A GRC Solution That Works With All Types Of Security Frameworks

With multiple security frameworks that have different purposes and guidance, how do organizations know what is the best fit for their needs?

The best place to begin is to understand what each security framework is designed for, and then determine if that applies to your organization’s structure and operations.

And, with a structured GRC solution like ComplyAssistant, you’ll have a single, organized source of truth for all documentation related to any and all security frameworks and compliance regulations you choose. Our software is purposely designed to be flexible enough to handle any federal, state and local compliance regulation.

A platform to meet any compliance regulation:

ComplyAssistant’s software is built to handle any federal, state and local compliance regulation. Any of these cybersecurity frameworks can be managed directly in our platform:

HIPAA

Manage HIPAA policies, procedures and evidence of operational compliance.

NIST Cybersecurity Framework

Build and implement a framework using NIST guidelines and structure.

HICP

Protect your organization against the top five threats identified by Health Industry Cybersecurity Practices (HICP) by implementing ten recommended security practices.

HITRUST

Answer HITRUST assessment questions, manage tasks, track standards documentation and manage maturity levels.

PCI

Manage security standards around credit card and payment accounts.

DNV GL Accreditation

Prepare and organize hospital and ancillary facility accreditation materials.

COVID-19

COVID-19 readiness checklists are now available at a heavy discount for all healthcare providers in ComplyAssistant’s GRC software.

FFIEC

Standardized cybersecurity software and services for financial institutions.

ISO 27001

Manage your organization’s ISO 27001 compliance with ComplyAssistant’s GRC software and consulting.

CMMC

Meet U.S. Department of Defense (DOD) specifications for cybersecurity compliance.

Other frameworks:

  • HICP (Health Industry Cybersecurity Practices)

    Description: HICP (Health Industry Cybersecurity Practices) was developed under HR 7898, which was signed into law on January 5, 2021. It gives covered entities (CEs) and business associates (BAs) guidance on how to create and implement consistent “recognized security practices” (RSPs) for small, medium, and large organizations.

    HICP focuses on the top threats identified in healthcare and specific practices to mitigate those threats.

    Use case: With ComplyAssistant, use HICP threats and controls in our Risk Register and with custom assessment questions, which are both directly mapped into our Regulation Management module. This module can document current processes and controls, gaps, plans, compliance levels, risk levels, and follow-up tasks.

  • Center for Internet Security CIS Controls™ V7.1

    Description: The CIS Controls are cybersecurity best practices for defense against common threats, used by organizations with varying resources and risk exposure. V7.1 introduces Implementation Groups, which help organizations prioritize controls based on their type and the resources available to them.

    Use case: With ComplyAssistant, you have access to CIS v7.1 custom assessment questions which feed directly into our Regulation Management module. In this module, you can document current processes and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

  • CMMC

    Description: The Cybersecurity Maturity Model Certification is designed to review and combine various cybersecurity standards and best practices, and map these controls and processes across several maturity levels that range from basic to advanced cyber hygiene.

    Use case: With ComplyAssistant, you have access to CMMC custom assessment questions which feed directly into our Regulation Management module. In this module, you can document current processes and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

  • GDPR

    Description: The General Data Protection Regulation is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). GDPR applies regardless of where a website is based, so it must be heeded by all sites that attract European visitors.

    Use case: With ComplyAssistant, you have access to custom GDPR assessment questions which feed directly into our Regulation Management module. In this module, you can document current processes and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

  • Mitre Enterprise

    Description: ATT&CK® for Enterprise is a security framework for describing the actions an adversary may take to compromise and operate within an enterprise network. Organizations can use it to expand their understanding of adversary behavior and assist with prioritizing network defense by detailing the tactics, techniques, and procedures cyber threats use to gain access and execute their objectives while operating inside a network.

    Use case: With ComplyAssistant, you can scope the Mitre Enterprise framework for your organization within our Regulation Management module.

    • Organize tactics, techniques and mitigation strategies.
    • Document current processes, controls, gaps, future plans, compliance levels and risk levels.
    • Create follow-up tasks.

  • Mitre PRE-ATT&CK

    Description: The Mitre PRE-ATT&CK framework includes 15 tactic categories designed to prevent an attack before it happens. The framework helps users anticipate attacks by understanding the tactics, statistics and patterns that adversaries use to select targets and launch attacks.

    Use case: With ComplyAssistant, you can scope the Mitre PRE-ATT&CK framework for your organization within our Regulation Management module.

