Compliance
FISMA
Summary The Federal Information Security Management Act (FISMA) was originally passed in 2002 as part of the Electronic Government Act. FISMA defines a framework of guidelines and security standards to protect government information and operations. ...
Introduction
This section consists of security standards, regulations and requirements that are known, used and implemented internationally in different types of organizations. Index BSIMM CAPEC™ CIS CWE™ ePrivacy Directive GDPR HIPAA ISO/IEC 27001 NERC CIP NIST ...
Resolution SB 2021 2126
Summary The Ecuadorian Resolution SB-2021-2126 of December 2, 2021, is published in the Official Registry 604 of December 23, 2021. This regulation applies to multiple and specialized banks, financial services entities and auxiliary services entities ...
CASA
Summary The Cloud Application Security Assessment (CASA) has built upon the industry-recognized standards of the OWASP's Application Security Verification Standard (ASVS) to provide a consistent set of requirements to harden security for any ...
OWASP API Security Top 10
Summary API Security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs). The version used in this section is OWASP API Security Top 10 2023. ...
SIG Core
Summary The Standardized Information Gathering (Questionnaire) (SIG) is a repository of third-party information security and privacy questions, indexed to multiple regulations and control frameworks, curated by Shared Assessments. The SIG gathers ...
SIG Lite
Summary The Standardized Information Gathering (Questionnaire) (SIG) Lite is a repository of third-party information security and privacy questions, indexed to multiple regulations and control frameworks, curated by Shared Assessments. SIG Lite takes ...
OWASP SAMM
Summary OWASP Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The version used in this ...
SWIFT CSCF
Summary SWIFT Customer Security Controls Framework (CSCF) establishes a set of mandatory and advisory security controls for the operating environment of SWIFT users. SWIFT provides the global messaging system that financial organizations use to ...
NIST 800-115
Summary NIST Special Publication 800-115 is an overview of the key elements of security testing. It directs organizations on how to plan and conduct technical information security testing, analyze the findings, and develop remediation strategies. The ...
NIST 800-171
Summary NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, provides agencies with recommended security requirements for protecting the confidentiality of controlled ...
OWASP MASVS
Summary The OWASP Mobile Application Security Verification Standard (OWASP MASVS) is a standard for mobile app security. It is used by mobile software architects and developers seeking to develop secure mobile applications, as well as security ...
BSAFSS
Summary The BSA Framework for Secure Software (BSAFSS) offers an outcome-focused, standards-based risk management tool to help stakeholders in the software industry. The framework also helps software development organizations describe the current ...
OWASP SCP
Summary OWASP Secure Coding Practices Reference Guide (OWASP SCP) defines a set of general controls that cover software security coding practices that can be integrated into the software development lifecycle. Its implementation will mitigate most ...
MVSP
Summary Minimum Viable Secure Product (MVSP) is a cybersecurity checklist baseline that lists controls to ensure minimally viable security posture of a product. Definitions Definition Requirements 1_6. Business controls - Compliance 331. Guarantee ...
OWASP Top 10 Privacy Risks
Summary The OWASP Top 10 Privacy Risks Project provides a list of privacy risks in web applications and related countermeasures; furthermore, it covers technological and organizational aspects that focus on real-life risks. The project provides tips ...
PTES
Summary The Penetration Testing Execution Standard (PTES) is a penetration testing method and a standard that provides a baseline for what is required of a penetration test. Developed by a team of information security practitioners with the aim of ...
ISSAF
Summary The Information Systems Security Assessment Framework is designed to evaluate the network, system and application controls in penetration testing methodology. The version used in this section is ISSAF 0.2.1B. Definitions Definition ...
NIST SSDF
Summary The NIST Secure Software Development Framework (SSDF) is a set of fundamental and secure software development practices based on established secure software development practice documents. It describes a set of high-level practices based on ...
FERPA
Summary The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records and the right to have some control over the disclosure of personally identifiable information from the education ...
WASC
Summary The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a website. It outlines the attacks and weaknesses that can lead to the compromise of a website, its data or its users. The version ...
C2M2
Summary The Cybersecurity Capability Maturity Model (C2M2) is a tool for evaluating and improving cybersecurity. It focuses on the implementation and management of cybersecurity practices associated with information, information technology (IT), and ...
OSSTMM3
Summary The Open Source Security Testing Methodology Manual (OSSTMM) provides a methodology for the accurate characterization of operational security (OpSec) through examination and correlation of test results in a consistent way. It is one of the ...
WASSEC
Summary The Web Application Security Scanner Evaluation Criteria (WASSEC) is a set of guidelines to evaluate web application scanners on their ability to effectively test web applications and identify vulnerabilities. It covers areas such as ...
ISA/IEC 62443
Summary The ISA/IEC 62443 standard defines the necessary elements to establish a cyber security management system (CSMS) for industrial automation and control systems (IACS) and provides guidance on how to develop those elements. The version used in ...
LGPD
Summary The Brazilian General Data Protection Law (LGPD) can be considered as Brazil's answer to the GDPR —with the Brazilian law aligning with the European Regulation in many ways, while differing in others. The LGPD aims at creating a new legal ...
ISO/IEC 27002
Summary ISO/IEC 27002 is used as a reference for determining and implementing controls for information security risk treatment in an information security management system (ISMS) based on ISO/IEC 27001. It describes a suite of information security ...
FedRAMP
Summary FedRAMP is a U.S. Government program designed to standardize how the Federal Information Security Management Act (FISMA) applies to cloud computing services. It provides a standardized approach to security assessment, authorization and ...
HITRUST CSF
Summary HITRUST CSF is both risk and compliance-based, making it possible for organizations of varying risk profiles to customize their security and privacy control baselines. It is sensitive to data protection compliance and the challenges of ...
CMMC
Summary The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the Defense Industrial Base (DIB). It is aimed at measuring the maturity of an organization's cybersecurity processes (process ...
PDPO
Summary The Personal Data Privacy Ordinance (PDPO) is the main legislation in Hong Kong which aims to protect the privacy of individuals in relation to personal data, and to regulate the collection, holding, processing or use of personal data based ...
POPIA
Summary South Africa's Protection of Personal Information Act (POPIA) aims to promote the protection of personal information processed by public and private bodies and to introduce certain conditions so as to establish minimum requirements for the ...
PDPA
Summary Singapore's Personal Data Protection Act (PDPA) regulates the collection, use and disclosure of personal data in Singapore by giving enforceable rights to users, placing the responsibility of lawful data processing on the shoulders of ...
SANS 25
Summary CWE/SANS TOP 25 Most Dangerous Software Errors is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. It presents detailed descriptions of the top 25 software errors along with ...
PA-DSS
Summary The PCI Payment Application Data Security Standard (PA-DSS) Requirements and Security Assessment Procedures define security requirements and assessment procedures for software vendors of payment applications. The version used in this section ...
MITRE ATT&CK®
Summary MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, and it is used throughout the cybersecurity product and service community. This mitigation describes any guidance or training given ...
NY SHIELD Act
Summary The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was developed in July of 2019. This Act amends New York's existing data breach notification law by expanding the definition of "Private Information" and by adding "Data Breach ...
NYDFS
Summary The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of regulations from the New York State Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered entities. The version used in this section is ...
MISRA-C
Summary MISRA C is a set of software development guidelines for the C programming language developed by The MISRA Consortium. It is the most widely used set of coding guidelines for C around the world. MISRA provides best practice guidelines for the ...
GLBA
Summary The Gramm–Leach–Bliley Act (GLBA) requires financial institutions —companies that offer consumers financial products or services like loans, financial or investment advice, or insurance— to explain their information-sharing practices to their ...