Security Compliance Frameworks
Manage and organize assessment documentation in a single source of truth to support any type of security framework.
- Home
- Security Frameworks
"ComplyAssistant’s cloud-based software solution allowed us to efficiently and effectively manage the entire compliance process, from assessment development and distribution through management of action items." --CIO, Cape Regional Health System
A GRC Solution That Works With All Types Of Security Frameworks
With multiple security frameworks that have different purposes and guidance, how do organizations know what is the best fit for their needs?
The best place to begin is to understand what each security framework is designed for, and then determine if that applies to your organization’s structure and operations.
And, with a structured GRC solution like ComplyAssistant, you’ll have a single, organized source of truth for all documentation related to any and all security frameworks and compliance regulations you choose. Our software is purposely designed to be flexible enough to handle any federal, state and local compliance regulation.
Start your governance, risk, and compliance journey with Diligent’s expert guidance. Our solutions ensure your organization remains compliant, efficient, and ready for future challenges.
What we offer
A platform to meet any compliance regulation:
HIPAA
Manage HIPAA policies, procedures and evidence of operational compliance.
NIST Cybersecurity Framework
Build and implement a framework using NIST guidelines and structure.
HICP
Protect your organization against the top five threats identified by Health Industry Cybersecurity Practices (HICP) by implementing ten recommended security practices.
HITRUST
Answer HITRUST assessment questions, manage tasks, track standards documentation and manage maturity levels.
PCI
Manage security standards around credit card and payment accounts.
DNV GL Accreditation
Prepare and organize hospital and ancillary facility accreditation materials.
FFIEC
Standardized cybersecurity software and services for financial institutions
ISO 27001
Manage your organization’s ISO 27001 compliance with ComplyAssistant’s GRC software and consulting.
CMMC
Meet U.S. Department of Defense (DOD) specifications for cybersecurity compliance.
Other Frameworks:
Description: HICP (Health Industry Cybersecurity Practices), developed under HR 7898, was signed into law on January 5, 2021. It gives covered entities (CEs) and business associates (BAs) guidance on how to create and implement consistent “recognized security practices” (RSPs) for small, medium, and large organizations.
HICP focuses on the top threats identified in healthcare and specific practices to mitigate those threats.
Use case: With ComplyAssistant, use HICP threats and controls in our Risk Register and with custom assessment questions, which are both directly mapped into our Regulation Management module. This module can document current processes and controls, gaps, plans, compliance levels, risk levels, and follow-up tasks.
Description: The CIS Controls are cybersecurity best practices for defense against common threats, used by organizations with varying resources and risk exposure. V7.1 features Implementation Groups which provides controls to prioritize based on the type of organization and resources available.
Use case: With ComplyAssistant, you have access to CIS v7.1 custom assessment questions which feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.
Description: The Cybersecurity Maturity Model Certification is designed to review and combine various cybersecurity standards and best practices, and map these controls and processes across several maturity levels that range from basic to advanced cyber hygiene.
Use case: With ComplyAssistant, you have access to CMMC custom assessment questions which feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.
Description: The Cybersecurity Maturity Model Certification is designed to review and combine various cybersecurity standards and best practices, and map these controls and processes across several maturity levels that range from basic to advanced cyber hygiene.
Use case: With ComplyAssistant, you have access to CMMC custom assessment questions which feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.
Description: ATT&CK® for Enterprise is a security framework for describing the actions an adversary may take to compromise and operate within an enterprise network. Organizations can use it to expand their understanding of adversary behavior and assist with prioritizing network defense by detailing the tactics, techniques, and procedures cyber threats use to gain access and execute their objectives while operating inside a network.
Use case: With ComplyAssistant, you can scope the Mitre Enterprise framework for your organization within our Regulation Management module.
- Organize tactics, techniques and mitigation strategies.
- Document current processes, controls, gaps, future plans, compliance levels and risk levels.
- Create follow-up tasks.
