Strike Graph security compliance blog

Security frameworks 101

Written by Justin Beals : Founder & CEO | Aug 16, 2022 7:00:00 AM

With so many IT security frameworks out there, figuring out which one applies to your organization can be confusing. Below, you'll find details about common frameworks to help you determine which might be right for your organization. The good news is that many frameworks overlap. The even better news is that Strike Graph's multi-framework approach allows your busy team to upload evidence just once and apply it to many compliance initiatives.

SOC 2

What is it:
SOC stands for System and Organization Controls. SOC 2 is based on five Trust Service Principles — security, availability, confidentiality, processing integrity, and privacy. SOC 2 is technically an attestation (although you'll probably hear it casually called a certification) issued by outside auditors.

Governing body:
SOC 2 was developed by the American Institute of CPAs (AICPA), a national professional organization for certified public accountants.

Who needs it:
SOC 2 is becoming a requirement for security-conscious enterprises that rely on cloud service providers, such as software as a service (SaaS) vendors, managed service providers, banking and financial services, data centers, and cloud storage providers.

How Strike Graph can help:
Strike Graph’s SOC 2 solution simplifies the compliance process and gets you audit ready faster and with less frustration.

ISO 27001/2 (ISMS)

What is it:
ISO 27001 is an international standard that provides requirements for information security management systems (ISMSs). 

Governing body:
ISO stands for International Organization for Standardization. The organization has developed over 24,090 standards, ranging from environmental to information technology.

Who needs it:
ISO certification is recommended if you will be marketing or selling your products to consumers outside the United States. It improves customer confidence by documenting your commitment to keeping confidential and sensitive information secure.

How Strike Graph can help:
Strike Graph’s audit-proven policy templates, implementation guidance from experts, and automated, ongoing evidence collection makes compliance more efficient and seamless.

HIPAA

What is it:
The Health Insurance Portability and Accountability Act, or HIPAA, was enacted in 1996. One of its purposes is to ensure the protection of personal health information (PHI).

Governing body:
HIPAA is regulated by the Department of Health and Human Services’ Office for Civil Rights (OCR). As this is a law, adhering to it is self-assessed. However, some auditors do offer attestation audits similar to a SOC 2.

Who needs it:
The law is specific to Covered Entities (those that directly handle electronic PHI) and those that do business with them, also referred to as Business Associates.  

How Strike Graph can help:
Strike Graph has tools, templates, and experts to position you for an independent assurance or external audit.

HITRUST CSF

What is it:
HITRUST CSF combines multiple regulations and standards under a single framework. CSF stands for “common security framework.”

Governing body:
HITRUST CSF was developed by the Health Information Trust Alliance (HITRUST), a collection of healthcare information security professionals.

Who needs it:
Consider HITRUST if you handle protected health information (PHI) or if a customer asks for it. It is very expensive.

How Strike Graph can help:
Strike Graph starts you with HIPAA and then adds a HITRUST layer on top.

PCI DSS

What is it:
The Payment Card Industry Data Security Standard (or PCI DSS) applies to any organization that processes credit cards. Companies fall into one of four compliance tiers based on volume of transactions. These range from self-assessment (low volume) up to Level One, which requires an audit by a Qualified Security Assessor (QSA).

Governing body:
PCI DSS is governed by the major credit card companies — American Express, Discover, JCB International, MasterCard, and Visa Inc. 

Who needs it:
If your organization processes or plans to process credit cards, regardless of volume, you will need to be compliant to avoid being banned or fined by a major credit card company.

How Strike Graph can help:
Strike Graph facilitates the annual PCI check (either self-assessed or audited) with control reminders, setting you up for success in not only reaching but also maintaining PCI compliance.  

ISO 27701

What is it:
ISO 27701 is an add-on to ISO 27001 and is specific to privacy. It expands your ISMS and creates a privacy information management system (or PIMS).  

Governing body:
ISO stands for International Organization for Standardization. The organization has developed over 24,090 standards, ranging from environmental to information technology.

Who needs it:
Many organizations implement 27701 to assist in privacy compliance with laws such as CCPA or GDPR.

How Strike Graph can help:
The Strike Graph ISO suite includes the 27701 framework, which by extension, includes GDPR.

