Rochester Information Security - Resources

COMPLIANCE RESOURCES

A curated collection of resources for information security professionals, compliance officers, and organizations navigating security frameworks and standards. These resources provide authoritative guidance directly from standard-setting bodies and regulatory authorities.

NIST FRAMEWORK RESOURCES

NIST 800-53 - Security and Privacy Controls

Official Publication: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final 
Control Catalog: https://csrc.nist.gov/projects/cprt/catalog 

What It Is: Comprehensive catalog of security and privacy controls for federal information systems and organizations, also widely adopted outside government (FedRAMP and CMMC mappings are built on it). The catalog itself is impact-agnostic; the Low, Moderate, and High baselines that select controls from it are published separately in SP 800-53B.

Key Documents: SP 800-53 Rev 5 (main publication), SP 800-53A (assessment procedures), SP 800-53B (control baselines), SP 800-37 (Risk Management Framework)

NIST Cybersecurity Framework (CSF)

Official Site: https://www.nist.gov/cyberframework 
Framework Download: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf 

What It Is: Risk-based framework organized around six core functions in CSF 2.0 (the version linked above): Govern, Identify, Protect, Detect, Respond, and Recover. CSF 1.1 had the last five only; Govern was added in 2.0. Flexible approach suitable for organizations of all sizes and sectors.

Key Resources: CSF Core, Tiers, Organizational Profiles (including Community Profiles), Quick Start Guides, Informative References mapping CSF outcomes to SP 800-53 and other standards

NIST 800-171 - Protecting CUI

Official Publication: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final 
SP 800-172A (assessment procedures for the SP 800-172 enhanced requirements): https://csrc.nist.gov/pubs/sp/800/172/a/final 

What It Is: Protecting Controlled Unclassified Information (CUI) in nonfederal systems. Rev 2 contains 110 security requirements across 14 families; Rev 3 (May 2024) reorganizes them into 17 families and is the version NIST now publishes as current, so check which revision your contract cites. Required for contractors handling CUI, for DoD contractors via DFARS 252.204-7012.

Key Documents: SP 800-171 Rev 2 and Rev 3, SP 800-171A (assessment procedures for 800-171), SP 800-172 and 800-172A (enhanced requirements for high-value CUI and their assessment procedures), NIST Handbook 162 (MEP Self-Assessment Handbook for 800-171), CUI Registry (NARA)

CMMC RESOURCES

Cybersecurity Maturity Model Certification

Official CMMC Site: https://dodcio.defense.gov/CMMC/ 
CMMC Model: https://dodcio.defense.gov/Portals/0/Documents/CMMC/ModelOverviewv2.pdf 

What It Is: Department of Defense framework for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in the defense industrial base supply chain.

Key Resources: CMMC 2.0 Model, Assessment Guides, Cyber AB (formerly CMMC-AB) Marketplace for finding C3PAOs and assessors, Rulemaking documents (32 CFR Part 170 and the DFARS rule)

ISO STANDARDS

ISO/IEC 27001 - Information Security Management

Official ISO Site: https://www.iso.org/isoiec-27001-information-security.html 

What It Is: International standard specifying requirements for establishing, implementing, maintaining, and improving an Information Security Management System (ISMS). Based on risk assessment and treatment.

Related Standards: ISO 27002 (controls guidance), ISO 27003 (implementation guide), ISO 27004 (monitoring and measurement), ISO 27005 (risk management)

Note: ISO standards require purchase; the official site provides overviews and purchasing information.

ISO/IEC 27017 & 27018 - Cloud Security

What They Are: ISO 27017 provides cloud-specific information security controls and implementation guidance for both cloud providers and customers. ISO 27018 is a code of practice for protecting personally identifiable information in public clouds acting as PII processors. Both extend the ISO 27002 control guidance and are typically certified as extensions of an ISO 27001 ISMS.

SOC 2 RESOURCES

AICPA Trust Services Criteria

Official AICPA Site: https://www.aicpa.org/soc4so 

What It Is: Attestation report (not a certification) in which an independent CPA firm examines a service organization's controls against the Trust Services Criteria: Security (the common criteria, always in scope) plus Availability, Processing Integrity, Confidentiality, and Privacy (each included only if the organization elects it). A Type I report covers control design at a point in time; a Type II report also tests operating effectiveness over a period.

Key Resources: Trust Services Criteria (TSC), SOC 2 Reporting Guide, Cloud Security Alliance STAR Registry, Pre-qualification questionnaires

REGULATORY & COMPLIANCE FRAMEWORKS

GDPR - General Data Protection Regulation

Full Text (unofficial, searchable mirror): https://gdpr-info.eu/ 
The official text is Regulation (EU) 2016/679, published on EUR-Lex.

What It Is: EU regulation governing data protection and privacy. Applies to organizations established in the EU and, regardless of location, to organizations that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3).

HIPAA - Health Insurance Portability and Accountability Act

Official HHS Site: https://www.hhs.gov/hipaa/index.html 

What It Is: US regulation protecting sensitive patient health information. Includes Privacy Rule, Security Rule, and Breach Notification Rule.

PCI DSS - Payment Card Industry Data Security Standard

Official PCI SSC Site: https://www.pcisecuritystandards.org/ 

What It Is: Information security standard for organizations that store, process, or transmit cardholder data. Includes 12 requirements across 6 control objectives. PCI DSS v4.0 (now v4.0.1) replaced v3.2.1, which was retired on 31 March 2024; confirm the version your acquirer or QSA expects.

GOVERNMENT RESOURCES

CISA - Cybersecurity & Infrastructure Security Agency

Official Site: https://www.cisa.gov/ 

Key Resources: Security alerts and advisories, Known Exploited Vulnerabilities (KEV) catalog, free cyber hygiene services (vulnerability scanning), frameworks and best practices (the NVD itself is run by NIST, listed below)

DCSA - Defense Counterintelligence and Security Agency

Official Site: https://www.dcsa.mil/ 

What It Is: Agency responsible for personnel security clearances, facility clearances, and oversight of the National Industrial Security Program (NISP) for cleared contractors. Note that DCSA does not perform CMMC assessments: CMMC Level 2 certification assessments are conducted by C3PAOs accredited through the Cyber AB, and Level 3 assessments by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

FedRAMP - Federal Risk and Authorization Management Program

Official Site: https://www.fedramp.gov/ 

What It Is: Standardized approach to security assessment and authorization for cloud products used by federal agencies. Based on NIST 800-53.

INDUSTRY ORGANIZATIONS

SANS Institute

Website: https://www.sans.org/ 
Free Resources: Security awareness materials, posters, policy templates, reading room papers

Center for Internet Security (CIS)

Website: https://www.cisecurity.org/ 
Key Resources: CIS Controls (prioritized security actions), CIS Benchmarks (configuration standards), free assessment tools

Cloud Security Alliance (CSA)

Website: https://cloudsecurityalliance.org/ 
Key Resources: Cloud Controls Matrix (CCM), Security Guidance for Cloud Computing, STAR Registry

USEFUL TOOLS & TEMPLATES

NIST Resources
- National Vulnerability Database: Searchable database of vulnerabilities
- OSCAL: Open Security Controls Assessment Language for machine-readable security data
- Privacy Framework: Voluntary tool for managing privacy risks
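Because NIST publishes SP 800-53 and the 800-53B baselines in OSCAL, the baseline selection described above (a profile picking controls out of a catalog) can be checked mechanically. The following is an added example, not code from NIST or from this page, and uses a constructed mini-catalog and mini-profile that mirror OSCAL's JSON layout (catalog -> groups -> controls, with control enhancements nested under their parent; profile -> imports -> include-controls/with-ids). The control ids and titles are real 800-53 names, but the catalog is a tiny subset, and "ir-99" is a deliberately bogus id to show the dangling-reference check.

```python
"""Resolve an OSCAL-style profile against an OSCAL-style catalog.

Added example with constructed data mirroring OSCAL's JSON shape; it is not
the real SP 800-53 catalog or any NIST-published baseline.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed catalog: same nesting OSCAL uses for SP 800-53 (uuids are dummies).
CATALOG = {
    "catalog": {
        "uuid": "00000000-0000-4000-8000-000000000001",
        "metadata": {"title": "Constructed mini-catalog", "version": "0.1"},
        "groups": [
            {"id": "ac", "class": "family", "title": "Access Control",
             "controls": [
                 {"id": "ac-1", "title": "Policy and Procedures"},
                 {"id": "ac-2", "title": "Account Management",
                  # Enhancements (AC-2(1) etc.) nest under the base control.
                  "controls": [{"id": "ac-2.1",
                                "title": "Automated System Account Management"}]},
             ]},
            {"id": "ir", "class": "family", "title": "Incident Response",
             "controls": [
                 {"id": "ir-1", "title": "Policy and Procedures"},
                 {"id": "ir-4", "title": "Incident Handling"},
             ]},
        ],
    }
}

# Constructed profile (what an 800-53B baseline looks like in OSCAL form).
# "ir-99" does not exist in the catalog and should be reported, not silently dropped.
PROFILE = {
    "profile": {
        "uuid": "00000000-0000-4000-8000-000000000002",
        "metadata": {"title": "Constructed mini-baseline", "version": "0.1"},
        "imports": [
            {"href": "#catalog",
             "include-controls": [{"with-ids": ["ac-1", "ac-2", "ac-2.1", "ir-4", "ir-99"]}]}
        ],
    }
}


def flatten_controls(catalog: dict) -> Dict[str, dict]:
    """Map every control id (including nested enhancements) to its title and family."""
    out: Dict[str, dict] = {}

    def walk(controls: List[dict], family: str) -> None:
        for ctl in controls:
            out[ctl["id"]] = {"title": ctl["title"], "family": family}
            walk(ctl.get("controls", []), family)  # recurse into enhancements

    body = catalog["catalog"]
    for group in body.get("groups", []):
        walk(group.get("controls", []), group["id"])
    walk(body.get("controls", []), "")  # OSCAL also allows ungrouped controls
    return out


def resolve_profile(profile: dict, catalog: dict) -> Tuple[List[str], List[str]]:
    """Return (selected control ids, ids the profile references but the catalog lacks)."""
    controls = flatten_controls(catalog)
    selected, missing = set(), []
    for imp in profile["profile"]["imports"]:
        if "include-all" in imp:          # OSCAL spells this as an empty object
            selected.update(controls)
        for inc in imp.get("include-controls", []):
            for cid in inc.get("with-ids", []):
                (selected.add if cid in controls else lambda c: missing.append(c))(cid)
        for exc in imp.get("exclude-controls", []):
            for cid in exc.get("with-ids", []):
                selected.discard(cid)
    return sorted(selected), sorted(missing)


def coverage_by_family(selected: List[str], catalog: dict) -> Dict[str, int]:
    """Count selected controls per family, useful for spotting families a baseline never touches."""
    controls = flatten_controls(catalog)
    return dict(Counter(controls[cid]["family"] for cid in selected))


if __name__ == "__main__":
    chosen, dangling = resolve_profile(PROFILE, CATALOG)
    print("selected:", chosen)
    print("per family:", coverage_by_family(chosen, CATALOG))
    if dangling:
        print("profile references controls absent from catalog:", dangling)
```

The dangling-id check is the part worth keeping: when a custom baseline or an overlay is hand-edited, a typo in a control id silently removes that control from scope, and nothing downstream (SSP generators, assessment tooling) will complain.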

Free & Open Source GRC Tools
- Eramba: Open-source GRC platform
- OpenGRC: Governance, risk, and compliance framework

STAYING CURRENT

Newsletters & Updates
- CISA (was US-CERT) Alerts: Subscribe at CISA.gov for security alerts
- NIST Updates: Subscribe to CSRC announcements
- CUI Institute Newsletter: Updates on CMMC program changes

Security Blogs & Publications
- Krebs on Security: In-depth security reporting
- Dark Reading: Cybersecurity news and analysis
- CSO Online: Security leadership perspectives

NEED GUIDANCE?
While these resources are excellent starting points, navigating complex compliance requirements often requires expert guidance. If you need help interpreting standards, implementing controls, or preparing for audits, we're here to help. Contact us for a consultation.

---

This resource page is maintained as a reference for information security and compliance professionals. While every effort is made to keep links current, standards and regulations evolve. Always verify you're working with the latest version of any framework or standard.