Security Frameworks
Guidelines used for building plans to help mitigate risk and threats to data and privacy.
Purpose of Security Frameworks
Protecting PII.
Securing financial information.
Identifying security weakness.
Managing organizational risk.
Four Core Components of Frameworks
Goals: Identifying and documenting security goals.
Guidelines: Setting guidelines to achieve security goals.
Processes: Implementing strong security processes.
Communication: Monitoring and communicating results.
Security Controls
Safeguards designed to reduce a specific security risk.
CIA Triad
A foundational model that helps inform how organizations consider risk when setting up systems and security policies.
CIA
Confidentiality: Only authorized users can access specific assets or data.
Integrity: Data is correct, authentic, and reliable, and has not been altered without authorization.
Availability: Data and systems are accessible to authorized users when they need them.
Asset
An item perceived as adding value to an organization.
NIST Cybersecurity Framework (CSF)
A voluntary framework that consists of standards, guidelines and best practices to manage cybersecurity risk.
Risk Management Framework (RMF)
Provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle.
The Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC)
FERC-NERC refers to the regulatory requirements, developed by NERC and approved and enforced by FERC, that apply to organizations that work with electricity or that are involved with the U.S. and North American power grid.
The Federal Risk and Authorization Management Program (FedRAMP®)
FedRAMP is a U.S. federal government program that standardizes security assessment, authorization, monitoring, and handling of cloud services and product offerings.
Center for Internet Security (CIS®)
CIS is a nonprofit that publishes security guidance in several areas. It provides a prioritized set of controls (the CIS Controls) that can be used to safeguard systems and networks against attacks.
General Data Protection Regulation (GDPR)
GDPR is a European Union (E.U.) data protection regulation that governs the processing of personal data of people in the E.U. and protects their right to privacy; it applies to organizations both inside and outside E.U. territory that handle that data.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is an international security standard meant to ensure that organizations storing, accepting, processing, and transmitting credit card information do so in a secure environment.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a U.S. federal law established in 1996 to protect patients' health information. It restricts how protected health information may be used or disclosed without the patient's authorization. It is governed by three rules:
Privacy
Security
Breach notification
International Organization for Standardization (ISO)
ISO was created to establish international standards related to technology, manufacturing, and management across borders.
System and Organization Controls (SOC 1, SOC 2)
The American Institute of Certified Public Accountants® (AICPA) auditing standards board developed this standard. SOC 1 reports cover controls relevant to a customer's financial reporting; SOC 2 reports cover controls for security, availability, processing integrity, confidentiality, and privacy. Each comes as a Type I report (control design at a point in time) or a Type II report (operating effectiveness over a period). Among the controls examined are an organization's user access policies at different organizational levels such as:
Associate
Supervisor
Manager
Executive
Vendor
Others