Overview||Get help with NYDFS 23 NYCRR 500||Yes!|
The Payment Card Industry Data Security Standard (PCI-DSS) was created by the major credit card brands in 2004 to encourage and enhance the security of credit card data. The use of the DSS, which is a prescriptive set of requirements for securing credit card data at rest and in transit, is mandated by the major card brands and is required of all organizations accepting credit card payment transactions, known as merchants.
Merchants are assigned levels based on the number of transactions they process of various brands per year. These levels determine the type of annual compliance assessment that the merchant must perform, either a self-assessment or one by a third-party Qualified Security Assessor (QSA). Failure to comply with the PCI-DSS may result in fines from credit card acquirers or even loss of the ability to accept credit card transactions. The DSS and associated standards are managed by the PCI Security Standards Council and regularly updated as new threats emerge.
PCI-DSS Document Download
|Get help with PCI-DSS v3.2||Yes!|
|Secure Controls Framework (SCF)|
The Secure Controls Framework (SCF) is a comprehensive catalog of controls that is designed to enable companies to design, build and maintain secure processes, systems and applications. The SCF addresses both cybersecurity and privacy, so that these principles are designed to be “baked in” at the strategic, operational and tactical levels.
In developing the SCF, we identified and analyzed 100 statutory, regulatory and contractual frameworks. Through analyzing these thousands of requirements, we identified commonalities and this allows several thousand unique controls to be addressed by the less than 750 controls that makeup the SCF. For instance, a requirement to maintain strong passwords is not unique, since it is required by dozens of frameworks. This allows one well-worded SCF control to address multiple requirements. This focus on simplicity and sustainability is key to the SCF, since it can enable various teams to speak the same controls language, even though they may have entirely different statutory, regulatory or contractual obligations that they are working towards.
|Secure Controls Framework Page||Get help with the Secure Controls Framework||N/A|
These reports, prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of the managements of user entities and the user entities’ auditors, as they evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions. These reports are important components of user entities’ evaluation of their internal controls over financial reporting for purposes of comply with laws and regulations such as the Sarbanes-Oxley Act and the user entities’ auditors as they plan and perform audits of the user entities’ financial statements. There are two types of reports for these engagements:
- Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
- Type 2 - report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
The use of these reports are restricted to the management of the service organization, user entities of the service organization and user auditors.
SOC 1 Information Page
Wikipedia SOC Entry
|Get help with SOC 1|
|SOC 2||SOC2 is intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. Examples of stakeholders who may need these reports are, management or those charged with governance of the user entities and of the service organization, customers of the service organization, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls.|
SOC 2 Information Page
|Get help with SOC 2||Yes!|
|SOX||Publicly-traded U.S. corporations must maintain compliance with provisions of the Sarbanes-Oxley Act of 2002 (SOX). The U.S. Securities and Exchange Commission (SEC) enforces this law directly and through oversight of the Public Company Accounting Oversight Board (PCAOB). Companies subject to SOX must establish and evaluate internal controls in accordance with other established controls frameworks such as COSO and COBIT. |
While there are high-level requirements, SOX is not prescriptive regarding the scope and approach to conducting a SOX assessment of internal controls. Corporate management establishes the design and evaluates the effectiveness of internal controls, which are also assessed externally by public accounting firms.
SEC About Page for SOX
SEC Small Business Page for SOX
|Get help with SOX|