Learn the common IT compliance frameworks Xetec Services and Assurance Inc. supports to meet the demands of regulators, auditors, and compliance management teams.

IT compliance frameworks are meant to guide organizations on best practices for managing security risks and protecting sensitive data. It’s important for your company to align with compliance frameworks, both for internal and external auditing purposes and to give stakeholders, new and existing customers, and current staff confidence in how data is handled.

What are common IT regulatory compliance frameworks, and how does Xetec Services and Assurance Inc. support them?

The Xetec Services and Assurance Inc. Core platform supports a growing library of content sources to meet the increasing demands of regulators and auditors and to support IT compliance management teams. The content packs cover many frameworks to establish best-in-class security practices across multiple industries. Here are the most common IT compliance frameworks that Xetec Services and Assurance Inc. supports.

SOC 2

SOC 2, or Service Organization Control 2, is a widely recognized auditing standard intended for service organizations to report information and assurance about controls relevant to the security, availability, and processing integrity of the IT systems that handle user data, and to the confidentiality and privacy of that data. SOC 2 defines criteria for managing customer data based on five “trust service principles” and produces reports unique to each organization.

CIS Controls

The CIS Critical Security Controls (CIS Controls) are a prioritized set of safeguards to mitigate the most prevalent cyber-attacks against systems and networks. Multiple legal, regulatory, and policy frameworks map to and reference them. The Center for Internet Security (CIS) publishes the CIS Critical Security Controls (CSC) to help organizations better defend against known attacks by distilling key security concepts into actionable controls that raise the overall level of cybersecurity defense. Examples of CIS Controls include implementing firewalls, regularly updating software and operating systems, monitoring user activity, enforcing strong passwords and multi-factor authentication, and conducting regular security assessments and audits. By implementing CIS Controls, organizations can improve their cybersecurity posture and reduce their cyber-attack risk.

International Organization for Standardization (ISO) Frameworks

ISO/IEC 27001*

ISO/IEC 27001 (2022) provides organizations with requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The standard was developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Organizations of any type can implement it, involving both internal and external parties. The requirements of this standard are generic and are intended to be tailored to the organization’s needs.

ISO/IEC 27017*

ISO/IEC 27017 (2015) provides guidelines for information security controls and implementation guidance applicable to the provision and use of cloud services, for both cloud service providers and cloud service customers. This framework includes additional controls specifically related to cloud services and implementation guidance for relevant controls specified in ISO/IEC 27002.

ISO/IEC 27018*

ISO 27018 is not a standalone framework but rather an international standard that provides guidelines and controls for protecting personally identifiable information (PII) in cloud computing environments. It is an extension of ISO 27001, which is a well-known information security management system (ISMS) standard. ISO 27018 specifically addresses the privacy concerns related to cloud services. ISO 27018 is a valuable resource for organizations that use or provide cloud services, as it helps them address the unique privacy challenges associated with cloud computing. It enables organizations to build trust with their customers by demonstrating a commitment to protecting their personal data in the cloud.

*ISO content is available in certain regions only.

National Institute of Standards and Technology (NIST) Frameworks

NIST Cybersecurity Framework (CSF)

The NIST Framework for Improving Critical Infrastructure Cybersecurity, also known as the NIST Cybersecurity Framework (CSF), was published in 2014 as a voluntary set of guidelines and best practices for managing cybersecurity risk in critical infrastructure organizations. The National Institute of Standards and Technology (NIST) developed the framework in response to a 2013 executive order by the President of the United States, which directed NIST to develop a framework that would help organizations manage and reduce cybersecurity risk. The NIST Cybersecurity Framework is built around five core functions: Identify, Protect, Detect, Respond, and Recover. These functions are designed to help organizations manage cybersecurity risk throughout the entire lifecycle of their critical infrastructure assets and systems. The NIST CSF uses business drivers to guide cybersecurity activities and treats cybersecurity risk as part of the organization’s overall risk management processes. Organizations of any size, level of cybersecurity risk, or degree of cybersecurity sophistication can apply its risk management principles and best practices to improve the security and resilience of critical infrastructure.

