The American Institute of Certified Public Accountants (AICPA) created the SOC 2 framework to help organizations safeguard customer data from unauthorized access and other security risks. The framework delineates five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Each criterion is intended to ensure that customer data remains secure at all times.
Supported compliance standards:
SOC 2 Type I & II
ISO/IEC 27001:2013 (ISO 27001) is an international standard that defines the requirements for an effective information security management system (ISMS). It provides a framework to help organizations protect and manage their data assets. This includes financial data, employee records, intellectual property, and third-party managed information and ensures confidentiality, integrity, and availability.
ISO 27001 (2022)
ISO 27001 is the internationally recognized standard for implementing and managing an Information Security Management System (ISMS). This standard can be used to pass an audit, guaranteeing that a business's information security protocols are up-to-date. On October 25, ISO 27001:2022 was released, replacing the previous version established in 2013.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a comprehensive set of standards, guidelines, and best practices created to help organizations manage their cybersecurity risk. This framework was developed with flexibility in mind, in order to be implemented alongside existing security processes in any industry.
The U.S. Department of Defense's Cybersecurity Maturity Model Certification (CMMC) was introduced as a means to ensure that all defense contractors comply with relevant security protocols in order to protect sensitive defense information. Companies responsible for handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) must meet the CMMC requirements to remain compliant.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal standard mandated by the Department of Health and Human Services (HHS). HIPAA compliance is enforced by the HHS Office for Civil Rights in order to safeguard protected health information (PHI). HIPAA outlines the permissible use and disclosure of PHI as set forth by HHS guidelines.
GDPR is a revolutionary set of data protection regulations designed to give people full control over information associated with them and limit the ways organizations can use personal data. Comprised of 99 distinct articles, it stands as one of the world's most comprehensive sets of privacy laws.
FedRAMP® was launched in 2011 to provide a cost-effective and risk-focused model for the federal government's use of cloud technology. FedRAMP allows agencies to adopt modern cloud services with increased attention to security and the protection of federal data. This program is essential for government operations as it ensures that cloud technologies are implemented securely and efficiently.
The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework that provides guidance on cloud implementation and security controls. It's a spreadsheet which contains 16 domains covering all aspects of cloud technology, in addition to 133 control objectives. The CCM includes comprehensive guidance on the security controls necessary for all actors within a cloud supply chain.
COBIT® 2019 (Control Objectives for Information and Related Technologies) is the most recent evolution of ISACA's globally recognized and utilized COBIT framework. This broad and comprehensive framework was developed to support understanding, designing, and implementing the management and governance of enterprise IT.
The California Consumer Privacy Act of 2018 (CCPA) grants Californian consumers greater control over the personal information businesses collect from them. To that end, the CCPA gives organizations clear and comprehensive directions on how they can comply with the law. Businesses governed by the CCPA have a set of legal obligations, such as handling consumer rights requests and providing customers with the required notices about their privacy practices.
The CIS Critical Security Controls (CIS Controls) are a globally implemented set of best practices used to boost an organization's cybersecurity. Thousands of professionals worldwide use the CIS Controls today, and they are continually updated through a collaborative consensus-based approach. The CIS Controls prioritize and simplify the steps necessary to form a strong cybersecurity defense.
NIST Special Publication 800-171 (NIST 800-171) is a federal standard that establishes procedures for how defense contractors and subcontractors manage "controlled, unclassified information," or CUI. CUI consists of personal data, intellectual property, equipment specs, logistical plans and other confidential defense-related information. Compliance with this standard is vital in protecting valuable information.
NIST Privacy Framework v1.0
NIST created the Privacy Framework as a collaborative tool to help organizations protect individuals' privacy while also creating innovative products and services. The intent is to allow organizations to better identify and manage potential privacy-related risks. This voluntary framework is intended to be a useful resource in navigating the ever-evolving technological landscape.
SOC 1 Type 2 Controls
A SOC 1 Type 2 report is an internal controls assessment designed to meet the needs of OneLogin customers' management and their auditors. The independent third-party auditor who issues the SOC 1 reports periodically performs an examination in accordance with SSAE No. 16 and ISAE No. 3402 so that customers, both in the US and abroad, can use them to evaluate how OneLogin's controls affect their own internal financial reporting processes.
The Payment Card Industry Data Security Standard (PCI DSS) is a vital tool for any organization that handles credit card information. This set of security standards is carefully designed to protect and secure payment accounts during the entirety of the transaction process. Changes in PCI security standards are regularly made with a focus on improving data safety. All companies that accept, process, store, or transmit credit card data should be sure to abide by these standards.
Minimum Acceptable Risk Standards (MARS) compliance is designed to ensure the availability, confidentiality, and integrity of protected health information (PHI), personally identifiable information (PII), and federal tax information (FTI). Developed by the Centers for Medicare and Medicaid Services (CMS), the standards are based on the National Institute of Standards and Technology (NIST) Special Publication 800-53.
TX-RAMP (Texas Department of Information Resources program) is a data security certification requirement for cloud computing services. It provides "a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency."
