ZenGRC comes with the content you need to be compliant.

ZenGRC can support any framework and provides content for over 30 various standard and regulations. Using our pre-loaded content not only saves you time but also helps you quickly identify gaps and overlaps of running multiple programs at the same time.  If you need to comply with a standard or regulation that is not listed here, it can be easily loaded into ZenGRC and managed through the application like the frameworks below.

Framework
Useful Links
Contact Us
Use Case / Description
CJIS Official Policy Page Get help with CJIS The Criminal Justice Information Services (CJIS) Security Policy provides requirements for criminal justice and associated agencies to use when accessing Criminal Justice Information (CJI). This Policy is also applicable to service providers who process CJI on behalf of criminal justice agencies.

The policy prescribes safeguards that must be in place to secure CJI at rest and in transit. The policy integrates guidance from NIST with presidential and FBI directives, along with federal law and is audited periodically by the FBI for compliance. Failure to adhere to the policy may result in sanctions against non-compliant agencies.

COBIT 5 General Info Get help with COBIT v5 COBIT v5 (Control Objectives for Information and Related Technologies) is a framework created by international professional association ISACA for IT management and governance. It is generic and useful for enterprises of all sizes and across sectors, including commercial, not-for-profit, and the public sector. The framework incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems. It is meant to be a supportive tool for managers to bridge gaps among technical issues, business risks and control requirements.
COSO 2013 Internal Control–Integrated Framework General Info Get help with COSO The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides non-prescriptive guidance on internal controls, enterprise risk management, and fraud deterrence. COSO 2013 Integrated Control-Integrated Framework is recognized as leading guidance for designing and implementing internal controls and assessing their effectiveness.

This framework is commonly used as basis for management's evaluation of its internal controls over financial reporting for compliance with the Sarbanes-Oxley Act of 2002 ("SOX").

CSA Cloud Controls Matrix General Info Get help with CSA CCM

The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains.

CSC-CIS/SANS 20 CIS General Info Page

SANS General Info Page

Get help with CSC-CIS/SANS 20 Sponsored by the Center for Internet Security (CIS) and the SANS Institute, the CIS Critical Security Controls (CSC) is a prioritized list of recommended controls for cyber defense based on collective best practices and real-world risks, threats, and responses.
EU/US Privacy Shield
(EU GDPR)
General Info Get help with Privacy Shield / EU GDPR Taken from the International Trade Associate Privacy Shield site:
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.The Privacy Shield program enables U.S.-based organizations to join one or both of the Privacy Shield Frameworks in order to benefit from the adequacy determinations. To join either Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce (via this website) and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. All organizations interested in self-certifying to the EU-U.S. Privacy Shield Framework or Swiss-U.S. Privacy Shield Framework should review the requirements in their entirety.
FedRAMP Low / Moderate / High General Info

Official templates

Official documentation

System classification information (FIPS 199)

Reciprocity Best Practices Wiki

Get help with FedRAMP From www.fedramp.gov: "The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a 'do once, use many times' framework..." FedRAMP offers significant cost savings for US Federal Government agencies when using and securing of cloud services, and supports the compliance requirements in the Federal Information Security Management Act (FISMA).

  • The Low/Moderate baselines are appropriate for systems with public or sensitive information, where a breach or loss of availability would have a limited, non-catastrophic impact.
  • The High baseline is appropriate for systems with highly sensitive information, where a breach or loss of availability would have a severe and/or catastrophic impact.
HIPAA HIPAA for Professionals

Covered Entities and Business Associates

Reciprocity Best Practices Wiki

Get help with HIPAA The Health Insurance Portability and Accountability act (HIPAA) defines rules for the security and privacy of healthcare information, called Protected/Personal Health Information (PHI). The US Department of Health & Human Services (HHS) is responsible for enforcement.

You may be subject to HIPAA if you are a:

  • Covered Entity: a business that generates or processes PHI
  • Business Associate: a business supporting a Covered Entity
HITRUST CSF HITRUST CSF License

CSF Assessment Guide

SOC 2 for HITRUST

Get help with HITRUST CSF The Health Information Trust Alliance (HITRUST Alliance) publishes a Common Security Framework (CSF). The HITRUST CSF is designed to provide healthcare organizations with a consolidated approach to a variety of federal, state, and industry regulations governing their operations. The CSF harmonizes these regulatory frameworks and provides cross references to a variety of other frameworks, including ISO 27001, NIST, and PCI-DSS.

HITRUST also publishes guides for assessment against the framework, including cross references needed to assess compliance as part of a SOC 2 audit.

Note: Reciprocity can not provide the HITRUST CSF unless a customer is already a licensee. The framework is free, and available for download from the HITRUST License website (linked at Right).

ISO 27001 Appendix A with guidance from ISO 27002

 

ISO 27000 Family of Standards

ISO 27001 Wikipedia entry

ISO Store

Reciprocity Best Practices Wiki

Get help with ISO 27001 Appendix A The ISO/IEC 27000 family of standards helps organizations keep information assets secure.

ISO IEC 27001:2013 includes Annex A, which lists illustrative information security control objectives and information security controls. It is taken directly from ISO IEC 27002 2013 sections 5 to 18, which provides additional guidance on the implementation, operation, and maintenance of security controls. However, using this framework in not obligatory in order to be ISO 27001 certified.

ISO IEC 27001:2013 section 6.1.3 enables organizations to use Annex A, and/or any other suitable resources, to "produce a Statement of Applicability that contains the necessary controls".

ISO 27001/2, 27017, 27018 ISO 27000 Family of Standards

ISO 27000 Family Wikipedia entry

ISO Store

Reciprocity Best Practices Wiki

Get help with ISO 27001, 2, 17, 18 The ISO/IEC 27000 family of standards helps organizations keep information assets secure.

