Compress Your Audit Cycle and Maintain Compliance with TruOps
TruOps Content Library
Access to All the Common Frameworks in One Place
At TruOps, we understand compliance can be a complex and time-consuming task, especially around audit time—and we want to make it easier for you. The TruOps platform includes an extensive content library of pre-mapped controls for all the major security frameworks including ISO 27001, PCI-DSS, HIPAA and NIST. Our controls are updated on a quarterly basis to ensure constant compliance. Learn more in the list below:
As of 2020, California-based businesses with revenues exceeding $25 million must meet the requirements of the California Consumer Privacy Act (CCPA). But the CCPA doesn’t end at the state’s borders. Companies around the world that collect or sell data on California residents or households may also need to comply.
CCPA compliance won’t be easy. The act gives Californians the right to consent to their data’s use, to find out who is using it and for what, and to opt out at any time. The onus is on businesses to track, protect, and, upon request, produce that data. Noncompliance or a data breach could cost many thousands of dollars.
COBIT v5 (Control Objectives for Information and Related Technologies) is a framework created by international professional association ISACA for IT management and governance. It is generic and useful for enterprises of all sizes and across industries, including commercial, not-for-profit, and the public sector. The framework incorporates the latest thinking in enterprise governance and management techniques and provides globally accepted principles, practices, analytical tools and models to help increase the trust in—and value from—information systems. It is meant to be a supportive tool for managers to bridge gaps among technical issues, business risks and control requirements.
Taken from the International Trade Administration Privacy Shield site:
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. The Privacy Shield program enables U.S.-based organizations to join one or both of the Privacy Shield Frameworks in order to benefit from the adequacy determinations. To join either Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce (via this website) and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. All organizations interested in self-certifying to the EU-U.S. Privacy Shield Framework or Swiss-U.S. Privacy Shield Framework should review the requirements in their entirety.
The Health Insurance Portability and Accountability Act (HIPAA) defines rules for the security and privacy of healthcare information, called Protected Health Information (PHI). The U.S. Department of Health & Human Services (HHS) is responsible for enforcement.
You may be subject to HIPAA if you are a:
- Covered Entity: a business that generates or processes PHI
- Business Associate: a business supporting a Covered Entity
The ISO/IEC 27000 family of standards helps organizations keep information assets secure.
Within the ISO 27000 family of standards there are a variety of frameworks which focus on specific areas of information security.
- 27001:2013 is the best-known standard in the family, providing requirements for an information security management system (ISMS).
- 27002:2013 contains guidelines for organizational information security standards and information security management practices. This includes the selection, implementation and management of controls, taking into consideration the organization’s information security risk environment(s).
- 27017:2015 provides guidance for information security controls applicable to the provision and use of cloud services.
- 27018:2014 establishes control objectives, controls, and guidelines for protecting Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
In response to Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” the National Institute of Standards and Technology (NIST) published the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework or CSF). The CSF is designed to drive an organization’s cybersecurity efforts through a risk-based management process. It contains a set of requirements hierarchically structured into Functions, Categories, and Subcategories, as well as Informative References which point to other security frameworks such as ISO 27001, NIST SP 800-53, and COBIT.
The overall framework is structured in three parts:
- The Framework Core: A set of cybersecurity requirements, desired outcomes, and the Informative References that guide implementation of security controls.
- Implementation Tiers: Describe a level of achievement in an organization’s approach to cybersecurity risk assessment and management, representing maturation from informal, reactive processes to risk-driven proactive ones. They range from Partial (Tier 1) to Adaptive (Tier 4).
- Framework Profile: Represents the state of an organization’s cybersecurity efforts based on analysis against the Framework Categories and Subcategories. A Current Profile is created to judge the organization’s as-is state, and a Target Profile is created to identify gaps, opportunities, and the desired outcome of cybersecurity improvement efforts.
The Payment Card Industry Data Security Standard (PCI-DSS) was created by the major credit card brands in 2004 to encourage and enhance the security of credit card data. The use of the DSS, which is a prescriptive set of requirements for securing credit card data at rest and in transit, is mandated by the major card brands and is required of all organizations accepting credit card payment transactions, known as merchants.
Merchants are assigned levels based on the number of transactions of each card brand they process per year. These levels determine the type of annual compliance assessment the merchant must perform: either a self-assessment or an assessment by a third-party Qualified Security Assessor (QSA). Failure to comply with the PCI-DSS may result in fines from credit card acquirers or even loss of the ability to accept credit card transactions. The DSS and associated standards are managed by the PCI Security Standards Council and regularly updated as new threats emerge.
SOC 1 reports, prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of the management of user entities and the user entities’ auditors as they evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions. These reports are important components of user entities’ evaluation of their internal controls over financial reporting for purposes of complying with laws and regulations such as the Sarbanes-Oxley Act, and for the user entities’ auditors as they plan and perform audits of the user entities’ financial statements. There are two types of reports for these engagements:
- Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
- Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
The use of these reports is restricted to the management of the service organization, user entities of the service organization and user auditors.
SOC 2 is intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information these systems process. Examples of stakeholders who may need these reports are: management or those charged with governance of the user entities and of the service organization, customers of the service organization, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls.
Publicly traded U.S. corporations must maintain compliance with provisions of the Sarbanes-Oxley Act of 2002 (SOX). The U.S. Securities and Exchange Commission (SEC) enforces this law directly and through oversight of the Public Company Accounting Oversight Board (PCAOB). Companies subject to SOX must establish and evaluate internal controls in accordance with other established controls frameworks such as COSO and COBIT.
While there are high-level requirements, SOX is not prescriptive regarding the scope and approach to conducting a SOX assessment of internal controls. Corporate management establishes the design and evaluates the effectiveness of internal controls, which are also assessed externally by public accounting firms.