Total Compliance Standards and Regulations
The following standards and regulations are covered by CloudCheckr's Total Compliance checks, which monitor your cloud deployment against them:
| Standard | Industry | Geo | Description/Use Case |
|---|---|---|---|
| AICPA GAPP | Accounting | US | The American Institute of CPAs' Generally Accepted Privacy Principles (GAPP) are a framework of privacy principles and criteria for collecting, using, retaining, and disclosing personal information. See the AICPA website for details. |
| AICPA SOC2, SOC3 TSPC | Accounting | US | The AICPA's Trust Services Principles and Criteria (TSPC), against which SOC 2 and SOC 3 reports are assessed, cover the security, availability, processing integrity, confidentiality, and privacy of a service organization's systems. See the AICPA website (and the IAASB website for the international assurance standards) for details. |
| ANSSI - 40 Measures | Universal | Global | The 40 essential measures from the French National Cybersecurity Agency (ANSSI) address user authentication, network security, updates, monitoring, and incident response. See the ANSSI website for details. |
| Australian Essential 8 | Universal | Australia | The Australian Signals Directorate's Essential Eight mitigation strategies aim to prevent malware delivery and execution, limit the extent of intrusions, and recover data and system availability. See the Essential Eight Explained page for details. |
| Australian Top 35 | Universal | Australia | The Australian Signals Directorate's broader set of mitigation strategies covers access control, privilege restriction, Multi-Factor Authentication (MFA), auditing, updates, firewalls, content filtering, password policy, and more. See the Strategies to Mitigate Cyber Security Incidents page for details. |
| Center for Internet Security | Universal | Global | The Center for Internet Security (CIS) is a non-profit organization that draws on industry experts to publish the CIS Controls, a prioritized set of cybersecurity safeguards independent of any government or industry. See the CIS Controls page for details. |
| COBIT 5 / SOX | Accounting | US | COBIT is ISACA's IT governance and control framework; it is widely used to structure the IT controls required for compliance with the Sarbanes-Oxley Act of 2002, which regulates external audits and financial reporting. See the ISACA COBIT and Sarbanes-Oxley Act pages for details. |
| CoM 201 CMR 17.00 | Universal | Massachusetts | The Commonwealth of Massachusetts regulation 201 CMR 17.00 sets minimum standards for protecting the personal information of Massachusetts residents, covering privacy, breach response, encryption, and monitoring. See the 201 CMR 17.00 regulation for details. |
| CSA CCM v3 | Cloud | Global | The Cloud Security Alliance (CSA) Cloud Controls Matrix is a set of security controls written specifically for cloud computing. Many other frameworks were designed for the pre-cloud data center and must be "translated" to cloud technology; the CCM is cloud-first. See the Cloud Controls Matrix publication for details. |
| DHS CDM Program | Government | US | The Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) program provides federal agencies with tools and a scorecard for continuous monitoring, diagnostics, and mitigation of cyber risk. See the DHS/CISA/PIA-030 Continuous Diagnostics and Mitigation (CDM) page for details. |
| FFIEC Booklet 2016 | Financial | US | The Federal Financial Institutions Examination Council (FFIEC) Information Security booklet, issued in 2016, addresses risk identification, measurement, mitigation, monitoring, and reporting. See the FFIEC Information Technology Examination Handbook for details. |
| FFIEC CAT | Financial | US | The FFIEC Cybersecurity Assessment Tool (CAT) is a scorecard of specific metrics tied to the FFIEC booklet, used to assess an institution's inherent risk and cybersecurity maturity. See the FFIEC Cybersecurity Assessment Tool document for details. |
| FY15 FISMA Metrics | Government | US | The Federal Information Security Management Act of 2002 (Title III of the E-Government Act), updated by the Federal Information Security Modernization Act of 2014 (FISMA), requires federal agencies to protect their information and systems against man-made and natural threats; the FY15 metrics are the annual reporting measures for that fiscal year. See the Federal Information Security Modernization Act page for details. |
| HIPAA | Healthcare | US | The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates the privacy, security, and portability of protected health information. See the HHS Health Information Privacy page for details. |
| IEC 62443-3-3-2013 | Universal | Global | ISA/IEC 62443-3-3:2013, developed by the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC), defines system security requirements and security levels for industrial automation and control systems. The United Nations Economic Commission for Europe (UNECE) has integrated it into its Common Regulatory Framework on Cybersecurity. See the United Nations commission to integrate ISA/IEC 62443 into Cybersecurity Regulatory Framework article for details. |
| IRS Pub 1075 | Government | US | Internal Revenue Service (IRS) Publication 1075 sets safeguards for federal tax information, such as returns containing Personally Identifiable Information (PII) like Social Security Numbers (SSNs) and bank account numbers. See Publication 1075 for details. |