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a United States federal government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services. The program ensures federal agencies can adopt cloud computing technologies quickly, securely, and cost-effectively by providing a standardized and consistent security and risk management approach. The FedRAMP program defines a set of security controls and requirements that cloud service providers (CSPs) must meet to receive authorization to provide services to federal agencies. The program also provides a marketplace for federal agencies to search for and select authorized cloud service providers. Once FedRAMP has authorized a CSP, it’s listed on the FedRAMP Marketplace, where federal agencies can search for authorized cloud service providers and review their authorization documentation. This makes it easier for federal agencies to adopt cloud computing technologies, with the ability to select from a pre-approved list of CSPs that have already been vetted for security and risk management. The FedRAMP program is managed by the General Services Administration (GSA), in collaboration with the National Institute of Standards and Technology (NIST) and other government agencies.

NIST Privacy Framework

This publication describes the voluntary NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Version 1.0). The Privacy Framework is a tool developed to help organizations identify and manage privacy risks to build innovative products and services while protecting the privacy of individuals. The Privacy Framework provides a flexible, risk- and outcome-based approach, intended to be widely usable by organizations of all sizes and agnostic to any particular technology, sector, law, or jurisdiction. The Privacy Framework follows the structure of the NIST Cybersecurity Framework to facilitate the use of both frameworks together.

NIST 800-53 Rev. 5

The purpose of the NIST 800-53 Rev. 5 publication is to provide a complete approach to information security and risk management by giving organizations the security controls necessary to fundamentally strengthen their information systems and operating environments. The security and privacy controls are designed to be largely policy- and technology-neutral, allowing flexibility in implementation. This content pack contains the most recent NIST 800-53 Rev. 5 update together with its supplementary document, addressing the increasing sophistication of cyberattacks. NIST 800-53 Rev. 5 is widely recognized as a leading set of security controls for information systems and organizations. It is often used as a basis for other security frameworks and standards, such as the Federal Risk and Authorization Management Program (FedRAMP) and the Cybersecurity Maturity Model Certification (CMMC). The publication is regularly updated to remain relevant and effective in the rapidly evolving cybersecurity landscape.

NIST 800-171/A

NIST 800-171A Rev. 2 (2020) provides agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) resident in non-federal systems and organizations. The requirements apply to all components of non-federal systems and organizations that process, store, and/or transmit CUI, or that provide security protection for such components. Enforcement of these requirements is managed directly by the Department of Defense. NIST 800-171/A is an update to the original NIST 800-171 publication, which was released in 2016. The “A” in the revised version stands for “Assessment,” and it provides additional guidance on how organizations can assess their compliance with the security controls outlined in the publication.
The security controls in NIST 800-171/A are organized into 14 families, including access control, incident response, and system and communications protection. The controls are designed to provide a baseline level of security for protecting CUI and are customizable based on an organization’s specific needs. NIST 800-171/A is not a mandatory compliance framework, but organizations that handle CUI must comply with FAR Clause 52.204-21. Compliance with NIST 800-171/A can help organizations meet these requirements and demonstrate that they have implemented appropriate security controls to protect CUI.

Other common IT compliance frameworks

PCI DSS 4.0

The Payment Card Industry Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements for protecting payment data. PCI DSS version 4.0 is the next evolution of the standard. Developed through global industry collaboration, PCI DSS 4.0 provides organizations with a more comprehensive and flexible set of security standards to protect against evolving threats to cardholder data.

COBIT 5

COBIT 5 is a comprehensive business framework for the governance and management of enterprise IT, developed by ISACA®, an international professional association for IT governance. COBIT 5 assists organizations of all sizes in achieving their objectives for the governance and management of enterprise information and technical assets. COBIT 5 incorporates COBIT 4.1 and major frameworks and standards, including VAL IT 2.0, RISK IT, ITIL®, and ISO. This content pack also includes COBIT 5 for Information Security, which provides guidance for IT and security professionals on information security-related activities.

HIPAA

The Health Insurance Portability and Accountability Act (effective April 14, 2003) is a US law designed to impose privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. Developed by the Department of Health and Human Services, these standards give patients access to their medical records and more control over how their health information is used and disclosed. They represent a uniform federal floor of privacy protections for consumers nationwide. The rule does not override state laws that provide additional consumer protections.