Every organization faces different challenges when it comes to governance, risk, and compliance (GRC). Multiple frameworks can apply to the same organization, making compliance difficult to keep track of. We thought it might be nice to have all of the major frameworks in one, convenient platform called Defensix to help organizations save time, energy, and resources.
You may know which frameworks are required for your organization, but new information and updates are published every day. This presents a challenge to organizations trying to stay ahead of compliance and best-practice requirements. We thought it might be helpful to have a little insight into the requirements of the various frameworks and how they might apply to your organization now, or at some point in the future. Below you’ll find a bit about each of the frameworks that Defensix streamlines into one unified framework. Here is the breakdown.
- 23 NYCRR Part 500
- CIS Critical Security Controls
- FFIEC IT Handbook: Information Security
- HITRUST CSF
- ISO 27001
- NIST SP 800-171
- NIST SP 800-53
- NIST CSF
- OECD Privacy Principles
- PCI DSS 3.2
- SOC 2
23 NYCRR Part 500
As of March 1, 2019, financial, banking, and insurance organizations must be compliant with the New York State Department of Financial Services regulation 23 NYCRR Part 500. NYCRR stands for New York Codes, Rules and Regulations, which is exactly what you think it is, published by the New York State Department of State. 23 NYCRR Part 500 applies to any entity providing financial services.
It contains risk-based minimum standards for information technology systems, including data protection and encryption, access controls, and penetration testing. The regulatory framework requires financial services organizations to assess risk and create comprehensive plans to recognize and mitigate risk. It also requires:
- Adequately funded programs that are overseen by a Chief Information Security Officer (CISO), which can include a third-party service provider, and implemented by qualified cybersecurity personnel.
- Effective incident response plans, including preservation of the data needed to respond to data breaches and notice to the NYDFS within 72 hours of material events.
- Accountability provided by identification and documentation of deficiencies, remediation plans, and certifications of compliance on an annual basis.
- Audit trails designed to detect and respond to cybersecurity events.
- Annual reports covering the risks faced, all material events, and the impact on protected data.
More resources for 23 NYCRR Part 500:
CIS Critical Security Controls (CSC 20)
Spearheaded by the National Security Agency (NSA), the CIS Critical Security Controls are a set of 20 best-practice security controls organized into three categories: basic, foundational, and organizational. CSC 20 is a general guideline for entities across all industries. Here is a little more detail about the control categories:
- Basic CIS Controls
  - Inventory and Control of Hardware Assets
  - Inventory and Control of Software Assets
  - Continuous Vulnerability Management
  - Controlled Use of Administrative Privileges
  - Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Foundational CIS Controls
  - Email and Web Browser Protections
  - Malware Defenses
  - Limitation and Control of Network Ports, Protocols and Services
  - Data Recovery Capabilities
  - Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
  - Boundary Defense
  - Data Protection
  - Controlled Access Based on the Need to Know
  - Wireless Access Control
  - Account Monitoring and Control
- Organizational CIS Controls
  - Implement a Security Awareness and Training Program
  - Application Software Security
  - Incident Response and Management
  - Penetration Tests and Red Team Exercises
For more information about CSC 20 visit:
FedRAMP
Federal Risk and Authorization Management Program. Besides being a fun name to say, this framework, developed in collaboration with NIST, GSA, DOD, and DHS, is how the U.S. government standardizes the application of the Federal Information Security Management Act (FISMA) to cloud computing services. Its aim is to “simplify security for the digital age by providing a standardized approach to security assessments, authorization, and continuous monitoring for the cloud products and services.”
FedRAMP is intended to be a “do once, use many times” framework which includes:
- Standardized security requirements
- Conformity assessment identifying qualified independent, third-party security assessors
- Repository of authorization packages for secure clouds that all Agencies can leverage
- Standardized ongoing assessment and authorization approach for Government clouds
- Standardized contract language to help Agencies integrate FedRAMP requirements and best practices into acquisitions
Learn more about FedRAMP here:
FFIEC IT Handbook: Information Security
The Federal Financial Institutions Examination Council publishes and updates its own IT Handbook, which includes a thorough section on information security. It is designed to help institutions implement best-practice solutions for common IT problems.
The FFIEC IT Handbook’s purpose is “to guide examiners on factors to assess information security risks and procedures to evaluate the adequacy of the information security program.”
The FFIEC IT Handbook covers the following:
- Information Security Program Management
- Risk Management
- Risk Mitigation
- Inventory and Classification of Assets
- User Security Controls
- Physical Security
- Network Controls
- Change Management within the IT Environment
- Control of Information
- Logical Security
- Customer Remote Access to Financial Services
- Application Security
- Database Security
- Business Continuity
- Security Operations
- Threat Identification and Assessment
- Incident Identification and Assessment
- Assurance and Testing
Access more about the FFIEC IT Handbook on Information Security here
GDPR
This famous, or rather infamous, framework has seen a lot of attention as of late. The General Data Protection Regulation (GDPR) is the European Union’s (EU) plan to hold companies more responsible for the handling and protection of personal data. It applies to any and every organization that does business in the EU or with customers in the EU. It went into full effect on May 25, 2018, and major companies have been hit with massive penalties for lack of compliance. Don’t be one of those companies.
