Security Compliance & Frameworks

Which regulatory compliance mandates does your organization need to follow? Get the support you need to meet your goals with advanced compliance solutions. 

TALK TO AN EXPERT

Understanding the Major Regulations

Understand the difference between major cybersecurity compliance regulations like PCI DSS, HIPAA, SOX, GDPR, and more as you explore compliance solutions from Fortra. Go beyond the basics with a top-line knowledge of lesser-known data protection requirements like LGPD, DORA, and FISMA and learn what it takes to operate compliantly within a range of different industries. Whether you find yourself within one of the covered industries or simply plan on working with one, Fortra can help you become audit-ready and turn your data compliance value from a liability into an asset.

What is CUI protection? 

The standard by which government agencies and their private sector affiliates handle the sharing of controlled unclassified information (CUI) which is government data that is not designated classified but is still information that should not be made public. 

Who should care about CUI protection? 

Federal government agencies and private sector businesses or contractors that work with the government should comply with CUI rules. 

What systems does this affect? 

All systems that contain controlled unclassified information (CUI) are impacted by this regulation. 

Learn more about CUI protection >

What is DORA? 

The Digital Operational Resilience Act (DORA) governs how financial institutions in the EU manage all components of operational resilience, explicitly referring to Information Communication Technology (ICT) risk and ICT risk-management.  

Who should care about DORA? 

Financial entities such as banks, insurance companies, investment firms, and crypt-asset providers in the EU are under DORA compliance requirements, as are critical third parties which provide ICT-related services to EU financial institutions.  

What systems does this affect? 

Dora impacts systems designed to relay digital communications to financial entities across the EU. 

Learn more about DORA compliance >  

What is India's DPDP Act?
The Digital Personal Data Protection Act (DPDP) is India's comprehensive data protection law, governing the collection, storage, processing, and transfer of personal data in India.

Who should care about DPDP?
Any business that collects, stores, or processes personal data of Indian residents should care about DPDP, even if they’re located outside these locations.

What systems does this affect?
DPDP affects all data processing systems that handle personal data of Indian residents.

Learn more about the DPDP Act >

What is FISMA? 

The Federal Information Security Management Act (FISMA) sets forth requirements for rigorous information security protection processes to protect federal government data. 

Who should care about FISMA? 

Federal agencies and state agencies that administer federal programs, and contractors or private sector companies that interface with federal government agencies or programs are affected by FISMA. 

What systems does this affect? 

FISMA impacts any systems that store or transmit sensitive federal agency data.  

Learn more about FISMA compliance >

What is GDPR? 

The General Data Protection Regulation (GDPR) regulates the way personal data is processed, stored, and destroyed by organizations in the European Union (EU) and United Kingdom (UK). 

Who should care about GDPR? 

Organizations that store or process personal data of citizens of the EU and UK, even if they’re located outside these locations, are impacted by GDPR regulations.  

What systems does this affect? 

GDPR regulations affect all systems that handle personally identifying information for any EU or UK citizen. 

Learn more about GDPR compliance >

What is HIPAA? 

The Health Insurance Portability and Accountability Act (HIPAA) sets out privacy and security rules for patient healthcare data. 

Who should care about HIPAA? 

Healthcare organizations that store electronic health records and other personal health information (PHI), as well as companies and contractors that provide services or functions for those organizations are required to comply with HIPAA regulations and can face substantial fines if they do not.  

What systems does this affect? 

HIPAA regulations affect any system that store or transmit personal health information. 

Learn more about HIPAA compliance >

What is Indonesia PDP Law?

The Indonesia Personal Data Protection (PDP) Law regulates the collection, use, and processing of personal data. The purpose was to create a comprehensive framework to address the complexity of data usage. 

Who should care about Indonesia PDP?

This applies to any business that collects, stores, or processes personal data of Indonesia residents whether in Indonesia or in other countries. 

What systems does this affect?

Indonesia PDP affects all data processing systems that handle personal data of Indonesian residents. 

Learn more about Indonesia Personal Data Protection (PDP) Law> 

What is ISO 27001?  

The International Standards Organization (ISO), developed ISO 27001 which helps organizations across every sector with guidance for establishing, maintaining, and continuously improving information security management systems (ISMS). 

Who should care about ISO 27001?  

ISO 27001 is for organizations that need to comply with rapidly changing data protection laws and regulations.  Companies that choose to adopt ISO 27001 demonstrate their commitment to high levels of information security. 

What systems does this affect?  

ISO 27001 is applicable to all systems used by an organization that contains intellectual property, contracts, financial data, and other sensitive data which needs to be secured. 

Learn More About ISO 27001>>

What is ITAR? 

