Regulations & Standards
- HIPAA
- ISO/IEC 27001
- NERC CIP
- PCI DSS
- Browse all
Guidelines
Services
Resources
- Latest
- Articles
- Reports
- Data Sheets
- White Papers
About
FAQ
My Account

Regulations & Standards
- HIPAA
- ISO/IEC 27001
- NERC CIP
- PCI DSS
- Browse all
Guidelines
Services
Resources
- Latest
- Articles
- Reports
- Data Sheets
- White Papers
About
FAQ
My Account

About
FAQ
Log in / Joins us

About
FAQ
Log in / Joins us

Regulations & Standards
- HIPAA1. What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal legislation that set forth national standards to safeguard sensitive patient health information from unauthorized disclosure without the patient’s knowledge or consent. The HIPAA regulation consists of four rules: 1. Privacy Rule The Privacy Rule is designed to guarantee that entities handling health information implement appropriate measures to safeguard the information from unauthorized access or disclosure.Empower individuals with the knowledge and control over how their health information is utilized. Adherence to the Privacy Rule assures individuals seeking healthcare that an organization is dedicated to preserving the confidentiality and security of their information. Even if individuals are not interacting directly with an organization, they can trust the HIPAA framework to maintain the privacy of their data across all involved parties. 2. Security Rule The Security Rule is focused on protecting a specific subset of information encompassed by the Privacy Rule by establishing standards for the protection of electronically stored and transmitted PHI (ePHI). This is achieved by mandating the implementation of administrative, technical, and physical safeguards. Compliance with the Security Rule signifies an organization’s dedication to safeguarding the confidentiality, integrity, and security of ePHI, and…
  - The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal legislation that set forth national standards to safeguard sensitive patient health information from unauthorized disclosure without the patient’s knowledge or consent.
- ISO/IEC 270011. What is ISO/IEC 27001? ISO/IEC 27001 is an internationally acknowledged standard, belonging to the ISO/IEC 27000 series, that outlines the requirements for managing an organization’s information security program through a well-defined ISMS. 2. What is an ISMS (Information Security Management System)? An Information Security Management System (ISMS) is a comprehensive set of documents, which includes policies, processes, procedures, and controls, designed to facilitate effective risk management. When developing your ISMS, it is crucial to ensure that the controls, policies, and procedures you implement address the following key information security objectives: Confidentiality: Guaranteeing that data is accessible only to authorized individuals. Integrity: Ensuring that data remains complete and accurate at all times. Availability: Ensuring that data is readily accessible to authorized individuals when needed. ISO/IEC 27001 is structured into 10 sections (referred to as “clauses” in ISO/IEC 27001 terminology) and one annex. The first three clauses provide an introductory overview of the process, while clauses 4 to 10 offer more strategic guidance for securing the business as a whole. Each clause provides a set of guidelines designed to enhance your organization’s security posture. Besides these clauses, ISO/IEC 27001 also includes a single annex, known as Annex A. This annex consists…
  - ISO/IEC 27001 is an internationally acknowledged standard, belonging to the ISO/IEC 27000 series, that outlines the requirements for managing an organization’s information security program through a well-defined ISMS.
- NERC CIP1. What is NERC CIP? NERC CIP, which stands for North American Electric Reliability Corporation Critical Infrastructure Protection, is a collection of cybersecurity standards devised to safeguard the vital infrastructure of the North American electric grid. The objective of NERC CIP standards is to guarantee the reliability, security, and resilience of the electric power system by setting requirements for the identification and protection of critical assets and confidential information. Below is a summary of the NERC CIP framework: CIP-002: Critical Cyber Assets Identification: This requirement is centered on the identification and categorization of critical cyber assets within an organization’s control systems that are essential for the reliable operation of large-scale energy systems. CIP-003: Security Management Controls: This requirement is centered on the implementation of security management controls to establish and maintain an effective cybersecurity program. This encompasses the development of policies, conducting risk assessments, and implementing security controls. CIP-004: Personnel and Training: This requirement underscores the significance of qualified personnel and appropriate training to support an organization’s cybersecurity initiatives. CIP-005: Electronic Security Perimeter: This requirement is centered on establishing secure electronic access points or security perimeters to shield critical cyber assets from unauthorized access and cyber threats. CIP-006: Physical Security…
  - NERC CIP, which stands for North American Electric Reliability Corporation Critical Infrastructure Protection, is a collection of cybersecurity standards devised to safeguard the vital infrastructure of the North American electric grid. The objective of NERC CIP standards is to guarantee the reliability, security, and resilience of the electric power system by setting requirements for the identification and protection of critical assets and confidential information.
