Frameworks overview
Hyperproof supports the following 111 frameworks.
Framework | Description |
---|---|
The Adobe Common Controls Framework (CCF) helps protect Adobe's infrastructure, applications, and services, as well as helps Adobe comply with several industry-accepted best practices, standards, regulations, and certifications. | |
The Americans with Disabilities Act (ADA) and Web Content Accessibility Guidelines (WCAG) v2.2 combines Title I and Title III of the Americans with Disabilities Act (ADA) with the Web Content Accessibility Guidelines (WCAG) v2.2. Title I of the ADA prohibits employment discrimination against qualified individuals with disabilities (EEOC). Title III of the ADA prohibits discrimination based on disability in places of public accommodation. WCAG documents explain how to make web content more accessible to people with disabilities. | |
APRA CPS 234 is an information security regulation issued by the Australian Prudential Regulation Authority. It requires financial institutions to establish and maintain security measures that protect critical data and IT systems. The regulation mandates proactive risk management, secure outsourcing arrangements, incident response planning, and governance structures to ensure resilience against cyber threats and unauthorized data access. | |
The Australia ASD Essential 8 asks Australian organizations to implement eight essential mitigation strategies from the Strategies to Mitigate Cybersecurity Incidents as a baseline. | |
Australian ISM for IRAP and ASD by the Australian Cyber Security Centre (ACSC). For TOP SECRET systems, including sensitive compartmented information systems, security assessments can be undertaken by ASD assessors (or their delegates). For SECRET and below systems, security assessments can be undertaken by an organization's own assessors or Infosec Registered Assessors Program (IRAP) assessors. | |
The AWS Well-Architected Framework is a comprehensive guide designed to help cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications and workloads. It is based on five key pillars: Operational Excellence, Security, Reliability, Performance Efficiency, and Cost Optimization. Each pillar includes best practices, design principles, and actionable guidance, enabling architects to evaluate and improve their cloud architecture. The framework also offers a structured approach to review and refine systems, ensuring they align with AWS's established best practices. | |
The Bank Secrecy Act Compliance Program (BSA) framework includes regulations and illustrative controls covering selected regulations from Title 31 Chapter X and Title 12 Chapter I. It includes regulations addressing Customer Identification Program (CIP), Customer Due Diligence (CDD), Anti-money Laundering (AML), Enhanced Due Diligence (EDD), Currency Transaction Reports (CTR), Suspicious Activity Reporting (SAR), and others. | |
Brazilian General Data Protection Law (LGPD). The LGPD contains provisions and requirements related to the processing of personal data of individuals, where the data is of individuals located in Brazil, where the data is collected or processed in Brazil, or where the data is used to offer goods or services to individuals in Brazil. | |
The BSI Cloud Computing Compliance Controls Catalog (C5 v2020) is a German government-backed attestation scheme introduced in Germany by the Federal Office for Information Security (BSI). C5 helps organizations demonstrate operational security against common cyber-attacks when using cloud services within the context of the German Government's "Security Recommendations for Cloud Providers". | |
C4 CryptoCurrency Security Standard (CCSS) is a security standard that helps secure all information systems that make use of cryptocurrencies. By standardizing the security techniques and methodologies used by cryptocurrency systems around the globe, end-users will be able to easily make educated decisions about which products and services to use and with which companies they wish to align. | |
CA Browser Forum (CAB). These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities (CAs). | |
The California Consumer Privacy Act (CCPA) is a bill intended to enhance privacy rights and consumer protection for residents of California, United States. | |
The Canadian OSFI Guideline B-13 provides comprehensive cybersecurity risk management standards for federally regulated financial institutions in Canada. It outlines best practices to enhance cyber resilience, focusing on governance, risk assessment, controls, and incident response. The guideline aims to help institutions protect against and respond to cybersecurity threats effectively, ensuring the stability and security of the financial system. | |
The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law relating to data privacy. It governs how private sector organizations collect, use, and disclose personal information in the course of commercial business. | |
The China Cybersecurity Law - Personal information (PI) security specification lays down principles and security requirements relating to the processing of PI, including collection, storage, use, sharing, transfer, and public disclosure. This specification applies to the processing of PI by various entities, as well as to the supervision, administration, and assessment of PI processing activities by entities such as supervisory authorities and third-party review organizations. | |