The International Traffic in Arms Regulations (ITAR) controls the import and export from the United States (US) of certain defense and military equipment and technologies. 

Who should care about ITAR? 

Companies that create or distribute goods or services covered under the United States Munitions List (USML) or sell products to the US Department of Defense are impacted by ITAR regulations.  

What systems does this affect? 

Systems interfacing with data on the manufacturing of defense weapons and classified information relating to technologies on the USML are impacted by ITAR. 

Learn more about ITAR compliance >

What is ITSAR? 

The Indian Telecommunication Security Assurance Requirements (ITSAR) was developed by Department of Telecommunications in India. The purpose was to develop security requirements and standards that address the country specific security needs for telecoms. 

Who should care about ITSAR? 

This applies to telecommunication service providers (TSP) in India. 

What systems does this affect? 

This is for (U)ICC platforms and it recommends common security requirements of various pluggable (U)ICC platforms, specific security requirements of hardware, operating system, and components of (U)SIM, network security, (U)SIM application related security, and the support for special applications. 

Learn more about ITSAR compliance >

What is LGPD?

The General Personal Data Protection Law (LGPD) is the overarching law for the protection of personal data in Brazil. It regulates the processing of personal data, with its objective being to protect the fundamental rights of freedom and privacy and a natural person’s ability to freely develop their personality.

Who should care about LGPD?

LGPD applies to organizations in either of the following scenarios: - When processing of personal data is a) carried out in Brazil and b) the purpose of the processing is to offer or provide goods or services. - When personal data is processed that was collected from individuals who were in Brazil when that data was collected.

What systems does this affect?

LGPD regulations affect all systems that handle personally identifying information that is processed in Brazil and has the purpose of offering or providing goods or services; or was collected from individuals who were in Brazil at that time.

Learn more about LGPD compliance >

What is NERC CIP?

The North American Reliability Corporation Critical Infrastructure Protection (NERC CIP) reliability standards provide responsible entities with the processes to achieve a crucial mandate: secure the electric grid from physical and cyber threats. 

Who should care about NERC CIP?

All organizations working within the bulk electric system (BES) are responsible for protecting  the safety and reliability of critical infrastructure. As a result they are required to meet NERC CIP requirements at a minimum. 

What systems does this affect?

Adhering to NERC CIP helps prevent dangerous power outages and ensures reliable power for everyone.

Learn more about NERC CIP compliance >

What is PCI DSS? 

The Payment Card Industry Data Security Standard (PCI DSS) regulates organizations that handle cardholder data in order to prevent breaches and fraud. 

Who should care about PCI DSS? 

Any entity that processes, stores, or transmits payment card data need to adhere to PCI DSS regulations. 

What systems does this affect? 

PCI DSS regulations affect any system and network that interacts with cardholder data.  

Learn more about PCI compliance >

What is SOX? 

The Sarbanes-Oxley Act (SOX) was created by the US Government to reduce fraud in financial recordkeeping and reporting for SEC-registered companies. 

Who should care about SOX? 

Publicly traded American or overseas companies registered with the Securities and Exchange Commission (SEC) and the companies that provide financial services to them are under obligation to meet SOX compliance.  

What systems does this affect? 

Systems that store and report on financial data for companies are mandated with SOX compliance.  

Learn more about SOX compliance >

Understanding Major Frameworks

Cyber security frameworks are a set of policies, procedures, and best practices to create a strong security posture. These frameworks provide guidance to organizations on how to protect an IT estate from data breaches and operational disruption. 

CIS Controls

What are CIS Controls? 

The Center for Internet Security (CIS) Controls are a prioritized, easy to understand framework comprising 18 core security principles. 

Who should care about CIS Controls? 

The CIS Controls can be used by any organization in any industry. This framework is common for organizations that want to begin measuring and evaluating different aspects of their security posture as it covers the most critical controls. 

What systems does this affect? 

This is a comprehensive framework that not only covers all systems (laptops, workstations, servers) but also covers aspects such as network connectivity, software assets, and processes. 

Learn more about CIS Controls >

Need to comply with other regulations?

We can help. Chat with a compliance expert now. 

CONTACT US

Cybersecurity & Compliance

Email Data Protection

Find the ally you need in the fight against Business Email Compromise (BEC), phishing and social engineering attacks, ransomware, ATO, accidental data loss and other email-borne threats.

Data Privacy

Keep your data where it belongs. Partner with the solutions that help you stay compliant with data privacy regulations across the board, including HIPAA, SOX, GDPR, PCI DSS, and more.

Data Loss Prevention (DLP)

Avoid compliance blunders with best-in-class Data Loss Prevention (DLP). Our one-of-a-kind approach to DLP leverages cloud-based Managed Detection and Response for a scalable, no-compromise protection.

