Compliance Frameworks

oak9 incorporates your compliance and regulatory requirements to provide security design guidance for your application. We have out-of-the box support for a number of industry standards, compliance frameworks and regulatory requirements that you want your application to adhere to.
​
Selecting your compliance frameworks is an important step in ensuring that oak9 understands the regulatory and compliance needs of your application. If your organization provides services within a unique regulatory environment, this will drive unique security requirements that oak9 will ensure your application addresses. Some compliance frameworks have different levels of rigor (e.g., NIST SP 800-53 has High, Medium and Low levels; HITRUST has increasing levels of rigor from 1-3). oak9 will ensure that your application architecture aligns with the security requirements of a given industry standard or compliance framework to satisfy the level of security rigor required.
Another advantage of selecting the applicable compliance frameworks is that oak9 will provide visibility into how your application architecture is fulfilling your compliance frameworks. Design gaps will be mapped to selected compliance frameworks along with oak9’s technical security requirements. Oak9 can generate reports for auditors and compliance professionals to provide real time compliance and security information about your application.
Compliance frameworks supported by oak9:
Compliance Framework
Summary
1 TAC
Title 1, Part 10, Chapter 202 of the Texas Administrative Code sets information security standards for Texas state agencies and certain vendors.
201 CMR 17
Title 201, Section 17 of the Code of Massachusetts Regulations is a state regulation setting minimum standards for the protection of Massachusetts residents' personal information.
23 NY CRR
Title 23, Chapter I, Part 500 of the New York Codes, Rules and Regulations is a state regulation setting information security requirements for most banks, insurance companies, and financial institutions that operate in New York.
AWS FTR
The AWS Foundational Technical Review (FTR) helps you identify AWS Well-Architected best practices specific to your software or solution.
Azure Benchmarks
The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure.
CSA CCM
The Cloud Security Alliance Cloud Controls Matrix is a cloud focused control framework that provides guidance for security and privacy.
CIS Control v8
The CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks.
GDPR
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union. Since the Regulation applies regardless of where websites are based, it must be implemented by all sites that have European visitors, even if they don't specifically market goods or services to EU residents.
FCA
SYSC, Chapter 13.7 of the UK Financial Conduct Authority’s Handbook of Rules and Guidance is a regulation that sets information security requirements for financial services firms and markets that operate in the UK.
HIPAA/HITECH
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates industry-wide standards for health care information on electronic billing and other processes and requires the protection and confidential handling of protected health information. The HITECH Act, published in 2013, made several changes to HIPAA and introduced new requirements for HIPAA-covered entities with notable changes for business associates.
HITRUST
HITRUST CSF (“Common Security Framework”) is provides a prescriptive set of controls that meet the requirements of multiple regulations and standards. It leverages internationally accepted standards and regulations such as GDPR, ISO, NIST, PCI, and HIPAA to create a comprehensive set of baseline security and privacy controls. HITRUST customizes security control requirements based on organization type, size, infrastructure, and requirements. In v9.* HITRUST is looking to gain wider adoption by supporting security and privacy standards outside of healthcare.
ISO 27001
ISO 27001 is an international standard that helps organizations manage the security of their information assets. It provides a management framework for implementing an information security management system to ensure the confidentiality, integrity, and availability of all corporate data such as financial information, intellectual property, employee details or information managed by third parties.
MITRE ATT&CK
The MITRE ATT&CK framework models the behaviors and techniques known as TTPs (Tactics, Techniques, and Procedures) of the real-life adversaries and how to detect and mitigate these attacks.
NIST 800-53 R4
This framework provides a catalog of security and privacy controls primarily geared towards government and critical infrastructure. NIST SP 800-53 Revision 4 has since been superseded by Revision 5. The controls address a diverse set of security and privacy requirements, derived from legislation, executive orders, policies, directives, regulations, standards, and/or mission/business needs.
NIST 800-53 R5
This framework provides a catalog of security and privacy controls primarily geared towards government and critical infrastructure.The controls address a diverse set of security and privacy requirements, derived from legislation, executive orders, policies, directives, regulations, standards, and/or mission/business needs.
NIST CSF
The NIST Cybersecurity Framework is a voluntary set of guidelines to help organizations manage and reduce cybersecurity risk.
NRS 603A
Chapter 603A of the Nevada Revised Statutes is a state law setting minimum standards for the protection of Nevada residents' personal information.
PCI DSS
The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major card providers. The standard was created to increase controls around cardholder data to reduce credit card fraud.
SCIDSA
The South Carolina Insurance Data Security Act sets information security requirements for insurance industry-related businesses operating in South Carolina.
SOC2
System and Organization Controls 2 provides guidance to organizations by ensuring their internal security practices meet industry standards for security, privacy, availability, processing integrity, and confidentiality.

