A GRC solution that works with all types of security frameworks

With multiple security frameworks that have different purposes and guidance, how do organizations know what is the best fit for their needs?

The best place to begin is to understand what each security framework is designed for, and then determine if that applies to your organization’s structure and operations.

And, with a structured GRC solution like ComplyAssistant, you’ll have a single, organized source of truth for all documentation related to any and all security frameworks and compliance regulations you choose. Our software is purposely designed to be flexible enough to handle any federal, state and local compliance regulation.

  • Center for Internet Security CIS Controls™ V7.1

    Description: The CIS Controls are cybersecurity best practices for defense against common threats, used by organizations with varying resources and risk exposure. V7.1 introduces Implementation Groups, which let an organization prioritize controls based on its type and the resources available to it.

    Use case: With ComplyAssistant, create or use CIS v7.1 custom assessment questions which feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

  • CMMC

    Description: The Cybersecurity Maturity Model Certification is designed to review and combine various cybersecurity standards and best practices, and map these controls and processes across several maturity levels that range from basic to advanced cyber hygiene.

    Use case: With ComplyAssistant, create or use CMMC custom assessment questions which feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

  • GDPR

    Description: The General Data Protection Regulation is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). GDPR applies regardless of where a website is based, so it must be heeded by all sites that attract European visitors.

    Use case: With ComplyAssistant, create or use custom GDPR assessment questions which feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

  • Mitre Enterprise

    Description: ATT&CK® for Enterprise is a security framework for describing the actions an adversary may take to compromise and operate within an enterprise network. Organizations can use it to expand their understanding of adversary behavior and assist with prioritizing network defense by detailing the tactics, techniques, and procedures cyber threats use to gain access and execute their objectives while operating inside a network.

    Use case: With ComplyAssistant, you can scope the Mitre Enterprise framework for your organization within our Regulation Management module.

    • Organize tactics, techniques and mitigation strategies.
    • Document current processes, controls, gaps, future plans, compliance levels and risk levels.
    • Create follow-up tasks.

  • Mitre PRE-ATT&CK

    Description: The Mitre PRE-ATT&CK framework includes 15 tactic categories designed to prevent an attack before it happens. The framework helps users anticipate attacks by understanding the tactics, statistics and patterns that adversaries use to select targets and launch attacks.

    Use case: With ComplyAssistant, you can scope the Mitre PRE-ATT&CK framework for your organization within our Regulation Management module.

    • Organize tactics and techniques.
    • Document current processes, controls, gaps, future plans, compliance levels and risk levels.
    • Create follow-up tasks.

  • SOC 2

    Description: SOC 2 is an auditing procedure that ensures service providers manage customer data securely, protecting both the data itself and the privacy of the individuals it concerns. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider. SOC 2 defines criteria for managing data based on five principles: security, availability, processing integrity, confidentiality and privacy.

    Use case: With ComplyAssistant, you can create SOC 2 assessment questions which feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

  • NIST Special Publication 800-171A

    Description: NIST Special Publication 800-171A, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is an assessment process designed to help organizations gather information and produce evidence to determine the effectiveness of the security safeguards intended to comply with NIST Special Publication 800-171. Following it allows an organization to:

    • Identify potential problems or shortfalls in its security and risk management program;
    • Identify security weaknesses and deficiencies in its systems and environments;
    • Prioritize risk mitigation decisions and activities;
    • Confirm that security weaknesses and deficiencies have been addressed; and
    • Support continuous monitoring activities and provide information security situational awareness.

    Use case: With ComplyAssistant, you can create or use custom NIST 800-171A (DFARS) assessment questions which feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

  • NIST Special Publication 800-171 Revision 2

    Description: NIST Special Publication 800-171 Revision 2 provides federal agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when:

    • the CUI is resident in a nonfederal system and organization;
    • the nonfederal organization is not collecting or maintaining information on behalf of a federal agency, or using or operating a system on behalf of an agency; and
    • there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry.

    The requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.

    Use case: With ComplyAssistant, you can create assessment questions that feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

  • NIST Special Publication 800-53 Revision 4

    Description: NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, is part of a series that provides a comprehensive set of security controls, security control baselines and guidance for tailoring the appropriate baseline to specific needs according to the organization's missions, environments of operation and technologies used.

    Revision 4 includes updates based on the evolving technology and threat landscape (e.g., mobile and cloud computing; insider threats; application security). Revision 4 also contains a new appendix of privacy controls and related implementation guidance for protocols that affect individual privacy.

    Use case: With ComplyAssistant, you can create assessment questions that feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks. A CSET questionnaire is also available within our application.

  • NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management

    Description: The NIST Privacy Framework (version 1.0) is a voluntary framework intended for use by organizations of any size or type. Using a common approach, the Privacy Framework's purpose is to help organizations manage privacy risks by:

    • Considering privacy as they design and deploy systems, products and services;
    • Communicating about their privacy practices; and
    • Encouraging cross-organizational workforce collaboration.

    The Privacy Framework is composed of three parts: Core, Profiles, and Implementation Tiers. Each component reinforces how organizations manage privacy risk through the connection between business or mission drivers, organizational roles and responsibilities and privacy protection activities.

    Use case: With ComplyAssistant, you can create assessment questions that feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

  • OIG Compliance Program Guidance

    Description: The Office of Inspector General has developed a series of voluntary compliance program guidance documents for healthcare facilities such as hospitals, nursing homes, third-party billers and durable medical equipment suppliers, to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations and program requirements.

    OIG’s Resource Guide was published to help ensure healthcare organizations include all elements in a compliance program, including:

    1. Standards, Policies, and Procedures
    2. Compliance Program Administration
    3. Screening and Evaluation of Employees, Physicians, Vendors and other Agents
    4. Communication, Education, and Training on Compliance Issues
    5. Monitoring, Auditing, and Internal Reporting Systems
    6. Discipline for Non-Compliance
    7. Investigations and Remedial Measures

    Use case: With ComplyAssistant, you can create assessment questions that feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

  • 23 NYCRR Part 500

    Description: Applicable to financial services companies in the state of New York, 23 NYCRR Part 500 is a regulation designed to promote the protection of customer information and information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.

    Use case: With ComplyAssistant, you can create assessment questions that feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

  • ISO 27001

    Description: ISO 27001 (formally known as ISO/IEC 27001:2005) covers all types of organizations and specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks.

    The framework specifies requirements for the implementation of security controls customized to the needs of individual organizations, using a top-down, risk-based approach, and is technology-neutral. The specification defines a six-part planning process:

    1. Define a security policy.
    2. Define the scope of the ISMS.
    3. Conduct a risk assessment.
    4. Manage identified risks.
    5. Select control objectives and controls to be implemented.
    6. Prepare a statement of applicability.

    The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action.

    Use case: With ComplyAssistant, you can create assessment questions that feed directly into our Regulation Management module. In this module, you can document current process and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

Want more info? Check out our Guide to the NIST Cybersecurity Framework, and our blog on how healthcare organizations can use both HIPAA and the NIST Cybersecurity Framework.