ISO, SOC, NIST, Oh My -- And Other Common Cybersecurity Compliance Requirements
Depending on your industry, your company may be subject to many, one, or no compliance requirements. Even for companies with no compliance requirements, following the associated guidance and controls often results in a more secure and better documented environment.
Today I'll be covering a high-level overview of some of the most common compliance requirements we run into in information security: what they're used for, how they differ, and who they might apply to. This list is far from exhaustive, so if I've excluded any you think should be here, please comment and let me know.
Disclaimer: Do not take the information provided here as definitive or current to your or your organization's compliance status or situation. Consult the appropriate legal and/or regulatory guidance for your situation.
SOC (1, 2, 3)
- Firewall with listed configurations.
- Network diagrams.
- Change records/management for all firewall modifications.
- Technical consistency between documentation and appliance configuration.
- Administrative logins to appliances require strong encryption methods.
CIS (Center for Internet Security)
- Benchmarks applicable to various operating systems and applications.
- The 20 critical security controls, the first six of which are:
  - Inventory and Control of Hardware Assets
  - Inventory and Control of Software Assets
  - Continuous Vulnerability Management
  - Controlled Use of Administrative Privileges
  - Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  - Maintenance, Monitoring and Analysis of Audit Logs
NIST
- FIPS - Federal Information Processing Standards | Security standards.
- SP - NIST Special Publications | Guidelines, technical specifications, recommendations and reference materials.
  - SP 800 - Computer security
  - SP 1800 - Cybersecurity practice guides
  - SP 500 - Information technology (relevant documents)
- NISTIR - NIST Internal or Interagency Reports | Reports of research findings, including background information for FIPS and SPs.
- ITL Bulletin - NIST Information Technology Laboratory (ITL) Bulletins | Monthly overviews of NIST's security and privacy publications, programs and projects.
HIPAA
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
- Address (including subdivisions smaller than state such as street address, city, county, or zip code)
- Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, or license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voice prints
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes
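Several of the identifiers in the list above (dates other than a bare year, phone and fax numbers, email addresses, Social Security numbers, IP addresses, URLs, ZIP codes, and ages over 89) follow recognisable patterns, so a first-pass check can flag them automatically before a record leaves a covered environment. The scanner below is an added example written for this post, not code from the original article or from any regulator; its regular expressions are illustrative assumptions, it only covers the pattern-detectable categories (names, medical record numbers, biometrics and photos need other controls), and the sample record is constructed.

```python
"""First-pass scanner for pattern-detectable HIPAA identifiers in free text.

Added example for this post; the patterns are illustrative assumptions,
not a complete de-identification solution.
"""
import re
from typing import Dict, List, Tuple

# Each pattern is a deliberately simple approximation of one identifier
# category from the list above. Tune them for your own record formats.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(
        r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # Full dates only (M/D/Y or ISO); a bare four-digit year is permitted.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    # Five-digit ZIP (with optional +4). Other five-digit numbers will also
    # trip this; that is the safe direction for a screening check.
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

# Ages are only identifiers when greater than 89, so the number is
# captured and compared rather than matched outright.
AGE_RE = re.compile(
    r"\b(?:aged?\s+(\d{1,3})|(\d{1,3})[ -]?(?:years?[ -]old|y/?o))\b",
    re.IGNORECASE)

Span = Tuple[int, int, str, str]  # start, end, category, matched text


def _spans(text: str) -> List[Span]:
    """Collect non-overlapping matches, preferring the longest at each start."""
    spans: List[Span] = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            spans.append((m.start(), m.end(), name, m.group(0)))
    for m in AGE_RE.finditer(text):
        if int(m.group(1) or m.group(2)) > 89:
            spans.append((m.start(), m.end(), "age_over_89", m.group(0)))
    # Earliest start first, longest match first, so a URL swallows any
    # IP address or ZIP-like number embedded in its path.
    spans.sort(key=lambda s: (s[0], -(s[1] - s[0])))
    kept: List[Span] = []
    last_end = -1
    for s in spans:
        if s[0] >= last_end:
            kept.append(s)
            last_end = s[1]
    return kept


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Map each identifier category found in text to the strings matched."""
    hits: Dict[str, List[str]] = {}
    for _, _, name, value in _spans(text):
        hits.setdefault(name, []).append(value)
    return hits


def is_safe_harbor_clean(text: str) -> bool:
    """True when no pattern-detectable identifier was found."""
    return not _spans(text)


def redact(text: str) -> str:
    """Replace each detected identifier with a bracketed category label."""
    out = text
    # Work from the end so earlier offsets stay valid after each replacement.
    for start, end, name, _ in reversed(_spans(text)):
        out = out[:start] + f"[{name.upper()}]" + out[end:]
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = (
    "Patient admitted 03/14/2023, aged 92, lives in 02139. "
    "Contact: 617-555-0142, jdoe@example.com. Portal https://portal.example.org/u/42 "
    "from 198.51.100.7. SSN 123-45-6789. Follow-up in 2024."
)

if __name__ == "__main__":
    for category, values in find_identifiers(SAMPLE_RECORD).items():
        print(f"{category:13s} {values}")
    print(redact(SAMPLE_RECORD))
```

The check is intentionally over-inclusive: a screening step should err toward a human reviewing a false positive rather than a record leaving with a real identifier in it, and the year "2024" and the age 70 in an otherwise clean note are correctly left alone.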