IT compliance frameworks are meant to guide organizations on best practices for managing security risks and protecting sensitive data. Aligning your company with these frameworks matters for internal and external audits and for the confidence of stakeholders, new and existing customers, and current staff.
What are common IT regulatory compliance frameworks, and how does Resolver support them?
The Resolver Core platform supports a growing library of content sources to meet the increasing demands of regulators and auditors and to support IT Compliance Management teams. The content packs cover a broad range of frameworks to establish best-in-class security practices across multiple industries. Here are the most common IT compliance frameworks that Resolver supports:
FFIEC Cybersecurity Assessment Tool
The Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment is a framework that provides guidance to financial institutions in the United States to assess and manage their cybersecurity risk. The FFIEC Cybersecurity Assessment Tool (CAT) is a diagnostic test that helps institutions identify their risk level and determine the maturity of their cybersecurity programs. This content pack includes the FFIEC's Inherent Risk Profile and Cybersecurity Maturity modules. The Inherent Risk Profile reviews 5 key categories: Technology and Connection Types, Delivery Channels, Online/Mobile Products and Technology Services, Organizational Characteristics, and External Threats, and is used to determine an institution's overall inherent risk profile across those categories. The Cybersecurity Maturity module helps institutions assess their maturity levels across the following domains: Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience.
SOC 2
SOC 2, or Service Organization Control 2, is a widely recognized auditing standard framework intended for service organizations to report information and assurance about controls relevant to the security, availability, and integrity of IT systems that process user data, and to user confidentiality and privacy. SOC 2 defines criteria for managing customer data based on five "trust service principles" and produces reports unique to each organization.
Read more: SOC 2 Basics | SOC 2 Checklist
CIS Critical Security Controls
The CIS Critical Security Controls (CIS Controls) are a prioritized set of safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks. The Center for Internet Security (CIS) publishes the CIS Critical Security Controls (CSC) to help organizations better defend against known attacks by distilling key security concepts into actionable controls to achieve greater overall cybersecurity defense.
Examples of CIS controls include implementing firewalls, regularly updating software and operating systems, monitoring user activity, implementing strong passwords and multi-factor authentication, and conducting regular security assessments and audits. By implementing the CIS controls, organizations can improve their cybersecurity posture and reduce their risk of cyber-attacks.
International Organization for Standardization (ISO) Frameworks
ISO/IEC 27001 (2022), developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It can be implemented by organizations of all types and can involve both internal and external parties. The requirements of this standard are generic and are intended to be tailored to the organization's needs.
Read more on ISO 27001 in our Quick Start Guide.
ISO/IEC 27017 (2015) provides guidelines for information security controls and implementation guidance applicable to the provision and use of cloud services for both providers and customers. This framework includes additional controls specifically related to cloud services and implementation guidance for relevant controls specified in ISO/IEC 27002.
ISO/IEC 27002 (2022) is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It provides guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization, and is intended to be used in conjunction with other standards, such as ISO/IEC 27001, to provide a comprehensive framework for information security management. The standard is applicable to organizations of all sizes and types, across all industry sectors.
*ISO content available in certain regions only
National Institute of Standards and Technology (NIST) Frameworks
NIST Cybersecurity Framework (CSF)
The NIST Framework for Improving Critical Infrastructure Cybersecurity, also known as the NIST Cybersecurity Framework (CSF), was published in 2014 as a voluntary set of guidelines and best practices for managing cybersecurity risk in critical infrastructure organizations. The framework was developed by the National Institute of Standards and Technology (NIST) in response to a 2013 executive order by the President of the United States, which directed NIST to develop a framework that would help organizations manage and reduce cybersecurity risk.
The NIST Cybersecurity Framework is built around five core functions: Identify, Protect, Detect, Respond, and Recover. These functions are designed to help organizations manage cybersecurity risk throughout the entire lifecycle of their critical infrastructure assets and systems. The NIST CSF focuses on using business drivers to guide cybersecurity activities and on considering cybersecurity risks as part of the organization's risk management processes. Organizations of any size, degree of cybersecurity risk, or cybersecurity sophistication can apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure using this framework.
Federal Risk and Authorization Management Program (FedRAMP)
The Federal Risk and Authorization Management Program (FedRAMP) is a United States federal government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services. The program is designed to ensure that federal agencies can adopt cloud computing technologies quickly, securely, and cost-effectively by providing a standardized and consistent approach to security and risk management.
The FedRAMP program defines a set of security controls and requirements that cloud service providers (CSPs) must meet to receive authorization to provide services to federal agencies. The program also provides a marketplace for federal agencies to search for and select authorized cloud service providers.
Once FedRAMP has authorized a CSP, it’s listed on the FedRAMP Marketplace, where federal agencies can search for authorized cloud service providers and review their authorization documentation. This makes it easier for federal agencies to adopt cloud computing technologies, with the ability to select from a pre-approved list of CSPs that have already been vetted for security and risk management. The FedRAMP program is managed by the General Services Administration (GSA), in collaboration with the National Institute of Standards and Technology (NIST) and other government agencies.
NIST Privacy Framework
This publication describes the voluntary NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Version 1.0). The Privacy Framework is a tool developed to help organizations identify and manage privacy risks to build innovative products and services while protecting the privacy of individuals. The Privacy Framework provides a flexible, risk- and outcome-based approach, intended to be widely usable by organizations of all sizes and agnostic to any particular technology, sector, law, or jurisdiction. The Privacy Framework follows the structure of the NIST Cybersecurity Framework to facilitate the use of both frameworks together.
NIST 800-53 Rev. 5
The purpose of the NIST 800-53 Rev. 5 publication is to provide a complete approach to information security and risk management by giving organizations the security controls necessary to fundamentally strengthen their information systems and their operating environments. The security and privacy controls have been designed to be largely policy- and technology-neutral to allow flexibility in implementation. This content pack contains the most recent NIST 800-53 Rev. 5 update and the supplementary document to NIST 800-53 Rev. 5, to address the increasing sophistication of cyberattacks.
NIST 800-53 Rev. 5 is widely recognized as a leading set of security controls for information systems and organizations. It is often used as a basis for other security frameworks and standards, such as the Federal Risk and Authorization Management Program (FedRAMP) and the Cybersecurity Maturity Model Certification (CMMC). The publication is regularly updated to remain relevant and effective in the rapidly evolving cybersecurity landscape.
NIST 800-171A Rev. 2
NIST 800-171A Rev. 2 (2020) provides agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) resident in non-federal systems and organizations. The requirements apply to all components of non-federal systems and organizations that process, store, and/or transmit CUI, or that provide security protection for such components. Enforcement of these requirements is managed directly by the Department of Defense. NIST 800-171A is an update to the original NIST 800-171 publication, which was released in 2016. The "A" in the revised version stands for "Assessment," as it provides additional guidance on how organizations can assess their compliance with the security controls outlined in the publication.
The security controls in NIST 800-171A are organized into 14 families, including access control, incident response, and system and communications protection. The controls are designed to provide a baseline level of security for protecting CUI and are customizable based on an organization's specific needs. NIST 800-171A is not a mandatory compliance framework, but organizations that handle CUI are required to comply with FAR Clause 52.204-21. Compliance with NIST 800-171A can help organizations meet these requirements and demonstrate that they have implemented appropriate security controls to protect CUI.
Other common IT compliance frameworks
PCI DSS 4.0
The Payment Card Industry Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect payment data. PCI DSS version 4.0 is the next evolution of the standard. Developed through global industry collaboration, PCI DSS 4.0 provides organizations with a more comprehensive and flexible set of security standards to protect against the evolving threats to cardholder data.
Cybersecurity Maturity Model Certification (CMMC)
Designed by the United States Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) framework consists of maturity processes and cybersecurity best practices from multiple standards, frameworks, and other references, as well as inputs from the Defense Industrial Base and Department of Defense stakeholders.
COBIT 5
COBIT 5 is a comprehensive business framework for the governance and management of enterprise IT, developed by ISACA®, an international professional association for IT governance. COBIT 5 assists organizations of all sizes to achieve their objectives for the governance and management of enterprise information and technical assets. COBIT 5 incorporates COBIT 4.1 and major frameworks and standards including VAL IT 2.0, RISK IT, ITIL®, and ISO. This content pack also includes COBIT 5 for Information Security, which provides guidance for IT and security professionals on information security-related activities.
HIPAA
The Health Insurance Portability and Accountability Act (effective April 14, 2003) is a US law designed to impose privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers.
Developed by the Department of Health and Human Services, these standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed. They represent a uniform, federal floor of privacy protections for consumers across the country. State laws providing additional protections to consumers are not affected by this new rule.
What are framework content mappings?
Framework enhancements are additional developments that provide depth to our framework offerings and are automatically included with framework subscriptions. These enhancements are unique to Resolver and were included to enhance customers’ compliance efforts and effectiveness.
Organizations often use multiple frameworks to guide their cybersecurity strategy and certification goals, and there is frequently significant overlap in evidence and controls between them. Framework mappings draw connections between these overlaps and allow customers to document their compliance across multiple frameworks at once rather than creating compliance documentation specific to each one. The mappings show where existing controls may fulfill new framework requirements, letting companies focus and consolidate their efforts around a single source of truth.
IT framework mappings Resolver offers:
- SOC 2: ISO 27001
- SOC 2: NIST 800-53
- SOC 2: NIST CSF
- SOC 2: PCI DSS 4.0
- ISO 27001: PCI DSS 4.0
- NIST 800-53: ISO 27001
- NIST CSF: ISO 27001
- NIST CSF: NIST 800-53
- NIST 800-171: CMMC
- NIST 800-171: FFIEC CAT
- NIST CSF: PCI DSS 4.0
- NIST CSF: COBIT 5
- NIST CSF: FFIEC CAT
- CIS: FFIEC CAT
- CIS: NIST CSF
- PCI DSS 4.0: CIS Controls
- SOC 2: CIS Controls
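As an added example (not Resolver's content or code), here is a small Python sketch of how such mappings can drive a coverage and gap check: it treats the framework pairs listed above as a graph, and uses constructed, placeholder control IDs (such as "SOC2-A1") for the control-level step.

```python
"""Cross-framework coverage from mapping pairs (added example, not Resolver's
content): framework pairs are the page's list; control pairs/IDs are placeholders."""
from collections import defaultdict

# Framework-level mappings listed on the page ("NIST CST" read as NIST CSF).
FRAMEWORK_PAIRS = [
    ("SOC 2", "ISO 27001"), ("SOC 2", "NIST 800-53"), ("SOC 2", "NIST CSF"),
    ("SOC 2", "PCI DSS 4.0"), ("ISO 27001", "PCI DSS 4.0"),
    ("NIST 800-53", "ISO 27001"), ("NIST CSF", "ISO 27001"),
    ("NIST CSF", "NIST 800-53"), ("NIST 800-171", "CMMC"),
    ("NIST 800-171", "FFIEC CAT"), ("NIST CSF", "PCI DSS 4.0"),
    ("NIST CSF", "COBIT 5"), ("NIST CSF", "FFIEC CAT"), ("CIS", "FFIEC CAT"),
    ("CIS", "NIST CSF"), ("PCI DSS 4.0", "CIS"), ("SOC 2", "CIS"),
]

# Constructed control-level mapping: each (framework, control id) in a pair
# satisfies the other. IDs like "SOC2-A1" are placeholders, not real numbers.
CONTROL_PAIRS = [
    (("SOC 2", "SOC2-A1"), ("ISO 27001", "ISO-C1")),
    (("SOC 2", "SOC2-A2"), ("ISO 27001", "ISO-C2")),
    (("ISO 27001", "ISO-C1"), ("PCI DSS 4.0", "PCI-R1")),
    (("SOC 2", "SOC2-A3"), ("PCI DSS 4.0", "PCI-R2")),
]

def closure(start, pairs):
    """Everything reachable from `start` by chaining pairs; a mapping is
    treated as bidirectional because an overlap in evidence works both ways."""
    adj = defaultdict(set)
    for a, b in pairs:
        adj[a].add(b)
        adj[b].add(a)
    seen, stack = set(start), list(start)
    while stack:
        for nxt in adj[stack.pop()] - seen:
            seen.add(nxt)
            stack.append(nxt)
    return seen

def reachable_frameworks(framework):
    """Frameworks connected to `framework` by mappings, directly or via others."""
    return closure({framework}, FRAMEWORK_PAIRS) - {framework}

def coverage(evidenced, target):
    """(covered, gaps) among `target`'s mapped control ids, given evidenced
    (framework, control id) tuples; chains through another framework count."""
    satisfied = closure(set(evidenced), CONTROL_PAIRS)
    in_target = {c for pair in CONTROL_PAIRS for c in pair if c[0] == target}
    covered = {c[1] for c in in_target & satisfied}
    return covered, {c[1] for c in in_target - satisfied}
```

A control reached only through an intermediary mapping (for example a SOC 2 control that maps to ISO 27001, which in turn maps to PCI DSS) is reported as covered, so an auditor-facing report should also record the chain that justified it.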
Request a demo to see how Resolver can meet your IT compliance regulation and framework requirements, or learn more here.