Last modified 4mo ago

Compliance Framework	Summary
1 TAC	Title 1, Part 10, Chapter 202 of the Texas Administrative Code sets information security standards for Texas state agencies and certain vendors.
201 CMR 17	Title 201, Section 17 of the Code of Massachusetts Regulations is a state regulation setting minimum standards for the protection of Massachusetts residents' personal information.
23 NY CRR	Title 23, Chapter I, Part 500 of the New York Codes, Rules and Regulations is a state regulation setting information security requirements for most banks, insurance companies, and financial institutions that operate in New York.
AWS FTR	The AWS Foundational Technical Review (FTR) helps you identify AWS Well-Architected best practices specific to your software or solution.
Azure Benchmarks	The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure.
CSA CCM	The Cloud Security Alliance Cloud Controls Matrix is a cloud focused control framework that provides guidance for security and privacy.
CIS Control v8	The CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks.
GDPR	The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union. Since the Regulation applies regardless of where websites are based, it must be implemented by all sites that have European visitors, even if they don't specifically market goods or services to EU residents.
FCA	SYSC, Chapter 13.7 of the UK Financial Conduct Authority’s Handbook of Rules and Guidance is a regulation that sets information security requirements for financial services firms and markets that operate in the UK.
HIPAA/HITECH	The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates industry-wide standards for health care information on electronic billing and other processes and requires the protection and confidential handling of protected health information. The HITECH Act, published in 2013, made several changes to HIPAA and introduced new requirements for HIPAA-covered entities with notable changes for business associates.
HITRUST	HITRUST CSF (“Common Security Framework”) is provides a prescriptive set of controls that meet the requirements of multiple regulations and standards. It leverages internationally accepted standards and regulations such as GDPR, ISO, NIST, PCI, and HIPAA to create a comprehensive set of baseline security and privacy controls. HITRUST customizes security control requirements based on organization type, size, infrastructure, and requirements. In v9.* HITRUST is looking to gain wider adoption by supporting security and privacy standards outside of healthcare.
ISO 27001	ISO 27001 is an international standard that helps organizations manage the security of their information assets. It provides a management framework for implementing an information security management system to ensure the confidentiality, integrity, and availability of all corporate data such as financial information, intellectual property, employee details or information managed by third parties.
MITRE ATT&CK	The MITRE ATT&CK framework models the behaviors and techniques known as TTPs (Tactics, Techniques, and Procedures) of the real-life adversaries and how to detect and mitigate these attacks.
NIST 800-53 R4	This framework provides a catalog of security and privacy controls primarily geared towards government and critical infrastructure. NIST SP 800-53 Revision 4 has since been superseded by Revision 5. The controls address a diverse set of security and privacy requirements, derived from legislation, executive orders, policies, directives, regulations, standards, and/or mission/business needs.
NIST 800-53 R5	This framework provides a catalog of security and privacy controls primarily geared towards government and critical infrastructure.The controls address a diverse set of security and privacy requirements, derived from legislation, executive orders, policies, directives, regulations, standards, and/or mission/business needs.
NIST CSF	The NIST Cybersecurity Framework is a voluntary set of guidelines to help organizations manage and reduce cybersecurity risk.
NRS 603A	Chapter 603A of the Nevada Revised Statutes is a state law setting minimum standards for the protection of Nevada residents' personal information.
PCI DSS	The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major card providers. The standard was created to increase controls around cardholder data to reduce credit card fraud.
SCIDSA	The South Carolina Insurance Data Security Act sets information security requirements for insurance industry-related businesses operating in South Carolina.
SOC2	System and Organization Controls 2 provides guidance to organizations by ensuring their internal security practices meet industry standards for security, privacy, availability, processing integrity, and confidentiality.