Description: The Mitre PRE-ATT&CK framework includes 15 tactic categories designed to prevent an attack before it happens. The framework helps users anticipate attacks by understanding the tactics, statistics and patterns that adversaries use to select targets and launch attacks.
Use case: With ComplyAssistant, you can scope the Mitre PRE-ATT&CK framework for your organization within our Regulation Management module.
- Organize tactics and techniques.
- Document current processes, controls, gaps, future plans, compliance levels and risk levels.
- Create follow-up tasks.
Description: SOC 2 is an auditing procedure that ensures service providers securely manage data to protect data and privacy. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider. SOC 2 defines criteria for managing data based on five principles—security, availability, processing integrity, confidentiality and privacy.
Use case: With ComplyAssistant, you have access to SOC 2 assessment questions which feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.
Description: NIST Special Publication 800-171A, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is an assessment process designed to help organizations gather information and produce evidence to determine the effectiveness of security safeguards intended to comply with NIST Special Publication 800-171, which will allow an organization to:
- Identify potential problems or shortfalls in its security and risk management program;
- Identify security weaknesses and deficiencies in its systems and environments;
- Prioritize risk mitigation decisions and activities;
- Confirm that security weaknesses and deficiencies have been addressed; and
- Support continuous monitoring activities and provide information security situational awareness.
Use case: With ComplyAssistant, you have access to NIST 800-171A (DFARS) assessment questions which feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.
Description: NIST Special Publication 800-171 Revision 2 provides federal agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when:
- The CUI is resident in a nonfederal system and organization;
- When the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency;
- There are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry.
The requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.
Use case: With ComplyAssistant, you have access to assessment questions that feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.
Description: NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations are part of a series that provides a comprehensive set of security controls, security control baselines and guidance for tailoring the appropriate baseline to specific needs according to the organization's missions, environments of operation and technologies used.
Revision 4 includes updates based on the evolving technology and threat space (e.g., mobile and cloud computing; insider threats; applications security). Revision 4 also contains a new appendix of privacy controls and related implementation guidance for protocols that affect individual privacy.
Use case: With ComplyAssistant, you have access to assessment questions that feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks. A CSET questionnaire is also available within our application.
Description: The NIST Privacy Framework (version 1.0) is a voluntary framework, intended for use by any size or type organization. Using a common approach, the Privacy Framework’s purpose is to help organizations manage privacy risks by:
- Considering privacy as they design and deploy systems, products and services;
- Communicating about their privacy practices; and
- Encouraging cross-organizational workforce collaboration.
The Privacy Framework is composed of three parts: Core, Profiles, and Implementation Tiers. Each component reinforces how organizations manage privacy risk through the connection between business or mission drivers, organizational roles and responsibilities and privacy protection activities.
Use case: With ComplyAssistant, you have access to assessment questions that feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.
Description: The Office of Inspector General has developed a series of voluntary compliance program guidance documents for healthcare facilities such as hospitals, nursing homes, third-party billers and durable medical equipment suppliers, to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations and program requirements.
OIG’s Resource Guide was published to help ensure healthcare organizations include all elements in a compliance program, including:
- Standards, Policies, and Procedures
- Compliance Program Administration
- Screening and Evaluation of Employees, Physicians, Vendors and other Agents
- Communication, Education, and Training on Compliance Issues
- Monitoring, Auditing, and Internal Reporting Systems
- Discipline for Noncompliance
- Investigations and Remedial Measures
Use case: With ComplyAssistant, you have access to assessment questions that feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.
Description: Applicable to financial services companies in the state of New York, 23 NYCRR Part 500 is a regulation designed to promote the protection of customer information and information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.
Use case: With ComplyAssistant, you have access to assessment questions that feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.
Need Help Deciding Which Security Framework Is Best For Your Organization?
Want more info? Check out our Guide to the NIST Cybersecurity Framework, and our blog on how healthcare organizations can use both HIPAA and the NIST Cybersecurity Framework.
