Sitefinity Cloud regulatory compliance and standards

Overview

To meet industry expectations for security and architecture, Progress Sitefinity Cloud complies with a number of regulatory standards. Some organizations require that cloud service provider deployments meet one or more of the current, widely adopted regulatory standards to ensure proper governance of their application infrastructure, code, and data.

Following is a summary of the regulatory certifications that Progress Software has been awarded as a company and the ones that Progress Sitefinity Cloud complies with as a product:

Regulatory certifications

As a result of annual audits by independent third-party companies, the following regulatory standards have been awarded to Progress Software as a company:

  • SOC2
  • SAMM (Software Assurance Maturity Model)

Microsoft Azure compliance

The following regulatory standards are measured by Microsoft Azure against every Progress Sitefinity Cloud subscription:

  • PCI DSS 3.2.1
  • ISO 27001
  • SOC TSP
  • Azure CIS 1.1.0
  • Canada Federal PBMM
  • ISO 27001:2013
  • Azure CIS 1.3.0
  • UKO and UK NHS
  • NIST SP 800-53 R4
  • NIST SP 800-171 R2
  • HIPAA HITRUST
  • SWIFT CSP CSCF v2020
  • New Zealand ISM Restricted
  • CMMC Level 3

SOC2

System and Organization Controls (SOC), defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue validated reports of internal controls over those information systems to the users of those services.

The reports focus on controls grouped into five categories called Trust Service Principles.[1] The AICPA auditing standard Statement on Standards for Attestation Engagements no. 18 (SSAE 18), section 320, "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting", defines two levels of reporting, type 1 and type 2.

SAMM (Software Assurance Maturity Model)

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps in evaluating an organization's existing software security practices.

PCI DSS 3.2.1

PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process, or transmit cardholder data, and include requirements for software developers and manufacturers of applications and devices used in those transactions. The PCI DSS covers the technical and operational system components included in or connected to the cardholder data environment.

ISO 27001

ISO/IEC 27001 is the international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS), including the assessment and treatment of information security risks. The 2013 revision measured against Sitefinity Cloud subscriptions is described below under ISO 27001:2013.

SOC TSP

The AICPA Trust Services Principles and Criteria (TSP) are essentially control criteria established by the Assurance Services Executive Committee (ASEC), and consist of Security, Availability, Processing Integrity, Confidentiality, and Privacy. Furthermore, such control criteria are used for attestation or consulting engagements for evaluating and reporting on controls over the security, availability, processing integrity, confidentiality, or privacy over information and systems (a) across an entire entity; (b) at a subsidiary, division, or operating unit level; (c) within a function relevant to the entity's operational, reporting, or compliance objectives; or (d) for a particular type of information used by the entity.

The Trust Services Principles and Criteria (TSP) comprise the following:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Azure CIS 1.1.0

The CIS Microsoft Azure Foundations Benchmark v1.1.0 blueprint sample provides governance guardrails using Azure Policy that help you assess specific CIS Microsoft Azure Foundations Benchmark recommendations. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement CIS Microsoft Azure Foundations Benchmark v1.1.0 recommendations.

Canada Federal PBMM

The Canada Federal PBMM blueprint sample provides governance guardrails using Azure Policy that help you assess specific Canada Federal PBMM controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement controls for Canada Federal PBMM.

ISO 27001:2013

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

Azure CIS 1.3.0

An updated version (v1.3.0) of the CIS Microsoft Azure Foundations Benchmark described above under Azure CIS 1.1.0.

UKO and UK NHS

The UK OFFICIAL and UK NHS blueprint sample provides governance guardrails using Azure Policy that help you assess specific UK OFFICIAL and UK NHS controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement controls for UK OFFICIAL and UK NHS.

NIST SP 800-53 R4

The NIST SP 800-53 R4 blueprint sample provides governance guardrails using Azure Policy that help you assess specific NIST SP 800-53 R4 controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement NIST SP 800-53 R4 controls.

NIST SP 800-171 R2

The NIST SP 800-171 R2 blueprint sample provides governance guardrails using Azure Policy that help you assess specific NIST SP 800-171 R2 requirements or controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement NIST SP 800-171 R2 requirements or controls.

HIPAA HITRUST

The HIPAA HITRUST blueprint sample provides governance guardrails using Azure Policy that help you assess specific HIPAA HITRUST controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement HIPAA HITRUST controls.

SWIFT CSP CSCF v2020

The SWIFT CSP-CSCF v2020 blueprint sample provides governance guardrails using Azure Policy that help you assess specific SWIFT CSP controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement SWIFT CSP controls.

New Zealand ISM Restricted

The New Zealand ISM Restricted blueprint sample provides governance guardrails using Azure Policy that help you assess specific New Zealand Information Security Manual controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement controls for New Zealand ISM Restricted.

CMMC Level 3

The CMMC Level 3 blueprint sample provides governance guardrails using Azure Policy that help you assess specific Cybersecurity Maturity Model Certification (CMMC) framework controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement controls for CMMC Level 3.
