A compliance framework is a set of criteria developed by an organization to achieve an objective or outcome that is intended to benefit the organization. A compliance framework lets you take your organization’s procedures, policies, and other documentation and compile them into one cohesive whole. New regulations and standards are mandated continually, so as the number of requirements grows, so does the need to integrate new policies into the framework you already have. Organizations usually maintain different frameworks for different scenarios; for example, an organization might have one compliance framework for protecting data privacy and another for combatting discrimination.
What is information security compliance?
Information security compliance means an organization meets the rules, standards, and best practices that govern the protection of its data and information. For any organization, a number of government, industry, and other regulations determine the specific security requirements that apply to that data.
Information security risk management
Information security risk management, or ISRM, is the process of identifying, assessing, and treating the risks that arise from an organization’s use of information technology, with the goal of keeping risk to the confidentiality, integrity, and availability of information at an acceptable level.
Risk frameworks are intended to minimize risk within an organization, whereas a governance framework is intended to drive process changes and ensure that management is achieving the objectives the framework defines. Some common frameworks are as follows:
SOC 2 – An attestation standard from the AICPA. A SOC 2 report, issued by an independent auditor, provides assurance over the controls relevant to the Trust Services Criteria selected for the scope (security, plus optionally availability, processing integrity, confidentiality, and privacy) and verifies that the system is implemented with appropriate processes to protect information. A Type I report covers control design at a point in time; a Type II report covers operating effectiveness over a period.
ISO 27001 – An international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS), combining policies and processes so that security can be managed systematically. Certification against it demonstrates conformance with a recognized security standard and helps satisfy regulatory and legal requirements.
HIPAA – The Health Insurance Portability and Accountability Act is a United States federal law enacted in 1996. Its Privacy and Security Rules created a framework for protecting confidential patient data (protected health information) from being shared without the patient’s consent or knowledge.
FedRAMP – The Federal Risk and Authorization Management Program, a United States federal government program that created a standardized, cost-effective, risk-based approach to the security assessment, authorization, and continuous monitoring of cloud services adopted by federal agencies.
NIST – The United States National Institute of Standards and Technology publishes the Cybersecurity Framework (CSF), which targets the cybersecurity risks that organizations face and organizes them around the core functions Identify, Protect, Detect, Respond, and Recover (CSF 2.0, released in 2024, adds Govern). It is voluntary but has been adopted by many governments and organizations worldwide and is widely regarded as one of the most effective frameworks available, although implementing it is a significant investment of time and money.
SOX – The Sarbanes-Oxley Act, enacted in the United States in 2002, was created to combat corporate fraud. It differs from many other frameworks in that it specifies no particular technological requirements, but because it holds management accountable for internal controls over financial reporting, many organizations keep it in mind when designing the data processes that feed those reports.
GDPR – The General Data Protection Regulation was adopted in 2016 (and has applied since May 2018) to strengthen data protection procedures and practices for individuals in the European Union (EU). It applies to organizations established in the EU and to any business, including U.S. businesses, that collects and stores the personal data of people in the EU. The regulation’s 99 articles set out a company’s compliance responsibilities, including data subjects’ rights to access their data, required data protection policies and procedures, and the obligation to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, among others.