- PCI DSS1. What is PCI DSS? Companies that store, process or transmit cardholder data are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). This standard defined by the Payment Card Industry Security Standards Council (PCI SSC) specifies technical and operational requirements established to protect cardholder data, in-scope data includes the sensitive authentication data (stored on magnetic stripe data or equivalent on a chip, CVC2, CVV2, CID, PINs, PIN blocks) and the primary account number (PAN). The PCI SSC is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council, American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Companies must undergo an annual security audit and quarterly network scan by PCI SSC approved providers. Not complying with the PCI DSS standard could lead to fines of non-compliance up to $500,000, expensive litigation costs, and being barred from cardholder data processing from card schemes. Furthermore, non-compliance has a direct impact on brand reputation and exposes companies to negative publicity that damages consumer confidence. The PCI DSS is composed of 12 requirements, organized into six control objectives: Build and Maintain a Secure…
  - This standard defined by the Payment Card Industry Security Standards Council (PCI SSC) specifies technical and operational requirements established to protect cardholder data, in-scope data includes the sensitive authentication data (stored on magnetic stripe data or equivalent on a chip, CVC2, CVV2, CID, PINs, PIN blocks) and the primary account number (PAN).
- Browse all
Guidelines
- MITRE ATT&CK®1. What is MITRE ATT&CK? The MITRE ATT&CK is a comprehensive cybersecurity knowledge base of adversary tactics and techniques, grounded in actual real-world observations. This knowledge base provides a standardized approach to understanding, categorizing, and analyzing cyber threats and attack techniques. The MITRE ATT&CK was developed by MITRE, a nonprofit entity, established to offer engineering and technical advice to the federal government. The MITRE ATT&CK focuses on adversary behavior and provides insights into how cyber threats operate, their tactics, techniques, and procedures (TTPs), and the different stages of a cyber-attack. It is widely used in the cybersecurity industry and is valuable for organizations seeking to enhance their threat detection, incident response, and overall cybersecurity defenses. MITRE ATT&CK consists of a matrix that categorizes cyber threats based on the different stages of an attack, known as the “ATT&CK Matrix.” It includes the following components: Tactics: The high-level objectives that adversaries aim to achieve during a cyber-attack. These tactics include initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, and impact. Techniques: The specific methods and techniques used by adversaries to accomplish their objectives within each tactic. These techniques describe the step-by-step actions and procedures employed…
  - The MITRE ATT&CK is a comprehensive cybersecurity knowledge base of adversary tactics and techniques, grounded in actual real-world observations. This knowledge base provides a standardized approach to understanding, categorizing, and analyzing cyber threats and attack techniques.
- NIST CSF1. What is NIST CSF? The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a widely recognized and widely adopted framework that provides a set of guidelines, best practices, and standards for improving cybersecurity risk management. The framework is specifically designed to help organizations, including critical infrastructure sectors, identify, protect, detect, respond to, and recover from cyber threats and incidents. The NIST CSF is based on industry standards and best practices, and it is a voluntary framework that organizations can adopt and tailor to their specific needs and risk profiles. It consists of three main components: Core: The Core is the heart of the framework and provides a set of cybersecurity activities and desired outcomes. It is organized into five key functions: Identify: This function involves understanding and managing cybersecurity risks by identifying critical assets, assessing vulnerabilities, and understanding the potential impact of cyber threats. Protect: The Protect function focuses on implementing safeguards to ensure the security and resilience of critical infrastructure. It includes activities such as access control, awareness training, data protection, and secure configurations. Detect: The Detect function involves continuous monitoring and timely detection of cybersecurity events. It includes activities such as threat intelligence, anomaly…
  - The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a widely recognized and widely adopted framework that provides a set of guidelines, best practices, and standards for improving cybersecurity risk management. The framework is specifically designed to help organizations, including critical infrastructure sectors, identify, protect, detect, respond to, and recover from cyber threats and incidents.
