Total Compliance Standards and Regulations

Here is a list of the Total Compliance standards and regulations that CloudCheckr adheres to and monitors in your cloud deployment. Each entry gives the standard name, then in parentheses the industry it targets and the geography where it applies, followed by a description and use case.

AICPA GAPP (Accounting, US)
The American Institute of CPAs’ Generally Accepted Privacy Principles (GAPP) are a framework of ten principles for how an organization collects, uses, retains, discloses, and disposes of personal information. See the AICPA website for details.

AICPA SOC2, SOC3 TSPC (Accounting, US)
The AICPA’s Trust Services Principles and Criteria (TSPC) are the control criteria behind SOC 2 and SOC 3 attestation reports, covering the security, availability, processing integrity, confidentiality, and privacy of a service organization’s systems. See the IAASB and AICPA websites for details.

ANSSI - 40 Measures (Universal, France)
ANSSI, the French national cybersecurity agency (Agence nationale de la sécurité des systèmes d’information), publishes 40 essential measures for basic IT hygiene covering user authentication, network security, updates, monitoring, and incident response. See the ANSSI website for details.

Australian Essential 8 (Universal, Australia)
The Australian Cyber Security Centre’s Essential Eight is a baseline of eight mitigation strategies to prevent malware delivery and execution, limit the extent of intrusions, and recover data and system availability. See the Essential Eight Explained page for details.

Australian Top 35 (Universal, Australia)
The Australian Signals Directorate’s more extensive Strategies to Mitigate Cyber Security Incidents cover access control, privilege management, Multi-Factor Authentication (MFA), auditing, patching, firewalls, content filtering, password policy, and more. See the Strategies to Mitigate Cyber Security Incidents page for details.

Center for Internet Security (Universal, Global)
The Center for Internet Security (CIS) is a non-profit organization whose community of industry experts maintains the CIS Controls, a prioritized cybersecurity framework independent of any government or industry. See the CIS Controls page for details.

COBIT 5 / SOX (Accounting, US)
COBIT, ISACA’s framework for the governance and management of enterprise IT, is widely used as the IT control framework for complying with the Sarbanes-Oxley Act of 2002, which regulates external audits and financial reporting of public companies. See the ISACA COBIT and Sarbanes-Oxley Act pages for details.

CoM 201 CMR 17.00 (Universal, Massachusetts)
The Commonwealth of Massachusetts regulation 201 CMR 17.00, in effect since 2010, sets standards for protecting the personal information of Massachusetts residents, including risk assessment, access control, encryption, and monitoring. See the 201 CMR 17.00 regulation for details.

CSA CCM v3 (Cloud, Global)
The Cloud Security Alliance (CSA) has developed cloud-computing-specific best practices. While many other regulations were designed for the pre-cloud data center and must be “translated” to cloud technology, the CSA Cloud Controls Matrix is cloud-first. See the Cloud Controls Matrix publication for details.

DHS CDM Program (Government, US)
The Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) program provides federal agencies with capabilities, dashboards, and scorecards for continuous monitoring, diagnostics, and mitigation of cybersecurity risk. See the DHS/CISA/PIA-030 Continuous Diagnostics and Mitigation (CDM) page for details.

FFIEC Booklet 2016 (Financial, US)
The Federal Financial Institutions Examination Council (FFIEC) Information Security booklet, updated in 2016 as part of its IT Examination Handbook, addresses risk identification, measurement, mitigation, monitoring, and reporting. See the FFIEC Information Technology Examination Handbook for details.

FFIEC CAT (Financial, US)
The Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool works as a scorecard for metrics related to the FFIEC booklet, rating an institution’s inherent risk profile against its cybersecurity maturity. See the FFIEC Cybersecurity Assessment Tool document for details.

FY15 FISMA Metrics (Government, US)
The Federal Information Security Management Act of 2002 (FISMA, enacted as part of the E-Government Act and updated by the Federal Information Security Modernization Act of 2014) requires federal agencies to protect their information systems against man-made and natural threats; the FY15 metrics are the annual agency reporting measures for that fiscal year. See the Federal Information Security Modernization Act page for details.

HIPAA (Healthcare, US)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), through its Privacy and Security Rules, mandates safeguards for the privacy and security of protected health information, alongside portability of health coverage. See the HHS Health Information Privacy page for details.

IEC 62443-3-3-2013 (Universal, Global)
The International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) jointly develop the ISA/IEC 62443 series for industrial automation and control system security; part 3-3 defines system security requirements and security levels for addressing vulnerabilities and risk. The United Nations Economic Commission for Europe (UNECE) has integrated the series into its Common Regulatory Framework on Cybersecurity. See the United Nations commission to integrate ISA/IEC 62443 into Cybersecurity Regulatory Framework article for details.

IRS Pub 1075 (Government, US)
The Internal Revenue Service (IRS) Publication 1075 sets security requirements for agencies that receive Federal Tax Information, such as returns that include Personally Identifiable Information like Social Security Numbers (SSNs), bank account numbers, and more. See Publication 1075 for details.

