Frameworks Glossary

Prudential Standard CPS 234 is a regulatory framework established by the Australian Prudential Regulation Authority (APRA) to enhance cybersecurity in the financial services industry.

Developed and recommended by the Australian Cyber Security Centre (ACSC), the Essential Eight framework offers a foundational set of mitigation strategies designed to prevent malware attacks, unauthorized access, and data exfiltration.

The Privacy Act promotes and protects the privacy of individuals in Australia. It regulates the handling of personal information by organizations in the federal public sector and in the private sector.

The BSI IT-Grundschutz offers a systematic approach to information security management, providing both methodology and a catalog of security measures tailored to different aspects of IT environments.

The Building Security In Maturity Model (BSIMM) is a data-driven model that provides an in-depth view of software security initiatives. BSIMM is not a standard or a checklist but rather a reflection of current practices observed in real-world software security programs. By assessing the software security initiatives of multiple organizations, BSIMM offers a benchmark for comparing and guiding software security practices.

The COSO Enterprise Risk Management (ERM) Framework, often just referred to as COSO ERM, is a widely accepted and utilized framework for designing, implementing, conducting, and improving enterprise risk management in organizations. It aligns risk management with business strategy, driving performance.

The COSO Internal Control Framework, often referred to simply as COSO, is a widely recognized framework designed to enhance an organization's ability to achieve its objectives through the effective application of internal controls. This framework provides guidance for organizations in designing and evaluating the effectiveness of internal control systems.

The Center for Internet Security (CIS) Controls and CIS Benchmarks are a set of best practices designed to help organizations bolster their security posture. These controls, which have been developed by a community of IT experts, focus on a series of prioritized actions that form the foundation of any good cybersecurity program, assisting organizations in safeguarding their systems and data against the most pervasive cyber threats.

The Cloud Security Alliance (CSA) is a non-profit organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. Through its various initiatives, research projects, and working groups, CSA provides comprehensive guidance to businesses and individuals leveraging cloud services.

Control Objectives for Information and Related Technologies (COBIT) is a comprehensive framework designed for the development, implementation, monitoring, and improvement of IT governance and management practices. It provides an end-to-end business perspective for IT governance that links business goals to IT goals.

The Criminal Justice Information Services (CJIS) Security Policy is a set of stringent standards that govern the creation, viewing, modification, transmission, dissemination, storage, and destruction of Criminal Justice Information (CJI). These standards ensure that CJI remains available, confidential, and integral. Secureframe supports out-of-the-box compliance with CJIS Security Policy requirements.

Critical Information Infrastructure Protection (CIIP) pertains to measures, strategies, and activities aimed at ensuring the security, reliability, and resilience of critical information infrastructures. These infrastructures, often regarded as the backbone of nations' essential services and functions, require special protection from various cyber threats to ensure societal and economic well-being.

Cyber Essentials is a UK government-backed scheme aimed at helping organizations protect themselves against common cyber threats. It offers a set of basic technical controls that organizations can implement to significantly reduce their vulnerability to cyberattacks. Secureframe fully supports Cyber Essentials compliance, out-of-the-box.

The Cybersecurity Capability Maturity Model (C2M2) is a framework designed to assess and enhance the cybersecurity capabilities of organizations. Its focus is on the implementation and management of cybersecurity practices associated with information technology (IT), operations technology (OT), and information assets and environments.

CMMC is a framework introduced by the United States Department of Defense (DoD). It is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB), which consists of over 300,000 companies in the supply chain for the DoD.

The Transportation Systems Sector (TSS) represents a vast, interconnected, and complex network of systems and assets that facilitate movement of passengers and cargo. Recognizing the critical nature of this sector in the country's daily operations and economy, the Cybersecurity and Infrastructure Security Agency (CISA) has designated the TSS as one of the nation's critical infrastructure sectors.

The Data Protection Act 2018(DPA) provides individuals with rights regarding their personal information and also establishes requirements that the government and organizations must follow when collecting and processing this data.

The Network and Information Security Directive, which entered into force in 2016, requires EU Member States to develop and adopt a national cybersecurity strategy (NCSS) to meet current and emerging cybersecurity threats. To support the efforts of these member states, the European Union Agency for Cybersecurity (ENISA) provides guidelines on how to develop, implement and update a NCSS.

