Regulatory Compliance

Achieving compliance within a regulatory framework is an ongoing process. Your environment is always changing, and a control that was designed correctly can stop operating effectively. Regular monitoring and reporting are a must, and each framework outlines what “regular monitoring” means for its controls.

Here are some of the regulatory frameworks you might come across:

Sarbanes-Oxley (SOX)
Why does it exist? The Sarbanes-Oxley Act of 2002 was passed to counteract financial fraud after accounting scandals at Enron, WorldCom, and Tyco damaged investor trust. It requires internal controls over financial reporting, which in practice includes the IT general controls (access, change management, and operations) over the systems that feed the financial statements. These controls are mandatory for public companies.
What types of organizations leverage this framework? Public companies, or companies eyeing a potential initial public offering (IPO).

Payment Card Industry Data Security Standard (PCI DSS)
Why does it exist? PCI DSS exists to protect cardholder data. It is maintained by the PCI Security Standards Council, and compliance is mandatory for any organization that stores, processes, or transmits payment card data. The standard defines compliance levels for merchants and for service providers based on annual transaction volume, and your level determines how compliance must be validated: a self-assessment questionnaire at the lower levels, and an annual on-site assessment by a Qualified Security Assessor at the highest level. Organizations handling the largest volumes, such as large merchants, processors, and service providers, are therefore held to the most rigorous validation requirements.
What types of organizations leverage this framework? Merchants, payment card-issuing banks, processors, developers, and other vendors.

NIST (National Institute of Standards and Technology)
Why does it exist? Unlike SOX, NIST is not a single set of controls. NIST is a federal agency within the US Department of Commerce whose work spans manufacturing, measurement and quality, and security, among other areas. Working with security industry experts, other government agencies, and academics, it developed the Cybersecurity Framework (CSF) to help operators of critical infrastructure manage cybersecurity risk, and it also publishes the Special Publication 800 series, including the SP 800-53 catalog of security and privacy controls. Today, many organizations leverage NIST guidance to manage and reduce risks that could impact their environment and their customers. For private-sector organizations NIST guidance is voluntary, though customers may require that certain controls be in place before they will partner with you; US federal agencies, by contrast, are required to follow NIST standards under FISMA.
What type of organizations leverage this framework? This is generally leveraged by large business enterprises and government agencies, but it can be a helpful framework for any organization interested in evaluating and reducing cyber risk.

SSAE-16 / SOC 1
Why does it exist? Statement on Standards for Attestation Engagements No. 16 (SSAE-16) is the auditing standard under which an independent auditor attests to the controls at a service organization that affect its customers’ financial reporting. It covers business process controls and the IT general controls over the applications and application infrastructure involved. Service Organization Controls (SOC) 1 reports, which replaced SAS 70 reports, are issued under SSAE-16. Note that SSAE-16 was superseded by SSAE 18 in 2017; SOC 1 reports are now issued under that standard.
What type of organizations leverage this framework? Service organizations whose services can affect their customers’ financial statements, such as companies that provide applications used to process financial information.

SOC 2
Why does it exist? SOC 2 reports were issued under the AT-101 attestation standard (since superseded by SSAE 18). A SOC 2 report tests either the design of controls at a point in time (Type I) or their design and operating effectiveness over a period (Type II) for security, availability, processing integrity, confidentiality, and/or privacy. Every SOC 2 report must cover security, the common criteria; availability, processing integrity, confidentiality, and privacy are optional categories a company includes if those controls are integral to providing its service. The criteria a SOC 2 report is measured against are the Trust Services Principles (now called the Trust Services Criteria), which map to the control categories listed above.
What type of organizations leverage this framework? Service organizations such as SaaS providers, hosting and data center providers, and managed service providers, whose customers want independent assurance over how their data is handled.

FedRAMP (Federal Risk and Authorization Management Program)
Why does it exist? FedRAMP is a standardized way for US federal agencies to assess, authorize, and continuously monitor cloud services. Its security requirements are the NIST SP 800-53 control baselines at the Low, Moderate, and High impact levels. It follows a “do it once, use it many times” approach: an assessment package and authorization produced once can be reused across multiple agencies. Because continuous monitoring of cloud products and services is at the core of the program, it can also improve ongoing security visibility for the provider and for the agencies that use its services.
What type of organizations leverage this framework? Cloud service providers interested in selling to federal government agencies go through the FedRAMP authorization process to obtain an authorization to operate (ATO).

ISO (International Organization for Standardization)
Why does it exist? ISO publishes an international suite of standards. Different families of standards within ISO serve different goals, and which one is most relevant depends on your organization and industry. For example, a manufacturing organization would be likely to leverage the ISO 9000 family (ISO 9001 is the certifiable standard), because its requirements focus on quality management. An organization looking to build or improve an information security management system (ISMS) would derive more helpful guidance from the ISO/IEC 27000 family, in which ISO/IEC 27001 sets out the certifiable ISMS requirements and ISO/IEC 27002 provides the supporting control guidance. For more on the ISO standards and which ones are most relevant to your organization, visit
What types of organizations leverage this framework? Any organization, whether public or private, could use this framework to improve and report on quality management and security.

Privacy Shield (replaced US-EU Safe Harbor)
Why does it exist? US-EU Safe Harbor was created so that US companies could receive personal data from the EU while meeting EU data protection standards. The Court of Justice of the European Union invalidated it in October 2015 (the Schrems case), in a challenge brought in the wake of Edward Snowden’s disclosures about NSA surveillance. The Privacy Shield Framework was put in place to replace it. Its purpose is not to protect data from tampering in transit but to ensure that personal data about EU residents receives adequate protection once it reaches the US, consistent with EU privacy law; this allows a freer exchange of data, which is good for commerce. Note that the CJEU invalidated Privacy Shield as well in July 2020 (Schrems II); organizations now rely on the EU-US Data Privacy Framework adopted in 2023 or on other transfer mechanisms such as Standard Contractual Clauses.
What type of organizations leverage this framework? Organizations transferring personal data from the EU to the US for collection, storage, or processing. US companies self-certify to the US Department of Commerce that they will comply with the framework’s principles in order to receive European personal data.

HIPAA/HITECH
Why does it exist? The Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the HITECH Act of 2009 set privacy and security requirements for Protected Health Information (PHI); HITECH strengthened HIPAA enforcement and added breach notification requirements. The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic PHI.
What type of organizations leverage this framework? Covered entities that collect, store, or process PHI, including hospitals, medical providers, health plans, and insurance companies, as well as the business associates that handle PHI on their behalf.

These are only some of the compliance and regulatory frameworks your organization may need to adhere to. Achieving compliance will be an ongoing process, but regular monitoring and reporting can help make adhering to these frameworks (and maintaining a secure environment) a standard part of business operations.