ISO 27002-2013 (Universal, Global)
The International Organization for Standardization (ISO) and IEC code of practice for information security controls covers the selection and management of security controls, assessment, contractors and providers, and information handling. See the ISO/IEC 27002:2013 page for details.

ITIL 2011 KPIs (Universal, Global)
ITIL (originally an acronym for Information Technology Infrastructure Library) describes processes, procedures, tasks, and checklists that are neither organization-specific nor technology-specific, which an organization can apply to strategy, delivering value, and maintaining a minimum level of competency. It lets the organization establish a baseline from which to plan, implement, and measure, and it is used to demonstrate compliance and to measure improvement. Individuals, but not organizations, can be certified via training. See the What is ITIL? page for details.

NERC CIP v5, v6, v7 (Energy, US)
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards set mandatory cybersecurity requirements for the bulk electric system, with compliance evaluated and enforced pursuant to the Federal Power Act. See the NERC Compliance & Enforcement page for details.

NIST 800-171 (Government, US)
National Institute of Standards and Technology (NIST) Special Publication 800-171 specifies requirements for protecting Controlled Unclassified Information in nonfederal systems. The Defense Federal Acquisition Regulation Supplement (DFARS) requires defense contractors to implement it, and it is also relevant to other organizations that handle federal data, such as financial aid information. See the Archived NIST Technical Series Publication for details.

NIST 800-53 rev4 (Government, US)
National Institute of Standards and Technology (NIST) Special Publication 800-53 catalogs security and privacy controls for federal information systems; its control baselines are the basis for the Federal Risk and Authorization Management Program (FedRAMP), which agencies often must follow when selecting cloud vendors. See the FedRAMP website for details.

NIST 800-82 rev2 (Government, US)
This guide from the National Institute of Standards and Technology (NIST) covers industrial control system (ICS) security architecture, firewalls and network segmentation, traffic control, access control, auditing, and security planning. See the Guide to Industrial Control Systems (ICS) Security for details.

NIST Cybersecurity Framework (Universal, US)
The National Institute of Standards and Technology (NIST) Cybersecurity Framework organizes security activities into five functions (Identify, Protect, Detect, Respond, Recover) and focuses on business practices and outcomes more than on specific technology. See the NIST Cybersecurity Framework for details.

NIST SMB Guide (Small/Mid-size Business, US)
The National Institute of Standards and Technology (NIST) publishes resources based on its Cybersecurity Framework that are focused specifically on small and medium-sized businesses. See the Small Business Cybersecurity Corner page for details.

NSA MNT (MNP) (Government, US)
The National Security Agency (NSA) Manageable Network Plan is a framework of milestones for taking an unmanageable, insecure network and making it more defensible, secure, and manageable. See the Manageable Network Plan (MNP) Guide for details.

NSA Top 10 (Government, US)
The National Security Agency (NSA) publishes Top Ten Cybersecurity Mitigation Strategies covering software updates, account and privilege management, security policies, recovery planning, and network management. See the NSA’s Top Ten Mitigation Strategies document for details.

NV Gaming MICS (Gaming, Nevada)
The Nevada Gaming Commission has its own security controls with specific requirements for different types of gambling operations. See the Minimum Internal Control Standards (MICS) document for details.

NYCRR 500 (Financial, New York State)
The New York State Department of Financial Services (NYDFS) has established 23 NYCRR Part 500, a cybersecurity regulation with penalties for regulated financial entities that fail to meet its requirements for audits, access control, application security, personnel, third parties, Multi-Factor Authentication (MFA), data retention, training, and monitoring. See the Adoption of New 23 NYCRR 500 document for details.

PCI DSS 3.2 (Financial, Global)
The Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, applies to any organization that stores, processes, or transmits payment cardholder data. See the PCI Document Library for details.

Saudi AMA (Financial, Saudi Arabia)
The Saudi Arabian Monetary Authority (SAMA) released its Cyber Security Framework in 2017; it covers policy, roles and responsibilities, risk management, and even compliance with other standards. See the Cyber Security Framework document for details.

SEC OCIE Audit Guide for AWS (Financial, US)
The U.S. Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) is responsible for protecting investors, ensuring market integrity, and establishing guidelines for cybersecurity risk management. This audit guide maps those guidelines specifically to Amazon Web Services (AWS). See the Cybersecurity Initiative Audit Guide for details.

SG MAS TRM (Financial, Singapore)
The Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines set out risk management practices for financial institutions’ technology, with specific sections on cloud computing. See the Guidelines on Risk Management Practices for details.

Victorian PDSF v1.0 (Universal, Australia)
The State of Victoria, Australia’s Victorian Protective Data Security Framework (VPDSF) sets data security requirements for the Victorian public sector and includes guidance specifically related to cloud computing. See the Victorian Government Cloud Security Guidance page for details.