    • Organize tactics and techniques.
    • Document current processes, controls, gaps, future plans, compliance levels and risk levels.
    • Create follow-up tasks.

  • SOC 2

    Description: SOC 2 is an auditing procedure that ensures service providers securely manage data in order to protect data security and privacy. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider. SOC 2 defines criteria for managing data based on five principles: security, availability, processing integrity, confidentiality and privacy.

    Use case: With ComplyAssistant, you have access to SOC 2 assessment questions which feed directly into our Regulation Management module. In this module, you can document current processes and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

  • NIST Special Publication 800-171A

    Description: NIST Special Publication 800-171A, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is an assessment process designed to help organizations gather information and produce evidence to determine the effectiveness of security safeguards intended to comply with NIST Special Publication 800-171, which will allow an organization to:

    • Identify potential problems or shortfalls in its security and risk management program;
    • Identify security weaknesses and deficiencies in its systems and environments;
    • Prioritize risk mitigation decisions and activities;
    • Confirm that security weaknesses and deficiencies have been addressed; and
    • Support continuous monitoring activities and provide information security situational awareness.

    Use case: With ComplyAssistant, you have access to NIST 800-171A (DFARS) assessment questions which feed directly into our Regulation Management module. In this module, you can document current processes and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

  • NIST Special Publication 800-171 Revision 2

    Description: NIST Special Publication 800-171 Revision 2 provides federal agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when:

    • the CUI is resident in a nonfederal system and organization;
    • the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and
    • there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry.

    The requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.

    Use case: With ComplyAssistant, you have access to assessment questions that feed directly into our Regulation Management module. In this module, you can document current processes and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

  • NIST Special Publication 800-53 Revision 4

    Description: NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, is part of a series that provides a comprehensive set of security controls, security control baselines and guidance for tailoring the appropriate baseline to specific needs according to the organization's missions, environments of operation and technologies used.

    Revision 4 includes updates based on the evolving technology and threat space (e.g., mobile and cloud computing; insider threats; application security). Revision 4 also contains a new appendix of privacy controls and related implementation guidance for protocols that affect individual privacy.

    Use case: With ComplyAssistant, you have access to assessment questions that feed directly into our Regulation Management module. In this module, you can document current processes and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks. A CSET questionnaire is also available within our application.

  • NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management

    Description: The NIST Privacy Framework (version 1.0) is a voluntary framework intended for use by organizations of any size or type. Using a common approach, the Privacy Framework’s purpose is to help organizations manage privacy risks by:

    • Considering privacy as they design and deploy systems, products and services;
    • Communicating about their privacy practices; and
    • Encouraging cross-organizational workforce collaboration.

    The Privacy Framework is composed of three parts: Core, Profiles, and Implementation Tiers. Each component reinforces how organizations manage privacy risk through the connection between business or mission drivers, organizational roles and responsibilities and privacy protection activities.

    Use case: With ComplyAssistant, you have access to assessment questions that feed directly into our Regulation Management module. In this module, you can document current processes and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

  • OIG Compliance Program Guidance

    Description: The Office of Inspector General has developed a series of voluntary compliance program guidance documents for healthcare facilities such as hospitals, nursing homes, third-party billers and durable medical equipment suppliers, to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations and program requirements.

    OIG’s Resource Guide was published to help ensure healthcare organizations include all elements in a compliance program, including:

    1. Standards, Policies, and Procedures
    2. Compliance Program Administration
    3. Screening and Evaluation of Employees, Physicians, Vendors and other Agents
    4. Communication, Education, and Training on Compliance Issues
    5. Monitoring, Auditing, and Internal Reporting Systems
    6. Discipline for Noncompliance
    7. Investigations and Remedial Measures

    Use case: With ComplyAssistant, you have access to assessment questions that feed directly into our Regulation Management module. In this module, you can document current processes and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

  • 23 NYCRR Part 500

    Description: Applicable to financial services companies in the state of New York, 23 NYCRR Part 500 is a regulation designed to promote the protection of customer information and information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.

    Use case: With ComplyAssistant, you have access to assessment questions that feed directly into our Regulation Management module. In this module, you can document current processes and controls, gaps, future plans, compliance levels, risk levels and follow-up tasks.

Need Help Deciding Which Security Framework Is Best For Your Organization?

Want more info? Check out our Guide to the NIST Cybersecurity Framework, and our blog on how healthcare organizations can use both HIPAA and the NIST Cybersecurity Framework.