Simplified and prioritized cyber defense guidance. CIS Controls v8.1 was enhanced to keep up with evolving technology (modern systems and software), evolving threats, and even the evolving workplace. | |
The Cisco CCF v2 is a rationalized framework with comprehensive control requirements taken from numerous, globally accepted, security compliance frameworks and certifications. It provides a structured, “build-once-use-many” approach for achieving multiple regional and international certifications, enabling market access and scalability, as well as easing compliance strain. | |
The CMS Acceptable Risk Safeguards 5.0x and Information Systems Security and Privacy Policy (CMS IS2P2 v3.0) defines the framework for protecting and controlling the confidentiality, integrity, and availability of CMS information and information systems. It also provides direction for all CMS employees, contractors, and any individual who receives authorization to access CMS information technology (IT) systems; systems maintained on behalf of CMS; and other collections of information. | |
The CMS Minimum Acceptable Risk Safeguards for Exchanges (MARS-E) Harmonized Security and Privacy Framework defines a structure for managing the security and privacy requirements of systems deployed to administer the provisions of the Affordable Care Act (ACA) that ensure affordable healthcare for all Americans. | |
COBIT 2019 is a framework for the governance and management of enterprise information and technology, aimed at the whole enterprise. | |
Criminal Justice Information Services (CJIS) Security Policy, version 5.9.3. The CJIS Security Policy provides Criminal Justice Agencies (CJA) and Noncriminal Justice Agencies (NCJA) with a minimum set of security requirements for access to Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Division systems and information and to protect and safeguard Criminal Justice Information (CJI). | |
The CSA Cloud Controls Matrix (CCM) v4 is a cybersecurity control framework for cloud computing. It is composed of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing, and is considered a de-facto standard for cloud security assurance and compliance. | |
The Cyber Risk Institute (CRI) Profile eases the compliance burden on the financial services industry while still meeting regulatory expectations. Focusing cybersecurity experts' time on protecting global financial platforms, rather than on compliance activity, will significantly enhance security efforts. For an industry already burdened by a shortage of adequately skilled individuals, reducing the time spent on compliance by streamlining compliance activity is an immediate gain in efficiency and managed risk. | |
The Cyber Risk Institute Profile 2.0 is designed to help financial institutions manage and mitigate cyber risks. Developed in collaboration with industry experts, the Profile 2.0 provides a comprehensive set of standards and best practices to enhance cybersecurity resilience. It aligns with various regulatory requirements and industry guidelines, enabling organizations to systematically assess, prioritize, and address cybersecurity threats. The Profile 2.0 emphasizes a risk-based approach, promoting effective cyber risk management through continuous monitoring, assessment, and improvement of security measures. | |
The Cybersecurity Capability Maturity Model (C2M2) enables organizations to evaluate their cybersecurity capabilities and optimize security investments. | |
Select levels 1-5 to create a program with the requirements for that level. The Cybersecurity Maturity Model Certification (CMMC v1.02) is a DoD certification process that measures a DIB sector company’s ability to protect FCI and CUI. | |
The Cybersecurity Maturity Model Certification (CMMC 2.0) is a new requirement for existing DoD contractors, replacing the self-attestation model and moving to third-party certification. In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review. | |
This DHS 4300A - Sensitive Systems Handbook serves as the foundation on which Department of Homeland Security (DHS) components are to develop, build, and implement their information security programs; it provides specific techniques and procedures for implementing the requirements of the DHS Information Security Program for Sensitive Systems, and for meeting the Program’s Baseline Security Requirements (BLSR), which are generated by the DHS information security policies published in DHS Sensitive Systems Policy Directive 4300A. Components must address these BLSRs when developing and maintaining information for their security documents. This Handbook contains a compilation of DHS Component best practices that adhere to DHS Information Technology (IT) security policies and meet requirements contained in various National Institute of Standards and Technology (NIST) publications, Office of Management and Budget (OMB) direction, and Congressional and Executive mandates. | |
The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation that creates a binding, comprehensive information and communication technology (ICT) risk management framework for the EU financial sector. | |