ETSI EN 303 645 is a cybersecurity standard that establishes a security baseline for internet-connected consumer products and provides the foundation for future IoT certification schemes. Developed by the European Telecommunications Standards Institute (ETSI), this standard aims to address widespread concerns about the security of Internet of Things (IoT) devices.

ETSI's Industry Specification Group on Securing Artificial Intelligence (ISG SAI) focuses on securing AI from both a usage and an adversarial perspective, aiming to build a standardized foundation for robust and secure AI deployments.

The ETSI MEC (European Telecommunications Standards Institute Mobile Edge Computing) framework is a standardization framework that enables IT service environment capabilities at the edge of mobile networks. This framework aims to bring cloud-computing capabilities into the Radio Access Network (RAN) and enable efficient deployment of new applications and services.

ETSI NFV (Network Functions Virtualization) is a conceptual framework proposed by the European Telecommunications Standards Institute. It aims to transform the way network services are deployed on telecommunication networks by utilizing standard IT virtualization technology.

ETSI's work in quantum-safe cryptography involves researching and developing standards that are resistant to the potential cryptographic threats posed by quantum computing. This field of cryptography focuses on creating algorithms and protocols that would remain secure even in the era of quantum computers, which could potentially break many of the cryptographic systems currently in use.

ETSI TC Cyber is a Technical Committee within the European Telecommunications Standards Institute (ETSI) that focuses on standardization in the area of cybersecurity. Its work involves developing standards, technical specifications, and reports to ensure high levels of security for Information and Communication Technology (ICT) services, equipment, and infrastructures.

ETSI TS 103 645 is a European Standard (Telecommunications Standardization Sector) that provides a set of baseline security requirements for consumer Internet of Things (IoT) devices. It is one of the first standards aimed specifically at ensuring a minimum level of security for IoT products intended for consumer use.

The Essential 8 is a set of baseline cybersecurity strategies and controls developed by the Australian Cyber Security Centre (ACSC). It is designed to help organizations protect their systems against a wide range of cyber threats by prioritizing and implementing essential mitigation strategies. Secureframe supports Essential 8 compliance out-of-the-box.

The Federal Information Processing Standards Publication 199 (FIPS 199) is a set of standards for categorizing information and information systems collected or maintained by or on behalf of federal agencies.

The Federal Trade Commission's Standards for Safeguarding Customer Information is a regulatory framework aimed at ensuring the security and confidentiality of customer information held by financial institutions and other entities. Secureframe offers out-of-the-box support for compliance with the FTC Safeguards Rule.

FAIR (Factor Analysis of Information Risk) is a risk management framework specifically designed for understanding, analyzing, and quantifying information risk in financial terms. It is unlike traditional qualitative risk assessment methods and focuses on risk quantification in terms of probable frequency and probable magnitude of future loss.

The Federal Risk and Authorization Management Program (FedRAMP) is designed to promote the adoption of secure cloud services across the federal government. It provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud technologies.

The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats.

HITRUST, which stands for Health Information Trust Alliance, is a privately held company that collaborated with healthcare, technology, and information security leaders to establish the HITRUST Common Security Framework. The HITRUST CSF is a comprehensive and certifiable security framework used by healthcare organizations to efficiently manage regulatory compliance and risk management.

The Information and Communication Technology (ICT) Accessibility 508 Standards and 255 Guidelines are a set of guidelines and requirements established to ensure that the information and communication technology of federal agencies is accessible to individuals with physical, sensory, or cognitive disabilities. These standards are designed to promote inclusivity and equal access to digital information and communication tools, making it possible for all individuals, regardless of their disabilities, to fully participate in the digital world.

The Internet Engineering Task Force (IETF) Best Current Practices (BCP) are a series of documents that capture the consensus of the IETF on a range of technical and organizational matters. They are intended to provide guidance, explanations, and recommendations on best practices to facilitate the smooth operation of the Internet and to inform users and technicians about preferred operational norms.

ISA/IEC 62443 is a series of standards that provide a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACS). These standards have been developed by both the International Electrotechnical Commission (IEC) and the International Society of Automation (ISA).