Data Classification

Operate safely in industries with strict data requirements when you identify, classify, and secure sensitive assets across platforms and in the cloud.

Integrity Management

Create a solid foundation for cybersecurity and compliance by efficiently tracking suspicious changes and monitoring for security misconfigurations. 

Learn More About Cybersecurity

Featured Case Study

What can you do with GoAnywhere?

Alliant Credit Union Enhances PCI DSS with MFT Agents

Illinois-based credit union Alliant was processing over 500 file transfers a week with homegrown solutions. As their need to scale increased and work began on a new data warehouse, it became necessary to consider an automated solution.  

“With our current setup, we saw we needed a more robust system,” explained Computer Operations Supervisor Jay Wehner. “We wanted better automation of the files and a process to import them.” They chose GoAnywhere MFT. Finding it a painless transition, they used it to create secure encrypted connections between their servers. Said Wehner, “No other product was evaluated. GoAnywhere is a true ‘one product does it all.’ It’s not just file movement and SFTP.” 

Branching out beyond the product’s basic capabilities, Alliant adopted GoAnywhere Secure Mail and GoAnywhere GoDrive, a cloud-based Enterprise File Sync and Sharing (EFSS) service which immediately replaced their current cloud-based file sharing solution. “[Those] that are using it … are loving it.” 

Leveraging GoAnywhere MFT agents ultimately helped Alliant to enhance their PCI DSS compliance. “We needed a way to securely store and transmit PCI data,” Wehner revealed. “By utilizing GoAnywhere Agents, we were able to use a secure channel to transmit this data. We now no longer use standard protocols like SMB for file transfers.” 

More Compliance Case Studies

Compliance & Audit Reporting Services

Managed Security Services

Avoid security configuration errors. Partner with cybersecurity experts who can identify issues before threats materialize.

Security Consultation Services - IBM i

Partner with cybersecurity experts to solve your most challenging data protection problems at any stage of the security management lifecycle.

Security Consulting Services

Trusted by clients for more than 35 years, our Security Consulting Services (SCS) team delivers expert security assessments, penetration tests, and red teaming exercises. Composed of experienced cybersecurity professionals, the SCS team specializes in ensuring organizations safeguard their IT infrastructure from cyber-attacks through exercises that highlight security gaps. Security testing from SCS not only provides proof of compliance for both internal and external audits, it also gives assurance that these measures are working. 

Cyber Compliance by Industry

Cybersecurity compliance requirements are as unique as the sectors they protect. Know the data regulations by industry and what it takes to securely do business with each one.

Government Industry Icon

Government

Secure CUI per Executive Order mandated controls, ensure safe Department of Defense technology with ITAR, and be FISMA compliant as you protect sensitive federal data.

Learn More >

Healthcare Industry Icon

Healthcare

As threats to health care increase, protect your peace of mind with HIPAA compliant architecture.

Learn More >

Defense Industry Icon

Critical National Infrastructure

CNI sectors from energy to water to manufacturing benefit from NIST frameworks designed to secure high-risk national agencies.

Learn More >

retail

Retail

Take charge of your bottom-line and secure sensitive customer data with PCI DSS compliant payment card systems.

Learn More >

Finance Industry Icon

Finance

Simplify SOX compliance with streamlined documentation and reporting on internal controls.

Learn More >

Get the Comprehensive Guide >

HR Icon

Consumer

Government mandated data privacy regulations like GDPR and LGPD are becoming increasingly common as individuals hold corporations accountable for the responsible handling of their sensitive personal information.

Learn More >

Solutions

Energy

Today’s electric grid is highly vulnerable to potential cybersecurity threats which is why adhering to NERC CIP requirements is of the utmost importance to keep our power sources safe. 

Learn More>

Saas-icon

SaaS

Making sure your software development process adheres to data and privacy standards such as SOX not only helps you avoid compliance fines but increases consumer trust. 

Learn More>

Compliance Resources

4 Strategies to Enhance Both Your Security and Compliance Posture

Regulatory Compliance in the Cloud: What You Need to Know

Data Compliance—Take a Practical Approach with 5 Key Steps

Emailing Credit Card Information—Why Redaction is Crucial for PCI Compliance

Staying Accountable: A Sarbanes-Oxley (SOX) Overview and Compliance Checklist

Penetration Testing for Regulatory Compliance

What is Policy Compliance? Four Tips to Help You Succeed

Overcoming Compliance Issues in Cloud Computing

Take the Next Step Toward Compliance

Ace your next audit with Fortra and take the guesswork out of the compliance process. 

TALK TO AN EXPERT
Discover Compliance Reporting Solutions