| Framework | Who it applies to | What it covers | Where it applies | Compliance status |
|---|---|---|---|---|
| | Any organization that processes data about EEA citizens | Data security and availability, handling of personal data, and rights of data subjects | Anywhere in the world | Mandatory |
| FISMA | Federal agencies and their contractors, along with any CSPs they use | Security and privacy of data on federal systems | United States | Mandatory |
| HIPAA Privacy Rule | Healthcare providers, health insurance companies, and associated billing services | Security and privacy of healthcare information | United States | Mandatory except where state law takes precedence |
| SOX | Publicly traded companies | Largely financial and business practices, but also covers IT controls | United States | Mandatory for public companies, although some requirements also apply to private companies and non-profit organizations |
| PCI DSS | Any organization that accepts or processes card payments | Data security | Anywhere in the world | Contractual |
| NIST SP 800-53 | Federal agencies and their contractors, along with any CSPs they use | Security and privacy of federal data | United States | Mandatory |
| FedRAMP | Federal agencies and their contractors, along with any CSPs they use | Security and privacy of federal data processed or stored in the cloud | United States | Mandatory |
| SOC 2 | Mainly SaaS vendors, companies that provide analytics and business intelligence services, financial institutions, and other organizations that store sensitive customer information | Data security, availability, processing integrity, confidentiality, and privacy | Globally recognized but mainly adopted in the United States | Voluntary |
| CIS Controls | Organizations of any size and in any industry sector | | | |
Vulnerability prioritization is the practice of assessing and ranking identified security vulnerabilities based on critical factors such as severity, potential impact, exploitability, and business context. This ranking helps security teams and executives avoid alert fatigue and focus remediation efforts on the most critical vulnerabilities.
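As an added illustration (not code from the original page), the function below ranks a constructed set of findings using the four factors named above: severity (CVSS base score), exploitability (public exploit available), potential impact (internet exposure), and business context (asset criticality and regulated data). The weights and sample values are assumptions chosen to show why a high-CVSS finding on an isolated, low-value asset can rank below a medium-CVSS finding on an exposed crown-jewel system.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str                  # constructed sample identifier
    cvss_base: float              # severity: CVSS base score, 0.0 to 10.0
    exploit_available: bool       # exploitability: public exploit / known exploited
    internet_exposed: bool        # potential impact: reachable from the internet
    asset_criticality: int        # business context: 1 (low) to 5 (crown jewel)
    handles_regulated_data: bool  # business context: in scope for PCI DSS, HIPAA, etc.


def priority_score(f: Finding) -> float:
    """Combine the four factors into one 0..100 score (weights are assumptions)."""
    severity = f.cvss_base / 10.0                   # normalise CVSS to 0..1
    exploitability = 1.0 if f.exploit_available else 0.4
    impact = 1.0 if f.internet_exposed else 0.6      # internal-only reduces reach
    context = f.asset_criticality / 5.0
    if f.handles_regulated_data:                      # regulated data raises stakes
        context = min(1.0, context + 0.2)
    return round(100 * severity * exploitability * impact * context, 1)


def remediation_bucket(score: float) -> str:
    """Map a score to a remediation tier (thresholds are assumptions)."""
    if score >= 70:
        return "critical"
    if score >= 40:
        return "high"
    if score >= 15:
        return "medium"
    return "low"


def rank_findings(findings):
    """Highest score first; ties broken by identifier for a stable order."""
    return sorted(findings, key=lambda f: (-priority_score(f), f.vuln_id))


# Constructed sample findings; none correspond to real vulnerabilities.
SAMPLE = [
    Finding("VULN-A", 9.8, True, True, 5, True),    # exposed, exploited, crown jewel
    Finding("VULN-B", 9.1, False, False, 2, False),  # high CVSS, isolated test box
    Finding("VULN-C", 6.5, True, True, 4, True),     # medium CVSS, exposed, regulated
    Finding("VULN-D", 7.5, True, False, 3, False),   # internal, exploit available
]

if __name__ == "__main__":
    for f in rank_findings(SAMPLE):
        print(f"{f.vuln_id}: {priority_score(f):5.1f} {remediation_bucket(priority_score(f))}")
```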
Application security posture management entails continuously assessing applications for threats, risks, and vulnerabilities throughout the software development lifecycle (SDLC).
AI risk management is a set of tools and practices for assessing and securing artificial intelligence environments. Because of the non-deterministic, fast-evolving, and deep-tech nature of AI, effective AI risk management and SecOps require more than just reactive measures.
SAST (Static Application Security Testing) analyzes custom source code to identify potential security vulnerabilities, while SCA (Software Composition Analysis) focuses on assessing third-party and open source components for known vulnerabilities and license compliance.
Static Application Security Testing (SAST) is a method of identifying security vulnerabilities in an application's source code, bytecode, or binary code before the software is deployed or executed.