If you want more information or to discuss these compliance frameworks, please get in touch with us today!

GRC – Governance, Risk and Compliance

Governance, Risk, and Compliance (GRC) is a structured way to align IT with business goals while managing risks and meeting all industry and government regulations. It includes tools and processes to unify an organization’s governance and risk management with technological innovation and adoption. Companies use GRC to achieve organizational goals reliably, remove uncertainty, and meet compliance requirements.

RMF – Risk Management Framework (NIST, ISO, SOC2, FTC Safeguards, PCI, CMMC, CJIS, and more)

The Risk Management Framework is a template and guideline companies use to identify, eliminate, and minimize risks. It was originally developed by the National Institute of Standards and Technology (NIST) to help protect the information systems of the United States government.

The RMF was initially designed for federal agencies but can be easily adopted by organizations operating in the private sector. Businesses cannot exist without exposing themselves to risks such as IT problems, litigation, and capital loss. While it is impossible to eliminate all risks involved in running a business, they can be minimized.

Do your clients need to align to an RMF? In some cases there are regulatory requirements. Voluntary efforts are driven by the need to prove a strong cyber security posture. Then there are the organizations that want to self-assess their posture against a framework to ensure they are doing what they should to protect themselves and their clients. Bottom line – every organization needs some level of alignment.

NIST – The National Institute of Standards and Technology

NIST cyber security frameworks such as the CSF, SP 800-53, and SP 800-171 (to name a few) give organizations a set of cyber security best practices. Organizations align themselves to one of these frameworks to ensure they meet today’s data protection standards.

ISO – International Standard for Information Security

This framework requires organizations to identify information security risks and select appropriate controls to address them. The standard ISO framework for cyber security is ISO 27001, which contains 114 controls divided into 14 domains.

Organizations that need to prove a higher standard in cyber security get ISO 27001 certified. This is an official certification issued by a third-party certification registrar. Organizations that get ISO 27001 certified are typically in industries that aren’t regulated but need to prove to their clients, vendors, board of directors, etc., that they have been tested, audited, and certified in cyber security best practices. These organizations typically store information or data about their clients, such as PII (Personally Identifiable Information) or IP (Intellectual Property).

SOC 2 – Service Organization Control Type 2

SOC 2 is an extremely popular form of cybersecurity audit, used by many organizations to demonstrate that they take cybersecurity and privacy seriously. In a world filled with data breaches and information leaks, establishing trust is critical to your revenue stream and can be a competitive differentiator when closing new business. Customers and partners seek assurances that the companies they work with are doing everything they can to avoid exposing sensitive information and creating risk. That’s exactly why SOC 2 compliance is important. Organizations seeking SOC 2 compliance do it for the same reasons as those that get ISO 27001 certified: it gives them an advantage and audited proof of their cyber security posture.

FTC Safeguards – Federal Trade Commission Safeguards Rule for Safeguarding Customer Information

The Safeguards Rule, for short, requires entities covered by the Rule to maintain safeguards that protect the security of customer information. The Safeguards Rule took effect in 2003, but after public comment, the FTC amended it in 2021 to make sure the Rule keeps pace with current technology. While preserving the flexibility of the original Safeguards Rule, the revised Rule provides more concrete guidance for businesses. It reflects core data security principles that all covered companies need to implement.

Organizations that are financial institutions under the Rule, including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors, are covered by this Rule and need to align their cyber security controls to this framework.

PCI – Payment Card Industry

This financial industry segment includes all the various organizations responsible for storing, processing, and transmitting cardholder data. This consists of both debit cards and credit cards.

PCI is frequently used in conjunction with a secondary acronym, DSS. Together, they stand for Payment Card Industry Data Security Standard, a set of required practices ensuring cardholder information is handled securely. PCI DSS covers how businesses should transmit and store this sensitive data, with a set of guidelines for payment processors to follow. The standard also applies to developers or manufacturers creating new payment processing devices. If an organization processes credit cards through a third-party merchant, there may still be residual risks it needs to cover under this framework.

CMMC – Cybersecurity Maturity Model Certification

CMMC is a certification program created by the Department of Defense (DoD) that assesses an organization’s cybersecurity posture. The CMMC framework consists of three maturity levels (formerly five), each with increasing requirements for safeguarding Controlled Unclassified Information (CUI).

To be CMMC compliant, an organization must be assessed by a certified third-party assessor and receive a passing score for the appropriate CMMC level. Organizations that handle CUI on behalf of the DoD must be certified at one of the three maturity levels to bid on or work on relevant contracts. This includes prime contractors and their subcontractors, regardless of size.

CJIS – Criminal Justice Information Services

CJIS is a division of the Federal Bureau of Investigation (FBI) in the United States that provides a wide range of information services to support law enforcement agencies at the federal, state, and local levels.

CJIS compliance requirements protect national security while safeguarding the civil liberties of individuals and businesses and shielding private and sensitive information. They are integral to securing law enforcement and civil agencies with access to criminal justice information (CJI) and ensuring they do not become victims of cybercriminals looking to exploit CJI for ransom or to cause public damage.

CJI refers to all the FBI CJIS-provided data needed for law enforcement and civil agencies to conduct their missions, including but not limited to biographic, biometric, identity history, property, and case or incident history data.