NIST-CSF

What is it:
The NIST Cybersecurity Framework (or CSF) was a result of an Obama-era executive order and is the U.S. Government's take on cybersecurity and data protection best practices pulled from other frameworks. NIST comes in multiple flavors, for example NIST 800-53 (for US Federal Government Agencies) and NIST 800-171 (for government contractors and subcontractors).

Governing body:
The NIST (National Institute of Standards and Technology) is a government-funded agency under the Department of Commerce. 

Who needs it:
NIST is required for doing business with the US government and many state agencies.

How Strike Graph can help:
Strike Graph’s evidence collection reminders help keep you on track, so annual reassessment of compliance won’t sneak up on you.

CCM

What is it:
Cloud Controls Matrix (or CCM) is a vendor-agnostic collection of security controls that helps businesses and prospective cloud customers assess the risk associated with cloud implementation. Essentially, it is a spreadsheet of domains broken out into controls.

Governing body:
The Cloud Security Alliance (CSA) established CCM as a tool for the systematic assessment of a cloud implementation.

Who needs it:
CCM is specific to cloud computing. Cloud providers who wish to submit their service to the Security, Trust, Assurance, and Risk (STAR) Registry, as well as companies looking to evaluate cloud providers, could benefit from the CCM. 

How Strike Graph can help:
Strike Graph does not currently support CCM specifically, but our flexible compliance platform allows you to assign controls and evidence to any framework.

CMMC

What is it:
CMMC stands for Cybersecurity Maturity Model Certification. It comprises three levels of certification, and each level builds upon the one below it. Organizations become certified after undergoing an audit.

Governing body:
CMMC was established by the Department of Defense (DoD) to protect controlled unclassified information (or CUI) that resides on contractor or subcontractor systems or networks of suppliers.

Who needs it:
CMMC is a requirement if you plan to contract any work with the U.S. Department of Defense.

How Strike Graph can help:
Strike Graph does not currently support CCM specifically, but our flexible compliance platform allows you to assign controls and evidence to any framework.

TISAX

What is it:
TISAX stands for Trusted Information Security Assessment Exchange. It is a framework and assessment methodology for the automotive industry, specifically designed to ensure the secure exchange of sensitive information across the supply chain. TISAX helps organizations assess and manage the information security maturity of their business partners.

Governing body:
TISAX was developed by the German Association of the Automotive Industry (VDA) in collaboration with major automotive manufacturers. The VDA acts as the governing body for TISAX and oversees its implementation.

Who needs it:
TISAX is relevant for companies operating within the automotive industry, especially those that handle sensitive information and data as part of their business processes. This includes not only automotive manufacturers but also their suppliers, service providers, and other stakeholders involved in the supply chain.

How Strike Graph can help:
Strike Graph’s all-in-one compliance platform streamlines the TISAX process with pre-mapped controls, automated evidence collection, and AI security guidance. Once you’ve received your label, our trust asset library lets you easily share it to close deals quickly.

FedRAMP

What is it:
FedRAMP, short for Federal Risk and Authorization Management Program, is a government-wide program designed to standardize the security assessment, authorization, and continuous monitoring processes for cloud products and services used by US federal agencies. It aims to ensure that cloud services utilized by the government meet consistent security standards.

Governing body:
FedRAMP is managed by the US General Services Administration (GSA) and is a collaborative effort involving various government agencies, including the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS). The GSA oversees the program's policies and operations.

How NIST 800-53 supports FedRAMP:
NIST Special Publication 800-53, titled "Security and Privacy Controls for Federal Information Systems and Organizations," plays a pivotal role in supporting FedRAMP compliance. It provides a comprehensive catalog of security and privacy controls that federal agencies and cloud service providers (CSPs) must implement to protect information systems and sensitive data. FedRAMP leverages NIST 800-53 controls as a baseline for evaluating the security posture of cloud services seeking authorization.

Who needs it:
FedRAMP compliance is essential for cloud service providers (CSPs) seeking to offer their services to federal agencies. Additionally, federal agencies that use cloud services must ensure that these services are FedRAMP compliant.

How Strike Graph can help:
Using Strike Graph’s compliance platform makes it simple to bring your security program into compliance with NIST 800-53 standards, the framework on which FedRAMP is based. Easily implement NIST-mapped controls, collect evidence automatically and then share your trust asset with potential customers using our trust asset library.