Within the ISO 27000 family of standards there are a variety of frameworks which focus on specific areas of information security.

  • 27001:2013 is the best-known standard in the family providing requirements for an information security management system (ISMS).
  • 27002:2013 contains guidelines for organizational information security standards and information security management practices. This includes the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).
  • 27017:2015 provides guidance for information security controls applicable to the provision and use of cloud services
  • 27018:2014 establishes control objectives, controls and guidelines for protecting Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment
NIST CSF NIST CSF Page

NIST CSF Reference Tool (desktop app)

In response to Executive Order 13636, “Improving Critical Infrastructure Cybersecurity," the National Institute of Standards and Technology (NIST) published the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework or CSF). The CSF is designed to drive an organization's cybersecurity efforts through a risk-based management process. It contains a set of requirements hierarchically structured into Functions, Categories, and Subcategories, as well as Informative References which point to other security frameworks such as ISO 27001, NIST SP 800-53, and COBIT.

The overall framework is structured into three parts:

  1. The Framework Core: A set of cybersecurity requirements, desired outcomes, and the Informative References which guide implementation of security controls framework.
  2. Implementation Tiers: Describe a level of achievement in an organization's approach to cybersecurity risk assessment and management, representing maturation from informal, reactive processes to risk-driven proactive ones. They range from Partial (Tier 1) to Adaptive (Tier 4).
  3. Framework Profile: Represents the state of an organization's cybersecurity efforts based on analysis against the Framework Categories and Subcategories. A Current Profile is created to judge the organizations as-is state, and a Target Profile is created to identify gaps, opportunites, and the desired outcome of cybersecurity improvement efforts.
NIST SP 800-53 rev4 NIST SP 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

NIST SP 800-53A - Assessing Security and Privacy Controls in Federal Information Systems and Organizations

FIPS 199 - Standards for Security Categorization of Federal Information and Information Systems

FIPS 200 - Minimum Security Requirements for Federal Information and Information Systems

Reciprocity Best Practices Wiki

Get help with NIST SP 800-53 The Federal Information Security Modernization Act (FISMA) requires civilian agencies of the US Federal Government to report on the security posture of their information systems. Businesses supporting these government agencies may also be required to implement such controls, if they interconnect with or operate systems on behalf of the government.

There are a variety of documents which guide the implementation and management of security controls for such systems, including the Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology Special Publications (NIST SP).

  • FIPS 199 & 200: Describes the security categorization of systems and controls needed based on that categorization
  • NIST SP 800-53: The catalog of controls to choose from

NIST SP 800-53 has three risk-based baselines for controls: Low, Moderate, and High. Higher-risk systems require more controls, while lower-risk systems require less stringent levels of protection.

PCI-DSS v3.2 PCI-DSS Overview

PCI-DSS Document Download

Get help with PCI-DSS v3.2 The Payment Card Industry Data Security Standard (PCI-DSS) was created by the major credit card brands in 2004 to encourage and enhance the security of credit card data.  The use of the DSS, which is a prescriptive set of requirements for securing credit card data at rest and in transit, is mandated by the major card brands and is required of all organizations accepting credit card payment transactions, known as merchants.

Merchants are assigned levels based on the number of transactions they process of various brands per year.  These levels determine the type of annual compliance assessment that the merchant must perform, either a self-assessment or one by a third-party Qualified Security Assessor (QSA).  Failure to comply with the PCI-DSS may result in fines from credit card acquirers or even loss of the ability to accept credit card transactions.  The DSS and associated standards are managed by the PCI Security Standards Council and regularly updated as new threats emerge.

Reciprocity Consolidated Objectives Get help with Reciprocity Consolidated Objectives The Reciprocity Consolidated Objectives provides mappings between common objectives across our most commonly used frameworks. These mappings provide a foundation on which to build a consolidated list of controls with the goal of reducing redundancy in your compliance program.

Frameworks included in the Reciprocity Consolidated Objectives include NIST800-53/FedRAMP, HIPAA, ISO27001, PCI DSS, SOC2, and the CSC-CIS/SANS Top 20.

SOC 1 / SSAE 16 / ISAE 3402 SOC 1 Information Page

Wikipedia SOC Entry

Get help with SOC 1 From AICPA.org:

These reports, prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of the managements of user entities and the user entities’ auditors, as they evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions. These reports are important components of user entities’ evaluation of their internal controls over financial reporting for purposes of comply with laws and regulations such as the Sarbanes-Oxley Act and the user entities’ auditors as they plan and perform audits of the user entities’ financial statements. There are two types of reports for these engagements:

  • Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
  • Type 2 - report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

The use of these reports are restricted to the management of the service organization, user entities of the service organization and user auditors.

SOC 2 / SOC 3 SOC 2 Information Page

Wikipedia SOC Entry

Get help with SOC 2
SOC2 is intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. Examples of stakeholders who may need these reports are: management or those charged with governance of the user entities and of the service organization, customers of the service organization, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls.
SOX SOX Law

SEC About Page for SOX

SEC Small Business Page for SOX

PCAOB

Get help with SOX Publicly traded U.S. corporations must maintain compliance with provisions of the Sarbanes-Oxley Act of 2002 (SOX). The U.S. Securities and Exchange Commission (SEC) enforces this law directly and through oversight of the Public Company Accounting Oversight Board (PCAOB). Companies subject to SOX must establish and evaluate internal controls in accordance with other established controls frameworks such as COSO and COBIT.

While there are high-level requirements, SOX is not prescriptive regarding the scope and approach to conducting a SOX assessment of internal controls. Corporate management establishes the design and evaluates the effectiveness of internal controls, which are also assessed externally by public accounting firms.