Compliance

Free Compliance Assessment Tools

Use these spreadsheet-based assessment tools to map your security controls across a wide-range of specific regulations and industry standards and track your compliance progress.

Common Regulations and Standards

The Payment Card Industry Security Standards Council is a global forum, launched in 2006 that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI-DSS) for merchants. If your business takes credit/debit card payments, this international standard applies to you and you may be subject to fines and penalties up to $100,000/month and the revocation of your merchant ID for non-compliance.


The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law intended to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs. HIPAA consists of a "privacy" and "security" rule and was later updated under the "HITECH" portion of the American Recovery and Reinvestment Act (ARRA) and later in the Omnibus Rule of 2013.



The Federal Information Security Modernization Act (FISMA) of 2014 updates the Federal Government's cybersecurity practices by establishing the Department of Homeland Security’s role in administering the implementation of information security policies for all federal agencies, overseeing their compliance, and assisting the Office of Management and Budget (OMB) in developing those policies. Compliance requirements also include private contractors who build or maintain information systems in support of federal agencies.


The Gramm-Leach-Bliley Act (GLBA) requires financial institutions (companies that offer consumers financial products or services like loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission issued guidance on how to comply in 2002.

The Federal Financial Institutions Examination Council's (FFIEC) is responsible for establishing standards for the federal examination of financial institutions, and publishes their "Information Security Booklet", which is used to audit against such compliance.


The General Data Protection Regulation (GDPR) was drafted and passed by the European Union (EU), to impose strict rules on those hosting and processing data related to EU citizens anywhere in the world. The regulation was put into effect on May 25, 2018 and levies hefty fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.


The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP compliance is required for vendors who offer cloud services in support of Federal Agencies.


The International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 standard is intended to help any type of organization better protect their sensitive information. Certification against this international standard is often stipulated as a contractual requirement for service providers.



Named after its' sponsors (U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley), the Sarbanes-Oxley (SOX) Act of 2002 establishes financial accountability requirements for all U.S. publicly-traded company boards, management and public accounting firms. A number of provisions of the Act also apply to privately held companies, such as the willful destruction of evidence to impede a federal investigation.




Email Post