ISO 13485 is an internationally recognized standard that sets out the requirements for a quality management system specific to the medical devices industry. It is designed to be used by organizations involved in the design, production, installation, and servicing of medical devices and related services.

ISO 14040 is an internationally recognized standard that focuses on the principles and framework for life cycle assessment (LCA) of products and services. This LCA encompasses all stages from raw material extraction through processing, distribution, use, repair, and maintenance, to final disposal or recycling.

ISO 14044 is an internationally accepted standard that elaborates on specific requirements and guidelines for life cycle assessment (LCA) related to the environmental performance of products, taking into account all stages from raw material extraction to final disposal or recycling. It builds on the principles established in ISO 14040.

ISO 20121 is an international standard that specifies requirements of an event sustainability management system to improve the sustainability of events.

ISO 22000 is an international standard for food safety management systems. It provides a comprehensive approach for food producers to identify and control food safety hazards.

ISO/IEC 22301 is an international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving a documented business continuity management system (BCMS). This standard is designed to help organizations protect against, reduce the likelihood of, and ensure their business recovers from disruptive incidents.

ISO 26000 is an international standard developed to provide guidance on social responsibility. It offers organizations a comprehensive framework for understanding and implementing socially responsible practices and principles, fostering sustainability, and contributing positively to society.

ISO 28000 is an international standard that specifies the requirements for a security management system, particularly for the supply chain. It is designed to assist organizations in managing security risks, threats, and vulnerabilities in the supply chain, including logistics.

ISO 31000 is an international standard that provides principles, a framework, and a process for managing risk. It offers guidelines on risk management principles and the implementation of risk management strategies, aiming to help organizations identify, assess, and manage risks across various aspects of their operations.

ISO 37001 is an international standard that specifies the requirements and provides guidance for establishing, implementing, maintaining, reviewing, and improving an anti-bribery management system. This standard is designed to help organizations in the prevention, detection, and response to bribery, fostering a culture of integrity, transparency, and compliance.

ISO 50001 is an international standard that specifies requirements for establishing, implementing, maintaining, and improving an energy management system (EnMS). The standard aims to enable organizations to follow a systematic approach in achieving continual improvement of energy performance, including energy efficiency, use, and consumption.

ISO 8601 is an international standard that specifies the format for representing dates and times. It aims to provide a clear and consistent way to express dates and times across different countries and cultures, avoiding ambiguity and misinterpretation.

ISO 9001 is an internationally recognized quality management framework designed to help organizations consistently meet the needs and expectations of their customers as well as applicable statutory and regulatory requirements, while continuously improving their processes and overall performance. Secureframe supports ISO 9001 out of the box!

ISO/IEC 11179 is an international standard for metadata registries. It provides a framework for the representation of metadata in order to facilitate the correct and proper use and interpretation of data.

ISO/IEC 11801 is an international standard that specifies general-purpose telecommunication cabling systems (structured cabling) that are suitable for a wide range of applications (analog and ISDN telephony, various data communication standards, building control systems, factory automation). It covers both balanced copper cabling and optical fiber cabling.

ISO/IEC 15288 is a globally recognized standard for systems and software engineering. It offers a comprehensive framework for the life cycle processes of systems, which includes both software and hardware components.

ISO/IEC 15408, popularly known as the Common Criteria (CC), is an international standard that provides a framework for evaluating the security properties of Information Technology (IT) products and systems.

ISO/IEC 15415 is an international standard that specifies the quality parameters and methodologies to assess the optical characteristics of two-dimensional (2D) bar code symbols, such as QR codes, Data Matrix, and PDF417.

ISO/IEC 17025 is a global standard for testing and calibration laboratories. It outlines the general requirements for the competence, impartiality, and consistent operation of laboratories.

ISO/IEC 19770 is an international standard that specifies requirements for the establishment, implementation, maintenance, and improvement of an IT asset management system.

ISO/IEC 20000-1 is an international standard that specifies requirements for the establishment, implementation, maintenance, and continuous improvement of a service management system.

ISO/IEC 20243-1, also known as the Open Trusted Technology Provider™ Standard (O-TTPS), is an international standard designed to mitigate the risk of tainted and counterfeit products entering the supply chain. It focuses on the integrity of commercial off-the-shelf (COTS) Information and Communication Technology (ICT) products and provides a set of guidelines for organizational best practices in manufacturing, sourcing, and product integrity.

