Sitefinity SaaS regulatory compliance and standards
Overview
Sitefinity SaaS complies with a number of regulatory standards to support industry-level security and architecture requirements. Some organizations require that their cloud service provider's deployments meet one or more of the current, widely adopted regulatory standards, to ensure proper governance of their application infrastructure, code, and data.
Following is a summary of the regulatory standards that Sitefinity SaaS complies with as a product.
Regulatory compliance
SOC2
System and Organization Controls 2 (SOC2), defined by the American Institute of Certified Public Accountants (AICPA), is a suite of reports produced during an independent audit. It is intended for service organizations (organizations that provide information systems as a service to other organizations) to issue independently validated reports on their internal controls over those information systems to the users of those services.
The reports focus on controls grouped into five categories, called Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is the only mandatory category; the other four are included as the service organization's scope requires. When reviewing a SOC2 report, check which categories are in scope and whether it is a Type 1 report (design of controls at a point in time) or a Type 2 report (operating effectiveness over a review period).
The Sitefinity Cloud SOC2-compliance reports can be downloaded from Progress Security Center.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) defines the security and privacy regulations required to protect sensitive patient health data. The HIPAA Security Compliance Assessment addresses Administrative, Physical, and Technical Safeguards, with primary focus on the HIPAA Security Final Rule governing protected health information (PHI), as they relate to Progress' Web Content Management services.
Sitefinity Cloud helps safeguard Personally Identifiable Information (PII) and Protected Health Information (PHI) through field mapping, PII/PHI removal workflows, and data obfuscation when a database is restored to a non-production environment.
The Sitefinity Cloud HIPAA-compliance report can be downloaded from Progress Security Center.
SAMM
The Software Assurance Maturity Model (SAMM), maintained by OWASP, is an open framework that helps organizations formulate and implement a software security strategy tailored to the specific risks they face. SAMM provides a maturity model against which organizations can assess their current software security practices and identify areas for improvement.
Microsoft Azure compliance
Microsoft Azure evaluates every Sitefinity SaaS subscription against the following regulatory standards, using the corresponding Azure Policy controls described below:
- PCI DSS 3.2.1
- ISO 27001
- SOC TSP
- Azure CIS 1.1.0
- Canada Federal PBMM
- ISO 27001:2013
- Azure CIS 1.3.0
- UKO and UK NHS
- NIST SP 800-53 R4
- NIST SP 800-171 R2
- HIPAA HITRUST
- SWIFT CSP CSCF v2020
- New Zealand ISM Restricted
- CMMC Level 3
PCI DSS 3.2.1
PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The PCI DSS applies to all entities that store, process, and/or transmit cardholder data, and includes requirements for software developers and manufacturers of applications and devices used in those transactions. It covers the technical and operational system components included in or connected to the cardholder data environment. Note that the PCI SSC retired PCI DSS v3.2.1 on 31 March 2024 in favour of v4.0; confirm with Progress which version the current assessment covers.
SOC TSP
The AICPA Trust Services Categories and Related Criteria are control criteria established by the AICPA Assurance Services Executive Committee (ASEC), and consist of Security, Availability, Processing Integrity, Confidentiality, and Privacy. These control criteria are used in attestation or consulting engagements to evaluate and report on controls over the security, availability, processing integrity, confidentiality, or privacy of information and systems (a) across an entire entity; (b) at a subsidiary, division, or operating unit level; (c) within a function relevant to the entity's operational, reporting, or compliance objectives; or (d) for a particular type of information used by the entity.
The Trust Services Criteria relate to the following categories:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Azure CIS 1.1.0
The CIS Microsoft Azure Foundations Benchmark v1.1.0 blueprint sample provides governance guardrails using Azure Policy that help you assess specific CIS Microsoft Azure Foundations Benchmark recommendations. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement CIS Microsoft Azure Foundations Benchmark v1.1.0 recommendations.
Canada Federal PBMM
The Canada Federal PBMM blueprint sample provides governance guardrails using Azure Policy that help you assess specific Canada Federal PBMM controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement controls for Canada Federal PBMM.
ISO 27001:2013
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
Azure CIS 1.3.0
The CIS Microsoft Azure Foundations Benchmark v1.3.0 is an updated version of the v1.1.0 benchmark described above. The corresponding blueprint sample provides the same kind of Azure Policy guardrails for assessing the v1.3.0 recommendations.
UKO and UK NHS
The UK OFFICIAL (UKO) and UK NHS blueprint sample provides governance guardrails using Azure Policy that help you assess specific UK OFFICIAL and UK NHS controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement controls for UK OFFICIAL and UK NHS.
NIST SP 800-53 R4
The NIST SP 800-53 R4 blueprint sample provides governance guardrails using Azure Policy that help you assess specific NIST SP 800-53 R4 controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement NIST SP 800-53 R4 controls.
NIST SP 800-171 R2
The NIST SP 800-171 R2 blueprint sample provides governance guardrails using Azure Policy that help you assess specific NIST SP 800-171 R2 requirements or controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement NIST SP 800-171 R2 requirements or controls.
HIPAA HITRUST
The HIPAA HITRUST blueprint sample provides governance guardrails using Azure Policy that help you assess specific HIPAA HITRUST controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement HIPAA HITRUST controls.
SWIFT CSP CSCF v2020
The SWIFT CSP-CSCF v2020 blueprint sample provides governance guardrails using Azure Policy that help you assess specific SWIFT CSP controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement SWIFT CSP controls.
New Zealand ISM Restricted
The New Zealand ISM Restricted blueprint sample provides governance guardrails using Azure Policy that help you assess specific New Zealand Information Security Manual controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement controls for New Zealand ISM Restricted.
CMMC Level 3
The CMMC Level 3 blueprint sample provides governance guardrails using Azure Policy that help you assess specific Cybersecurity Maturity Model Certification (CMMC) framework controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement controls for CMMC Level 3.