Compliance Frameworks in CloudDR
Applies To: WatchGuard CloudDR
On the Compliance page in WatchGuard CloudDR, you can manage your compliance with major frameworks. CloudDR supports these frameworks:
- CIS Controls (Center for Internet Security)
- SOC 2 (Service Organization Controls)
- HIPAA (Health Insurance Portability and Accountability Act)
- GDPR (General Data Protection Regulation)
- ISO 27001:2022 (International Organization for Standardization)
- NIST SP 800 - 53
- CSA STAR (Cloud Security Alliance Security Trust Assurance and Risk)
- PCI DSS (Payment Card Industry Data Security Standard)
- NIST CSF (National Institute of Standards and Technology Cybersecurity Framework)
CIS Controls (Center for Internet Security)
Overseeing Organization
Center for Internet Security (CIS) — Non-profit organization
Focus/Applicability
CIS controls are a recommended set of best practices for cybersecurity across various IT assets like servers, endpoints, and cloud environments. They are not official regulations but are widely adopted by organizations of all sizes.
Principles
CIS controls are based on a defense-in-depth approach, and prioritize critical security controls to mitigate the most common cyberthreats.
SOC 2 (Service Organization Controls)
Overseeing Organization
American Institute of Certified Public Accountants (AICPA)
Focus/Applicability
SOC 2 is an auditing standard for service providers that store or process customer data. It focuses on internal controls related to security, availability, integrity, confidentiality, and privacy.
Principles
SOC 2 reports come in three trust service principles (TSPs): Security, Availability, and Confidentiality (or Privacy). Organizations can select which principles to be audited for, based on their specific services and customer requirements.
HIPAA (Health Insurance Portability and Accountability Act)
Overseeing Organization
United States Department of Health and Human Services (HHS)
Focus/Applicability
HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses that handle the protected health information (PHI) of individuals.
Principles
HIPAA focuses on protecting the privacy, security, and integrity of PHI. It outlines requirements for administrative, physical, and technical safeguards to achieve these goals.
GDPR (General Data Protection Regulation)
Overseeing Organization
European Union (EU)
Focus/Applicability
GDPR is a regulation that governs the processing of personal data of individuals who reside in the European Economic Area (EEA). It applies to any organization that processes this data, regardless of the location of the organization.
Principles
GDPR emphasizes individual control over personal data. It outlines principles such as transparency, accountability, and data subject rights (access, rectification, erasure, restriction of processing).
ISO 27001:2022 (International Organization for Standardization)
Overseeing Organization
International Organization for Standardization (ISO)
Focus/Applicability
ISO 27001 is an information security management system (ISMS) standard that any organization can apply, regardless of size or industry. It provides a framework for the implementation and maintenance of a comprehensive information security program.
Principles
ISO 27001 follows a risk-based approach, and requires organizations to identify information assets, assess security risks, implement controls, and continuously improve their ISMS.
NIST SP 800 - 53
Overseeing Organization
National Institute of Standards and Technology (NIST) — United States Department of Commerce.
Focus/Applicability
NIST SP 800-53 provides a catalog of security and privacy controls designed to protect information systems and organizations. It is applicable to US federal agencies, contractors, and organizations that handle government data, but it is also widely used in the private sector as a best-practice framework.
Principles
NIST SP 800-53 emphasizes a risk-based approach to cybersecurity, and organizes controls into families (such as, Access Control, Risk Assessment, Incident Response). Key principles include implementing multiple layers of security (defense-in-depth), continuous monitoring of risks and compliance, and tailoring controls to specific organizational needs (flexibility).
CSA STAR (Cloud Security Alliance Security Trust Assurance and Risk)
Overseeing Organization
Cloud Security Alliance (CSA)
Focus/Applicability
CSA STAR is a certification and assurance program designed to address cloud security. It applies to cloud service providers (CSPs) and their customers, and offers transparency and assurance of security practices in cloud environments.
Principles
CSA STAR emphasizes transparency by requiring CSPs to provide clear details about their security controls. It incorporates a three-level assurance model (self-assessment, third-party audit, and continuous monitoring), and aligns with frameworks like ISO 27001 and the Cloud Controls Matrix (CCM). Additionally, it supports organizations in the evaluation and management of cloud-related risks (risk management).
PCI DSS (Payment Card Industry Data Security Standard)
Overseeing Organization
Payment Card Industry Security Standards Council (PCI SSC)
Focus/Applicability
PCI DSS is a global standard that applies to all entities that store, process, or transmit credit card information. It is designed to protect payment card data and prevent fraud.
Principles
PCI DSS focuses on the protection of cardholder data through measures like encryption, masking, and tokenization (data protection). It emphasizes restricting access to sensitive data to authorized personnel (access control) and regularly monitoring and testing networks to detect vulnerabilities (monitoring and testing). Organizations must comply with stringent controls to make sure that they handle payment data safely (compliance enforcement).
NIST CSF (National Institute of Standards and Technology Cybersecurity Framework)
Overseeing Organization
National Institute of Standards and Technology (NIST), part of the United States Department of Commerce
Focus/Applicability
NIST CSF applies to organizations across all sectors, primarily in the United States, but is widely adopted globally. It is designed for organizations of all sizes to improve cybersecurity risk management.
Principles
NIST CSF focuses on the management and reduction of cybersecurity risk through a structured approach. It provides a risk-based framework that consists of six core functions:
- Govern – Establish and monitor cybersecurity risk management strategy, policies, and oversight.
- Identify – Understand assets, systems, data, and risks.
- Protect – Implement safeguards to limit or contain the impact of potential events.
- Detect – Develop activities to identify the occurrence of a cybersecurity event.
- Respond – Take action related to a detected cybersecurity incident.
- Recover – Restore capabilities and services impaired because of a cybersecurity event.