The Digital Services Act (DSA) regulates online intermediaries and platforms such as marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms. Its main goal is to prevent illegal and harmful activities online and the spread of disinformation. It ensures user safety, protects fundamental rights, and creates a fair and open online platform environment. The DSA protects consumers and their fundamental rights online by setting clear and proportionate rules. It fosters innovation, growth and competitiveness, and facilitates the scaling up of smaller platforms, SMEs and start-ups. The roles of users, platforms, and public authorities are rebalanced according to European values, placing citizens at the centre. | |
The DJCP Multi-Level Protection Scheme 2.0 (MLPS) (GB/T 22239-2019) Level 3 and Classification Guide for Classified Protection of Cybersecurity (GB/T 22240-2020) is a set of cybersecurity protection requirements for basic information networks, information systems and big data, which is mandatory for all the network operators in China. | |
ETSI EN 319 401 v2.2.1 Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers. | |
The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) were developed to facilitate transatlantic commerce by providing U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union / European Economic Area, the United Kingdom (and Gibraltar), and Switzerland that are consistent with EU, UK, and Swiss law. | |
The Family Educational Rights and Privacy Act of 1974 (FERPA) helps protect the privacy of student education records. The Act provides for the right to inspect and review education records, the right to seek to amend those records and to limit disclosure of information from the records. The intent of the legislation is to protect the rights of students and to ensure the privacy and accuracy of education records. | |
FDA Electronic Records; Electronic Signatures (21 CFR Part 11) defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records. It applies to drug makers, medical device manufacturers, biotech companies, biologics developers, CROs, and other FDA-regulated industries, with some specific exceptions. It requires that they implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing the electronic data that FDA predicate rules require them to maintain. | |
The FedRAMP LI-SaaS Rev.5 requirements provide a more efficient path for Low Impact Software as a Service (LI-SaaS) providers to achieve a FedRAMP Agency Authorization to Operate (ATO). | |
Select High, Moderate, or Low to create a program with the requirements for that security baseline. FedRAMP is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies. | |
The FFIEC Cybersecurity Assessment Tool (CAT), developed by the Federal Financial Institutions Examination Council (FFIEC) on behalf of its members, helps institutions identify their risks and determine their cybersecurity maturity. The content of the Assessment is consistent with the principles of the FFIEC Information Technology Examination Handbook (IT Handbook) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, as well as industry-accepted cybersecurity practices. The Assessment provides institutions with a repeatable and measurable process to inform management of their institution’s risks and cybersecurity preparedness. | |
The Florida Information Protection Act (FIPA) of 2014 is a Florida state law governing privacy rules for entities handling personal information. Updated 2019. | |
France ASIP HDS - HDH Certification v1.1 constitutes the certification reference system applicable to hosts wishing to obtain certification for the scope of "physical infrastructure provider" or "IT managed services provider" of personal health data in France. | |
Hyperproof's version of the European Union's GDPR legislation has been reduced to only those requirements that apply directly to Data Controllers and Processors. The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individual citizens of the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas. | |
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. Includes 12 CFR Appendix F to Part 225, "Interagency Guidelines Establishing Information Security Standards"; 16 CFR 313, "Privacy of Consumer Financial Information", and 16 CFR 314, "Standards for Safeguarding Customer Information". | |
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is United States legislation that provides data privacy and security provisions for safeguarding medical information. | |
Hyperproof Common Control Framework (CCF). This framework is a modern set of cybersecurity and privacy controls, each distilled from key elements found in established frameworks such as NIST 800-53, AICPA SOC 2, ISO 27001, CIS, GDPR, and PCI DSS. This framework facilitates organizational compliance by standardizing processes to effectively address cybersecurity, privacy, and information system risks. Designed to support organizations in advancing their compliance maturity, it provides a structured yet flexible approach to cybersecurity and privacy risk management. | |
The IBM Cloud Framework for Financial Services is designed to help address the needs of financial services institutions with regulatory compliance, security, and resiliency during the initial deployment phase and with ongoing operations. | |
