Cybersecurity Frameworks:

Compliance and regulatory frameworks are sets of guidelines and best practices. Organizations adopt and follow these guidelines to improve processes, strengthen security, meet regulatory requirements, and achieve other business objectives.

These frameworks provide a common language that can be used across the organization, from boardroom to server room. These standards are leveraged by:

  • Internal auditors and external auditors, to evaluate the controls in place within an organization.

  • Third parties (potential customers, investors, etc.), to evaluate the potential risks of partnering with an organization.

Below are a few widely used vertical-specific cybersecurity frameworks:

  • ISO/IEC 27001 / ISO 27002 - ISO 27001 provides a risk-based process for businesses to put controls in place for detecting security threats impacting their IT systems. ISO 27001 advocates 114 controls, categorized into 14 different categories, including information security policies, information security organization, human resource security, etc.

  • PCI DSS - The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of security standards governed by the Payment Card Industry Security Standards Council (PCI SSC). The compliance scheme aims to secure credit and debit card transactions against data theft and fraud.

  • NIST Cybersecurity Framework - describes five functions that manage the risks to data and information security. The functions are Identify, Protect, Detect, Respond, and Recover.

  • HIPAA (Health Insurance Portability and Accountability Act) - provides guidelines for enabling organizations to implement different controls for securing employee and customer health information.

  • GDPR (General Data Protection Regulation) - a framework enacted to secure personally identifiable information belonging to European citizens. This regulation provides a set of mandatory security requirements that organizations must implement. It is a global framework that protects the data of all EU citizens, and non-compliance with it leads to huge penalties.