ISO/IEC 27018 is an important international standard that focuses on protecting the privacy of Personally Identifiable Information (PII). It is part of the larger ISO/IEC 27000 family, and serves as a vital first step for cloud service providers in assessing risk and implementing appropriate security measures for PII. This industry-driven initiative creates a secure foundation for cloud computing services.
The SCF (Secure Controls Framework) presents a broad range of security and privacy controls to streamline the process of creating and sustaining secure processes, systems, and applications. The SCF is designed to maximize cybersecurity protection at all levels: strategic, operational, and tactical. It encourages companies to establish robust, layered protection systems that defend against both cybercriminal threats and unsanctioned data access or misuse.
Secure Controls Framework (SCF) provides organizations with a comprehensive approach to cybersecurity and privacy compliance across all operational levels. This framework offers the guidance needed to implement and maintain internal controls in line with business objectives.
ISO/IEC 27701 enables organizations to put in place policies and standards for the handling of Personally Identifiable Information (PII), thus enhancing their ability to comply with GDPR and other data privacy regulations. This information security standard provides guidelines on how Data Controllers and Data Processors should manage PII, making this a valuable tool for promoting data privacy within organizations.
ISO/IEC 27017:2015 offers rigorous guidance in the security elements of cloud computing. It suggests that cloud service providers adhere to the ISO/IEC 27002 and ISO/IEC 27001 standards while implementing specific information security controls. This code of practice provides clear instructions for additional information security control implementation based on the various cloud services being used.
Microsoft Data Protection Regulations (DPR) are annual requirements that Microsoft suppliers enrolled in the SSPA program must abide by. The regulations ensure the appropriate processing of Personal Data and Confidential Data. All Microsoft suppliers are expected to adhere to these regulations in order to remain compliant with Microsoft requirements.
TISAX is an industry-standard method for assessing and exchanging information security for enterprises. By utilizing TISAX, companies can not only simplify the process of evaluating their own suppliers' level of data security but also determine appropriate ways to handle sensitive customer information. In short, TISAX provides a straightforward evaluation of data protection.
This framework provides the essential elements of a successful privacy management program. It is not comprehensive and does not substitute for compliance with all aspects of data protection regulations, so it should be carefully evaluated against your organization's specific needs. Additionally, other guidance such as GDPR should be consulted when necessary.
Essential Eight (ACSC)
Australian organizations of all sizes must defend themselves against malicious cyber threats. To that end, the Australian Cyber Security Centre (ACSC) offers a baseline to help protect systems from these threats: the Essential Eight, eight key mitigation strategies defined by ACSC's Strategies to Mitigate Cyber Security Incidents. Adopting this baseline makes it much more difficult for adversaries to gain access and compromise systems.
AESCSF - AEMO
The Australian Energy Sector Cyber Security Framework (AESCSF) is the result of a collaborative effort between government and industry stakeholders, such as the Australian Energy Market Operator (AEMO), Australian Cyber Security Centre (ACSC), Cyber and Infrastructure Security Centre (CISC), as well as multiple energy organizations from Australia. The framework is designed to ensure the highest level of security in the energy sector.
FTC Safeguards Rule
The FTC Safeguards Rule ensures that entities covered by the Rule maintain safeguards to protect the security of customer information. It applies to financial institutions subject to the FTC’s jurisdiction that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805.
UK Cyber Essentials
UK Cyber Essentials is a government-supported program that provides organizations of any size an effective way to guard against commonly occurring cyber attacks. With two levels, Cyber Essentials and Cyber Essentials Plus, businesses can proactively protect themselves from security risks.
Motion Picture Association
The MPA manages security assessments at entertainment vendor facilities on behalf of its member studios. It publishes a set of Content Security Best Practices that outlines standard controls to help secure content across production, post-production, marketing, and distribution.
The Cloud Controls Matrix (CCM) and the corresponding Consensus Assessments Initiative Questionnaire (CAIQ) are a comprehensive set of security controls and practices, based on the CSA best practices. The CCM provides an industry-standard cybersecurity control framework tailored specifically to cloud computing.
Prudential Standard CPS 234
This Prudential Standard is designed to help ensure that APRA-regulated entities have the capability to safeguard themselves against information security incidents (including cyberattacks). Such entities are required to maintain an information security capability commensurate with the threats and vulnerabilities they face.
The Protective Security Policy Framework (PSPF) outlines the Australian Government's protective security policy. The framework provides guidance to all government bodies on how to effectively implement the policy in four key areas: personnel, physical, governance, and information security. With the PSPF, government organizations are able to ensure effective security measures.
FFIEC Cybersecurity Assessment
In an effort to help financial institutions recognize potential risks and determine their cybersecurity preparedness, the Federal Financial Institutions Examination Council has developed the Cybersecurity Assessment Tool. This tool is based on the ideas within the FFIEC Information Technology Examination Handbook, NIST Cybersecurity Framework, and industry-established best practices.
New Zealand Information Security Manual (NZISM)
The New Zealand Information Security Manual provides the essential controls and processes necessary for protecting all New Zealand Government information and systems. In addition, the manual provides supplemental controls that are recommended for optimum security: measures that go beyond the minimum acceptable baseline.