IEC 62443 4-1:2018 and 4-2:2019 are parts of the international IEC 62443 series of standards designed to secure industrial communication networks and systems. IEC 62443 4-1 focuses on secure product development lifecycle requirements. It outlines practices and procedures for developing and maintaining secure products, addressing aspects from specification and design to maintenance. IEC 62443 4-2 deals with technical security requirements for industrial automation and control system components. It specifies how to secure components against unauthorized access and misuse, thereby ensuring the resilience and integrity of industrial operations. Together, these standards provide a framework for enhancing the cybersecurity of industrial environments. | |
The Information System Security Management and Assessment Program (ISMAP) is a Japanese government program for assessing the security of public cloud services. The aim of ISMAP is to establish a common set of security standards with which Cloud Service Providers (CSPs) must comply as baseline requirements for government procurement. ISMAP introduces security requirements for the cloud domains, practices, and procedures that cloud service providers must implement. Cloud service providers must engage an ISMAP-approved third-party assessor to assess compliance with the ISMAP security requirements in order to apply to become an ISMAP-registered provider. The ISMAP program evaluates the security of each cloud service provider and registers those that satisfy the Japanese government's security requirements. Once a provider is successfully registered with ISMAP, government procurement departments can accelerate their engagement with it. | |
ISO 9001:2015 specifies requirements for a quality management system when an organization: a) needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and b) aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements. All the requirements of ISO 9001:2015 are generic and are intended to be applicable to any organization, regardless of its type or size, or the products and services it provides. | |
ISO 14001:2015 Environmental management systems provides organizations with a framework to protect the environment and respond to changing environmental conditions in balance with socio-economic needs. It specifies requirements that enable an organization to achieve the intended outcomes it sets for its environmental management system. | |
ISO 17025 specifies the general requirements for the competence, impartiality, and consistent operation of laboratories. | |
The ISO 20000 framework specifies requirements for an organization to establish, implement, maintain and continually improve a service management system (SMS). The requirements specified include the planning, design, transition, delivery and improvement of services to meet the service requirements and deliver value. | |
The ISO 21434:2021 framework addresses the cybersecurity perspective in engineering of electrical and electronic (E/E) systems within road vehicles. By ensuring appropriate consideration of cybersecurity, this document aims to enable the engineering of E/E systems to keep up with state-of-the-art technology and evolving attack methods. | |
ISO 22301:2019 Security and resilience - Business continuity management systems specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise. The requirements specified in this document are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization's operating environment and complexity. | |
ISO 27001:2013 is an international standard that provides requirements for establishing, implementing, maintaining and continually improving an information security management system. | |
ISO 27001:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines. | |
ISO 27001:2022. IT security, cybersecurity and privacy protection are vital for companies and organizations today. The ISO/IEC 27000 family of standards keeps them safe. ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS) and their requirements. | |
ISO 27017:2015 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services. | |
ISO 27018:2019 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. | |
ISO 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines. | |
ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002. This International Standard provides guidance to healthcare organizations and other custodians of personal health information on how best to protect the confidentiality, integrity and availability of such information. It is based upon and extends the general guidance provided by ISO/IEC 27002:2013 and addresses the special information security management needs of the health sector and its unique operating environments. | |
ISO 28000:2022 Security and resilience — Security management systems specifies requirements for a security management system, including those aspects critical to the security assurance of the supply chain. It requires the organization to assess the security environment in which it operates including its supply chain (including dependencies and interdependencies); determine if adequate security measures are in place to effectively manage security-related risks; manage compliance with statutory, regulatory and voluntary obligations to which the organization subscribes; and align security processes and controls, including the relevant upstream and downstream processes and controls of the supply chain to meet the organization’s objectives. | |
