Compliance Frameworks

Compress Your Audit Cycle and Maintain Compliance with TruOps

TruOps Content Library

Access to All the Common Frameworks in One Place

At TruOps, we understand compliance can be a complex and time-consuming task, especially around audit time—and we want to make it easier for you. The TruOps platform includes an extensive content library of pre-mapped controls for all the major security frameworks including ISO 27001, PCI-DSS, HIPAA and NIST. Our controls are updated on a quarterly basis to ensure constant compliance. Learn more in the list below:

23 NYCRR 500

The New York State Department of Financial Services (DFS) has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors. Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data. Cybercriminals can cause significant financial losses for DFS regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes. The financial services industry is a significant target of cybersecurity threats. DFS appreciates that many firms have proactively increased their cybersecurity programs with great success.

Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.

It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.

More About 23 NYCRR 500

CCPA

As of 2020, California-based businesses with revenues exceeding $25 million must meet the requirements of this stringent regulation. But the CCPA doesn’t end at the state’s borders. Companies around the world that collect or sell data on California residents or households may also need to comply.

CCPA compliance won’t be easy. The act gives Californians the right to consent to their data’s use, to find out who is using it and for what, and to opt out at any time. The onus is on businesses to track, protect, and, upon request, produce that data. Noncompliance or a data breach could cost many thousands of dollars.

More About CCPA

CIS20

CIS Critical Security Controls Version 8

The CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks. CIS Controls v8 has been enhanced to keep up with modern systems and software. Movement to cloud-based computing, virtualization, mobility, outsourcing, Work-from-Home, and changing attacker tactics prompted the update and supports an enterprise’s security as they move to both fully cloud and hybrid environments.

More About CIS20

CMMC

The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the DIB. It is designed to protect sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the Department increased assurance that contractors and subcontractors are meeting these requirements.

The framework has three key features:

  • Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for information flow down to subcontractors.
  • Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
  • Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

More About CMMC

COBIT 5

COBIT v5 (Control Objectives for Information and Related Technologies) is a framework created by international professional association ISACA for IT management and governance. It is generic and useful for enterprises of all sizes and across industries, including commercial, not-for-profit, and the public sector. The framework incorporates the latest thinking in enterprise governance and management techniques and provides globally accepted principles, practices, analytical tools and models to help increase the trust in—and value from—information systems. It is meant to be a supportive tool for managers to bridge gaps among technical issues, business risks and control requirements.

More About COBIT 5

EU/US Privacy Shield (EU GDPR)

Taken from the International Trade Associate Privacy Shield site:
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively , to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. The Privacy Shield program enables U.S.-based organizations to join one or both of the Privacy Shield Frameworks in order to benefit from the adequacy determinations. To join either Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce (via this website) and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. All organizations interested in self-certifying to the EU-U.S. Privacy Shield Framework or Swiss-U.S. Privacy Shield Framework should review the requirements in their entirety.

More About Privacy Shield

GLBA

In 1999, President Clinton signed the Gramm-Leach-Bliley Act (GLBA) into law. The act essentially updated and replaced the 70-year-old Glass-Steagall Act and provided greater opportunities for financial institutions to offer more services. Before 1999, banks’ ability to consolidate was quite limited; investment banks, commercial banks, and insurance companies were considered separate, and the merging of any of these services was typically illegal. The GLBA removed this regulation but meant that the financial institutions would be governed more strictly in consumer privacy, consumer data sales, and information sharing. These components are codified in the Financial Privacy Rule, the Safeguards Rule, and Pretexting Provision of the act.

More About GLBA

HIPAA

The Health Insurance Portability and Accountability act (HIPAA) defines rules for the security and privacy of healthcare information, called Protected/Personal Health Information (PHI). The U.S. Department of Health & Human Services (HHS) is responsible for enforcement.

You may be subject to HIPAA if you are a:

  • Covered Entity: a business that generates or processes PHI
  • Business Associate: a business supporting a Covered Entity

More About HIPAA

ISO 9001:2015

ISO 9001:2015 specifies requirements for a quality management system when an organization:

  • needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and
  • aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.

All the requirements of ISO 9001:2015 are generic and are intended to be applicable to any organization, regardless of its type or size, or the products and services it provides.

More About ISO 9001:2015

ISO 27001/2, 27017, 27018

The ISO/IEC 27000 family of standards helps organizations keep information assets secure.

Within the ISO 27000 family of standards there are a variety of frameworks which focus on specific areas of information security.

  • 27001:2013 is the best-known standard in the family providing requirements for an information security management system (ISMS).
  • 27002:2013 contains guidelines for organizational information security standards and information security management practices. This includes the selection, implementation and management of controls, taking into consideration the organization’s information security risk environment(s).
  • 27017:2015 provides guidance for information security controls applicable to the provision and use of cloud services.
  • 27018:2014 establishes control objectives, controls, and guidelines for protecting Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

More About ISO 27000 Family of Standards

NIST 800-53

Security and Privacy Controls for Information Systems and Organizations

This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines. Finally, the consolidated control catalog addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms provided by the controls) and from an assurance perspective (i.e., the measure of confidence in the security or privacy capability provided by the controls). Addressing functionality and assurance helps to ensure that information technology products and the systems that rely on those products are sufficiently trustworthy.

