COMPLIANCE FRAMEWORKS AND STANDARDS
What do you need help complying with?
A U.S.-based framework that examines a service organization's security and operational controls and reports on their design and operating effectiveness to customers or other end users.
System and Organization Controls (SOC 2) is a widely accepted, industry-agnostic IT framework that clients doing business in the United States often require of their service providers.
If you are a service provider, we recommend having a completed SOC 2 to substantiate your security, confidentiality, availability, processing integrity and / or privacy practices to your clients. This is the baseline framework that we recommend starting with in most cases.
A regulation to protect European personal data.
The General Data Protection Regulation (GDPR) was created in response to European citizens' request for consistent data protection rights across the European Union (EU).
If your company stores or processes European personal information, regardless of where the business is located, you need to comply with the GDPR.
SARBANES-OXLEY 404
A U.S. law requiring publicly traded companies to provide assurance over the accuracy of their financial statements.
Section 404 of the Sarbanes-Oxley Act (SOX) requires management of public companies and their external auditor to report on the adequacy of the company's internal controls over financial reporting (ICOFR).
If you are a publicly traded company or are getting ready to go public with an IPO, you need SOX compliance.
A U.S. law protecting patient healthcare information.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. law that provides data privacy and security provisions for safeguarding medical information.
If you handle protected health information (health care clearinghouses, health care providers, and health plans), or contract with others that do (business associates), you need to comply with HIPAA.
A U.S. mandate requiring non-government entities in the private sector to protect unclassified government information.
The National Institute of Standards and Technology (NIST) Special Publication 800-171 applies to the protection of Controlled Unclassified Information (CUI) shared by the federal government with a nonfederal entity. When a federal entity shares information with a private company, the federal entity needs assurance that the information is protected.
If you conduct business directly or indirectly as a supplier to a federal entity (defense, government, or a subcontractor selling to a government supplier), then you need to comply with NIST 800-171.
An internationally recognized framework providing assurance over an organization's information security management system (ISMS).
ISO 27001 is an international standard published by the International Organization for Standardization (ISO). It is a formal framework of specifications and guidelines that organizations use to develop and manage their information security management system (ISMS), and it is recognized by companies globally.
Part of the process of getting certified in ISO 27001 involves assessing and monitoring the security risks, threats, vulnerabilities and impacts to your ISMS. If you want assurance that your company is following leading practices for information security, and to be able to demonstrate this to your customers or business partners, we recommend you comply with ISO 27001.
A standard protecting credit card information.
The Payment Card Industry Security Standards Council (PCI SSC) created a comprehensive set of security standards for protecting cardholder data. The standards are updated on an ongoing basis. The number and type of transactions you process determines which requirements of the PCI Data Security Standard (PCI DSS) apply to you.
If you are a merchant, service provider or payment application vendor that stores, processes or transmits credit card data, you are required by your credit card issuer to be PCI compliant.