Security Frameworks

For Your Ezentria ComplyWise Program

Security Frameworks

For Your Ezentria ComplyWise Program

Ezentria ComplyWise is a flexible program for addressing the information security and privacy compliance requirements (certifications and attestations) of small and midsize businesses. The process is easily adapted to support a variety of cyber security frameworks. ComplyWise is also capable of implementing and tracking multiple compliance frameworks, simultaneously. Below are the frameworks we support with our ComplyWise Process, Services, and Portal.


The California Consumer Privacy Act (CCPA) grants consumers new rights with respect to the collection of their personal information. This state law requires that qualifying businesses implement and communicate policies and procedures regarding the details, use, and security of private and personal data.

CIS Controls

The Center for Internet Security (CIS) Controls (previously known as the SANS Top 20 Critical Security Controls) are a set of best practices (security actions) derived from the most common attack patterns. The twenty (20) critical security controls are vetted and updated annually by volunteer practitioners who are experienced with how attacks are executed.


The Federal Information Processing Standards (FIPS) are compulsory for all non-military government agencies, as well as any of their contractors. FIPS purpose is to ensure government agencies are using identical standards to secure vital information.


Federal Information Security Modernization Act (FISMA) requires all federal agencies to implement a certain set of policies, procedures, and system upgrades to ensure network security in a cost-effective manner.


General Data Protection Regulation (GDPR) applies to organizations both inside and outside of the European Union providing goods and services to, or monitoring the behavior of, EU data subjects.  The rules apply to both controllers and processors of personal data. Fines are imposed for non-compliance.


Health Insurance Portability and Accountability Act (HIPAA) applies to health plans, health care clearinghouses, and health care providers electronically transmitting health information. The regulation addresses the electronic exchange, privacy, and security of the data.

ISO 27001

The International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27000 family contains over a dozen standards for Information Security. ISO 27001 details the requirements of an information security management system (ISMS).

ISO 20252

The International Organization for Standardization (ISO) also has a standard for market, opinion, and social research, including insights and data analytics. ISO 20252 standard leads to continual improvement of research and harmony with other national standards and industry codes. It now includes access panels, both online and offline.

Microsoft SSPA

Microsoft has a corporate program for suppliers that handle Microsoft Personal and/or Confidential data. The Microsoft Supplier Security and Privacy Assurance (SSPA) program manages compliance of the Microsoft Supplier Data Protection Requirements (DPR) through annual compliance audits. 


The National Institute of Standards and Technology (NIST) produces a voluntary framework that consists of standards, guidelines and best practices to manage cybersecurity risk. The NIST Cybersecurity Framework (CSF) is a prioritized, flexible, repeatable, performance-based and cost-effective approach to identifying, assessing and managing cyber risk.

NIST 800-53

The National Institute of Standards and Technology (NIST) also offers a framework for Security and Privacy Controls for Federal Information Systems and Organizations. NIST 800-53 provides a catalog of security and privacy controls, and a process for selecting controls for federal agencies, contractors and service providers.

NIST 800-171

The National Institute of Standards and Technology (NIST) has a framework for Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations. NIST 800-171 provides federal agencies, contractors and service providers with a set of recommended security requirements for protecting the confidentiality of Controlled Unclassified Information.


The New York State Department of Financial Services (NYDFS) has established minimum cybersecurity requirements for entities that operate under the state’s Banking Law, Insurance Law or Financial Services Law. The New York Codes, Rules and Regulations (NYCRR) Title 23 Part 500 addresses these requirements. NYDFS 23 NYCRR 500 requires each Covered Entity to assess their risk and protect the confidentiality, integrity, and availability of their information systems.


Payment Card Industry Data Security Standard (PCI DSS) compliance is for organizations that store, process and transmit cardholder data. Developed by the PCI Security Standards Council, the standard provides a structured, predictable and continuous approach to cardholder data security.


Statement on Standards for Attestation Engagements No. 18 (SSAE 18, previously SSAE 16) is an auditing standard for organizations from the American Institute of Certified Public Accountants (AICPA) that addresses System and Organization Controls (SOC). A SOC 2 Report communicates relevant and useful information about the service organization’s compliance with the AICPA Trust Services Criteria for information security, availability, processing, integrity, confidentiality, or privacy.

PCI Compliance
ISO 27001 Certification
23 NYCRR 500
HIPAA Security Rule

Need help preparing for a Compliance Audit?

Pin It on Pinterest