- NIST SP 800-531. What is NIST SP800-53? The National Institute of Standards and Technology (NIST) Special Publication 800-53 (SP800-53) is a comprehensive cybersecurity framework that provides guidelines and controls for federal information systems and organizations. While it is not specifically focused on critical infrastructure, it serves as a valuable resource for enhancing cybersecurity practices in critical infrastructure sectors. NIST SP800-53 covers a wide range of security controls and best practices that organizations can implement to protect their information systems from various cyber threats. The framework is organized into 18 control families, each addressing a specific area of cybersecurity. Some of the key control families include: Access Control (AC): Controls related to granting and managing access to information systems and resources. This includes user identification, authentication, authorization, and accountability. Incident Response (IR): Controls focused on detecting, responding to, and recovering from cybersecurity incidents. It includes incident response planning, incident handling, and communication protocols. Configuration Management (CM): Controls related to establishing and maintaining secure configurations for information systems. This includes configuration baselines, change management processes, and configuration monitoring. System and Information Integrity (SI): Controls aimed at ensuring the integrity of information systems and data. This includes malware protection, security event monitoring, and vulnerability scanning.…
  - The National Institute of Standards and Technology (NIST) Special Publication 800-53 (SP800-53) is a comprehensive cybersecurity framework that provides guidelines and controls for federal information systems and organizations. While it is not specifically focused on critical infrastructure, it serves as a valuable resource for enhancing cybersecurity practices in critical infrastructure sectors.
- NIST SSDF1. What is NIST SSDF? The NIST SSDF (Secure Software Development Framework) is a cybersecurity framework developed by the National Institute of Standards and Technology (NIST) to help organizations secure their software development processes. The framework provides guidelines and best practices to integrate security into every phase of the software development life cycle (SDLC), from design to deployment and maintenance. The NIST SSDF Framework consists of a set of core principles and practices aimed at ensuring the development of secure and resilient software. It emphasizes the importance of proactive security measures and risk management throughout the entire software development process. Key components of the NIST SSDF Framework include: Risk Assessment: The framework emphasizes the need for conducting risk assessments early in the software development life cycle. This involves identifying potential security risks and vulnerabilities and analyzing their potential impact on the software and the overall system. Security Requirements: The NIST SSDF Framework promotes the inclusion of security requirements in the software development process. These requirements are defined based on the identified risks and help guide the development team in implementing appropriate security controls. Secure Design: The framework emphasizes the importance of secure design principles in developing resilient software. This involves…
  - The NIST SSDF (Secure Software Development Framework) is a cybersecurity framework developed by the National Institute of Standards and Technology (NIST) to help organizations secure their software development processes. The framework provides guidelines and best practices to integrate security into every phase of the software development life cycle (SDLC), from design to deployment and maintenance.
- Browse all
Services
- Compliance Services
  - - - Software Compliance testing
      - Evaluating software for efficient cybersecurity regulation compliance.
      - Software Custom testing
      - Enhancing compliance processes with thorough software evaluation and testing.
    - - NERC CIP
      - Safeguarding critical infrastructure against cybersecurity threats, ensuring reliability.
      - PCI DSS
      - Protecting cardholderdata, reducing risks, and ensuring compliance.
    - - NIST SSDF
      - Improving cybersecurity resilience through a risk-based framework.
      - NIST CSF
      - Improving cybersecurity resilience through a risk-based framework.
  - - - Browse all frameworks
- Cybersecurity for OT
  - Résumer rapidement ce service. Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
- Strategy and Risk
  - Résumer rapidement ce service. Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Resources
- Latest
  - Discover resources to systematically enhance your cybersecurity strategy. Dive into our in-depth research reports, insightful white papers, informative data sheets, latest news, and other valuable materials.
- Articles
  - Discover resources to systematically enhance your cybersecurity strategy. Dive into our in-depth research reports, insightful white papers, informative data sheets, latest news, and other valuable materials.
- Reports
  - Discover resources to systematically enhance your cybersecurity strategy. Dive into our in-depth research reports, insightful white papers, informative data sheets, latest news, and other valuable materials.
- Data Sheets
  - Discover resources to systematically enhance your cybersecurity strategy. Dive into our in-depth research reports, insightful white papers, informative data sheets, latest news, and other valuable materials.
- White Papers
  - Discover resources to systematically enhance your cybersecurity strategy. Dive into our in-depth research reports, insightful white papers, informative data sheets, latest news, and other valuable materials.
About
FAQ
My Account

