Security Frameworks
Center for Internet Security (CIS)
A non-profit organization that publishes information on cybersecurity best practices and threats. It also provides tools to help harden your environment and manage risk.
Cloud Security Alliance (CSA)
A nonprofit organization with a mission to promote best practices for using cloud computing securely.
SSAE SOC 2 Type I/II
American Institute of Certified Public Accountants (AICPA) auditing standard: Statement on Standards for Attestation Engagements
SOC 2
Focus is on systems reliability; includes a description of the service auditor's tests of controls and their results. Distribution of the report is generally restricted.
Type 1 audit
Tests controls in a particular place and time
Type 2 audit
Tests controls over a period of at least 6 months
NIST RMF
A risk-based approach to the selection of security controls that considers effectiveness, efficiency, and constraints due to applicable laws, directives, executive orders, policies, standards, or regulations
NIST RMF Framework
Categorize, Select, Implement, Assess, Authorize, Monitor
NIST CSF
Cybersecurity Framework. Implementation tiers: Partial, Risk Informed, Repeatable, Adaptive
ISO/IEC Frameworks
ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27701, ISO 31000
Cloud Controls Matrix (CCM)
Lists and categorizes the security domains and controls, along with which elements and components are relevant to each control. This framework enables cooperation between cloud consumers and cloud providers in demonstrating adequate risk management.