ISO/IEC 24734 is an international standard that specifies the method for testing and measuring the productivity of digital printing devices, including single-function and multi-function printers, regardless of technology (e.g., inkjet, laser). It provides a set of standardized test documents, test setup procedures, and the reporting requirements for the test results.

ISO/IEC 24748 is a series of international standards providing guidance on life cycle management, including terms and definitions, process, and conceptual models. It is part of the systems and software engineering suite of standards and is closely related to the processes defined in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207.

ISO/IEC 27003 is part of the ISO/IEC 27000 family of standards, which is known for providing best practice recommendations on information security management within an organization. Specifically, ISO/IEC 27003 focuses on the guidelines for implementing an information security management system (ISMS) as outlined in ISO/IEC 27001, providing additional details to assist in the design and implementation process.

ISO/IEC 27004 is an international standard that provides guidelines intended to assist organizations in evaluating the performance and the effectiveness of an Information Security Management System (ISMS) that is implemented based on ISO/IEC 27001. It offers guidance on measurement and evaluation of information security within the organization.

ISO/IEC 27005 is an international standard dedicated to information security risk management. It provides guidelines for information security risk management in an organization, supporting the requirements of an Information Security Management System (ISMS) defined in ISO/IEC 27001.

ISO/IEC 27017 provides guidelines on the information security aspects of cloud computing, recommending information security controls for cloud service providers and customers. It builds on the existing controls in ISO/IEC 27002 with additional implementation guidance specific to cloud services.

ISO/IEC 27018 provides guidelines and controls for protecting personally identifiable information (PII) in the public cloud computing environment. 

ISO/IEC 27037 is an international standard providing guidelines for identifying, collecting, acquiring, and preserving electronic evidence, which is part of the digital evidence recovery process. This framework is crucial for ensuring the integrity and authenticity of digital evidence, which can be used in legal proceedings.

ISO/IEC 27400, titled "Internet of Things (IoT) – Security and privacy for the IoT," is an international standard that provides guidelines for IoT security and privacy, including considerations for the design, development, implementation, and use of IoT systems and services.

ISO/IEC 29147 is an international standard that provides guidelines for vulnerability disclosure processes. It sets out recommendations for how organizations should inform vendors of potential vulnerabilities in their products and how vendors should process and manage these disclosures.

ISO/IEC 30111 is an international standard that outlines the proper handling of potential vulnerability information in products. It provides a framework for how organizations should manage the process of receiving, investigating, and resolving issues regarding vulnerabilities in a product or online service.

ISO/IEC 38500 is an international standard providing a framework for effective corporate governance of information technology (IT). It aims to assist organizations in understanding and fulfilling their legal, regulatory, and ethical obligations concerning their IT use.

ISO/IEC 42001 is a groundbreaking international standard designed to ensure the responsible development, deployment, and management of artificial intelligence (AI) systems. It provides organizations with a comprehensive framework to address the ethical, legal, and operational risks associated with AI, fostering trust and transparency in AI technologies. Secureframe offers out-of-the-box support for ISO 42001 compliance.

The purpose of ISO/IEC/IEEE 29119 is to define an internationally agreed set of standards for software testing that can be used by any organization involved in software development. It covers aspects such as test processes, test documentation, test techniques, and test management, aiming to provide a comprehensive guide for effective and efficient software testing.

ISO/SAE 21434, "Road vehicles — Cybersecurity engineering," is a standard that establishes guidelines and best practices for cybersecurity risk management regarding the engineering of road vehicle systems. It addresses the growing concern for the cybersecurity of vehicles in the context of increasingly connected and automated automotive technology.

Information Technology General Controls (ITGC) are critical controls that support the reliability of systems and information within an organization. They typically encompass a range of policies and procedures that ensure the effective and secure operation of an organization’s IT systems and safeguard data integrity. Secureframe offers out-of-the-box support for compliance with ITGC requirements.

The Internet of Things Security Foundation (IoTSF) Security Compliance Framework is a set of guidelines and best practices aimed at ensuring the secure design, development, and deployment of IoT (Internet of Things) devices and their associated ecosystems.