Maintenance Page

We'll be back soon!

Stay informed

Sign up to receive the latest security news and trends from Compliance Labs

We promise not to spam you.

Acceptance

I accept the terms and conditions

By proceeding, you agree to our Terms Of Use and Privacy Policy. Unsubscribe at any time.

Tour Ariane – 5 place de la Pyramide
92088 Paris La Défense CEDEX

+33 (0)6 1800 0458
Contact us

Linkedin-in X-twitter

About
Why Compliance Labs
The team

services
Compliance Services
Strategy & Risk
Cybersecurity for OT

Resources
Resources
Blog

my account
Join us
Log in
Get listed (for Vendors)

FAQ
|
Terms of us
|
Privacy Policy

Hide similarities
Highlight differences

Select the fields to be shown. Others will be hidden. Drag and drop to rearrange the order.

Software logo
Vendor
About
Website
Supported compliance
Deployment
Environment
Industry
Mitre Att&ck Mitigations
Application and DevOps Security
Asset Inventory and Management
Audit and Compliance Management
Awareness and Training
Backup and Recovery
Data Security
Endpoint and Device Protection
Identity Management and Access Control
Incident Response
Logging and Threat Detection
Network security
Posture and Vulnerability Management
Risk Assessment and Management
Software Bill Of Materials (SBOM)
Zero Trust Network Access
HIPAA_164.308: Administrative Safeguards
HIPAA_164.310: Physical Safeguards
HIPAA_164.312: Technical Safeguards
HIPAA_164.314: Policies and Procedures and Documentation Requirements
NERC_CIP-002-5.1a: BES Cyber System Categorization
NERC_CIP-003-8: Security Management Controls
NERC CIP Categorisation
NERC_CIP-004-7: Personnel & Training
NERC_CIP-005-7: Electronic Security Perimeter(s)
NERC_CIP-007-6: System Security Management
NERC_CIP-009-6: Recovery Plans for BES Cyber Systems
NERC_CIP-010-4: Configuration Change Management and Vulnerability Assessments
NERC_CIP-011-3: Information Protection
NERC_CIP-012-1: Communications between Control Centers
NERC_CIP-013-2: Supply Chain Risk Management
ISO 27001_Organisational Controls
ISO 27001_People Controls
ISO 27001_Physical Controls
ISO 27001_Technological Controls
PCI DSS_Requirement 1: Install and Maintain Network Security Controls
PCI DSS_Requirement 2: Apply Secure Configurations to All System Components
PCI DSS_Requirement: 3 Protect Stored Account Data
PCI DSS_Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
PCI DSS_Requirement 5: Protect All Systems and Networks from Malicious Software
PCI DSS_Requirement 6: Develop and Maintain Secure Systems and Software
PCI DSS_Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
PCI DSS_Requirement 8: Identify Users and Authenticate Access to System Components
PCI DSS_Requirement 9: Restrict Physical Access to Cardholder Data
PCI DSS_Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
PCI DSS_Requirement 11: Test Security of Systems and Networks Regularly
PCI DSS_Requirement 12: Support Information Security with Organizational Policies and Programs
MITRE ATT&CK Mitigations (Enterprise) Supported by the Software
NIST CSF_GOVERN (GV) - Risk Management Strategy (GV.RM)
NIST CSF_GOVERN (GV) - Oversight (GV.OV)
NIST CSF_IDENTIFY (ID) - Asset Management (ID.AM)
NIST CSF_IDENTIFY (ID) - Risk Assessment (ID.RA)
NIST CSF_PROTECT (PR) - Identity Management, Authentication, and Access Control (PR.AA)
NIST CSF_PROTECT (PR) - Awareness and Training (PR.AT)
NIST CSF_PROTECT (PR) - Data Security (PR.DS)
NIST CSF_PROTECT (PR) - Platform Security (PR.PS)
NIST CSF_PROTECT (PR) - Technology Infrastructure Resilience (PR.IR)
NIST CSF_DETECT (DE) - Continuous Monitoring (DE.CM)
NIST CSF_DETECT (DE) - Adverse Event Analysis (DE.AE)
NIST CSF_RESPOND (RS) - Incident Management (RS.MA)
NIST CSF_RESPOND (RS) - Incident Analysis (RS.AN)