ISO 42001 AI Management System. ISO/IEC 42001 is an international standard that provides a framework for organizations to manage the ethical development, deployment, and governance of Artificial Intelligence (AI) systems. It details mandatory clauses and control requirements aimed at ensuring AI systems are developed and utilized in a manner that considers ethical implications, bias, transparency, and accountability. The standard includes guidance on organizational context analysis, stakeholder engagement, AI policy formulation, risk assessment processes, and internal audit mechanisms. Annex A of the standard further elaborates on specific requirements for AI system development and usage, covering aspects such as policies, resources, impact assessments, and data management. ISO 42001 is intended to be applicable to various industries and organizations aiming to adhere to responsible AI practices. | |
ISO 45001:2018 Occupational health and safety management systems contains requirements that can be used by an organization to implement an OH&S management system and to assess conformity. | |
ISO/IEC 20243:2023 - Open Trusted Technology Provider Standard (O-TTPS). ISO 20243 is an international standard focused on mitigating risks in the supply chain for information and communication technology (ICT) products. It establishes best practices for detecting and avoiding counterfeit, maliciously tainted, or unauthorized products within the supply chain. By implementing ISO 20243, organizations can enhance the security and integrity of their ICT systems by ensuring trustworthy sourcing and production processes. | |
The Israeli Protection of Privacy Law and Regulations — The Israeli privacy laws, particularly those from 1981 (Protection of Privacy Law, 5741-1981), 2001 (Regulations Under the Protection of Privacy Law, 5761-2001), 2017 (Protection of Privacy Law Amendment, 5777-2017), and 2023 (further amendments in 5783-2023), establish a robust legal framework designed to protect the privacy and personal data of individuals. The 1981 law laid the foundation, establishing basic privacy rights and creating the framework for data protection, which prohibits the misuse or unauthorized sharing of personal data. Subsequent amendments and regulations, such as those in 2001, have updated the law to include specific guidelines on data security and the responsibilities of data controllers, adapting to technological advances. The 2017 amendment further tightened data security requirements, introducing obligations for notification of data breaches. Most recently, the 2023 amendments have focused on enhancing transparency and granting individuals greater control over their personal data, reflecting global trends towards stronger data protection and privacy rights. | |
The ITAR Compliance Program contains information on the elements of an effective ITAR Compliance Program (ICP) and how to design and implement an ICP for organizations that manufacture, export, broker, or temporarily import defense articles and defense services described on the United States Munitions List (USML). | |
The ITSG-33 Government of Canada Controls Catalogue has been developed to help Government of Canada (GC) departments ensure security is considered right from the start. These requirements have been derived from ITSG-33 Annex 3A which covers roles, responsibilities and activities of GC department risk management. Published 2012. | |
The Korean Personal Information & Information Security Management System (ISMS-P) is a Korean 'integrated certification system' that consolidated 'Personal Information Management System (PIMS) certification' and 'Information Security Management System (ISMS) certification' into one certification system, both of which were operated separately. ISMS-P has been enforced since November 7, 2018. Enterprises and institutions can expect to improve the external reliability of their personal information protection and security and reduce the risk of external and internal personal information infringements through the 'Personal information and Information Security Management System.' | |
The Microsoft Supplier Privacy and Assurance Standards (SSPA DPR v9.1) apply to each Microsoft supplier that processes personal data or Microsoft confidential data in connection with that supplier’s performance (e.g., provision of services, software licenses, cloud services) under the terms of its contract with Microsoft (e.g. purchase order terms, master agreement). | |
The revised Monetary Authority of Singapore (MAS) Technology Risk Management Guidelines (TRM) set out technology risk management principles and best practices for the financial sector, to guide financial institutions (FIs) in establishing sound and robust technology risk governance and oversight, and in maintaining cyber resilience. | |
NERC Critical Infrastructure Protection (CIP) is a set of regulatory standards developed by the North American Electric Reliability Corporation to safeguard the security and reliability of the bulk power system in North America. These standards focus on protecting critical cyber assets, physical infrastructure, and personnel from threats, vulnerabilities, and risks that could disrupt the operation of power grids. The CIP standards require utility companies to implement robust security measures, including risk assessments, access controls, incident response, and regular compliance audits to ensure the continuous protection of vital infrastructure. | |
