
Cybersecurity Frameworks 101


With so many IT security frameworks out there, figuring out which one applies to your organization can be confusing. In this blog, we focus on frameworks that can be audited or certified against. This is not to say that frameworks such as COBIT or the CIS Controls (the former "CIS 20") are not valid; in fact, one of these may be the best fit for your business. When deciding which framework to tackle first, start with the one your customer base is most likely to ask for. As your organization grows, you can add others. The good news is that many frameworks overlap heavily, so evidence gathered for one often satisfies another. The even better news is that Strike Graph can be that crosswalk, providing a flexible platform that lets busy IT teams upload evidence once and apply it to many compliance initiatives.

Below, we explain each framework, who governs it, and who typically needs it.

SOC 2

What is it:
SOC stands for System and Organization Controls. SOC 2 reports are organized around five trust services criteria (formerly called "trust service principles"): security, availability, confidentiality, processing integrity, and privacy. Security is mandatory; the other four are included only where they are relevant to the service being described. SOC 2 is often called a "certification," but technically it is an attestation report issued by an independent CPA firm. It comes in two forms: a Type I report covers the design of controls at a point in time, while a Type II report covers their operating effectiveness over a review period (commonly six to twelve months). Enterprise customers usually ask for a Type II.

Governing body:
It was developed by the American Institute of CPAs (AICPA), a national professional organization for certified public accountants.

Who needs it:
SOC 2 is increasingly demanded by security-conscious enterprises from the cloud service providers they rely on: software as a service (SaaS) vendors, managed service providers, data centers, cloud storage providers, and vendors serving banking and financial services.

How Strike Graph can help:
Strike Graph’s SOC 2 solution simplifies the process and gets you audit-ready faster and with less frustration.

ISO 27001/2 (ISMS)

What is it:
ISO/IEC 27001 is an international standard that specifies the requirements for an information security management system (ISMS). ISO/IEC 27002 is its companion guidance document, which describes the controls in detail. Certification is issued against 27001 by an accredited certification body; 27002 is guidance and is not itself certifiable.

Governing body:
ISO stands for International Organization for Standardization; the 27000 series is published jointly with the International Electrotechnical Commission (IEC). ISO has developed more than 24,000 standards, ranging from environmental management to information technology.

Who needs it:
ISO 27001 certification is recommended if you market or sell your products to customers outside the U.S., where it is the more widely recognized credential. It also builds customer confidence by demonstrating a commitment to keeping confidential and sensitive information secure.

How Strike Graph can help:
Strike Graph’s audit-proven policy templates, implementation guidance from experts, and automated, ongoing evidence collection make compliance more efficient and seamless.

ISO 27701 (Privacy)

What is it:
ISO/IEC 27701 is a privacy-specific extension to ISO 27001 and 27002. It extends the ISMS into a privacy information management system (PIMS), adding requirements for organizations acting as PII controllers and as PII processors. It cannot be certified on its own; it is certified as an extension of an existing 27001 certification.

Governing body:
The same as for ISO 27001 above: ISO, jointly with the IEC.

Who needs it:
Many organizations implement 27701 to support compliance with privacy laws such as the CCPA or GDPR; its Annex D maps its requirements to the articles of the GDPR.

How Strike Graph can help:
The Strike Graph ISO suite includes the 27701 framework, which maps its controls to GDPR requirements.

HIPAA

What is it:
The Health Insurance Portability and Accountability Act, or HIPAA, was enacted in 1996. One of its purposes is to protect the privacy and security of protected health information (PHI); the HIPAA Privacy Rule and Security Rule set out the requirements that organizations are assessed against.

Governing body:
HIPAA is enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR). Because it is a law rather than a standard, there is no official HIPAA certification: compliance is self-assessed, although some audit firms offer independent attestation engagements similar to a SOC 2.

Who needs it:
The law applies to Covered Entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and to their Business Associates, the vendors that create, receive, maintain, or transmit PHI on a covered entity’s behalf. Business associates are directly liable under the Security Rule and must sign a Business Associate Agreement (BAA) with each covered entity they serve.

How Strike Graph can help:
Strike Graph has experts, tools, and templates to position you for an independent assurance or an external audit.

HITRUST CSF

What is it:
HITRUST CSF harmonizes many regulations and standards (including HIPAA, ISO 27001, NIST SP 800-53, and PCI DSS) into a single certifiable framework. CSF stands for “Common Security Framework.”

Governing body:
HITRUST CSF was developed and is maintained by HITRUST (originally the Health Information Trust Alliance), a privately held organization founded by healthcare and information security professionals.

Who needs it:
Consider HITRUST if you handle protected health information (PHI) or if a large healthcare customer asks for it. Be aware that a HITRUST certification is considerably more expensive and time-consuming than a SOC 2.