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It serves as a foundation for the development of specific threat models and methodologies in the private sector, government, and the cybersecurity product and service community.

NIS2 is an updated version of the Network and Information Systems (NIS) Directive, a key piece of European Union (EU) legislation aimed at enhancing cybersecurity across the EU. It establishes measures to achieve a high common level of cybersecurity across member states to improve the resilience of critical infrastructure and essential services. Secureframe offers out-of-the-box support for NIS2 compliance.

NIST Special Publication 800-115, "Technical Guide to Information Security Testing and Assessment," provides guidelines for organizations on how to conduct security testing and assessments of their information systems. It covers various methodologies, techniques, and processes related to security assessments.

NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” provides guidance and best practices for establishing, implementing, and maintaining a continuous monitoring program for information security in federal agencies and organizations.

NIST Special Publication 800-145, "The NIST Definition of Cloud Computing," provides a comprehensive framework for understanding and defining cloud computing. It serves as a valuable resource for organizations navigating the cloud landscape.

NIST 800-172 provides enhanced security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. It outlines enhanced security measures to safeguard sensitive information that is not classified but still requires protection.

NIST Special Publication 800-30, "Guide for Conducting Risk Assessments," provides guidance for organizations to conduct risk assessments of federal information systems and organizations. It amplifies the guidance in NIST Special Publication 800-39, which describes the organizational risk management process. 

The NIST AI Risk Management Framework (AI RMF) is a comprehensive set of guidelines and best practices designed to help organizations manage the risks associated with artificial intelligence (AI) systems. It aims to improve the trustworthiness, fairness, transparency, and accountability of AI technologies. Secureframe offers out-of-the-box support for NIST AI RMF compliance.

The NIST Cybersecurity Framework (CSF) is a comprehensive set of guidelines and best practices designed to help organizations manage and reduce cybersecurity risks. It provides a common language for understanding, managing, and expressing cybersecurity risk both internally and externally. Secureframe offers out-of-the-box support for NIST CSF 2.0 compliance.

The New York Department of Financial Services (NYDFS) NYCRR 500 is a set of guidelines and requirements designed to enhance the cybersecurity posture of financial institutions operating in the state of New York. Secureframe offers out-of-the-box support for NYDFS NYCRR 500 compliance.

The OWASP Application Security Verification Standard (ASVS) Project provides a framework for the security of web applications and web services. It establishes a security control baseline for web applications in their design, development, and testing phases, providing developers, testers, and architects with a clear roadmap for creating secure applications.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal privacy law that governs how private sector organizations collect, use, and disclose personal information in the course of commercial activities.

SOC 1® is designed to provide specific users with information about a service organization’s controls relevant to their clients’ internal control over financial reporting. A SOC 1 report is often requested by a service organization's clients and their auditors.

SOC 3® is designed to provide general users with a concise and high-level report on a service organization’s controls related to security, availability, processing integrity, confidentiality, or privacy

The Sarbanes-Oxley Act, often abbreviated as SOX, is a United States federal law passed in 2002 in response to corporate failures and fraud that resulted in substantial financial losses to institutional and individual investors in the early 2000s. SOX was designed to enhance transparency and accountability in financial reporting and to protect investors and the public from fraudulent financial practices within publicly traded companies. Secureframe offers out-of-the-box support for SOX ITGC controls.

StateRAMP is designed to help state and local governments and public institutions partner with cloud service providers that have enacted strong information security and data privacy practices.

TX-RAMP was established by the Texas Department of Information Resources to provide a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process, store, or transmit the data of a state agency. Secureframe offers out-of-the-box support for TX-RAMP compliance.

Trusted Information Security Assessment Exchange(TISAX) is a framework tailored for the automotive industry to ensure the confidentiality, integrity, and availability of sensitive information. It provides a standardized method for assessing and exchanging information security in the automotive supply chain. Secureframe offers full, out-of-the-box support for TISAX compliance.

The UL 2900 series of standards, often referred to as the UL 2900 Framework, was developed by Underwriters Laboratories (UL) to provide a basis for evaluating and certifying the security of connected products. This series focuses on assessing the software vulnerabilities and weaknesses in network-connectable devices, considering both the product and the organizational environment.