The NIS2 Directive revises the European Union's Network and Information Security Directive, expanding its scope to include additional sectors and services such as health, energy, and digital infrastructure. It imposes more stringent security measures and comprehensive incident reporting requirements. | |
The NIST AI Risk Management Framework (AI RMF) is intended for voluntary use and to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems. | |
Select Low, Medium, or High to create a program with the requirements in that baseline. Optionally add the privacy baseline requirements as well. NIST SP 800-53 Rev5 Selectable Baseline provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. | |
NIST 800-82 provides guidance on how to improve the security of Operational Technology (OT) systems while addressing their unique performance, reliability, and safety requirements. | |
NIST 800-161 Rev1 (draft 2) is the Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. This framework is not yet final; the current requirements represent Draft 2, dated October 28, 2021. | |
NIST 800-171 Rev2 is Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, Revision 2, February 2020. | |
NIST 800-171 Rev. 3. This publication provides federal agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when the information is resident in nonfederal systems and organizations. The requirements apply to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components. The security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. This publication can be used in conjunction with its companion publication, NIST Special Publication 800-171A, which provides a comprehensive set of procedures to assess the security requirements. | |
This document recommends the Secure Software Development Framework (SSDF) – a core set of high-level secure software development practices that can be integrated into each SDLC implementation. Following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. | |
NIST SP 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities. Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure that the software being developed is well-secured. This document recommends the SSDF, a core set of high-level secure software development practices that can be integrated into each SDLC implementation. Following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. | |
NIST Cybersecurity Framework (CSF) 1.1 is a voluntary framework consisting of standards, guidelines and best practices to manage cybersecurity risks. | |
NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization—regardless of its size, sector, or maturity—to better understand, assess, prioritize, and communicate its cybersecurity efforts. | |
NIST Privacy Framework 1.0 is a voluntary tool designed to enable better privacy engineering practices that support privacy by design concepts and help organizations protect individuals' privacy. | |
NIST SP 800-53 Rev5 - Security and Privacy Controls for Information Systems and Organizations - provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. | |
NISTIR 8374 Ransomware Risk Management can help organizations gauge their level of readiness to counter threats, deal with the potential consequences of events, and identify opportunities for improvement. It maps security objectives from the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, to security capabilities and measures that help to identify, protect against, detect, respond to, and recover from ransomware events. | |
Effective March 1, 2017, the New York Department of Financial Services (NYDFS) promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies. | |
The OWASP Application Security Verification Standard (ASVS) v4.0.3 provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development. | |
The Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). | |
The Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem. | |
This supplement provides an overview of SASB’s approach to greenhouse gas emissions and related topics in the SASB ESG Standards and offers guidance for reporting entities that wish to disclose Scope 1, 2, or 3 emissions. | |
The Saudi Arabia Essential Cybersecurity Controls (ECC), issued by the National Cybersecurity Authority (NCA) as part of Saudi Vision 2030, are measures that aim to help government and government-affiliated organizations enhance their cybersecurity posture. | |
The Secure Controls Framework (SCF) rev April 2023 focuses on internal controls. These are the cybersecurity and privacy-related policies, standards, procedures, technologies and associated processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and corrected. | |
The SEC 17 CFR Part 240 15c: Rules Relating to Over-the-Counter Markets (§§ 240.15c-2 and 240.15c-3), under the Securities Exchange Act of 1934. The bulk of 240.15c is included in this framework, with the exception of definitions and terms. | |
The SEC 17 CFR Part 240 17a: Preservation of Records and Reports of Stabilizing Activities (§§ 240.17a-1 – 240.17f-2), under the Securities Exchange Act of 1934, specifies minimum requirements with respect to the records that broker-dealers must make, and how long those records and other documents relating to a broker-dealer's business must be kept. The bulk of 240.17 is included in this framework, with the exception of definitions and terms. | |