| ISO 27002-2013 | Universal | Global | This code of practice from the International Organization for Standardization (ISO) provides guidance on information security controls and their management, including assessment, contractors and service providers, and information handling. See the ISO/IEC 27002:2013 page for details. |
| ITIL 2011 KPIs | Universal | Global | ITIL (originally an acronym for Information Technology Infrastructure Library) describes processes, procedures, tasks, and checklists that are neither organization-specific nor technology-specific. An organization can apply them to strategy, delivering value, and maintaining a minimum level of competency, establish a baseline from which to plan, implement, and measure, and use them to demonstrate compliance and measure improvement. Individuals, but not organizations, can be certified through training. See the What is ITIL? page for details. |
| NERC CIP v5, v6, v7 | Energy | US | The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards set mandatory cyber security requirements for the bulk electric system; NERC monitors and enforces compliance with its reliability standards under authority granted pursuant to the Federal Power Act. See the NERC Compliance & Enforcement page for details. |
| NIST 800-171 | Government | US | NIST Special Publication 800-171 specifies requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems. The Defense Federal Acquisition Regulation Supplement (DFARS) requires defense contractors to implement it, and it is also relevant to other organizations that handle federal data, such as financial aid information. See the Archived NIST Technical Series Publication for details. |
| NIST 800-53 rev4 | Government | US | NIST Special Publication 800-53 catalogs security and privacy controls for federal information systems and is the basis for the Federal Risk and Authorization Management Program (FedRAMP) baselines that agencies must use when authorizing cloud service providers. See the FedRAMP website for details. |
| NIST 800-82 rev2 | Government | US | NIST Special Publication 800-82 addresses industrial control systems (ICS) security, covering security architecture, firewalls, network traffic, access control, audits, and planning. See the Guide to Industrial Control Systems (ICS) Security for details. |
| NIST Cybersecurity Framework | Universal | US | The NIST Cybersecurity Framework is organized around business outcomes and activities (Identify, Protect, Detect, Respond, Recover) rather than specific technologies. See the NIST Cybersecurity Framework for details. |
| NIST SMB Guide | Small/Mid-size Business | US | NIST provides resources based on its Cybersecurity Framework that are specifically focused on small and medium-sized businesses. See the Small Business Cybersecurity Corner page for details. |
| NSA MNT (MNP) | Government | US | The National Security Agency (NSA) Manageable Network Plan is a framework for taking an unmanageable, insecure network and making it more defensible, secure, and manageable. See the Manageable Network Plan (MNP) Guide for details. |
| NSA Top 10 | Government | US | The NSA's Top Ten Cybersecurity Mitigation Strategies cover updates, accounts, policies, recovery, and management. See the NSA's Top Ten Mitigation Strategies document for details. |
| NV Gaming MICS | Gaming | Nevada | The Nevada Gaming Commission has its own security controls, with specific requirements for different types of gambling. See the Minimum Internal Control Standards (MICS) document for details. |
| NYCRR 500 | Financial | New York State | New York State Department of Financial Services regulation 23 NYCRR 500 requires covered financial entities, under penalty, to meet requirements for audits, access control, application security, personnel, third parties, Multi-Factor Authentication (MFA), data retention, training, and monitoring. See the Adoption of New 23 NYCRR 500 document for details. |
| PCI DSS 3.2 | Financial | Global | The Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, applies to any organization that stores, processes, or transmits payment card data. See the PCI Document Library for details. |
| Saudi AMA | Financial | Saudi Arabia | The Saudi Arabian Monetary Authority (SAMA) released its Cyber Security Framework in 2017; it covers policy, roles and responsibilities, risk management, and compliance with other standards. See the Cyber Security Framework document for details. |
| SEC OCIE Audit Guide for AWS | Financial | US | The U.S. Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) is responsible for protecting investors and ensuring market integrity, and it publishes cybersecurity guidance for risk management. This audit guide maps that guidance to specific Amazon Web Services (AWS) controls. See the Cybersecurity Initiative Audit Guide for details. |
| SG MAS TRM | Financial | Singapore | The Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) guidelines set out risk management practices for financial institutions, with specific sections on cloud computing. See the Guidelines on Risk Management Practices for details. |
| Victorian PDSF v1.0 | Universal | Australia | The Victorian Protective Data Security Framework (PDSF) sets information security standards for the State of Victoria, Australia, and its accompanying guidance applies them to cloud computing. See the Victorian Government Cloud Security Guidance page for details. |