Compliance Frameworks

  • ISO/IEC 27001:2005 - specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks.

  • FedRAMP - The Federal Risk and Authorization Management Program is a US government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.

  • HIPAA - Federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.

  • NIST - National Institute of Standards and Technology - publishes the Framework for Improving Critical Infrastructure Cybersecurity, a set of industry standards and best practices that helps organizations manage cybersecurity risk.

  • PCI DSS v3.2 - The Payment Card Industry Data Security Standard is a widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information.

    Requirements:

    • 1: Install and maintain a firewall configuration to protect cardholder data.

    • 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

    • 3: Protect cardholder data at rest.

    • 4: Encrypt transmission of cardholder data across open, public networks.

    • 5: Protect all systems against malware and regularly update antivirus software or programs.

    • 6: Develop and maintain secure systems and applications.

    • 7: Restrict access to cardholder data by business need to know.

    • 8: Identify and authenticate access to system components.

    • 9: Restrict physical access to cardholder data.

    • 10: Track and monitor all access to network resources and cardholder data.

    • 11: Regularly test security systems and processes.

    • 12: Maintain a policy that addresses information security for all personnel.

  • Other frameworks:

    • SAS 70 - Statement on Auditing Standards No. 70.

    • SOC 1 - Service Organization Controls report covering accounting (financial reporting) controls.

    • FISMA - Federal Information Security Modernization Act.

    • FIPS 140-2 - US Government computer security standard used to approve cryptographic modules. Modules are rated from Level 1 to Level 4, with Level 4 being the highest security. CloudHSM meets the Level 3 standard.