SOX ICFR and ITGC includes sections 302, 401, 403, 404 and 409 of the Sarbanes-Oxley Act (SOX) of 2002. Additionally, it includes Regulation S-X, "Form and Content of and Requirements for Financial Statements"; Regulation S-K, "disclosure requirements"; the COSO Internal Control - Integrated Framework; and COBIT (Control Objectives for Information and Related Technologies). These additional inclusions are some of the primary rules, items, practices, and standards used by organizations to meet the requirements of SOX. Internal control over financial reporting (ICFR) and Information Technology General Controls (ITGC) illustrative control templates are included with this program. | |
The Spanish National Security Scheme (ENS) 2022 is a regulatory and reference framework established in Spain based on Spanish legislation and European regulations related to information security. The ENS was first established in 2010 (Royal Decree 3/2010); the 2022 version is based on Royal Decree 311/2022, which establishes the principles and requirements to protect the confidentiality, integrity, availability, and authenticity of information in public entities and organizations. | |
StateRAMP represents the shared interests of state and local governments, third party assessment organizations, and service providers with IaaS, SaaS, and PaaS solutions. StateRAMP is built on the National Institute of Standards and Technology Special Publication 800-53 framework, modeled in part after FedRAMP, and based on a “complete once, use many” concept that saves time and reduces costs for both service providers and governments. Like FedRAMP, StateRAMP relies on FedRAMP Authorized 3PAOs to conduct assessments. | |
The Swift Customer Security Controls Framework (CSCF) v2024 outlines a comprehensive set of mandatory and advisory security controls for institutions using the SWIFT network. This framework is designed to protect against fraud and cyber threats by enforcing rigorous standards around user access, security policies, and incident response. The v2024 update strengthens existing controls while introducing new measures to address emerging cybersecurity challenges and compliance requirements. | |
AICPA SOC 2 for Service Organizations: Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. | |
The Task Force on Climate-Related Financial Disclosures (TCFD) is committed to market transparency and stability. The TCFD holds that better information will allow companies to incorporate climate-related risks and opportunities into their risk management and strategic planning processes. As this occurs, companies' and investors' understanding of the financial implications associated with climate change will grow, empowering the markets to channel investment to sustainable and resilient solutions, opportunities, and business models. | |
The Trusted Information Security Assessment Exchange (TISAX VDA ISA v6) is an information security requirements catalogue based on key aspects of the international standard ISO/IEC 27001. Companies use it both for internal purposes and for assessing suppliers and service providers that process sensitive information on their behalf. | |
The Texas Risk and Authorization Management Program (TX-RAMP 2.0) is a standardized approach to the assessment and evaluation of cloud computing services. Per 1 Texas Administrative Code Chapter 202, it defines the processes, procedures, and compliance requirements relating to the use of cloud computing services by Texas state agencies. | |
UK Cyber Essentials: Requirements for IT Infrastructure is an effective, government-backed scheme that will help you to protect your organization, whatever its size, against a whole range of the most common cyber attacks. | |
Webtrust for CAs - Extended Validation SSL v1.8 sets out the criteria an auditor uses as the basis for conducting an Extended Validation SSL audit. | |
Webtrust for CAs - PTCSC v1.0.1 sets out the criteria an auditor uses as the basis for conducting an engagement on the Issuance and Management of Publicly Trusted Code Signing (CS) Certificates. | |
Webtrust for CAs - SSL Baseline with Network Security v2.7 sets out the criteria an auditor uses as the basis for conducting an SSL Baseline Requirements and Network and Certificate Systems Security Requirements audit. | |
Webtrust for CAs - Principles and Criteria for Certification Authorities v2.2.2 is a framework for auditors to assess the adequacy and effectiveness of the controls used by Certification Authorities (CAs). | |
Webtrust Principles and Criteria for Registration Authorities v1.0 is a framework for third-party assurance providers to assess the adequacy and effectiveness of the controls employed by a Registration Authority (RA) that performs either a portion or all of the registration-related functions for a Certification Authority (CA) on an outsourced basis. | |
Webtrust for CAs - S/MIME covers the requirements applicable to Certification Authorities that issue S/MIME digital certificates used to sign, verify, encrypt, and decrypt email. | |
The Webtrust CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates enables efficient and secure electronic communication, whilst addressing user concerns about the trustworthiness of Code Signing Certificates (“CS Certificates”). The Guidelines also serve to inform users and help them to make informed decisions when relying on Certificates. |