NIST CSF_RESPOND (RS) - Incident Response Reporting and Communication (RS.CO)
NIST CSF_RESPOND (RS) - Incident Mitigation (RS.MI)
NIST CSF_RECOVER (RC) - Incident Recovery Plan Execution (RC.RP)
NIST SP6800-53 (Low)_Access Control
NIST SP6800-53 (Low)_Awareness and Training
NIST SP6800-53 (Low)_Audit and Accountability
NIST SP6800-53 (Low)_Assessment, Authorization, and Monitoring
NIST SP6800-53 (Low)_Configuration Management
NIST SP6800-53 (Low)_Contingency Planning
NIST SP6800-53 (Low)_Incident Response
NIST SP6800-53 (Low)_Identification and Authentication
NIST SP6800-53 (Low)_Maintenance
NIST SP6800-53 (Low)_Media Protection
NIST SP6800-53 (Low)_Risk Assessment
NIST SP6800-53 (Low)_NIST SP6800-53 (Low)_System and Services Acquisition
NIST SP6800-53 (Low)_System and Communications Protection
NIST SP6800-53 (Low)_System and Information Integrity
NIST SP6800-53 (Low)_Supply Chain Risk Management
NIST SSDF_Prepare the Organization (PO) Implement Roles and Responsibilities (PO.2)
NIST SSDF_Implement Supporting Toolchains (PO.3)
NIST SSDF_Define and Use Criteria for Software Security Checks (PO.4)
NIST SSDF_Implement and Maintain Secure Environments for Software Development (PO.5)
NIST SSDF_Protect Software (PS) Protect All Forms of Code from Unauthorized Access and Tampering (PS.1)
NIST SSDF_Provide a Mechanism for Verifying Software Release Integrity (PS.2)
NIST SSDF_Archive and Protect Each Software Release (PS.3)
NIST SSDF_Produce Well-Secured Software (PW) Design Software to Meet Security Requirements and Mitigate Security Risks (PW.1)
NIST SSDF_Review the Software Design to Verify Compliance with Security Requirements and Risk Information (PW.2)
NIST SSDF_Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality (PW.4)
NIST SSDF_Create Source Code by Adhering to Secure Coding Practices (PW.5)
NIST SSDF_Configure the Compilation, Interpreter, and Build Processes to Improve Executable Security (PW.6)
NIST SSDF_Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements (PW.7)
NIST SSDF_Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements (PW.8)
NIST SSDF_Configure Software to Have Secure Settings by Default (PW.9)
NIST SSDF_Respond to Vulnerabilities (RV) Identify and Confirm Vulnerabilities on an Ongoing Basis (RV.1)
NIST SSDF_Assess, Prioritize, and Remediate Vulnerabilities (RV.2)
NIST SSDF_Analyze Vulnerabilities to Identify Their Root Causes (RV.3)
Periodic compliance activities supported by the Software
The Software store, process, or transmit
The Software requires to be integrated with other systems impacting the cybersecurity or compliance of the customer
Software modules implemented
Software vendor Third-Party Service Providers (TPSPs) used
Support a BES Reliability Operating Service (BROS)
In Electronic Security Perimeter (ESP)
External Routable Connectivity (ERC) Scope Impact
In Physical Security Perimeter (PSP)
With Electronic Access Point (EAP)
Accessibility Attributes
Connectivity Attributes
Software secure development lifecycle
The Software vendor provides support during installation or set-up
The Software vendor provides an implementation guide to assist customers in securely setting up the application
Cardholder Data Environment (CDE) Systems (in-scope for PCI DSS)
Connected-to and/or security-impacting systems
Out-of-scope Systems

Compare

Compare ×

See comparison Continue browsing software

Free Ebook

Get your 5 steps guide to choose software

We promise not to spam you. By signing up to our newsletter, you will receive tools and insights from compliance experts, as well as important information to improve your account.

Acceptance

I accept the terms and conditions

By proceeding, you agree to our Terms Of Use and Privacy Policy. Unsubscribe at any time.