PCI DSS

What is it:
The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that stores, processes, or transmits cardholder data. Merchants fall into one of four levels based on annual transaction volume. Lower levels validate with a Self-Assessment Questionnaire (SAQ), while Level 1 (the highest volume) requires an on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance (ROC). Service providers have their own two-level scheme.

Governing body:
PCI DSS is governed by the PCI Security Standards Council (PCI SSC), which was founded by the major card brands: American Express, Discover, JCB International, Mastercard, and Visa Inc. The brands and acquiring banks, not the council, enforce compliance.

Who needs it:
If your organization processes or plans to process payment cards, regardless of volume, you must comply; non-compliance can result in fines from your acquiring bank or the card brands and, ultimately, loss of the ability to accept cards. Outsourcing card handling to a compliant payment processor (for example, a hosted payment page or tokenization) does not remove the obligation, but it can dramatically shrink your scope and qualify you for a shorter SAQ.

How Strike Graph can help:
Strike Graph facilitates the annual PCI validation (either self-assessed or audited) with control reminders, setting you up for success in not only reaching but also maintaining PCI compliance.

NIST CSF

What is it:
The NIST Cybersecurity Framework (CSF) grew out of a 2013 Obama-era executive order (EO 13636) and is the U.S. Government’s consolidation of cybersecurity and data protection best practices drawn from other standards. It organizes outcomes into functions (Identify, Protect, Detect, Respond, Recover, and, since CSF 2.0, Govern), is voluntary, and is not itself something you are certified against. NIST also publishes separate control catalogs that are often lumped in with it: SP 800-53 (security and privacy controls for U.S. federal information systems, very granular, with hundreds of controls and control enhancements) and SP 800-171 (a much shorter set of requirements, 110 in Revision 2, for protecting controlled unclassified information in contractor and subcontractor systems).

Governing body:
NIST (the National Institute of Standards and Technology) is a non-regulatory federal agency under the Department of Commerce.

Who needs it:
The CSF itself is voluntary. What is required depends on the relationship: federal agencies must implement SP 800-53 under FISMA, and defense contractors that handle CUI must implement SP 800-171 under DFARS clause 252.204-7012. Many state agencies and large customers also reference the NIST publications in their own contract requirements.

How Strike Graph can help:
Strike Graph’s evidence collection reminders help keep you on track, so annual reassessment of compliance won’t sneak up on you.

FedRAMP

What is it:
The Federal Risk and Authorization Management Program (FedRAMP) is built on the NIST SP 800-53 control baselines and lays out an authorization pathway for cloud services used by federal agencies. Systems are categorized at Low, Moderate, or High impact, and the number of required controls scales accordingly.

Governing body:
FedRAMP was established by the U.S. Office of Management and Budget (OMB) and is administered by the General Services Administration (GSA). A cloud service must be assessed by an accredited Third Party Assessment Organization (3PAO) and then receive an Authority to Operate (ATO) from a sponsoring agency or a provisional ATO from the Joint Authorization Board (JAB); under the 2024 overhaul of the program, the JAB has been replaced by a FedRAMP Board.

Who needs it:
FedRAMP is for cloud service providers that want to sell to federal agencies. An authorization granted for one agency can be reused by others, which is the program’s main purpose.

CCM

What is it:
The Cloud Controls Matrix (CCM) is a vendor-agnostic catalog of cloud security controls that helps both providers and prospective cloud customers assess the risk of a cloud implementation. Essentially, it is a spreadsheet of security domains (17 in CCM v4) broken out into control objectives, with mappings to other standards such as ISO 27001 and NIST SP 800-53.

Governing body:
The Cloud Security Alliance (CSA) established CCM as a tool for the systematic assessment of a cloud implementation.

Who needs it:
CCM is specific to cloud computing. Cloud providers who wish to list their service in the CSA Security, Trust, Assurance, and Risk (STAR) Registry (Level 1 is a self-assessment against the CCM; Level 2 is a third-party attestation or certification), as well as companies evaluating cloud providers, can benefit from the CCM.

CMMC

What is it:
CMMC stands for Cybersecurity Maturity Model Certification. The current model (CMMC 2.0) has three levels, each building on the one below: Level 1 covers the basic safeguarding requirements of FAR 52.204-21 for federal contract information and is an annual self-assessment; Level 2 covers the 110 requirements of NIST SP 800-171 and, for most contracts, requires an assessment by a certified third-party assessor organization (C3PAO); Level 3 adds a subset of NIST SP 800-172 on top of Level 2 and is assessed by the government. Only Levels 2 and 3 involve an external assessment.

Governing body:
CMMC was established by the Department of Defense (DoD) to protect federal contract information (FCI) and controlled unclassified information (CUI) that resides on the systems and networks of contractors and subcontractors across the defense supply chain.

Who needs it:
CMMC is a requirement if you plan to contract or subcontract work with the U.S. Department of Defense that involves FCI or CUI. The required level is specified in each contract, and the requirement is being phased in across new DoD contracts.