Revision 5 of this foundational NIST 800-53 publication represents a multi-year effort to develop the next generation of security and privacy controls that will be needed to accomplish the above objectives. It includes changes to make the controls more usable by diverse consumer groups (e.g., enterprises conducting mission and business functions; engineering organizations developing information systems, IoT devices, and systems-of-systems; and industry partners building system components, products, and services). The most significant changes to this publication include:

  • Making the controls more outcome-based by removing the entity responsible for satisfying the control (i.e., information system, organization) from the control statement;
  • Integrating information security and privacy controls into a seamless, consolidated control catalog for information systems and organizations;
  • Establishing a new supply chain risk management control family;
  • Separating control selection processes from the controls, thereby allowing the controls to be used by different communities of interest, including systems engineers, security architects, software developers, enterprise architects, systems security and privacy engineers, and mission or business owners;
  • Removing control baselines and tailoring guidance from the publication and transferring the content to NIST SP 800-53B, Control Baselines for Information Systems and Organizations;
  • Clarifying the relationship between requirements and controls and the relationship between security and privacy controls; and
  • Incorporating new, state-of-the-practice controls (e.g., controls to support cyber resiliency, support secure systems design, and strengthen security and privacy governance and accountability) based on the latest threat intelligence and cyber-attack data.

More About NIST 800-53

NIST 800-171

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its essential missions and functions. This publication provides agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI Registry. The requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components. The security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

More About NIST 800-171

NIST CSF 1.1

In response to Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” the National Institute of Standards and Technology (NIST) published the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework or CSF). The CSF is designed to drive an organization’s cybersecurity efforts through a risk-based management process. It contains a set of requirements hierarchically structured into Functions, Categories, and Subcategories, as well as Informative References which point to other security frameworks such as ISO 27001, NIST SP 800-53, and COBIT.

The overall framework is structured in three parts:

  1. The Framework Core: A set of cybersecurity requirements, desired outcomes, and the Informative References that guide implementation of security controls framework.
  2. Implementation Tiers: Describe a level of achievement in an organization’s approach to cybersecurity risk assessment and management, representing maturation from informal, reactive processes to risk-driven proactive ones. They range from Partial (Tier 1) to Adaptive (Tier 4).
  3. Framework Profile: Represents the state of an organization’s cybersecurity efforts based on analysis against the Framework Categories and Subcategories. A Current Profile is created to judge the organization’s as-is state, and a Target Profile is created to identify gaps, opportunities, and the desired outcome of cybersecurity improvement efforts.

More About NIST CSF

PCI-DSS v4.0

The Payment Card Industry Data Security Standard (PCI-DSS) was created by the major credit card brands in 2004 to encourage and enhance the security of credit card data.  The use of the DSS, which is a prescriptive set of requirements for securing credit card data at rest and in transit, is mandated by the major card brands and is required of all organizations accepting credit card payment transactions, known as merchants.

Merchants are assigned levels based on the number of transactions they process of various brands per year.  These levels determine the type of annual compliance assessment that the merchant must perform, either a self-assessment or one by a third-party Qualified Security Assessor (QSA).  Failure to comply with the PCI-DSS may result in fines from credit card acquirers or even loss of the ability to accept credit card transactions. The DSS and associated standards are managed by the PCI Security Standards Council and regularly updated as new threats emerge.

More About PSI-DSS

SOC 1 / SSAE 16 / ISAE 3402

From AICPA.org:

These reports, prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of the managements of user entities and the user entities’ auditors, as they evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions. These reports are important components of user entities’ evaluation of their internal controls over financial reporting for purposes of complying with laws and regulations such as the Sarbanes-Oxley Act and for the user entities’ auditors as they plan and perform audits of the user entities’ financial statements. There are two types of reports for these engagements:

  • Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
  • Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

The use of these reports is restricted to the management of the service organization, user entities of the service organization and user auditors.

More About SOC 1

SOC 2 / SOC 3

SOC 2 is intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information these systems process. Examples of stakeholders who may need these reports are: management or those charged with governance of the user entities and of the service organization, customers of the service organization, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls.

More About SOC 2

SOX

Publicly traded U.S. corporations must maintain compliance with provisions of the Sarbanes-Oxley Act of 2002 (SOX). The U.S. Securities and Exchange Commission (SEC) enforces this law directly and through oversight of the Public Company Accounting Oversight Board (PCAOB). Companies subject to SOX must establish and evaluate internal controls in accordance with other established controls frameworks such as COSO and COBIT.

While there are high-level requirements, SOX is not prescriptive regarding the scope and approach to conducting a SOX assessment of internal controls. Corporate management establishes the design and evaluates the effectiveness of internal controls, which are also assessed externally by public accounting firms.

More About SOX