Here is a bit of what GDPR entails. Entities within or dealing within the EU must:
- Establish proper security frameworks
- Hire a Data Protection Officer (DPO)
- Receive explicit consent of customers
- Conduct a data protection impact assessment
- Outline and implement precise procedures and policies in case of a data breach
- Report a breach within 72 hours after the event
Organizations that are not compliant with GDPR face severe penalties, including but not limited to a fine of 20 million Euros or 4 percent of a company’s global revenue, whichever is higher.
Read more about GDPR and the EU’s cybersecurity policies at:
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule “establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity…requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
This framework applies to health plans, health care clearinghouses, any health care provider who transmits health information in electronic form in connection with a transaction, and their business associates. Definitions for certain terms can be found here.
HIPAA is an oldie but a goodie. It took effect on April 20, 2005 (April 20, 2006, for small health plans). In cases of dispute between state and federal regulations, HIPAA takes precedence over state regulations.
The HIPAA Security Rule includes:
- Administrative Safeguards
  - Security Management Process
  - Security Personnel
  - Information Access Management
  - Workforce Training and Management
- Physical Safeguards
  - Facility Access and Control
  - Workstation and Device Security
- Technical Safeguards
  - Access Control
  - Audit Controls
  - Integrity Controls
  - Transmission Security
Check out more about HIPAA Security Rule at:
HITRUST CSF
Learn more about the HITRUST CSF at:
ISO 27001
The International Organization for Standardization (ISO) has created a family of standards to keep information assets secure. ISO 27001 is the best-known member of the family and covers requirements for information security management systems.
ISO 27001 is built to systematically examine an organization’s information security risks, including but not limited to threats, vulnerabilities, and impacts. It outlines requirements for:
- Information security in project management
- Restrictions on software installation
- Secure development policy
- Secure system engineering principles
- Secure development environment
- System security testing
- Information security policy for supplier relationships
- Information and communication technology supply chain
- Assessment of and decision on information security events
- Response to information security incidents
- Availability of information processing facilities
A great, easy to understand overview of ISO 27001 can be found at:
NIST SP 800-171
The National Institute of Standards and Technology, a part of the U.S. Department of Commerce, developed a special publication entitled Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, more commonly referred to as NIST 800-171. It was last updated on December 20, 2017, and was designed to provide federal agencies with recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI).
It is conditional upon the following:
- “When the CUI is resident in nonfederal information systems and organizations;
- When the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and
- Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.”
Read more here:
NIST SP 800-53
Another important special publication by NIST is entitled Security and Privacy Controls for Federal Information Systems and Organizations, or NIST 800-53. It provides a catalog of security and privacy controls for federal information systems and organizations. It details a process for selecting controls to protect organizational operations and the Nation from a variety of threats, including hostile cyber-attacks, natural disasters, structural failures, and human error.
This special publication draws on legislation, Executive Orders, policies, directives, regulations, standards, and needs. It addresses security from both a functionality and an assurance perspective to ensure that IT products and information systems are sufficiently trustworthy.
Check out more about NIST SP 800-53 here:
NIST CSF
This ongoing collaborative effort involving industry, academia, and the government was originally released in February 2014. The Cybersecurity Framework (CSF) was developed to offer a flexible way to address cybersecurity, specifically its effect on the physical, cyber, and people dimensions of an organization.
According to NIST, it is “applicable to organizations relying on technology, whether their cybersecurity focus is primarily on information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), or connected devices more generally, including the Internet of Things (IoT).”
It is not a one-size-fits-all but can aid in determining activities and priorities to invest in to maximize spending.
Learn more about the NIST CSF here:
OECD Privacy Principles
The privacy principles derived from the OECD Privacy Guidelines are as follows:
- Collection Limitation Principle
- Data Quality Principle
- Purpose Specification Principle
- Use Limitation Principle
- Security Safeguards Principle
- Openness Principle
- Individual Participation Principle
- Accountability Principle
Find more detail at:
PCI DSS 3.2
The Payment Card Industry (PCI) Security Standards Council created the Data Security Standard (DSS) as a framework to safeguard payment data before, during, and after purchase. It is designed to address growing threats to customer payment information.
Here is a quick big-picture overview of PCI DSS 3.2 and the control objectives it sets out:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Read more at:
SOC 2
The American Institute of CPAs (AICPA) developed the System and Organization Controls for Service Organizations: Trust Services Criteria to ensure providers securely manage data. The goal is to protect the interests of an organization and the privacy of its clients.
There are a few different SOC reports, but SOC 2 is specifically designed around the trust services criteria. It includes controls regarding:
- Network/application firewalls
- Two-factor authentication
- Intrusion detection
- Performance monitoring
- Disaster recovery
- Security incident handling
- Processing integrity
- Quality assurance
- Processing monitoring
- Access Controls
Read more info at:
If you are reading this, you survived the acronyms. We applaud your determination and stamina. We know it’s a lot of information but we hope it is a helpful overview of which frameworks are included in the Defensix GRC Unified Framework module. New rules and regulations are coming into effect every month or two and we will be adding more frameworks to the GRC module as time goes on.
Questions? Please feel free to reach out here.
*Please note that rules, regulations, and frameworks are updated regularly. Please check frequently with the originating organization of each framework for the most current information available.